Yes, the law on the subject is mostly nonsense. That said, I've thought a lot on the subject and this is what I think the law should have been -
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
I think we'd be better off if we were the ones suggesting ways to define unauthorized access. I've thought about this quite a bit and I posted something on that subject about a week ago with my own suggested definition thereof. Quoting from that earlier comment:
=====
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
In the US, the law is written in defense of the host. The attacker is considered at fault for breaching a system that they are not supposed to have access to. From the CFAA(a)(2)(C)[1]:
> Whoever... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer;
The spirit of this law is fine: security is notoriously hard to get right. We have to account for the human component that will inevitably fudge something. Thus companies that give reasonable attempts at securing their data yet still fall short in certain areas are still protected under the law. Conversely, companies that don't care are also protected due to the letter, rather than the spirit, of the law.
Yes, but a computer has programming to enforce the rules and it can (and should) reasonably be expected to enforce those intentions accurately.
Another way of putting this is that they are using the computer to express their intention to authorize (or not authorize) access by means of the programming. It should, as a matter of good public policy, be on them to get this right. That's why my standard would require material deception--that is, but for the intentional deception, access would not have been granted.
Anything less simply sets too low a bar and excuses incompetence. This is bad public policy because it allows people to stumble into felonies while excusing all kinds of negligence on the part of those people who were supposed to be protecting things. Otherwise we have an "I know it when I see it" standard for which parts of a site are okay to interact with and reasonable minds can (and frequently do) disagree over the particulars. My standard would move this rule to determining statements of fact--did they know or should they have known they were deceiving this computer system/person in order to gain access? It also deliberately prevents people from shifting the blame for negligently configuring access to their computers.
I think we both know the widespread public harm caused by networks of hacked computers and we both know that, unlike the real world, essentially every computer's locks and windows are tested many times a day. Leaving things open is clearly negligent in my view and I've seen far too many clients of mine leave vulnerabilities open longer than is justifiable, contrary to my advice. I mean, I still see PCI audits reporting POODLE, which is just sad.
Now, inasmuch as you're telling me that the law doesn't and isn't likely to see things my way, sadly, I have to agree with you there.
As simple as it was, the "squares" will always see this behavior as "hacking". Which is one of the many reasons why we should have much more specific laws than we have. The phrase "access to a computer" is so vague and vapid that it's useless for writing a just law.
Completely agree - the issue here is absolutely the definition of "protected computer".
That said, I'm curious which specific case you're referring to in your first paragraph - and which court it was in.
I've done a fair amount of research into this type of case law and, from what I've seen, it seems like things have gone both ways in various different courts. As far as I know there is no binding precedent, at least not from a higher court, but I'd love to be wrong on this.
Seeing as this comment may end up lost within this thread, feel free to shoot me an email directly (available on my profile).
I very much agree here. The problem isn't that there's a law against accessing a computer system without authorization or how it's defined. The problem is that the law treats unauthorized access to a computer system so much more harshly than the equivalent trespasses on physical property. If he'd been charged with a misdemeanor resulting in "a fine of not more than $100 and up to 30 days in jail" I could see that as being a just law. Decades in prison and a felony record? Not so much.
To intentionally access a computer system after being told not to by its owner is, by definition, unauthorized access of a computer system - the core of the Computer Fraud and Abuse Act. That should be pretty clear.
However, the law in question is old and probably doesn't make much sense any more. Claiming that the courts made the wrong decision is nonsense - the law needs to be rewritten.
You're the one who keeps bringing up technicalities. I think the ethical implications are pretty clear when you access a system to specifically use it in a way that the owner asked you not to.
In addition to being clearly unethical for me, it also is quite possibly illegal due to the CFAA, under the wording "exceeds authorized access".
It should not be the simple act of accessing a computer contrary to the owner's terms and conditions that is a crime, but the specific acts of searching for, wilfully accessing and sharing privileged information on systems where the persons whose information you were accessing had a reasonable expectation that that information would be private.
I think that covers police databases, social security and also customer details on a website amongst others. It would not necessarily cover accidentally accessing customer data on a system (that happens) but if you started wilfully sharing that data or details about how to access it with persons other than the owners of the system then you could start to get into the problematic zone. To prevent the scenario where the owners just do nothing and then when the 'hacker' tells somebody else they call the cops and accuse, it should probably be a crime, after being notified that your system is leaking private data, that you didn't take any action to plug that hole.
And if you exploit a bug to gain unauthorized access to a computer, you've committed a crime.
Computers and networks are not magic and it makes no sense to pretend that laws cannot limit unauthorized access. We do need to improve many of the laws related to computers, but it's unreasonable to claim that there's no way for laws to cover computers in a reasonable way.
> The law is out of its depth here, least of all because it is attempting to proscribe what it can neither reliably control nor measure.
You could claim the same about trespass. The courts cannot control access to your property, nor can they monitor or measure such access. Nonetheless, they can prosecute and convict people who trespass on your property and in general, we tend to agree that this is a good thing.
The problem is that the various computer crime laws are vague and subject to interpretation. I read an article recently claiming that accessing a URL manually that is not intentionally exposed via a public link could be considered a form of unauthorized access and wire fraud.
Those laws are retarded and it's sad to see them defended in HN.
Always try to do a parallel without computers to see if a computer law passes the retarded test.
In this case: "it's illegal to enter a door left wide open for months, pick up a wallet full of money from a desk visible inside through said open door, and return it to the home owner with all the money and a note about closing the door because it's not a safe neighborhood."
There's a lot wrong with this law and certain interpretations thereof, and a lot of room to debate its appropriate reach, constitutionality, etc. But this particular objection -- that you don't need to "hack" to be prosecuted as a "hacker" -- seems strange to me, seeing as the law never uses the word hack [0]. It's not a "hacking" law, but a "fraud and related activity" law.
It refers repeatedly to situations wherein a person "accesses a computer without authorization or exceeds authorized access"; the law doesn't care if that access was gained through technically impressive means (sophisticated cracks based on zero-day exploits) or mundane means (an employee misusing access).
That is not ok. A law that purports to outlaw computer fraud and abuse should particularly prohibit the government from committing computer fraud and abuse.
It is a grey area, at least in the US. The main federal law for computer crimes is the ancient Computer Fraud and Abuse Act. The provisions of the act all work off the concept of "exceeding authorized access" - but the law never defines what authorized access actually is. Logging in with a default username and password has never been tested in court, as far as I know, and I think there are arguments to be made for both sides about whether that counts as authorized access.
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
Sadly, I don't get to write these laws.