Like the famous 2017 Burger King ad that deliberately hijacked nearby Google Home smart speakers. [0]
There's an argument to be made that it should be covered by cyber-attack laws. You aren't allowed to deliberately take control of someone else's computer without their permission.
Consider a hypothetical example: an author without use of their hands, who uses text-to-speech to write books and to control their computer. Imagine if they put you on speakerphone and you read out a sequence of commands to delete their work. That certainly wouldn't be covered under freedom of expression.
There's an obvious difference in degree, as spamming someone by hijacking their smart speaker isn't all that costly, but it's similar in category.
I know Bloomberg et al don’t appreciate my attempting to bypass their technical controls and cause undesired effects on their systems, and would likely file a criminal complaint.
Why is it legal for advertisers to write code which is meant to bypass a system control and exceed their authorization?
I think we need a browser that automates CFAA complaints to the FBI when a company engages in behavior that would be illegal for an individual — such as hacking your audio.
I believe at the point where a company writes code with the explicit purpose of bypassing your control of the computer, eg autoplaying a video despite technical measures being taken to prohibit that behavior, it constitutes a breach of the CFAA.
In what country? I suspect that given the intentions it would be a breach of the U.K. computer misuse act for example. Holding the perpetrator to the law is another matter of course.
The terminology as it stands it too broad. The people on the internet shouldn't be allowed to hijack each others computers. There should be a law specifically against hijacking another computer without permission.
Just like guns, and going to the bank aren't illegal. In some places going to the bank with a gun isn't illegal. But pointing a gun in a bank at a teller and saying "give me all the money" is illegal.
I tend to agree, though I tried to do some searches for a law citation here, but struggled to find anything concrete. I imagine this will be a big area of research and exploration for law in the coming years.
Some interesting scenarios to consider: If I visit a friend's house, and I start getting targeted ads for a service I didn't subscribe to without prior consent or my knowledge, can I sue her/him? What about a scenario where some service collects my data, said service is hacked, and someone commits identity theft on me, who is liable for damages? Do I need my buddy to sign a waiver when he visits to play some Xbox for a bit?
Attacks are a bit different than someone trying to access information, though. Much like it is illegal to punch someone in the face, unless they try to punch you first.
Would this type of hack fall under the Computer Fraud and Abuse Act? If so, it seems like an easy case to prosecute (the person committing the act has a financial profit motive, the public would like to see genuine bad actors get punished, etc). Or does the CFAA not apply because this isn't a protected resources?
Not a lawyer. But this would never come to pass - no DA would have the brains let alone the skill or political will to prosecute. Also, seems like a freedom of speech issue. Otherwise it would be difficult for educators to discuss computer security. In fact, I'm pretty sure he could even do away with all of the "non-suggestion" text and still be fine.
If I say, "I think you should hack website X, humanity will be better off for it" that's just my opinion. I can even say, "I think you should empty all of Goldman Sach's bank accounts and use the proceeds to buy up endangered rain forest land in Brazil." As long as I'm not materially facilitating the commission of the crime, I'm just another guy on the internet with an opinion.
Edit: After reviewing http://en.wikipedia.org/wiki/Freedom_of_speech_by_country#ci... I'm coming to the conclusion that the above is pretty far from accurate in any country. Apparently freedom of speech has been under serious assault for decades. Which is sort of sickening, but also a fact of life.
As far as the CFAA, you may have a point. However, the EFF is spot on when it comes to the DMCA, which does in fact allow for speech to be restricted even when no identifiable 'hack' under the CFAA is alleged. The MBTA case is probably the most famous - https://www.wired.com/2008/08/eff-to-appeal-r/
Also, while not approving of 'weev' or his methods, I think most on HN and elsewhere would agree that merely visiting a website should not be considered a hack - https://www.wired.com/2013/03/att-hacker-gets-3-years/ - adding an additional layer to this mess.
They probably should be, but I'm not aware of any law against it. Failure to secure sensitive customer data? That should at least be a fineable offense. If a customer was provably injured by this hack, they would probably have grounds for civil suit.
I'm not a lawyer, but technically the hacker didn't "hack" the computer systems. So I'd wager that you can't slap a data protection law. But on the other hand, they definitely are legally liable for even a social-engineered attack. Maybe they'll get hit with negligence?
In short:
The United States Court of Appeals for the Second Circuit issued an opinion rejecting the government’s attempt to hold an employee criminally liable under the federal hacking statute—the Computer Fraud and Abuse Act (“CFAA”)—for violating his employer-imposed computer use restrictions... The court also ruled that the government cannot hold people criminally liable on the basis of purely fantastical statements they make online—i.e., thoughtcrime.
Depends on country's laws and contracts between parties. If the contract does not mandate service by the manufacturer, only suggests it, this sounds illegal. Not because of hacking, because of not documenting behavior and disturbing state entity hence the people.
Can any attorneys out there explain how altering computing devices to redirect and intercept email is not a criminal act when done without the knowledge or consent of the owner?
If any of us pulled the same stunt, even if authorized to access the system for other reasons, would we not be subject to prosecution? Hopefully, the same will happen to FB.
In addition to the Federal communications and cybercrime statutes, there is California Penal Code 502:
(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
...
(4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
...
etc.
It remains to be seen if there is a prosecutor with the backbone to go after this.
There's an argument to be made that it should be covered by cyber-attack laws. You aren't allowed to deliberately take control of someone else's computer without their permission.
Consider a hypothetical example: an author without use of their hands, who uses text-to-speech to write books and to control their computer. Imagine if they put you on speakerphone and you read out a sequence of commands to delete their work. That certainly wouldn't be covered under freedom of expression.
There's an obvious difference in degree, as spamming someone by hijacking their smart speaker isn't all that costly, but it's similar in category.
[0] https://en.wikipedia.org/wiki/Burger_King_advertising#2000s%...
reply