Hacker Read

I'm a Brit, and live in the UK but I do access US based computer systems so I suppose I could be subject to this law.

>accesses a computer without authorization or exceeds authorized access

There are two possible meanings of 'authorized access' here. One is authorization by the computer's security system, e.g. file access permissions. The other is authorization according to a contract of some kind. The court in this case used the latter interpretation.

Were the judges even aware that this term could be interpreted in more than one way? What was the intention of the original law in this regard? Did it indicate which interpretation(s) were intended?




To intentionally access a computer system after being told not to by its owner is, by definition, unauthorized access of a computer system - the core of the Computer Fraud and Abuse Act. That should be pretty clear.

However, the law in question is old and probably doesn't make much sense any more. Claiming that the courts made the wrong decision is nonsense - the law needs to be rewritten.


Just thinking out loud, but couldn't this be interpreted as falling under that nebulous 'unauthorized access of a computer system' law?

> The difference between “access without authorization” and “exceed[ing] authorized access.”

I never really understood why this distinction is considered so contentious. The law itself defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

Which isn't that helpful because it's approximately what you would expect it to mean if it wasn't defined. But I'm not sure where the ambiguity between "access without authorization" and "exceeds authorized access" is supposed to come in. The plain meaning is clearly that in one case you have no legitimate access (i.e. the system doesn't allow anonymous access and you have no account) and in the other case you have some legitimate access but not to do what you did. Kerr makes the argument that it is possible for "access without authorization" to imply "exceeds authorized access", but that is one place where the statutory definition is useful: The definition of "exceeds authorized access" first requires you "to access a computer with authorization..."

The real trouble with the CFAA is that it doesn't make the scope of authorization clear in either event. The canonical way people know whether they're authorized to do something to a computer system is that it allows them to do it. If you aren't authorized then it comes back with "access is denied" and you can't do it.

So the only way to break the law is to get the computer to do something it isn't supposed to let you. But where is the definition of that? How are you supposed to know what the computer is supposed to do, if the normal way of knowing that is to look at what it actually does, and the only cases that matter are the ones where that doesn't apply? There may be some obvious cases (e.g. logging in with someone else's account), but by what rule or principle are these cases supposed to be distinguished from others?


This could fall under Unlawful Access to Computers.

> The CFAA makes it a crime to "access a computer without authorization or exceed authorized access." Courts have been struggling to figure out what this means ever since Congress passed it more than 30 years ago.

The law by itself is ok, but I suspect lawmakers were referring to accessing a single personal workstation, probably not taking into account a cluster of servers containing publicly accessible data.


Orin Kerr has an excellent paper on the state of the law in this area that I'm too lazy to Google right now. But while the courts have occasionally ruled that "access" is "any access," other courts have realized how stupid this is and have moved away from that strict meaning.

"Protected computer" is explicitly defined.


"Whoever... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer. A protected computer is any computer which is used in or affecting interstate or foreign commerce or communication."

His blog seems to be used in foreign communication, it can be accessed from foreign countries. Does that make it a "protected computer"? I accessed his computer and received information. And I was never "authorized" to do so, except through the implied openness of the web, which the law doesn't seem to mention at all.


> "Authorization" is more than just technical controls.

You are applying too broad a definition to "authorization." In this context it refers specifically to the configured authorization behavior of the computer system. They gave him the equivalent of a key to a lock implemented in the computer system, and the law is meant to address the equivalent of someone who picks locks, not someone who misuses the access provided by keys they were given.


In the US the law is against unauthorized access. If a company agrees to let people try to hack their stuff, then the access is authorized and legal.

Completely agree - the issue here is absolutely the definition of "protected computer".

That said, I'm curious which specific case you're referring to in your first paragraph - and which court it was in.

I've done a fair amount of research into this type of case law and, from what I've seen, it seems like things have gone both ways in various different courts. As far as I know there is no binding precedent, at least not from a higher court, but I'd love to be wrong on this.

Seeing as this comment may end up lost within this thread, feel free to shoot me an email directly (available on my profile).


Oof. I don't like this decision, and I'm surprised to see the breadth of agreement from the Court. When you grant a person access to a system (digital or physical), it's for a specific purpose. Violating that purpose should be a criminal act. If I give a plumber my house key to come in and fix my sink, and he goes and opens up my computer and looks at my files, that should be a crime. If I grant a Geek Squadder access to my computer to get a virus off my computer, and he looks at my private photos except to the extent necessary to do the job I hired him to do, that should be a crime.

One could always say "Congress can remedy this with legislation" but that body has become fully dysfunctional so we all know that won't happen.


Because when that law was written it wasn't obvious how to distinguish in law between authorized and unauthorized access.

But that's not what the laws do. They make committing fraud with a computer a worse crime than committing fraud some other way; that's a completely separate issue from defining what constitutes unauthorized access.


It appears that you may not have read anything but the title of the act.

“Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer;”

Would you want to go to trial over whether circumventing security through obscurity qualifies as access without authorization or exceeding authorized access?


This is going to be tough to argue from a hacking standpoint. IANAL, but a quick perusal of some of the hacking-related legislation shows that almost all federal definitions of "hacking" involve "without or exceeding authorization" (see sections (1)(a), (1)(b), and (1)(c) in the Computer Fraud & Abuse Act (CFAA) [1]). A definition of that phrase is provided at length in this pamphlet [2] put out by the Department of Justice Cybercrime division. Specifically, from the first document (section (e)(6)):

> the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

and from the second (section A.2):

> The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

Later in the same section, it states:

> Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. [...] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party. See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).

Not sure what to make of that, as again, IANAL. Still, this is definitely not hacking in the traditional legal sense.

[1]: http://energy.gov/sites/prod/files/cioprod/documents/Compute...

[2]: http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf


It is an interesting question. In addition to any common law covering contracts, there are also some statutes that specifically cover interactions on a computer, like the Computer Fraud and Abuse Act. These laws often refer to "intended use" or "exceeding authorized access". IANAL, but it seems complicated enough that we probably won't really know the answers until a few cases are litigated.

Obviously not suggesting that.

The law in question is "No unauthorized access or entry to computer systems"...


While I don't think that's actually how the law can be interpreted, it does get at the central issue most computer users/researchers have with the law. It allows different standards for what "unauthorized" means, hence it is very elastic and can easily be abused, especially when combined with the plea bargain process (see Aaron Swartz).

My apologies. My pretending to be a lawyer via Google is stupid. 1030(a)(2)(C) seems really terrifying. Obviously there is formal language in the text, "Whoever— (2) intentionally accesses a computer without authorization and thereby obtains - (C) information from any protected computer;", which obviously includes formal language that means something I don't understand.


This kind of hair-splitting is why the legal definition of "exceeding authorized access" is so general.

There seems to be a very popular misconception that the law criminalizes "hacking", as in "0-day exploits" and "SQL injection". No: thankfully, the law doesn't so much care about how you get access. It cares that you knowingly access things without permission, no matter how you do it.
