
It appears that you may not have read anything but the title of the act.

“Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer;”

Would you want to go to trial over whether circumventing security through obscurity qualifies as access without authorization or exceeding authorized access?




My apologies. My pretending to be a lawyer via google is stupid. 1030(a)(2)(c) seems really terrifying, obviously there is formal language in the text "Whoever— (2) intentionally accesses a computer without authorization and thereby obtains - (C) information from any protected computer;"

obviously includes formal language that means something I don't understand.


Which section of this law criminalizes merely accessing something without authorization?

I don't think that matters. The Act has verbiage along the lines of accessing a computer without authorization, which is what you're doing by hopping on the network.

Unauthorized Access should mean there is something that enforces authorization in front of it, and you circumvented that or forcefully passed through.

Legal actions based on security through obscurity are a silly idea.


This is going to be tough to argue from a hacking standpoint. IANAL, but a quick perusal of some of the hacking-related legislation shows that almost all federal definitions of "hacking" involve "without or exceeding authorization" (see sections (1)(a), (1)(b), and (1)(c) in the Computer Fraud & Abuse Act (CFAA) [1]). A definition of that phrase is provided at length in this pamphlet [2] put out by the Department of Justice Cybercrime division. Specifically, from the first document (section (e)(6)):

> the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

and from the second (section A.2):

> The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

Later in the same section, it states:

> Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. [...] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party. See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).

Not sure what to make of that, as again, IANAL. Still, this is definitely not hacking in the traditional legal sense.

[1]: http://energy.gov/sites/prod/files/cioprod/documents/Compute...

[2]: http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf


No. He's saying that the court would not use 18 USC 1030(a) to charge someone with a crime when they did something completely normal and innocuous but which was technically against the language in 18 USC 1030(a) because it was poorly drafted.

He's saying that the courts can make distinctions between what Congress intended (to make it illegal to bypass computer security systems without permission), and what the law might technically forbid but what is completely normal and innocuous to do (like browsing someone's website without their explicit permission).


If someone has access to data but uses it inappropriately, that doesn't sound like something that should be covered by “exceed authorized access”.

If someone is using that information inappropriately, maybe that should be against the law, but not the Computer Fraud and Abuse Act.


There's a lot wrong with this law and certain interpretations thereof, and a lot of room to debate its appropriate reach, constitutionality, etc. But this particular objection -- that you don't need to "hack" to be prosecuted as a "hacker" -- seems strange to me, seeing as the law never uses the word hack [0]. It's not a "hacking" law, but a "fraud and related activity" law.

It refers repeatedly to situations wherein a person "accesses a computer without authorization or exceeds authorized access"; the law doesn't care if that access was gained through technically impressive means (sophisticated cracks based on zero-day exploits) or mundane means (an employee misusing access).

[0] http://www.law.cornell.edu/uscode/18/1030.html , ctrl-f hack. It's not there.


http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

The relevant part of the act would be: "Intentionally accessing a computer without authorization to obtain ... information from any protected computer". A "protected computer" is a computer "which is used in or affecting interstate or foreign commerce or communication", which fits Craigslist pretty well.

Violation of the clause I quoted is a criminal offense with potential jail time.


18 USC 1030 (a)(4)

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value

https://www.law.cornell.edu/uscode/text/18/1030

A criminal investigation into whether or not this was really accidental would be entirely warranted here. If there was intent to access this information without authorized access that is criminal.


> The difference between “access without authorization” and “exceed[ing] authorized access.”

I never really understood why this distinction is considered so contentious. The law itself defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter."

Which isn't that helpful because it's approximately what you would expect it to mean if it wasn't defined. But I'm not sure where the ambiguity between "access without authorization" and "exceeds authorized access" is supposed to come in. The plain meaning is clearly that in one case you have no legitimate access (i.e. the system doesn't allow anonymous access and you have no account) and in the other case you have some legitimate access but not to do what you did. Kerr makes the argument that it is possible for "access without authorization" to imply "exceeds authorized access", but that is one place where the statutory definition is useful: The definition of "exceeds authorized access" first requires you "to access a computer with authorization..."

The real trouble with the CFAA is that it doesn't make the scope of authorization clear in either event. The canonical way people know whether they're authorized to do something to a computer system is that it allows them to do it. If you aren't authorized then it comes back with "access is denied" and you can't do it.

So the only way to break the law is to get the computer to do something it isn't supposed to let you. But where is the definition of that? How are you supposed to know what the computer is supposed to do, if the normal way of knowing that is to look at what it actually does, and the only cases that matter are the ones where that doesn't apply? There may be some obvious cases (e.g. logging in with someone else's account), but by what rule or principle are these cases supposed to be distinguished from others?


Under the Computer Fraud and Abuse Act (18 U.S.C. 1030) it is a federal crime to "intentionally access a computer without authorization or exceed authorized access" ...

An eager prosecutor could take that and run a mile.


Intentionally accessing a protected computer system without authorization and obtaining information from it is a federal criminal offense (18 USC 1030 (a)(2)(C)).

Isn't this a felony under the Computer Fraud and Abuse Act? It's intentionally exceeding authorized access to a computer and intentionally (not even recklessly) causing damage.

This could fall under Unlawful Access to Computers.

So deliberately attempting to access a computer without permission? This is a federal crime!

This kind of hair-splitting is why the legal definition of "exceeding authorized access" is so general.

There seems to be a very popular misconception that the law criminalizes "hacking", as in "0-day exploits" and "SQL injection". No: thankfully, the law doesn't so much care about how you get access. It cares that you knowingly access things without permission, no matter how you do it.


intentionally accesses a computer without authorization or exceeds authorized access

Did he exceed authorized access? He did, and therefore he broke the plain reading of the law. The law should be better, and separate violating access controls from violation of access policy, but it doesn't.


That would be the Computer Fraud and Abuse Act[0,1]. The relevant bit is "Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section." A "protected computer", by the way, is any computer "which is used in or affecting interstate or foreign commerce or communication."

That's not relevant, though, because US v. Lori Drew[2] decided that a user can't be prosecuted under the CFAA for breaking a ToS agreement. (BTW, IANAL.)

0: http://www.law.cornell.edu/uscode/text/18/1030

1: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

2: https://wikispaces.psu.edu/display/IST432TEAM24/United+State...

