My apologies. My pretending to be a lawyer via google is stupid. 1030(a)(2)(c) seems really terrifying, obviously there is formal language in the text "Whoever—
(2) intentionally accesses a computer without authorization and thereby obtains -
(C) information from any protected computer;
obviously includes formal language that means something i don't understand.
Knowingly and with intent to defraud, accesses a
protected computer without authorization, or exceeds
authorized access, and by means of such conduct
furthers the intended fraud and obtains anything of value,
The courts have interpreted "protected computer" as any computer connected to the internet.
I'm curious if this violates U.S. code 1030(a)(5) [0]
"(5)
(A)knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B)intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C)intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.[2]"
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value
A criminal investigation into whether or not this was really accidental would be entirely warranted here. If there was intent to access this information without authorized access that is criminal.
18 USC 1030(a)(2): "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— ... (C) information from any protected computer;"
18 USC 1030(e)(2): the term “protected computer” means a computer—
(A) [computers used by financial institutions or the government] or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States [read as 'is on the internet']
So you're saying intent makes the difference. But I don't know how much that helps. We still have a state of reality in which the general public wanders the internet assuming they're allowed to access arbitrary websites without any explicit authorization from the operators. The strict (and obviously insane) interpretation is that they're all guilty because they know they haven't gone to Google's headquarters and gotten something like an authorization letter permitting them to do a search on google.com, but the alternative is the void for vagueness problem the author is trying to articulate: If you have implied authorization then where does impliedly authorized access end and unauthorized access begin? The line is so indistinct and open to interpretation that no one can say for sure, which is why all the hypotheticals (and some actual prosecutions) about mothers being jailed for Facebook posts and the like.
Yeah, 18 USC 1030 (a)(2)(C) might be a better fit:
> Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section.
(The definition of "protected computer" encompasses any computer that is "used in or affecting interstate or foreign commerce or communication".)
That would be the Computer Fraud and Abuse Act[0,1]. The relevant bit is "Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished as provided in subsection (c) of this section." A "protected computer", by the way, is any computer "which is used in or affecting interstate or foreign commerce or communication."
That's not relevant, though, because US v. Lori Drew[2] decided that a user can't be prosecuted under the CFAA for breaking a ToS agreement. (BTW, IANAL.)
It appears that you may not have read anything but the title of the act.
“Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer;”
Would you want to go to trial over whether circumventing security through obscurity qualifies as access without authorization or exceeding authorized access?
"18 U.S.C. § 1030(a)(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"
No. He's saying that the court would not use 18 USC 1030(a) to charge someone of a crime when they did something completely normal and innocuous but which was technically against the language in 18 USC 1030(a) because it was poorly drafted.
He's saying that the courts can make distinctions between what Congress intended (to make it illegal to bypass computer security systems without permission), and what the law might technically forbid but what is completely normal and innocuous to do (like browsing someone's website without their explicit permission).
I went and had a quick look and I think you are over-stating the situation. 1030 appears to deal with either going around authorisations for USG computers (a)(3), or going around authorisations for other computers (a)(4) in order to commit what would be in other settings ordinary crimes and misdemeanours: intentional damage (5)(A), reckless damage (5)(B), damage and loss (5)(C) and various species of fraud (6),(7).
I'm pretty sure Flattr's actions qualify for zero of these.
Intentionally accessing a protected computer system without authorization and obtaining information from it is a federal criminal offense (18 USC 1030 (a)(2)(C)).
Do you want me to start quoting Title 18 U.S.C Section 1030 (the Computer Fraud and Abuse Act) or can you Google it yourself? There is no possible reading of these facts that does not run afoul of that law, among others.
There is no affirmative defense "But it was really easy for me to exceed my authorized privileges because their security sucked" provided for in the law.
The relevant part of the act would be: "Intentionally accessing a computer without authorization to obtain ... information from any protected computer". A "protected computer" is a computer "which is used in or affecting interstate or foreign commerce or communication", which fits Craisglist pretty well.
Violation of the clause I quoted is a criminal offense with potential jail time.
I believe this would still be covered by the first clause, the one not even being argued in this decision.
> Subsection (a)(2) specifies two distinct ways of obtaining information unlawfully—first, when an individual “accesses a computer without authorization,” §1030(a)(2), and second, when an individual “exceeds authorized access” by accessing a computer “with authorization” and then obtaining information he is “not entitled so to obtain,” §§1030(a)(2), (e)(6).
I fraudulently obtain and use credentials to a system which authorize another person to access it. I am still "accessing a computer without authorization", because those credentials never authorized me.
This starts to get really fuzzy if I fraudulently have credentials explicitly granted to me...
That's specifically not what I said. You can look at the timestamp on this comment and the timestamp on the comment where I listed the 1030(a) crimes to see that. This argument is invalid on its face; it's a straw man.
The core of your argument is that Rob is right that there's a chargeable offense happening when you read his blog, because the 1030(a) statute is so vague. That's just not true. There's specific precedent for why it's not true.
If you want to refine your argument to say that 1030(a)(2) (plain unauthorized access) and 1030(e)(2)(b) ("protected computer") are unconscionably vague and leave too many people exposed to frivolous prosecution, we agree, modulo that I think we diverge on the fact that nobody's going to be convicted in those prosecutions without an allegation of fraud to accompany it.
He didn't access it intentionally, and as broad as "protected computer" is, it's hard to say that a public library computer has a role in interstate commerce. I think he's fine.
Title 18 U.S.C Section 1030 (the Computer Fraud and Abuse Act) makes it a federal offense to exceed your authorized access on, basically, any computer system anywhere. (Does it communicate? It is used in interstate commerce? BAM.)
"Whoever... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains... information from any protected computer. A protected computer is any computer which is used in or affecting interstate or foreign commerce or communication."
His blog seems to be used in foreign communication, it can be accessed from foreign countries. Does that make it a "protected computer"? I accessed his computer and received information. And I was never "authorized" to do so, except through the implied openness of the web, which the law doesn't seem to mention at all.
obviously includes formal language that means something i don't understand.
reply