
It is a grey area, at least in the US. The main federal law for computer crimes is the ancient Computer Fraud and Abuse Act. The provisions of the act all work off the concept of "exceeding authorized access" - but the law never defines what authorized access actually is. Logging in with a default username and password has never been tested in court, as far as I know, and I think there are arguments to be made for both sides about whether that counts as authorized access.



Your periodic reminder that under US law, you do not have to somehow get past a login page to be exceeding authorized access to a computer system. A prosecutor needs only to show that a reasonable person, looking at the same computer system, would have known they had no authorized access to it.

That makes things like this a pretty bad idea. At least, in the US.


In the US, yes. Unauthorized access and computer trespass is often felonious. People have gone to prison for logging into an email account by guessing the password.

Attempting to login to someone else's account without permission is clearly unauthorized use of a computer system. People have gone to jail for much less.

It seems to generally be a crime to access a computer system you aren't supposed to, regardless of how you came by the login info (phishing, guessing passwords, etc).

There's some kind of weird penumbra here. The intent of the owner of the computer system clearly matters, but how much?

At the "seems pretty clearly like unauthorized access" end of the spectrum, we can imagine someone brute-forcing a password to gain access to a system. They're "authorized by technical access" once they have the username/password, but that's surely a focal case of the kind of crime that the statute was intended to address.

Alternatively, say there was a guest account activated with a default password.

Would we argue that someone with no relationship to the owner who discovered the account was active and then used it was "authorized by technical access"?

Presumably the answer is that authorization in that case depends on whether it was the intent to allow strangers to use the system as a guest or whether it was some kind of technical oversight.

What about if you were hired as a data entry operator, but your account was accidentally set up as a superuser? The owner of the system intended to give you one level of access but accidentally gave you another. Are you a hacker if you use the unintended access grant to snoop around? Again, you're "authorized by technical access".

What about if your boss puts his username/password on a post-it note on his monitor and you use his account without his knowledge? What about if you use it with his knowledge and agreement?


This is going to be tough to argue from a hacking standpoint. IANAL, but a quick perusal of some of the hacking-related legislation shows that almost all federal definitions of "hacking" involve "without or exceeding authorization" (see sections (1)(a), (1)(b), and (1)(c) in the Computer Fraud & Abuse Act (CFAA) [1]). A definition of that phrase is provided at length in this pamphlet [2] put out by the Department of Justice Cybercrime division. Specifically, from the first document (section (e)(6)):

> the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

and from the second (section A.2):

> The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

Later in the same section, it states:

> Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. [...] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party. See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).

Not sure what to make of that, as again, IANAL. Still, this is definitely not hacking in the traditional legal sense.

[1]: http://energy.gov/sites/prod/files/cioprod/documents/Compute...

[2]: http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf


Under Computer Fraud and Abuse Act (18 U.S.C. 1030) it is a federal crime to "intentionally access a computer without authorization or exceed authorized access" ...

An eager prosecutor could take that and run a mile.


You're right about a lot of that, but there are huge problems with making mere policy violations into federal felonies. We want to stop people from hacking stuff, but at the same time, we can't do that by giving every random company the power to make things into federal felonies via their own complex and often-ignored rules.

I posted up thread too, but my own personal view is that unauthorized access should hinge on whether the person used deception to obtain access. That provides a clear separation between lawful and unlawful conduct without giving private parties the power to define new felonies.

With computers, I don't think that the proverbial "employees only" sign on a load of private data means anything and the incentive should be on the business to provide a proper access control there. Meanwhile, if they add a guard who asks "are you an employee?" and you lie to them to get access, I would say you're unauthorized.

That gives us some semblance of mens rea while not going too far in any direction, I believe.


This could fall under Unlawful Access to Computers.

Logging in using someone's password, even if it got leaked like this, is considered a crime where I'm from. I'm sure whatever jurisdiction the author lives in has similar laws.

If you know you're not supposed to be inside someone else's computer system, you shouldn't access that system, or shut up about it at least! A crime with good intentions is still a crime according to the law!


So deliberately attempting to access a computer without permission? This is a federal crime!

Isn't this a felony under the Computer Fraud and Abuse Act? It's intentionally exceeding authorized access to a computer and intentionally (not even recklessly) causing damage.

Obviously not suggesting that.

The law in question is "No unauthorized access or entry to computer systems"...


The CFAA makes knowing, purposeful access to computer systems you don't have permission to use a crime, and a felony when that access is used to attempt to perpetrate additional crimes. It's a simple statute.

There are two common arguments against CFAA.

The first is that it shouldn't be a felony to access computer systems without authorization. The logic goes: if you use access to a computer system to perpetrate a fraud, charge fraud. If theft, charge theft.

A variant of this argument suggests that maybe "serious hacking" should be a felony, but things like reusing an old password, or guessing the URL after the login screen, those things shouldn't be felonious.

These arguments are problematic. For instance, in cases where the offender has used their unauthorized access solely to cause economic harm to someone else, there may not be a better crime to charge. The vandalism statutes weren't designed for offenses that can easily rack up tens of thousands of dollars. There's also the basic issue of trespass and violation of property rights. And, of course, civil remedies to these problems have their own problems, prominent among them the fact that all the burden for collecting those remedies falls on the victim, who under civil law receives no assistance from the rest of society.

The second set of arguments against CFAA is that the sentences are draconian. This argument seems much more straightforward. A particular problem with CFAA is that the sentence scales with damage, but damage can trivially scale with the induction variable of a program's loop; it does not seem intuitively just that typing an extra '0' into a single program can ratchet your sentence by years.

A variant of this argument suggests that damages are also inflated by victims and prosecutors. This is likely very true, but it's less meaningful in this case than in others, because even the most charitable view of the offenses charged suggests he did more than 15k of damages, and is facing a multi-year sentence.

I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage. That wouldn't much help Keys, though, who is convicted of deliberately trying to maximize the harm to Tribune Corporation.


The situation you describe is almost certainly not a crime under the prevailing interpretation of the CFAA.[1] (Although I do grant that your theory could potentially be correct, which is part of the reason it's such a bad law.[2])

The CFAA criminalizes "unauthorized access" and "exceeding authorized access."

The unauthorized access provision applies to various means of hacking into a computer. The exceeding authorized access provision applies (in general) to company and government insiders. "The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6)[3]

Your contract with your ISP gives you access to the network. By spoofing a device, you would breach your agreement with the ISP, but you would not be obtaining or altering information that you are not already entitled to under your agreement with the ISP as an authorized user.

In sum, for an authorized user to commit a crime, he must break through the access level he was granted by his authorization and reach information that was effectively closed-off to him.

1. http://en.wikipedia.org/wiki/Lori_Drew#Guilty_verdict_set_as...

2. http://itlaw.wikia.com/wiki/EF_Cultural_Travel_v._Explorica (One of the most inane cases I've ever read.)

3. http://www.law.cornell.edu/uscode/text/18/1030


I think logging in with someone else's username/password, defacing the website, corrupting/deleting files and stealing data to start a rival business are all crimes.

I draw the line here. If my username/password still work, it should be lawful to continue to use them. For example, if I buy a subscription to a SaaS product and my card expires, and the service continues to allow me access, I should be able to legally use the product until the SaaS provider restricts my access.


This kind of hair-splitting is why the legal definition of "exceeding authorized access" is so general.

There seems to be a very popular misconception that the law criminalizes "hacking", as in "0-day exploits" and "SQL injection". No: thankfully, the law doesn't so much care about how you get access. It cares that you knowingly access things without permission, no matter how you do it.


OK, so would you be OK with it if unauthorized access to a computer system (e.g. an ex-employer's, or some other case where the lack of authorization is clear and criminal intent is present) resulted in a charge of burglary?

I agree with this decision, but I've always advocated my own personal test for whether access is 'unauthorized' or not.

Basically, I would say that unauthorized access should require some material deception to gain access. So if you socially engineer your way in, it's unauthorized--you lied to someone. If you use a computer virus, it's unauthorized--you lied to the computer to get it to execute that code, probably misrepresenting it as some other type of data. If they set the permissions wrong or it's just an AUP thing, it's not unauthorized access. Though, as here, it might be against the law for some other reason (violation of privacy or whatever).

This would avoid catching people out because someone set permissions to give too much access or wrote overbroad AUPs that shouldn't be turned into federal felonies, while providing a nice bright line because you can actually test whether, if not for the deception, they'd have been granted access to the system, especially the computer side of that. So the people who used anonymous FTP with a fake email won't become felons because it's easy to prove the system lets in everyone no matter what their email is set to, whereas the person using someone else's credentials lied to the system about who they are and should get punished, etc.

I think that my test would be consistent with this holding, but remember that this is merely my view of how the law should be. It's not a description of how the law is; it's something I would advocate that I believe provides a reasonable boundary between authorized and unauthorized access that's both clear and testable.
