To intentionally access a computer system after being told not to by its owner is, by definition, unauthorized access of a computer system - the core of the Computer Fraud and Abuse Act. That should be pretty clear.
However, the law in question is old and probably doesn't make much sense any more. Claiming that the courts made the wrong decision is nonsense - the law needs to be rewritten.
Isn't this a felony under the Computer Fraud and Abuse Act? It's intentionally exceeding authorized access to a computer and intentionally (not even recklessly) causing damage.
I'm a Brit, and live in the UK but I do access US based computer systems so I suppose I could be subject to this law.
>accesses a computer without authorization or exceeds authorized access
There are two possible meanings of 'authorized access' here. One is authorization by the computer's security system, e.g. file access permissions. The other is authorization according to a contract of some kind. The court in this case used the latter interpretation.
Were the judges even aware that this term could be interpreted in more than one way? What was the intention of the original law in this regard, did it indicate which interpretation(s) were intended?
It's straight up unauthorized access to a computer system. They tell you they don't allow it and you have to pay for it, the author clearly knew that, and evaded the protections. Cite me a legal environment where that is not a crime.
Yes, the law on the subject is mostly nonsense. That said, I've thought a lot on the subject and this is what I think the law should have been -
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
I very much agree here. The problem isn't that there's a law against accessing a computer system without authorization or how it's defined. The problem is that the law treats unauthorized access to a computer system so much more harshly than the equivalent trespasses on physical property. If he'd been charged with a misdemeanor resulting in "a fine of not more than $100 and up to 30 days in jail" I could see that as being a just law. Decades in prison and a felony record? Not so much.
That could be inferred as unauthorized computer systems access under various laws, so I don't personally, but it's definitely something you can try to do in varying degrees.
It looks to me like that only clearly applies to unauthorized access to programs and data stored on a computer. Unauthorized routing of packets through a computer is not obviously covered by that law.
reply