[HN Gopher] Van Buren is a victory against overbroad interpretat...
___________________________________________________________________
Van Buren is a victory against overbroad interpretations of the
CFAA
Author : sohkamyung
Score : 163 points
Date : 2021-06-04 01:32 UTC (21 hours ago)
(HTM) web link (www.eff.org)
(TXT) w3m dump (www.eff.org)
| giantg2 wrote:
| Generally good news. I just hope they have specific laws about
| abusing government data. For example, the LEO taking money to do
| searches of the database and releasing that otherwise protected
| information.
| caturopath wrote:
| Oral arguments at https://www.oyez.org/cases/2020/19-783 if
| anyone wants to listen, along with other information.
| PureParadigm wrote:
| The key takeaway for me is how this decision affects port
| scanning. According to the article:
|
| > _Van Buren_ is really good news for port scanning, for example:
| so long as the computer is open to the public, you don't have to
| worry about the conditions for use to scan the port.
|
| As a frequent user of nmap, this is good to hear.
| chx wrote:
| OK that's good to hear yes.
|
| But I am confused by the implications here.
|
| How is port scanning different legally from brute forcing
| passwords? Iterating integers is fine, iterating the dictionary
| is not? What if there's an integer ID in the URL but it's MD5
| hash'd and I recognize it for what it is and iterate integers and
| MD5 them?
| rocqua wrote:
| I think brute-forcing passwords offline isn't illegal under
| the CFAA. Using a password you got that way would be illegal.
|
| Similarly, password stuffing (just trying many passwords on
| the login form) would be illegal, since you are trying to
| gain access. Not sure how that works if you are not
| successful though.
|
| Port-scanning would be fine. Interesting edge case is, what
| happens if you port-scan, find an open telnet port, and use
| it to get a shell. There is no authentication, but does that
| mean you are authorized? My gut says that logging in to such
| a telnet port (when the device is not yours) is a CFAA
| violation. Just like walking in to a random house when the
| door is open is still illegal.
| quickthrowman wrote:
| Brute forcing passwords is attempting to access a computer
| without authorization, port scanning.. is not
| parsimo2010 wrote:
| It's not about the techniques used, it's about the intent of
| the functions. Remember that we're in the legal domain and
| sometimes a common sense argument prevails even if there are
| some potential holes (if a hole is discovered, a future court
| case can worry about it). Port scanning is like looking at
| the outside of a house and noting where the doors and windows
| are. Brute forcing a password is like picking a lock to gain
| access to something, or possibly identity theft to
| authenticate yourself as someone else. Judges can easily
| understand the difference even if the technical method might
| be similar. Nobody is going to believe you "port scanned"
| your way into someone's online banking access and took money
| out of their account.
| ncallaway wrote:
| > How is port scanning different legally from brute forcing
| passwords?
|
| Because humans are trivially able to recognize the difference
| between those two activities. A judge that has that case in
| front of them can _really_ easily see the difference between
| those activities.
| peterkelly wrote:
| Related: "Aaron Swartz, Vindicated"
| https://news.ycombinator.com/item?id=27394974
| sigzero wrote:
| Except he wasn't. Not by this ruling.
| olliej wrote:
| I mean he's dead and that's an ok result for the police,
| being guilty or not doesn't really matter. And we'll never
| know if this ruling would be sufficient because again, he's
| dead.
| gscott wrote:
| There should be some sort of count of people who committed
| suicide because of overcharging by prosecutors.
| perihelions wrote:
| Also related: "US Supreme Court Restricts Scope of Computer
| Fraud and Abuse Act [pdf]"
|
| https://news.ycombinator.com/item?id=27382752
| mywittyname wrote:
| This ruling is really confusing for me. So I feel pretty strongly
| that what van Buren did is a massive abuse of authority and it
| warrants punishment. Yet so many people I usually agree with
| (SCOTUS judges, EFF, privacy lawyers) are all calling this a win.
|
| Am I missing something? To me, this ruling means that if a person
| is granted technical access to a computer system, then that
| person cannot be held criminally liable for anything they do with
| access to that system, even if the owner explicitly prohibits it.
|
| In other words, let's say I work at a gay hookup website and they
| grant me access to their production database as part of my job.
| If I start selling off information about user to third parties
| (say journalists), how can that be legal?
|
| Aside, I do understand and agree with the argument allowing for
| spidering and screen scraping. Like, if I buy a subscription to
| an online parts catalog, I should be able to use a bot to access
| that data in the same ways a human could.
| monocasa wrote:
| Van Buren was also convicted of wire fraud for the same act,
| with a concurrent prison sentence with the CFAA count of the
| same length (18 months). So at least in this case he's getting
| the same punishment either way for his actions.
|
| Reducing the scope of the CFAA in case law just means that we
| take the teeth out of an overused and honestly crappy law that's
| ruined lives without reason to.
| 0110101001 wrote:
| The guy was also convicted of wire fraud and bribery. Those
| charges were not at question in this decision. This decision
| only says that looking up records you have access to is not
| hacking.
| ddlatham wrote:
| Perhaps it would be helpful to consider an offline analogy.
| Suppose there were no computers involved and all the
| information was stored in files in a locked room.
|
| Now Van Buren is given a key to access the filing room for his
| duties, and then uses his key to go in and look up the file on
| some license plate in exchange for money.
|
| Clearly, this is a terrible breach of trust and authority. It
| should be against policy. He should be fired. Likely there
| should also be criminal statutes about police or government
| employees selling or abusing government records.
|
| But he's not guilty of breaking and entering. He was given
| access to that data, even if this is not what he was supposed
| to be going in there for.
|
| As one of the justices noted, if merely misusing computer
| access that you were otherwise allowed to access were a
| criminal offense, then potentially "an employee sending a
| personal email or checking sports scores on a work device"
| could be criminal, rather than just breaking a company policy.
| matthewmarkus wrote:
| Yeah, I don't buy this line of argumentation. Suppose the
| locked room is an apartment and the person with a key is your
| landlord. I'm pretty sure he's not authorized to enter and do
| whatever.
|
| A plain reading of "authorized" means "having official
| permission or approval." Van Buren might have been
| "authorized" to access the system but he certainly wasn't
| "authorized" to access certain data for cash bribes.
|
| I guess I'm at a loss to see this as a "win" for civil
| liberties, but maybe I'm missing something.
| ClumsyPilot wrote:
| "Yeah, I don't buy this line of argumentation. Suppose the
| locked room is an apartment and the person with a key is
| your landlord"
|
| So he would not be Breaking and Entering, and if he has a
| valid reason such as emergency it would be legal.
|
| There are different crimes with different punishments and
| it's important the right ones are applied.
|
| Fraud and theft are different. Manslaughter and murder are
| different. Sexual harassment and rape are different.
| LocalPCGuy wrote:
| You're trying to make the same argument as in the dissent,
| but the Court decision spent something like parts of 5
| pages defining the word "so" and how this specific law
| applies to this kind of situation.
|
| It's a win for civil liberties because how an employer
| writes their policies should not potentially open an
| individual up to federal criminal prosecution under the
| CFAA specifically.
| matthewmarkus wrote:
| So, what about the Michael Thomas case? Does this verdict
| overturn his conviction?
|
| http://www.epspros.com/news-resources/news/2018/it-worker-lo...
|
| "Mr. Thomas challenged the verdict, arguing that his
| conduct was not illegal because his IT position provided
| him full access to the system and empowered him to
| 'damage' the system by deleting files or taking the
| system offline. Thus, any acts were not 'without
| authorization.' The Fifth Circuit rejected this argument,
| finding that the statute's prohibition against exceeding
| authorized access applies to insiders who go beyond the
| permission granted them in order to cause damage."
| ghaff wrote:
| He'd presumably be guilty of other things but those might
| well be civil. IANAL. But when laws/interpretations
| change, they're not necessarily retroactive.
| LocalPCGuy wrote:
| I was initially going to say no, that when he went on to
| damage files, he caused material harm. He was not
| authorized to "damage" the system, and although he had
| access to the system and so gaining access in and of
| itself is not a crime, causing damage would be.
|
| But then I looked into the case a bit closer and I start
| to think he has an argument for not being charged under
| the CFAA. As with many laws, intent matters, so it is
| possible that if his intent was to harm the business,
| there may well be charges that could be applied in that
| realm. And obviously he could be held civilly liable for
| damages, which is no different than any other employee
| who does something to damage their employer's equipment.
| Offline example - if I work at a construction company,
| and I wreck construction equipment because I wasn't happy
| my co-worker got fired, that isn't going to be a criminal
| offense, but the company will likely fire me and try to
| collect damages.
|
| So I'm going to go back on my initial judgement and say
| that I think he may have grounds to get his conviction
| overturned and while he may be charged with other crimes,
| not sure it would come from the CFAA.
|
| *disclaimer, not a lawyer
| matthewmarkus wrote:
| If the CFAA doesn't apply to sys admins working at the
| highest levels of authorization, it seems to be a useless
| law. Foreign actors can simply hire sys admins to access
| whatever they want, no need for hacking.
|
| I really do think the court has opened Pandora's box on
| this one. They should've voided the statute for vagueness
| if that was the concern. As it stands now, it has to be
| one of the dumbest laws on the books.
| ghaff wrote:
| Those sysadmins could probably spend the next 10 years in
| civil court, possibly be exposed to various criminal
| charges potentially including the Foreign Corrupt
| Practices Act. Doesn't seem that straightforward.
| JumpCrisscross wrote:
| > _Foreign actors can simply hire sys admins to access
| whatever they want, no need for hacking_
|
| This is prosecutable under a myriad of existing laws.
| CFAA was specifically crafted to deter and punish
| hacking. As far as I know, that's still very much a
| thing.
| kstrauser wrote:
| I think there's a solid online analogy for HIPAA data.
|
| Certain employees at a hospital have authorization to pull up
| medical records as part of their jobs. It is extremely
| illegal for them to view records that aren't required for
| specific work purposes. If a nurse is treating Jane Smith in
| room 203, it's OK and normal for her to look at Jane Smith's
| records. It's absolutely _not_ OK, and punishable with huge
| fines, for her to pull up her ex-boyfriend's records just
| out of curiosity.
|
| However, it's _not_ a violation of the CFAA for her to look
| at her ex's data. It's 100% against _HIPAA_, but she didn't
| have to break into a computer system to view them. She was
| authorized to access the system. She wasn't authorized (by
| virtue of her work requirements) to pull up those specific,
| but as a nurse, the system permitted her to without going
| around any login prompts or doing anything harder than typing
| "John Doe" into the search box.
|
| That's the distinction that the CFAA cares about. It's about
| breaking into systems, or, at least, that's why it was
| written and that's how the SCOTUS just ruled that it was
| meant for. It's about access to the system in general, not
| access to a specific record in the system. There are other
| laws that govern those specifics.
| treis wrote:
| >But he's not guilty of breaking and entering
|
| He is in my state:
|
| >A person commits the offense of criminal trespass when he or
| she knowingly and without authority:
|
| >(1) Enters upon the land or premises of another person or
| into any part of any vehicle, railroad car, aircraft, or
| watercraft of another person for an unlawful purpose;
| foota wrote:
| It seems to me like the issue here is that reasonable people
| disagree on where the boundary between work misconduct and
| criminal liability is, and that computers being involved are
| pushing that to the forefront in these kinds of cases.
| bobthepanda wrote:
| Also there is no reason that misconduct of this kind
| couldn't be prosecuted under laws preventing similar
| breaches that aren't digital in nature.
|
| Selling private data for bribes should be illegal whether
| or not it's a database or a file cabinet.
| ddlatham wrote:
| I agree that defining where the boundary should be is
| tricky in practice, and it's a good point that this was
| hardly a unanimous decision, not to mention overruling the
| appealed ruling.
|
| On the other hand, the underlying law, the CFAA, is about
| more than just workplace issues like this issue.
| Interpreting it broadly could mean that violating some
| terms of use could be a criminal offense, and I am glad
| that the court avoided that interpretation. It's better
| having this law be more specific to the intent of
| criminalizing "hacking" and leaving other laws or policies
| to deal with how one might abuse computers or networks that
| one is otherwise entitled to access.
| caturopath wrote:
| Van Buren clearly committed a heinous act and should be
| punished.
|
| The issue is that this is a hacking statute. He didn't hack into
| the system, he just used it in a bad way. The punishment should
| be the same if he got it from a filing cabinet he had the keys
| to.
|
| The takeaway isn't "If you have access, everything you do is
| legal" -- not for computers, not for filing cabinets.
| JoeCortopassi wrote:
| In your example, the information you sell would still be
| illegal, it just wouldn't have the added crime of hacking aka
| "unauthorized access" attached to it.
|
| People are calling this a win because the CFAA, as it used to
| be interpreted, would have had you potentially charged for
| changing the url of this post from
| 'https://news.ycombinator.com/item?id=27389500' to this
| 'https://news.ycombinator.com/item?id=waffles'. This allowed
| cops/feds to charge you with crazy high penalties if they
| really wanted to make you sweat, see Aaron Swartz
|
| Some of the most memorable SCOTUS cases had less than noble
| test cases (ever hear of Miranda rights?
| https://en.wikipedia.org/wiki/Miranda_v._Arizona). SCOTUS isn't
| deciding if the defendant is a dirt bag or not, just if the
| very specific law is valid/applied correctly
| willseth wrote:
| > Am I missing something? ... it warrants punishment.
|
| The decision does not prevent punishment. It narrows the scope
| of how the CFAA can be applied. Had it been interpreted as
| broadly as the government asked, terms of service violations
| would be open to Federal prosecution. The EFF article lays out
| some particularly troublesome implications, like criminalizing
| the use of your work computer for personal matters.
|
| > If I start selling off information about user to third
| parties (say journalists), how can that be legal?
|
| It's not. The decision simply states that because you were
| given access, you can't be charged specifically for hacking.
| You would still be on the hook for stealing and selling the data.
| cbsmith wrote:
| > This ruling is really confusing for me. So I feel pretty
| strongly that what Van Buren did is a massive abuse of
| authority and it warrants punishment.
|
| I wouldn't disagree with your judgement here, but you wouldn't
| charge him with murder right? Neither should you charge him
| with hacking.
|
| > If I start selling off information about user to third
| parties (say journalists), how can that be legal?
|
| Well, by default it would be legal, except I imagine any
| employment contract would have a provision around privacy,
| disclosure, and trade secrets, etc. You'd be in violation of
| the contract, and since you made money from it, some form of
| fraud or similar would apply.
|
| The question is, would you consider that the _same_ crime as
| someone without access to the production database breaking in
| and grabbing the data, and perhaps just giving it away for free
| (so they'd avoid committing a bunch of other criminal acts).
| 1vuio0pswjnm7 wrote:
| "This ruling is really confusing to me. So I feel like what Van
| Buren did is a massive abuse of authority and it warrants
| punishment."
|
| The Supreme Court decision does not by itself exonerate Van
| Buren. It just remands the case to the lower court to decide
| again, taking into account the clarification of the CFAA's
| applicability. Van Buren could still be found guilty and
| punished, on other grounds.
|
| Just because some action involves a computer (database) and
| does not violate the CFAA does not necessarily mean it will not
| trigger potential culpability or liability under other criminal
| or civil law.
| LocalPCGuy wrote:
| It isn't saying it is legal, just that it doesn't run afoul of
| the CFAA and become a federal computer hacking crime. There may
| very well be other laws and repercussions, whether at different
| levels, like State, or being fired, etc.
|
| It is refreshing because it doesn't put the risk of federal
| criminal prosecution at the whim of how an employer writes
| their policies.
| cletus wrote:
| Just because someone did something wrong and should be punished
| doesn't mean they committed murder.
|
| Just because a computer was used doesn't mean it was "hacking".
|
| The Supreme Court essentially limited the scope of the CFAA to
| unauthorized access of a computer system. That is a good thing.
| The alternative is your employer could institute a policy
| change in what you can use internal systems for and you could
| find yourself on the wrong end of a CFAA "hacking" criminal
| prosecution. That's not hyperbole.
|
| On a side note, we once again find Thomas on the wrong side of
| history. The dissenters have gone well beyond what they might
| argue is strict textualism to simply supporting broad
| authoritarianism.
|
| Aaron Swartz is frequently brought up here as a prime example
| of prosecutorial overreach. For example, he was charged with
| "hacking" with the (then) interpretation of the CFAA, which
| then compounded to other charges, like breaking and entering to
| commit a felony (CFAA "hacking" was that felony).
|
| We need less not more overbroad legislation.
| belorn wrote:
| My understanding of the issue is that the prosecutor chose to
| use the CFAA rather than going after the real crime because of
| the circumstances.
|
| The accused in the case was caught in a sting operation. The
| police created a fake situation where they pretended to have an
| undercover agent, and tried to see if the accused would
| interfere with the case. He did. The prosecutor however did not
| charge the accused over obstruction of justice, but rather CFAA
| and hacking charges. I would guess that the reason is that the
| prosecutor thought it was easier than charging someone with
| interfering with a fake case.
|
| From what I understand, courts and judges do not like it when
| either side tries to be clever. CFAA is not a tool to be used
| when the prosecutor wants to avoid a more difficult case, and so
| it needed to be limited in scope.
| amelius wrote:
| > I should be able to use a bot to access that data in the same
| ways a human could.
|
| I don't think even this is something that follows naturally.
|
| For example, a human can sit next to the highway and write down
| license plates. However, it is still a crime if you use a
| computer to do the same (and perhaps sell a huge database
| containing this information).
| stachetoverlord wrote:
| Where is this a crime? Dashcams are generally not illegal.
| dragonwriter wrote:
| > So I feel pretty strongly that what van Buren did is a
| massive abuse of authority and it warrants punishment. Yet so
| many people I usually agree with (SCOTUS judges, EFF, privacy
| lawyers) are all calling this a win.
|
| Whether Van Buren deserves punishment is a separate question
| from whether the legal theory the DoJ sought to use to get him
| punished was proper.
|
| > Am I missing something? To me, this ruling means that if a
| person is granted technical access to a computer system, then
| that person cannot be held criminally liable for anything they
| do with access to that system, even if the owner explicitly
| prohibits it.
|
| No, it doesn't. This is not a finding that the activity is
| Constitutionally protected, or even non-criminal in any broad
| sense, but that it is not within the scope of the criminal
| provisions of the CFAA, which is a win, because the
| interpretation of the CFAA necessary to make it applicable is
| ludicrously broad.
|
| > In other words, let's say I work at a gay hookup website and
| they grant me access to their production database as part of my
| job. If I start selling off information about user to third
| parties (say journalists), how can that be legal
|
| It shouldn't be, but that doesn't justify abusing the CFAA into
| a blank prosecutorial check.
| tialaramex wrote:
| > Whether Van Buren deserves punishment is a separate
| question from whether the legal theory the DoJ sought to use
| to get him punished was proper.
|
| Exactly.
|
| https://www.youtube.com/watch?v=PDBiLT3LASk
|
| "That man's bad" / "There's no law against that" "Whilst you
| talk he's gone" / "And go he should, if he were the devil
| himself until he broke the law".
| walrus01 wrote:
| > So I feel pretty strongly that what van Buren did is a
| massive abuse of authority and it warrants punishment.
|
| After reading the background info in the Supreme Court decision
| PDF... Agreeing to accept a $5000 cash bribe from some sketchy
| dude for information available only to law enforcement,
| undoubtedly falls within many existing anti-corruption laws
| that he could have been prosecuted under.
| billiam wrote:
| The decision is not about other laws for criminally misusing
| information, as in your example, it is about the fact that the
| CFAA is a bad law written by legislators who did not understand
| (and appeared to be afraid of) computers.
| kragen wrote:
| The opinion doesn't mean they can't be held criminally liable
| for anything they do with access to that system, just that the
| CFAA isn't the law that is broken. That means that the
| punishment or restitution imposed, if any, has to do with some
| other harm that was caused, over and above the mere fact of,
| for example, your "intrusion" into Facebook's computers by
| posting a photo of a cartoon character and thus violating
| Facebook's terms of service.
|
| In your gay-hookup-website example, you might be civilly or
| criminally liable in various states of the US under a variety
| of laws that have nothing to do with computers. For example:
|
| * an invasion-of-privacy tort or negligent-infliction-of-
| emotional-distress tort due to publicly disclosing private
| facts about the plaintiffs;
|
| * a breach-of-contract tort or tortious-interference tort or
| negligence due to damaging your employer's business relations
| with the users (especially if you signed an NDA);
|
| * a misappropriation-of-trade-secrets tort arguing that the
| users' information is a "trade secret" of the employer;
|
| * a breach-of-fiduciary-duty tort claiming that if someone was
| going to get paid for the users' information it should have
| been your employer and not you;
|
| * a breach-of-confidence tort claiming that your employer owed
| the users a duty of confidentiality, and you correspondingly
| owed it to your employer, and that you breached it by selling
| the data to journalists; or
|
| * a conversion tort because you used the computer system in a
| way you were not authorized to use it.
|
| (Also, the employer can probably recover whatever you were paid
| with an unjust-enrichment tort.)
|
| Aside from being a tort, trade-secret theft is also a federal
| crime, so if your employer can persuade a prosecutor to go
| after you, they may be able to get you jail time. IANAL but I
| think the trade-secret case here is kind of weak, because in
| your scenario I think the journalist isn't running a competing
| gay-hookup website, so they aren't competing with your
| employer. There's also a crime of "criminal conversion", which
| I think is also kind of a stretch, since the employer can still
| use the computer system.
|
| However, there was a _civil_ conversion award for conversion of
| computer programs in Alabama in 01978, and another for
| conversion of personal information in New York in 02007:
| https://www.law.cornell.edu/nyctap/I07_0029.htm and in Oregon
| in 02013:
| https://www.tradesecretslaw.com/wp-content/uploads/sites/232....
| Such innovations are still controversial and not widely accepted:
| https://www.nortonrosefulbright.com/-/media/files/nrf/nrfweb...)
| Miner49er wrote:
| If ruled the other way then basically everyone who works a desk
| job would be breaking the CFAA daily. Let me explain.
|
| If an employer only allowed employees to use their work
| computers for work (I assume most do, at least officially) as
| soon as an employee does anything personal on it (checks FB,
| checks HN, etc) even if on lunch break, they have exceeded
| their authorization, broken the law under the CFAA, and face up
| to 10 years in prison.
| WillPostForFood wrote:
| That's incorrect. If you read the full statute, it has to be
| unauthorized access combined with some sort of theft of data,
| or access of governmental records. It wouldn't apply to
| browsing public sites. The specific subsection that was
| applied to Van Buren lays out three cases. Unauthorized
| access plus obtaining:
|
| (A)information contained in a financial record of a financial
| institution, or of a card issuer as defined in section
| 1602(n) [1] of title 15, or contained in a file of a consumer
| reporting agency on a consumer, as such terms are defined in
| the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
|
| (B)information from any department or agency of the United
| States; or
|
| (C)information from any protected computer;
| rurabe wrote:
| Thanks for posting this, I didn't realize there was such
| a tangle of definitions as to what was accessed.
|
| That said, doesn't this pretty much include anything on the
| web?
|
| (a)Whoever-- (2)intentionally accesses a computer without
| authorization or exceeds authorized access, and thereby
| obtains-- (C)information from any protected computer;
|
| where a "protected computer" is:
|
| (e)As used in this section-- (2) the term "protected
| computer" means a computer-- (B) which is used in or
| affecting interstate or foreign commerce or communication
|
| seems like that would catch an awful lot of webservers.
| walshemj wrote:
| I'd agree all this means a bent cop got off on a technicality
| and the tabloid press get a free pass.
| quickthrowman wrote:
| He was still convicted of wire fraud and bribery, how is that
| a free pass?
| walshemj wrote:
| The tabloids can dodge some of the consequences see the
| hacked off campaign in the UK
| rurabe wrote:
| The CFAA is a law about _how_ you access systems, so this
| ruling defines "authorization" under the CFAA as "had
| legitimate access to this system" only.
|
| There are many other laws that you can still be charged with
| that govern _what_ you access, irrespective of _how_, i.e.
| copyright, child porn, confidential information.
|
| The people who view this as a win are worried that if
| "authorization" is defined as "against any rule, made by
| anyone" then the CFAA could be used to criminalize almost
| anything online. Note that restriction of the CFAA does not let
| you off the hook of other laws.
|
| The people who worry about this are worried that judges had to
| use a fair bit of extrapolation and guessing as to the intent
| and effects of the law because the wording is pretty vague, and
| probably problematic for internet activity if interpreted very
| narrowly.
| ghaff wrote:
| The majority are happy to see that minor or even trivial access
| of things people aren't "supposed" to look at--even though they
| have access to systems--are no longer CFAA violations. The
| assumption is that if it isn't trivial they're probably
| violating some other law or at least doing something they'll be
| fired for.
|
| That said, I have sympathy for the dissent as well which
| essentially argues that the majority is drawing an awful fine
| distinction here. i.e. so long as you're OK to access a system
| for _some_ purpose, you're fine so far as the CFAA is
| concerned.
| LocalPCGuy wrote:
| > so long as you're OK to access a system for some purpose,
| you're fine so far as the CFAA is concerned
|
| This is a pretty gross simplification of the position by the
| majority. I get it was an example and maybe a bit
| exaggerated, but wanted to point this out. They even
| specifically said that you have to have the specific access
| to the information you are retrieving - the example
| (paraphrased) was if you have access to folder X, but not
| folder Y, and you then access folder Y, you are now in
| violation.
|
| If anything, the minority was basically being, IMO, too
| trusting that people with the authority to bring these
| charges would be reasonable and exercise it in an unbiased
| and even manner.
| ghaff wrote:
| Fair enough. I was using "system" in the sense of
| collection of resources/information--not necessarily
| everything connected to it in some manner.
|
| I'm not unhappy with the result. I also think it draws a
| very narrow line that doesn't really exist in the law
| (which is why you see Thomas et al dissenting).
| olliej wrote:
| All the ruling says is that he didn't violate the CFAA. It
| doesn't say anything about bribery laws, selling government
| information, etc
|
| It is typical for a prosecution to include every charge
| possible. In this case they included the CFAA, and the Supreme
| Court said that particular charge was an invalid application of
| that particular law. It has no effect on any other charges, and
| no effect on any other laws.
| fron wrote:
| > then that person cannot be held criminally liable for
| anything they do with access to that system, even if the owner
| explicitly prohibits it.
|
| They would not be criminally liable under CFAA, but they can
| absolutely be charged with other crimes in such a circumstance
| TazeTSchnitzel wrote:
| > To me, this ruling means that if a person is granted
| technical access to a computer system, then that person cannot
| be held criminally liable for anything they do with access to
| that system
|
| That is not the meaning of the ruling. Nothing precludes trying
| someone for other crimes.
| babypuncher wrote:
| What he did was despicable and a grotesque abuse of his
| position, but it had nothing to do with hacking.
|
| The prosecutors decided to charge him under the CFAA because
| the data he sold for money was stored in a computer system. Van
| Buren accessed data he was authorized to access, using his own
| perfectly valid credentials. Because of this, the Supreme Court
| says it is not a violation of the Computer Fraud and Abuse Act.
| They say that a person cannot be charged under the CFAA just
| because the crime they committed involved a computer.
| monocasa wrote:
| Well, van Buren was convicted of a felony wire fraud charge
| as well with an equal length concurrently served sentence as
| the CFAA charge. So there was another crime we could charge
| him with, and we did successfully. The only difference is the
| lack of a CFAA charge on his record and some good case law
| about what the CFAA actually means so that hopefully it'll
| only be pushed against true computer crimes rather than
| crimes that happen to involve a computer.
| benlivengood wrote:
| This should also make the use of open wireless access points
| legally protected. It was always ridiculous that an AP could
| broadcast "come join me" incessantly but it was potentially
| infringing to actually join and use the advertised network.
___________________________________________________________________
(page generated 2021-06-04 23:00 UTC)