by nols 3344 days ago
The CFAA is absurdly broadly worded, so much so that it's extremely easy to wield against people accused of violating it. The DoJ uses it as their hammer; if they targeted everyone who violated it the jails would be overflowing.

It would be nice if they'd target someone -- like Uber -- who really deserves to be punished for it.
Writing a law that makes basically everyone a criminal and selectively applying it to 'people who deserve it' is the wrong way to approach this problem.
Ah, but Uber can afford a legal team that could make some case law surrounding the CFAA that the DoJ doesn't want to be made.
That's not how the law should work. It's frightening that people think this way and it's the reason the US has the largest incarcerated population in the world.
Yes, my understanding is that criminal prosecutions under the CFAA are relatively rare. It's primarily wielded in civil cases. It seems very unlikely that Kalanick et al would be brought up on criminal charges for this. I'm not a lawyer.
CFAA criminal charges (and the associated sentencing guidelines) were famously used as leverage against Aaron Swartz.

https://www.eff.org/issues/cfaa

"Even first-time offenses for accessing a protected computer without sufficient "authorization" can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government's case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were "unauthorized" access claims."

I doubt Uber had authorization to use Lyft's API in the manner they did.

There have been a lot of cases about companies scraping data from each other. I'm not aware of any that came to criminal charges.

Swartz had illegally entered a staff-only routing closet at MIT and hard-wired his laptop into the router so he could suck down files rapidly. This is what really cast the case as a criminal thing; he was arrested fleeing MIT Police as they pursued what I suspect they only knew as "the guy who is breaking into the closet and doing weird stuff with our network". Once you're taken down on B&E, you already have a prosecutor's attention, and it's common for them to throw on all the charges that they think will stick, especially when they have high resume value like cybercrime prosecution.

Swartz was acting as an activist who had previously acknowledged the illegal nature of his actions in his stirring "Guerilla Open Access Manifesto" [0], which includes the phrase "[t]here is no justice in following unjust laws". He was also operating as an individual outside of the context of a liability shield like a corporation.

I hate the CFAA and regularly post against it on this forum, and I disagree heartily with the prosecution of Swartz. But it's not likely that those criminal charges would be replicated in a B2B scenario where a company accesses an otherwise-public resource, and the furthest they go is using a proxy to shield their identity. Many civil cases where exactly this has happened have been brought without criminal charges being filed, probably most often because the criminal chain reaction never gets activated by something like breaking and entering, as it did in Swartz's case, because personal information is not compromised/leaked, and because the behavior is usually stopped pretty dead by the lawsuit.

I assume if someone were to disobey the judge's injunction preventing them from continuing to violate the CFAA, they'd be arrested initially on contempt charges and then formal charges for breaking the CFAA may be filed.

I'm not a lawyer.

[0] https://archive.org/stream/GuerillaOpenAccessManifesto/Goamj...

Thanks for the very informative comment!

I must ask, as a non-lawyer, how did you learn so much about these things?