Hacker News new | ask | show | jobs
by kube-system 2246 days ago
I'm not so sure about that.

AWS terms do not assign their customers any rights to any physical computer. And the AWS customer agreement gives Amazon the authority to access your data for certain purposes.

I'm not sure I've ever heard of anyone prosecuted under the CFAA for accessing a computer that they physically own and physically control. AWS is a service, not a computer rental.
1 comments
ceejayoz 2246 days ago
https://aws.amazon.com/agreement/

> We will not access or use Your Content except as necessary to maintain or provide the Service Offerings, or as necessary to comply with the law or a binding order of a governmental body.

The CFAA uses wording like "exceeds authorized access", which Amazon would absolutely be guilty of if they went into your database to spy on your product listings.

If they could go after Aaron Swartz for using authorized access in an unauthorized way, it seems likely it could be applied here.

link
SkyBelow 2246 days ago
"One reason we could charge the price we did for the service is that we were treating the data we had access to as an investment. Thus the data we accessed was done so to ensure the service could be maintained."

Would a judge accept that argument? From me? No. From the lawyers Amazon can afford? I wouldn't be comfortable betting either way.

link
tehjoker 2245 days ago
A reminder that the legal system is designed to serve the wealthy, and few are wealthier than Amazon. It's not absolute, but the little guy isn't going to walk away with Bezo's fortune in damages.
link
kube-system 2246 days ago
The CFAA doesn't protect "content", though. It protects "protected computers".

In this case, Amazon fully owns, possesses, and operates the "protected computer".

You'd have to successfully argue that Amazon fraudulently accessed their own computer. It might be possible, but I'm guessing it'd be a first.

The difference in Aaron's case is huge: he didn't own the computers that hosted JSTOR.

link
ceejayoz 2246 days ago
The Amazon employee accessing the data would be "exceeding authorized access".

> The difference in Aaron's case is huge: he didn't own the computers that hosted JSTOR.

His access was authorized, though. They still threw CFAA at him.

link
kube-system 2246 days ago
"exceeding authorized access" is not enough to violate the CFAA.

You have to "exceed authorized access to a protected computer"

The CFAA is not a data protection law. It is a computer protection law.

link
ceejayoz 2246 days ago
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

> In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.

link
kube-system 2246 days ago
Sure. The question I am alluding to is: can someone defraud their own computer?

Maybe it is possible, but the consequences to answering 'yes' to this is pretty scary.

link