| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by rurabe 1841 days ago

There are so many things going on here it's easy to conflate them but here's how I read it:

The CFAA is a law about how access is attained not what is accessed. There may or may not be other laws that have penalties for what is accessed given the nature of what is accessed, but that is a separate issue from the CFAA.

For example, I am sure that there is some statue I would be in violation of for walking out of a CIA office with a binder of classified information. This should be illegal regardless of how it's accomplished.

By contrast I think it should probably be a crime to gain access to a system through either technical exploits or social engineering, even if all you do is access cat memes that were public anyway.

Layered on these issues is whether you think judges should stick to literal textual interpretations or rule based on the projected impacts of their decisions.

Personally, as many have laid out, a strict textual approach opens the door to let private companies write felony law for literally anything they want, which seems an unworkable way to run a society.

I think it's much more prudent to restrict this law to methods of access and allow other laws dictate what can and can't be accessed or used (copyright law, state secrets etc).

A final question is how to test for whether methods are authorized or not. Someone here suggested the test should be the inclusion of "material deception". This I think falls short because a lot of behavior that we would not want to criminalize would satisfy the test. Should it be illegal to use a VPN? Because I can see that being construed as material deception. Sacha Baron Cohen dressed up as Borat is unquestionable material deception but I don't think it should be illegal for him to use a computer when doing so.

Ultimately I don't know that there is a bright line definition, but that's okay because we use a "reasonable person" standard a lot in law, (and we should seek to seat judges that are the most reasonable of us).

- No reasonable person would impersonate another to customer service to steal their phone and thus password. - A reasonable person might want to use a VPN to avoid being tracked by private corporations. - No reasonable person would exploit a zero day bug on a major corporation. - A reasonable person might change their user agent to see how a site looks on a phone. - A reasonable person might look up and save articles from a database they have access to.