by matthewmarkus 1834 days ago
Yeah, I don't buy this line of argumentation. Suppose the locked room is an apartment and the person with a key is your landlord. I'm pretty sure he's not authorized to enter and do whatever.

A plain reading of "authorized" means "having official permission or approval." Van Buren might have been "authorized" to access the system but he certainly wasn't "authorized" to access certain data for cash bribes.

I guess I'm at a loss to see this as a "win" for civil liberties, but maybe I'm missing something.

You're trying to make the same argument as in the dissent, but the Court decision spent something like parts of 5 pages defining the word "so" and how this specific law applies to this kind of situation.

It's a win for civil liberties because how an employer writes their policies should not potentially open an individual up to federal criminal prosecution under the CFAA specifically.

So, what about the Michael Thomas case? Does this verdict overturn his conviction?

http://www.epspros.com/news-resources/news/2018/it-worker-lo...

"Mr. Thomas challenged the verdict, arguing that his conduct was not illegal because his IT position provided him full access to the system and empowered him to 'damage' the system by deleting files or taking the system offline. Thus, any acts were not 'without authorization.' The Fifth Circuit rejected this argument, finding that the statute’s prohibition against exceeding authorized access applies to insiders who go beyond the permission granted them in order to cause damage."

I was initially going to say no, that when he went on to damage files, he caused material harm. He was not authorized to "damage" the system, and although he had access to the system and so gaining access in and of itself is not a crime, causing damage would be.

But then I looked into the case a bit closer and I start to think he has an argument for not being charged under the CFAA. As with many laws, intent matters, so it is possible that if his intent was to harm the business, there may well be charges that could be applied in that realm. And obviously he could be held civilly liable for damages, which is no different than any other employee who does something to damage their employer's equipment. Offline example - if I work at a construction company, and I wreck construction equipment because I wasn't happy my co-worker got fired, that isn't going to be a criminal offense, but the company will likely fire me and try to collect damages.

So I'm going to go back on my initial judgement and say that I think he may have grounds to get his conviction overturned and while he may be charged with other crimes, not sure it would come from the CFAA.

*disclaimer, not a lawyer

If the CFAA doesn't apply to sys admins working at the highest levels of authorization, it seems to be a useless law. Foreign actors can simply hire sys admins to access whatever they want, no need for hacking.

I really do think the court has opened Pandora's box on this one. They should've voided the statute for vagueness if that was the concern. As it stands now, it has to be one of the dumbest laws on the books.

> Foreign actors can simply hire sys admins to access whatever they want, no need for hacking

This is prosecutable under a myriad of existing laws. CFAA was specifically crafted to deter and punish hacking. As far as I know, that's still very much a thing.

It's not immediately clear which laws. The whole point of the CFAA was that existing trespass & theft laws don't really work for digital files.

> If the CFAA doesn't apply to sys admins working at the highest levels of authorization, it seems to be a useless law. Foreign actors can simply hire sys admins to access whatever they want, no need for hacking.

It's still illegal to steal IP. But no, you can't charge a janitor with keys to the whole building for breaking and entering if he uses those keys to steal something.

You charge him for theft.

Companies have a responsibility to vet their employees, first. I don't know how that is affected by the CFAA being a bit more constrained than it was before, which was extremely overly broad.

I strongly disagree with your assessment (re: Pandora's box, dumbness), but I do think and acknowledge it is a law worthy of being replaced with one more up to date and more clear.

It prevents you from using someone else's credentials to access the system.

It prevents a whole bunch of other sophisticated attacks as well, but let's be honest, people just giving out their password or using a really weak password is the most likely scenario.

He'd presumably be guilty of other things but those might well be civil. IANAL. But when laws/interpretations change, they're not necessarily retroactive.

Private corporations are not legislatures. If you are an invited guest to my house and I say it's not ok to drink wine out of a shot glass, and instead you must always drink from a wine glass when in my house, and you do it, that's not a felony. If the family album is on the couch and I give it to you and say you can look at it, but don't look at the last two pages which have the pictures of the wife nude and you do that, that's not a felony.

You could, in both cases, theoretically argue that it's a trespass to chattels and get nominal damages, but that's a civil matter.

"Yeah, I don't buy this line of argumentation. Suppose the locked room is an apartment and the person with a key is your landlord"

So he would not be Breaking and Entering, and if he has a valid reason such as emergency it would be legal.

There are different crimes with different punishments and it's important the right ones are applied.

Fraud and theft are different. Manslaughter and murder are different. Sexual harassment and rape are different.

"If a landlord does not give notice to the tenants or enters for an unauthorized purpose, the landlord may be charged with trespassing" [1].

[1] https://www.criminaldefenselawyer.com/resources/can-you-tres...

Which is different than breaking and entering

Yes, sure. But the point is that, under certain circumstances, the use of the key can exceed your level of authorization. Possession of the key isn't a get out of jail free card.

The point seems to be that using the key isn’t the crime.