[LocalPCGuy]

I was initially going to say no, that when he went on to damage files, he caused material harm. He was not authorized to "damage" the system, and although he had access to the system and so gaining access in and of itself is not a crime, causing damage would be.

But then I looked into the case a bit closer and I start to think he has an argument for not being charged under the CFAA. As with many laws, intent matters, so it is possible that if his intent was to harm the business, there may well be charges that could be applied in that realm. And obviously he could be held civilly liable for damages, which is no different than any other employee who does something to damage their employer's equipment. Offline example - if I work at a construction company, and I wreck construction equipment because I wasn't happy my co-worker got fired, that isn't going to be a criminal offense, but the company will likely fire me and try to collect damages.

So I'm going to go back on my initial judgement and say that I think he may have grounds to get his conviction overturned and while he may be charged with other crimes, not sure it would come from the CFAA.

*disclaimer, not a lawyer

[matthewmarkus]

If the CFAA doesn't apply to sys admins working at the highest levels of authorization, it seems to be a useless law. Foreign actors can simply hire sys admins to access whatever they want, no need for hacking.

I really do think the court has opened Pandora's box on this one. They should've voided the statute for vagueness if that was the concern. As it stands now, it has to be one of the dumbest laws on the books.

[JumpCrisscross]

> Foreign actors can simply hire sys admins to access whatever they want, no need for hacking

This is prosecutable under a myriad of existing laws. CFAA was specifically crafted to deter and punish hacking. As far as I know, that's still very much a thing.

[treis]

It's not immediately clear which laws. The whole point of the CFAA was that existing trespass & theft laws don't really work for digital files.

[JumpCrisscross]

> not immediately clear which laws

Yes it is, theft of trade secrets [1].

[1] https://www.justice.gov/opa/pr/former-dow-research-scientist...

[pbhjpbhj]

Espionage is illegal.

[wslack]

> If the CFAA doesn't apply to sys admins working at the highest levels of authorization, it seems to be a useless law. Foreign actors can simply hire sys admins to access whatever they want, no need for hacking.

It's still illegal to steal IP. But no, you can't charge a janitor with keys to the whole building for breaking and entering if he uses those keys to steal something.

You charge him for theft.

[LocalPCGuy]

Companies have a responsibility to vet their employees, first. I don't know how that is affected by the CFAA being a bit more constrained than it was before, which was extremely overly broad.

I strongly disagree with your assessment (re: Pandora's box, dumbness), but I do think and acknowledge it is a law worthy of being replaced with one more up to date and more clear.

[ByteJockey]

It prevents you from using someone else's credentials to access the system.

It prevents a whole bunch of other sophisticated attacks as well, but let's be honest, people just giving out their password or using a really weak password is the most likely scenario.