Hacker News new | ask | show | jobs
by otterley 1567 days ago
> maximize societal benefit when it comes to internet usage.

How would it maximize societal benefit to make it lawful to access and retain content that the owner didn't intend to make public?

> Intentional access isn't even at issue here. "Knowing" access is all it takes under the law. I put knowing in quotes here because a prosecutor can prove that simply by your violation of the implicit agreement to ToS, even if you never read or knew them.

I do not think this is correct, either under a plain reading of the text, or my experience. I'm looking at CFAA again (18 U.S.C. 1030 et seq.) and I don't see a bare knowledge requirement for any of the enumerated proscribed activities. Can you point to a specific one at issue?

Besides, if you can show that a defendant had knowledge that the content was private and that they wouldn't have had been granted access had they asked the owner permission, yet the defendant proceeded to access the content anyway, how can one not conclude that proceeding further was intentional?

At any rate, if you ever see a case where someone is successfully convicted for unauthorized access without proving an ill intent based on the circumstances of the case, by all means, I'd love to hear about it. But I haven't heard of any so far, and I don't expect to in the future.
1 comments
giantg2 1567 days ago
"How would it maximize societal benefit to make it lawful to access and retain content that the owner didn't intend to make public?"

Because it would lead to companies implementing better cyber security policies and scanning, which reduces our county's susceptibility to foreign attacks, instead of spending money on lawyers just to sue people and spending tax money policing an issue that is the result of poor due diligence on the part of the company. This means that we would strengthen the incentive to prevent issues instead of relying on after the fact actions which may not even be feasible due to international actors. It also can also protect people from inadvertently violating the law and being prosecuted in a biased way if the boundaries of authorizations and public/private resources are more explicitly defined. This will also allow peace of mind for beneficial professionals like security researchers, journalists, and others in fields that currently find themselves at risk of significant legal fees even if they decide not to charge them.

"Besides, if you can show that a defendant had knowledge that the content was private and that they wouldn't have had been granted access had they asked the owner permission, yet the defendant proceeded to access the content anyway, how can one not conclude that proceeding further was intentional?"

How can you prove that, or is that a "reasonable person" (which is especially tricky when it comes to tech)? For example, do you always ask permission before posting or visiting links online? You have no way of knowing if someone is going to give permission or not in most cases. I assume you, like the vast majority of us, access publically available computer resources based on the implied consent that if it was made public, that it's authorized to use. The OP thinks he was allowed to link to public files. I'm inclined to agree. If you put something in public, you should expect the public to interact with it. That's common sense and consistent with concepts already in use in physical property law (viewing/recording private property from a public space).

"At any rate, if you ever see a case where someone is successfully convicted for unauthorized access without proving an ill intent based on the circumstances of the case"

Conviction isn't the only damage. It can cost thousands of dollars just for the legal representation if you are just investigated. The recent high profile MO reporter case is an example of this. The individual came forward with the information showing good faith and still they had to retain legal council to deal with the accusation. Security researchers have no ill intent and they are often the target of the CFAA. United States v Drew shows that it's a CFAA violation just if you create a fake account without knowing it's a ToS violation.

"I'm looking at CFAA again (18 U.S.C. 1030 et seq.) and I don't see a bare knowledge requirement"

You're right that the code required intent. But there have been rulings that just require knowingly accessing a system, and that ToS violations are enough to meet the criteria. Sandvig v Barr demonstrates that ToS violations can be CFAA violations (even though the specific research was found to be excluded). Van Buren v United States and United States v Drew further supports ToS violations being enforced, even if Drew didn't actually know it was a ToS violation.

There are a lot of legal documents around this issue from the EFF and ACLU. They are especially concerned about the lack of definition around what constitutes authorization, a concern I share.

link
otterley 1567 days ago
First, I don't think a majority of Americans are in favor of changing the law such that if they don't protect their stuff, it's free for the taking. We've never had such a default rule and I can't foresee a sea change in attitudes that would have to take place before this happens. It's just not realistic.

Legitimate security researchers get permission from their targets. The current laws don't seem to impede their work very much; there's a healthy market for red teams for hire.

Journalists are in a class by themselves and are subject to First Amendment protections. Whistleblowing isn't at issue here anyway.

> If you put something in public, you should expect the public to interact with it. That's common sense and consistent with concepts already in use in physical property law (viewing/recording private property from a public space)

This is where the tangible/real-estate concept of property truly diverges from the concept as applied to cyberspace. When you are out in the real world, you always have to be in some location, and if someone's private property is visible from your perspective, there's nothing that can be done about that without a physical barrier of some sort. You can either cover the property, or cover everyone else when they're around it. Obviously it makes more sense to cover the property, from an economical and practical perspective.

But when you're in cyberspace, you have to perform an overt act to access something. URLs don't fetch themselves. Consistent with that, and in the interest of encouraging people to publish and do business on the Internet, we have made a societal decision to make strong laws protecting against unauthorized access, even when resources are available without controls as strong as perhaps they ought to be.

> Sandvig v Barr demonstrates that ToS violations can be CFAA violations ...

Sandvig v. Barr held the opposite: "violating public websites’ terms of service ... does not constitute a CFAA violation under the “exceeds authorized access” provision."

Van Buren v. U.S. was not about a ToS violation; it was about a police officer accessing and misusing confidential police records for non-law-enforcement purposes.

U.S. v. Drew resulted in an acquittal on appeal: "The pivotal issue herein is whether basing a CFAA misdemeanor violation as 12 per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine. This Court concludes that it does primarily because of the absence of minimal guidelines to govern law enforcement, but also because of actual notice deficiencies."

So as you can see, the law seems to be converging towards your own opinion that ToS violations alone are insufficient to constitute criminal activity under CFAA.

link