| First, I don't think a majority of Americans are in favor of changing the law such that if they don't protect their stuff, it's free for the taking. We've never had such a default rule and I can't foresee a sea change in attitudes that would have to take place before this happens. It's just not realistic. Legitimate security researchers get permission from their targets. The current laws don't seem to impede their work very much; there's a healthy market for red teams for hire. Journalists are in a class by themselves and are subject to First Amendment protections. Whistleblowing isn't at issue here anyway. > If you put something in public, you should expect the public to interact with it. That's common sense and consistent with concepts already in use in physical property law (viewing/recording private property from a public space) This is where the tangible/real-estate concept of property truly diverges from the concept as applied to cyberspace. When you are out in the real world, you always have to be in some location, and if someone's private property is visible from your perspective, there's nothing that can be done about that without a physical barrier of some sort. You can either cover the property, or cover everyone else when they're around it. Obviously it makes more sense to cover the property, from an economical and practical perspective. But when you're in cyberspace, you have to perform an overt act to access something. URLs don't fetch themselves. Consistent with that, and in the interest of encouraging people to publish and do business on the Internet, we have made a societal decision to make strong laws protecting against unauthorized access, even when resources are available without controls as strong as perhaps they ought to be. > Sandvig v Barr demonstrates that ToS violations can be CFAA violations ... Sandvig v. Barr held the opposite: "violating public websites’ terms of service ... does not constitute a CFAA violation under the “exceeds authorized access” provision." Van Buren v. U.S. was not about a ToS violation; it was about a police officer accessing and misusing confidential police records for non-law-enforcement purposes. U.S. v. Drew resulted in an acquittal on appeal: "The pivotal issue herein is whether basing a CFAA misdemeanor violation as 12 per 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(A) upon the conscious violation of a website’s terms of service runs afoul of the void-for-vagueness doctrine. This Court concludes that it does primarily because of the absence of minimal guidelines to govern law enforcement, but also because of actual notice deficiencies." So as you can see, the law seems to be converging towards your own opinion that ToS violations alone are insufficient to constitute criminal activity under CFAA. |