[tptacek]

Committing fraud: illegal.

Using stolen identities to purchase goods: illegal.

Attacking a database: not illegal without CFAA.

[neilk]

"Attacking" - are databases people? Do they have rights?

I'm stumbling around trying to figure out what the right balance is too, but I think the existing laws we have around fraud and privacy are all that we need. That is, we don't need to criminalize accessing inadvertently public information; we just need to criminalize exploiting it.

[fnordfnordfnord]

Exploiting it is criminalized. Exploiting it is harder to detect and enforce. It is easy to read server logs and parse them for crimes. Lazy man's way to enforce the law.

[sneak]

Why do we need the third? Why make downloading PII a crime when we already have felony laws for using such data to commit fraud?

[xyandnoz]

There are many things one can do with your PII besides using it for identity theft, including publishing it, which is NOT illegal in many states.

[fnordfnordfnord]

Attacking a database: not illegal without CFAA.

That's a big problem since we can't really even define clearly (and rationally) what an attack is.