Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
JumpCrisscross 4 days ago

> how is someone supposed to know that?

When was the last CFAA prosecution where the perpetrator literally didn't know they were doing something unauthorised?

mapt 4 days ago | parent | next [-]

Legislative overreach that leads to an almost total reliance on prosecutorial discretion is a terrible way to run a society. The moment that federal prosecutors stop being obsessed with 100% conviction rates, the whole weaponized process becomes tyrannical overnight. Regardless of innocence, most people get advised today to take the dramatically reduced plea bargain because of the extortion-tier penalties for most crimes; we barely use trials to establish facts and guilt any more.

JumpCrisscross 4 days ago | parent [-]

> almost total reliance on prosecutorial discretion is a terrible way to run a society

Asking for precedence is not the same as "total reliance on prosecutorial discretion." It's asking if a hypothetical is grounded.

> moment that federal prosecutors stop being obsessed with 100% conviction rates, the whole weaponized process becomes tyrannical overnight

This is an orthogonal problem. Prosecutors can bring bullshit cases with zero basis in the law if they want to.

AnthonyMouse 4 days ago | parent | prev [-]

So that's actually a big part of the problem. "Unauthorized" means what, that they abstractly don't like what you're doing? It's hard to tell what it really means because by its terms it prohibits way too much. Like it would plausibly be unconstitutional if they actually tried to enforce it that way. Which creates the expectation that things are unauthorized that potentially can't be prohibited, and that's the ambiguity. It's not that you don't know what you can't do, it's that it nominally prohibits so much that you don't know what you can do.

So then you get cases like Sandvig v. Barr where the researchers are assuming the thing they want to do isn't authorized even though that would be unreasonable and then they have to go to court over it. Which is how you get chilling effects, because not everyone has the resources to do that, and companies or the government can threaten people with prosecution to silence them without charges ever being brought because the accused doesn't want to experience "the process is the punishment" when the law doesn't make it sufficiently clear that what they're doing isn't illegal.

JumpCrisscross 4 days ago | parent [-]

> then you get cases like Sandvig v. Barr

Sandvig "was brought by researchers who wished to find out whether employment websites engage in discrimination on the basis of race, gender or other protected characteristics" [1]. It was literally the researchers asking the question you asked and then getting an answer.

"he Court interpreted CFAA’s Access Provision rather narrowly to hold that the plaintiffs’ conduct was not criminal as they were neither exceeding authorized access, nor accessing password protected sites, but public sites. Construing violation of ToS as a potential crime under CFAA, the Court observed would allow private website owners to define the scope of criminal liability – thus constituting an improper delegation of legislative authority. Since their proposed actions were not criminal, the Court concluded that the researchers were free to conduct their study and dismissed the case."

Nobody was prosecuted. Researchers asked a clarifying question and got an answer.

[1] https://globalfreedomofexpression.columbia.edu/cases/sandvig...

AnthonyMouse 4 days ago | parent | next [-]

Right. That's what I'm saying. It's used to intimidate people, which doesn't require actually prosecuting them because nearly all of them fold before it even gets to that point or are deterred from doing something they have a right to do because of the risk.

Let's remember how the process works. First they threaten you, then if you don't fold they do a more thorough investigation to try to find ways to prove their case which makes you spend significant resources, then they decide whether to actually prosecute you. They don't actually do it if they can't find a way to make you look like a criminal, but that's why it needs to be unambiguous from the outset that they won't be able to.

Otherwise people will fold at the point of being threatened because you'd have to spend resources you don't have and the deal you're offered gets worse because you made them work for it.

tptacek 4 days ago | parent [-]

Post Van Buren, the legal concern in Sandvig (that doing "audit" studies that would require signing up for a bunch of accounts in ways that violate the ToS of commercial sites) is dead anyways everywhere in the US. The idea that mere violation of ToS is per se a violation of CFAA is off the table.

AnthonyMouse 4 days ago | parent | next [-]

And we had to live under the ambiguity for more than three decades because the law was so poorly considered, and it's still not clear exactly what it covers.

Suppose some researchers are trying to collect enough data to see if a company is doing something untoward. They need a significant sample in order to figure it out, but the company has a very aggressive rate limit per IP address before they start giving HTTP 429 to that IP address for the rest of the day. If the researchers use more than one IP address so they can collect the data in less than 20 years, is that illegal? It shouldn't require a judge to be able to know that.

JumpCrisscross 4 days ago | parent | next [-]

> we had to live under the ambiguity for more than three decades

Reality is infinitely complex. The law, meanwhile, is a construct.

One can always come up with anxious apparitions of hypothetical lawbreaking. (What if I’m murdered by a novel ceramic knife. The killer might get away!)

> If the researchers use more than one IP address so they can collect the data in less than 20 years, is that illegal? It shouldn't require a judge to be able to know that

It doesn’t. It requires a lawyer.

coldtea 4 days ago | parent [-]

>Reality is infinitely complex. The law, meanwhile, is a construct

We managed to make the law more complex than actual reality.

tptacek 4 days ago | parent | prev | next [-]

It doesn't. The fact pattern you've just presented is settled law: it might be a tort, it might be some other violation of state law, but it's not a CFAA violation.

AnthonyMouse 4 days ago | parent [-]

I feel like I purposely chose a fact pattern that couldn't meaningfully be distinguished from a DDoS except by the rate, which wasn't specified.

I get that there are cases where someone exceeded a rate limit by a moderate amount and that was fine -- although it's still bad that figuring that out required them to go to court to begin with -- but it seems like we're missing the thing that tells you where the line is. Unless it's really not a violation to just permanently render someone's site inaccessible because you have a lot more bandwidth than them and constantly want the latest version of whatever's on it?

Which is the problem with doing it this way. You don't have anyone working things through to come up with a good rule and give people clarity from the start, so instead it all gets decided slowly over time through expensive litigation.

mrguyorama 3 days ago | parent | prev [-]

>And we had to live under the ambiguity for more than three decades because the law was so poorly considered, and it's still not clear exactly what it covers.

No, we lived with that ambiguity because the US system of laws purposely chooses to let Judges in the court system decide those ambiguities (and create "precedent") but only after something has happened, only after that happening leads to a court case, and only if that court case is not settled or dismissed.

That means everyone can just settle cases that would lead to a precedent they don't want.

US law ambiguity is purposeful. The solution is that we should have judges and courts that emphasize the outcome to normal people, and endeavor to improve justice to normal people, but all the people who get law degrees seem to be somewhat sociopathic and prefer instead to waste millions setting precedents on what individual words mean (that don't match at all what a normal and reasonable person would understand) and police syntax.

Judges who try to do just that are labelled "Activist" by politicians.

Meanwhile, when we have agencies who take it upon themselves to take a vague law and turn it into much less vague rules and clear recommendations, they are accused of being unelected bureaucrats writing laws.

If you want less ambiguity, you need to elect people that don't punish agencies for putting out clear documentation, and you need to reform the entire justice system to prioritize clear readings of plain language law over our stupid system of treating english as a programming language for law, which it can never be.

Human language is ambiguous. Law will always be ambiguous. If you suggest instead we should use more strict language in law on a forum full of programmers, you should hopefully understand how that is a cure far worse than the disease. You will end up with law exactly as unambiguous as it can be to an army of specialized lawyers and nobody else.

adgjlsfhk1 4 days ago | parent | prev [-]

the problem is it's only off the table until the Trump DOJ decides that they want to charge ex FBI members who investigated Trump with felonies for using an add blocker, and the supreme Court changes their mind since apparently the new law is that Trump can do whatever he wants

tptacek 4 days ago | parent [-]

No? It's a Supreme Court precedent, established under Trump judges. At the point where you're saying that doesn't matter, you might as well just go the final rhetorical millimeter and say none of the law matters.

4 days ago | parent | prev [-]
[deleted]