| ▲ | AnthonyMouse 4 days ago |
| It's not that hard to figure out at the extremes. Using Google to find a nearby place to get lunch, not a violation. Phishing someone's password so you can sign into their company's network and delete all their files, go to jail. And then most of the cases that are actually brought are of the second category, which makes everything seem fine. But those are the same cases that could be brought under a better law or under other existing laws. The problem is that if message board nerds and other ordinary people can't figure out what the law requires in the cases that probably won't be prosecuted, but could be, then it deters people from doing things that shouldn't be -- and maybe even aren't -- against the law. And it gives the government a weapon it shouldn't have, because the lack of clarity can be used to coerce plea bargains. |
|
| ▲ | JumpCrisscross 4 days ago | parent | next [-] |
| > if message board nerds and other ordinary people can't figure out what the law requires in the cases that probably won't be prosecuted, but could be, then it deters people from doing things that shouldn't be -- and maybe even aren't -- against the law Message boards are constantly debating insane shit. If someone feels—beyond generalized anxiety—they’re on the edge of the law, there are plenty of private and public resources they can consult. If they want to shoot shit, as, to be clear, we’re doing here, they can ponder on a message board. The former presages real work. The latter entertainment. |
| |
| ▲ | akerl_ 4 days ago | parent [-] | | Do other disciplines do this in reverse? Is there a lawyer forum where the members constantly try to construct from the ground up "how does the internet happen", and then draw a bunch of inferences and concerns from their construction? I'd like to know we're not unique in assuming that expertise in our field grants us the necessary magics to speak as experts in other ones. | | |
| ▲ | AnthonyMouse 4 days ago | parent | next [-] | | People don't care about how the internet works because it's working right now and if it isn't then they can pay someone to fix it. People care whether something is illegal before they do it because ordinary people can't pay someone to make the prosecutor go away after they've already done the thing they're being charged with. | | |
| ▲ | akerl_ 4 days ago | parent [-] | | I think you've fallen into a message board hole. Of the humans alive today, basically a rounding error of them are ever going to come anywhere near the CFAA. Firstly, the intent requirement. Which has been pointed out to you upthread and you just sortof waved away that judges are willing to accept anything as proof of intent, despite that not seeming to be the case from the cases I can see. Secondly, the average human alive is not poking at web vulnerabilities as part of their humanitarian journalism. The CFAA is nearly a perfect overlap where the people at risk of accidentally violating it are the folks who have the means to ask a professional about their nuanced situation. The CFAA (like many laws) has problems, but you've really latched onto whether or not something counts as a crime for the CFAA in a way that doesn't seem to be attached with a real threat model. | | |
| ▲ | AnthonyMouse 4 days ago | parent [-] | | > Firstly, the intent requirement. Which has been pointed out to you upthread and you just sortof waved away that judges are willing to accept anything as proof of intent, despite that not seeming to be the case from the cases I can see. It's not that they're willing to accept anything, it's that isn't really how intent works, because intent is a question of fact when the ambiguity is a question of law. Which is how it produces an unreasonable result: It's not the intent to commit a crime, it's the intent to commit an act, whether or not you knew it was a crime. And when the law was ambiguous, you can't have known, because the judge hadn't decided it yet. So you do X, you end up in court, the judge finally decides if X is illegal, and then if it is the government has to prove if you intended to do X. But you did intend to do that, you just didn't intend for that to be illegal, which is the part they don't include in the accounting. It seems like I should also clarify this point from my post above: > and failed to include the part about intent to commit a crime The salient thing that burglary has and the CFAA is missing isn't the intent to commit unauthorized access, it's the intent to commit a separate crime, e.g. unauthorized access with the intent to commit credit card fraud. Because without that the penalties make no sense and it's not clear that should even be an independent crime, since there are definitely times when accessing a server the operator doesn't want you to should be allowed and basically all of the cases where it shouldn't are the instances where you're doing it to commit a separate crime. > The CFAA is nearly a perfect overlap where the people at risk of accidentally violating it are the folks who have the means to ask a professional about their nuanced situation. So you're in a situation where there hasn't been a high court case with the same fact pattern yet. You ask a professional and they tell you so. What now? |
|
| |
| ▲ | JumpCrisscross 4 days ago | parent | prev [-] | | > Is there a lawyer forum where the members constantly try to construct from the ground up "how does the internet happen", and then draw a bunch of inferences and concerns from their construction? Idk about lawyers, but finance forums will regularly construct absolutely batshit crazy assumptions about how the world works. I think it’s a feature of online echo chambers. |
|
|
|
| ▲ | akerl_ 4 days ago | parent | prev | next [-] |
| Just to be clear: I think ordinary people (and message board nerds when they’re not trying to win message board debates) are entirely capable of looking at a fact pattern and identifying if it was or wasn’t hacking. If you think that’s not true, can you give some examples of ambiguous fact patterns? |
|
| ▲ | tptacek 4 days ago | parent | prev [-] |
| You still haven't explained what the lack of clarity you're concerned about it. The examples you've given have been things that are settled law not illegal. You're never going to get a schematic list of everything that could violate the law, and you don't get that for non-computer crimes either. |
| |
| ▲ | AnthonyMouse 4 days ago | parent [-] | | It's not about enumerating every possible circumstance, it's about the law erring on the side of prohibiting more than it should rather than less and effectively shifting the burden to the defense to establish an exception to a rule that by its terms nominally prohibits anything a company doesn't like. Let's try this for an example. There is a company whose security is very bad. Their company portal is on the internet and if you visit the site it shows you everything. A journalist gets tipped off about this and is presented with the opportunity to read the company's internal documents which allegedly show clear evidence of a crime so they can write a story about it. How bad does the security have to be before the journalist is in trouble? Is it illegal if there is absolutely no access control but the company hadn't intended to publish that? What if anyone can create their own account? What if there is a login box but it doesn't care what you put in it, so you can make up your own username and password? What if it requires an existing username but accepts a blank password? What if it only requires a password and it's just really easy to guess? Or someone gave it to them? What if someone at the company sends them an internal URL but it's accessible on the internet? Does it matter if they sent it on purpose or by accident? I admittedly haven't checked which of those if any have already had precedents established, but it's unlikely that every one of those scenarios has made it all the way to the Supreme Court, so what's the journalist supposed to do when they find themselves facing one where it hasn't? Not write the story? Do it anyway because maybe? And it's not just a matter of how to tell where the line is. The journalist is being a journalist, not stealing credit cards. If the thing that matters is really intent then their intent was to expose a crime, and in that case why do we want a law that makes any of those illegal? | | |
| ▲ | akerl_ 4 days ago | parent | next [-] | | It's a good thing that intent is a major element of the crime, then. If you just happen on a dump of a company's data, you didn't have the necessary intent. If you hit a login form and figure out that it has flaws and then use those flaws to access data, you do. The examples you're giving don't seem to be ambiguous? There's a pretty clear pattern if you look at cases where folks have found flaws in websites. Find a flaw? So far, so good. Test the flaw against dummy data or your own data? Still good. Test the flaw by pulling other people's data or trying things that would reasonably damage the company's infrastructure? Not good. | | |
| ▲ | AnthonyMouse 4 days ago | parent [-] | | > If you just happen on a dump of a company's data, you didn't have the necessary intent. If you hit a login form and figure out that it has flaws and then use those flaws to access data, you do. A good first question here is why should that be the thing that matters? Take the scenario where it lets anyone create an account. It's not yet obvious at that point what the thing is even for, but you sign up for an account and it gives you one. Once you sign in the things you have access to might be the sort of things you might not expect to be public, but then how are you distinguishing that from a data dump with the same stuff in it? Or is this one allowed because they're still essentially granting access to the public? If someone who works there gives you the password, are you now authorized because they just authorized you, or not authorized because the password was only meant for people who work there? What if the password is included as part of the link? So is the form of access control really the thing that ought to matter? Or is it what you're accessing? But now notice that the company isn't going to purposely authorize you to view the evidence of their criminal activity, so maybe a law that imposes a blanket ban on anybody accessing anything a company doesn't want them to is broader than it ought to be. | | |
| ▲ | akerl_ 4 days ago | parent [-] | | > But now notice that the company isn't going to purposely authorize you to view the evidence of their criminal activity, so maybe a law that imposes a blanket ban on anybody accessing anything a company doesn't want them to is broader than it ought to be. I think we've jumped pretty clearly here from actual discussion about the CFAA to a policy stance you're taking about how you feel it should be acceptable to hack companies if they deserve it. |
|
| |
| ▲ | 2 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | tptacek 4 days ago | parent | prev [-] | | You have not here presented a fact pattern that would put the journalist at risk. A journalist can safely write a story about the gross insecurity of a website. You could put 10 million bank account numbers behinds a login field that accepts 'OR''=' as a password, and write about that. You could have a bypass for that login whereby incrementing an integer revealed those bank accounts, one after another, on an unauthenticated HTTP GET. Where you get into trouble is when you use either of those conditions to collect bank account numbers. Whether you're collecting them to sell or collecting them as color (the amount, scale, diversity, whatever) for your story: you'll be expected to understand that you did not have authorized access to that data, and by collecting it, you'll have violated CFAA. You would similarly be at risk when, having used the 'OR''=' password, you then poked around inside the website to see what else was exposed. That might "feel" like journalism. So too would be wandering around inside a bank you found unlocked at night. But no sane journalist would do what I just described. In fact: this is straightforward. Further evidence of that: that journalists routinely write about this stuff and don't get prosecuted. The Barrett Brown case is an especially good illustration of where the lines are drawn. | | |
| ▲ | AnthonyMouse 4 days ago | parent [-] | | They're not trying to write a story about the security of the website, they're trying to write a story about the crime the company is committing. They're allegedly poisoning the water and killing people, it's more serious than a website. If they write the first story the company immediately takes the site offline before anybody else can see what's there, or if anyone does then they could get prosecuted. The analogy to a bank vault doesn't work because it isn't a bank vault and you've never left your office. It's more analogous to finding the mailing address of the company's internal records office and then sending them a letter requesting a copy of their records. You should go to jail for requesting something it's not even illegal for you to have just because they were willing to send them to you without establishing who you are? | | |
| ▲ | tptacek 4 days ago | parent [-] | | Yeah, you can't hack into websites to pursue stories about corporate misdeeds, any more than you could break into a company's office and rifle through the files. This is silly. | | |
| ▲ | akerl_ 4 days ago | parent | next [-] | | What if I team up with another journalist, and I tell them about curl commands to run but never tell them that they're exploiting vulnerabilities in the company's website? That way they don't have the necessary intent and I never perform any illegal acts? Do you think the judge would fall for it? Or would we have done a RICO? | | |
| ▲ | tptacek 4 days ago | parent [-] | | No, that's exactly how Barrett Brown ended up in federal prison. |
| |
| ▲ | AnthonyMouse 4 days ago | parent | prev | next [-] | | The question is at what point is it considered "hacking"? There is evidence of corporate misdeeds on the company's computers. Under what circumstances can a journalist view it? At no point would the guilty company want them to for obvious reasons, but if the answer is thereby "never" that seems like a major flaw in the law. Whereas if it isn't never then when is it, and why? Or to extend your analogy, where's the computer equivalent of an investigative reporter getting let inside under a pretense so they can snoop around wearing a guest badge instead prying open the back door with a crowbar? | | |
| ▲ | tptacek 4 days ago | parent [-] | | The question at the trial will be whether a reasonable person would have believed the evil corporation authorized the requests. You seem set on replacing the evil corporation with society, interposing a sort of "it's a public good for this information to come out, and so we'd generally authorize it". But if the company itself clearly wouldn't have intended you to have that access, and you knew that, and you used the access anyways, then yes: you committed a crime. Again: mere ToS violations are not enough to cross that line. | | |
| |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
|
|
|
|
|
