| ▲ | AnthonyMouse 4 days ago |
| It's not about enumerating every possible circumstance, it's about the law erring on the side of prohibiting more than it should rather than less and effectively shifting the burden to the defense to establish an exception to a rule that by its terms nominally prohibits anything a company doesn't like. Let's try this for an example. There is a company whose security is very bad. Their company portal is on the internet and if you visit the site it shows you everything. A journalist gets tipped off about this and is presented with the opportunity to read the company's internal documents, which allegedly show clear evidence of a crime, so they can write a story about it. How bad does the security have to be before the journalist is in trouble? Is it illegal if there is absolutely no access control but the company hadn't intended to publish that? What if anyone can create their own account? What if there is a login box but it doesn't care what you put in it, so you can make up your own username and password? What if it requires an existing username but accepts a blank password? What if it only requires a password and it's just really easy to guess? Or someone gave it to them? What if someone at the company sends them an internal URL but it's accessible on the internet? Does it matter if they sent it on purpose or by accident? I admittedly haven't checked which of those, if any, have already had precedents established, but it's unlikely that every one of those scenarios has made it all the way to the Supreme Court, so what's the journalist supposed to do when they find themselves facing one where it hasn't? Not write the story? Do it anyway because maybe? And it's not just a matter of how to tell where the line is. The journalist is being a journalist, not stealing credit cards. If the thing that matters is really intent, then their intent was to expose a crime, and in that case why do we want a law that makes any of those illegal? |
|
| ▲ | akerl_ 4 days ago | parent | next [-] |
| It's a good thing that intent is a major element of the crime, then. If you just happen on a dump of a company's data, you didn't have the necessary intent. If you hit a login form and figure out that it has flaws and then use those flaws to access data, you do. The examples you're giving don't seem to be ambiguous? There's a pretty clear pattern if you look at cases where folks have found flaws in websites. Find a flaw? So far, so good. Test the flaw against dummy data or your own data? Still good. Test the flaw by pulling other people's data or trying things that would reasonably damage the company's infrastructure? Not good. |
| |
| ▲ | AnthonyMouse 4 days ago | parent [-] |
| > If you just happen on a dump of a company's data, you didn't have the necessary intent. If you hit a login form and figure out that it has flaws and then use those flaws to access data, you do. |
| A good first question here is why should that be the thing that matters? Take the scenario where it lets anyone create an account. It's not yet obvious at that point what the thing is even for, but you sign up for an account and it gives you one. Once you sign in, the things you have access to might be the sort of things you might not expect to be public, but then how are you distinguishing that from a data dump with the same stuff in it? Or is this one allowed because they're still essentially granting access to the public? If someone who works there gives you the password, are you now authorized because they just authorized you, or not authorized because the password was only meant for people who work there? What if the password is included as part of the link? So is the form of access control really the thing that ought to matter? Or is it what you're accessing? But now notice that the company isn't going to purposely authorize you to view the evidence of their criminal activity, so maybe a law that imposes a blanket ban on anybody accessing anything a company doesn't want them to is broader than it ought to be. |

| ▲ | akerl_ 4 days ago | parent [-] |
| > But now notice that the company isn't going to purposely authorize you to view the evidence of their criminal activity, so maybe a law that imposes a blanket ban on anybody accessing anything a company doesn't want them to is broader than it ought to be. |
| I think we've jumped pretty clearly here from actual discussion about the CFAA to a policy stance you're taking about how you feel it should be acceptable to hack companies if they deserve it. |
| ▲ | 2 days ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | tptacek 4 days ago | parent | prev [-] |
| You have not here presented a fact pattern that would put the journalist at risk. A journalist can safely write a story about the gross insecurity of a website. You could put 10 million bank account numbers behind a login field that accepts 'OR''=' as a password, and write about that. You could have a bypass for that login whereby incrementing an integer revealed those bank accounts, one after another, on an unauthenticated HTTP GET. Where you get into trouble is when you use either of those conditions to collect bank account numbers. Whether you're collecting them to sell or collecting them as color (the amount, scale, diversity, whatever) for your story: you'll be expected to understand that you did not have authorized access to that data, and by collecting it, you'll have violated the CFAA. You would similarly be at risk when, having used the 'OR''=' password, you then poked around inside the website to see what else was exposed. That might "feel" like journalism. So too would be wandering around inside a bank you found unlocked at night. But no sane journalist would do what I just described. In fact: this is straightforward. Further evidence of that: journalists routinely write about this stuff and don't get prosecuted. The Barrett Brown case is an especially good illustration of where the lines are drawn. |

| ▲ | AnthonyMouse 4 days ago | parent [-] |
| They're not trying to write a story about the security of the website, they're trying to write a story about the crime the company is committing. They're allegedly poisoning the water and killing people; it's more serious than a website. If they write the first story, the company immediately takes the site offline before anybody else can see what's there, or if anyone does then they could get prosecuted. The analogy to a bank vault doesn't work because it isn't a bank vault and you've never left your office. It's more analogous to finding the mailing address of the company's internal records office and then sending them a letter requesting a copy of their records. You should go to jail for requesting something it's not even illegal for you to have, just because they were willing to send them to you without establishing who you are? |

| ▲ | tptacek 4 days ago | parent [-] |
| Yeah, you can't hack into websites to pursue stories about corporate misdeeds, any more than you could break into a company's office and rifle through the files. This is silly. |

| ▲ | akerl_ 4 days ago | parent | next [-] |
| What if I team up with another journalist, and I tell them about curl commands to run but never tell them that they're exploiting vulnerabilities in the company's website? That way they don't have the necessary intent and I never perform any illegal acts? Do you think the judge would fall for it? Or would we have done a RICO? |

| ▲ | tptacek 4 days ago | parent [-] |
| No, that's exactly how Barrett Brown ended up in federal prison. |

| ▲ | AnthonyMouse 4 days ago | parent | prev | next [-] |
| The question is at what point is it considered "hacking"? There is evidence of corporate misdeeds on the company's computers. Under what circumstances can a journalist view it? At no point would the guilty company want them to, for obvious reasons, but if the answer is thereby "never" that seems like a major flaw in the law. Whereas if it isn't never, then when is it, and why? Or to extend your analogy, where's the computer equivalent of an investigative reporter getting let inside under a pretense so they can snoop around wearing a guest badge instead of prying open the back door with a crowbar? |

| ▲ | tptacek 4 days ago | parent [-] |
| The question at the trial will be whether a reasonable person would have believed the evil corporation authorized the requests. You seem set on replacing the evil corporation with society, interposing a sort of "it's a public good for this information to come out, and so we'd generally authorize it". But if the company itself clearly wouldn't have intended you to have that access, and you knew that, and you used the access anyways, then yes: you committed a crime. Again: mere ToS violations are not enough to cross that line. |

| ▲ | 4 days ago | parent | prev [-] |
| [deleted] |