Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
The Internet Advertising Communications Crime Education Government Network Networking The Courts United States News Your Rights Online Science Technology

ACLU Lawsuit Challenges Computer Fraud and Abuse Act (thestack.com) 76

An anonymous reader writes: The American Civil Liberties Union (ACLU) has filed a lawsuit with the U.S. Department of Justice contending that the Computer Fraud and Abuse Act's criminal prohibitions have created a barrier for those wishing to conduct research and anti-discrimination testing online. The ACLU have pursued the matter on behalf of a group of academic researchers, computer scientists and journalists seeking to remove that barrier to allow for third-party testing and research into potential online discrimination. In a public statement the ACLU contend: "The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination."
This discussion has been archived. No new comments can be posted.

ACLU Lawsuit Challenges Computer Fraud and Abuse Act

Comments Filter:
  • I read the article... it says that the CFAA somehow prevents people from doing legitimate research, but fails to even give a single example of actually how this happens. How does the law that is supposed prevent computer fraud stop a person from doing research, exactly?
    • Re:I don't follow (Score:5, Informative)

      by Anonymous Coward on Wednesday June 29, 2016 @05:21PM (#52416457)

      One of the provisions makes it a felony for unauthorized access to a computer system. In most EULAs it spells out that reverse engineering is disallowed and creates an area of unauthorized access. Thus a security researcher trying to analyze a system is technically committing a felony under the CFAA as it doesn't make any exceptions. Even if the analysis is being performed completely locally on systems they own if say the OS is Windows or MacOS.

      • by Anonymous Coward

        Sure but how is any of that related to research into potential online discrimination?

      • by mark-t ( 151149 )

        Thus a security researcher trying to analyze a system is technically committing a felony under the CFAA as it doesn't make any exceptions

        It doesn't have to make exceptions.... the law prohibits *UNAUTHORIZED* access to a computer system. If you own the computer system yourself, then who else is supposedly supposed to be authorizing you to access it? If someone else controls authorization to access to some piece of property, then by definition that property belongs to THEM. Unless there is another law th

        • by rsilvergun ( 571051 ) on Wednesday June 29, 2016 @06:14PM (#52416703)
          in it's definition of "Unauthorized". If you don't like how someone is using information you've made publicly accessible on your web site then it's suddenly "Unauthorized" and congrats, you're perl script just committed a felony for you. This isn't like walking into a house with it's doors unlocked. It's more like you wrote down advertised prices from billboards, aggregated the data, and when somebody notices you doing that doesn't make them look so good they throw you in prison.

          This has been discussed multiple times on /.. It seldom comes up because most of us are working for large corps doing what we're told and so have a bit of the corporate veil to protect us. Someone trying to research a politically unpopular idea (racial profiling is being used to target minorities for expensive high risk loans and exclude them from cheaper low risk ones they otherwise qualify for) has to worry about this. If your study shows a pattern of abuse from on the part of a multi-billion dollar mortgage company expect to see some charges.
          • by mark-t ( 151149 )

            Obviously you don't own the information on someone else's website though... even if they made the information public.

            My question remains... how does this law prevent lawful research?

            Or does it just prevent lazy research?

            • by Facekhan ( 445017 ) on Wednesday June 29, 2016 @08:12PM (#52417101)

              If you make factual data public, you don't generally "own" it as in you don't have exclusive rights to it. You can't copyright a database of factual information. Basically the CFAA lets a firm make data public but then if someone uses a script to aggregate it, they can claim it was a felon. Just as an example, the CFAA could even apply to things like price comparison websites if a particular merchant doesn't want their public pricing information compared to their competitors.

              • by mark-t ( 151149 )
                If the information is public, then there is no way to even necessarily know it was obtained in the first place from a website, let alone that a scraper may have been used.
            • The other issue concerns employee use of employer owned systems. There have been cases where employees have been prosecuted for violating a purely civil agreement between them and their employer about the systems they have access to.

              In general the law should not criminalize a civil contract violation or in the case of EULA's and Acceptable Use policies, it is questionable whether they are even valid contracts. This is especially true when the law in question is very one sided in favor of big companies usin

    • by PRMan ( 959735 )
      They need to lie and say they are black or lie about their zip code in order to see if there is any disparate treatment. They can't do this with the CFAA as it is technically illegal, since they are lying about their identity.
      • They need to lie and say they are black or lie about their zip code in order to see if there is any disparate treatment. They can't do this with the CFAA as it is technically illegal, since they are lying about their identity.

        Why can't these researchers simply hire some black people? Why do they need to commit fraud to do their research? And if I'm offering an online service or business, why should I be compelled to offer my computing resources to assist in your research, noble though your research goals may be?

      • by Anonymous Coward

        Seems like they could just temporarily "identify as" black or "identify as" poor, since Western Civilization now tells us that things like gender and race have no basis in concrete reality.

        • by mark-t ( 151149 )

          ...since Western Civilization now tells us that things like gender and race have no basis in concrete reality.

          Things like that have no lawful basis for certain types of discrimination, but it is wholly erroneous to say they have no lawful basis in concrete reality.

          One example of a legal type of discrimination based on sex would be one's right to discriminate on the gender of a person that they may want in a roommate, when the roommate shares any of either a bedroom, bathroom or kitchen with the other pers

    • by Intron ( 870560 )

      I read the article... it says that the CFAA somehow prevents people from doing legitimate research, but fails to even give a single example of actually how this happens. How does the law that is supposed prevent computer fraud stop a person from doing research, exactly?

      How's this?

      https://www.databreaches.net/c... [databreaches.net]

      Or this?

      http://www.computerworld.com/a... [computerworld.com]

      • by mark-t ( 151149 )
        As I said, I know what the CFAA is, but I don't see how it prevents people from doing otherwise lawful research for instance... At most, it only prevents you from doing research with someone else's data.... but then a good researcher that was not being lazy would collect their own data, and not rely on data that did not belong to them anyways.
        • by Mashiki ( 184564 )

          If you're trying to reconfirm an existing conclusion using their data first, then your own is the best option to see if everything is the same. Remember, the story on /. not more then a few months ago showing that ~60% of studies couldn't be reproduced even using the same methodology as the original?

    • by Hentes ( 2461350 )

      They want to use bots on sites. The CFAA is irrelevant in my opinion as they would still be in breach of the ToS.

  • My life's ambition has long been to invent a new crime. People will say 'that has to be illegal', it will be made illegal after I do it.

    The computer fraud and abuse act ruins that. Anything a federal judge doesn't like, crime...ipspostfacto, schmipspostfacto.

    • The CFAA is the "X with a computer" of criminal law, where X is just about anything they want to enforce it as. And that's the problem. It's stupid and BS for patents, and it shouldn't be any more valid in criminal cases.
  • by u19925 ( 613350 ) on Wednesday June 29, 2016 @05:33PM (#52416501)

    If you go to doctor's office and start video recording everyone to collect data on discrimination, will it allow it? Same way, website can limit recording of publicly available information. Doctor's office will also ask you provide true information just like websites do. I don't see much difference between the two. There are many private clubs which limit do the same. I don't see Facebook, Twitter any different than YMCA etc where if I want to be in, I have to become member, pay, provide my true information and then can do limited recording. If you ask online sites to allow fake id, unlimited recording, then why not doctor's office, gyms, hotels etc?

    • by Fire_Wraith ( 1460385 ) on Wednesday June 29, 2016 @06:04PM (#52416659)
      Probably the analogy would be the laws making it illegal to record abuses at places like food processing plants. There have been several states that have attempted to outlaw undercover video, after activists managed to get hired, and later released video of the horrible and illegal stuff that was going on in those plants. Or consider bans against recording the police on video, that wind up making any video recording of the police, even of the police committing a blatant crime, illegal.

      That doesn't mean the law needs to go away entirely, but having some sort of affirmative defense should play a part, for instance.
    • I assume you'd have to pay without insurance but I can't see any reason why you couldn't use any name you like at a doctor's office.
      It's not like they do background checks. And celebrities go to hospitals under pseudonyms sometimes, right?
      IANAL but, as long as you paid your bill, I assume it wouldn't be fraud.

      Any sane person can see the CFAA is broad and overreaching and I get the feeling that this is just another angle the ACLU thinks might work to attack it.

      Did we really need a specific law for computer-r

      • I'd say we do need specific laws for some computer-related crimes. One would be unauthorized access, provided we define "unauthorized" in a reasonable manner. Logging in with a supplied account name and password should not count, for example, no matter for what purpose. Fraud normally requires proof of harm, as does property damage. Someone hacking into a computer system may not do visible harm, but we really are better off if it's illegal.

  • To be guilty of a crime one must intend to commit the crime but also there must be evil implied. A person who hacks into computers or networks with a real intention of doing good has no criminal liability if police and courts support the concept in law of intent. Here is a common type of issue that makes law enforcement next to impossible. There are many sites, such as Craig's List that have sections in which supposed prostitutes solicit business. Yet simply asking for money for sex is usually
    • Crimes do not necessarily require criminal intent. It's illegal to kill someone even if you weren't trying to kill them. It's criminal to be criminally negligent even if it was out of laziness rather than malice.

      Solicitation to commit a criminal activity is mostly illegal by itself. Police are allowed to participate in some illegal activities while running sting operations, so a police officer could solicit, although aggressive solicitation would probably constitute entrapment.

"Freedom is still the most radical idea of all." -- Nathaniel Branden

Working...