Supreme Court To Consider Limiting America's 'Anti-Hacking' Law

America's Supreme Court "is finally considering whether to rein in the nation's sweeping anti-hacking law, which cybersecurity pros say is decades out of date and ill-suited to the modern Internet," according to the Washington Post's cybersecurity writer: The justices agreed to hear a case this fall that argues law enforcement and prosecutors have routinely applied the law too broadly and used it to criminalize not just hacking into websites but also far more innocuous behavior — such as lying about your name or location while signing up on a website or otherwise violating the site's terms of service...

[C]urrent interpretations of the 1986 law, known as the Computer Fraud and Abuse act (CFAA), have made researchers wary of revealing bugs they find because they fear getting in trouble with police or with companies, which can also sue under the law in civil courts. "Computer researchers are constantly afraid that a security test they run is going to run them afoul of the law," Tor Ekeland, an attorney who specializes in defending people accused of violating the CFAA, told me. "This law makes the Internet less safe because it chills legitimate information security research and it's bad for the economy because it chills innovation...."

"This is about whether a statute should be drafted so broadly that everyone is committing crimes all the time and the government gets to choose who to prosecute," Greg Nojeim, senior counsel at the Center for Democracy and Technology, told me... The Justice Department even charged WikiLeaks founder Julian Assange under the law — his crime was allegedly giving advice to one of the site's main leakers Chelsea Manning about how to crack a Defense Department password to gather more information...

One of the best-known CFAA prosecutions was of the Internet activist Aaron Swartz.

Sounds like a lot of laws

[alvinrod]

The justices agreed to hear a case this fall that argues law enforcement and prosecutors have routinely applied the law too broadly and used it to criminalize not just . . .

This could be applied to a lot of laws on the books.

Re:

[Impy the Impiuos Imp]

My favorite was in the late 1990s, when government passed an intrusive anti-terrorism bill, swearing they would only use it for terrorism, then immediately began using it on drugs. When asked, they did not even bother with the sophistry that drugs are terrorism. They just flat-out stated ha ha the law doesn't say terrorism only.

So watch these m-effers who plan to lie and lie. This is not appropriate in democracy, to put it mildly.

Non-paywalled edition.

[tacarat]

https://www.politico.com/newsl... [politico.com]

This won't end well...

[msauve]

One thing I've learned over time is that despite the spin, the legal system has very little to do with justice. It's about process and money (e.g. which party can overwhelm the other with case law and motions, even if inapplicable). The King has no clothes.

Another thing I've learned is that judges very rarely understand technology. Probably because any explanations get filtered through lawyers who either don't understand it either, or are being disingenuous in their explanations.

Re:This won't end well...

[DRJlaw]

Another thing I've learned is that judges very rarely understand technology. Probably because any explanations get filtered through lawyers who either don't understand it either, or are being disingenuous in their explanations.

Another thing that I've learned is that technologies very rarely understand the law or how ambiguities within it are resolved.

The CFAA says [cornell.edu], in highly abbreviated form, "Whoever... intentionally accesses a computer... [and] exceeds authorized access... shall be punished as provided in subsection (c) of this section."

What does "exceeds authorized access" mean? Do people have to, e.g., exploit a technical defect to gain access to another account like a superuser account? Can an employee exceed authorized access by giving their credentials to a competitor to access their employer's private business information? Can a competitor exceed authorized access by using such credentials to access the employer's private business information? Can you exceed authorized access by providing false information, scraping a site (that requires login), or doing something else in violation of the site's TOS?

By the way, the statute defines "exceeds authorized access" to mean "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Big help.

Different people have different opinions concerning what that term means. Different judges have different opinions concerning that that term means. Different appellate judges have different opinions concerning what that term means. Trespassing [seattle.gov] can occur if you violate conditions upon physical entry to real property, so why can't a CFAA violation occur if you violate conditions upon electronic entry into a computer system?

You don't have to misunderstand the technology to have such opinions, either. It may be comforting to claim that a judge that issues an opinion that you disagree with doesn't understand the technology, but at least one side has every incentive to teach the judge how to understand the technology. and more oftentimes than not they do.

What you rarely understand is that your technical arguments may not be legally relevant, or that in their relevant respect they may support a judge's opinion in a way that you don't appreciate.

Re:

[DRJlaw]

Dangit. "Technologies" was intended to be "technologists."

Re:

[Antique Geekmeister]

That "authorized access" is why clickable license agreements exist.

Re:

[Impy the Impiuos Imp]

Is violating that criminal, as opposed to civil.

Even more simply, if you have a password legitimately obtained, and go in, are you committing the same crime as some Bond villain hacker? Because that's how it's shaking out.

Re:

[alvinrod]

I think it's more of a matter that justice is difficult to administer even when it isn't a group of very fallible humans doing it. The whole thing has to run on process in order to prevent people from abusing the entire system. However, the law is incredibly complex and as a result that means that even when no one is intentionally trying to subvert the legal process there will inevitably be some procedural errors that can be appealed. Yes, that means that the system can to some degree be gamed by whichever

Re:

[Registered Coward v2]

Also, juries should be the ones delivering verdicts, so a failure of understanding technology is on their end. Judges are merely there to make sure that the process is being followed correctly or to issue rulings on matters of law. If juries can't understand technology or how it relates to laws then I think that's a better argument that we probably shouldn't have such laws in the first place. Most of it just seems to be moral busybodies that can't keep their nose out of someone else's business or the government trying to play corporate favorites.

I disagree. A jury's job is to weigh the facts presented and decide wether or not the person violated the law. They need not understand the technology; if either side feels it is important to understand aspects of the technology to bolster their case then it is up to them to provide an explanation to that end. They do so at their own risk, however, since they also risk hurting their case. For example, I know of a case where the defense attorney tried to argue their client was not guilty of DUI because the

Re:

[ArchieBunker]

By "stealing" you mean violating copyright?

Re:

[Impy the Impiuos Imp]

Yes. Money that should have gone into the pockets of the owners and creators was grabbed by him and thrown onto a bonfire.

It it walks like a duck and quacks like a duck, it's stealing.

Re:

[ArchieBunker]

I'd like to see actual projected damages.

Re:

[Registered Coward v2]

By "stealing" you mean violating copyright?

People will argue the semantics of theft vs. violation; but in the end you have potentially diminished the value of the copyrighted work and thus damaged its owner. Should it be a criminal matter is a valid point of discussion. Personally, I think it generally should be a civil manner and only criminal in very limited circumstances, such as when their is intent to damage or for financial gain. However, if you argue the original work is still available and nothing has been lost, you can't complain if someo

Re:

[Anonymous Coward]

However, if you argue the original work is still available and nothing has been lost, you can't complain if someone takes GPL software, modifies it and refuses to release the source because since you still have access to the original unmodified source you have not lost anything either.

That's not a violation of GPL, why would I complain about that?

Re:

[DRJlaw]

By "stealing" you mean violating copyright?

You're both wrong [volokh.com].

The CFAA violation was physically accessing a wiring closet and hardwiring into a switch [rxlist.com] in order to overcome the fact that MIT had repeatedly blocked his laptop from their wireless network.

And yes, that's a CFAA violation no matter how narrowly you attempt to construe the law. Debate the motives all you want, but the means was illegal.

Re:

[DRJlaw]

How the hell did I pull that off? The tab was even in the right page [wired.com]. Sigh.

opinion

[barodius64]

We're talking about cybersecurity here, why are they doing this? Now all of a sudden, my data and privacy are in danger because of this nonsense? I guess I'll have to use this G Suite security service from https://spinbackup.com/product... [spinbackup.com] as a part of my cybersecurity preset.