The Supreme Court Will Hear Its First Big CFAA Case (techcrunch.com)
The Supreme Court will hear arguments on Monday in a case that could lead to sweeping changes to America's controversial computer hacking laws -- and affect how millions use their computers and access online services. From a report: The Computer Fraud and Abuse Act was signed into federal law in 1986 and predates the modern internet as we know it, but governs to this day what constitutes hacking -- or "unauthorized" access to a computer or network. The controversial law was designed to prosecute hackers, but has been dubbed as the "worst law" in the technology law books by critics who say its outdated and vague language fails to protect good-faith hackers from finding and disclosing security vulnerabilities. At the center of the case is Nathan Van Buren, a former police sergeant in Georgia. Van Buren used his access to a police license plate database to search for an acquaintance in exchange for cash. Van Buren was caught, and prosecuted on two counts: accepting a kickback for accessing the police database, and violating the CFAA. The first conviction was overturned, but the CFAA conviction was upheld. Van Buren may have been allowed to access the database by way of his police work, but whether he exceeded his access remains the key legal question. Orin Kerr, a law professor at the University of California, Berkeley, said Van Buren vs. United States was an "ideal case" for the Supreme Court to take up. "The question couldn't be presented more cleanly," he argued in a blog post in April.
No good deed (Score:2, Flamebait)
Goes unpunished. If you find something, keep your mouth shut. Pointing out flaws only shines the spotlight on yourself. The only way companies learn is when it interferes with their bottom line.
Re:No good deed (Score:5, Insightful)
Goes unpunished.
He didn't do a good deed that was punished, he used his police powers to assist a stalker, for money.
ACAB
Re: (Score:3)
The issue here is if this is a CFAA issue or if there would need to be another law covering what he did.
If you have legitimate access to a computer and use it for something that the person who granted access didn't intend you to use it for, is that a crime under CFAA?
That affects white hats finding security issues because if the owner of the system decides that although they made a publicly accessible web site they didn't want people using it to point out obvious security flaws it could be a CFAA violation.
Re: (Score:3)
The issue here is if this is a CFAA issue or if there would need to be another law covering what he did.
Abuse of power (using a departmental resource beyond the authorized scope or for personal gain) and corruption (committing an act that violates their duty for payment or gain). If there's not an abuse of power law on the books you've got a bigger problem there. Fix that first.
Re:No good deed (Score:4, Informative)
The problem is that it appears that he was charged with accepting a kickback, and that conviction was overturned. It looks like it was overturned based on a jury instruction regarding determining whether what Van Buren did was an "official act". Supposedly, just doing that kind of search (which was intended to out an undercover cop, by the way and wasn't just a simple incident of stalking), might not constitute an "official act" making accepting money to do it not an act of corruption. That's obviously ridiculous, but it was apparently enough to overturn the conviction. Now it's looking like the officer is going to get away with this second count as well, which wouldn't be that much of a problem if he hadn't been let off for the obvious corruption.
Re: (Score:2)
The problem is that it appears that he was charged with accepting a kickback, and that conviction was overturned. It looks like it was overturned based on a jury instruction regarding determining whether what Van Buren did was an "official act". Supposedly, just doing that kind of search (which was intended to out an undercover cop, by the way and wasn't just a simple incident of stalking), might not constitute an "official act" making accepting money to do it not an act of corruption. That's obviously ridiculous, but it was apparently enough to overturn the conviction.
Hey, I'm sure those jurors were just really excited to be part of the judaical...jeweydecimal system!
Re:No good deed (Score:4, Insightful)
The "hacking" part doesn't seem like it should apply....so, maybe that gets thrown out too, but that first charge...why didn't it stick?
Re: (Score:2)
but that first charge...why didn't it stick?
The "justice" system is mostly random. Most police investigations are very sloppy. They mostly rely on plea bargains so their sloppiness rarely gets challenged in court.
But this guy was a cop, so he knows how the system works. He refused to accept a plea and got off.
Re: (Score:3)
It gets better...
“The question which should have been presented to the jury is: ‘Was it an official act?'” she continued. “Just asking the question, ‘Whose car is this?’ by running a tag isn’t an official act. If he had influenced a matter under investigation, that would’ve been an official act.”
Police officer takes money in order to lookup a license plate to determine if the license plate belonged to an undercover officer. Since it wasn't an undercover
Re: (Score:3)
ACAB
When will you learn that acting crazy and stupid is guaranteed to destroy any chances you had of effecting real change? The charismatic and reasonable will bring people together. Not the vitriolic and extreme. A positive message is always better than a negative one. Yes our law enforcement system needs reform. But calling all cops bastards tells me you aren't interested in reform. You are interested in anarchy. And I can't work with that, nor do I want to.
Re: (Score:2)
ACAB
When will you learn that acting crazy and stupid
Yeah, fuck you. As Ben Franklin put it, The bad apple spoils his companion.
What we have here is a barrel of rotten apples, and when we actually shine a light in there and start arresting the felons, we'll have defunded the fucking police because they're all rotten bastards. If they weren't, they either quit or got fired their first year.
Re: (Score:2)
You sound like a petulant child raging against an unfair world they don't even understand.
Ripe for abuse, and overdue (Score:2)
Probably most computer enthusiasts could be prosecuted under the CFAA for what are really innocent and normal activities. We really need laws about technology to be written by people who understand technology. When everybody can be construed as guilty, government officials selectively prosecute those they don't like. That's really convenient for the DOJ, but has nothing to do with true justice.
Re: (Score:3)
I am not convinced that those who know technology would be that good with laws to protect us from Cyber Criminal Activity.
I really doubt that there will be any consensus. The line between ethical computer use and cyber criminal activity is like Pornography, you know it when you see it. But it is difficult to draw a clear line, even with us techs.
The design of a Computer Virus or Malware, could also be used for Shared Computing, and rapid deployment. Rooting a phone to give yourself more features, or are
Re:Ripe for abuse, and overdue (Score:4, Interesting)
That's where a mens rea content comes in, often worded as "criminal intent" or "malicious intent".
It adds a substantially higher bar for prosecution. They need to show not just that an action happened, but convince the judge/jury about your intentions for doing the event.
Sadly, it is something that a tremendous number of policies and laws did away with over the past few decades. Removing it makes it easier for prosecutors, so they constantly push for removing those pesky requirements. It should be a requirement for nearly all major crimes, but isn't.
Re:Ripe for abuse, and overdue (Score:4, Informative)
Every single prohibited act in the CFAA [cornell.edu] contains either the word 'knowingly' or 'intentionally'.
Re:Ripe for abuse, and overdue (Score:5, Interesting)
Yes, that wording is exactly the problem.
There is an enormous difference between intentionally doing an action, versus intending to do an action with malicious intent.
As an example, consider a similar poor wording in another field, someone who intentionally creates a bomb versus someone who creates a bomb with malicious intent. Someone might create a bomb because they're a forensic scientist and they have the intent to research and study, versus someone else who creates a bomb because they want revenge. Both intentionally created a bomb, but only one did it for malicious intent.
For CFAA and the great-grandparent post, there is a similar difference from someone intentionally exceeding authorization because they are seeking a bug bounty, or because they are a security researcher trying to improve security versus because they want to harm the company or because they want to sell the credit card numbers. The key detail of "intentionally" versus "with malicious intent" is critical.
Re: Ripe for abuse, and overdue (Score:2)
Yes... but mens rea doesn't refer to something like, "I am going to commit a crime" it's more often having an intent (or less; depending on the crime knowledge, recklessness, or negligence can qualify) to do the particular thing which happens to be unlawful.
I agree that strict liability (where it doesn't matter what you knew or whether it was reasonable for you to know it) should be sharply limited, but it does have its place.
Here we go (Score:3)
So a small set of people, who at most only use M/S Word/Excel and who, if they even do anything else outside of Word or Excel, do it only on an iPhone (or maybe an Android), will decide how to use a computer?
From this I can easily see if you live outside of someone else's Walled Garden you will be breaking the law.
Case (Score:4, Interesting)
I've been following this case. The CFAA is long overdue for some legal narrowing. Prosecuting the police officer for hacking is like prosecuting drug dealers under anti-terrorism laws (which is also becoming common.)
There are already similar limits for breaking and entering. Basically, if you make any physical attempt at protecting your valuables, even using a toy safe, opening it constitutes breaking and entering. This case is akin to putting a sign on an open box full of money saying "this is my money don't take it," and leaving it on your front porch. If someone takes it, it is stealing. It is not breaking and entering, as you made no real effort to secure your stuff. A sign doesn't cut it.
Violating a term of service isn't "hacking" any more than that scenario is breaking and entering.
Re:Case (Score:5, Insightful)
I've been following this case. The CFAA is long overdue for some legal narrowing. Prosecuting the police officer for hacking is like prosecuting drug dealers under anti-terrorism laws (which is also becoming common.)
There are already similar limits for breaking and entering. Basically, if you make any physical attempt at protecting your valuables, even using a toy safe, opening it constitutes breaking and entering. This case is akin to putting a sign on an open box full of money saying "this is my money don't take it," and leaving it on your front porch. If someone takes it, it is stealing. It is not breaking and entering, as you made no real effort to secure your stuff. A sign doesn't cut it.
Violating a term of service isn't "hacking" any more than that scenario is breaking and entering.
Yeah, I fail to see how this is "hacking". He was authorized to use the database, but used it outside of official duties for a purpose not intended. It should be prosecuted as abuse of power and corruption (taking cash for it). No different than an off duty cop using his lights to get to his daughter's dance recital or someone using department CCTV cameras to watch the guy he thinks his wife is cheating on him with.
Re: (Score:2)
He was authorized to use the database,...
I think he wasn't. He was authorized the database only for the purpose of law enforcement, not for personal gain.
Re: (Score:3)
He was authorized to use the database,...
I think he wasn't. He was authorized the database only for the purpose of law enforcement, not for personal gain.
You left out the 2nd part of my sentence saying what he did was outside the scope of official use and authorization. It's no different than me letting my neighbor use my car to go get groceries while his car is in the shop, but if he decides to drive it to Vegas for a week I can report it stolen because he was not authorized to do that. (Yay car analogy! I feel like slashdot has been low on those recently).
real car analogy (Score:2)
More like using a company car for picking up groceries one day becomes a felony as the workplace policy rules are violated in some small way.
Re: (Score:2)
Work policies aren't laws. It would be more akin to taking the work car to Vegas over the weekend even though you are only authorized to use the car in San Diego where your company exists.
The company can fire you of course but it can also prosecute you for stealing the car.
This police officer was authorized to use the computer and database. He wasn't authorized to use it off the record for his buddy while taking cash for the service.
Amazing that the computer part is what is being argued rather than the corru
Re: (Score:2)
replace only authorized to use the car on per set route. Aka some dumb HR rule to cut costs that if that road is closed / backed so bad that you take a different route then technically you are not authorized use is at that time.
And that is like some TOS on a web site and being not authorized to do, say, visit a page that is not linked on the main page but was a URL that you can enter by hand = not authorized to view that page and that is a felony.
As you took the car off route so now it's felony GTA.
The corruption charge fell into a Catch-22 (Score:2)
It's a crime of abuse of authorization (bribery/corruption) for him to have used his authorized access for shady reasons - but access for shady reasons, by definition, isn't authorized. Only a sane person wouldn't want to fly more missions...
cop using his light can = hacking a traffic light (Score:2)
cop using his lights can = hacking a traffic light.
As they were not authorized to use the traffic light changer part of the cop car lights system. At that time
Re: (Score:2)
“There is no evidence VanBuren committed an official act in exchange for money when he ran the license plate. The term ‘official act’ is a term of art with a specific meaning under McDonnell,”
Durrett said, referring to a 2016 U.S. Supreme Court ruling. From https://www.courthousenews.com... [courthousenews.com]
Basically, since it was an FBI sting, and not related to an official investigation it wasn't illegal under the law he was charged.
Technicality (Score:2)
IIRC it was a technicality. I'm pretty sure there is an existing law covering misuse of police resources, or something similar. I'm not sure why they didn't charge the officer with breaking that law.
I don't see a real remedy for this (Score:4, Insightful)
IANAL, but there is nothing constitutional stopping the federal government from using contractual terms to define access limits for the purpose of creating an "anti-hacking law." It superficially makes a lot of sense, especially to lawyers.
Most of us know that what such a law **should be** about is preventing real hacking like breaking into Facebook's data analysis platform, spoofing identity through various attacks, etc. I think the Supreme Court may well actually get that because they are some of the best jurists in the country, but in the end their response will probably be to us "look, we can fix unconstitutional but we can't fix stupid."
And sadly, that is precisely the sort of reaction we would want from an unelected, coequal branch.
Re:I don't see a real remedy for this (Score:4, Interesting)
On the contrary, I very much want a law that says it's a crime for people to abuse their access to a company's computer system to pull up data. A cop should go to jail for looking up and selling details of someone's life in a police database (this case). The Uber execs who spied on their users (e.g. reporters or love interests) should be prosecuted if they exceeded what Uber authorized and Uber should be held liable if they allowed people to have access in violation of their stated privacy policies.
I would love it if cop shows didn't go
Cop: "give us data X"
Clerk: "no"
Cop: "don't make me get a warrant"
Clerk: "okay, here is data."
I want them to go
Cop: "give us data X"
Clerk: "no"
Cop: "don't make me get a warrant"
Clerk: "that would be great, it's a felony for me to turn over user data without a warrant."
Re: (Score:2)
So would I. But people do.
Is your dad a cop? Because even most cops get more news on the accuracy of fingerprint matches (as well as other things) from TV than from experts.
Part of that is already illegal (Score:2)
It's already illegal to bribe cops like this. Using the CFAA was probably just a case of "well, why the fuck not?" by a US Attorney looking for a better scalp.
Re: (Score:2)
And it's a good thing the US Attorney did. The cop beat the other charges.
I fail to see why that's a problem. Why shouldn't customers be able to trust that their data is not being abused? Why isn'
Because abuse is nebulous (Score:2)
Why should it be a felony for someone at Facebook to read your private messages? There's a reason we normally privilege certain data and not others. The process of criminalizing mishandling of data should be a deliberate political act that weighs the pros and cons, including "is this worth adding another (to 4200 existing) ways for a man to go directly to federal prison?"
Easiest way to royally fuck over someone who does something
Re: (Score:2)
Why should it be different for someone at Facebook spying on your messages than for someone sitting in a basement somewhere. Why should exploiting your employee access result in less jailtime than exploiting a poorly configured server. Hell, given that a lot of hacking is just social engineering, why is that okay but sending a message that you're a special assistant to [blah blah blah] and need access a felony.
Re: (Score:2)
and court discovery rules will force the workplace policies into public records. And this being a criminal trial gives you more rights than a civil trial. And you have The RIGHT TO JURY TRIAL as well.
Cracking, not hacking (Score:2)
If the CFAA applied to cracking, and not to hacking, things would be less opaque.
Cracking vs Hacking (Score:2)
...is old rhetoric that never took hold within mainstream vernacular.
It's been somewhere around 20 years since I first heard of the whole "cracking vs hacking" debate, and yet today's world still routinely labels breaking into a computer system as "hacking".
By all means, keep trying to change everyone's mind if you wish. It just seems like that effort could be better spent elsewhere at this point.
Why this case? (Score:3)
term of service need to be voided if forced or if (Score:2)
Terms of service need to be voided if forced or if the end user is not the one who paid for the service.
Just wait for toll roads to use the CFAA to go after people who don't pay them with hacking claims
Re: (Score:2)
You do know that the oral arguments come after the court has had time to consider extensive written arguments and preceding court documents.
Summmmm (Score:2)
The idea is he had legitimate access, password-wise. He just supposedly used it for an unauthorized reason.
The case hinges on the technical definitions of "have legitimate access". Traditionally if you have a key legitimately, you can go in, but cannot steal.
Here, can he be additionally prosecuted for "breaking in" when he didn't break in?
If you have a key, can you be additionally prosecuted for unauthorized access when your access is authorized? This is separate from prosecution for doing the wrong thin
Violating TOS shouldn't be a crime (Score:2)
The real issue isn't that the cop abused his job privileges. That's granted, and he's already liable for that.
Instead, this is about criminalizing violations of TOS clauses.
If this is considered a CFAA violation, then you could, for instance, put up a website with a joke, and post a statement on that site that says by visiting the site, I agree not to repeat the joke. And then if I went ahead and repeated the joke anyway, I would be criminally liable for a CFAA violation.
It means that essentially, web site
just read the 700 page TOS to the jury (Score:3)
just read the 700 page TOS to the jury in the court room and when the judge stops you go all Johnnie Cochran with "If it can't be said in full, you must acquit,