CFAA, "Authorized" Access, and Common Sense

Browse Source

There is little common sense to be had with the [Computer Fraud and Abuse
  Act][cfaa] (CFAA) to begin with.
To add to the confusion,
  the Ninth Circuit Court of Appeals last week held 2-1 in [United States
  v. Nosal][uvn] that accessing a service using someone else's
  password---even if that person gave you permission to do so---[violates
  the CFAA][cfaa-passwd],
    stating that only the _owner_ of a computer can give such authorization.
This is absurd even with complete lack of understanding of what the law is:
  should your spouse be held criminally liable for paying your bills online
  using your account?

Common sense says no.
In another case this week---[Facebook v. Power Ventures][fvp]---the same
  court (though a different panel of judges) stepped back from the original
  decision and stated that computer _users_ can indeed provide
  authorization.
This authorization holds even if the service's Terms of Service say
  otherwise.
Yet: the computer owner (in this case, Facebook) can revoke authorization,
  which takes precedence over any authorization provided by a user of that
  system.
So with a seemingly magical incantation,
  a benign situation can be made into a federal crime,
  just like that.

These situations highlight dangerous confusion over the interpretation of an
  already dangerously vague law.
The CFAA is the law that was used to prosecute Aaron Swartz for federal
  "crimes"---with a punishment of up to thirty-five years in prison---for
  liberating documents hosted on JSTOR.
Because of this [draconian threat][eff-punish],
  [Aaron committed suicide][aaron] on January 11th, 2013.

The CFAA already has blood on its hands;
  it needs to be reined _in_,
    not be given further broad powers.
So don't take news of the decisions in US v. Nosal and Facebook v. Power
  Ventures as canceling one-another out;
    things may appear the same for now,
      but serious problems still need to be resolved.

[cfaa]: https://www.eff.org/issues/cfaa
[cfaa-passwd]: https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit
[cfaa-back]: https://www.eff.org/deeplinks/2016/07/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even
[uvn]: https://www.eff.org/cases/u-s-v-nosal
[fvp]: https://www.eff.org/cases/facebook-v-power-ventures
[eff-punish]: https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime
[aaron]: https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz

master

Mike Gerwitz 2016-07-16 22:06:31 -04:00

parent c6ca369ab8

commit 0b6fa52735

No known key found for this signature in database

GPG Key ID: F22BB8158EE30EAB

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Show Stats Download Patch File Download Diff File Expand all files Collapse all files

Diff Content Not Available