
You are committing a crime right now - ssclafani
http://erratasec.blogspot.com/2012/11/you-are-committing-crime-right-now.html
======
grellas
In April, 2012, the erudite Judge Kozinski wrote for the entire Ninth Circuit
in an _en banc_ decision addressing the very concerns raised in this piece
(see decision here:
[http://www.ca9.uscourts.gov/datastore/opinions/2012/04/10/10...](http://www.ca9.uscourts.gov/datastore/opinions/2012/04/10/10-10038.pdf)).

The opinion is not only compelling, it is a brilliant example of law at its
best, for it shows how a wonderful legal mind wrestles with a knotty problem
that can be summed up with the question, "Should courts apply a badly drafted
piece of legislation to lead to the absurd result of criminalizing a whole
host of minor misdeeds committed by individuals every day in using the web and
their computers?" Judge Kozinski answered this question with a resounding
"no."

He did so by applying the "rule of lenity," which requires "penal laws . . .
to be construed strictly." (at p. 3872) "The rule of lenity not only ensures
that citizens will have fair notice of the criminal laws, but also that
Congress will have fair notice of what conduct its laws criminalize. We
construe criminal statutes narrowly so that Congress will not unintentionally
turn ordinary citizens into criminals." Applying this rule, he held as
follows: "Therefore, we hold that 'exceeds authorized access' in the CFAA is
limited to violations of restrictions on _access_ to information, and not
restrictions on its _use._ " (emphasis in original)

In other words, though the CFAA is so badly worded that one _might_
potentially give it an absurd and unconstitutional interpretation so as to
criminalize things one would think shocking for Congress to have criminalized,
the courts have the power to apply well-established rules of statutory
construction so as to avoid such an absurdity. Here, the Ninth Circuit did so
by construing the CFAA to criminalize violations of access restrictions (i.e.,
hacking) and not violations of use restrictions (terms of use on website and
the like).

Now, there is a split in the federal circuits on this issue and it will either
be resolved by an amendment to the statute or it will eventually find its way
to the Supreme Court for resolution. But, even granting the split, the most
extreme cases in which the CFAA has been applied criminally have involved
things such as employees misappropriating trade secrets and other items that
go far beyond innocuous things such as violating an employer's computer use
policies by surfing the internet on company time.

In other words, no court has gone so far as to adopt anything close to the
absurd outcomes suggested in this piece. Even the government in its arguments
to Judge Kozinski strongly stated that it would never consider prosecuting
such items as crimes. ("The government assures us that, whatever the scope of
the CFAA, it won't prosecute minor violations. But we shouldn't have to live
at the mercy of the local prosecutor." at p. 3870)

Thus, it is fit and proper to call out the alarmist tone of this piece as
being wildly outside the mainstream of where the courts have gone with the
CFAA and of where they are likely to go. Is it badly drafted legislation? Yes,
it is a mess (if you want to lose your mind, try reading through the text of
the statute here: <http://www.law.cornell.edu/uscode/text/18/1030>). Can it be
interpreted to criminalize things that Congress might not have intended to
criminalize? Yes, including acts by employees that, though wrongful, may not
have been within the contemplation of Congress when it passed the statute.
But, that said, is there a risk that the CFAA can be applied to criminalize
our daily interaction with computers and the web? No, not unless normal, sound
principles of law are wholly disregarded by the courts, which they won't be.

~~~
clicks
So you say that a court would not use 18 USC 1030(a) to charge someone of a
crime:

> In other words, no court has gone so far as to adopt anything close to the
> absurd outcomes suggested in this piece.

Pardon me if I'm missing something here, but doesn't the post exactly say that
that has what weev has been charged for?

> This is the issue behind the recent conviction of Andrew Auernheimer for
> “hacking” AT&T.

~~~
saraid216
> Pardon me if I'm missing something here, but doesn't the post exactly say
> that that has what weev has been charged for?

weev's actions are a gray area. I don't think that convicting him under the
CFAA is absurd. It might be unreasonable or unconstitutional, but there's a
valid security issue at stake. To liken weev's actions to viewing a
deliberately published-for-public-consumption blog post is a false
equivalence: and precisely what makes the piece alarmist.

~~~
dendory
I disagree that it's a one-off case. This case now sends a chilling effect to
all security researchers. Next, what if a stock broker finds a press release
on a web site that was published early, and makes money from it? What if a
blogger finds a leaked photo of an unannounced product? The point is that they
took a law that was meant to prevent you from hacking past security measures
to get into a private computer, and successfully applied it to data posted on
a public web server, and that is ridiculous, regardless what his intent was to
do with the data.

~~~
vidarh
You "disagree that it's a one-off case", but the comment you've replied to did
not claim it is a one-off case. Nor did the comment you reply to dispute that
it may have chilling effects. Who exactly are you disagreeing with?

------
jellicle
Despite the assertions of tptacek, there is no requirement for any fraud to
occur for a crime to have occurred. This is a pretty important thing for
computer people to understand, and it's really unfortunate that one
knucklehead vehemently asserting false facts has ruined this whole thread.

<http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf>

Essentially, anything you do exceeding authorization to a computer connected
to the internet is potentially a U.S. federal crime. Anywhere in the world. No
fraud need be proved. For example, here are the elements of a crime under
1030(a)(2):

1030(a)(2) Summary (Misd.) 1\. Intentionally access a computer 2\. without or
in excess of authorization 3\. obtain information 4\. from financial records
of financial institution or consumer reporting agency OR the U.S. government
OR a protected computer

So if the government can prove these things: you intentionally accessed a
computer; without or in excess of authorization; obtained any information at
all; and it was a computer connected to the internet, then they have
successfully proved that you violated 1030(a)(2). Numerous whistleblowers have
been charged with violating this law, including Bradley Manning; at least one
"cyberbullying" case has been charged under it, etc.

NO FRAUD IS REQUIRED. You can shouldersurf someone's password, log in as them,
type "ls", log out and never use that password again - you've violated that
law.

Every person working with computers in the U.S. or anywhere the U.S. can reach
with its laws should have this engraved along the top of their keyboard.

~~~
CodeMage
_and it's really unfortunate that one knucklehead vehemently asserting false
facts has ruined this whole thread._

What _is_ it with Hacker News lately? I've never whined about the quality of
community before, but this trend is beginning to worry me.

Further bellow you can see someone else saying that your arguments are
"bullshit". Then there was this submission the other day stating that "Stephen
Elop is so full of shit". Not even "full of it" -- no, it's like that
"Madagascar" quote: "Well, of course we're going to throw poo at him!"

I often state my position quite bluntly when I disagree with someone, but
personal insults are a different story. (Not that I haven't made that mistake
ever, but you make a mistake and you learn from it.)

Honestly, I don't know what I might achieve by writing this, but there's a
small part of me that harbors hope that things might change. It doesn't hurt
anyone to maintain a modicum of civility, people.

~~~
tptacek
I read things like "knucklehead" as an expression of frustration, and I'm
aware that being on the other side of an argument about the legalities of
hacking --- OK, I'll own it, being on the other side of any argument with me
--- is very frustrating. Yesterday wasn't a banner day for me on HN; I was
chasing down emulator bugs and every time I fixed one I'd procrastinate for
another 30 minutes to avoid digging into the next. I think I created a lot of
frustration in the process.

Not to make it about me; I'm just saying, there are message board pathologies
that are as annoying as "knucklehead" but not as obvious, so let's not single
them out.

------
tptacek
_Are you reading this blog? If so, you are committing a crime under 18 USC
1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”). That’s
because I did not explicitly authorize you to access this site, but you
accessed it anyway. Your screen has a resolution of 1280x800. I know this,
because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by
knowingly causing the transmission of JavaScript code to your browser to
discover this information._

Jesus, Rob. You know this isn't true. Under the CFAA, you can't simply declare
your blog "off limits" and then press charges. I have to access the site _with
the intent to commit fraud_. And my access to your site has to further that
fraud.

~~~
jellicle
Nope. You're committing a violation of Federal law if you access any protected
computer (a protected computer is one used in interstate commerce, which is to
say any computer connected to the internet), you do so without authorization
or exceed your authorization, and you obtain any information whatsoever from
that computer. Read it yourself.

For the most part he CAN declare his blog off limits and press charges. Except
that Federal prosecutor has to decide to press charges, not the individual.

Note tptacek: you should understand there are several different sorts of
crimes criminalized by this statute, and fraud is only one of them, and for
the other ones, no fraud is required to have occurred. Read carefully.

~~~
tptacek
That's simply not true.

The law is here: <http://www.law.cornell.edu/uscode/text/18/1030>

EFF's analysis of the law is here:
[http://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(C...](http://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_\(CFAA\))

The Ninth Circuit's model jury instructions are here:
[http://www3.ce9.uscourts.gov/web/sdocuments.nsf/0/71dd91317b...](http://www3.ce9.uscourts.gov/web/sdocuments.nsf/0/71dd91317b8b28ca88257742005f1ccb?OpenDocument)

~~~
jellicle
§1030(a)(1) through §1030(a)(7) are seven separate crimes. A person can commit
one or two or all seven of them. They are separate.

Read the government manual:

<http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf>

You're filling this whole thread with disinformation. Stop it.

~~~
tptacek
I listed all seven of them downthread before you wrote this comment. Which of
them applies to a blog post? Please be specific.

You can feel free to point to the part of the DOJ manual that rebuts me, too.

~~~
macchina
He actually does have a point based on the text.

1030(a)(2)(C) Whoever intentionally accesses a computer without authorization
or exceeds authorized access, and thereby obtains information from any
protected computer; shall be punished as provided in subsection (c) of this
section.

Under the statute, a "protected computer" generally means any computer
connected to the internet.

Also, based on the legislative history, "obtains information" has been read to
mean "merely observing" information.

The only issue is "without authorization." Based on its _plain meaning_ , the
law could mean that you need affirmative authorization to access any website.

Obviously, that's a real stretch, but there was a case decided by the 1st
Circuit Court of Appeals [1] that held a company liable for using a web
scraper - where the court said the defendants exceeded authorized access based
on the website's boilerplate copyright notice.

[1][http://openjurist.org/274/f3d/577/ef-cultural-travel-bv-v-
ex...](http://openjurist.org/274/f3d/577/ef-cultural-travel-bv-v-explorica-
inc)

~~~
Tloewald
IANAl but putting up a website implies granting certain kinds of access. This
is common knowledge and common practice. The foundation of Common Law (the
basis of our legal system) is "what would a reasonable man do?"

<http://en.wikipedia.org/wiki/Reasonable_person>

You can't parse sentences out of context and apply programmer logic to them,
that's not how laws work.

~~~
macchina
The federal government has plenary authority to regulate interstate commerce.
Federal law generally overrides common law to the extent its unambiguous.

It's true that Judge Kozinski in the 9th Circuit said he would not "apply a
badly drafted piece of legislation to lead to [an] absurd result."

But the issue is not cut and dry.

Kozinski essentially acknowledged he was interpreting the statute in a manner
possibly at odds with its very language. These courts get reversed all the
time (over 70% of their cases) - and other circuits have read the law more
narrowly.

And the government itself supports a narrow reading of the law.

OP's article is over the top. My point is, the "authorization" part of the law
appears extremely broad and as the DOJ puts it: "the case law on this issue is
muddy."

~~~
Tloewald
Federal law itself resides on common law. (It's more fundamental than the
constitution. Ever heard of habeas corpus? Due process? Rules of evidence?
Trial by jury? Precedent? Think Magna Carta.) In earlier the linked article
Oliver Wendell Holmes is quoted on the importance and nature of the reasonable
man.

As for common law:

<http://en.wikipedia.org/wiki/Common_law>

I am still not a lawyer.

~~~
macchina
I'm not a lawyer either, but I am in my 3rd year of law school - so yes I've
heard of all those things. I've also studied the CFAA.

Common law is judge-made and only governs in the absence of statutory
authority. (Due process and trial by jury are constitutional laws). The
reasonable man is primarily a negligence standard.

[http://online.wsj.com/article/SB1000142405311190406060457657...](http://online.wsj.com/article/SB10001424053111904060604576570801651620000.html)

<http://www.amazon.com/gp/product/1594035229/>

------
coffeemug
The entire U.S. legal system is based on a principle of "acting in good faith"
and interpreting laws from the point of view of a "reasonable observer." If
you choose to ignore these two principles, every single sentence of every
single law can be convoluted to have an enormous range of meanings. That's not
what the law is about -- it's not just about the letter, it's also about the
spirit.

Sometimes judges and juries screw up -- maliciously, or otherwise. Most of the
time they don't. It sucks, but it's the best system we've got.

That's not to say that the legislators shouldn't try to make laws clear and
unambiguous, but they have a lot on their plates and patching a hole in a 1986
legislation that doesn't seem to actually harm anyone isn't high on their
priority list.

~~~
tintor
Have you read his entire blog post?

------
fierarul
It's hard for an analytical mind to understand that law is mostly a socio-
political game with some vague rules. It's not a verifiable axiomatic system
(although, I think it should be quite close).

I'm coming to grips with the idea that law is mostly empirical and can only be
falsified. Which means that, by design, you can't know if you are following
the law or not.

~~~
j_baker
By and large, US law is considered to be stable and has been duplicated
precisely for this reason. That's not to say that there aren't areas that
couldn't be improved or made simpler. Rather, it's to say that we have a
society where laws aren't arbitrarily changed on the whims of whatever party
happens to be in charge of Congress.

You can almost think of the law just like you would a complex codebase.
Unfortunately, we live in an age where the law has become so complex the
average person can't keep it straight. I seriously doubt that this would
change no matter how the law were refactored. The good news is that we _do_
have a society where a concerned citizen can learn a lot about the law on
their own. Thus, I would argue that the law is complex, but easy to approach
if you want to become an expert on a particular module or subsystem.

------
crazygringo
It's always bothered me that laws can be so vague such that, in advance,
there's no way for you to know if a particular action of yours would break the
law or not. You literally have to do it, wait to see if you're charged, and
then wait for a judge/jury to decide which side of the law you fall on. It
seems so unfair that law should ever be a gamble.

I've always wished there could be some kind of government agency you could go
to, where you would lay out exactly what you would like to do, and they will
explicitly decide in advance, and it would even set judicial precedent. Maybe
you would have to pay the fees for lawyers on both sides and judge (so it
wouldn't be cheap) no matter what the outcome, but if your actions were found
to be legal in advance, then that would be binding, and there would be zero
risk to your actions.

~~~
rayiner
For civil actions, you can seek a declaratory judgment.

~~~
hayksaakian
You have to admit though, that action is not very intuitive in most cases.

------
monochromatic
> That's silly, you say, because that’s not what the law means. Well, how do
> you know what the law means? The law is so vague that it’s impossible to
> tell.

No, it's not that this isn't what the law _means_. It's that this isn't what
the law _says_. There are vague laws, and there are ambiguous laws, but you
are way overstating your case here. Either that, or you have never read §
1030.

~~~
elpool2
Care to explain what the law really means then? Because I just read what the
law _says_, but to me it still sounds pretty vague, and its unclear exactly
what constitutes "authorization".

~~~
tptacek

      The defendant is charged in [Count _______ of] the indictment with
      computer fraud in violation of Section 1030(a)(4) of Title 18 of the
      United States Code. In order for the defendant to be found guilty of
      that charge, *the government must prove each of the following elements*
      beyond a reasonable doubt:
       
      First, the defendant knowingly [accessed without authorization]
      [exceeded authorized access to] a computer [that was exclusively for
      the use of a financial institution or the United States government]
      [that was not exclusively for the use of a financial institution or
      the United States government, but the defendant’s access affected the
      computer’s use by or for the financial institution or the United
      States government] [used in or affecting interstate or foreign
      commerce or communication] [located outside the United States but
      using it in a manner that affected interstate or foreign commerce or
      communication of the United States];
       
      Second, the defendant did so with the intent to defraud;
       
      Third, by [accessing the computer without authorization] [exceeding
      authorized access to the computer], the defendant furthered the
      intended fraud; [and]
       
      Fourth, the defendant by [accessing the computer without
      authorization] [exceeding authorized access to the computer] obtained
      anything of value[.] [; and]
       
      [Fifth, the total value of the defendant’s computer use exceeded
      $5,000 during [specify applicable period.]
    

The last clause applies when the object of the fraud is access to the computer
itself; for instance, if your fraud was "gain free wireless access".

~~~
jellicle
In this case, the defendant is charged with 1030(a)(4), which is fraud, and
the government therefore has to prove fraud.

The defendant could also have been charged - in some other case - with
1030(a)(2), which is obtaining information from any protected computer without
access. In that case, the government would not have to prove fraud.

~~~
tptacek
A blog is not a protected computer, which is a term with a definition in the
law --- it's one that used by financial institutions, by the US government, or
that affects interstate commerce. Again: not a blog.

Furthermore, regardless of whether the prosecution charges a crime that
requires intent to commit fraud --- for instance, in the unlikely event that
they tried to spin a yarn about a blog affecting interstate commerce --- CFAA
crimes aren't strict liability. They must prove intent to exceed
authorization.

~~~
trhtrsh
"affects interstate commerce" is _anything_ , as has been shown time and time
again by the Federal government.

<http://en.wikipedia.org/wiki/Wickard_v._Filburn> and subsequent cases:
producing a product on your own, and thereby _not_ engaging in commerce, is
considered commerce.

~~~
danielweber
As someone who thinks _Wickard_ was a gross expansion of power, that doesn't
mean that it applies in CFAA cases.

(Also, this year's PPACA ruling detoothed the commerce clause's power. How
much it did that is to be determined.)

------
j_baker
You know, I think we as programmers have a tendency to want everything to be
well-defined, and that can sometimes turn tedious. In this particular case,
that's what the OP is doing. Congress simply isn't capable of writing these
laws fast enough to keep up with the technology, nor do I think it's
preferable ("The citizens of Utah _will not stand_ for oauth2-based
authentication! Only SOAP will do!").

This is what we have courts and an executive branch for: the law can really
only provide broad guidelines. It's up to the other branches to apply these
principles in practice.

~~~
chii
except that the wording of the law allows for application in which unfortunate
individuals can be prosecuted, but the reason for the prosecution isn't due to
the fact that their action has harmed society at large, but might have harmed
an important individual or entity. In other words, they can be applied
unfairly, and this gives power to entities that have lobbying power over the
citizen, with no recourse for the citizen.

------
iuguy
What Rob Graham is saying is very similar to the situation for many years with
the Computer Misuse Act 1990 in the UK. It took the conviction of someone for
_not hacking_ for the establishment to realise that the law indeed was an ass
and needed to be changed, and several years for the amendments in the Police
and Justice act to kick in that provided much needed background, sadly at the
cost of what are referred to as "dual use tools", such as your web browser.

~~~
aptwebapps
Are you referring to the guy who was convicted for accessing his bank's site
with lynx (or similar)? I remember a story like that but this [1] is basically
all I turned up. I'm sure I read more than that originally. Do you know more
about it?

[1] <http://boingboing.net/2005/01/27/jailed-for-using-a-n.html>

~~~
iuguy
Yes, that's the one. Yes, I know the guy in question personally. He's an
extremely well respected security specialist who unfortunately got the full
kafkaesque treatment[1].

[1] - <http://www.samizdata.net/blog/archives/008118.html>

------
ChuckMcM
This would be a more effective rant if it had a suggested fix and maybe a copy
of the letter this guy who is clearly an expert in the field sent to all of
the members of Congress on the Science and Technology committee that would
have to consider changes to CFAA. Or maybe just to Ben Quayle (R AZ) who
chairs the subcommittee on Technology and Innovation.

EDIT: Obligatory shout out for <https://postcongress.io/>

------
gggggggg
Could these be let in to allow people prosecuting to selectivally target those
they can not get for other reasons.

Like Al Capone for Tax. Cant get someone for real hacking, so these vague laws
help along the way?

~~~
jlgreco
Chances are, if they want to get someone like that, they are _going_ to find a
way. There probably isn't much need to specifically engineer a law to enable
that sort of behaviour.

------
harryh
The problem with this post is that it isn't going to convince anyone that
doesn't already agree with you. I swear to god that I am on your side. I'm a
nerd. I'm pretty confident that what's being done to Weev is awful. You & I
probably have mutual colleagues.

But this post made me less supportive of your cause not more.

You wont improve the standing of your argument in this manner. You'll only
make regular people think you're crazy.

------
wisty
> A well-known legal phrase is “ignorance of the law is no defense”. But that
> doesn’t really apply here. You know the law exists. You may have read it in
> detail. You may have even consulted your lawyer. It’s just that nobody can
> tell precisely whether this act as crossed the line between “authorized” and
> “unauthorized” access. We won’t know until if and when somebody tries to
> prosecute you.

This is a GOOD thing. The whole point is, there's no clear line between
reasonable access and hacking. It's something which the courts have to figure
out.

The Common Law is largely based on common sense, and precedent; and precedent
is based on a previous judge's common sense. The three big rules for
interpreting laws are the plain meaning rule (use the literal meaning), the
"golden rule" (ignore the plain meaning rule if it's obviously stupid), and
the mischief rule (figure out what mischief the lawmakers were trying to
prevent).

A vaguely written law lets judges use their common sense. While I'm sure
there'll be people who disagree with their interpretations, it's either that
or black and white statues which simply won't work.

~~~
chii
a vaguely written law also allows prosecutors much more broader power than
intended, and thus this power could be abused for other purposes than serving
justice (for example, to punish an individual unfairly for whistleblowing
because they happened to have accessed the information via a channel that
could be construed as breaking this particularly broad law).

------
frobozz
This is hosted on Blogspot, so I don't think the author has the authority to
permit or deny people access to that computer.

Surely it's entirely within Google's gift.

<http://www.google.com/intl/en/policies/terms/>

That said, I can't actually see where they authorise access, only that they
tell us not to misuse. Though they do give an example: "don’t interfere with
our Services or try to access them using a method other than the interface and
the instructions that we provide." which might imply that accessing them
through the provided interface, and not interfering is OK.

------
46Bit
Interesting argument towards the end, although my answer to about half the
questions is caselaw.

~~~
derleth
> my answer to about half the questions is caselaw.

True. This is how a Common Law system works, and why rants about 'activist
judges' who 'legislate from the bench' are so idiotic in (most parts of) the
USA: That's a pretty fair description of how Common Law works.

The legislature writes laws _knowing_ that they can't possibly think of every
possible fact pattern, every possible scenario the law might be applied to,
and the legislators expect judges to apply their judgement to apply the law,
clarifying it in the process. They are active because the law was written to
be applied by humans, and they legislate to the extent they effectively add
interpretations and nuance to the statute law.

(The only part of the USA not under Common Law is Louisiana, which inherited
its Civil Law system from France, which inherited it from Rome. AFAIK, the
entire United Kingdom is under Common Law; the UK is, after all, where the
majority of the USA got the Common Law from.)

~~~
monochromatic
Why does this imply that rants about activist judges are idiotic? Yes, judges
frequently have to determine what the law means. No, that doesn't mean they
have completely free rein.

~~~
derleth
> Why does this imply that rants about activist judges are idiotic?

Because all, or nearly all, such rants _are_ idiotic when you know how Common
Law works.

~~~
monochromatic
Lawyer here, and I have a fairly good working understanding of our common law
system. Nevertheless, I think there is some truth to the rants about activist
judges legislating from the bench.

~~~
trhtrsh
Yes, every case has an activist judge -- according to the losing side in that
case.

~~~
monochromatic
No.

------
b3n
I'm committing a crime by (supposedly) breaking a law from a country I've
never been to? I guess I should start wearing a hijab so I don't break Saudi
Arabia's laws too.

------
smsm42
That sounds like bullshit. Posting link to Hacker News is not exactly how one
protects access to his private information. Obviously, whatever is written on
that page, the real intent of the author was to publicize the article, and his
words in the blog that he is denying access is a lie.

Also, this is placed on a well known public blog, also submitted to search
engines and other public catalogues, means that nobody in his sane mind would
consider this a private place not intended for public visitors.

It is also a common practice, accepted by vast majority of users, that sites
run Javascript in user's browser, and that some data - such as cookies,
display resolution, etc. - is available to these scripts. If the site took
some liberties outside of accepted practices common for Internet browsing -
such as using a hole in the browser to read documents on my hard disk that I
did not specifically upload to the site - then yes, the site author would be
liable. But to scare me into believing what author intends me to believe, he
better would find any court insane enough to interpret it this way.

~~~
ben0x539
> Your screen has a resolution of XXX. I know this, because (with malice
> aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing
> the transmission of JavaScript code to your browser to discover this
> information.

Ha, ha, ha. My anti-JavaScript firewall has steadfastly deflected this
individual's malicious attacks!

------
gort
I feel I'm given explicit authorisation to read the page when the server sends
a "200 OK" response to my request to read it.

------
budchrislee
As Kyrgizio mentions, You can do whatever you want, probably even illegally,
but you DON'T embarrass your "betters". You don't bite the hand that feeds
you, and you DON'T stick your head up out of the herd.

------
mercurialshark
The posting of corporate earnings is a rather poor example. The law doesn't
require you to personally trade on inside information, as an attempt to
manipulate trading by furthering actual or false inside information is
sufficient. A reasonable person, which is what I presume the standard is,
could expect trades to be conducted based off early release of corporate
earnings. Therefore, this example isn't really applicable to the authors
primary point.

------
TheCapn
Anyone care to fill me in why creating a web server, opening access publicly
through the creation of an authorized user account and publishing information
on said access does not constitute explicit permission to access? There's a
lot of flipflopping legal discussion happening in this thread but to me there
were explicit actions taken by the web host in order to allow anonymous
individuals access to the information published.

------
wooptoo
451 Unavailable For Legal Reasons

------
xyandnoz
I am assuming that most or all of those who are defending Weev have never
experienced life after he "drops docs" on you (which he has of course done for
years, and as casually as one swats a fly)

------
jnazario
bear in mind that weev's an awful poster child for this. he's a known internet
professional troll and has made a lot of enemies in the past few years through
his actions. ISTR he'd probably been under investigation for a while and this
is what stuck.

as noted elsewhere in comments in an article about the event he laughed that
what he was doing was probably illegal, suggesting knowledge of a likely
crime.

i'm no fan of an absurd application of laws, but there have got to be better
poster children for this sort of thing.

~~~
maradydd
Weev may not be the hero Gotham City needs, but he's the one Gotham City's
stuck with. That's the thing about the judicial system; you go to court with
the defendant you have.

The government may well have been counting on weev's reputation to work
against him here. If your goal is to set a precedent that allows "unauthorized
access" to be defined after the fact, you want a defendant people won't stand
up for. It's much easier to turn bad law into bad case law when people don't
fight back.

------
Nursie
From the title I assumed this was going to be about how we have such a volume
of law that it's pretty inevitable that you're already breaking several, if
not several hundred.

------
genuine
Please don't encourage the government to try to update legislation for the
world as we currently know it, because that will be woefully out of date in
just a few years, and same for something enacted a few years from now, etc. By
pointing out what needs to change, they won't remove the law- they will try to
update it. The best thing to do is to know how to defend yourself against the
existing law so that you can fight it if and when you it affects you. It seems
currently that the most obvious defense is that it is unclear. I'm not sure
how well that would work, but odds are good that you won't have to defend
yourself anyway.

------
geon
Webservers usually have a very explicit authorization setting. Apache often
has the lines

    
    
        Order allow,deny
        Allow from all
    

in a config file somewhere.

------
mannjani
We are a democratic country they said. We believe in fundamental rights they
said.

------
spiritplumber
If you break the law, make sure it's not worth fixing.

------
neilmiddleton
Trust no man who writes web content in MS Word.

------
guard-of-terra
I think Anonymous should be trashing AT&T right now.

------
kailuowang
not if I don't click this link.

~~~
rplnt
Or if you are not located in USA I guess.

~~~
pbhjpbhj
USA don't appear to be worried about letting such things as jurisdiction and
sovereignty of other states interfere with their application of various USC.

tptacek's post (<http://news.ycombinator.com/item?id=4812735>, '[located
outside the United States but using it in a manner that affected interstate or
foreign commerce or communication of the United States];') and other info on
the statute appears to show that the law is extended to those that cause
detriment to US trade from anywhere.

