
Appeals Court: No Hacking Required to Be Prosecuted as a Hacker - ssclafani
http://www.wired.com/threatlevel/2011/04/no-hacking-required/
======
lotharbot
There's a lot wrong with this law and certain interpretations thereof, and a
lot of room to debate its appropriate reach, constitutionality, etc. But this
particular objection -- that you don't need to "hack" to be prosecuted as a
"hacker" -- seems strange to me, seeing as the law _never uses the word hack_
[0]. It's not a "hacking" law, but a "fraud and related activity" law.

It refers repeatedly to situations wherein a person "accesses a computer
without authorization or exceeds authorized access"; the law doesn't care if
that access was gained through technically impressive means (sophisticated
cracks based on zero-day exploits) or mundane means (an employee misusing
access).

[0] <http://www.law.cornell.edu/uscode/18/1030.html> , ctrl-f hack. It's not
there.

~~~
pyre
From the article: _The case against Drew hinged on the government’s novel
argument that violating MySpace’s terms of service was the legal equivalent of
computer hacking and a violation of the CFAA._

This could mean that websites that have Terms of Service agreements preventing
linking to their site could constitute a Federal crime with mandatory jail
time? That doesn't seem right to me.

~~~
dangrossman
Linking to a site does not involve accessing any other computer. The terms of
service can show that certain access is unauthorized, they can't _make
unrelated activities into_ computer access.

------
hga
Volokh conspirator Orin Kerr has some good commentary on this:
[http://volokh.com/2011/04/28/ninth-circuit-holds-that-
violat...](http://volokh.com/2011/04/28/ninth-circuit-holds-that-violating-
any-employer-restriction-on-computer-use-exceeds-authorized-access-making-it-
a-federal-crime/)

------
alok-g
>> unless the object of the fraud and the thing obtained consists only of the
use of the computer and the value of such use is not more than $5,000 in any
1-year period

Going from $4999.99 to $5000.00 turns it from nothing to a federal crime! If
we engineers were making such stupid algorithms, nothing these law-makers use
in their daily lives would work!

~~~
pyre
On the other hand, you would be complaining that the law was 'too broad' if it
only defined it as a 'significant amount' or something equally as nebulous.

~~~
alok-g
"Make everything as simple as possible, but not simpler." - Albert Einstein

There are more options besides making it over-simple, or leaving it incomplete
(nebulous).

------
fleitz
This is why I never sign those stupid HR forms.

When I was asked these sorts of things I asked two questions:

1\. Am I required to sign this in order to maintain my employment?

2\. Can you put it in writing that I am required to sign this to maintain my
employment?

It never gets past question 2.

~~~
xiaoma
What's the result? Do you usually get fired for no specified cause?

~~~
fleitz
I was threatened with firing once unless I started coming in at 9 am. I had
never come in before 10 am and I suspect it was because the company figured I
couldn't risk my job after having some legal problems. Didn't bother showing
up at their requested time and a couple months later (on the ides of march,
you can't say I'm not poetic) I tendered my resignation after another star
programmer quit. I got yelled at because apparently I wasn't supposed to call
their bluff when they were in no position to back it up.

The day before my notice was up they decided it was ok for me to continue my
normal schedule.

------
simonh
I'm a Brit, and live in the UK but I do access US based computer systems so I
suppose I could be subject to this law.

>accesses a computer without authorization or exceeds authorized access

There are two possible meanings of 'authorized access' here. One is
authorization by the computer's security system, e.g. file access permissions.
The other is authorization according to a contract of some kind. The court in
this case used the latter interpretation.

Were the judges even aware that this term could be interpreted in more than
one way? What was the intention of the original law in this regard, did it
indicate which interpretation(s) were intended?

------
bugsy
Completely insane!

