
The CFAA Reaches the Supreme Court, Sort Of - CapitalistCartr
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/11/23/the-cfaa-reaches-the-supreme-court-sort-of/
======
AnthonyMouse
> The difference between “access without authorization” and “exceed[ing]
> authorized access.”

I never really understood why this distinction is considered so contentious.
The law itself defines "exceeds authorized access" as "to access a computer
with authorization and to use such access to obtain or alter information in
the computer that the accesser is not entitled so to obtain or alter."

Which isn't that helpful because it's approximately what you would expect it
to mean if it wasn't defined. But I'm not sure where the ambiguity between
"access without authorization" and "exceeds authorized access" is supposed to
come in. The plain meaning is clearly that in one case you have no legitimate
access (i.e. the system doesn't allow anonymous access and you have no
account) and in the other case you have some legitimate access but not to do
what you did. Kerr makes the argument that it is possible for "access without
authorization" to imply "exceeds authorized access", but that is one place
where the statutory definition is useful: The definition of "exceeds
authorized access" first requires you "to access a computer _with
authorization_..."

The real trouble with the CFAA is that it doesn't make the scope of
authorization clear in either event. The canonical way people know whether
they're authorized to do something to a computer system is that it allows them
to do it. If you aren't authorized then it comes back with "access is denied"
and you can't do it.

So the only way to break the law is to get the computer to do something it
isn't supposed to let you. But where is the definition of _that_? How are you
supposed to know what the computer is supposed to do, if the normal way of
knowing that is to look at what it actually does, and the only cases that
matter are the ones where that doesn't apply? There may be some obvious cases
(e.g. logging in with someone else's account), but by what rule or principle
are these cases supposed to be distinguished from others?

~~~
rayiner
> The canonical way people know whether they're authorized to do something to
> a computer system is that it allows them to do it.

I am not convinced you have to throw common sense out the window just because
you're dealing with a computer. The computer doesn't need to reject your
attempts to, e.g., see other people's account information for you to know
that's outside the scope of authorized use.

The presumption when you're dealing with any other sort of property is that
you have license to do what you can reasonably believe the property owner is
giving you permission to do. You can browse around a shop, but the property
owner doesn't need to lock the back room for you to know you don't have
authorization to go there.

What you're saying is that for the specific case of computers, that
presumption should be flipped: you have authorization to do whatever you're
not actively prevented from doing.

~~~
AnthonyMouse
> I am not convinced you have to throw common sense out the window just
> because you're dealing with a computer. The computer doesn't need to reject
> your attempts to, e.g., see other people's account information for you to
> know that's outside the scope of authorized use.

It seems you're advocating for the "I know it when I see it" test.

If this common sense is so common then we can write down what it is and make
sure everybody is on the same page, right?

> What you're saying is that for the specific case of computers, that
> presumption should be flipped: you have authorization to do whatever you're
> not actively prevented from doing.

The practice is flipped. In practice you _are_ actively prevented from doing
anything you aren't authorized to do, absent some flaw in the server. Why
shouldn't the rule follow the practice?

~~~
rayiner
> The practice is flipped. In practice you are actively prevented from doing
> anything you aren't authorized to do, absent some flaw in the server. Why
> shouldn't the rule follow the practice?

Because it puts the burden on the property owner to secure their systems,
instead of on the user to not behave in anti-social ways. In an ideal world,
you wouldn't need computer security--people should just do what they're
supposed to do.

~~~
AnthonyMouse
> In an ideal world, you wouldn't need computer security--people should just
> do what they're supposed to do.

It would certainly be nice if everyone in the world would just behave
themselves, but then we wouldn't need computer security _or_ laws.

> Because it puts the burden on the property owner to secure their systems,
> instead of on the user to not behave in anti-social ways.

Which would be a much stronger argument if not for the independent need to
defend against foreign attackers.

And once you have to have computer security because there exist people on the
internet in countries with no meaningful law enforcement, the existence of
that security informs expectations of how authorization works.

~~~
tptacek
Your argument is becoming incoherent. It is because people don't behave
themselves that we do need laws. The CFAA was enacted because existing wire
fraud laws don't cover non-remunerative offenses, which are most serious
computer offenses.

~~~
AnthonyMouse
> It is because people don't behave themselves that we do need laws.

And it is because people don't behave themselves that we do need computer
security. So "if only the law was effective then we wouldn't need computer
security" is no more accurate than "if only computer security was effective
then we wouldn't need the law", except that laws have the fundamental
disadvantage of not applying to attackers outside of your jurisdiction, which
means that we will regardless still need computer security.

> The CFAA was enacted because existing wire fraud laws don't cover
> non-remunerative offenses, which are most serious computer offenses.

Why it was enacted has very little to do with whether it is a good law.

~~~
harryh
No one, at any point in this thread, has ever suggested that we don't need
computer security.

~~~
AnthonyMouse
https://news.ycombinator.com/item?id=10628733

> In an ideal world, you wouldn't need computer security--people should just
> do what they're supposed to do.

~~~
harryh
We do not live in an ideal world.

~~~
AnthonyMouse
Which is why we need computer security. And sometimes laws.

------
jevinskie
If the law says A | B, and someone is convicted of A & B, is it not plainly
obvious that the jury would have convicted of A | B as well, since it is a
strictly "weaker" predicate?

~~~
AnthonyMouse
The argument is from the other side. The idea is that the prosecutor clearly
didn't prove A & B, so the jury didn't follow the judge's instructions. If the
judge had told the jury A | B then the jury's verdict would have been more
reasonable, which hurts the defendant's argument that it was unreasonable.

------
tbrownaw
Not really, per TFA this seems to be more about handling procedural goofs than
about the particular law they goofed up on.

