So practically yes, let's be aware that the author could indeed be persecuted under the CFAA. But let's not grandstand and pretend that following that law is some sort of moral imperative that benefits everyone. The common individual will be the target of the same attacks with or without that law.
My perspective is that a fundamental aspect of the Internet and the digital world is that the software-codified rules are basically authoritative. While constructive behavior still does matter - eg knowingly turning off a hospital ventilator is still murder - the only gain here was temporarily obtaining some transit. The real remedy is for the provider to fix their systems.
Do you think that hacking per se is ever immoral?
In isolation, why would finding a hole in someone else's ruleset be immoral? If hacking per se were immoral, then there could be no such thing as a "white hat".
I specifically wrote "per se", so no - I'm not.
> If hacking per se were immoral, then there could be no such thing as a "white hat".
White hat hacking it typically specifically authorized (e.g. red teams). That is not the case with the example from the article.
In the locksport community there is a pretty strong norm to only pick locks you own or have specific authorization to pick.
Computer security not the same thing, but it's also not that different.
That is merely one kind of white hat hacking. Another kind would be figuring out an exploit for software that you have a local copy of, even against the wishes of its developer. If we agree that this is moral, then general finding of holes itself cannot be immoral.
I don't think you mean to imply that in locksport, you only pick models of locks that the manufacturer has given you the go-ahead to attack. Rather you're referring to ownership of the physical lock itself, which is merely one type of authorization. I would also guess that the reason the community repeats this prominently is to head off legal entanglement.
To the extent that a given ruleset only exists on a specific device that one does not own, then it is indeed hard to find holes in it without also affecting that device itself. However, it is still important to draw the distinction between any effects and the logical hacking itself, lest minor effects end up being persecuted inequitably.
In the context of the original article, there are essentially no damages and a little bit of unjust enrichment. Yet this whole thread has blown up about a spectre of harsh punishment under the CFAA, when equity is closer to the amount of the access fee.
EDIT: I’m fairly sure at current prices a single flight could pay for a month’s service for a single plane, probably several times over. The profit margins (& I imagine some the cut to the airline) must be enormous, & there is no pretense of fair terms at sale time because a single corporation can entirely monopolize your attention.
In what bizarro world are people being forced to buy inflight wifi?
How come that isn't happening here?
Anyway, it's a commodity. The positioning of it as a luxury service amounts to theft.
Offense versus defense.
Not saying this is ethical (although selling WiFi for 12$ per hour isn’t either) but I wouldn’t go as far as calling this an attack.
Care to elaborate on this? WiFi on a plane isn’t any kind of thing people are dependent on to survive and satellites are pretty expensive. Airplane WiFi is entirely a luxury good.
Do you feel that charging $12 to watch a movie in a theatre is unethical as well? How about $150k for a Porsche?
Finally it’s just way too expensive at that price.
Versus tracking does actually do something on your computer (e.g. running JS to discover fonts). Arguably that is a circumvention of the intentions of the user on their own hardware.
This is why the CFAA is such a horribly written law. It takes the ToS, something that should be squarely under civil law, and elevates them to being a felony under federal law.
All the js code runs but it doesn't download anything.
Obviously the Terms of Service could prohibit that too.
Refusing to fetch a particular resource would be non-access. You cannot punish non-access as unauthorised access, because no such crime of non-access exists.
I'm curious if it would be feasible to sue a company over sending ads. They have just as much information about what you want displayed on your computer as you have about how they want you to use their apis.
The possible crime (if it is one) would be if you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway.
Pontificating about abstract "intent" is not actually useful in the digital realm. Protocols  are what ultimately mediate between parties with different desires. The CFAA is merely a relic that gets invoked when some powerful entity gets upset at the outcome of a protocol.
 to be clear, I'm talking about de facto protocols as executed, not de jure protocols as written into RFC.
So let us turn to the ‘proposed’ argument itself: “Software doesn’t commit crimes; people do” The first thing to notice is that the argument has no stated conclusion. What follows? That there should be no software regulation at all? That there should not be any more software regulation than there already is? That the increase in cybercrimes done with ‘software’ is irrelevant to whether or not there should be cyber regulations? Who knows? An argument without a conclusion is by technical basis, not an argument at all.
The statement under consideration clarifies that, when it comes to crimes committed with software , people are the ultimate cause and software is merely a proximate cause—the end of a causal chain that started with a person deciding to commit cyber crimes. But nothing follows from these facts about whether or not software should be regulated. Such facts are true for all criminal activity, and even noncriminal activity that harms others: The ultimate cause is found in some decision that a person made; the event, activity, or object that most directly did the harming was only a proximate cause. But this tells us nothing about whether or not the proximate cause in question should be regulated or made illegal. For example, consider the following argument:
"Bazookas don't kill people; people kill people."
Although it is obviously true that bazookas are only proximate causes, it clearly does not follow that bazookas should be legal. Yes, bazookas don't kill people, people do—but bazookas make it a lot easier for people to kill people, and in great numbers. Further, a bazooka would not be useful for much else besides mass murders. Bazookas clearly should be illegal and the fact that they would only be proximate causes to mass murders does not change this. In fact, it is totally irrelevant to the issue; it has nothing to do the fact that they should be illegal. Why? Because other things are proximate causes to people’s demise, but obviously shouldn’t be illegal. For example, consider this argument (given in the aftermath of a bad car accident):
"Cars don't kill people; people kill people."
Obviously cars should not be illegal, but notice that this has nothing to do with the fact that they are proximate causes. Of course, they should be regulated; I shouldn't be allowed to go onto the highway in a car with no brakes. But all of that has to do what cars are for (they are not made for killing people), what role they play in society (it couldn't function without them) and so on. It's a complicated issue—one to which pointing out that cars are merely proximate causes to some deaths contributes nothing.
In conclusion- people who make the feeble argument “software doesn’t commit crime; people do” have mistaken the relevance of proximate causation
As I interpreted it, someone said adblock may be illegal under existing law because you are accessing a server without authorization. Someone else seems to have argued that this isn't true because adblock doesn't cause anything to happen on the server; therefore, adblock must be legal because adblock only affects the client.
My comment was that this reasoning doesn't hold water. Perhaps the owner states that authorization is only granted to people who don't use adblock. (Maybe there's a splash page that informs the user they aren't authorized to proceed to the next page if they have adblock enabled.) What matters is the choices people make, not that the behavior of the software avoids interacting with the server. Your hands are not clean just because your software doesn't take an action.