>If picketing IRL factories is allowed, what would the law be on DDOS of an online business by union members?
I'm pretty sure union/striking isn't a valid excuse to violate laws, and that "picketing IRL factories" doesn't violate any laws (i.e. they do it on the sidewalk/public roads).
Perhaps surprisingly, whether picket lines are lawful is often a matter of legal contention when there's a strike. Company owners argue that they are obstructive (which is at least partially the point), and courts often grant injunctions or restraining orders placing limits on the size, location, or even existence of picket lines.
Have any of these restrictions been on people operating entirely on public property? The only ones I've ever seen typically entail trying to block access entirely, something that by definition almost requires access to private property unless you have a ton of people, which most picket lines don't.
Submitting a job application with false information does not violate any law that I am aware of (perhaps if it's a government position there is? I'm not sure).
Manually submitting 50 job applications with false information also does not violate any laws that I am aware of.
The focus then becomes on automation. But if I automate the job application process at 1 application/day, that's not illegal. So it becomes a balancing act between how fast I am automating, and how shoddily designed the application system is.
I don't think it's as cut and dry as "this is illegal" or not.
Sending a single request to a website is not illegal. Hammering a website with thousands of requests per second with the intent of taking it down or making it inaccessible is. I agree it's not cut and dry but intent matters to some extent.
In the context of this specific scenario, I can agree to that.
But in the context of the parent comment ("what would the law be on DDOS of an online business by union members"), there's a valid discussion to be had.
If my code submits 1 fake application to each open position, once per hour or once per day (which is well within what I can do manually), and that code is shared between thousands of striking workers (and their supporters), and that results in downtime or inaccessibility, should that be illegal? If so, why? Would it be different if there wasn't code, but just thousands of strikers submitting applications as fast as they manually can and as fast as the website allows?
At what point does the responsibility lie with the company who isn't rate-limiting or captcha-ing?
With the CFAA, it's actually entirely possible that the person who wrote the code is entirely at fault if their intent was that multiple people run malicious code. Courts aren't black and white and take intent and amount of damage into account. There's no hard and fast "number" on how many people makes a DDOS. In fact, the service (site) doesn't even need to be hampered to be considered a DOS. Just having HR have to filter through tens of thousands of bogus applications can be considered a DOS.
In the context of the CFAA, I think you can make just about any activity on a computer be deemed illegal. Which is why I think these cases are worth discussing, and we should have the discussions with the intent of improving what the CFAA is and does, because it's grossly outdated.
Personally, I believe that if a few thousand striking workers decided to manually fill out job applications as fast as they could, as opposed to walking a picket line, that should potentially be considered a valid form of protest. If the job-application-taking website fails or slows down or HR gets a headache, so be it. That's sort of the point of union workers protesting - cause headaches so their voices will hopefully be heard.
And at that point, what is the difference between a few thousand people manually submitting applications or using code to submit them at a pace which they manually could anyways?
>If my code submits 1 fake application to each open position, once per hour or once per day (which is well within what I can do manually), and that code is shared between thousands of striking workers (and their supporters), and that results in downtime or inaccessibility, should that be illegal? If so, why?
A lot of it hinges on intent. If the people striking are attempting to overwhelm the service, I could see that being illegal, regardless of whether or not a program was used to assist in the denial of service.
Put another way, if I and a group of friends coordinate to call your office and tie up all of your phone lines, should there be legal consequences for my group?
I agree intent matters. But if the intent is to strike, which is what my posts are in the context of, the intent is obviously to cause headaches. That's what strikes do - cause inconvenience (less production, picket lines slowing traffic into/out of the workplace, etc.) so that demands can be heard.
>Put another way, if I and a group of friends coordinate to call your office and tie up all of your phone lines, should there be legal consequences for my group?
I think this is somewhat detached - your friends aren't striking workers trying to make a point - but I think it somewhat depends on what easily available mitigations I could employ. Can I simply block the numbers? Then I should do that. Can I rate-limit the number of times a certain number can call me? Then I should do that as well.
More illustratively, if my phone system is poorly designed and only accepts 1 phone call every 5 minutes or it crashes, should there be legal consequences for someone who calls twice in that 5 minute period? I say this, because if a website has no rate-limiting, no captcha, and can easily fall over -- is it really solely the fault of the striking workers who manually submit applications?
What if your phone system is poorly designed and only accepts 500 phone calls a minute or it crashes, should there be legal consequences for getting 600 people to call during the minute? What if your web site is poorly designed so that more than five million requests make it crash, and a DDOS sends ten million requests? Is it okay for the NSA to hack your computer to spy on you because computer software is poorly designed and includes exploits that allow hackers in? What if your automobile is poorly designed in that it can't handle having caltrops thrown in front of it to puncture the tires and cause a crash?
All systems are "poorly designed" if by that you mean they'll fail under pressure but this could have been prevented. It would, after all, be possible to design a car that is more resilient to running over a row of caltrops, it would just be expensive and unrewarding most of the time.
Of course, the person disrupting the system is a biased party. He shouldn't get to decide what counts as poorly designed in order to excuse his disruption; if you allow that, he's always going to claim that whatever vulnerability he found is just poor design. We don't think this is a good excuse for the NSA; it shouldn't be a good excuse for anyone trying to overwhelm a phone system.
Your whole comment is based on an analogy which I already said is detached from the issue at hand. None of your examples relate, at all, to a striking worker.
Was my phone analogy poorly constructed? Yes. Does your extension all the way to NSA hacking innocent citizens make sense? No.
Nobody is talking about "hammering a website with thousands of requests per second with the intent of taking it down." They're flooding an application process so that Kellogg HR can't find any real people in the giant pile of fake applications. Taking the website down is not a goal.
Both are attacks on availability in an IT context which is what makes it illegal. The goal is to cost the company money by reducing their ability to use recruiting systems, which is rather analogous to taking down a website in the eyes of the law.
What do you mean by "in an IT context?" The limit of the "IT" part of this is submitting the application online. There is no further technical piece, and I can't help drawing a parallel between you saying this is illegal because it's "in an IT context" and similarly ridiculous things like patenting already-patented processes but "on a computer."
If this stuff is illegal then posting a job when you already have an internal candidate in mind, or you are just collecting resumes or the actual job does not match the listing should also be illegal. After all, aren't they sabotaging my application process with their spammy ads?
The intent to access systems in an unauthorized way in order to disrupt those systems-- the clear intent of this script-- would fall afoul of the rather broad CFAA.