Relax, breaking a website's fine-print doesn't make you a criminal hacker, says judge in US cyber-law legal row

Tuesday 31st March 2020 18:27 GMT Mike 137

At last, some common sense

This ruling is good news all round. The UK Computer Misuse Act 1990 has no such provision, and the UK Data Protection Act 2018 only offers a defence - and, interestingly, only after mandatory self incrimination as there's a requirement to inform the ICO of the unauthorised act (in that case reversing the anonymisation of personal data). Many of us have for years (ever since the DMCA) been fighting for the right to carry out legitimate investigations in the public interest without threat of prosecution in cases where "authorisation" is not practicable. Maybe the tide of opinion is finally changing - we can but hope.

4 0 Reply
1. Tuesday 31st March 2020 19:45 GMT Yet Another Anonymous coward
  
  Re: At last, some common sense
  
  In the UK expect to go to jail for typing in the top-level name of the website
  
  tsunami_hacker_convicted
  
  1 1 Reply
Tuesday 31st March 2020 18:57 GMT a_yank_lurker

Let's see if this stands

T&C's are contracts which may be invalid because of their one-sided nature anyway (point not litigated here). The idea violating a contract is automatically a crime is idiotic. But grandstanding DA's love nothing more than an easy notch of a conviction to make themselves look good.

5 0 Reply
Wednesday 1st April 2020 00:53 GMT Anonymous Coward

Overly Paranoid.

While I applaud the fact that these guys went ahead and sued the US Government ahead of doing something that is albeit gray, I have to wonder if they were being a bit paranoid.

The researchers can still be sued in civil court over any implied breach. This judgement doesn't stop that, however it does stop the government from going after them. IMHO the government wouldn't have gone after them in the first place. They aren't hacking/breaking the site. They are using it within its constraints, albeit creating 'fake accounts' as a way to verify the algos. So the website's code functions as it was intended. No criminal act.

1 1 Reply
1. Wednesday 1st April 2020 04:02 GMT doublelayer
  
  Re: Overly Paranoid.
  
  Researchers are frequently targeted under criminal law based on complaints from people who don't get it which are taken too seriously by police who don't get it. Examples are available in the U.S., U.K., and probably some other places as well. At a lower level, have you ever reported a security problem to someone you don't know? I have, and while you sometimes get gratitude, there's often a measure of suspicion about how you know this and why you're telling them. If you do it a lot because your job is security research, rather than only every once in a while because you find things, you're more likely to encounter someone suspicious enough to call the cops on you. Since they use this law against people who had no malicious intensions, it is very valuable that someone got legal precedent, albeit a fragile one, that they can go ahead without having to worry about American police going after them (or in reality, a legal precedent to tell the police about when they show up).
  
  1 0 Reply
  1. Wednesday 1st April 2020 09:01 GMT flayman
    
    Re: Overly Paranoid.
    
    Indeed, I believe this is how they prosecuted Aaron Schwartz, whose unauthorised access to the JSTOR site was nothing more than basic mirroring tools. An amendment to the CFAA that would have excluded ToS violations stalled in committee. So it's quite understandable that this law would be challenged. If a USDA wanted you they could get you on fairly innocuous acts, essentially reversing the burden of proof. Put it this way, I wouldn't want to have to convince a judge and jury that it's fine to modify the URL in the address bar of your browser after inferring the use of sequential ids (I seem to recall a case like that).
    
    1 0 Reply
2. Wednesday 1st April 2020 13:33 GMT Anonymous Coward
  
  Re: Overly Paranoid.
  
  Doing this is gray? Maybe impulsively thinking that is a trained impulse? Surely things similar to T&C are justified, but in public facing communications? If anything, T&C like applications are what have lead to the downfall of all communication, journalism in particular.
  
  T&C's wrapped around public communication is also the legal scapegoat for the obvious current flood of Moral Panic.
  
  Moral Panic
  
  https://www.youtube.com/watch?v=pwQqOdfc7pw
  
  0 0 Reply
3. Thursday 2nd April 2020 22:25 GMT Michael Wojcik
  
  Re: Overly Paranoid.
  
  IMHO the government wouldn't have gone after them in the first place
  
  An excellent basis for a legal strategy. "Eh, they'll probably just ignore it."
  
  The politicization of the prosecutorial function in the US is making it increasingly easy for powerful interests to suborn prosecutions - not that it was ever particularly difficult. And the CFAA and related laws have already been abused in a number of cases. The dangers are widely acknowledged in the research community.
  
  0 0 Reply