back to article Relax, breaking a website's fine-print doesn't make you a criminal hacker, says judge in US cyber-law legal row

Netizens probing websites' algorithms for bias and discrimination, against the sites' terms and conditions, can breathe a small sigh of relief. A US federal court has ruled it's not a criminal offense to flout a consumer-grade website's fine-print. The question arose after boffins and journalists, with the help of the ACLU, …

  1. Mike 137 Silver badge

    At last, some common sense

    This ruling is good news all round. The UK Computer Misuse Act 1990 has no such provision, and the UK Data Protection Act 2018 only offers a defence - and, interestingly, only after mandatory self incrimination as there's a requirement to inform the ICO of the unauthorised act (in that case reversing the anonymisation of personal data). Many of us have for years (ever since the DMCA) been fighting for the right to carry out legitimate investigations in the public interest without threat of prosecution in cases where "authorisation" is not practicable. Maybe the tide of opinion is finally changing - we can but hope.

    1. Yet Another Anonymous coward Silver badge

      Re: At last, some common sense

      In the UK expect to go to jail for typing in the top-level name of the website

      tsunami_hacker_convicted

  2. a_yank_lurker Silver badge

    Let's see if this stands

    T&C's are contracts which may be invalid because of their one-sided nature anyway (point not litigated here). The idea violating a contract is automatically a crime is idiotic. But grandstanding DA's love nothing more than an easy notch of a conviction to make themselves look good.

  3. Mike the FlyingRat
    Big Brother

    Overly Paranoid.

    While I applaud the fact that these guys went ahead and sued the US Government ahead of doing something that is albeit gray, I have to wonder if they were being a bit paranoid.

    The researchers can still be sued in civil court over any implied breach. This judgement doesn't stop that, however it does stop the government from going after them. IMHO the government wouldn't have gone after them in the first place. They aren't hacking/breaking the site. They are using it within its constraints, albeit creating 'fake accounts' as a way to verify the algos. So the website's code functions as it was intended. No criminal act.

    1. doublelayer Silver badge

      Re: Overly Paranoid.

      Researchers are frequently targeted under criminal law based on complaints from people who don't get it which are taken too seriously by police who don't get it. Examples are available in the U.S., U.K., and probably some other places as well. At a lower level, have you ever reported a security problem to someone you don't know? I have, and while you sometimes get gratitude, there's often a measure of suspicion about how you know this and why you're telling them. If you do it a lot because your job is security research, rather than only every once in a while because you find things, you're more likely to encounter someone suspicious enough to call the cops on you. Since they use this law against people who had no malicious intensions, it is very valuable that someone got legal precedent, albeit a fragile one, that they can go ahead without having to worry about American police going after them (or in reality, a legal precedent to tell the police about when they show up).

      1. flayman

        Re: Overly Paranoid.

        Indeed, I believe this is how they prosecuted Aaron Schwartz, whose unauthorised access to the JSTOR site was nothing more than basic mirroring tools. An amendment to the CFAA that would have excluded ToS violations stalled in committee. So it's quite understandable that this law would be challenged. If a USDA wanted you they could get you on fairly innocuous acts, essentially reversing the burden of proof. Put it this way, I wouldn't want to have to convince a judge and jury that it's fine to modify the URL in the address bar of your browser after inferring the use of sequential ids (I seem to recall a case like that).

    2. overunder Silver badge

      Re: Overly Paranoid.

      Doing this is gray? Maybe impulsively thinking that is a trained impulse? Surely things similar to T&C are justified, but in public facing communications? If anything, T&C like applications are what have lead to the downfall of all communication, journalism in particular.

      T&C's wrapped around public communication is also the legal scapegoat for the obvious current flood of Moral Panic.

      Moral Panic

      https://www.youtube.com/watch?v=pwQqOdfc7pw

    3. Michael Wojcik Silver badge

      Re: Overly Paranoid.

      IMHO the government wouldn't have gone after them in the first place

      An excellent basis for a legal strategy. "Eh, they'll probably just ignore it."

      The politicization of the prosecutorial function in the US is making it increasingly easy for powerful interests to suborn prosecutions - not that it was ever particularly difficult. And the CFAA and related laws have already been abused in a number of cases. The dangers are widely acknowledged in the research community.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020