" led the case all the way up the Supremes"
Yes, they do seem to making quite a song and dance about it.
There’s a growing problem with computer laws written in the late 1980s and early 1990s. They were produced just as PCs began entering widespread personal usage but they failed to account for what electronic devices would soon be used for most of the time: accessing information over the internet. Nowhere is that more clear than …
There's believing in precedence and there's allowing judges' interpretations of badly worded laws to fix issues (particularly ANYTHING related to technology). Putting bad laws in place and assuming the courts will fix it later is lazy and liable to abuse from both prosecutors and defences.
I'd think there's a big difference between resolving an ambiguity in law by referring to what legislators intended to enact, and resolving an ambiguity in what legislators intended by somehow inferring what they might have intended under some alternate technological progress timeline. The first can often be pinned down firmly. The second is just an attempt to create law without any kind of scrutiny.
@ Jimmy2Cows
Well, it has prompted a thoughtful comment from Blazde below, so it waste completely pointless. I am sorry that feel aggrieved by what I posted, but interpretations of the Constitution of the USA are going to become quite interesting now there is a strong right wing majority on SCOTUS provided by Trump's three nominees, particularly Kavanaugh and Barrett.
"Isn't that exactly what the US Supreme Court does?"
Ideally it does the first thing (interprets what the drafters of the constitution intended), doesn't it? So for example we get debates over what they meant by 'arms' and whether assault rifles are now necessary for a well functioning militia (being the stated intention of the right). It's fair to assume they could have expected some progress in firearms technology so this may well have been intended. That's not to say there isn't plenty of room for debate over what was intended. Clearly there is.
An example of something we can't know is their hypothetical intention following the development of weapons of mass destruction and therefore any argument which claims the second amendment drafters would have intended to permit (or outlaw) the right to bear megaton thermonuclear devices, if only they'd known about them, is nonsense. They couldn't possibly have had that level of destruction in mind when using the word 'arms' and to pretend they did would be to abstract the literal words of the constitution away from any concept of intention.
"They couldn't possibly have had that level of destruction in mind when using the word 'arms' "
Ha, I am sure there of plenty of gun nuts that would be comfortable with personal nuclear weapons, cause you know, if your neighbor has them, well then, you need them, other wise only criminals have nukes.
Re personal nukes. I suspect that the right of national government, i.e., the US President and the Houses of Congress to declare and make war would be interpreted as denying any citizen any weapon whose use on its own could be a de facto declaration of war. Consider the movie 'Billion dollar brain', where an anti-communist attempts to invade Russia during the Cold War. Clearly the Russians (in the movie) could take that as a declaration of war. Owning your own nuclear bomb, like Matthias Rust, you could pop it into an aeroplane, fly to Moscow, land in Red Square and detonate it.
Also the USA has signed the Nuclear Non-Proliferation Treaty* so they are bound by international treaty to deny nuclear weapons to their private citizens.
* https://en.wikipedia.org/wiki/List_of_parties_to_the_Treaty_on_the_Non-Proliferation_of_Nuclear_Weapons
I confess to being intrigued by the reason for the thumb down. The USA has signed the nuclear non-proliferation treaty, the US President and Congress do have the right to declare (whereas US private citizens do not), and launching a nuclear attack on a foreign state probably does constitute and act of war. Please let me know to what you object and why. (And yes, Mathias Rust dod fly his light aircraft from Germany to Moscow and landed it in red Square: https://en.wikipedia.org/wiki/Mathias_Rust)
@ AC,
Your preferred sport does not make you a 'nut'. There are perfectly responsible gun owners and users all over the place. Watch Olympic shooting events, the competitors' handling skills are exemplary (as they should be). Indeed, when the Ceausescu regime in Romania was falling, one of the people besieging the presidential palace complained that he preferred paper targets to live ones. He was the reigning Olympic small-bore pistol gold medalist.
The term 'gun nuts' only applies to people who consider that they have an inalienable right to own and carry whatever weapon they choose in whatever circumstances they choose, and that everyone should have those rights. 'Gun nuts' are people who claim that the perpetrators of mass killings were suffering from mental health issues, but reject the idea that mental health issues should be considered when deciding whether to allow that person to own a firearm. They are people who object to laws on gun ownership applying to private sales of second hand weapons. (What is the point of denying a convicted murderer a firearms licence if (s)he can just buy one from someone else?). They claim that a 'good guy with a gun' is all that you need to protect against a 'bad guy with a gun', without considering that with that reasoning you only know who that 'bad guy' is after they have killed someone, and seem unconcerned about prevention of the initial murder.
Just like with motorcars and motorbikes, there are responsible owners and users and irresponsible ones. The young man caught doing 180mph (yes, one hundred and eighty miles per hour) on his motorbike on a UK public road was clearly not being sensible.
Like any derogatory term, 'gun nut', is often used improperly or to offend, but also occasionally accurately. If you are offended, I suggest you ignore it.
No, it is not necessarily clear what the constitution meant in most or at least some cases. That's why jurisprudence at one point had something called "the prudent man standard". It asked: "Would a reasonably careful person under such and such circumstances find this or that conclusion reasonable and acceptable?" US law-making and law-interpretation did away with that standard long ago.
Today, the law can mean whatever a Supreme Court decides it should mean. Thus, keep stuffing a Supreme Court with crazy people, and the whole thing will go off the rails, to the right or to the left.
The judgments of German Courts between 1933 and 1945 is just one example. USSR courts, Chinese Communist Courts, Catholic Inquisition courts, are all examples of how wrong such systems can go.
To me, the issue of the police man using his ability to look up a license plate for a quick cash deal is
clear: You are allowed to use these official systems only for official purposes. The police guy did something wrong, overstepped the boundaries of what he was allowed to do. Should he be fired?
Maybe not at the first offense. A warning might suffice. But if he keeps doing the same thing over and
over and does not listen to reprimands, then eventually he's gonna get fired for a cause.
Another example of this is: A person working for the US Internal Revenue Service, or the British Inland Revenue is not allowed to look up his neighbor's tax return, just because he can. Such a person is required to work only the cases he is assigned. That's because that information is supposed to be private, as much as possible. Same with any medical doctor: Is a doctor allowed to publish whether such and such famous actor, politician, etc has had treatment for sexually transmitted diseases, etc? NO, I don't think so. There is a presumption and or requirement of privacy.
My sense of justice in these matters is merely based on the "Golden Rule", which says, more or less,
"if you didn't want to be treated like that, you should not allow to have anyone else treated like that".
So, would you want yourself, your wife, your children, your relatives be treated unfairly? Well then, stand up and say so. If your mindset is "Everyone else can be treated unfairly, except me", then you fail to understand what justice should be all about.
Either one has a sense for these issues, or one doesn't. I don't need to refer to any other law to come to that conclusion: "Justice is fairness, and if it is not fair, it's crap!"
"So a lawyer who doesn't believe in precedent?"
I find the whole "precedent" idea pretty dumb.
Its akin to "This is the way we've always done it" which is the excuse I am regularly given for a whole buch of pointless , unproductive and downright stupid I.T. working practices.
One senuile old judge decides that murder is ok if its on a tuesday.
Now a "Precedent" is set, and it shall be thus
On the subject of accessing Facebook to quote "Except of course, it does. Especially if someone is using two-factor authentication for additional security."
Unless things have changed radically, you don't actually have to log in to access Facebook.
You do to post, etc, but whilst you might be nagged to log in to view content it isn't actually needed.
So maybe not so ignorant after all
Not to mention Facebook, Google, Amazon etc. are using UNAUTHORIZED access to track you across the web. Of course, if this law changes all the MegaCorps. will have it re-written so there's never a doubt that you can be spied on. When it's re-written, MegaCorps will be allowed to log INTO YOU and "gather data for economic growth". Too paranoid... look around, what world do you live in?
I went and read the law and I like it. It works for people and company, as seen with most computer laws before IT influence (a.k.a. greed). Stupidity is no excuse, why do people make it so? If you're an IRS tax agent, you can't look up the tax history of Netflix to pay your bill!! The cop is guilty by just about every case, read this link... https://www.law.cornell.edu/uscode/text/18/1030#
(1) having knowingly accessed a computer without authorization or exceeding authorized access,
(2) intentionally accesses a computer without authorization or exceeds authorized access,
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States,
(4) ... It just goes and on... guilty.
Authorisation for megacorps to do what they do is usually implicitly granted by using their services, or the services which use their services, etc.
Usually buried on page 348 of impenetrable legalise that is the T's & C's or some such.
But yes, the cop is clearly guilty of unauthorised misuse. He's just trying every possible angle to weasel out of it, no matter how absurd. His lawyer is probably paid by the hour so is happy to do so.
that is the crux of the matter: the difference between "misuse" and "unauthorised access".
Does "unauthorised access" covers "authorised access but for a wrongful use"?
Just image what may happen if it so.
You are requested by a person of authority to access a web site to retrieve some information that only you can access.
Your provide the information to that person of authority.
That person use it in a way that is latter deemed unlawful.
Are you guilty?
He has been issued a password to access the system, but there are presumably rules about what he is allowed to do on the system. Anything else is not authorised.
I don’t think the rules have to be coded into the system to be legally effective? If they were, any sort of hacking would be legal, because the system allows access in this manner.
Case law always puzzled me as a concept. Wouldn't it be better to revise the law instead?
Case law (Vast oversimplification I'm sure!):
1. Create a new law
2. Lawyers now need to learn the new law.
3. Prosecute someone under that law, and notice some issue or ambiguity in the law. i.e. It's not been written well and is too open to interpretation, or the Worlds moved on, and things not envisioned at the time of writing, are now possible etc etc.
4. Escalate this issue to some higher ranking judges, for them to interpret the law, make a decision.
5. Create new case law based on the decision.
6. Lawyers etc now need to learn the new case law, in addition to the original law.
Move on a few years, and you potentially have many case laws for the original law, and a whole mess to sort out by lawyers and judges.
Alternate:
1. Create a new law
2. Lawyers now need to learn the new law.
3. Prosecute someone under that law, and notice some issue or ambiguity in the law. i.e. It's not been written well and is too open to interpretation, or the Worlds moved on, and things not envisioned at the time of writing, are now possible etc etc.
4. Escalate this issue to some higher ranking judges, for them to interpret the law, make a decision.
5. DIFF STARTS HERE: Update the original law based on the decision. i.e. we now have Law 'x' version 1.1
6. Lawyers etc now need to learn the updated law.
Move on a few years, and you still only have the one law to learn, you just need to keep pace with the revisions.
This would also allow changes to the law, where it no longer makes sense, for example if something was specific to a tech that no one uses any more.
Just a thought anyway!
Decades? Hardly. It can sometimes be measured in days or weeks, and is frequently measured in months.
It can also be measured in miles. There are MANY cases where a US federal law means five different things depending on what part of the country you're in, and unless the SCOTUS deigns to fix it another court can still find a sixth.
The 'Alternate' scenario here is kinda what happens because new texts get written which summarise case law and lawyers only need to read that for the most part, referring to the specific cases occasionally for further clarification.
It's not like you go to law school and they show you a humongous library and say "Right, start at 1066. I hope you're a fast reader".
It's what is attempted in country not based on common law. The legislators attempts to identify all the possible situations, thereby the law is usually very complex. Usually they fail, and with time, more previously unknown situations piles up. So more and more loopholes are found. Instead of enacting a full new law, articles are continuously modified. Sometimes they are so extensive they make a different law, and tacking all the changes becomes a true pain anyway. Lawyers could have the required tools, "common people" less so.
Legislators should stop aiming at grandstanding and need to return to be humble people writing needed laws.
Amen to that, brother!
As a lawyer in one such country I can tell you that sometimes it's a royal PITA to try and explain certain laws to people.
One funny example (among many) comes to mind when the title of the new law was 'Government Decision xxx for the modification of the Goverment Decision yyy for the modification of the Government Decision zzz for the modification of Law xyz'.
And now, during this pandemic, we have the Health Minister issuing orders (with the power of law) almost every week, changing a bit of this and a bit of that in many different laws that even lawyers have a hard time tracking all that.
"And it needs to make clear that misuse of that information is the crime."
As I understand it, that is one of the arguments againt the statute as it potentially means that anyone who signs or accepts a licence agreement would be liable to criminal prosecution not civil liability.
Of course this means the 'simple' wording needs 'simply' extending to exclude private data ... but that would only refer to personal private data on a private machine not data hosted or belonging to a third party organisation ... unless of course you accepted a licence to access a private organisation's systems to look at data ... for instance a cloud database which happens to contain your personal data as part of a bigger system ... Oops it's suddenly complicated. I can see an email on the webmail server that says Malcom was sleeping with Justin's hamster - my data (addressed to me) but if I mention it to anyone am I dragged into the courts by Justin's jealous dog because that data was not on a personal, private system but held on a corporate email server that I was granted access to and which now makes it a criminal offence to 'use' under the CFAA ...
The CFAA is clearly rubbish and needs fully rewriting ... carefully.
The Electronic Privacy Information Center (EPIC) has more information here: https://epic.org/amicus/cfaa/van-buren/
Quote -------------------------
The FBI charged Van Buren with honest-services fraud and felony computer fraud. A jury convicted him on both counts. On appeal to the Eleventh Circuit, Van Buren argued, among other things, that the jury instructions were incorrect and that there was insufficient evidence to support his convictions. The Eleventh Circuit reversed and remanded the honest-services conviction because of an error in the jury instructions, but affirmed the computer-fraud conviction. The court determined that it was bound by its prior ruling in United States v. Rodriquez, where the court held that a Social Security Administration employee who accessed the personal information of seventeen individuals in an agency database for personal reasons “exceed[ed] authorized access” under the CFAA.
Van Buren petitioned for review in the U.S. Supreme Court, arguing that the Eleventh Circuit’s decision deepens a circuit split over the interpretation of “exceeds authorized access.” The Court granted review on the question
Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.
End quote --------------------
Note that he was also convicted of "honest services fraud". The "reversed and remanded" means that it got sent back to the original court for a retrial. That retrial will probably also result in a conviction.
It seems that this would have been better handled as using one's privileged position for monetary.
Bribery refers to the offering, giving, soliciting, or receiving of any item of value as a means of influencing the actions of an individual holding a public or legal duty.
So, cash offered, actions taken on the part of a person holding a legal duty, information transmitted, cash received.
Looks like they picked the wrong law to enforce.
Reference: https://www.law.cornell.edu/wex/bribery#:~:text=Bribery%20refers%20to%20the%20offering,a%20public%20or%20legal%20duty.&text=Solicitation%20of%20a%20bribe%20also,receipt%20of%20a%20valuable%20gift.
"But seemingly nothing that would get a cop convicted for looking up people's license plate numbers for cash."
What about bribery, misuse of authority in public office, gross misconduct, data protection?
Set aside computers entirely. Does the law really say it is acceptable to pay a policeman to do things for you which are only possible due to a police officer's privileged position? Where those services take place in police time, in police offices, and using police resources?
Could you equally pay a council worker or tax officer to give you photocopies of documents they hold about your neighbour?
exactly, the government defined the requirement of a "substantial meal," without defining the term
its up to the court to decide on the definition of substantial and meal should a case were somone is prosecuted under that statute appear before them and a hgiher court has yet to make that determination.
Based on this, probably not - https://www.lawgazette.co.uk/obiter/a-substantial-meal-try-pickles-and-beetroot-to-stay-legal/5105974.article
But if you add pickles and beetroot to the plate, or sausages on sticks, you will be fine.
Surely a "substantial meal" includes three courses, a decent bottle of red wine, cheese and biscuits all rounded off with a liqueur coffee and a 'wafer thin mint'?*
If you don't need to undo your belt a notch it ain't substantial in my book.
*Not for breakfast of course, that would be porridge, a brace of kippers, kedgeree (or sausage, egg, mushrooms, fried bread, baked beans with tomato sauce, fried tomatoes and possibly black pudding) a pot of coffee and marmalade on toast. Also note that a gentleman serves himself at breakfast, the servants having swept the grates, set the fires, laid the table, cooked breakfast, and done all of that before you were awake, oh and then dressed you.
The current law hinges on whether you are or are not *authorised* to access a (particular part of a) computer system. What the argument being made in the article assumes is that authorisation is a binary condition - i.e. it must either be absent or it must be unconditional. But that is not the case. A person may have *conditional* authorisation to access a computer system or database etc. Authorisation can be implicit - e.g. yes you are authorised to access certain FaceBook databases - but only by going through FaceBook's normal front end. You are not authorised to access that same database by exploiting a vulnerability to tap into the raw database files.
In the case in point, a police officer is authorised to access the PNC databases for the purpose of crime detection, prevention or enforcement. The officer is *not* authorised to access the PNC to see whether his daughter's new boyfriend has a criminal history. Or to sell licence plate information. Or to trace the whereabouts of his ex. Or to erase the criminal history of his brother.
Just as a system administrator may be authorised to access a customer database in order to maintain & backup that database etc. Which does *not* mean that he is authorised to sell the CC details in that database on the dark web, or to list the contact details of customers and sell them to the competition.
There may be a few grey areas where a person is uncertain of exactly what they are or are not authorised to do, but I suggest that there are not a huge number of such cases.
"What the argument being made in the article assumes is that authorisation is a binary condition - i.e. it must either be absent or it must be unconditional."
Yeah, I was reading that and thought of Edward Snowden. I mean, the "you gave me access so I can do whatever the hell I like" angle really wouldn't fly, so why should it be any different just because the guy is a cop?
He has been given access. Part of that is being trusted to use that access (and information) correctly within the necessary capacities of performing his job. Hawking off info for a bit of cash on the side is neither part of the job or making legitimate access to the information.
What’s the difference between looking up a license plate on a computer and looking it up in some paper files? I would think that looking up the information for money is a crime in either case. But with no computer involved, it’s obviously not computer fraud, and if the cop was authorised to lookup license plates, then it still isn’t.
There was a case of a store employee whose job it was to use a computer to print and sell lottery tickets. She also printed out about $1,000 worth of tickets every week for herself without paying. She was charged with computer fraud and found not guilty because using that computer was her job. She was also charged with theft and found guilty.
If that cop had no authorisation to lookup license plates and had to use a colleague’s login, that would be computer fraud.
I'd rather let Van Buren go and send the message that the law needs to be turfed and rewritten. The CFAA is the nightmare that nightmares have, and people in countries with extradition treaties to the country that miscarried it into existence have to deal with it as well. Burn it down.
Surely they can get him for what is essentially bribery - if the plate database isn't public (and if it was I assume no one would be willing to pay him to look stuff up) then he's trading access his job allows for money. How is that any different than a tech company employee selling non-public information on future product plans?
If nothing else, they can force all the cops to sign an agreement specifying how they will use information they have access to and the penalty for failure to do so. If they refuse to sign, fire them. Problem solved!