Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in The US Supreme Court on Thursday limited the scope of the 1986 Computer Fraud and Abuse Act (CFAA) in a ruling that found a former sergeant did not violate the law by misusing his access to a police database. When he was a police officer in Georgia, Nathan Van Buren used his credentials to log into the computer in his patrol …
This will also help penetration testers to test the claims of service providers they rent cloud services from. Authorised access to execute code in their guest VM and if it happens to crash the host because the provider lied about what they did or did not patch, it’s no longer a felony.
Sen. Wyden mentions the need to "protect users against corporate employees who abuse their access to databases of sensitive personal information." Great, I agree. But it seems much more important to talk about protection against government employees doing the same. First because *that's what this case was about*, but even more importantly because one cannot opt out of having one's data stored by the government. Opting out of giving your personal information to corporations may be inconvenient, but it *is* possible (no, you do not "need" a cell phone, so however obnoxious it is that carriers insist on collecting your personal information and giving it to Equifax who will promptly leak it to criminals, you *can* avoid that). That's not the case with government agencies, many of which have even more sensitive information. Sen. Wyden is culturally incapable of imagining that anything about government is ever bad, but for the rest of us that's a pretty serious concern, especially when governments' own research has shown that they are hopelessly unprepared for attacks that lead to information theft, and they don't even try to compete with the private sector for the kind of technical staff they'd need to correct that.
You may not "need" a cellphone (possibly - I haven't tried living without one for more than a couple of days, I imagine it's still doable but I may be wrong). But it may severely limit your job options if you "choose" to do without. I suspect this "option" is only even technically possible to a minority of people.
But you probably do need electricity supply in your house. And water. And it's pretty hard to get along without some kind of banking service. And depending where you live, some kinds of insurance may also be either mandatory or highly advisable.
"Opting out" is an illusion fostered by megacorps who want to avoid regulation by pretending that people interact with them of their own free will. As the recent debates around Google and Facebook have shown, merely "avoiding using someone's services" is not nearly enough.
So - sure, prosecute government employees who abuse their access. But let's not assume ab initio that this abuse is either more pervasive or more serious than the private sector.
I must be an illusion, too, then; I don't use any of those things and haven't owned a cell phone in 7 years (my Internet service comes from a local provider who doesn't have any information on me that the local government land registry doesn't already publish). Opting out may not be everyone's cup of tea and I'm not going to waste my breath arguing anyone else into it, but it is an available choice.
That doesn't mean the law shouldn't restrict people with access to their employers' customers' personal data from abusing that access for personal gain, convenience, curiosity, etc. But given a choice between the inconvenience of opting out -- which if everyone did it would instantly render all corporations bankrupt -- and allowing corporations access to my information, I'll gladly tolerate the former. I don't have a choice when it comes to the government.
Regulating the government always takes precedence over regulating private actors, because one can avoid private actors and they are (however it may seem) far less powerful. This case actually provides a perfect example: the victim in this case has just been denied justice because although there are numerous laws regulating private storage and use of personal information, there is as of today absolutely nothing to stop individual government employees from doing literally anything they want with it. When a cop decides to sell your information to criminals or give it away to gawker tabloids, your choices are to sit there and take it or sit there and take it. This may be a rare instance in which I can't agree with the EFF: as bad as the "TOS violations are criminal offenses" interpretation of the CFAA was, the interpretation that you can't do anything to stop government officials acting as individuals from doing whatever they want with the databases they can access may in fact be even worse. At a minimum, the court could and should have split hairs here: terms of service aren't criminally binding, but government policies regulating their own employees' conduct are. This cop belongs in prison, or hanging from a rope, even if people who ignore some website's TOS link don't. This decision is as big a defeat as it is a victory, unless you're a dirty cop.
You don’t have a water supply - do you pump from a well in your back garden? And without electricity or a mobile phone, are you typing these replies from a PC at a library or something? Wow,
There are likely to have been other laws that could be more appropriately applied. Bribery springs to mind if there was any element of benefit offered. Admittedly none will attract the death penalty, but that seems a wee bit extreme for looking up a plate.
What carries the greatest potential for state abuse - making life slightly more difficult for prosecutors in cases like these, or criminalising basically everyone and leaving them open to intrusive searches and police coercion?
If there are gaps in law resulting from interpreting this one sensibly, the best remedy is sensible new law.
If you can indeed do without water, electricity, banking or cellphone provision, I suggest your lifestyle is probably one that is not easily - or even difficultly, come to think of it - available to most of us. "Homesteading in Wyoming" is simply not an option that scales.
I don't know what the basis of the justices' thinking is here, and I can't be bothered to find out, but one possible loophole I see in the law is that although it criminalises "exceeding authorized access" to "information from any department or agency of the United States", it's not clear that that extends to state government records. Maybe states were supposed to pass their own versions to protect their own systems, I don't know. But the defendant has tried - successfully, it seems - to frame the law as an all-or-nothing prohibition on "doing anything unauthorized on your work computer", which is surely not the intent.
> Sen. Wyden is culturally incapable of imagining that anything about government is ever bad ...
"The Fourth Amendment Is Not For Sale Act is sponsored by a bipartisan group including Sen. Ron Wyden (D-OR), Sen. Rand Paul (R-KY), and 18 other members of the Senate. The bill would make law enforcement agencies obtain a court order before accessing people’s personal information through third-party brokers — companies that aggregate and sell information like detailed user location data, surreptitiously gathered from smartphone apps or other sources."
[ "Lawmakers propose ban on police buying access to Clearview AI and other data brokers" , The Verge, April 2021 ]
While it is great that the court narrowed the law, and it is great that members of Congress are talking about it and praising it -- both we and congress need to remember that it is the responsibility of CONGRESS to fix this, not the courts, and that it was CONGRESS that created the problem.
knee-jerk legislation, painting too broad of a brush, out of cluelessness, to the point of unconstitutional "umbrella" laws that empower DA's to abuse them for malicious or even vexatious prosecutions...
That sounds like "Con-Grab" CONGRESS members alright...
(What's REALLY fun is that the 3 most recent Supreme Court members sided with the Liberals on this one, and Barrett wrote the majority opinion)
It's a start but it's still up to Congress to fix the law.
Still, like the API ruling, it speaks to a Court that isn't flummoxed by technology and is willing to investigate the consequences of its decisions.
What I found interesting is that the Trump judges voted en masse with the Clinton and Obama judges. I'm still fearful of Trump's appointees, but a little less today than I was yesterday .
To get anywhere near the Supreme court you have to be a methodical and rational human being, it's not as if Trump could find appointees in his own image (the exact opposite of those qualities). The real drama will come when they're asked to rule on clash-of-values type cases where there's no objectively sensible answer. And perhaps the real long-term problem with Trump's appointees isn't even who they are but that it set a precedent for partisan meddling in the court at the exact moment the parties are becoming entrenched in several opposing value systems the judges will need to rule on.
"...it [Mr Trump's action] set a precedent for partisan meddling in the court..."
No, that precedent was established before Mr Trump was even born, by someone from a different party: https://www.fjc.gov/history/timeline/fdrs-court-packing-plan. Nothing new under the sun.
Partisan appointments of judges --- Supreme or lesser --- and civil service appointments existed since the minute the United States was created. And was a feature [ to the parties and their presidents ] and not a bug.
Don't know about other countries, but certainly in Britain judges were appointed by party from the 17th century creation of Factional Party Government. It may or may not be the case now, since judges are appointed by the legal system itself rather than by parliament, no idea --- but as late as the last century some on the Left were under the impression that British judges veered to conservative views.
It's the gaming of the process that became partisan rather than who's appointed, which always has been.
In England High Court judges have of course always been appointed by the Monarch and thus entirely apolitical.
(Hah just kidding, since 2005 though there's a committee process intended to remove political bias and ostensibly appoint on merit, plus the newer UK Supreme Court judges have to have input from Scotland and N.Ireland so I'd imagine it's way harder for any party to influence the outcome. Of course they still end up drawn from particular class demographics and therefore exhibit bias. It all matters less than the US though since they're not defending a written constitution from overreach by the legislature).
I suspect the CFAA was the broadest law with the harshest sentence the shyster DA could go with. I would be surprised if he could not be nailed on another law with a more lenient sentence. But the CFAA is still an incompetently written law that needs to be scrapped but I doubt 'America's Criminal Class' aka Congress will be arsed to do anything about it.
Yes. Certainly in the jurisdictions I've lived in, there are other laws against misuse of police databases. The problem with the original Van Buren prosecution, as is generally the case, is the politicization of the prosecutorial office in the US, which has become a stepping-stone to higher political offices, severely compromising its economics. Among other issues, of course.
Various former prosecutors have written about this at length – Ken White on PopeHat, for example, or Jesse Eisinger's The Chickenshit Club.
I can definitely see why people would have liked a different result in this trial - the cop badly abused his powers - but this is why statutes need to be written clearly. The general rule is that if a statute is unclear, then the narrowest interpretation is adopted. People need to know what they can and cannot do, otherwise the presumption of innocence means nothing. If that means that wrong 'uns get away, the blame rests squarely on the shoulders of the legislature.
So this might sound super messed up, but I have an idea.
Premise the first: it takes a cop doing something wrong and going all the way to the Supreme Court to get logical cybercrime laws.
Premise the second: cops do super illegal stuff on the regular, and they often get caught on cell phones doing it.
Why don't we take some cops that do crimes, teach them to hack, get them to break the law by hacking in very specific ways in exchange for dropping the other investigation into them (because you can apparently just do that), and eventually there will be a robust and detailed set of laws dealing with cybercrime?
This benefits the world because it means people in countries with extradition treaties with the US don't have to worry about being wrung through a court system with one monolithic computer crime law with judges that think pdfs are a type of ammunition they've never heard of!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
