The American Alpha-Omega State has become so large and red-tape burdensome that many people are unaware when they commit a crime. Traditionally, this was the sign of an unjust system – reasonable people should be able to figure out what is right and wrong under the law. This is not true today, and as a small blog points out, you are committing a crime right now…
So we are all going to jail together.
That’s silly, you say, because that’s not what the law means. Well, how do you know what the law means? The law is so vague that it’s impossible to tell.
The CFAA was written in 1986. Back then, to access a computer, you had to have an explicit user account and password. It was therefore easy to tell whether access was authorized or not. But then the web happened, and we started accessing computers all over the world without explicit authorization.
So, without user accounts or other form of explicit authorization, how do we tell if access to a website is “authorized” or not?
But what are the limits of implicit authorization? Let’s say you are reading a website that has “articleId=31337” at the end. You wonder what the next article is, so you go to the URL and change it “articleId=31338” and hit return. Have you “exceeded authorized access”? It’s hard to say. If article “31337” is public, why not “31338”?
But in our scenario, let’s say that article “31338” is a press release that is not intended to be published until tomorrow announcing the quarterly corporate earnings. While the article itself is online, a link to it won’t be posted to the home page until tomorrow, so not even Google spiders can find it. Because you’ve gotten early access, you can make a huge profit buying/selling stocks.
Is it your fault for accessing the pre-posted financial results? Or their fault for making them accessible? What does the Computer Fraud and Abuse Act say on this matter?
A well-known legal phrase is “ignorance of the law is no defense”. But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act as crossed the line between “authorized” and “unauthorized” access. We won’t know until if and when somebody tries to prosecute you.
Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying “look at what these idiots have done”. As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.
This is selective enforcement. The FBI doesn’t go after everyone who adds one to a URL, only those who embarrass the Fortune 500. They don’t go after any cow in the herd, only those who stick their heads up. This violates the concept of “rule of law”. Everyone isn’t treated equally under law, some are treated more equally than others.
For cybersecurity researchers like me, this creates chilling effect. In order to fix security we have to point out when it’s broken. When we see this broken press release, what do we do? Do we keep our head down, or do we speak up? Even if we’ll probably be found innocent, why take the risk? Better to keep quiet.
This is the issue behind the recent conviction of Andrew Auernheimer for “hacking” AT&T. The guy isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd. For that, he was convicted today under the CFAA and is on his way to jail (well, currently still out on bail awaiting sentencing).
By the way, this post is based on the legal concept “void for vagueness”. It’s good reading.