undefined | Better HN

0 pointsmacchina13y ago0 comments

The situation you describe is almost certainly not a crime under the prevailing interpretation of the CFAA.[1] (Although I do grant that your theory could potentially be correct, which is part of the reason it's such a bad law.[2])

The CFAA criminalizes "unauthorized access" and "exceeding authorized access."

The unauthorized access provision applies to various means of hacking into a computer. The exceeding authorized access provision applies (in general) to company and government insiders. "The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6)[3]

Your contract with your ISP gives you access to the network. By spoofing a device, you would breach your agreement with the ISP, but you would not be obtaining or altering information that you are not already entitled to under your agreement with the ISP as an authorized user.

In sum, for an authorized user to commit a crime, he must break through the access level he was granted by his authorization and reach information that was effectively closed-off to him.

1. http://en.wikipedia.org/wiki/Lori_Drew#Guilty_verdict_set_as...

2. http://itlaw.wikia.com/wiki/EF_Cultural_Travel_v._Explorica (One of the most inane cases I've ever read.)

3. http://www.law.cornell.edu/uscode/text/18/1030

0 comments

1 comments · 1 top-level

btilly13y ago

That is comforting to learn. I was relying on my understanding of Orrin's analysis of the law. I should have put bigger disclaimers on it.

That said, "prevailing interpretations" can shift, and can vary by jurisdiction. Thus if someone living in Boston did what I described, and was sued by Ortiz, it is not guaranteed that a Massachusetts judge would decide the case on the same principles.

j / k navigate · click thread line to collapse