Court: Violating a site’s terms of service isn’t criminal hacking (arstechnica.com)
513 points by LinuxBender on March 31, 2020 | 111 comments



"Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," Bates wrote.

IMO that is the most important part of the ruling. You can't have criminal penalties and then delegate the definition of the crime to each website.

Lying or breaking TOS is different than hacking. You are granted access by the site, and it's no different than the access they grant every other user.


> Lying or breaking TOS is different than hacking.

I think this is a good analogy: I accepted the terms, but I was lying. Sue me for lying then. TOS are not contracts for sure, as nobody is expected to actually read them and they aren't negotiable.


> TOS are not contracts for sure

Please be careful when you make legal claims, especially when they probably aren't true. IANAL but AFAIK most TOS fall under what's called a shrink wrap contract: https://en.wikipedia.org/wiki/Shrink_wrap_contract


Yeah IANAL obviously. I'm from Europe and basically treat them as non-binding suggestions. In my layman's understanding they aren't valid as nobody reads or signs them, but be aware that your local court may decide otherwise if push comes to shove.


IANAL but the article you link to claims that it is unclear in the usa if shrink wrap contracts are enforceable/real contracts.


IANAL but I thought contracts needed acknowledgement from both parties. Mr software vendor, can you tell me whether or not your company has entered into a "shrink wrap" contract with my client? Or me? Or the honorable judge?


Please be careful when citing Wikipedia, it's notoriously shoddily written and is at best usable for finding primary sources. Wikipedia rated that article as "Start Class", which means it's far from complete or informative.


>The legal status of shrink wrap contracts in the US is somewhat unclear.


The EULA is the only thing that claims clicking the "I Agree" button means anything other than "press here to install". If you reject the terms of the EULA and press the poorly labeled install button you haven't agreed to anything have you? What if the software company doesn't exist any more? Who is the other party to the so-called agreement?


"Shrink wrap contracts" haven't been a thing in the EU for many years. They're definitely not considered contracts, that's for sure.


Genuine question: if it isn't a contract, what legal purpose does a terms of service serve then? I assume any website serving a non-paying user has the right to terminate any services at any point, no reason given. A ToS might establish credibility among users as an open display of policy, but I don't see a legal purpose.


Limits legal liability of the site.

Gives site reasons to bar users.

But I don't think it should give site the ability to prosecute users. That power should lie with the state. If a user hacks to get into a server, the state already has laws against that, just call the cops. But you can't point to a clause in your ToS saying, "User X broke term Y, which is hacking." No. The state defines what actions are hacking.


I think they just act as notifications of official policy


Outside of limiting their own legal liability, it's a cargo cult.


Ah, so legal liability is to protect the company from prosecution?

It is not clear to me that a company needs to say they don't support illegal behavior by the users. It also isn't clear to me that a non-paying user can ever prosecute a website for refusing a service on the basis of the company's terms of service. If the company is already doing something illegal, then it is based on the current legal statutes that they can be prosecuted.

I probably don't understand legal liability here.


It’s not just about criminal liability, but also civil. If one user of the site does something that harms another, it’s useful for the site to be able to show that one or both of the users were breaking the rules in an attempt to stay innocent in the jury’s eyes.

You can see similar effects all over the place. When was the last time you saw a hotel actually enforcing any of their pool rules? Some rules are there because the owner actually cares, but others are there so the owner can say “I warned you” if they’re ever in court. Telling the difference between the two is often quite hard.


> It is not clear to me that a company needs to say they don't support illegal behavior by the users.

Not just that they "don't support illegal behavior", but more specifically that if you give them your money for a service, and then use that service to do something illegal, then they want to be able to cancel your service while keeping the money you gave them for that service. (Or, similarly, if you buy a product from them, then use that product to do something illegal, they want to be off the hook for processing any potential refund on that product.)

It's sort of like the rule most companies have where swearing at the tech support worker allows them to hang up on you, when they'd otherwise be obligated to stay on the line. The TOS allows a company to, upon seeing that you've broken it, immediately claim everything in your account-receivable, and to close your account-payable without making it current.


The law is fuzzy. If a user breaks law while using a service, there's a question of whether the service was a willing participant or abettor. ToS helps make a case that the service is not a willing participant or abettor.


True, but it goes a bit further.

You also have to enforce the ToS. So Backpage or Craigslist personals are not able to just say, "We're not guilty of aiding prostitution. We tell users not to do that in our ToS."

No, as is the case with Backpage, they could still be held liable if they never actually removed anyone who was engaged in prostitution. It's not enough to say illegal things are not allowed and then look the other way. You have to say illegal things are not allowed, and come down hard on anyone doing those illegal things.

I don't remember the particulars since it was so long ago, but I believe craigslist went so far that they just removed any category that might be used for prostitution. In a court of law, that would be how you demonstrate that you're deserving of liability protection. Backpage was in a significantly different position, because they thought not enforcing anything would give them legal liability. Not smart.


Well, for a contract some sort of exchange has to have taken place. The website has given usage of the site, but the user has not given them payment. So yes, they don't have a breach of contract if they are refused access to the site - but wait! Some intrepid person could waste a lot of money arguing that all the personal data the site collected was of value and therefore an exchange happened that meant they could not just cancel access to the site, unless of course they also scrubbed that data etc. etc.


> I don't see a legal purpose.

The courts will hold a corporation accountable to its own terms of service, ie. if they, say, terminated an account against their own terms, then they could suffer penalties.


What happens when this logic is applied elsewhere?

Lies for financial gain can become fraud. Is it acceptable to make it so lying for financial gain won't be a crime? What about lying for the sake of obtaining consent? Legal jurisdictions are starting to make this a crime, at least in limited instances (such as lying about use of certain birth control measures).

One can even look at social engineering, which is considered a form of hacking, that specializes in lying to people or presenting false narratives.

These all seem edge cases that still need to be handled.


> Lies for financial gain can become fraud.

You just answered this for yourself. This edge case is already handled by the criminal fraud statutes.


Contracts don’t have to be negotiable.

https://legaldictionary.net/adhesion-contract/


>You cant have criminal penalties and then delegate the definition of the crime to each website.

How does this differ from criminal trespass, where each landowner can define permitted use versus trespassing however they wish?


A webmaster can deny any kind of access they don't want by just not serving to them, just like a landowner can put up a fence. People on the outside can still look over the fence from a public space perfectly legally, like a webmaster serving their homepage to everyone, and the landowner can't demand of people outside the fence, for example, "You can look over the fence, but only if you don't make a mean face at me". If you don't want people to look at all, well, don't make it public and put up a wall instead, and require authorization to enter.

If the landowner voluntarily allows someone inside, they can have pretty arbitrary rules about what people are allowed to do inside (in addition to the actual law), but the only real recourse they have to enforce their arbitrary rules once broken is to evict an offender to the outside. They don't get to pretend that their arbitrary rules are suddenly laws punishable as if they were a crime.


> A webmaster can deny any kind of access they don't want by just not serving to them

You’d think that but Microsoft just lost a lawsuit over some company scraping LinkedIn that they tried to block.


Building a fence, and then leaving an open gate with a sign saying "Anyone that wants to look at my garden can come in, as long as you pinky promise not to take pictures", and then proceeds to leave it unmonitored, does not give the landowner the right to prosecute people under the law for having a photo of the garden. (Watch me be wrong about this :P)

Or more plainly, it's the webmaster's own responsibility to "just not serve" if they don't want it to be served, and their failure to implement their own desires as software doesn't suddenly give them carte blanche to claim whatever they want was breaking the law.

In this case, the data is effectively public. Sure you have to "tell them your name" and "agree to ToS", but neither of those requirements are binding the applicant to tell the truth. So Microsoft chose a method of authorization that is unfit for the purpose of keeping people they don't want to have access out of their system. "But but but how else would they keep people off?" I don't know, but it doesn't matter. Make people sign a contract under supervision of a notary, or validate their drivers license, or whatever. The fact that Microsoft is too lazy to implement a solution that effectively implements their desired policy isn't material to what the actually implemented policy enables.
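The comment above makes a technical point as much as a legal one: if a site wants certain people kept out, the policy has to be implemented as an access control in the server, not as a clause the visitor clicks past. The block below is an added illustration written for this thread, not code from LinkedIn, hiQ, or the article. It is a toy request handler in which public pages are served to anyone, member-only pages require a session token the server can verify, and a client that exceeds a request budget is refused with 429. Every path, token, secret and limit in it is made up for the example.

```python
"""Added example: enforcing an access policy in software rather than in a ToS.

Constructed for illustration; nothing here is taken from a real site.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment would load this from a key store.
SECRET = b"demo-secret-not-for-production"

# Constructed route table: what the server chooses to serve to whom.
PUBLIC_PATHS = {"/", "/about"}                 # served to anyone, no token needed
PUBLIC_PREFIXES = ("/profile/public/",)        # e.g. the public part of a profile
MEMBER_PREFIXES = ("/profile/full/", "/export/")  # only with a valid session token


def make_token(user: str) -> str:
    """Issue a session token: user id plus an HMAC the server can recheck."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user id if the token's MAC is valid, else None.

    Lying about who you are does not work here: the MAC is over the user id,
    so a forged or altered token fails the constant-time comparison.
    """
    if not token or ":" not in token:
        return None
    user, mac = token.split(":", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


class RequestBudget:
    """Per-client sliding-window counter; exceeding it is a technical refusal,
    which is the "just not serving" the thread talks about."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self.hits = {}  # client -> list of request timestamps

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self.hits.get(client, []) if now - t < self.window_s]
        recent.append(now)
        self.hits[client] = recent
        return len(recent) <= self.limit


def handle(path: str, client_ip: str, token: Optional[str] = None,
           budget: Optional[RequestBudget] = None,
           now: Optional[float] = None) -> Tuple[int, str]:
    """Decide (status, body) for one request purely from server-side rules."""
    now = time.monotonic() if now is None else now

    # 1. Volume control applies to everyone, authenticated or not.
    if budget is not None and not budget.allow(client_ip, now):
        return 429, "rate limited"

    # 2. Member-only resources: the server checks a credential it issued.
    if any(path.startswith(p) for p in MEMBER_PREFIXES):
        user = verify_token(token)
        if user is None:
            return 401, "authentication required"
        return 200, f"member data for {user}"

    # 3. Public resources: served to anyone who asks, by the site's own choice.
    if path in PUBLIC_PATHS or any(path.startswith(p) for p in PUBLIC_PREFIXES):
        return 200, "public page"

    return 404, "not found"


if __name__ == "__main__":
    budget = RequestBudget(limit=3, window_s=60)
    print(handle("/profile/public/alice", "203.0.113.5", budget=budget, now=0.0))
    print(handle("/profile/full/alice", "203.0.113.5", budget=budget, now=1.0))
    print(handle("/profile/full/alice", "203.0.113.5",
                 token=make_token("bob"), budget=budget, now=2.0))
    print(handle("/about", "203.0.113.5", budget=budget, now=3.0))  # 429
```

The point of the example is the contrast with a ToS: the public profile is served to the scraper and to the logged-in member alike, because the server was written to serve it; the full profile is withheld from anyone without a verifiable token, regardless of what they claim; and the request budget is a refusal the site enforces itself. None of those outcomes depends on whether the visitor read or agreed to anything.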


The only criminal act in trespassing is coming back after being banned. Whatever you did to get banned is not a criminal issue.

And as far as I know trespassing bans have to be a manual blacklist or whitelist. You can't define some arbitrarily complex behavior that makes you into a trespasser. Maybe I'm wrong on that?


>You can't define some arbitrarily complex behavior that makes you into a trespasser. Maybe I'm wrong on that?

I've seen plenty of trespassing signs with statements mentioning specific times of day, like "after sunset" or "after midnight until 8am". I assume these are legally binding but I don't know for sure.


IANAL, but I think it comes down to the trespasser being informed in some way that the property is private and they're not welcome. If I'm kicked out of a store, for example, the owner or one of their agents has informed me that I'm no longer welcome on that property, so trespass happens if I try to come back. In the case of someone's property that has conspicuous no trespassing signs, the sign serves to inform me I'm not welcome.

At least that's what the cops told me one time when I was a kid and got busted exploring in the woods and missed the property owner's "POSTED" signs...


This is the commonly accepted folk advice people are given, however, most state laws (US) take no account of so-called posted signs. There is a ‘mens rea’ requirement that for trespassing would typically require only that the trespasser knew they were on land that did not belong to them (this issue is easier to muddy if the trespassing occurs on ‘public’ lands/property).

But the statutory basis for trespassing is most often just the act of crossing into land without prior express permission.


I wanted to make sure I wasn't talking out of my ass about the posted signs, so I looked up the regulations for where I was from (New York): https://www.dec.ny.gov/regulations/2442.html#posted

But to be clear about my anecdote, I wasn't doing anything wrong and wasn't actually arrested. My family's property bordered the property I "trespassed" on, and the guy called the cops on me, a 10 year old, instead of just telling me to leave. The cop showed up and basically just scared me and said he didn't want to come back out there.


That would depend on the jurisdiction. Typically in the US, most states define two separate criminal statutes for each situation:

1) Criminal Trespassing - typically defined as entering the property of another without express permission from the owner (this tends to include intruding via drone these days)

2) Remaining or Reentry after forbidden - which is for those cases where entry was permitted, but the owner subsequently revoked that permission.


>this tends to include intruding via drone these days

Can you elaborate on this point? There are a LOT of FAA rules and federal laws that allow aircraft to fly over your property without your permission. I could see the argument for a ground-based device or perhaps an extremely low-flying drone but not for general drone use.

Of course, there are other laws (like requiring line of sight, not flying over humans or livestock, etc.) that are probably broken by anyone flying a typical non-commercial light drone over someone else's property at a level low enough to be annoying.


I happen to have this handy from a Motion:

Laws traditionally related to state and local police power – including land use, zoning, privacy, trespass, and law enforcement operations – generally are not subject to federal regulation. Skysign International, Inc. v. City and County of Honolulu, 276 F.3d 1109, 1115 (9th Cir. 2002). State and Local Regulation of Unmanned Aircraft Systems (UAS) Fact Sheet Federal Aviation Administration Office of the Chief Counsel, 2015.


> 1) Criminal Trespassing - typically defined as entering the property of another without express permission from the owner (this tends to include intruding via drone these days)

You generally need to be aware of it though, right? Wandering in the woods won't get you in violation if you accidentally cross property boundaries, there needs to be a fence or at least a sign informing anyone about the blanket "No Trespassing"?


Awareness is not really necessary. Even in the absence of a fence and "No Trespassing" sign, they can still get you for criminal trespass. If, for instance, you go onto old lady Johnson's lawn and help yourself to all of the spinach in her garden or the roses in her rosebush. (Well, assuming she wants to press charges that is.) She doesn't have to have a fence or "No Trespassing" sign.


That's theft or destruction of property.


That's why they'd charge you with misdemeanor theft and criminal trespass. (Unless for some reason old lady Johnson's flowers and veggies were extraordinarily valuable on the open market.) If old lady Johnson is the prosecutor's grandma, you'll also likely see a disorderly conduct charge. And you'd better hope you don't live in a jurisdiction with robust menacing statutes.

Point is, any prosecutor can start stacking these charges and land you in a world of hurt for whatever reasons they please.

I remember vividly a night in college when I got a ticket for underage drinking at a house party. I was wishing I had gone with my friends to a bar downtown. Until they got back later that night and I found out that a bunch of them got cited for underage drinking, disorderly conduct, and also got forgery charges. (Because of the fake IDs they used to enter the bar.) In essence, they had done the exact same thing I did, only difference being the cops that busted the house party didn't search everyone and find fake IDs on us. All those other charges were totally unnecessary, but they got stacked on anyway because the prosecutor and/or cops wanted to be hard asses.


Presumably not very different. I assume you also cannot have individual customers fined and jailed for violating clause 336b of the 30-page contract everyone signs without reading before stepping into your store. And if you can, that's messed up.


That is not in keeping with the tradition of trespass, and is probably a similar mistake in the (relatively few) jurisdictions that have tried to craft such a framework.

Also, using biblical proportions to describe undesirables traversing your land is melodrama in the extreme.


In practice people are convicted of criminal trespass when they have either obviously entered unlawfully or have entered lawfully and have been told to leave and have not done so.

Suppose a property posts a sign or sends a letter saying that only people wearing green may enter. If we allowed the owner to prosecute people found to be on the premises without the correct color even if they leave immediately upon being asked to, we would indeed be letting the property owner enforce their whims within the scope of their property with punishments handed down by official channels.

In practice this is basically impossible in most or probably all jurisdictions although probably untested in virtually all instances. Basically almost nobody would press such a case and if they did the local government would be unlikely to pursue such charges or succeed in them if pursued.

Such matters are inherently local and subject to local laws but let's look at the city of Seattle as an example. In Seattle you can call the cops if people are on your property and won't leave however even in that obvious case prosecution is unlikely unless some other crime is committed in the process. The city pursuing a case against people that merely broke your personal rules for conduct on your premises isn't explicitly mentioned not because it is allowed but because it is beyond the pale of absurdity.

Reading for example the guidance provided by the city of Seattle I read that local businesses partner with law enforcement to remove bad actors according to the Contract Trespass Program.

>The Contract Trespass Program is an agreement among private property owners, businesses and the police department to regulate conditions of entry onto their private property. This can include prohibiting people on the property altogether, or it might involve allowing people onto the property only under certain conditions. The conditions that can be enforced through the Contract Trespass Program are listed in the agreements and posted on the premises. By signing a contract with the police department, property owners agree to let police officers warn and then arrest people who continue to violate the conditions when the owners are not present.

They enumerate the reasons they will cooperate in removing parties and arrest people who have been warned by authorities that they are in violation.

Looking further into the matter businesses don't HAVE to participate in the Contract Trespass Program but they are told that

>Officers may still arrest for violations of SMC 12A.08.040 (Criminal Trespass) on private property regardless of a trespass warning agreement if someone with the authority to set the conditions of entry or revoke the privilege to be on the property has previously warned the individual of the trespass violation and will testify as a witness

They might arrest people who have been previously warned if they are still there when the cops arrive

They are further warned that

>For a successful prosecution, someone with the authority to control the conditions of entry and revoke the privilege to be on the property must testify that the person (1) knew or should have known the conditions of entry, (2) violated the conditions of entry or had their privilege to enter the property revoked, and (3) the person refused to stop the unlawful behavior or leave or they returned to the property after having their privileges revoked. Property owners are encouraged to keep detailed records of the interactions with trespassers on their property.

Please note especially

>the person refused to stop the unlawful behavior or leave or returned to the property after having their privileges revoked

In summary the two situations are exactly alike in the alternate universe in which trespassing is used in that fashion but instead of suggesting a weakness in the defense of such CFAA act cases it suggests that were trespassing laws used in such a fashion they ought to be challenged under the same premise.


Who is really reading a site's terms of service, or EULAs etc.? We mandate food companies to clearly label items with standardized, readable and compact information, but software companies can confront users with text that could only ever be interpreted by bored lawyers. The idea that this could be 'binding', let alone leading to a 'crime', is silly to me.


> Who is really reading a site's terms of service, or EULAs etc.?

I do. I make a point to take the first five to six hours of every working day reviewing the ToS for each website I'm projected to visit that day.

I diff the text against known past versions and if there are significant enough changes to any particular ToS, I stop using that site until I can sit down in-person with my $550/hr lawyer (usually I only do this once or twice a week) and review the changes to make sure I'm clear of all liabilities for my projected use-cases. Once I get the go-ahead, I resume access to that website.

Overall the process only takes on average 30 hours a week, and the costs are around $2000/week. It's worth it though, I wouldn't want to break any rules set by private land owners (whether virtual or not).


Will your lawyer be accountable if you would break some rule because of his error? Did you sign any papers about his accountability? Were those papers reviewed by independent lawyers?


Feels like this is going to create some headaches for prosecuting CFAA cases if the verdict stands.

I suspect the definition of 'unauthorized access' will need to be more clearly defined since I know many cases in the past relied around users doing shit that was unauthorized by the TOS.


> I suspect the definition of 'unauthorized access' will need to be more clearly defined

I've been saying this for years! For reasons unrelated to TOS rulings, too.

A little bit of background...

In 2011, I was charged with unauthorized access to a protected computer. The website in question (Infragard Tampa Bay, run by the FBI through a company called Sylint) was running an older version of DotNetNuke that had a 2008 vulnerability.

The nature of the vulnerability was as follows: If you accessed a specific URL which required no authorization, you could upload files to the server and presumably execute them. (I say presumably, because I didn't.)

I wanted to fight the charge because I never exceeded "authorized access" by using a publicly accessible web form on the public Internet, and the CFAA's terms were vague.

* The website was publicly accessible, without needing authorization

* The file upload form was publicly accessible, without needing authorization

* The folder that files were uploaded to was publicly accessible, without needing authorization

* All of my conduct was authorized by the software they ran on the public Internet, and therefore the unauthorized access I was accused of never actually occurred

My overworked public defender didn't have any fight in him. The EFF wouldn't help either (the person I talked to didn't see the significance of this CFAA ambiguity for civil rights). I grew up in a poor family and couldn't afford legal counsel, so I ended up pleading guilty, which has totally fucked my life up ever since. (It really doesn't get better, even 8-9 years later.)

> since I know many cases in the past relied around users doing shit that was unauthorized by the TOS.

Good. I hope this becomes a precedent that frustrates prosecutors and helps defense cases in appeals court.


Yikes man. I'm sorry that happened to you. If you don't mind my asking, what part of your life is still messed up because of this? Is it directly related to the charges or is it the outcome of spending time behind bars?


> If you don't mind my asking, what part of your life is still messed up because of this?

Employment!

I tried to go the crypto consultant route in recent years and was told by many people via Twitter/Reddit private message that they can't or won't go with the company I helped start simply because of my criminal background.

I spent most of last year job-searching. I interviewed well, but many companies rescinded offers after my background check concluded, even when I told them about this incident up front.

In 2011, everyone joked that I'd be fine. "The government will probably follow up with a job offer," they insisted. Instead, I was rendered unemployable by most of the companies that desire the skills I possess.

The silver lining is that some companies restrict their background checks to a time-gate, which means it's not totally impossible to make a living. But they're the minority.

> Is it directly related to the charges or is it the outcome of spending time behind bars?

My sentence was probation and a short duration of house arrest, community service, and paying Sylint $9,370 (which, at barely above minimum wage, took a few years). My probation was terminated early for good behavior.

The problem has less to do with the courts and more to do with background checks.

People make mistakes. Especially young people. (I was 21 when this happened.)

Learning itself is a messy process that often requires making mistakes to be successful.

Punishing someone in perpetuity for having not lived a perfect life is a problem that society hasn't yet solved.

We have hacks ("Right to be Forgotten") to try to alleviate some of the symptoms, but with the advent of the Internet, there is now a public, immutable record of your most embarrassing fuck-ups. And I don't think we were ready for that.


Generally speaking, federal crimes rarely ever turn up on a standard background check. I'm writing this from a US Navy ship repair yard where I released the information personally despite the fact the check came up clean.


> Generally speaking, federal crimes rarely ever turn up on a standard background check.

This also happened in the state of Florida, which has very open records.


I have a much worse criminal record (multiple federal felonies, also under similar laws) and it has never prevented me from finding a job.

Avoid the finance industry or anything related to financial transactions. The risk is too high for them, they won't hire you.


Tell me about it, I was very publicly accused and never convicted. Fortunately I'm independently wealthy but it's a huge pain to get anyone to do large financial transactions WITH me, not talking about employment in that industry. On the employment side I just assume I'm unemployable in the security industry where my talents are so I just engage in hobbies all day every day... End rant.


Who charged you? Infragard's sole job is to facilitate data transfer between industry and the feds to ensure there's security at every layer. That's some weapons grade bullshit right there.


> Who charged you?

Sylint pressed the charges through the FBI.

Originally, they also insisted I caused damage days before the date of incident and tried to tack on $32k in damages. I pointed out that I do not possess a time machine, and they shifted it from (June 18-24) to (June 21-27) and lowered the dollar amount to $9k.


Too late now, but would it have been useful/possible to go public about it or threaten to talk the media and cause way worse problems for them? Considering that security is their game, I wonder if the bad PR would've made them re-think targeting you.


I was too depressed and scared to consider that then.

I haven't really thought about that angle since, either.


Just because something is connected to the public internet doesn't mean that you can hack it. Most homes are accessible from public roads, that doesn't mean you are allowed to climb through any open window that you see.

You used a vulnerability to hack into some server associated with the FBI, I don't see any ambiguity here.


> Just because something is connected to the public internet doesn't mean that you can hack it.

I never said or implied that.

All I said is, because all of my conduct involved publicly accessible components of their web application, I never exceeded authorized access.

Which means that the CFAA's clause about "unauthorized access" in particular does not apply, since none of my packets exceeded or bypassed an authentication or authorization control on their web app.

> Most homes are accessible from public roads, that doesn't mean you are allowed to climb through any open window that you see.

A better analogy is knocking on someone's door, only to discover it swings open, then walking away. And then getting charged with breaking and entering for their failure to shut their door, and then paying for damages for leaving a muddy footprint on their exterior welcome mat.

> You used a vulnerability to hack into some server associated with the FBI, I don't see any ambiguity here.

I won't argue that I'm fully without blame.

The mistake I made during all of this was, upon discovering they were running an outdated version of DotNetNuke (right click > view source; not exactly something I had to go out of my way to detect), I panicked. And to assuage my own anxiety, I tested the file upload to confirm that it was real.

That was the mistake that let them prosecute me at all. And it's a mistake I have learned from:

In the years since, I have never sent a packet with security implications to another network even for projects with a public bug bounty. I constrained myself henceforth to reviewing source code and reverse engineering, since that doesn't involve sending packets over a network and invoking a law that was written before the concept of a public network existed. (And that law being problematic is my entire point in this discussion, not appealing for amnesty in the opinions of HN users. Anyone who decides to hate me won't be the first.)

Even if I knew not to do that then, I still would have informed them of their vulnerability as soon as it was discovered. Because that was the right thing to do.


Is obfuscation a type of authorisation? If you knowingly exploited a vulnerability to access a non-standard URL then it's pretty obvious you shouldn't have been there. This isn't you navigating to a websites home page, the information I've found reads the following for CVE-2008-6541:

>Access Complexity Medium (The access conditions are somewhat specialized. Some preconditions must be satisfied to exploit)


> Is obfuscation a type of authorisation?

No.

And even if you tried to argue that, the exploit was public on exploit-db for years, and therefore the expected security from the broken obfuscation is zero bits; so in this case, it would not count.

More pertinent:

> Authentication Not required (Authentication is not required to exploit the vulnerability.)


This isn't a home, and it wasn't a window. This is like going to a local business, turning the doorhandle, and walking in. How can that possibly be construed as illegal? If your vulnerability is that you have an unlocked door, that's not a fucking vulnerability, it's just an entrance.


I feel like visiting a webpage would equate to opening a door - not whatever happened here, it was probably more involved. Anyway, I invite you to sneak into a local business, let's say Lockheed Martin (or some business that works closely with the FBI), go up a floor and find some filing cabinets and deposit some random thing (something funny like Marx's Capital), and then get caught. Tell me, what consequences do you think you might face?


For me, there's a distinction between accessing information you have not been authorised to access, and doing something unauthorised with data you had authorised access to.

That's why I don't agree with the article that contrasts the Facebook/Power Ventures case with the hiQ Labs case. These are fundamentally different. Power Ventures was using Facebook users' credentials to log on to Facebook and I think that's a clear case of unauthorised access. Facebook had no direct relationship with Power Ventures and had not granted them access to those accounts at all.

In the hiQ Labs case they had legitimate access to LinkedIn and were just scraping publicly viewable information. It's just that LinkedIn didn't like what they were doing with it.

Of course the SSA database access case from 2010 is an anomaly in this aspect. The user was authorised to access the data if doing so in the course of his work, and I think the police case from 2015 was ruled correctly. In both cases they're reprehensible creeps, but they should be prosecuted as creeps, not as hackers.


> Power Ventures was using Facebook users' credentials to log on to Facebook and I think that's a clear case of unauthorised access. Facebook had no direct relationship with Power Ventures and had not granted them access to those accounts at all.

I strongly disagree. Facebook didn't have a relationship with Power Ventures, but it did have a relationship with its own users who granted Power Ventures access to their accounts. And while I admit it's not legally recognized yet, I firmly believe that users have an inherent Right to Delegate lawful access to 3rd-party software products and services[0].

I don't think the Power Ventures case had anything at all to do with unauthorized access. I think it was an attempt by Facebook to block users from exercising control over their own data.

For context, look at the DMCA claims Facebook also filed in that case. It's been a really long battle to fight against the DMCA's unconstitutional provisions against subverting DRM for legal reasons. We have a lot of precedent to see how companies use systems like the DMCA. And the way they commonly use them is not to go after pirates, it's for market lock-in and to restrict legitimate users. To paraphrase Doctorow, there are really bad consequences when we allow a company to make it a federal offense to use a product in a way that doesn't make their shareholders money.

Treating ToS violations as a federal crime gives companies that ability on an even broader scale. It's legal to circumvent DRM? Oh, but our ToS blocks that. You exported your own data that you legally own? No, our ToS blocks that. You build a Matrix bridge for your DMs in my chat app and another competing service? Sorry, that's a federal offense now.

A company should not be allowed to arbitrarily invent new federal laws. At most, violating a ToS should be a civil offense, and companies like Facebook should be forced to sue their own users, not providers like Power Ventures.

[0]: https://anewdigitalmanifesto.com/#right-to-delegate


Imagine I have a friend who is a cop. They give me their login that lets me run background checks on people. I use it to stalk my ex, check out my neighbors and generally behave creepily. I later get caught.

I absolutely should be charged with unauthorized access, because the person who gave me access had no right to give me that access and I knowingly used a protected computer system against the wishes of the owner, for my own aims.

Replace the above with "medical records" or "banking information" or whatever you wish.

Just because someone gave me a password, doesn't mean I'm allowed to use it, even if THEY were allowed to use it.


Three problems with your analogy:

First, the cop who gave you access didn't have the right to use it in the way they offered. They don't own the data. The "right" they're delegating to you isn't a lawful right they actually have to delegate.

This is a really big difference -- the problem in the scenario you propose isn't that a police company got hacked (in fact, I would argue it didn't). The problem is the police department illegally abused information and distributed that information to other people, and you willingly participated in that crime.

In contrast, all of the data access that was delegated to Power Ventures and all of the stuff that Power Ventures did with that data was stuff that users had the right to do.

Second problem, this would be illegal because of privacy laws around how the police are allowed to use your data, not because a company declared it so. I'm not saying you should have carte blanche privileges to violate any law just because another person violated that law first, I'm saying companies shouldn't have carte blanche privileges to make new laws.

To re-emphasize the point above, the problem in this scenario isn't that the police department got hacked. The problem is that people were performing illegal background checks. If the police officer didn't give you a password, and instead just did whatever background checks you wanted on their own without you ever touching the system, this would still be a crime. The system access isn't the important part.

Third, in the scenario you propose, both you and the cop would get in trouble. Hopefully, the cop would get in even more trouble than you. So when Facebook brings every user who "illegally" shared their password into court, then I'll entertain the notion that they think this is a real hacking case. Otherwise, why are we comfortable letting off all these willing accomplices to an unlawful entry case?


Good.


Do technical communities have a consensus on how to classify these behaviors or scenarios? Then what anchor do we have?


It should not be the simple act of accessing a computer contrary to the owner's terms and conditions that is a crime, but the specific acts of searching for, wilfully accessing and sharing privileged information on systems where the persons whose information you were accessing had a reasonable expectation that that information would be private.

I think that covers police databases, social security and also customer details on a website amongst others. It would not necessarily cover accidentally accessing customer data on a system (that happens) but if you started wilfully sharing that data or details about how to access it with persons other than the owners of the system then you could start to get into the problematic zone. To prevent the scenario where the owners just do nothing and then when the 'hacker' tells somebody else they call the cops and accuse, it should probably be a crime, after being notified that your system is leaking private data, that you didn't take any action to plug that hole.


>if you started wilfully sharing that data or details about how to access it with persons other than the owners of the system then you could start to get into the problematic zone

Here I disagree, assuming we are still talking about the USA. There are strong freedom of speech implications when you make sharing the fact that some company left their S3 bucket world-readable a criminal offense. Would the New York Times be open to criminal prosecution for publishing such information on their front page?

Very tightly-defined, personally-identifiable data I can see being protected. Things like financial and medical records, sensitive search queries etc. but general disclosure of security issues should not be something that is criminal.


So look at the general gist of what I wrote and think about the principle a bit. I did say 'start to get into the problematic zone' so I am not saying there is an abrupt transition between not-crime and crime-with-terrible-punishment.

So you find a company leaves their S3 bucket world-readable by accident and it contains personal information that the persons concerned would reasonably consider private (from medical records all the way to my real identity on a forum). The correct course of action is not to exercise your free speech by going first to the New York Times so they can publish a story about it allowing all and sundry to access that information, but to go to the company and tell them that this is open and that information they are responsible for is leaking. This is your responsibility to your fellow citizens whose data is leaking! However, if the company do not fix it in a reasonable time then you can report them to the relevant authorities who can decide what action to take and now the criminal aspect of this data leakage will now be attached to the owners of the company which has not fixed the problem and you are free to exercise your free speech rights.

If I sell (for money, fame, fake internet points or smug satisfaction) access to your personal data without your consent, how can I claim that is my free speech? I think the USA has the concept of limits to freedom, ably illustrated by the phrase "Your Freedom To Swing Your Fist Ends Where My Nose Begins".


> It should not be the simple act of accessing a computer contrary to the owner's terms and conditions that is a crime, but the specific acts of searching for, wilfully accessing and sharing privileged information on systems where the persons whose information you were accessing had a reasonable expectation that that information would be private.

Why wouldn't that apply to some website that's using some cache exploit to probe users' browsing histories?


I don't know. Would it be a problem if that was a criminal offense?


I believe that it ought to be.

I mean, a computer is a computer, and unauthorized access is unauthorized access. No matter who's involved.


The onus should be on the service operators to clearly define what's authorized and what isn't; and if they miss something, the liability should be borne by the service operator, not the person who found their gap.


Define via ToS, or technical countermeasures? In the meatspace world, we use ToS and expectations (like don't ransack my house even if the door is unlocked).


Technical countermeasures.

My proposal would require companies to actually take security very seriously.

https://www.troyhunt.com/we-take-security-seriously-otherwis...


What about someone who “Zoom bombs” a prime minister? Is that hacking? Espionage?


Why the hell are prime ministers using Zoom in the course of their civic duty?

Are they discussing national secrets over Zoom? Without end-to-end encryption?! That's some form of criminal negligence and/or mishandling of classified information in every jurisdiction I know.

If not, it's little more than a nuisance and a reminder that Zoom should not be relied on for important communications.


It's known that PM Boris Johnson used Zoom recently for a cabinet meeting, with all the Zoom IDs published.


Here's an interesting legal question:

If you use the public internet to go to a public website's landing page, by doing that, do you automatically accept a website's Terms Of Service (contract)?

I would argue no, because the social custom is that public-facing websites are intended to be accessed by the public, and until and unless they explicitly accept a contract (such as a Terms Of Service agreement), there is no contract...

Now... I could be wrong.

In fact, lawyers could argue that there is a social contract, an implied contract (they do this with Negligence claims) even before there is a written contract...

So, I'd be interested in arguments, both for and against, with respect to the presence or absence of a contract, either express or implied...

(We can all agree that if a website creates a pop-up or page which says "By using this site, you accept the terms of service", and if you click "Agree", you agreed (well, unless you do not have the capacity to do so, or other factors apply... <g>)... that's not what I'm soliciting arguments for here...)


IANAL. I would start with consideration. What's the consideration from the site that would form a contract? Access that is freely granted to the public anyway? Could I write a contract in which the only consideration I give is access to a public park? The counter argument would be that internet sites are private. Something more akin to a store than a public park.

I would also include meeting of the minds. At someplace like a gym, you sign your contract and exchange consideration before being granted access. In other words, in order to gain the consideration of access, you must agree with the gym's offer. Sites with required login to gain access work like that, but not "public" websites. They're more like stores than gyms -- anyone can walk in and access is not restricted. [0] So where is the meeting of the minds when I type in a URL and the page loads?

[0] Access can be revoked, since it's still private property, but then your crime is in not leaving or reentering after revocation -- entering in the first place was legal.


At minimum I think most people would agree that the "default ToS" probably would cover malicious actions and unintended access in both directions.


My question is not about what the default ToS covers or doesn't cover, my question is about when/where/how/if -- someone on the Internet accepts a ToS...

And it's not really a question.

It's a solicitation of opinions.

To understand what I'm asking for, you must have an understanding of Contract Law.

That is, what is a contract, when are they accepted, how are they accepted, etc.

OK, now given those understandings, apply that to a public website.

How does/would someone in the public accept a public website's ToS, other than clicking "I agree", when presented by a page or requester saying "Do you agree to accept this website's ToS?".

Does it happen?

If so, why so?

If not, why not?

I'm looking for compelling arguments, both for and against, both pro and con...


I'm not a lawyer, I live in Europe. I remember having read somewhere that it is related to clear consent principles (in the same spirit as the cookie laws and GDPR). At least in Europe, I believe you must be presented with a ToS and a clear, explicit "I accept" button for the ToS to be valid. I could be wrong, and/or it may only be valid in Europe.


The right decision.

And why would it be? Why should private actors be able to invent new criminal liabilities simply by publishing various terms of service?

Spotify: "If you listen to The Jackson 5 on our streaming service from a location in Ohio on a Tuesday, that is a violation of our Terms of Service."

Federal judge: "You heard the man. Off to jail!"


Distantly reminds me of the "annoy" website (I forget the exact URL) that was created as a sort of protest of some legislation in the early days of the internet that referenced "annoying" someone (I forget the exact language).


Some system that I use at work prohibits "mischievous" use in the banner.


Man I wonder what happened to cause that term to be selected.


TOS is too vague a term and too broad to cover the complexities that proper legislation in the matter would require. Not to mention, I can write anything I want in my TOS, but you can't enforce illegal terms. People know bad action like they know porn when they see it.


Worth noting this is only a district court ruling, and as the article notes there are a number of conflicting circuit court rulings on the issue. Until a case makes it to the Supreme Court, it's not safe to take this as a given nationally.


How does this correlate to for example accessing a 3rd party API that has some sort of protection, for example an API key or request signature algorithm. Would those be considered a 'password'?


Yikes


"US court"


updated title


It was changed back to the original title.


It's a well-known US publication. Readers are smart enough to figure these things out, and it's best not to get too punctilious.


Completely understand. Ty Dang.


This really begs the question: what is?


Breaking past security systems. So like scraping publicly facing data might violate TOS, but you can't call it hacking. Using exploits to get the password hashes would be criminal hacking.


It's really not that clear and we will need to wait for the courts to figure out what means what.

For instance this: https://www.theguardian.com/technology/2013/mar/18/at-and-t-...

All they did was "scrape publicly facing data"


Yea, it also only talks about bypassing/breaking passwords, what if the user has a sticky note at their desk and the password is readily exposed. Is that considered hacking? Should be. Unauthorized access regardless of how irresponsible the owner of that account is. At the same time you do not need a ToS or banner saying that. (it still remains illegal to break/trespass into someone's home without a notice saying so!)

Slippery slope. I'd gander a guess this will continue to be a case-by-case call.


Welcome to the central failure of the CFAA: Hacking attempts should be treated as a normal part of life, and systems should be designed to resist hacking, but the law gets this exactly backwards. In a saner legislative setting, hacking would be like harmful radio wave interference, something which is both punishable in a court of law but also which devices are designed to consider in the course of normal operation.


Hacking attempts are treated as a normal part of life and systems are designed to resist hacking. Fortunately, we also have the law acting as an additional form of deterrent.


> hacking would be like harmful radio wave interference

DoS attacks specifically. I would argue that any other form of hacking should not be punishable and it should only be up to the devices to protect against them.


Some sort of civil court conflict type situation... at most ... and maybe not even that?

I moderated plenty of busy forums that had rules and ToS, but I didn't think of violations as anything more than something that might lead to me terminating an account.

Now one griefer did have a habit of mass producing accounts quite cleverly and the parent company actually sued him in civil court, but that was unique and actually disrupted the entire site with griefing and such. They even got the ear of a local prosecutor who thought that disrupting the site might count as a criminal act. The griefer went away after that and nothing came of it other than filing a civil case and I believe some contact with the local prosecutor... dude agreed to go away forever.

But of course in the example they are talking about just creating a fake account and speaking more generally about ToS violations.


Seems to be a duck violation. If it looks like a crime and sounds like a crime ... admittedly not the best metric for equitable justice.



Hopefully nothing and laws like CFAA get trashed.