
I honestly don't think it is unfair. "Both technically violated the CFAA" is an important sentence.

The legal system is very complicated and sometimes small details make very big differences in cases. I'm not convinced others in the legal system would see this as different.




I don't think that the author violated the CFAA, though: in both cases, he was acting on behalf of his users that he had created in the system -- the same requests he would normally make when using those accounts. ("BobAtHome", "BobAtWork" could conceivably be two accounts for Bob.) That seems substantially different than what Weev did, which was try to read ${Everyone}'s data.


Moonpig.com is not an application you run on your own computer, though, it's a service operated and hosted by Moonpig. Any tampering with that application in a way that's not intended is a violation of the CFAA.

As you and I have essentially both just said, it's very unlikely there would be any prosecution due to the facts and the researcher's intentions, but I think it is still a technical violation. Paraphrasing, but the first line of the CFAA is "having knowingly accessed a computer without authorization or exceeding authorized access" (that line is explicitly for access that could jeopardize national security, but it goes on to set similar limits for general unauthorized access of any entity).

In this case it is not necessarily unauthorized access of a customer's account, but unauthorized access to a component of Moonpig's system.


That's difficult to argue given the app underlying it knowingly makes these requests.

It's arguable that he could be reverse engineering the API to make a compatible client - I think that should be legal, although IANAL.


The CFAA is a very broad statute, but the US legal system still does focus heavily on intent both for charging and sentencing, as well as deciding whether to charge at all. Even if in theory 2 people are convicted under the exact same law, they could get drastically different sentences based on how the judge perceives the defendant's intent.

In this case there's almost no chance law enforcement would charge the researcher unless Moonpig decided to press charges. And even then, they may decide not to charge due to the facts of the case (though of course they legally can).



