Kennedy

Visiting a Public, Unencrypted Website Now a Federal Felony


Here's the text of 18 U.S.C. § 1030 with, I believe, the relevant subsections being (a)(2)(C), (e)(2)(B), and (e)(6)

Quote

(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
(C) information from any protected computer;

(e) As used in this section—
(2) the term “protected computer” means a computer—
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;



Here's the text of rfc2616 sec11 per the World Wide Web Consortium, the standards body behind web browsers and servers.

Quote

HTTP provides several OPTIONAL challenge-response authentication mechanisms which can be used by a server to challenge a client request and by a client to provide authentication information. The general framework for access authentication, and the specification of "basic" and "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" [43]. This specification adopts the definitions of "challenge" and "credentials" from that specification.



So, if there was an authentication step which he completed, and he then used the credentials from that authentication to obtain other information on the system, then I think there's a solid argument that he's in violation.

If AT&T did not implement any form of authentication before allowing access to the information, and you still want to call this guy guilty, then the subject line of this thread becomes true.

Quote

So, if there was an authentication step which he completed, and he then used the credentials from that authentication to obtain other information on the system, then I think there's a solid argument that he's in violation.

If AT&T did not implement any form of authentication before allowing access to the information, and you still want to call this guy guilty, then the subject line of this thread becomes true.



The OP's article stated that he was able to access the information without any authentication. I think that what the Government is trying to prosecute on is the inclusion of a website's Terms of Service / Use in the CFAA, as in the case against Aaron Swartz. There is proposed legislation to exclude the use of TOS violations.

http://www.csoonline.com/article/726901/congresswoman-proposes-amendment-to-computer-fraud-law-honoring-aaron-swartz

The government was able to bring disproportionate charges against Swartz because of the broad scope of CFAA and the wire fraud statute, wrote Representative Zoe Lofgren in a post on Tuesday on the Reddit news-sharing site in which Swartz played a key role. "It looks like the government used the vague wording of those laws to claim that violating an online service's user agreement or terms of service is a violation of the CFAA and the wire fraud statute," she said.

The proposed amendment to the CFAA (Section 1030(e)(6) of title 18, United States Code) excludes access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

As it stands, CFAA still includes TOS violations, though. Here's a snippet from the TOS section of AT&T's website (my bold):

http://www.att.com/gen/general?pid=11561#15

"Violating the security of our Site is prohibited and may result in criminal and civil liability. AT&T may investigate incidents involving such violations and may involve and will cooperate with law enforcement if a criminal violation is suspected. Examples of security violations include, without limitation, unauthorized access to or use of data or systems including any attempt to probe, scan, or test the vulnerability of the Site or to breach security or authentication measures"...

I think that the wording and scope of the CFAA really suck and are way too murky, but as it stands, I think he's screwed if the Government wants to pursue this.

Edit to add: So in a nutshell, the current law says that violating terms of use is illegal. He violated terms of use.
Owned by Remi #?

So with the current version of the statute, repeatedly creating sock puppets on a website after having been banned for TOS violations, and after being expressly told by site administrators that said sock puppets are not welcome, is a federal felony. Probably a separate count for each sock puppet. Possibly a separate count for each post made via any such sock puppet. As in, prosecution and prison and fines. As in, court supervision while on bail and during probation and parole. As in, being a convicted felon. And everything that flows from that.

Quote

So with the current version of the statute, repeatedly creating sock puppets on a website after having been banned for TOS violations, and after being expressly told by site administrators that said sock puppets are not welcome, is a federal felony. Probably a separate count for each sock puppet. Possibly a separate count for each post made via any such sock puppet. As in, prosecution and prison and fines. As in, court supervision while on bail and during probation and parole. As in, being a convicted felon. And everything that flows from that.



And being denied the right to own a gun! Oh poor poor fellow.
...

The only sure way to survive a canopy collision is not to have one.

Quote

So with the current version of the statute, repeatedly creating sock puppets on a website after having been banned for TOS violations, and after being expressly told by site administrators that said sock puppets are not welcome, is a federal felony. Probably a separate count for each sock puppet. Possibly a separate count for each post made via any such sock puppet. As in, prosecution and prison and fines. As in, court supervision while on bail and during probation and parole. As in, being a convicted felon. And everything that flows from that.



I suppose so B|
Owned by Remi #?


I was just thinking about that exact example. I would've mentioned it, but I didn't want everyone in Speakers Corner to root for the law. :P

witty subliminal message
Guard your honor, let your reputation fall where it will, and outlast the bastards.
1*

Would the standards of conspicuousness brought up in browse-wrap cases apply to TOS violations as an extension of CFAA?

What I'm getting at is if the person is an AT&T customer, then the court may rule that he or she had been reasonably put on notice of the terms of service through the process of creating an account. However, if the person was not an AT&T customer, and they went poking around at URLs, one might be able to make an argument that the portion of the terms of service that said "using this site is subject to you not poking around" was not presented in a conspicuous fashion.

Quote

Would the standards of conspicuousness brought up in browse-wrap cases apply to TOS violations as an extension of CFAA?

What I'm getting at is if the person is an AT&T customer, then the court may rule that he or she had been reasonably put on notice of the terms of service through the process of creating an account. However, if the person was not an AT&T customer, and they went poking around at URLs, one might be able to make an argument that the portion of the terms of service that said "using this site is subject to you not poking around" was not presented in a conspicuous fashion.




Hard to say very broadly because each scenario is potentially unique.

Keep in mind, as you read this, that "conspicuousness" comes under the general category of "fair notice".

Along that line, the level of sophistication of the user would probably be a relevant variable. In the Netscape and Ticketmaster examples, the people at issue were "ordinary consumers" whose level of computer/website sophistication (or lack thereof) was taken into consideration when determining what was and was not conspicuous. A person with a great deal of computer and website expertise, especially one who makes a practice of hacking, may be reasonably deemed to be on notice that most every website has a TOS page that not only can easily be accessed, but if you're a hacker (or even just a "snooper"), ought to be accessed and read carefully before proceeding to hack or snoop - and thus if you still proceed, you do so at your own peril.

Now let's take the sock puppet example. If said sock-puppeteer has been a member and frequent user of/poster on a website for many years, has been given many warnings about TOS violations by site administrators, has almost certainly seen others be given warnings about TOS violations many times, has even chided others on the site for "posting protocol" issues from time to time, and then has been expressly banned for TOS violations, and has even, thereafter, been expressly told by moderators to cease and desist in creating and posting via sock puppets - and then continues to do so nonetheless, I'd say it's pretty much a slam-dunk that he's most certainly under "fair notice" of the TOS he (ahem, or she) is violating.
