The Register published a story which lets us know that:
the US Computer Fraud and Abuse Act (CFAA) should be stricken for being unconstitutional.
The civil rights group said in a filing [PDF] to the Washington, DC, District Court that the CFAA prevents researchers and whistleblowers from carrying out their work and violates both the free speech and due process clauses in the First and Fifth Amendments.
The suit ... asks that the courts invalidate the law, which has been the basis for hacking and computer crime prosecutions since its enaction by Congress in 1986.
According to the ACLU, the CFAA illegally prevents researchers from doing their jobs by restricting activities to those approved by a product's terms of service (TOS). Because the Act counts violating a TOS as "unauthorized" access, the ACLU argues that companies are able to effectively write their own criminal laws with a TOS.
The article notes:
The ACLU is filing the suit on behalf of a group of researchers who wish to investigate whether the Fair Housing Act (FHA) is being violated by real estate sites that would provide different results for users based on their race or ethnicity.
The researchers claim that in order to test for discrimination, they would need to present as different individuals of varying races and compare the results. Because falsifying this information would violate a site's terms of service, however, the researchers say they would be in danger of criminal prosecution under the CFAA.
As a result, the suit alleges, the ability of researchers to uncover FHA violations in these services is being blocked by the law, and in the process has a "chilling" effect on free speech and due process.
It's about time!
Related Stories
https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/
Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.
Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?
If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.
And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.
(Score: -1, Troll) by Anonymous Coward on Friday July 01 2016, @05:19AM
This is fucking great! Without computer abuse laws, hacking becomes perfectly legal, and there's nothing stopping me from hacking SoylentNews! Take that, NIGGERS! All your shit belongs to ME!! AhAHAHAHAHAA!!
(Score: 0) by Anonymous Coward on Friday July 01 2016, @02:59PM
Typing something in the URL bar isn't hacking, dipshit.
(Score: 1, Funny) by Anonymous Coward on Friday July 01 2016, @11:18PM
and there's nothing stopping me from hacking SoylentNews
My guess is that your lack of brains would probably be an effective brake.
(Score: -1, Troll) by Anonymous Coward on Friday July 01 2016, @05:36AM
And property laws.
And privacy laws.
And rape laws.
And murder laws.
It's Anarchy, baby.
All for SOCIAL JUSTICE, BITCH.
(Score: 3, Insightful) by krishnoid on Friday July 01 2016, @05:48AM
I would think the issue would be more along the lines of the researchers applying for loans with false financial information. Otherwise, why couldn't the government tell the researchers to hire people of these races to submit the applications?
(Score: -1, Offtopic) by Anonymous Coward on Friday July 01 2016, @06:23AM
hire people of these races
Niggas be lazy. Can't fuckin pay me to work, white boy. Now I know you gots some money on ya, else we gonna take a walk to the A-T-M, real friendly like.
(Score: 3, Informative) by DeathMonkey on Friday July 01 2016, @06:04PM
Otherwise, why couldn't the government tell the researchers to hire people of these races to submit the applications?
Because that would be an incredibly inefficient way of determining if search results differ based on a single checkbox?
(Score: 2) by krishnoid on Friday July 01 2016, @08:24PM
Race: [X] Black [ ] Caucasian
Reason for loan: Muffy and I want to refinance the summer home -- got to keep up with the Thorntons, don't you know?
No wait, I mean -- I want to start a family and be a good productive member of society.
Annual Income (net, after totally legitimate deductions): 20,000
Annual Income (gross): 500,000
Hmm ... something's suspicious here. Well, the numbers look good -- loan approved!
(Score: -1, Troll) by Anonymous Coward on Friday July 01 2016, @06:16AM
Remember when the ACLU actually fought for the basic rights of all Americans, instead of trying to legalize any lawbreaking for their favorite liberal causes in the name of social justice?
“I am for socialism, disarmament and ultimately for abolishing the state itself as an instrument of violence and compulsion. Communism is, of course, the goal.” ACLU founder Roger Baldwin
(Score: 1, Touché) by Anonymous Coward on Friday July 01 2016, @05:15PM
I'm having trouble remembering when right wing authoritarians didn't despise the ACLU no matter what they were doing, yes.
(Score: 2) by Gravis on Friday July 01 2016, @06:26AM
either that or i have a great site for the judge to visit that will ensure all his money becomes mine. ;)
(Score: 0) by Anonymous Coward on Friday July 01 2016, @06:39AM
https://www.youtube.com/watch?v=8AZxUtZ2ZgI [youtube.com]
http://www.moron.nl/lyrics/panic-at-the-disco/lying-is-the-most-fun-a-girl-can-have-without-taking-her-clothes-off-lyrics.html [moron.nl]
(Score: 2) by rob_on_earth on Friday July 01 2016, @09:00AM
There was this troubling case back in 2005 of a guy who contributed to the tsunami relief fund but failed to get a thank-you page. So he just tried changing the URL to the level above, this triggered intrusion alerts and then is convicted of unauthorised access.
http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/ [theregister.co.uk]
I have often tweaked URLs and before this case I did it a lot. Found a load of hidden pages on Sony's sites(not very exciting, internal parties mostly), a complete list of every entry into a competition of a large games site, SQL connection details of a scientific space mission and a "welcome to ISP here are your FTP details" that had not been changed and many others. In each case I tried to contact the owners so they could get them fixed.
But since seeing that article I have not been helping anybody.
So while all the helpful people are not trying interesting things, cannot really call it hacking, only the crackers hack and they do it for malicious reasons.
It would be much better if we viewed the web as a technical thing. I make a request and get a response, nothing more nothing less. All these companies made all those pages/files freely available if you tried the URL. No "hacking" took place and the world was better off for it.
(Score: 0) by Anonymous Coward on Friday July 01 2016, @09:26AM
> It would be much better if we viewed the web as a technical thing. I make a request and get a response, nothing more nothing less. All these companies made all those pages/files freely available if you tried
> the URL. No "hacking" took place and the world was better off for it.
What about if by typing that URL (or HTTP POST or whatever) I signed a legal contract? E.g. I bought something off amazon/etc.
What about if by typing that URL (or HTTP POST or whatever) I committed fraud? E.g. I bought something off amazon/etc using someone else's credit card.
What about if by typing that URL (or HTTP POST or whatever) I downloaded illegal content?
(Score: 1, Insightful) by Anonymous Coward on Friday July 01 2016, @09:43AM
First, illegal things are still illegal. I don't see why your sentence for committing fraud should be increased by eighty years just because you did it "ON THE INTERNET!"
Second, if you can do all that stuff simply by typing in an URL, without security tokens or whatever, then that site should also be liable for truly crappy security practices. I think that's up to FCC to investigate.
(Score: 0) by Anonymous Coward on Friday July 01 2016, @01:36PM
So lets get this straight... If you're on a website, and the URL is plainly visible in plain text up there in the address bar, and you hit the "up one level" or "add by 1 to last numeral" bookmarklet... that's computer fraud? That's idiotic. If 1 million monkeys were sitting at 1 million PCs typing in random URLs, none of them should be fraud.
(Score: 0) by Anonymous Coward on Friday July 01 2016, @05:27PM
What? That's the exact opposite of what I meant. You're not getting it straight, you're twisting it into pretzels.
I'll try to clarify. Let's use the example from the post I replied to, changing the URL results in buying with some random persons credit card. Whoops. You report it and move on. That should be legal. If you proceeded to buy a $million worth of items, that should be, and probably already is, illegal.
It's like finding a stash of credit cards on the street. If you report it to the police, you'll get a few questions, a thank-you-citizen, and that's it. If you use them to go on a shopping spree, on the other hand...
All I'm saying is, we don't need a law that puts you in prison for 200 years just because you did the equivalent of finding a credit card, only because you did it "on a computer". I'm pretty sure that current laws already deal with fraud, including the criminal intent and all that stuff.
(Score: 2) by SecurityGuy on Friday July 01 2016, @03:04PM
First, a law existing isn't a due process violation unless you don't get the whole due process part. If you violate CFAA and get thrown in Gitmo without a trial, then yeah, it's a due process violation. If you violate the CFAA, get arrested, get a lawyer, get charged, have a fair trial, get convicted, THEN go to prison, it's not a due process issue at all.
As another poster suggested, hire people of varying races. For that matter, just talk to people of varying races who really applied and look at the results.
There is a problem with web site ToSes, but it's not the CFAA, it's that nobody reads them, web site owners know nobody reads them, and therefore there's no actual agreement to the terms, but courts often pretend there is.
(Score: 2) by DeathMonkey on Friday July 01 2016, @06:07PM
There is a problem with web site ToSes, but it's not the CFAA, it's that nobody reads them, web site owners know nobody reads them, and therefore there's no actual agreement to the terms, but courts often pretend there is.
Yes, because the CFAA says so. Which is exactly what the ACLU is arguing against.