Internet Access and Computer Fraud Laws

DrJimbo writes "Groklaw has an explanatory article covering the Computer Fraud and Abuse Act (CFAA) in layman's terms. The article discusses legal precedents that might make it illegal to access much of the internet. The article is a response to a claim by SCO that IBM violated the CFAA by downloading GPL'ed software from SCO's public HTTP and FTP sites."

A bit of a strech here

[The+Cisco+Kid]

Here is an example of how a violation might occur:

1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but given that there are only 48 hours in a weekend, did not read]. This is the contractual instrument that allows my "access" to be "authorized".

2. Then I violate this instrument's conditions, and my access, is, at the very moment of the violation, "unauthorized".

3. And since, given that I'm probably staring at the screen, I am therefore "obtaining"... (viewing) "information from a protected computer..."

4. In theory, we have, a violation of the CFAA.

I would suggest that you are only violating it if you are not authorized to access the computer you are accessing *by the owner/operator* of that computer, regardless of wether or not you may be authorized by a network provider to use their network.

That you may not be allowed to use your employers internet connection for personal use may get you fired by your employer, but does not constitute a violation against the websites you might have accessed.

Re:Heh

[itzfritz]

Acc. to TFA:

"SCO provided its customers who purchased SCO Server 4.O with a password to enter at a log-in screen so that only they could access source code via the internet. Sontag Decl. 17-19. After news of a bug in the website's security system was reported on internet websites, IBM exploited the bug to bypass SCO's security system, hack into SCO's computers, and download the very files IBM has now attached to its motion."

If this is true, SCO has a legitimate beef. Dammit.

Re:Heh

[MattT]

The "bug" was that they didn't turn off anonymous FTP, and the "hack" was:

Userid: anonymous
Password: Nazgul@ibm.com

Re:WTF?

[silicon+not+in+the+v]

The other possibility is that they're going to claim that IBM needed explicit permission to access a resource that was publically posted and anonymously available, which doesn't seem supported by current case law.

I hope you do not get modded up for this mis-information. This is exactly what Jon Stanley's article on Groklaw is about. The current case law is (unfortunately) in support of the concept that a flimsy usage policy is enough to establish something as being "unauthorised", and therefore subject to the CFAA (Computer Fraud and Abuse Act). Here is how disturbing this could be: If instead of being on an ftp site, it was plain text, linked to from their main website, but they had a notice that "The following link contains information whose access is restricted to our customers." That would be enough to make the viewing subject to the CFAA. Technical protection measures are not necessary. I encourage everyone to read Jon's article on Groklaw. It is very informative (in a disturbing, "How can they get away with this &%*$#@?" kind of way.) about the current legal precedents with respect to this act.