ACLU Lawsuit Challenges Computer Fraud and Abuse Act

An anonymous reader writes: The American Civil Liberties Union (ACLU) has filed a lawsuit with the U.S. Department of Justice contending that the Computer Fraud and Abuse Act's criminal prohibitions have created a barrier for those wishing to conduct research and anti-discrimination testing online. The ACLU have pursued the matter on behalf of a group of academic researchers, computer scientists and journalists seeking to remove that barrier to allow for third-party testing and research into potential online discrimination. In a public statement the ACLU contend: "The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination."

I don't follow

[mark-t]

I read the article... it says that the CFAA somehow prevents people from doing legitimate research, but fails to even give a single example of actually how this happens. How does the law that is supposed prevent computer fraud stop a person from doing research, exactly?

Re:I don't follow

One of the provisions makes it a felony for unauthorized access to a computer system. In most EULAs it spells out that reverse engineering is disallowed and creates an area of unauthorized access. Thus a security researcher trying to analyze a system is technically committing a felony under the CFAA as it doesn't make any exceptions. Even if the analysis is being performed completely locally on systems they own if say the OS is Windows or MacOS.

Re:I don't follow

Sure but how is any of that related to research into potential online discrimination?

Re:I don't follow

[PRMan]

They need to lie and say they are black or lie about their zip code in order to see if there is any disparate treatment. They can't do this with the CFAA as it is technically illegal, since they are lying about their identity.

Re:I don't follow

[mark-t]

Thus a security researcher trying to analyze a system is technically committing a felony under the CFAA as it doesn't make any exceptions

It doesn't have to make exceptions.... the law prohibits *UNAUTHORIZED* access to a computer system. If you own the computer system yourself, then who else is supposedly supposed to be authorizing you to access it? If someone else controls authorization to access to some piece of property, then by definition that property belongs to THEM. Unless there is another law that also prohibits private people from owning personal computers, the CFAA does absolutely nothing to stop anyone from accessing anything that they want on the devices that they have purchased for themselves. As a secondary point, how the hell would they supposedly even know, anyway?

Re:I don't follow

[BitterOak]

They need to lie and say they are black or lie about their zip code in order to see if there is any disparate treatment. They can't do this with the CFAA as it is technically illegal, since they are lying about their identity.

Why can't these researchers simply hire some black people? Why do they need to commit fraud to do their research? And if I'm offering an online service or business, why should I be compelled to offer my computing resources to assist in your research, noble though your research goals may be?

Re:I don't follow

Seems like they could just temporarily "identify as" black or "identify as" poor, since Western Civilization now tells us that things like gender and race have no basis in concrete reality.

Re:I don't follow

[PopeRatzo]

Well hell, now I have to delete my bitchy empowered female avatar, my ditsy teen schoolgirl avatar, my racist troll sockpuppets,

...and that was the end of his presidential campaign.

Re:I don't follow

[mark-t]

Of course you can.... if you do a proper survey of other people, and compare their results... with their permission, of course.

Re:I don't follow

[mark-t]

...since Western Civilization now tells us that things like gender and race have no basis in concrete reality.

Things like that have no lawful basis for certain types of discrimination, but it is wholly erroneous to say they have no lawful basis in concrete reality.

One example of a legal type of discrimination based on sex would be one's right to discriminate on the gender of a person that they may want in a roommate, when the roommate shares any of either a bedroom, bathroom or kitchen with the other person. One is obviously not required to discriminate based on sex for those reasons, of course, but it is but one example of where it is entirely legal to discriminate based on gender.

Re:I don't follow

[Intron]

I read the article... it says that the CFAA somehow prevents people from doing legitimate research, but fails to even give a single example of actually how this happens. How does the law that is supposed prevent computer fraud stop a person from doing research, exactly?

How's this?

https://www.databreaches.net/c...

Or this?

http://www.computerworld.com/a...

Re:I don't follow

[mark-t]

As I said, I know what the CFAA is, but I don't see how it prevents people from doing otherwise lawful research for instance... At most, it only prevents you from doing research with someone else's data.... but then a good researcher that was not being lazy would collect their own data, and not rely on data that did not belong to them anyways.

Re:I don't follow

[Mashiki]

If you're trying to reconfirm an existing conclusion using their data first, then your own is the best option to see if everything is the same. Remember, the story on /. not more then a few months ago showing that ~60% of studies couldn't be reproduced even using the same methodology as the original?

Re:I don't follow

[Hentes]

They want to use bots on sites. The CFAA is irrelevant in my opinion as they would still be in breach of the ToS.

Re:I don't follow

[tepples]

The view under the DOJ's interpretation of the CFAA is that online roleplay is illegal on sites whose written terms of service explicitly forbid online roleplay.

Re:That vile ACLU

The ACLU would be great if they weren't so selective about the civil liberties they defend.

Invent a new crime.

[HornWumpus]

My life's ambition has long been to invent a new crime. People will say 'that has to be illegal', it will be made illegal after I do it.

The computer fraud and abuse act ruins that. Anything a federal judge doesn't like, crime...ipspostfacto, schmipspostfacto.

Re:Invent a new crime.

[Fire_Wraith]

The CFAA is the "X with a computer" of criminal law, where X is just about anything they want to enforce it as. And that's the problem. It's stupid and BS for patents, and it shouldn't be any more valid in criminal cases.

Re:Invent a new crime.

[HornWumpus]

If you do something with your own computer that a federal judge decides, after the fact, is a crime, it's a crime.

How is it different for offline

[u19925]

If you go to doctor's office and start video recording everyone to collect data on discrimination, will it allow it? Same way, website can limit recording of publicly available information. Doctor's office will also ask you provide true information just like websites do. I don't see much difference between the two. There are many private clubs which limit do the same. I don't see Facebook, Twitter any different than YMCA etc where if I want to be in, I have to become member, pay, provide my true information and then can do limited recording. If you ask online sites to allow fake id, unlimited recording, then why not doctor's office, gyms, hotels etc?

Re:How is it different for offline

[Fire_Wraith]

Probably the analogy would be the laws making it illegal to record abuses at places like food processing plants. There have been several states that have attempted to outlaw undercover video, after activists managed to get hired, and later released video of the horrible and illegal stuff that was going on in those plants. Or consider bans against recording the police on video, that wind up making any video recording of the police, even of the police committing a blatant crime, illegal.

That doesn't mean the law needs to go away entirely, but having some sort of affirmative defense should play a part, for instance.

Re:How is it different for offline

[DarkTempes]

I assume you'd have to pay without insurance but I can't see any reason why you couldn't use any name you like at a doctor's office.
It's not like they do background checks. And celebrities go to hospitals under pseudonyms sometimes, right?
IANAL but, as long as you paid your bill, I assume it wouldn't be fraud.

Any sane person can see the CFAA is broad and overreaching and I get the feeling that this is just another angle the ACLU thinks might work to attack it.

Did we really need a specific law for computer-related crimes? Are existing definitions for things like fraud/wire fraud and property damage not good enough?
And does it even actually help deter crime in any way? I certainly haven't noticed fewer phishing attempts in my spam box...

Re:How is it different for offline

[david_thornley]

I'd say we do need specific laws for some computer-related crimes. One would be unauthorized access, provided we define "unauthorized" in a reasonable manner. Logging in with a supplied account name and password should not count, for example, no matter for what purpose. Fraud normally requires proof of harm, as does property damage. Someone hacking into a computer system may not do visible harm, but we really are better off if it's illegal.

The law is as broad as possible

[rsilvergun]

in it's definition of "Unauthorized". If you don't like how someone is using information you've made publicly accessible on your web site then it's suddenly "Unauthorized" and congrats, you're perl script just committed a felony for you. This isn't like walking into a house with it's doors unlocked. It's more like you wrote down advertised prices from billboards, aggregated the data, and when somebody notices you doing that doesn't make them look so good they throw you in prison.

This has been discussed multiple times on /.. It seldom comes up because most of us are working for large corps doing what we're told and so have a bit of the corporate veil to protect us. Someone trying to research a politically unpopular idea (racial profiling is being used to target minorities for expensive high risk loans and exclude them from cheaper low risk ones they otherwise qualify for) has to worry about this. If your study shows a pattern of abuse from on the part of a multi-billion dollar mortgage company expect to see some charges.

Re:The law is as broad as possible

[mark-t]

Obviously you don't own the information on someone else's website though... even if they made the information public.

My question remains... how does this law prevent lawful research?

Or does it just prevent lazy research?

Re:The law is as broad as possible

[Facekhan]

If you make factual data public, you don't generally "own" it as in you don't have exclusive rights to it. You can't copyright a database of factual information. Basically the CFAA lets a firm make data public but then if someone uses a script to aggregate it, they can claim it was a felon. Just as an example, the CFAA could even apply to things like price comparison websites if a particular merchant doesn't want their public pricing information compared to their competitors.

Re:The law is as broad as possible

[Facekhan]

The other issue concerns employee use of employer owned systems. There have been cases where employees have been prosecuted for violating a purely civil agreement between them and their employer about the systems they have access to.

In general the law should not criminalize a civil contract violation or in the case of EULA's and Acceptable Use policies, it is questionable whether they are even valid contracts. This is especially true when the law in question is very one sided in favor of big companies using the threat of prosecution against researchers and employees and customers. I can't get the FBI to prosecute Comcast for turning on their public Wifi network on my router, even though it does potentially violate the CFAA.

Re:The law is as broad as possible

[mark-t]

If the information is public, then there is no way to even necessarily know it was obtained in the first place from a website, let alone that a scraper may have been used.

Re:The law is as broad as possible

[Agripa]

It does when the US Department of Justice says it does and that is how they have been using it.

Re:The law is as broad as possible

[tepples]

Firstly, that they will have written this usage into your contract, which may have been changed without you signing anything.

You signed the check for another month of service. I haven't known Comcast to get into the ETF game.

I would expect this to mean that they are administering your internet connection. Therefore, they are responsible for the data your modem requests

I thought every packet was tagged with whether it is destined for Comcast's hotspot or for the subscriber. So the person who authenticated to the captive portal on the xfinitywifi SSID is responsible for that data, not you.

Re:ACLU lawsuit

[MasseKid]

As opposed to what? Armed revolution? Protesting with Signs? I mean what do you think they are supposed to do but take violations of the constitution to the courts and using the check and balances system as designed?

Re:ACLU lawsuit

[frovingslosh]

You miss the point. they apparently are upset because the law applies to everyone. They apparently now believe in laws that apply to some people but not others.

Re:ACLU lawsuit

[Intron]

No. They look for cases they can win to overturn unjust laws. They aren't going to go to court with a teenage hacker who broke into NORAD.

cf. Broderick v. USAF, 1963

Re:That vile ACLU

[cavreader]

The law abiding citizens who happen to be gun owners are the ones who are ultimately tasked with upholding their gun rights. The efforts of the NRA just represent the non-violent method of upholding gun rights. And unlike the corporate lobbyists the NRA doesn't buy political support with money they buy political support with the number of voters they can deliver at election time. The anti-gun crowd is shrill at times and relish turning every gun related death into an extinction level event but they are vastly outnumbered by gun owners who only need to vote when they feel their gun ownership rights are being reduced.

Re:That vile ACLU

the Gun Manufacturers aka NRA is doing enough to defend their interpretation of the second amendment.

No, please, don't hold back. Tell us exactly how you feel.

Re:ACLU lawsuit

[dgatwood]

I think you mean 1983. 1963 was the Dr. Who episode with the same title.

It's All about intent

[JimSadler]

To be guilty of a crime one must intend to commit the crime but also there must be evil implied. A person who hacks into computers or networks with a real intention of doing good has no criminal liability if police and courts support the concept in law of intent. Here is a common type of issue that makes law enforcement next to impossible. There are many sites, such as Craig's List that have sections in which supposed prostitutes solicit business. Yet simply asking for money for sex is usually not what it appears to be. A person may post only to collect names, pics and cell phone numbers and also steer men to certain sites such as supposedly safe sites to insure the trick is not a maniac. Just because they claim to solicit as prostitutes is not at all related to their intentions as many of them have never prostituted themselves ever in their entire lives. This puts modern law enforcement in a real bind. We are at the point at which a girl can offer a man sex fro $200. and actually has no intention of breaking any laws at all. That makes her equal to a female cop who also solicits tricks and then arrests the guy who says yes. Fraud schemes could also make use of such a tactic in that the absurd offer is only made to create a list of greedy gullible people and the list is then sold to other fraud groups with no intention by the first group to ever defraud anyone. Imagine what such tactics can do to keep the courts in totally overwhelmed burdens of pseudo cases.

Re:It's All about intent

[david_thornley]

Crimes do not necessarily require criminal intent. It's illegal to kill someone even if you weren't trying to kill them. It's criminal to be criminally negligent even if it was out of laziness rather than malice.

Solicitation to commit a criminal activity is mostly illegal by itself. Police are allowed to participate in some illegal activities while running sting operations, so a police officer could solicit, although aggressive solicitation would probably constitute entrapment.

Re:Wow it isn't even the weekend yet

and the SJW articles are beginning.

While the ACLU is indeed concerned with social justice, I'm not sure that they've ever formally espoused a position that qualifies for the "SJW" label, which would seem to require saying that people who say mean dumb things on websites should be banned from the internet forever, and further that the SJW faction exclusively gets to decide what constitutes "mean" and "dumb". Free speech being our single most cherished civil liberty, it's conceivable that some, if not all, members of the ACLU may actually be opposed to prosecuting thoughtcrime the way SJWs want.

Re:ACLU lawsuit

[cayenne8]

Ok, I"m game.

WFT is "online discrimination"?

How does someone know your color online and prevent you from viewing a site, etc?

Seriously? I would think "online" is the ultimate in color blind territories.....

Re:That vile ACLU

[Coren22]

At least their interpretation doesn't require new grammar rules no one else uses.

Soap, ballot, and jury box

[tepples]

On Slashdot, you occasionally see comments that refer to three "boxes" used in nonviolent defense of liberty: soap box, ballot box, and jury box. Respectively, these refer to petitioning the government, voting out the bastards who disregard said petitions, and challenging constitutionality of legislation. But some people are opposed to use of the jury box as a substitute for the soap box and ballot box. They use "activist judges" as an epithet for those who use the power of judicial review in a way that they don't like. The problem is that the present campaign finance environment encourages use of the jury box, as it is perceived as the box least subject to manipulation by plutocratic rent-seekers.

Re:That vile ACLU

[cavreader]

They could drive down the street and run their daughters over with the car and back up over them just to make sure. Same end result.