Slashdot Mirror

← Back to Stories (view on slashdot.org)

ACLU Lawsuit Challenges Computer Fraud and Abuse Act (thestack.com)

Posted by BeauHD on from the third-party-testing dept.

An anonymous reader writes: The American Civil Liberties Union (ACLU) has filed a lawsuit with the U.S. Department of Justice contending that the Computer Fraud and Abuse Act's criminal prohibitions have created a barrier for those wishing to conduct research and anti-discrimination testing online. The ACLU have pursued the matter on behalf of a group of academic researchers, computer scientists and journalists seeking to remove that barrier to allow for third-party testing and research into potential online discrimination. In a public statement the ACLU contend: "The CFAA violates the First Amendment because it limits everyone, including academics and journalists, from gathering the publicly available information necessary to understand and speak about online discrimination."

16 of 76 comments (clear)

  1. Re:That vile ACLU by Anonymous Coward · · Score: 2, Insightful

    The ACLU would be great if they weren't so selective about the civil liberties they defend.

  2. Re:I don't follow by Anonymous Coward · · Score: 5, Informative

    One of the provisions makes it a felony for unauthorized access to a computer system. In most EULAs it spells out that reverse engineering is disallowed and creates an area of unauthorized access. Thus a security researcher trying to analyze a system is technically committing a felony under the CFAA as it doesn't make any exceptions. Even if the analysis is being performed completely locally on systems they own if say the OS is Windows or MacOS.

  3. How is it different for offline by u19925 · · Score: 2

    If you go to doctor's office and start video recording everyone to collect data on discrimination, will it allow it? Same way, website can limit recording of publicly available information. Doctor's office will also ask you provide true information just like websites do. I don't see much difference between the two. There are many private clubs which limit do the same. I don't see Facebook, Twitter any different than YMCA etc where if I want to be in, I have to become member, pay, provide my true information and then can do limited recording. If you ask online sites to allow fake id, unlimited recording, then why not doctor's office, gyms, hotels etc?

    1. Re:How is it different for offline by Fire_Wraith · · Score: 5, Interesting

      Probably the analogy would be the laws making it illegal to record abuses at places like food processing plants. There have been several states that have attempted to outlaw undercover video, after activists managed to get hired, and later released video of the horrible and illegal stuff that was going on in those plants. Or consider bans against recording the police on video, that wind up making any video recording of the police, even of the police committing a blatant crime, illegal.

      That doesn't mean the law needs to go away entirely, but having some sort of affirmative defense should play a part, for instance.

  4. Re:I don't follow by PRMan · · Score: 2

    They need to lie and say they are black or lie about their zip code in order to see if there is any disparate treatment. They can't do this with the CFAA as it is technically illegal, since they are lying about their identity.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  5. Re:I don't follow by mark-t · · Score: 2

    Thus a security researcher trying to analyze a system is technically committing a felony under the CFAA as it doesn't make any exceptions

    It doesn't have to make exceptions.... the law prohibits *UNAUTHORIZED* access to a computer system. If you own the computer system yourself, then who else is supposedly supposed to be authorizing you to access it? If someone else controls authorization to access to some piece of property, then by definition that property belongs to THEM. Unless there is another law that also prohibits private people from owning personal computers, the CFAA does absolutely nothing to stop anyone from accessing anything that they want on the devices that they have purchased for themselves. As a secondary point, how the hell would they supposedly even know, anyway?

    --
    File under 'M' for 'Manic ranting'
  6. Re:Invent a new crime. by Fire_Wraith · · Score: 2

    The CFAA is the "X with a computer" of criminal law, where X is just about anything they want to enforce it as. And that's the problem. It's stupid and BS for patents, and it shouldn't be any more valid in criminal cases.

  7. The law is as broad as possible by rsilvergun · · Score: 3, Informative

    in it's definition of "Unauthorized". If you don't like how someone is using information you've made publicly accessible on your web site then it's suddenly "Unauthorized" and congrats, you're perl script just committed a felony for you. This isn't like walking into a house with it's doors unlocked. It's more like you wrote down advertised prices from billboards, aggregated the data, and when somebody notices you doing that doesn't make them look so good they throw you in prison.

    This has been discussed multiple times on /.. It seldom comes up because most of us are working for large corps doing what we're told and so have a bit of the corporate veil to protect us. Someone trying to research a politically unpopular idea (racial profiling is being used to target minorities for expensive high risk loans and exclude them from cheaper low risk ones they otherwise qualify for) has to worry about this. If your study shows a pattern of abuse from on the part of a multi-billion dollar mortgage company expect to see some charges.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:The law is as broad as possible by Facekhan · · Score: 3, Informative

      If you make factual data public, you don't generally "own" it as in you don't have exclusive rights to it. You can't copyright a database of factual information. Basically the CFAA lets a firm make data public but then if someone uses a script to aggregate it, they can claim it was a felon. Just as an example, the CFAA could even apply to things like price comparison websites if a particular merchant doesn't want their public pricing information compared to their competitors.

    2. Re:The law is as broad as possible by Facekhan · · Score: 2

      The other issue concerns employee use of employer owned systems. There have been cases where employees have been prosecuted for violating a purely civil agreement between them and their employer about the systems they have access to.

      In general the law should not criminalize a civil contract violation or in the case of EULA's and Acceptable Use policies, it is questionable whether they are even valid contracts. This is especially true when the law in question is very one sided in favor of big companies using the threat of prosecution against researchers and employees and customers. I can't get the FBI to prosecute Comcast for turning on their public Wifi network on my router, even though it does potentially violate the CFAA.

  8. Re:ACLU lawsuit by MasseKid · · Score: 2

    As opposed to what? Armed revolution? Protesting with Signs? I mean what do you think they are supposed to do but take violations of the constitution to the courts and using the check and balances system as designed?

  9. Re:ACLU lawsuit by frovingslosh · · Score: 3, Informative

    You miss the point. they apparently are upset because the law applies to everyone. They apparently now believe in laws that apply to some people but not others.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  10. Re:I don't follow by PopeRatzo · · Score: 3, Funny

    Well hell, now I have to delete my bitchy empowered female avatar, my ditsy teen schoolgirl avatar, my racist troll sockpuppets,

    ...and that was the end of his presidential campaign.

    --
    You are welcome on my lawn.
  11. Re:I don't follow by mark-t · · Score: 2

    ...since Western Civilization now tells us that things like gender and race have no basis in concrete reality.

    Things like that have no lawful basis for certain types of discrimination, but it is wholly erroneous to say they have no lawful basis in concrete reality.

    One example of a legal type of discrimination based on sex would be one's right to discriminate on the gender of a person that they may want in a roommate, when the roommate shares any of either a bedroom, bathroom or kitchen with the other person. One is obviously not required to discriminate based on sex for those reasons, of course, but it is but one example of where it is entirely legal to discriminate based on gender.

    --
    File under 'M' for 'Manic ranting'
  12. Re:I don't follow by Intron · · Score: 2

    I read the article... it says that the CFAA somehow prevents people from doing legitimate research, but fails to even give a single example of actually how this happens. How does the law that is supposed prevent computer fraud stop a person from doing research, exactly?

    How's this?

    https://www.databreaches.net/c...

    Or this?

    http://www.computerworld.com/a...

    --
    Intron: the portion of DNA which expresses nothing useful.
  13. Re:That vile ACLU by cavreader · · Score: 4, Insightful

    The law abiding citizens who happen to be gun owners are the ones who are ultimately tasked with upholding their gun rights. The efforts of the NRA just represent the non-violent method of upholding gun rights. And unlike the corporate lobbyists the NRA doesn't buy political support with money they buy political support with the number of voters they can deliver at election time. The anti-gun crowd is shrill at times and relish turning every gun related death into an extinction level event but they are vastly outnumbered by gun owners who only need to vote when they feel their gun ownership rights are being reduced.