Editing Aaron projects/CFAA
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 83: | Line 83: | ||
** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations. | ** we feel as though there is sufficient persistent identity in the community that even pseudonymous hackers care about their reputations. | ||
* ''' | * '''focus on bad ''access'', leave ''use'' to other laws''' - laws on copyright, trade secret, identity theft, espionage, extortion, and fraud govern most of the "scary" use cases. | ||
** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law. | ** In this way, we are leaving the "hats" (black/white/grey/green) discussion for the community norms or existing law. | ||
* '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way. | * '''Consent should always be a defense''' - server owners ask members of the public to do some weird stuff against their systems, but as long as they ask for it, it should never be a crime to access one's computer in that way. | ||
* ''' | * As to code-based vulnerabilities and authentication measures, '''some level of technical effectiveness should be considered.''' A "reasonable" standard may not be appropriate, as defining what is "reasonable" may lead to unnecessary confusion. But some consideration should be made to ensure that trivially-overcome measures are not considered within the scope. | ||
==== What should be unlawful ==== | ==== What should be unlawful ==== | ||
* ''' | * '''hold the party intending to do the bad behavior culpable''' - don't track liability to a person whose computer was unwittingly used to commit the crime. | ||
* '''Circumvention of a code-based authentication measure''' | * '''Circumvention of a code-based authentication measure''' should be unlawful (leaving proportionality for another discussion). This includes cracking, password guessing, or human-engineering password disclosure. | ||
* '''Exploiting a code-based vulnerability to obtain information''' should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack. | * '''Exploiting a code-based vulnerability to obtain information''' should be unlawful (leaving proportionality for another discussion). We are thinking of things like a SQL injection hack. | ||
Line 101: | Line 100: | ||
==== Uncertain areas ==== | ==== Uncertain areas ==== | ||
* ''' | * '''penetration testing''' is squishy - an open call for bug bounties should be treated like consent to access the site (again, using laws govern bad uses) | ||
* '''"accidentally open" sites are squishy''' - e.g., sites that were supposed to be behind an authentication layer but are not. To a certain extent, it may be best to place the fault of this onto the coder of the site, with the comfort that certain uses by the obtainer of information may still be unlawful. | |||
=== Open questions === | === Open questions === |