>People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.
Are you sure? I seem to remember people getting burned for publicly disclosing security vulnerabilities after stubborn agencies refused to fix them for years. Stuff like, exposing thousands of SSNs through a public gateway... We are literally having this discussion on URLs because of famous cases where people DID face unfair treatment. I don't recall any actual fix for this legal chicanery either. If you do, I would be very interested.
> I seem to remember people getting burned for publicly disclosing security vulnerabilities after stubborn agencies refused to fix them for years. Stuff like, exposing thousands of SSNs through a public gateway..
This has never happened in the US on the federal level. Unless your definition of "getting burned" is a nasty email from a clueless non-LE government worker.
> We are literally having this discussion on URLs because of famous cases where people DID face unfair treatment
I don't think any reasonable person can read through the court filings in those (Auernheimer, Swartz) cases and agree with the claim that there was unfair treatment wrt the application of the CFAA, or that the CFAA was unfair because it covers those cases.
I totally understand how someone who has not spent time familiarizing themselves with the actual details of the cases might be under the opposite impression; they are frequently misrepresented by people with agendas and nerds who mistakenly understand judicial process as a "Captain Kirk vs Computer" scenario.
There's a trend in communities like HN to claim that the CFAA is bad because Swartz deliberately broke the law while he engaged in some pretty cool civil disobedience. That's not reasonable. Two things can be true at once: what Swartz did was in fact cool and laudable, it still shouldn't be legal. Similarly, a reasonable person might consider it cool and laudable to punch a nazi, doesn't mean it should be legal.
In any case, there's also a trend of misrepresenting the potential penalties involved. On HN, you'll see people posting about how Swartz was facing 30 years in prison, which is an outright lie. Swartz had, in fact, behaved as described in the indictment; he had two plea deals on the table. One for 6 months with the opportunity to argue for further leniency from the judge, and another for 4 months outright. Lawyers familiar with the case have stated that it was very likely that he wouldn't have gone to prison at all.
Swartz killed himself, so the CFAA must be bad, but it's probably realistic to assume that Swartz did not kill himself because he was scared of spending a few months in prison. He was likely seriously mentally ill, and a victim of the poor state of the US healthcare system, not of the CFAA or the DOJ.
Have a look at this: https://m.slashdot.org/story/180969 Clearly there is precedent in the US and elsewhere for prosecution based on accessing URLs. Politicians have even argued that you should not be able to tamper with website source code in your browser, or otherwise use websites in any way not anticipated by the owners.
>Two things can be true at once: what Swartz did was in fact cool and laudable, it still shouldn't be legal. Similarly, a reasonable person might consider it cool and laudable to punch a nazi, doesn't mean it should be legal.
We live in an age where people call other people Nazis as if uttering the accusation gives them a free pass to infringe on the rights of those people. Even if it could be proven to be true, the facts would not grant them any such right.
Theft and unprovoked assault are neither cool nor legal. I don't care if we're talking about absolute assholes, either. For each and every one of us, there is probably someone in the world who thinks that they should have our property and have the right to attack us.
>Swartz killed himself, so the CFAA must be bad, but it's probably realistic to assume that Swartz did not kill himself because he was scared of spending a few months in prison. He was likely seriously mentally ill, and a victim of the poor state of the US healthcare system, not of the CFAA or the DOJ.
Idk that much about this case. It seems to me that Swartz was in a hell of a lot of trouble, that could have gotten him a prison term along with financial and career ruination. He clearly should not have killed himself but that kind of stress can make people lose sight of the future.
> Have a look at this: https://m.slashdot.org/story/180969 Clearly there is precedent in the US and elsewhere for prosecution based on accessing URLs
"prosecution based on accessing URLs" is a dishonest way of describing this case. It's a prosecution based on accessing URLs with malicious intent, while the persons responsible knew they were not intended to access said URLs.
That's like saying "prosecution based on walking through a doorway". Well yeah, except it was the middle of the night and the door to someone else's house had been accidentally left unlocked.
>Idk that much about this case. It seems to me that Swartz was in a hell of a lot of trouble, that could have gotten him a prison term along with financial and career ruination. He clearly should not have killed himself but that kind of stress can make people lose sight of the future.
Swartz had good lawyers; he was certainly aware that he wasn't in big trouble. He was facing neither financial nor career ruination. The damages he had caused were far from enough to result in financial ruination. The charges had made him even more of a celebrity and would've been a boost to his career.
Orin Kerr, a top subject matter expert, addressed this extensively. In the second part he also offers the best criticism of CFAA, which is that it's almost entirely redundant given the existence of a very broad wire fraud statute.
And for what it's worth, Swartz had been spending a lot of time thinking about suicide for years before the whole JSTOR debacle http://www.aaronsw.com/weblog/dying
That's literally the current state of things.