I agree that significantly reducing the penalties under the CFAA would mitigate almost all of the damage it causes, but I don't see how that makes the language any better. It just limits the damage.
"Don't mess with systems that don't belong to you" worked much better in 1980 when typical computers cost a million dollars and were only expected to be used by the employees of the bank or government that owned them, because in that context you know you're authorized when you file a W2 and are issued a security badge.
Once you put systems on the internet for access by the general public it changes everything. "Mess with systems that don't belong to you" is practically the definition of The Cloud. The defining question is no longer who is authorized, because everybody is authorized, so the question becomes what everybody is authorized to do.
The problem is that nobody has any idea what that means in practice. All we can do is make some wild guesses -- maybe SQL injection against random servers of unsuspecting third parties is unauthorized access whereas typing "google.com" into a web browser without prior written permission from Google, Inc. is not. But what about changing your useragent string to Googlebot? What if that will bypass a paywall? What if that will bypass a paywall, but you're a web spider like the real Googlebot? What if you demonstrate a buffer overrun against the web host you use in order to prove their breach of a contract to keep the server patched? Can you charge a journalist for reading a company's internal documents when the company made its intranet server accessible to the internet without any authentication?
The answers to these questions depend primarily on which judge is deciding the case. Which is ridiculous, and the hallmark of a bad piece of legislation.
> He was released on appeal over a jurisdictional issue, not a statute or misapplication of the law.
This is actually why we don't know anything from that case. District court rulings aren't binding on other courts and the appellate court apparently threw out the case without ruling on the CFAA, so there was no precedent created either way.
But if the appellate court had ruled the same way as the district court and created that precedent, I don't think you could reasonably describe that as an improvement in the CFAA situation.