Disclaimer: First, I am not a lawyer, and this post is not legal advice. Please contact a lawyer for legal advice. This post is just about what I have learned from different sources over time. Let’s start.
One of the most important laws for security researchers is the Computer Fraud and Abuse Act (CFAA). This act was written in 1984. At that time, the main idea of the act was “you are not supposed to gain access to government computers”. A few additions were made to the act over time, and they made it confusing and pretty much useless. There are problems with this law, which I discuss below:
- 18 U.S.C. § 1030(a)(2)(C): without authorization or in excess of authorization -> Here we DO NOT know what “without authorization” means…
- 18 U.S.C. § 1030(a)(4): knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period; -> Here we DO NOT know what “without authorization” means…
- 18 U.S.C. § 1030(a)(5): (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss. -> Here we DO NOT know what “without authorization” means…
There could be criminal charges or civil penalties. However, the victim has to have at least 5k of financial loss for the court to process the claims.
- What is illegal is unclear.
- Selective enforcement: Law enforcement can interpret the law the way they want, since it is so open to interpretation.
- The penalties are harsh.
- US v. Nosal (Bonus: watch the trial here)
- US v. Drew
- EF Cultural v. Explorica
- US v. Auernheimer