One of the chief criticisms of the Computer Fraud and Abuse Act, the federal anti-hacking statute, is that it's too vague. It bans unauthorized computer access, but offers scant guidance as to what "unauthorized" computer access actually means. The Christian Science Monitor (thanks Sean Harrington) carried an interesting story on this subject.
For instance, the Seventh Circuit Court of Appeals has ruled that someone could be found guilty of computer fraud for using a company computer against the interests of that business. In a different case, the Ninth Circuit ruled that the Seventh Circuit standard was overly broad.
Orin Kerr, a professor of law at George Washington University, has been a critic of the law's ambiguity. He holds the fairly radical notion that we should not define "unauthorized access" by law but rather that judges should rely on social norms to determine what should be considered computer trespass. His draft paper, titled "Norms of Computer Trespass", more fully articulates that position.
Kerr says that it isn't. In fact, he says, anything the public can see without entering a password should be fair game, because that's the standard he thinks most Internet users would apply.
We've seen versions of this in family law - husband takes a shower and leaves his smartphone (no PIN) on his bureau and wife reads steamy texts to his mistress. No problem - if she cracks or guesses a PIN, THAT is a problem. The texts were effectively "open." Another case: Husband shares his e-mail password with his wife and then leaves her - she uses the password to read his e-mails while they are separated. The judge finds that, though he is a moron for not changing his password, she should have known that she no longer had authorized access.
The trouble, as always, is that judges will have different concepts of "social norms" which will result in varying decisions. But that is no different from the present reality. Not sure Mr. Kerr's idea is a solution, but it is an interesting take on the problem.