Assignment 7 - Rewriting the CFAA

October 23, 2007

It's hard to not be authorized in my book

Maybe I am just stubborn but I just don't think the line should be drawn at authorization to use a computer. I think that attaching guilt at this point will work effectively in cases where the wrongdoing is obvious (the bank robber going behind the teller window to transfer funds electronically) but that this methodology falters under more ambiguous situations (An employee using a company computer for uses other than what their boss intended, but which may serve to better the company in the long run).  For this reason I am going with a very strict definition for "without authorization."

A person accesses a computer "without authorization" if in respect to that specific computer or network their authorization is not present in the form of
a) express permission to use or access by the system's owner; or 
b) implied permission to use or access based on the necessity or reasonableness of use of the computer by someone in the defendant's position within the home, organization, institution, etc.; or
c) Implied permission based on the programming and arrangement of the computer or network in a manner that allows access by users not physically present; or
d) Implied permission to use or access based on the actions of the owner or other users of the computer or network as perceived from the standard of a reasonable person in the position of the defendant.

Morris: authorized
Shurgard: authorized
DoubleClick: authorized
Mrs. Bluebeard: authorized 
Bank Robber: unauthorized

Posted by Brian Pyne on October 23, 2007 at 01:06 AM in Assignment 7 - Rewriting the CFAA | | Comments (0)

October 22, 2007

Authorization

A person accesses a computer "without authorization" if:

1. The owner of the computer has not authorized said person to access the computer , or

2. The person accesses the computer in bad faith.

Morris- Not authorized
Shurgard- Not authorized
Doubleclick- Not authorized
Bluebeard- Authorized

Posted by Julia Kolva on October 22, 2007 at 11:45 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

Are you authorized?

The purpose test from Morris seems to be the best definition of "without authorization" - access is "unauthorized" if the person uses the computer for a purpose the owner has not intended.

Morris: unauthorized
Shurgard: unauthorized
Doubleclick: unauthorized
Bluebeard: unauthorized.

Posted by Jayne Ricco on October 22, 2007 at 11:14 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

Without authorization

A person accesses a computer "without authorization" if:

a) the person accesses a computer without consent of the owner; or

b) the person breaks a condition of their access

Morris: without authorization

Shurgard:without authorization

DoubleClick: without authorization

Mrs. Bluebeard:  without authorization

Posted by Justin Goldstein on October 22, 2007 at 11:10 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

Shurgard Test is the most practical

A person accesses a computer "without authorization" if they used computer in a way disapproved by authorizer. (Shurgard test)

    Morris: not authorized
    Shurgard: not authorized

    DoubleClick: authorized
    Mrs. Bluebeard: not authorized

Posted by Kristin Marchesiello on October 22, 2007 at 11:03 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

Rewriting the CFAA

A person accesses a computer "without authorization" if he

a) uses a computer for a purpose other than what a reasonable person believes the computer is intended to be used for or

b) uses a computer for a purpose he knows or has a reason to know that the owner of the computer would disapprove of

Morris: unauthorized

Shurgard: unauthorized

DoubleClick: unauthorized

Mrs. Bluebeard: unauthorized

Posted by Richard Park on October 22, 2007 at 10:53 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

"Without Authorization"

A person accesses a computer “without authorization” if: without an account or without permission (express or implied) such person intentionally accesses confidential information from any protected computer, and uses, alters, distributes or discloses such information for a purpose for which they were not granted access.

Morris: unauthorized

Shurgard: unauthorized

DoubleClick: unauthorized

Mrs. Bluebeard: authorized; under the facts, Bluebeard did not use, alter, distribute or disclose the information.

Posted by Ali Weinberg on October 22, 2007 at 10:43 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

Authorize This

Of the three authorization tests my favorite is the purpose test. It comes the closest to an access grant that the owner intended but it should not be so harsh that personal email from a work computer is criminalized. I am okay with the no account test but not in the alternative. “No account” means you are not authorized but having an account does not allow you to do anything you want with that account. While the intended function test is just wrong - just because software allows it should not mean it was authorized.

New CFAA “without authorization” definition:
A person accesses a computer without authorization when that person uses a computer without the permission of the owner or party with the authority to grant permission. Unless permission has been granted to gain access to a computer through (a) guessing a password or (b) port-scanning or (c) spamming then access is without authorization.

Legislative History:
An authorization balancing test was considered but ultimately rejected. The factors to balance became too unwieldy aside from some sort of perfunctory “substantial justice” clause which was also ultimately rejected by the legislature.

Morris, Shurgard, DoubleClick & Mrs. Bluebeard:
not authorized

Posted by Josh B. on October 22, 2007 at 10:30 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

assessing authorization

A person accesses a computer without authorization if he:

(1) accesses a computer which is password protected and was not legitimately given the password by a person authorized to share the password; or

(2) knows or has reason to know that the owner/administrator of the computer intends to restrict access to the computer or any specific data on a computer; or

(3) accesses a computer in such a way that he knows or reasonably should know will cause harm to the computer or with intent to personally profit from such access.

Morris:  Not Authorized (under section 1, 3)

Shurgard:  Authorized

Doubleclick:  Not Authorized (under section 3)

Bluebeard:  Not Authorized (under section 2)

Posted by Jason Bresler on October 22, 2007 at 10:20 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

The New CFAA

A person accesses a computer "without authorization" if . . .

(a)     the person was not directly given authorization to or permission to use the password to access information, for the avoidance of doubt password guessing shall be deemed without authorization, or

(b)   the person was given the password or permission to use the password, but the person uses the password to gain access to information and uses the information in a manner that is harmful to the interstate commerce, the government or financial institutions

Morris: not authorized
Shurgard: not authorized
DoubleClick: authorized,
Mrs. Bluebeard: authorized, assuming the information was not password protected or such access didn’t result in harm to interstate commerce, government, or financial institutions. 

Posted by Alisha H on October 22, 2007 at 08:56 PM in Assignment 7 - Rewriting the CFAA | | Comments (0)

Next »