The problem with the anti-hacking law, the "CFAA", is that it doesn't define what, exactly, is "hacking". Nobody knows what the law forbids.
Every so often somebody asks "Does portscanning violate the CFAA law?" The answer is that really, nobody knows. The answer is "probably not -- until it does".
I get a 404 Not Found when I follow a link to a website. I notice what the problem is. So I change the URL and fix it, and get to the webpage. Does this violate the CFAA? The answer is the same "probably not -- until it does".
An example is the Weev case, where he wrote a script that incremented a number in the URL. The court claimed this violated the CFAA.
One thing that bugs me about all this is 'mens rea', or 'intent'. This is how the court gets around the fact that terms like "authorized" are undefined and vague. It doesn't matter what the word means, it only matters if the accused knew they weren't authorized.
I mean, even if the word had a concrete definition, they would still have to show that the accused knew they weren't authorized, and knowingly/intentionally accessed the computer without authorization.
That's how lawyers think it works, but not how it works in practice. A good example is the Weev case. If somebody puts something on a public website, requiring no username/password, most of us think we are implicitly authorized to access it.
I mean, if we weren't authorized to access things on a public web site, by the mere fact they made it public, then how the heck does the entire web work???
I forbid you to click on this link and access this webpage:
blog.erratasec.com/2012/11/you-ar…
Weev knew AT&T made a mistake and didn't intend to make the data public. But at the same time, Weev believed he was still authorized to access the public content by the mere fact that it was public.
So does this meet the mens rea test? Did Weev know his access was unauthorized? The factual answer is that Weev believed he was authorized, but that's not the legal answer.
I mean, there's good reason for the legal answer, otherwise, every criminal would say it was unintentional. However, in this case, it's actually true. It's why the otherwise vile Weev gets so much support in our community, because we all believe it was authorized access.
So since the court can't trust Weev's claims of his intentions, it has to figure it out for itself. The way it does this is by judging an average person in Weev's situation. It's not whether Weev thought he was authorized, but whether the average person would think so.
But the average person can't write code.

To do his evil deeds, Weev had to write a short computer program to increment the number in the URL millions of times. The average person couldn't do that, not knowing how to code.
The mens rea test is thus about whether you can code.

It's like the difference between a curb and a fence. Stepping over a curb isn't trespassing but climbing a fence is. Because most people know that a fence means 'keep out'.
The analogy for computers is that if something keeps out the average person, then the average person knows it's a barrier that means "keep out". If they can't access a website, then access is not authorized.
But writing scripts and programs is perfectly normal in the computer world. For programmers, it's less of a barrier than a curb. We don't see it as a keep out sign.

Indeed, without scripts/code, then Google wouldn't work.
It's like the URL at the top of the web browser. Some geeks like me think that I can change that URL, such as adding one to the number I see there to access a different tweet. 90% of the general population have never done that.
The court thinks that it's a barrier, that the average person would know that access was not authorized if it required editing the URL. But this reasoning confuses techies. Why the heck can we edit it if it wasn't meant to be editable?
So I get lawyers telling me that "authorized" vagueness isn't a problem, because of "intent", the mens rea element.

But that's not true, because that's even more vague. Techies honestly believe they are authorized and still violate the CFAA.
So is writing a script to add one to a URL a crime? The CFAA doesn't tell you. Nobody knows. You can't hire a lawyer to answer this because they don't know, either. You can hire the top lawyer experts on the CFAA and they can't tell you.
In any case, if I remember the case above, it's because Van Buren was authorized to access a computer (as a normal part of his job), but then used the information he was authorized to access in unauthorized ways.

Is that unauthorized access of a computer? Nobody knows.