undefined | Better HN

0 pointsjcranmer4y ago0 comments

The law you're thinking of is CFAA, and it's not clear that this violates the CFAA. The requisite element is "accesses [...] without authorization or exceeds authorized access."

Given the general enthusiasm of blockchain proponents to believe that "the code is law", it's a pretty easy argument to make that taking advantage of poorly-written code is well within the user's authorized capabilities. Will it win in court? shrug

0 comments

jude-4y ago

Again IANAL, but I think there's more to it than "the code is law." If we accept that hacking is illegal, then we must also accept that the law recognizes a difference between what the code does and what the code intended to do. I would think that this means that the courts would recognize a faulty but good-faith attempt at an authorization check on token movements to be evidence of the developer's intent to prevent tokens from being moved without authorization. If so, then they would further conclude that token movement that doesn't follow the intended authorization code paths is a violation of the CFAA.

jcranmerOP4y ago

IANAL either, but from my following of SCOTUS and other law cases, it does seem that the actual judicial interpretation of CFAA's authorization requirements is kind of vague and unsettled. There's a pending case before SCOTUS this term about CFAA (although it's not directly related to what the question in this thread, it's possible the opinion weighs in on it). Reading the amici, I'm not sure I'd find any consensus as to whether or not people believe this kind of access violates or doesn't violate the CFAA.

That's why I ended with shrug--there's not enough clarity to answer if it is or isn't legal with any degree of certainty.

NovemberWhiskey4y ago

I think regardless of the circuit split on the meaning of "authorization", it seems fairly well settled that the meaning is not "what the computer system allows you to do".

e.g. Van Buren is about resolving the question of whether someone who is given access to a computer system for their job can be considered to have used it in an "unauthorized" way if they use that system in ways that are unrelated to that job.

The circuit-level decisions both start from the position "authorized" means something like "the owner of the computer has decided to grant access", which is more rather than less.

i.e. X intended to give Y access (this is the part of "authorized" on which there is consensus) but Y used it for purposes that X did not approve of (this is the subject matter of the disagreement)

j / k navigate · click thread line to collapse