I think we'd be better off if we were the ones suggesting ways to define unauthorized access. I've thought about this quite a bit and I posted something on that subject about a week ago with my own suggested definition thereof. Quoting from that earlier comment:
=====
For 'unauthorized access' to a computer system you (should) need to knowingly access a protected system in a way not permitted by the rights granted to you by the computer system, or by deliberate deception of either the computer systems or people.
So for 'knowing' we have to actually know (via banners, etc.) that we're somewhere we shouldn't be. For 'protected' it has to be actually protected (none of this "I found unprotected files lying around with no password" nonsense). The last two clauses cover privilege escalation attacks and social engineering. So it should matter if you're operating the system normally or if you accidentally just click/type something wrong and found your way in vs. you were deliberately hacking / social engineering your way in.
I'd also add a safe harbor for anyone who in good faith reported the issue to the site operators, police, or government regulatory bodies to prevent reprisal like this ugly case.
I just emailed my Senators. People routinely underestimate the value of calmly and briefly explaining to elected leaders why they should vote one way or another.
Holy crud! CFAA already allows TOS writers to define any behavior as unauthorized & therefore a felony. Congressmen need a way to look strong on security without completely breaking rule of law. We should issue them nerf guns or something.
Wasn't that the very basis of the Aaron Swartz case? That, by violating the terms of use of the MIT site, he was violating the CFAA thus charged with multiple felonies?
The linked case dealt with employees but I don't see why there should be a distinction. I would consider the general public to have even greater protections.
This is a little different as it has to do with exceeding authorized access as an employee.
The CFAA doesn't allow TOS writers to "invent" felonies, but it does allow for a basis of prosecution against someone who breaks it.
Someone who siphons off data, breaking a TOS, will get treated the same as someone who lies on their dating profile. This is why the CFAA is too vague in its current form.
We're expected to trust that only the "big guys" will be prosecuted under the CFAA, skirting the point of having the rule of law in the first place as no interpretation of a law should be left up to the discretion of a few men.
As well, most people break at least 3 laws a day without knowing it, and they're likely breaking many more throughout the day online, just not getting prosecuted for it, but they could.
Good news everyone, I hid an <img> to my server in this page, now you visited part of my site you were not authorized to! You are now all felons, see you in court.
Learn: https://wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
Call your representatives: TryVoices.com
Donate to the EFF: https://supporters.eff.org/donate/