Law Commons^™

Platforms, Encryption, And The Cfaa: The Case Of Whatsapp V Nso Group, Jonathon Penney, Bruce Schneier

Articles, Book Chapters, & Popular Press

End-to-end encryption technology has gone mainstream. But this wider use has led hackers, cybercriminals, foreign governments, and other threat actors to employ creative and novel attacks to compromise or workaround these protections, raising important questions as to how the Computer Fraud and Abuse Act (CFAA), the primary federal anti-hacking statute, is best applied to these new encryption implementations. Now, after the Supreme Court recently narrowed the CFAA’s scope in Van Buren and suggested it favors a code-based approach to liability under the statute, understanding how best to theorize sophisticated code-based access barriers like end-to-end encryption, and their circumvention, is now …

Access Denied? Unauthorized Access After Hiq Labs V. Linkedin, Dalton Sjong

Marquette Intellectual Property & Innovation Law Review

None

Fixing What’S Broken: The Outdated Guidelines Of The Sca And Its Application To Modern Information Platforms, Lutfi Barakat

Touro Law Review

In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to afford privacy protections to electronic communications and it has not changed since its inception. The ECPA has proven problematic as technology has advanced, but Congress has not modified the law to reflect this change. Courts have struggled to apply the law to both old technologies that have been updated and new technologies that have emerged. The ECPA needs to be revised to reflect the new advances in technology or be repealed and replaced with a new approach. This will ensure that consumer data will be safeguarded while in the …

Legal Risks Of Adversarial Machine Learning Research, Ram Shankar Siva Kumar, Jonathon Penney, Bruce Schneier, Kendra Albert

Articles, Book Chapters, & Popular Press

Adversarial machine learning is the systematic study of how motivated adversaries can compromise the confidentiality, integrity, and availability of machine learning (ML) systems through targeted or blanket attacks. The problem of attacking ML systems is so prevalent that CERT, the federally funded research and development center tasked with studying attacks, issued a broad vulnerability note on how most ML classifiers are vulnerable to adversarial manipulation. Google, IBM, Facebook, and Microsoft have committed to investing in securing machine learning systems. The US and EU are likewise putting security and safety of AI systems as a top priority.

Now, research on adversarial …

Terms Of Service And The Computer Fraud And Abuse Act: A Trap For The Unwary?, David A. Puckett

Oklahoma Journal of Law and Technology

No abstract provided.

Consenting To Computer Use, James Grimmelmann

Cornell Law Faculty Publications

The federal Computer Fraud and Abuse Act (CFAA) makes it a crime to “access a computer without authorization or exceed authorized access.” Courts and commentators have struggled to explain what types of conduct by a computer user are “without authorization.” But this approach is backwards; authorization is not so much a question of what a computer user does, as it is a question of what a computer owner allows.

In other words, authorization under the CFAA is an issue of consent, not conduct; to understand authorization, we need to understand consent. Building on Peter Westen’s taxonomy of consent, I argue …

Data Privacy Regulation In The Age Of Smartphones, Matthew Hettrich

Touro Law Review

No abstract provided.

Kill The Dinosaurs, And Other Tips For Achieving Technical Competence In Your Law Practice, Antigone Peyton

Richmond Journal of Law & Technology

It is a challenge to practice law in the digital age. This is particularly true when a practice involves significant e-Discovery, Intellectual Property, and technology law—areas in which technical issues merge with legal ones. One of the major challenges of bringing a law practice up to twenty-first-century standards relates to dinosaur thoughts, a.k.a. an “old ways are best” mentality.

Cyber Security Active Defense: Playing With Fire Or Sound Risk Management, Sean L. Harrington

Richmond Journal of Law & Technology

“Banks Remain the Top Target for Hackers, Report Says,” is the title of an April 2013 American Banker article. Yet, no new comprehensive U.S. cyber legislation has been enacted since 2002, and neither legislative history nor the statutory language of the Computer Fraud and Abuse Act (CFAA) or Electronic Communications Privacy Act (ECPA) make reference to the Internet. Courts have nevertheless filled in the gaps—sometimes with surprising results.

Code Is Law, But Law Is Increasingly Determining The Ethics Of Code: A Comment, Jonathon Penney

Articles, Book Chapters, & Popular Press

“Code is Law”, the aphorism Larry Lessig popularized, spoke to the importance of computer code as a central regulating force in the Internet age. That remains true, but today, overreaching laws are also increasingly subjugating important social and ethics questions raised by code to the domain of law. Those laws — like the CFAA and DMCA — need to be curtailed or their zealous enforcement reigned; they deter not only legitimate research but also important related social and ethics questions. But researchers must act too: to re-assert control over the social, legal, and ethical direction of their fields. Otherwise, law …

Criminalizing Hacking, Not Dating: Reconstructing The Cfaa Intent Requirement, David Thaw

Articles

Cybercrime is a growing problem in the United States and worldwide. Many questions remain unanswered as to the proper role and scope of criminal law in addressing socially-undesirable actions affecting and conducted through the use of computers and modern information technologies. This Article tackles perhaps the most exigent question in U.S. cybercrime law, the scope of activities that should be subject to criminal sanction under the Computer Fraud and Abuse Act (CFAA), the federal "anti-hacking" statute.

At the core of current CFAA debate is the question of whether private contracts, such as website "Terms of Use" or organizational "Acceptable Use …