There was never a case alleging a CFAA violation for scraping a publicly available database that anyone could use for any purpose. Until there was. How about Register v. Verio? There the district court enjoined Verio for scraping a publicly available database – indeed a database that Register was REQUIRED to keep publicly available. The Court of appeals reversed, but NOT because it was a ridiculous argument that this scraping could ever be a CFAA violation, but only because the $5000 loss could not be shown. If Register had done as AT&T did, and sent paper postal mail to every registrant in the database, the loss might well have exceeded $5000.

Should Weev have gathered 100 addresses rather than 100,000 to prove his point? Maybe, but we’re just talking about scale at that point. Both would be illegal under the act.

And that’s because there are no bad acts required in the statute. I would be happy to add that in to get some clarity. I would also like to see the evidence– not the indictment that Weev is a bad guy (a fact about which I have no opinion), but the evidence– that THIS information was offered for sale.

On a side note, I don’t use Swartz as an example here. I tend to agree with Orin that that case (though perhaps not the potential penalty) was much more supported than people give it credit for.

To my knowledge, nobody has yet produced a case where CFAA was used for criminal prosecution solely for the innocent act of violating TOS rules for purposes of scholarship, general information, or regular website usage.

Your account of the Weev cases simply leaves out the most important facts that were established by the prosecutor and accepted by the jury and that are clearly stated in the indictment. Weev intended to use that data for his own profit, possibly to extort AT&T. This was shown both by other witnesses and examination of other communication by Weev at the time. That is the heart of the case, not in any way peripheral, and suggesting that the formal violations were the reason he was prosecuted is cotnrary to the actual trial history.

Had Weev taken 10 addresses & sent them to AT&T security, there would have been no case, and that’s the example you are really describing. He took something like 120,000, and the prosecution had plenty of reason to think his purpose was mercenary. Weev has pretty much bragged openly about hacking for profit in the press.

Find me a case where someone has been prosecuted for simply taking public information from a public website *without* allegations of a deeper bad act, and we’ll have something to talk about. And no, you can’t use the Swartz case, as the prosecutors there thought Swartz intended to put the nonprofit JSTOR out of business by distributing their entire database of publications for free–my point being that’s what they alleged, and it’s far beyond “he took some information that he shouldn’t have.” I still don’t know of a single case where the prosecution tried–let alone a judge accepting–to use CFAA for a violation in which no other harm or misdeed was alleged.

Indeed, I’m not even sure that the framework works for non-query pages. Consider the buried .htm file that’s not linked to by any other page on the site. If I go searching for such pages, or use wget to obtain all of the .htm files in a directory, am I violating the rule? What if one of the .htm files was left visible by accident and never meant to be seen? Reasonable people would assume that you can’t get it, but we’re not going to outlaw wget, are we?

What the defendant did here was essentially a directory walk, but with ids rather than files. The data was publicly available, but just not “expected” to be seen by anyone but the user who had the matching id on their device. But that would mean that anyone faking browser headers to view a website that is otherwise turned off for their browser (often for technical rather than privacy reasons) is violating the law, too. I’m still not buying this as a distinction that can work in practice.

Orin, that looks like a nice bright-line technological distinction, but I think it breaks down into a mushy social one on closer examination. First, the web is not really a publishing platform in the sense that everything put on it is public. There are networked computers, but some parts of the network are private and some are not. Pages on both private and public portions are the network are written in HTML and requested and transmitted using HTTP via a web browser. Merely knowing that something is on the network somewhere and retrievable by a web browser doesn’t really tell us whether access by general members of the public is authorized or not, even as a default.

As to your proposed distinction — pages retrievable by typing stuff in the address bar are public, pages that require typing something into a field on a page are not — strikes me as too narrow and too broad. Too narrow because it’s possible to create a login page that transmits the login information entered in fields on the page — username and password — in the URL, via a “GET” request. That’s a password-type control that demands login credentials, just the same as any other login page, and I think most people would say that account pages retrieved by typing in the right username and password are not public. Sure, it’s *dreadfully insecure*, but whether access is authorized or not shouldn’t depend on the strength of the security measure, as I think you yourself have stated, what matters is the signal the security measure sends. And I don’t think that the particular portion of the page request where the password is transmitted to the site should matter either. For another example, how about a buffer overflow or SQL-injection attack that either retrieves restricted data or results in administrator access to the server? My understanding is that both can be accomplished through the URL portion of a page request. But certainly both are unauthorized access, even though any member of the public could type malformed URLs into their browser and achieve the same result.

It’s also too broad. There are sites that require login and passwords, but where defeating that requirement seems questionable as unauthorized access. I’m thinking of sites that say, e.g., “No government agents allowed. If you are not a government agent, type “NO” to be allowed entry.” Typing NO lets you into the site. But it’s not really a password control that visitors understand keeps the pages restricted only specific people previously designated by the site owner. The same with sites like newspaper sites that provide free access, based on providing only an email address. Suppose someone finds a way around the login page for such a site (other than by typing something into the URL field of their browser). Is that unauthorized access? The site is essentially open to the public after a trivial hurdle. I can see a jury saying that bypassing that hurdle, like my “Type NO to proceed” or even just clicking a button, does not have the social significance necessary to make entry trespass, just as it might make that determination in a real-property type situation.

I don’t see Pulte Homes as shedding much light on this. The union was sending emails — which I’ve argued is not even “access,” let alone “unauthorized access.” It was really a causing-damage-by-transmission claim, not an access claim. But even assuming it was access, the conventions for one-way communications are bound to be different. It’s hard to even imagine an email address that one should not send email to. It’s easy to imagine pages that one should not access — someone else’s bank account information, for example. The fact that no email addresses are unauthorized email addresses doesn’t help us determine which web pages are unauthorized web pages.