Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

https://aws.amazon.com/agreement/

> We will not access or use Your Content except as necessary to maintain or provide the Service Offerings, or as necessary to comply with the law or a binding order of a governmental body.

The CFAA uses wording like "exceeds authorized access", which Amazon would absolutely be guilty of if they went into your database to spy on your product listings.

If they could go after Aaron Swartz for using authorized access in an unauthorized way, it seems likely it could be applied here.



"One reason we could charge the price we did for the service is that we were treating the data we had access to as an investment. Thus the data we accessed was done so to ensure the service could be maintained."

Would a judge accept that argument? From me? No. From the lawyers Amazon can afford? I wouldn't be comfortable betting either way.


A reminder that the legal system is designed to serve the wealthy, and few are wealthier than Amazon. It's not absolute, but the little guy isn't going to walk away with Bezo's fortune in damages.


The CFAA doesn't protect "content", though. It protects "protected computers".

In this case, Amazon fully owns, possesses, and operates the "protected computer".

You'd have to successfully argue that Amazon fraudulently accessed their own computer. It might be possible, but I'm guessing it'd be a first.

The difference in Aaron's case is huge: he didn't own the computers that hosted JSTOR.


The Amazon employee accessing the data would be "exceeding authorized access".

> The difference in Aaron's case is huge: he didn't own the computers that hosted JSTOR.

His access was authorized, though. They still threw CFAA at him.


"exceeding authorized access" is not enough to violate the CFAA.

You have to "exceed authorized access to a protected computer"

The CFAA is not a data protection law. It is a computer protection law.


https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

> In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the interstate nature of most Internet communication.


Sure. The question I am alluding to is: can someone defraud their own computer?

Maybe it is possible, but the consequences to answering 'yes' to this is pretty scary.


If I buy my spouse a phone, and secretly bug it, I'm still violating wiretap laws, even if it's technically mine.

If I'm renting an apartment, my landlord can't install a camera in the bathroom, even if they're the owner of the building.

Ownership doesn't change the fact that the law says "exceeds authorized access". Amazon agrees to only access the computer I'm renting from them in very specific scenarios. If they violate that, it looks like a pretty clear CFAA violation.


Neither of your two examples have anything to do with the CFAA.

> Amazon agrees to only access the computer I'm renting from them in very specific scenarios.

AWS provides compute services, they do not rent computers. They make this clear in their terms.


> Neither of your two examples have anything to do with the CFAA.

They demonstrate that legal ownership is not the same as the legal right to do whatever you want with what you own.

> AWS provides compute services, they do not rent computers. They make this clear in their terms.

Good luck hoodwinking a judge with that argument.


Okay, you think you rent AWS servers?

Which one do you rent?

Where is your rental agreement?

When did you first take possession?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: