Anti-cybercrime laws are being weaponized to repress journalism
62 comments
·November 2, 2025dlcarrier
xoa
>but why have different punishments based on what technology someone used?
So first as foundation, I see no reason to pretend that the law is always perfectly thought through and logical particularly when it comes to crime. And even when laws have been done for the time, that also doesn't mean circumstances haven't changed over the decades while the law remained static.
That said, in principle punishment embodies multiple components and a major aspect is deterrence. The deterrence value in turn interplays with components like barrier to entry, scaling of the potential harm and the likelihood of getting caught. Usage of technology can have a significant impact on all of this. It's significantly more challenging and expensive to prosecute crimes that stretch across many jurisdictions, technology can also have a multiplier effect allowing criminal actors to go after far more people, both in terms of raw numbers and in terms of finding the small percentage of the vulnerable, and perceived anonymity/impunity can further increase number of actors and their activity levels. It also has often implied a higher degree of sophistication.
All of that weighs towards a higher level of punishment even as pure game theory. That doesn't mean the present levels are correct or shouldn't be only a part of other aspects of fighting fraud that depressingly frequently get neglected, but it's not irrational to punish more when criminals are generating more damage and working hard to decrease the chance of facing any penalties at all.
ajmurmann
You have to levers to enforce law. You can get better at catching lawbreakers or punish those that are caught harder. There are studies that show that catching a higher percentage of criminals and punishing them in a timely fashion leads to lower crime than punishing those you do catch harder. Europe in general has more police officers per capita and higher conviction rates that happen more timely. The US on the other hand spends more on prisons and has her officers. I think this is partially cultural and due to how responsibilities and finance are set up between local, state and federal government in the US.
Fraud via phone or computer is harder to catch. So the US follows it's established pattern and instead of hitting efforts for law enforcement increases punishment
franga2000
Europe has a similar problem of over-punishing "crimes with a computer". In many EU countries, there's no punishment for trespassing, but even accessing an open network share that you found on Shodan, looking around out of curiosity, then disconnecting, is punishable with prison time.
tptacek
The big problem with CFAA isn't particular to CFAA at all; it's that it shares the 2B1.1 loss table with all the other federal criminal statutes, and computers are very good and very fast at running the number on that table up. It's a real problem and I'm not pushing back on the idea that something should change about it, but I wouldn't characterize the problem the way you do, as the law singling out crimes involving computers.
Part of the history of CFAA was that it was passed because the state of the law preceding it didn't comfortably criminalize things like malicious hacking and denial of service; you can do those things without tripping over wire fraud.
AnthonyMouse
> it's that it shares the 2B1.1 loss table with all the other federal criminal statutes, and computers are very good and very fast at running the number on that table up.
That's a problem with it, but another big one is that it's inherently ambiguous.
The normal way you know if you're authorized to do something with a computer is that it processes the request. They're perfectly capable of refusing; you get "forbidden" or "access denied" but in that case you're not actually accessing it, you're just being informed that you're not allowed to right now. So for there to be a violation the computer would have to let you do something it isn't supposed to. But how are you supposed to know that then?
On a lot of websites -- like this one -- you go to a page like https://news.ycombinator.com/user?id=<user_id> and you get the user's profile. If you put in your user there then you can see your email address and edit your profile etc. If the server was misconfigured and showing everyone's email address when it isn't supposed to, how is someone supposed to know that? Venmo publishes their users' financial transactions. If you notice that and think it's weird and write a post about it, should the company -- possibly retroactively -- be able to decide that the data you're criticizing them for making public wasn't intended to be, and therefore your accessing it was a crime? If you notice this by accident when it's obvious the data shouldn't be public -- you saw it when you made a typo in the URL -- should there be a law that can put you in jail if you admit to this in the process of making the public aware of the company's mistake, even if your access resulted in no harm to anyone?
The wording is too vague and it criminalizes too much. "Malicious hacking" might not always be wire fraud but in other cases it could be misappropriation of trade secrets etc., i.e. whatever the actual act of malice is. The problem with the CFAA is that it's more or less attempting to be the federal computer law against burglary (i.e. unlawful entry with the intent to commit a crime) except that it makes the "unlawful" part too hard to pin down and failed to include the part about intent to commit a crime, which allows it to be applied against people it ought not to.
tptacek
'JumpCrisscross is stipulating that you might be right in this analysis but observing that in practice CFAA doesn't play out that way. I'm instead going to go right at your argument and say that a precise definition of unauthorized access isn't necessary in the first place. The statute turns on intent. It's the burden of the prosecution to prove not just that some kind of access was pro-forma unauthorized, but also that the defendant should have known it was.
This is no different than zillions of other criminal statutes, the majority of which hinge on intent.
JumpCrisscross
> how is someone supposed to know that?
When was the last CFAA prosecution where the perpetrator literally didn't know they were doing something unauthorised?
terminalshort
There ought to just be a blanket criminal law for intentionally causing financial damages to citizens over a certain amount. Fraud is typically a civil matter, but the problem comes when someone causes $5000 of fraud to 200 people, which is made much easier by the internet. It doesn't make financial sense to sue for that amount. If we had a law that intentionally causing $1 million or more of civil damages is also a felony punishable by up to 10 years in prison this would allow DAs to apply well deserved criminal penalties without having the possibility of criminalizing harmless behavior.
tptacek
Fraud is almost definitionally not a civil matter. There is civil fraud, but it bears the same relationship to fraud as the Goldman's wrongful death case did to the OJ criminal case.
terminalshort
The governing bureaucrats of the post WWII period have decided that the limited government of the previous era does not give them the level of control over citizens lives that they want. They know that rolling back existing protections is difficult politically since those pesky citizens don't know what's good for them. So our ruling betters need to be a bit more clever. They stoke fear over criminals being out of control because they are using scary new technology that the police just can't handle. Therefore we need to pass harsh new laws to control it. Of course over time that "scary new technology" becomes the routine way everybody communicates, but now without the legal protections that the old system had.
3037412197
[dead]
sonicvroooom
200 good software and marketing engineers that ignore studies and fight for a good, evolutionary rational cause ... as good as they make proxy farms for scraping ... damn ... so much after work, so much to write about, so much to critique, so. much. capital.
ChrisMarshallNY
People will abuse any law they can.
> "Any proposal must be viewed as follows. Do not pay overly much attention to the benefits that might be delivered were the law in question to be properly enforced, rather one needs to consider the harm done by the improper enforcement of this particular piece of legislation, whatever it might be."
-Lyndon B. Johnson
phendrenad2
Why is this surprising to anyone? When the government is corrupt, the laws are just a convenient cover for doing whatever you wanted to do anyway.
Secondly, which countries does the article mention? Nigeria, Pakistan, Georgia, Turkey, and Jordan. Such countries strain the definition of "government" let alone "law".
ugur2nd
Welcome to Earth! Some people really enjoy exploiting legal loopholes.
Two years ago, I was sued for $10,000 in copyright infringement for embedding a YouTube video on my website. They filed a lawsuit by describing the word “embed” as if it were “upload.” But they are two different things. I won the case. But I realized that others didn't.
I learned that the company filed lawsuits against dozens of websites, especially Blogspot sites. I even heard a rumor.
They share content on social media and community sites in a way that entices people, focusing on areas that remain in a gray zone and where few people know it's illegal.
For example, “Embed movies from YouTube and share them on your website. You'll make a lot of money. If I knew how to program, I would do it.” This is just one example. There are many different examples. By the way, my site wasn't a movie site.
They apparently file lawsuits like clockwork against anyone who triggers their radar with the right keywords via Google Alerts.
Cybercrimes are just another reflection of this. If I could, I'd share more, but I don't want to go to jail. Freedom of expression isn't exactly welcomed everywhere on the internet.
retox
[dead]
tptacek
These aren't really cybercrime laws as such; they're cybercrime statutes that include defamation and misinformation laws; it's those speech restrictions, which are explicit and not a knock-on consequences of fighting what we consider "cybercrime", that are the root of this reporting.
walterbell
"US declines to join more than 70 countries in signing UN cybercrime treaty", 200 comments, https://news.ycombinator.com/item?id=45760328
the first global framework “for the collection, sharing and use of electronic evidence for all serious offenses”.. the first global treaty to criminalize crimes that depend on the internet.. [it] has been heavily criticized by the tech industry, which has warned that it criminalizes cybersecurity research and exposes companies to legally thorny data requests. Human rights groups warned.. [it] forces member states to create a broad electronic surveillance dragnet that would include crimes that have nothing to do with technology
https://www.atlanticcouncil.org/blogs/new-atlanticist/the-un...
> states parties are obligated to establish laws in their domestic system to “compel” service providers to “collect or record” real-time traffic or content data. Many of the states behind the original drive to establish this convention have long sought this power over private firms.
tptacek
So, (1) this is a dead letter because UN cybercrime isn't going to happen here, and (2) it's not a good treaty and I wouldn't support it anyways, but the UN cybercrime convention doesn't have any of the problematic terms discussed in this CJR article. It seeks to criminalize:
(7) Unlawful access to systems
(8) Interception and wiretapping
(9) Interfering with data (presumably: encrypting and ransoming databases)
(10) DOS attacks
(11) Knowlingly selling hacking tools to criminals
(12) Forging online documents
(13) Online wire fraud
(14) CSAM
(15) Solicitation and grooming
(16) Revenge porn
Articles 14-16 are the closest you get to something not "according to Hoyle" cybercrime. I wouldn't want them in my cybercrime treaty, but I'd be pretty chill about them being standalone domestic laws.
A reminder: no matter what a UN convention says, treaties don't preempt the US Constitution. We could not enforce a treaty that includes Nigeria's misinformation terms --- it would violate the First Amendment. (Also useful to know, contrary to widespread belief online, that a self-executing treaty is itself preempted by statutes passed after it).
kristjank
>Well meaning
yeah, right
hsuduebc2
Any instrument that can be used to repress opposition should be minimal, transparent, and tightly limited if it must exist at all. When power gets new levers, it always finds new ways to pull them.
But in this case it may be designed for that purpose.
terminalshort
> Across the world, well-meaning laws intended to reduce online fraud and other scourges of the internet are being put to a very different use.
If only someone, anyone, could have foreseen this /s. I read so many HN comments about the "slippery slope fallacy," back when the powers that be were censoring the people that they didn't like. I bet they'll be right back where they were next time the government is going after the "misinformation" they don't like.
ThrowawayTestr
Everyone is an authoritarian towards the other side.
hunterpayne
No, not everyone is like that. But plenty of people are.
gxs
> One provision in particular—Section 24, which made it illegal to publish false information online that was deemed to be “grossly offensive,” “indecent,” or even merely an “annoyance”—has been especially ripe for abuse
I mean how is this surprising to anyone?
Grossly offensive is in the eye of the beholder
hunterpayne
> Grossly offensive is in the eye of the beholder
Quite right. However, certain media outlets have knowingly published false information and when pushed on this they claim that those reports happened as part of the "opinion" part of their reporting. Before you get smug, your side does it too (as does mine). I'm am less concerned with blaming people than coming up with a mitigation of these issues.
So I think we need a 2 class system of reporting. A factual part where knowingly reporting false information has consequences. And an opinion part where it doesn't. Journalists would claim they already do this but here is the new policy. Reporting must constantly and clearly show to which class the report belongs. So maybe a change in background color on websites, or a change in the frame color for videos. Something that make it visually and immediately clear to which class this reporting belongs. That way people can more accurately assess the level of credibility the reporting should have.
gxs
In a different time when different mindsets prevailed, the US government handled this about as well as you could hope
The Fairness Doctrine is irrelevant today because of the way news is published/broadcast, but was effective in my humble opinion
From Wikipedia: “ The fairness doctrine had two basic elements: It required broadcasters to devote some of their airtime to discussing controversial matters of public interest, and to air contrasting views regarding those matters.”
And without getting too political, the beginning of a lot of our media woes in terms of news correlates nicely with when the doctrine was revoked
SilverElfin
What’s the principled line between journalism and crime, if there is one that isn’t just opinion? Often journalists are not just protecting sources but guiding them or encouraging them. And those sources are sometimes committing crimes like leaking trade secrets or other confidential info.
croes
> Often journalists are not just protecting sources but guiding them or encouraging them.
Source?
FrustratedMonky
So cajoling is a crime?
terminalshort
Thankfully, no. But from reading comments on the internet it seems like "look what you made me do" is considered a valid excuse by a large percentage of so called adults in the US.
ThrowawayTestr
Incitement of violence is a crime
BolexNOLA
> And those sources are sometimes committing crimes like leaking trade secrets or other confidential info
I mean this with all sincerity: So what? What bearing does that have on the journalist and what they are writing?
I am also curious about that claim the other guy asked you about, “Guiding” sources and such.
SilverElfin
I know it directly from first hand experience. And I liken it to jurisprudence on incitement to violence. Is incitement to theft also punishable? Does the motivation being journalism matter? Why or why not?
malcolmgreaves
Journalists provide a valuable public service: publishing the truth. The position you’re advocating for is sullied up as “fuck the truth, bend the knee to the law.” Your opinion is incompatible with a free society.
BolexNOLA
Hold on, who said a journalist was inciting criminal activity? That is a completely different animal. Of course I am not saying that’s fine. That’s not even remotely what I’m talking about.
US federal regulations are full of laws that take something minor or completely legal, and add huge punishments because someone used technology. All the way back in 1952, fraud punishments were worse if someone used a telephone to commit fraud. In 1982 the Computer Fraud and Abuse Act added even more punishment, if someone used a computer.
Fraud is bad, and it should be illegal, but why have different punishments based on what technology someone used?
Laws like this go outside of fraud, and often are clearly unconstitutional, like the Unlawful Internet Gambling Enforcement Act of 2006, which made lawful gambling illegal too, until it was effectively overturned with Murphy v. National Collegiate Athletic Association in 2018.