Take for example the law that forbids causing radio interference:
No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.
Interference seems like a common, non-technical term, but it's unlikely that's the meaning here. Interference has a very technical meaning, as demonstrated by this long Wikipedia article on "radio interference". There are entire books dedicated to this subject. It's a big technical deal; it's unreasonable to think the law means anything else.
This is important when looking at the recent "Marriott WiFi Jamming" case, because Marriott did not cause "radio interference" or "jamming". Instead, what they did was send "deauth" packets. Using a real world analogy, jamming is like a locked door, blocking access against your will. On the other hand, a "deauth packet" is merely a Keep Out sign -- you can choose to ignore it. Indeed, I've configured my WiFi devices to ignore deauth packets, so I would not be affected by Marriott's "jamming".
The debate here isn't really over whether the definition of "interference" is technical or common. Instead, the issue is that the situation is technical. Radio interference is important because it's against your will, and there is nothing you can do to avoid it. The FCC recognizes that deauths are different from "interference". It therefore allows deauth packets in most situations, only singling out Marriott's case as being disallowed by the statute. It's clearly being vague about the term in order to pursue arbitrary and prejudicial enforcement of this statute.
The same thing happens with "authorization" in the CFAA, the anti-hacking law. Authorization is a technical term, yet judges insist juries should use the common meaning of the term, such as in this recent case. This creates an unsolvable ambiguity. The Internet is defined by technical documents that declare what is "authorized" and "not authorized". This is at odds with what an average person might consider "authorized", and it's impossible for a technical person to understand the common meaning.
I have a fantasy that Tim Berners-Lee gets arrested and stands trial. The prosecution argues that his access of a website was unauthorized according to the common meaning. Berners-Lee then counters that it was authorized according to the technical meaning, and cites RFC2616 as proof. RFC2616 is the document Berners-Lee wrote defining the "web". He invented the thing. It's unreasonable to think that a jury should find something "unauthorized" that he clearly labeled as "authorized" when creating the web.
In other words, when you attach a website to the Internet, you implicitly agree to RFC2616. Likewise, when I access the website, I also implicitly agree with this document. The document delineating what "authorization" means creates an implicit agreement between us. It boggles my mind that this document doesn't have the same weight as things like Terms of Service (ToS). This document should be cited at least as often in court cases as ToS documents.
The Weev case hinged partly on whether forging a "User-agent" string allowed "unauthorized" access. Reading the RFC, it's clear that the User-Agent is not an authorization mechanism. Weev would not have perceived it that way. More importantly, the owners of the website would not have seen it that way. Checking for an iPad User-Agent was a way of customizing content for the iPad, not for authorizing iPads. In the broader context, all web browsers forge User-Agent strings. Websites create better content for certain browsers, so browsers lie about their identity so their users get the better content.
The point is that it's impossible for the average person in the jury to tell if forging a User-Agent string is "unauthorized" without referring back to RFC2616 as to what "authorization" means on the web.
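The distinction drawn above between customizing content and authorizing access, as an added example that is not from the original post or from any site it discusses. The handler, the sample user table and the paths are hypothetical: User-Agent only picks a layout, while access to the protected path is decided by the Authorization request header and refused with a 401 plus a WWW-Authenticate challenge.

```python
import base64
import hmac

# Constructed sample credentials and realm, for this example only.
USERS = {"alice": "correct horse"}
REALM = "example"

def pick_template(headers):
    """Content customization: User-Agent only selects which layout to render."""
    ua = headers.get("User-Agent", "")
    return "tablet" if "iPad" in ua else "desktop"

def authenticated_user(headers):
    """Authorization in the HTTP sense: validate the Authorization header (Basic scheme)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None

def handle(path, headers):
    """Return (status, response_headers, body) for one request."""
    template = pick_template(headers)  # never consulted for the access decision
    if path.startswith("/private/"):
        user = authenticated_user(headers)
        if user is None:
            # A 401 response carries a WWW-Authenticate challenge.
            challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
            return 401, challenge, "authentication required"
        return 200, {}, "%s layout, private page for %s" % (template, user)
    return 200, {}, "%s layout, public page" % template
```

Changing the User-Agent in a request to this handler changes the layout and nothing else; the 401 is the only place where the server says a request is not authorized.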
I'm writing this post because of this case where the judge said the following:
The root term, however — “authorization” — is not defined by the statute, and has been the subject of robust debate. One point of agreement is that “without authorization” should be given its “common usage, without any technical or ambiguous meaning.”
The judge is wrong. It's the common usage that is hopelessly ambiguous; the technical meaning is relatively clear. It's the common usage of "authorization" that has led to prejudicial and arbitrary prosecution under the CFAA. It's impossible for a technical person to know what is prohibited by the statute. Moreover, it's really impossible for anybody to know what is prohibited by the statute -- nobody knows whether forging User-Agents is prohibited by the statute without a technical discussion.