Readit NewsA choice quote:
> In recognizing that the CFAA is best understood as an anti-intrusion statute and not as a “misappropriation statute,” Nosal I, 676 F.3d at 857–58, we rejected the contract-based interpretation of the CFAA’s “without authorization” provision adopted by some of our sister circuits. Compare Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016), cert. denied, 138 S. Ct. 313 (2017) (“[A] violation of the terms of use of a website—without more— cannot establish liability under the CFAA.”); Nosal I, 676 F.3d at 862 (“We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty.”), with EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583–84 (1st Cir. 2001) (holding that violations of a confidentiality agreement or other contractual restraints could give rise to a claim for unauthorized access under the CFAA); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010) (holding that a defendant “exceeds authorized access” when violating policies governing authorized use of databases).
And:
> As one prominent commentator has put it, “an authentication requirement, such as a password gate, is needed to create the necessary barrier that divides open spaces from closed spaces on the Web.” Orin S. Kerr, Norms of Computer Trespass, 116 Colum. L. Rev. 1143, 1161 (2016). Moreover, elsewhere in the statute, password fraud is cited as a means by which a computer may be accessed without authorization, see 18 U.S.C. § 1030(a)(6),12 bolstering the idea that authorization is only required for password-protected sites or sites that otherwise prevent the general public from viewing the information.
My layman's (IANAL) interpretation of preliminary injunctions are that the case is far from over, and this could be overturned at any time as more deliberation is done (assuming LinkedIn wants to keep throwing money at that relatively slim possibility). But now this research has been done, and future courts have the ability to look to these references and lines of reasoning all in one place.
EDIT: https://twitter.com/OrinKerr/status/1171116153948626944?ref_... is an analysis by the law professor cited above:
> BIG NEWS: 9th Circuit holds that scraping a public website likely does not violate the CFAA, even after website owner prohibits with a cease-and-desist letter; language strongly suggests CFAA only applies to bypassing authentication. Blog post up soon. http://cdn.ca9.uscourts.gov/datastore/opinions/2019/09/09/17... #N
The post is now here:
https://reason.com/2019/09/09/scraping-a-public-website-does...
ust commented on Ask HN: How are you implementing GDPR-compliant soft deletes? · Posted by u/xstartup
It is quite well possible their company does not need a DPO. But given the nature of the question there is some evidence they do, besides that hiring a DPO is not something done in isolation but most likely as as the result of a GDPR impact study done in ... 2017 or so, which I'm going to again guess was not in the cards for many companies.
So, in summary: likely the vast majority of the companies affected is only now starting to wake up to the fact that they are affected, for quite a few of these companies the effects will be relatively benign unless their servers are compromised, for the more serious offender and the larger companies that have not yet started to address these issues it is likely too late to get anything done in time but since this goes for the vast majority of them they are simply playing a complicated game of Russian roulette with the oversight bodies and a couple of them will undoubtedly get lucky to great relief of the remainder.
Data protection authorities tend to be vastly understaffed, but this too will hopefully change in the future.
Yeah, I agree with everything you said.
It would be interesting to know whether the big companies have addressed (at least partially) their GDPR compliance. Maybe they do just "play Russian roulette" like you said, and hope for the best.. Of course, implementation guidelines are not yet fully defined (like WP29 opinions, some of them will change, even then, those opinions are not legally binding).
ust commented on Ask HN: How are you implementing GDPR-compliant soft deletes? · Posted by u/xstartup
I'm going to go out on a limb here and guess that 99% of the companies out there affected by the GDPR and the OP in particular do not have a DPO (yet), and may not realize they need one, and even if they do know that then they likely won't be able to fill the seat either in time or with someone competent.
Every year we look at quite a few companies, this is the first year that I've spotted a DPO in the wild, and impressively, they even knew their stuff.
Not every company needs a DPO though, e.g. check here:
https://www.eugdpr.org/key-changes.html
Maybe his company doesn't need one. Of course, whether he has a DPO or not, still the question remains of how to "properly" delete the personal data.
https://www.lawfareblog.com/tiktok-and-law-primer-case-you-n...
In short, a president has substantial powers (granted by Congress via IEEPA and CFIUS) to institute a ban or force a divestment of any company "engaged in interstate commerce in the United States", if "national emergency" or "national security" is involved. So, legally, it seems that president can ban TikTok, under certain conditions (that may not be so difficult to achieve). The link above only explains the current legal framework, not whether banning the TikTok is in itself a good or a bad thing. IANAL, so I can't judge the competence of the presented arguments, but it is written by a respected law professor.