I guess what I'm saying is that if your job is security and you fail at security, and because of your failure at security a former employee is able to do some damage, he or she is of course guilty of whatever crime.
But the amount of money that you spent to clean up the mess because you failed at your job initially, that doesn't matter and shouldn't influence the trial. The crime is a crime no matter how large or small the damage.
Consider a warehouse guarded by a night watchman, but sometimes he takes a smoke break (hence, failing to do his job). Some vandal comes by and tags the building with graffiti. Later, some other vandal comes by and burns the place to the ground. You think both vandals deserve equal treatment?
One is vandalism, the other is arson, destruction of property, and probably a bunch of additional crimes. They should be handled differently because they're different crimes.
The point is that two people who vandalize should be treated equally even if one vandalizes a poor person's house and the other vandalizes a rich person's house. The exact dollar amount of the vandalism shouldn't matter because either way we've all agreed by way of the law that vandalism is wrong.
Yes of course, and within vandalism there probably are different fines or sentences depending on just how much property you damage. But if you're going to label "anything where some property is damaged" as vandalism then 9/11 was vandalism, right?
You also neglected to address arson and the idea that a whole building burned down. I don't think any part of the justice system would seriously suggest that destroying a building and spray painting a building are the same. I don't think they'd be investigated the same, charged the same, etc.
The problem here is that the CFAA has definitions and those definitions are what determine what the crime is. So yes someone breaking into your Facebook account and posting a "turns out I'm gay everyone!" comment is -- again according to a strict reading of the law -- just as bad as someone breaking into VISA and forcing them to re-issue all the credit cards in the country. That's because the law doesn't distinguish damages or anything like that. In part that's because in reality you don't do any actual damage, you just cause people to have to take action to mitigate that your specific knowledge causes problems with their security.
This makes sense too, if you break into a bank it might be reasonable to attempt to force you to pay for the repairs to the vault door, but it would not be reasonable to force you to compensate the bank's shareholders for the loss of goodwill (and share price!) they suffer because the bank's security wasn't able to keep you out.
The CFAA makes knowing, purposeful access to computer systems you don't have permission to use a crime, and a felony when that access is used to attempt to perpetrate additional crimes. It's a simple statute.
There are two common arguments against CFAA.
The first is that it shouldn't be a felony to access computer systems without authorization. The logic goes: if you use access to a computer system to perpetrate a fraud, charge fraud. If theft, charge theft.
A variant of this argument suggests that maybe "serious hacking" should be a felony, but things like reusing an old password, or guessing the URL after the login screen, those things shouldn't be felonious.
These arguments are problematic. For instance, in cases where the offender has used their unauthorized access solely to cause economic harm to someone else, there may not be a better crime to charge. The vandalism statutes weren't designed for offenses that can easily rack up tens of thousands of dollars. There's also the basic issue of trespass and violation of property rights. And, of course, civil remedies to these problems have their own problems, prominent among them the fact that all the burden for collecting those remedies falls on the victim, who under civil law receives no assistance from the rest of society.
The second set of arguments against CFAA is that the sentences are draconian. This argument seems much more straightforward. A particular problem with CFAA is that the sentence scales with damage, but damage can trivially scale with the induction variable of a program's loop; it does not seem intuitively just that typing an extra '0' into a single program can ratchet your sentence by years.
A variant of this argument suggests that damages are also inflated by victims and prosecutors. This is likely very true, but it's less meaningful in this case than in others, because even the most charitable view of the offenses charged suggests he did more than 15k of damages, and is facing a multi-year sentence.
I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage. That wouldn't much help Keys, though, who is convicted of deliberately trying to maximize the harm to Tribune Corporation.
I would also be in favor of factoring in "what kind of precautions did you take?" to the whole thing, though I have no idea how you could practically do that.
But I do think that most reasonable people would agree that finding someone's browser still logged in to Facebook and making a joke (whatever kind of joke that is) is substantially less bad than cracking the person's password.
Just the same as there are "breaking" and "entering" for forcing your way into someone's home (versus just "entering" if the door or window is unlocked) the severity of the computer crime is in proportion to how hard the people who owned the computer were trying to keep it under their control.
Don't have any kind of access control for your computer at all? Sorry, we're statutorily limited to the lesser charges. Fix your security and if this happens again we can nail them!
EDIT:
So if you say that the X axis is the amount of effort that the entity expends to keep the system secure, then the Y axis is the maximum intent that can be inferred, and your function is something that you think is reasonable like say y=x.
In other words, if a company makes no serious effort to secure their systems or control access, no malicious intent can be inferred from someone "accessing without authorization", whereas someone who has to Mission Impossible-style break into your facility says a lot about their level of malicious intent.
I don't think you're right about breaking into people's houses. Breaking a locked window and opening an unlocked window probably doesn't net you a different charge at all.
There are various definitions, here's one that I read that bolstered my claim but there are others that don't; "force" can mean as little as pushing an already open door open further.