-5

This is a follow up on a previous question.

Using Stack Exchange as an example, moderators should be able to destroy the site within minutes by automated means. There is no meaningful terms of service.

I am not talking about the site intentionally deleting itself as a policy, as Stack Exchange has no policies or rules that would stand in a court room. Just saying if one of the moderators — there are hundreds of them — or not even a moderator, just an individual user who hacked the site — did this, there's nothing in the terms of service saying "you're not allowed to destroy our site." Again, it doesn't have to be a moderator, it could be an individual user, or anyone. There is nothing in the terms of service saying you will go to federal jail for destroying Stack Exchange.

Does this make it illegal? Even if it is illegal, how many mods, or just one, can just run an automated script in Java AWT and destroy the site in seconds or minutes?

7
  • 2
    StackExchange does have an Acceptable Use policy and moderators are bound by an additional Moderator Agreement. A breach of such terms/policies/agreement is not necessarily illegal, but the kinds of actions you've outlined might run afoul of anti-hacking laws, e.g. the CFAA.
    – amon
    Commented Apr 30, 2022 at 17:00
  • 2
    At a technical level, it's unlikely that moderators could "destroy" the site in any permanent fashion. If it was designed by anyone with a shred of sense, it will be possible for the SE sysadmins to very quickly block the account of a misbehaving moderator and roll back all their changes. It would be a temporary disruption at most.
    Commented Apr 30, 2022 at 17:06
  • 1
    The only people who have the necessary access to utterly destroy the site are people who have read/write access to the whole server backend in some way or another. That is a part of the architecture you are not even seeing, but that is responsible for the whole site working at all. Deleting files there would result in the site not showing up at all, or questions vanishing into Nirvana as their corresponding database entries are removed. Yes, you are looking technically at a very nice-to-see UI for a database that is generated by at least half a dozen layers of protocols and files.
    – Trish
    Commented Apr 30, 2022 at 17:49
  • 1
    As was said in answer to your previous question: law.stackexchange.com/questions/79729/… ""site policies" need not be contained in a single document such as a "TOS" or "Policies" document. Whatever a site operator chooses to announce as site policy is policy...Such a site could have a separate agreement with moderators, not displayed to the general public" as I gather SE does. But the criminal law depends on positive grants of authority, not the presence or absence of prohibitions. No grant means unauthorized.
    Commented Apr 30, 2022 at 18:03
  • 1
    @Historian That doesn't matter.
    – Trish
    Commented Apr 30, 2022 at 19:30

2 Answers

4

Yes, it's illegal.

18 USC 1030 (a) (5) (A)

[Whoever] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [shall be punished as provided in subsection (c) of this section].

"Damage" is defined at (e)(8) to mean "any impairment to the integrity or availability of data, a program, a system, or information". Your proposed attack would certainly cause impairment to the availability of the Stack Exchange system and the data and information which it hosts.

Whatever else you may think about the Stack Exchange terms of service, they certainly do not authorize any user or moderator to "destroy the site" in any sense such as you describe. It's not necessary for the TOS to explicitly say "you may not do X"; it's enough that they don't say that you may do it. To use a firewall analogy, it's "default deny".

"Protected computer" is defined in (e)(2) to mean, essentially, any computer that is used in or affects interstate commerce. Which means practically every computer that has ever accessed the Internet, and certainly includes Stack Exchange servers.

So your proposed attack would include all the elements of a violation of this section. Such a violation is punishable by up to five years' imprisonment if it causes a loss of more than $5000 (see (4)(A)(i)(I)), which if such an attack were successful, it certainly would. Greater penalties are possible in certain circumstances. Even if the loss does not exceed $5000, or if the attack is merely attempted but without success, it is still punishable by one year imprisonment or a fine ((4)(G)(i)).

There is nothing in the terms of service saying you will go to federal jail for destroying stack exchange.

Irrelevant. It is not up to Stack Exchange Inc. or its TOS to determine who does or doesn't go to federal prison. Rather, it is up to Congress to determine what conduct deserves such punishment (as they did in 1984 by enacting this law), up to federal law enforcement and prosecutors to investigate and make a case against an alleged violator, and up to the federal courts to determine if the accused is guilty and how they should be punished.

4
  • Who says this site is worth more than $5000?
    – D J Sims
    Commented Apr 30, 2022 at 19:16
  • 1
    @Historian: Dun and Bradstreet estimates Stack Exchange has sales of about $21 million per year. Prorating that, if the attack causes at least 2 hours of downtime, then Stack Exchange incurs losses of over $5000.
    Commented Apr 30, 2022 at 22:09
  • That looks like an automated appraisal.
    – D J Sims
    Commented May 1, 2022 at 0:57
  • @John D In any case "loss" under the CFAA refers to the costs of repairing the damage to a computer or system, and has nothing to do with lost income or economic value. Similarly "damage" refers to impairment of functioning of a protected computer, or unavailability of data, and has nothing to do with economic value. See subsections (e)(8) and (e)(11) of the CFAA.
    Commented May 5, 2022 at 16:24

3

The relevant US statute is The Computer Fraud and Abuse Act of 1986 (CFAA), which has been codified at 18 U.S. Code § 1030.

Section 1030 prohibits unauthorized access to a "protected computer" under any of several conditions, and also prohibits unauthorized obtaining of information from a "protected computer".

Section 1030 (e)(2) defines "protected computer". The relevant part, (e)(2)(B), defines this as meaning a computer

(e) (2) (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States

That would surely include the computers which host Stack Exchange.

The offenses relevant to this question would be subsections (a)(5)(A), (a)(5)(B), and (a)(5)(C) which make it a crime for anyone to:

  • [(a)(5)(A)] knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

  • [(a)(5)(B)] intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;

  • [(a)(5)(C)] intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

At least one of these subsections would apply to any of the scenarios suggested in the question, or any similar scenario. In all such cases the person or persons would be acting without authorization, or in excess of any authorization such persons had (as no one has authorization to destroy the site), and such actions would cause damage and loss.

Subsection (c) provides the relevant penalties:

(c) The punishment for an offense under subsection (a) or (b) of this section is—

...

(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

(3)(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

So such conduct would be punishable by imprisonment for up to 5 years, or up to 10 years for a repeat offender, as well as by a fine.

State laws might impose additional criminal liability.

In addition to criminal prosecution, section 1030 provides a right of private action under subsection (g) which provides:

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in subclauses [5] (I), (II), (III), (IV), or (V) of subsection (c)(4)(A)(i). Damages for a violation involving only conduct described in subsection (c)(4)(A)(i)(I) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

Note that nothing in 18 USC § 1030 depends upon any "Terms of Service" document. The code section does depend on "authorization". Subsection (e)(6) provides that:

(6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

Subsection (e)(8) defines "damage", and (e)(11) defines "loss":

(8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;

...

(11) the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;

In addition, although I know nothing specific about the internal design of Stack Exchange, I would be astounded to learn that it does not include a robust backup system, so the idea that a rogue moderator or hacker could "destroy the site" so that it could not be put fully back online in a fairly short period of time is implausible at best.

I suspect that the SE servers also include code that will detect and stop or pause widespread unauthorized deletion, but that is just a guess.

In any case, neither backups nor internal protections depend on any provision in any TOS document. Nor do the various criminal statutes.

2
  • But in order for that to happen, there has to be damages. It's not demonstrated stack exchange has any economic value, you can destroy the entire site and cause $0 damage.
    – D J Sims
    Commented May 1, 2022 at 0:58
  • 1
    @Historian Note the definition of "damage" in 1030(e)(8) and of "loss" in 1030(e)(11) quoted in my answer. There is no need to prove economic value. Merely proving costs to restore functionality is enough for a court to award damages for a hacking incident which caused loss and damage as defined in 1030(e). However, as SE is owned by a profit-making company who pay many full-time employees there is pretty good evidence that it does have economic value. By the way, what do you mean by "that"? A civil suit? If so, you are mistaken. "other equitable relief." can include punitive damages.
    Commented May 1, 2022 at 4:42
