
Oh, Samsung. I just went through the most insane account recovery process I've ever seen. Tried to register a Samsung account, but my email was already taken. Guess I must have had an account at some point. If you forget your password, you have to provide your name and date of birth to reset it. If you fail to enter the correct details many times, which I somehow did, eventually they will send you the recovery email anyway. When I received it, it was in a language I'd never seen. Then I discovered that it was actually somebody else's account from Indonesia that was using my email address without me ever knowing. So I now have a Samsung account that was someone else's but it was using my email so it was really mine?


I've got a fairly common Gmail address as my primary.

I get all kinds of account sign-ups, and also home purchase paperwork and sheriff's office employment offers, from multiple states.

I used to feel bad, and spent a couple years trying to get in contact and correct whoever used my email.

Now? Fuck em. If you use my email, it's my account. I just deleted "my" Roku account and unsubscribed to the services attached to it (required to delete an account).

Me deleting "your" account is the least-abusive thing I could do if you sign up with my email address.


>Now? Fuck em. If you use my email, it's my account. I just deleted "my" Roku account and unsubscribed to the services attached to it (required to delete an account).

>Me deleting "your" account is the least-abusive thing I could do if you sign up with my email address.

This is illegal, CFAA of 1996.

Them signing up with your email is a mistake, you deliberately modifying data that isn't your own because of that is illegal.


It's not illegal per CFAA, the individual who signed up did not own the email or have a reasonable/any entitlement to it. Above poster deleting the account is accessed through fully legal and intended means by service provider. The law would treat poster's deletion as fraud protection, which arguably it is. That data you claim it's not theirs isn't true.


It is very illegal per CFAA, there is already precedent for this. Here is one such case that is popular in case law curriculum. [0]

https://casetext.com/case/united-states-v-auernheimer-3


Which part of Auernheimer do you think applies here, setting aside the fact it was overturned on appeal for improper venue?


In case law studies it is debated whether or not something that is erroneously made available to you can still be construed as fraud or theft when you take advantage of it.

Think of it like an ATM that suddenly thinks your balance is 5 quadrillion dollars, and you empty it because if their system says you have it, then it's your prerogative to appropriate those funds, according to your assertion. Unfortunately, this is not how the courts have decided this should be handled. In US v Auernheimer the question is whether publicly accessible and sequential (read: guessable) routes being accessed by those they're not intended for is criminal. The improper venue appeal has nothing to do with the essence and spirit of this segment of case law, it means that the suit was brought forward improperly. That act itself was deemed criminal, otherwise Auernheimer would have remained safely in Arkansas rather than absconding to the then-stateless Republic of Abkhazia.

Saying all of this, it is important to me that I communicate to you Ethbr0, that I'm responding objectively and not at all trying to tell you that I feel one way or the other, or that I am judging you as criminal. If that's how this was taken, I wholeheartedly apologize. You are free to do what you want, and you're granted the right to speak freely publicly. To me it doesn't seem like a good idea to say what you said, and I would not act similarly, but I will not judge you for doing what you feel is right.


I'm honestly curious, because my reading of US v Auernheimer was that the majority of the penalties were linked with sharing the records obtained.

Which stands to reason and is in line with my understanding of the CFAA: that circumventing and breaching security is a crime, but the severe penalties kick in when one shares the results of those actions.


Sharing is what is known as an 'enhancement', like committing a crime vs committing it with a gun.


What precedent? You linked a case where the defendant '...began to write a program that he called an “accountslurper” '. Hard disagree with your statements as protecting your identity is nowhere similar to maliciously accessing and manipulating data.


> This is illegal, CFAA of 1996.

I'm not sure it is. The system you are accessing is not the user's, it's the company's. The company let you in with your own email address.

Discord was horrible about this. They kept sending automated emails about someone else's account, because the user signed up with my email address. I told them it wasn't mine and they should make the user fix their email address. Instead, they asked me to confirm I wanted to delete the account. I refused, telling them it wasn't mine. This all happened in Spanish, because the user spoke Spanish, even though my inquiry was originally in English.

So clearly, not all companies care all that much who you are and will freely let you take over other people's accounts.


What should be illegal is companies accepting an email address without verification. My email is my identity. It should be impossible to sign up with an email that you don't have access to.


And email verification has been around forever too! Even obscure forums have it. It's wild to think there's still companies out there allowing account creation without email verification.


Signing up for services using other people's email? Or canceling services attached to your own email?


What is the correct course of action one should take, e.g. if OP now wants to sign up for a Roku account with their own address and now can't?


Make a different address?

Mind you, if Roku doesn't want to do business with you, there's no correct way to trick them into it.


It wouldn’t also fall under CFAA to fraudulently sign up with the wrong email?


Fraud has intent as a component. If it was an honest mistake and no fraud was intended, the sign-up was an error but not a crime.

Same if you were confused by "your" Roku account, so you decide to remove it.



