> The question of whether a hashed password “permits access” to an online account is a complex question that has not been fully addressed from a legal standpoint.
Isn't this already answered by existing law? Wasn't Kevin Mitnick already charged and prosecuted with laws that would cover unauthorized access? Obviously if you have a hashed password and it's not your password and you're trying to access an account that isn't yours then I'm sure that qualifies as unauthorized access. What am I missing here?
It sounds like there is an argument being put forth to make hashed/salted passes PII for, I can only guess, the sole purpose of litigation against businesses for being hacked. Otherwise, does anyone think hackers care about PII?
I can understand prosecuting for security lapses that are related to a data breach. But within reason. You're getting close to charging the victim for the crime here.
I know it's fashionable to argue against storing any PII here on HN. But that's not reasonable for our society. Because, much like salting+hashing, when you're implementing security measure X, all the future hacker has to do is X+1 to breach the wall. This game will never end. If we go down this route, you know what's going to happen? Only Amazon and Google and Facebook can control your PII. With CCPA and GDPR you're already seeing how this plays out. The businesses with deep pockets win. They can afford to deal with the legal realities of doing business all day long. There is an entire cottage industry that popped up just to put those stupid cookie banners on websites now. Does anyone really want to live in a world where Google gets to dictate if your business can exist, and Amazon constantly stepping on your neck and demanding rent?
CCPA/GDPR are basically laws that punish the entire world for the sins of three or four monopolies.