Comment by digitaltrees 9 hours ago
Its not a hack to copy and paste text that is part of the document data. The incompetence of the people responsible to comply with the law doesnt mean its reasonable to label something a hack.
Please change the title.
If I open your laptop and guess your password then that counts as hacking you in both legal and security terms
You don't need to do some sophisticated thing for it to be considered hacking
I’m not an attorney or anything, but the relevant federal statute is explicitly about unauthorized access of computer systems (18 USC 1030).
Opening someone else’s laptop and guessing the password would absolutely fall under that definition, but I think it’s very much questionable if poking around a document that you have legitimately obtained would do so.
Placing a black box on the text isn’t a redaction any more than placing a sticky note would be. No reasonable person can expect a sticky note to permanently prevent readers from seeing text and no reasonable person can expect a black overlay box in pdf to prevent reading text because this is literally a fundamental feature of pdfs as a layer format file
If someone sends me a document with text in it that they meant to remove but didn't and then I read that text, I haven't hacked anything they're just incompetent.
Hacking is unauthorised use of a system. Reading a document that was not adequately redacted can hardly be considered hacking.
Or in case some folks find the addition of a computer confusing here, if someone sends you a physical letter and they've used correction tape or a black marker to obscure some parts of the letter, and you scratch away the correction tape or hold the letter up to a light source to read what's underneath, have you committed a crime?
I'm not a lawyer, so I don't know what the law has to say about this. But I do have at least a small handful of brain cells to rub together, so I know what the law _should_ say about this.
Precisely. If someone wants me to sign a contract on acceptable use of resources (like an agreement not to reverse engineer their software) they send me then that's another thing.
Absent that excluding other default protections like copyright, what I do with it should fall under the assumption of "basically anything".
If this were prior to 2021, I would say the CFAA could be violated so long as the property owner's _intentions_ were for that information to only be accessible to certain users. But I think the CFAA has been sufficiently reduced in scope after Van Buren v United States [0]
[0] https://en.wikipedia.org/wiki/Van_Buren_v._United_States
Hacking is not just authorised use of a system. Hacking and hacking techniques can apply to systems you fully own or systems which you are authorised to hack. Hacking is using something in a way that the designer didn’t anticipate or intend on.
Adobe designed pdf to behave this way. Placing layers over text doesn’t remove the text from the file. They have a specific redaction feature for that purpose.
You guessing my password is not the same as a know and expected behavior of a program. Adobe has a specific feature to redact. PDF is a format known to have layers. Lawyers are trained on day one not to make this mistake. (I am a recovering lawyer). This is either incompetence or deliberate disclosure.
Hacking is any use of a technology in a way that it wasn’t intended. The redaction is so stupid as to almost appear intentional, so maybe you’re right, this isn’t hacking because maybe the information was intended to be discovered.
> limit/lack of authorization
By serving up the PDF file I am being authorized to receive, view, process, etc etc the entire contents. Not just some limited subset. If I wasn't authorized to receive some portion of the file then that needed to be withheld to begin with.
That's entirely different from gaining unauthorized entry to a system and copying out files that were never publicly available to begin with.
To put it simply, I am not responsible for the other party's incompetence.
For starts, wouldn't it be kind of ironic to set up limits and authorization in a context that is about making some content available to the public?
I'd say any technical or legal restrictions or possible means to enforce DRM ought to be disabled or absent from the media format used when disseminating content that must be disclosed.
Censorship (of necessary) should purge the data entirely,ie: replace by ###
That's not true, you can mistakenly receive data you're not authorized to have (might even be criminal to have!)
> That's entirely different from gaining unauthorized entry to a system and copying out files that were never publicly available to begin with.
That's not the sum total of hacks, if you have publicly accessible password-protected PDF and guess the password as 1234, that's a hack. Copy& paste of black boxes is similarly a hack around content protection
> To put it simply, I am not responsible for the other party's incompetence.
To put it even simpler, this conversation is not about you and your responsibility, but about the different meanings of the word "hack "
> you can mistakenly receive data you're not authorized to have (might even be criminal to have!)
Not the layman, at least to the best of my knowledge.
Yes, certain licensed professionals can be subject to legal obligations in very specific situations. But in general, if you screw up and mail something to me (electronic or otherwise) then that is on you. I am not responsible for your actions.
> if you have publicly accessible password-protected PDF and guess the password as 1234, that's a hack
Sure, I'll agree that the software to break the DRM qualifies as a hack (in the technical work sense). It also might (or might not) rise to the level of "lack of legal authorization". I don't think it should, but the state of laws surrounding DRM make it clear that one probably wouldn't go in my favor.
However that isn't what (I understood) us to be talking about - ie legal authorization as it relates to black box redaction and similar fatally flawed approaches that leave the plain text data directly accessible (and thus my access plainly facilitated by the sender, if inadvertently).
> this conversation is not about ...
You are the only one using the term "hack" here. Please note that I had responded to your "limit/lack of authorization" phrasing. Nothing more.
That said, while we're on the topic I'll note the ambiguity of the term "hack" in this context. Illegal access versus clever but otherwise mundane bit of code (no laws violated). You seem to be failing to clearly differentiate.
It’s not a hack. It’s known, expected behavior of the program. Adobe has a specific feature to redact. Color filled boxes is not it.
A dictionary definition: "use a computer to gain unauthorized access to data in a system."
This isn't about knowledge or expectations. They didn't use colored boxes to jazz up the presentation, they _intended_ to prevent you from reading it, and now you can, with this, again incredibly _lame_ almost meaningless even-my-five-year-old-could-do this "hack."
Not the only thing hack means now, or the most common usage anymore. See "life hack" - it means unexpected technique.
But this isn’t an unexpected technique it’s literally the core design of the pdf format. It’s a layered format that preserves the layers on any machine. Adobe has a redaction feature to overcome the default behavior that each layer can be accessed even if there is a top layer in front.
>Please change the title.
HN discourages editorializing headlines.
While I wouldn't call it a "hack," common usage even here on HN isn't limited to "to gain illegal access to (a computer network, system, etc.)" [0]
[0] https://www.merriam-webster.com/dictionary/hack