You are right in spirit but wrong, I think, in the specifics. In spirit: yes, knowingly exceeding your authorized access to a system in order to obtain a personal benefit is a federal crime, described by the CFAA, and I'm pretty sure the TOS on the site does not need to be ironclad to give that force. But in the specifics:
(i) Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?
(ii) Did they have an intent to defraud? (This is the key issue and the point I believe you were making)
(iii) Did the actual computer access materially advance their fraudulent scheme? (You can't drag computers into any given fraud case to make it federal)
(iv) Did they obtain anything of value?
So far so bad: the answers to all four questions are "yes".
But: when the object of the fraud is access to the computer system itself --- that is, when the "thing of value" is "use of the computer system in question", there's a fifth test:
(v) Was the total value of the computer usage greater than $5000?
Nope.
Very important to note here though: regardless of the fact that it is vanishingly unlikely that a CFAA case would be brought here, and even less likely that the prosecution would prevail, if by committing this particular little fraud and then bragging about it on the Internet this blog post cost the operators of the service a huge amount of money to strengthen defenses or investigate system usage, the blogger has opened themselves up to a very painful civil case.
Yep, but even if you can't get them for "use of the system", which was legislatively to avoid having "any instruction you cause to operate on a computer 'uses' the computer, therefore this would otherwise criminalize any use of a computer not explicitly OKed in advance if we don't narrow that scope to commercially significant uses", you'd still be able to get them on a) retrieving any information from the computer system (not limited by value of information retrieved -- see a.2.C) or b) causing any "damage and loss" to the owner of the computer system (and theft-of-service-by-fraud will trivially satisfy that -- see a.5.C).
I'm working not from the CFAA itself, but from the US criminal model jury instructions for CFAA cases, which capture a superset of the information in the actual law.
> Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?
The answer to that one is "no". He had authorization to both pages. Unless we're going to interpret that authorization was given to each device and not the person.
You're suggesting that the defendant in this case either didn't know the difference between a phone and a computer, or had a reasonable belief that despite the obvious language on those pages, the provider did not care whether he was using a phone or a computer.
Playing devil's advocate: it seems to me that a laptop is a mobile device.
Further playing devil's advocate: it seems that the system is not so much that the provider cared about whether it was a phone or computer (I bet a galaxy tablet would get the mobile price... and I can use just as much data on that as on a laptop without trying very hard at all), but whether they were using a browser with a mobile user-agent string. They offered a discount for having the right user-agent string, and being willing to browse the mobile version of Gogo's landing page.
Questions this raises: what if my phone browser was not on their list of mobile browser agent strings? Say it was just a custom webkit thing I built? Or a firefox compiled for a tablet? Would I be defrauding by making my user-agent work for my mobile device? What if I had been working with a mobile browser compiled for my laptop, as I was just browsing with it, but not using my phone, so I could get a feel for various quirks it would introduce over a non-mobile browser, in an easy to side-by-side way on my nice big laptop monitor?
Critically: the prosecution of a fraud case must prove beyond a reasonable doubt that the accused acted with the intent to deceive another party in order to gain something of value.
Still playing devil's advocate: If there was a discount based on user-agent string, and that is settable in most browsers, how is taking advantage of a feature "intent to deceive" over "meeting the conditions of the discount"? There is really nothing stating that the mobile agent string must actually come from a mobile device.
By analogy, a few years ago, many mobile banking sites worked just fine with Firefox, but those users were denied access because it was an "IE only" site. Does changing the user agent to IE to gain access to the bank site then also constitute fraud? Web/internet banking is something of value.
Does the offer clearly say there's one price for using the Internet from your phone, and another price for using the Internet from your computer?
Then what are we arguing about? The way they enforce that restriction is relevant only to the extent that someone could accidentally violate it. You can't accidentally commit fraud.
This actually goes back to my original devil's advocate point: the screen caps don't show anything suggesting "phone only". One is called gogo mobile, the other gogo.
As I said, a laptop is arguably a mobile device. Further, there is nothing there that states it is for a mobile device, just that it is the mobile page. It doesn't say "for phone users only".
As for my analogous situation: My bank said I could only sign in through IE to access my web banking. Does this mean I committed fraud to access via a Firefox with changed agent string? I used that log in to transfer money to my debit card account and get some cash. Definitely a deceit with value. (Note, the account was in fact mine).
No, because you had no intent to deceive and obtained no undue value from your bank. The bank in no way made it clear that they were requiring you to use IE as a term of service; the IE system requirement is for compatibility, and that's how reasonable people understand it.
On the other hand, when you see $7.99 for phone service and $25.99 for computer service, it's clear to a reasonable person what the intent of that price difference is: the company wants to charge more to computer users.
As for the clearness or not-clearness of the message: there's a lot of reasons why I think this case isn't going to the Supreme Court. If you want to suggest that the clarity of the pricing message is one of those reasons, I'm not going to disagree too strongly --- though I do disagree.
2 things: first of all, the "you need to use IE, to use this website, your browser is unsupported" message is in fact much clearer on the bank site than the subtle difference in name for "mobile", an ambiguous term at best. I don't understand why one case of user string subversion is different than another, even if the clearness of terms is equal.
Second, what is the real line between, say, a MacBook Air or other keyboarded computer and an iPad or Galaxy tablet or Kindle Fire or... they all run operating systems that let me use more or less the same software and access the same network resources.
The combination is really the difficult part for me, given I can do the same things - look at the same sites, get the same utility, and otherwise use the same bandwidth in both cases, particularly when usb tethering is a real option giving me the same deal but now without the act you are calling fraud, how is it even reasonable to think that the "mobile" case is other than a discount for some magic words?
Reasonable people all understand that the reason why an ISP would offer a lower rate to phone users is the anticipation that either phone users would use the service less, or that users who have only phones and not computers are less interested in paying a premium for Internet access.
> Does the offer clearly say there's one price for using the Internet from your phone, and another price for using the Internet from your computer?
<devil's advocate>
Well, in this case: No. The plan seen on the phone is simply labeled as "GoGo Mobile Pass". The plan seen on the laptop is labeled "GoGo Flight Pass". They do not clearly list any examples of what devices they think should be "mobile". It is not unreasonable to make the assertion that a laptop is a mobile device. Not recognizing the laptop as a mobile device sounds like a bug. This guy was able to find a work around for that bug.
</devil's advocate>
I'm not saying there's not a case for fraud, but the answer is resoundingly NO to this question: (i) Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?
It's a public facing website. He has authorization to access it. I don't see any other viable interpretation.
My reading: he purchased authorization to use the system from a phone. He instead used the system from a computer, without authorization for doing that.
Whether or not Gogo should price discriminate like that, it seems clear that they want more money in exchange for authorizing use from a laptop.
Again, this branch was to the specific question referenced by tptacek:
(i) Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?
My beef is with GoGo's price difference in the first place.
I'm not seeing why you think the answer is "no," then.
(a) Knowingly? The blog post (and the changing and then changing-back of the UA) makes this clear. (Though if he had happened to inadvertently have his UA set to mobile beforehand, maybe to test something the day before, and never even saw the other screen... but once he saw it, and consciously decided to get around the higher price, it hits the "knowingly" requirement.)
(b) "Access a system used by the federal government, a financial institution, or a system used in interstate commerce"? The Gogo system seems pretty clearly an interstate commerce system to me, what with the whole used-across-the-country thing and the charging-for-access part.
(c) Without authorization? He specifically notes that he saw they charged different prices for different devices and purchased the option for a device that was not the type he was using. So he did not purchase authorization to use it from a laptop.
As to (c) I was reading "system" as the two signup pages, not the overall wifi system. Still, unless there's a difference between the mobile and laptop services, they're the same product regardless of type of device used to access the system, and you're paying for the service.
It would be like an all you can eat restaurant charging extra if you were over certain weight/height thresholds.
Well... most buffets I've been to have a reduced price for children since they are typically going to eat less. But it is hard to make good analogies between physical/virtual things.
True, those analogies are very hard to make, as evidenced by the media piracy debate and "you wouldn't download a car, would you?"
I think the majority of my vitriol comes because it's an asinine way to split up service based on what we're assuming is bandwidth concerns. If they want a tiered service, then put in a tiered rate structure. The "laptop" rate gets you 300kbps, the "mobile" gets you 100kbps. Simple.
You're confusing Gogo's website with Gogo's WiFi network. It's not too hard to argue that he had authorization to access Gogo's WiFi network from a phone, but not from a laptop.
I believe that any reasonable person viewing those offerings would understand that the cheaper price was for phone Internet, and the more expensive price was for computer Internet. I also believe that the author of this post made it completely clear that they were getting one over on the ISP, which does not at all help their case.
That's about as far as I'd like to go with this particular branch of the discussion, if that's OK with you.
That's fine with me. You've shifted the argument back to the overall case and refused to address my specific concern about the answer to question (i), so I'm just going to declare myself the winner of this branch, if that's OK with you.