The CFAA applies here. His right to access the cloud service legally expired the moment he returned the camera. I wouldn't want to see such a prosecution, but there is almost no question that he has technically violated the CFAA by accessing the cloud service after his right to access it was legally terminated.
His access to the account was not legally terminated - it is still his account, it is active, and it's okay to use that account - if he had other linked cameras, that would be the point to use them.
However, the issue is that his account shows data also from a device that isn't his (anymore). He has access to the cloud service, but simply the set of valid devices should be empty, and isn't.
Under the CFAA, the burden isn't on the service provider to block access. They can be as incompetent as they'd like. It's up to the person accessing the service to not exceed their access rights - and in this case he had no access rights.
Simply put, the guy that bought the cameras acquired access rights to the view the camera stream through the cloud service with his purchase. When he returned them, those rights expired. By logging back into the service and viewing the stream from cameras he knew he had returned, he exceeded his access rights.
I really think we need to get them to make a more sensible definition of 'unauthorized access'. I've posted a few times before about how I think we should have defined it -
No, and they never will be because we've decided that a group hug is the only cyber-defense you have a professional obligation to perform.
If you send me a paper investor-relations document with a document ID of 7, I'm not committing a crime by calling your documents department and asking for documents 1-6 and 8. If they give them to me, I now even have a legal right to that copy of the document - such that you can't compel me to return them.
But the USG put Weev in jail for accessing a series of incrementally numbered public URLs. It was theoretically so bad as to warrant jail, and yet so meaningless that they didn't even tell customers about it or reprimand a sysadmin. No security people were fired for incompetence.
So no, there's no technical obligation for the service provider. If the cleaners unplug your servers while cleaning, cyber-attack! If someone scrapes your website, cyber-attack!
To bring the physical world to parity, when banks get robbed we now recommending hanging dream-catchers around to make everyone feel better. /s
If I, as owner of house number 7 on Honest Drive, give you permission to pop in and take a copy of the leaflet I wanted to give you, you don't automatically get a right to wander into houses 1-6 and 8 on the same road. If the doors to those houses aren't locked, it doesn't mean you have permission to enter. There's no requirement for technical barriers on your wandering around, particularly when I give you specific instructions on where to go and get what I have given you permission to get, in order to make explicit your lack of permission to go elsewhere.
Right. But, if I knock on the door of houses 1-6 and 8, and they let me in (or hand me a letter through the post slot), I have permission to enter (or take the information on that letter).
A request to a URL is just that - a request. What level of access a request grants should be the responsibility of the grantor.
Please don't invoke the tired and ridiculous "URL:physical address" metaphor. A moment's thought is all that's required to see how dumb it is, every single time it comes up. In real life, one host sending another host a packet is nothing like physically breaking into a house. Houses have many purposes other than the distribution of leaflets. In fact, those physical entities actually designed to distribute leaflets are much more like internet hosts than houses are. No one ever got thrown in FPMITAP for taking one of each of the hundreds of different tourist brochures at a highway rest stop.
No, because accidentally loading the page at a cached URL that just happens to show you something sensitive takes no intent. Logging into work to delete data to hurt them shows malicious intent.
But in today's legal climate, both people are dirty hackers despite neither actually performing any hacking.
