Why aren't these vendors being prosecuted under the "exceeds authorized access" provisions of the Computer Fraud and Abuse Act? There's no EULA to protect the vendor.
FWIW the equivalent in the UK the Computer Misuse Act 1990 has been amended (by the Police and Justice Act 2006, [1]) to include a Section 3A that in part says:
>"(2)A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." (UK Police Act 2006) //
Sections 1 and 3 [2] refer to unauthorised access and the same but with intent to cause damage ("impair").
Arguably the inclusion of a backdoor without authorisation of a customer impairs the device and so it would already breach Section 3, but the new amendments mean that just making it where there's likelihood that it will be used nefariously is a crime. A backdoor is intended for unauthorised access and is certainly likely to be used that way IMO.
This amendment is a step too far IMO but it appears to apply here to router manufacturers (and anyone else including backdoors in consumer goods without notifying the user).
tl;dr actual commission of an actus reus isn't required in the UK just supplying to someone who has a "likelihood" of committing an act is enough.
Agreed. If we're going to have laws like the CFAA they should be applied equally, rather than assuming that "mere consumers" don't have any data to protect.
