
Changing your MAC address is not, by itself, illegal. But the path from there to a felony is easy to cross.

Suppose that you have an ISP that only allows you to connect one device to their modem. (This used to be very common.) Suppose that you want to connect a different device. (Again a common desire.) Suppose that you spoof the MAC address of the original device so that you can connect. (This use case is a big part of why consumer electronics added the ability to spoof MAC addresses.)

Under federal law, you've now committed a felony for which you can serve jail time. Your access to your ISP's network is unauthorized.

Let me make this personal. This is not a random use case. I have done this. If anyone had cared, I could be charged with a felony. I could serve jail time, for accessing a network that I paid for in a way that I thought was pretty fair. (My "crime" being that I wanted to attach a wireless modem to the network so that I didn't have to have a wire connecting my laptop while I was using it. OK, I was bad, my wife and I could both use computers at the same time.) I didn't think I was doing anything wrong. It was a pretty common act. It was still a felony.

So no, randomizing your MAC address is not illegal. But the line between legal and a felony here is awfully easy to cross.



The situation you describe is almost certainly not a crime under the prevailing interpretation of the CFAA.[1] (Although I do grant that your theory could potentially be correct, which is part of the reason it's such a bad law.[2])

The CFAA criminalizes "unauthorized access" and "exceeding authorized access."

The unauthorized access provision applies to various means of hacking into a computer. The exceeding authorized access provision applies (in general) to company and government insiders. "The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6)[3]

Your contract with your ISP gives you access to the network. By spoofing a device, you would breach your agreement with the ISP, but you would not be obtaining or altering information that you are not already entitled to under your agreement with the ISP as an authorized user.

In sum, for an authorized user to commit a crime, he must break through the access level he was granted by his authorization and reach information that was effectively closed-off to him.

1. http://en.wikipedia.org/wiki/Lori_Drew#Guilty_verdict_set_as...

2. http://itlaw.wikia.com/wiki/EF_Cultural_Travel_v._Explorica (One of the most inane cases I've ever read.)

3. http://www.law.cornell.edu/uscode/text/18/1030


That is comforting to learn. I was relying on my understanding of Orin's analysis of the law. I should have put bigger disclaimers on it.

That said, "prevailing interpretations" can shift, and can vary by jurisdiction. Thus if someone living in Boston did what I described, and was sued by Ortiz, it is not guaranteed that a Massachusetts judge would decide the case on the same principles.


I'm not convinced even then you've committed a felony. Your access to the cable network, assuming your bills are paid up, is authorized. They'd have to demonstrate that your decision to change your router's MAC was intended to defraud them.

Setting up four different laptops all with the same MAC, so that either you or your three neighbors could share the connection, is probably closer to the kind of thing that would land you in jail.


Existing precedent says that my access to the cable network is only authorized if I am within their terms of service. The terms of service said "one device" and explicitly said I couldn't plug a router in.

I used that network from more than one device, and plugged a router in. I was therefore accessing the cable network in a way that was not authorized. Furthermore I intentionally changed the MAC address on my router so that I could circumvent their control mechanism that was intended to make sure that I followed their terms of use. There is no question that I did this in full knowledge of the fact that, according to the owner of that network, I was not allowed to do that. Among other things that I did with that network connection, I gained access to online collections of software, including CPAN and Debian repositories.

I therefore used unauthorized access to a computer to obtain information. When valued in accord with the standards used in precedent as described in http://www.volokh.com/2013/01/14/aaron-swartz-charges/ there is no question that the cost of production of the property that I gained access to was worth more than $5000. (The fact that my cable provider did not produce that content does not enter into the statute, and is therefore irrelevant.)

By my reading, my changing of the MAC address allowed me to gain unauthorized access under false pretenses to property worth more than $5000 that resided in another state from me at that time. That means that a prosecutor could, in theory, have charged me with the first 3 of the 4 original charges that were leveled at Aaron Swartz.

But, you say, no prosecutor would have actually done so, and a judge would not impose a serious penalty if one did? That is absolutely true. The phenomenon is called selective enforcement. And selective enforcement of bad laws only against people that someone in power doesn't like is a real problem.

Which would be my whole point.


(The fact that my cable provider did not produce that content does not enter into the statute, and is therefore irrelevant.)

Is this really true? I would think the circumvented security and the damaged party would need to be more "proximate". If you downloaded 500 copies of antivirus software from the Comcast-only FTP site there'd be a case.

I don't think piling on of charges is right, but I don't think charges are piled on in quite the way you're describing. There is a connection, even if tenuous, between them.


I am not a lawyer, but my understanding is that proximity is not needed, and in fact was not present in Aaron Swartz' case.

Aaron had unauthorized access to MIT's network, through which he downloaded JSTOR's documents, and the value calculation they would use was based on the effort of various academic authors around the world. MIT complained to the prosecutor, who brought the case despite JSTOR not being interested and no complaint from the actual owners of those documents (which mostly was not JSTOR).

In my parallel scenario, the cable company takes the role of MIT, open source repositories take the role of JSTOR, and open source authors take the role of the academic researchers, journals, etc who owned the documents downloaded. The parallel is exact. If the cable company (like MIT) complained, the fact that the other pieces of the puzzle do not want charges brought would not stop an overzealous prosecutor from being able to charge me.

What could I be charged with? Of the 4 initial charges against Aaron Swartz, the fact that he caused damage only matters for the last one. The first three are only concerned with the fact of unauthorized access over a network of valuable property. My parallel scenario has that.

The amendment that is being proposed saying that violation of terms of service does not suffice to count as unauthorized access under this bill would protect my case. That change is definitely needed. As I've commented elsewhere, the fact that Aaron's access required physical trespass means that his lack of authority did not merely stem from violating the terms of service. Therefore I don't believe that he would have been protected by the proposed bill that bears his name.


That's a good parallel. The only difference I see is that accessing an open source repo doesn't usually require access to your cable network.


My cable modem is somewhat similar - it makes one DHCP offer, at boot. If you connect it directly to a switch, you don't get connectivity. That's why the ISP recommends you make the one device a router.



