Slashdot Mirror


Law Review Article Says Port Scanning Illegal

Anonymous Coward writes: "The Journal of Technology Law and Policy has a good article on computer security and privacy. If you ignore the more metaphorical crap at the beginning of the article, the author marches through some laws that apply to the Internet and shows how they apply and why his way of deciding what kind of access to a computer breaks the law and what kinds don't is better. (It's based on property and expectations of privacy.) It's interesting to see computer security from a lawyer's point of view. Especially interesting are his claims that using nmap is illegal, despite the VC3 v. Moulton case. I'm not sure I agree with him, but he definitely makes a pretty sobering case." Actually, I think the metaphors throughout this piece (not just at the beginning) are what make it interesting, and a big component of law is dealing with metaphors. This piece also collects in one place a lot of the cases dealing with computer law.


  1. This is a GOOD article by Chris+Johnson · · Score: 5
    "Technical measures implemented by the computer owner protect and control his property, while technical measures implemented by copyright owners provide control over their work at the expense of the computer owner."

    This is a _good_ article. Law and justice that doesn't have two sides is no law at all... this article goes a long way towards presenting a concept of digital property rights that is _local_.

    There is a lot of money and power behind content creators, copyright holders etc. saying "we own this, it is OUR property, therefore we get to scan your computer, send back information to the mothership, and if you are a criminal we get to delete stolen goods off your hard drive, you pirate you! You miscreant!"

    The thing is, _law_ sees this and comes back with "If you're saying that is property, wouldn't the person's hard disk be property too? As in 'not yours', as in 'you are a guest but they bought it and own it and live in it'?"

    That's the beauty of law and justice- it balances, in time. The inevitable result of pushing for extensive 'property' law regarding copyright etc. is to also cast light on the subject of what kind of property a person's datasphere is.

    I even wrote an essay on this in November 1998: it's at http://www.airwindows.com/fiction/essays/Hotel.html. When you operate a computer it is like you are moving your stuff around on virtual property: you put something somewhere. Does a company have a right to move it to somewhere else? To pile stuff next to it obscuring it? To paint it a different color, or dust it off? To remove, discard it, set it on fire, impound it as evidence?

    The fact that all of this seems totally permissible only shows that law hasn't begun thinking about these issues yet.

    You can't have it both ways- if I am forbidden even to portscan a company, then the company is forbidden to go over _my_ computer either. It's analogous. If we're tightening the protections for company-owned 'cyberspace' we're also laying a precedent for tighter protections on privately owned cyberspace.

    In the future it may be ILLEGAL for Microsoft to shut off the mp3 encoding in its software and force people to migrate to WMA- or more plausibly, it may be ILLEGAL for them to take a WMA file that was once functional and render it nonfunctional arbitrarily if you don't cough up a license fee. It may also be illegal for them to place restrictions on OEM desktops- on the basis that they make the building materials, the OEM builds the house, the customer buys it and moves in. There is no compelling argument that they must be able to prohibit the OEM from decorating the 'house' as they see fit.

    Very interesting stuff in this article, and grounds for hope :)

  2. Re:this is true by sheldon · · Score: 3

    Guns don't kill people.

    It's the damn bullets!

  3. Re:Why portscanning must be legal. by dattaway · · Score: 5

    The policy for specifying what is allowed and not allowed is simply closing the damn port in the first place.

  4. Search Engines ? by AftanGustur · · Score: 5

    Does this mean that Google and company can now be found guilty when searching for open port 80 on networks ?

    How about search engines that look for an open 21 (ftp) port? How about gopher? CIFS (Common Internet filesystem)? Hmmmm, interesting...
    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D7272C3AF4F2snlbxq'|dc

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    1. Re:Search Engines ? by (void*) · · Score: 3
      Boston Daily - Police have arrested a man, going by the name of Malcontent, for gunning down an old lady in his front yard. The victim was an 84-year-old Junice Jones who lived next door.

      Eliza Jones, her daughter was distraught when we attempted to contact her. `She's such a sweet old lady, Why would anyone want to hurt her?'

      When asked what she was doing on the neighbor's house, she only said she did not know. "She is very old, and her memory's not as good as before. She could have just wandered into the wrong house."

      Further queries as to why Malcontent could not recognise his own neighbor were asked. "I don't know - the fellow keeps to himself, his house and windows all locked all the time. He's very secretive. I remember a year ago, when little Annie from down the street ran to his house, after having fallen down a tree and getting cut. She asked him for a bandaid, and he growled something about not presuming to offer bandaids. He is a very sullen and nasty fellow."

      Who is this Malcontent, and why did he commit this atrocious act? Rumor has it that as Police dragged him away, he was shouting something about a trespassing upon a private driveway. But that is an unconfirmed rumor, and as yet, we have no idea of what exactly was going on through the mind of this unprovoked killer.

  5. case law by josepha48 · · Score: 3
    Usually case law outweighs some lawyer's interpretation of the law. Since there is already a case that discusses that port scanning is NOT against the law, then it would be a matter of him overturning this decision and proving it wrong. It also depends on which court these decisions were made in (I am referring to US courts). Supreme Court decisions can be overturned, but they need another case to ..

    I don't want a lot, I just want it all!
    Flame away, I have a hose!

    --

    Only 'flamers' flame!

  6. Re:Guh? by dillon_rinker · · Score: 3
    I've read several responses to your post, all agreeing that the article is written at a pretty high level. I'd suggest that it's not "lawyer's English" - it's "bad English." In most cases, you can understand the author's intent, but it's badly in need of some editing.

    - 1st paragraph, 2nd sentence:
    Particularly, laws made to protect computers on the Internet and computer security are applied unpredictably.
    Laws made to protect computer security? How do you protect security? Or does he mean computer security is applied unpredictably? What?

    - 2nd para., 2nd sent.
    This article assumes that legal decisions about the Internet will continue to be based in partially on property rights.
    Either the word 'in' or the phrase 'partially on' need to be deleted.

    - 2nd para, 3rd sent.
    Without property rights, computer owners may not be willing to connect to the Internet if their computers can be abused without legal remedy.
    With property rights, computer owners will not be willing to connect to the Internet if their computers can be abused without legal remedy. So what's his point?

    /me gives up in disgust and then notices byline, at the very beginning:
    Ethan Preston expects to receive his J.D. from the Georgetown University Law Center in 2001.
    Right... and I expect to be made emperor in 2001. I'll never hire a Georgetown alumnus if Ethan makes the grade.
  7. Re:Guh? by Mike+Schiraldi · · Score: 4
    It might seem that way to someone studying law at a school so prestigious and selective, where the current and former members of the student body are surely the most brilliant and ambitious of all academia, but if I may speak for the Slashdot crowd, it's a little boggling for us. Sure, I can't point to any one part and say, "Yeah, right here is where it's confusing." Any little part makes sense. But trying to swallow and digest it is rather difficult for someone not used to reading such documents.

    It's kinda like showing a proof of Gödel's Incompleteness Theory to someone not versed in math. Each step of the process is simple and straightforward, but as a whole it's tough for an untrained mind to grasp and follow along.

    --

  8. Guh? by Mike+Schiraldi · · Score: 5
    Anyone know when Babelfish's "Lawyer to English" translation will be available?

    --

  9. Re:Why portscanning must be legal. by WNight · · Score: 3

    Port scanning IS passive.

    In the bank analogy, how do you know if they have a door or a window? Photons from the sun bounce off of it and hit your eye in a recognizable pattern.

    How would you do this on a cloudy night? A flashlight perhaps?

    There's no way (aside from sending out continual broadcast messages from everyone) for a server to broadcast that it is serving something. You simply have to ask. Portscanning is how you do that. You ask if they are serving files. How about web pages? How about ...

    Now, you could make up some convoluted scenario where the bank had photo-cells in the windows to detect if it was night, and your flashlight, unlawfully shined into their windows, blah blah blah...

    This would be like if you were scanning for someone sharing files, you check FTP, HTTP, Windows networking, etc... Now maybe someone has a misconfigured program that instead of saying 'No', crashes when asked.

    But that's not your fault, you were just asking a question.

    If you exploited this, by asking over and over, it'd be akin to harassment. An otherwise legal action would be forbidden by context.

    Similarly, portscanning should be legal. It's the way the network works. But malicious use of portscanning, or portscanning connected to a crime, wouldn't be legal.

  10. Bad analogy by ttfkam · · Score: 3

    Port scanning is like looking at a house from across the street. The equivalent of "crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents" is sending known exploit code to the port in order to see if you can get unauthorized access. It's not even like looking in the windows. A port scan tells you nothing more about a computer than seeing that a window on the second floor has been left open.

    The first could be used in the sense of "casing the joint," but it could also be a case of looking at the architecture of the houses on the block without the owners' permission. It may make some people uncomfortable, but it's hardly illegal. A port scan is the closest thing to a look-but-don't-touch on the Net today.

    If port scanning is found to be illegal, would a bare ping to see if a site is up and running be made illegal in the future as well? Beware the slippery slope. We need to make sure that there is a difference in law between committing a crime and having the potential to commit a crime.

    If a script kiddie starts trying known exploits against your box, THAT should be seen as a crime. They are totally trying the vents to see if it's loose so that they can gain access. This is a clear, distinct, and unambiguous step beyond a port scan.

    --

    - I don't need to go outside, my CRT tan'll do me just fine.
  11. Re:Prop. "Ammendment XXVIII to the U.S. Constituti by HerrNewton · · Score: 3

    Verra dangerous, imho, because it's horridly broad. Building a massive microwave generator and pointing it at your neighbor's house would be legal.

    --
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
  12. Why portscanning must be legal. by Dwonis · · Score: 5
    Let's say you're shopping around for a web hosting provider. A lot of them will say "secure and reliable", but you know that doesn't really mean anything. So, you decide to run a few trivial security checks on their servers, including running a port scan.

    Should you be deprived of the right to examine the quality of a service before buying it, especially when it wouldn't fall under "theft of services"? I think not.
    ------

  13. The Physical Property Metaphor by Louis+Savain · · Score: 3

    How faithful can one be to the private property metaphor without getting into absurd comparisons? If port scanning is illegal, so should looking at someone's house, roof, lawn, doors, windows, etc...

  14. Re:The nature of law by Speare · · Score: 3

    And if law were more like open source, it would be better?! Don't get me wrong... open source is fine for open source but not necessarily for law.

    Imagine a system of law in which each person could set up their own government, a system of rules to which nobody else had to conform or comply. Imagine the few most popular standards were only usable by the legislators and legal pundits for twenty or thirty years while the bugs were worked out. The general public wouldn't have the understanding to try any of the several governing distributions by themselves, so they'd have to rely on more experienced people to set up their systems. Over the years, hot contentions would organize blocs of specialists who fought for only one or two standards, even though the underlying system was still supposedly a free-to-be-an-individual system.

    Hm, the more I look at it, the US government resembles open source, too.

    --
    [ .sig file not found ]
  15. Huh? by pyth · · Score: 3

    Shouldn't slashdot be making original material? This is copied straight out of kuro5hin. At least put a reference to K5 if you're gonna cutnpaste!

  16. A law journal article on Slashdot? by CaseStudy · · Score: 4

    I predict that this could set the record for the highest percentage of replies from people who didn't read the article.

  17. Only the article doesn't actually say that. by CaseStudy · · Score: 4

    Can someone point out to me where the article claims that nmap, or port scanning, is currently illegal? (Bonus points if you show evidence contrary to the claim. Hint: Moulton did not hold that port scanning was legal; it held that the claimant didn't show damages to the court's satisfaction, and specifically said that Moulton may be subject to criminal prosecution under the Georgia Computer Systems Protection Act.)

  18. I view port scanning as analogous to door knocking by yerricde · · Score: 3

    After reading through much of the article, I still fail to see how scanning a host's ports is any different from knocking on that host's various doors and windows, seeing if anybody's home, or giving that host's various telephone lines a ring. If you don't want people coming through a doorway, lock the door.

    If the right to portscan is overturned, how will a potential customer be able to discover whether or not the owner of a given host has given permission to connect via HTTP, FTP, SMTP, etc.?

    --
    Will I retire or break 10K?
  19. Technical measures by Frank+T.+Lofaro+Jr. · · Score: 3
    In real world terms, computer owners should be able to assert their property rights (in the form of imposing liability) only when users have circumvented technical measures that should have prevented the litigated use. (from the article)

    2 problems:

    (1) Lack of security is an excuse to break in. If someone leaves the root password unset on a machine, or leaves off the security on their web server, the above would say it is legal to access whatever you want on that system - whether it is meant to be private or even if one is explicitly told it is private.
    Imagine the prosecutor letting someone who robbed you go free because you "didn't take precautions" (e.g. left personal belongings for a second, etc).
    (2) It legitimizes making technical measures have the force of law. If I (as a private citizen) have the technical ability to stop you from entering a public park, should you get arrested for going there anyway? Heck no. In fact, I wouldn't be allowed to even use technical measures to stop you. That is why the DMCA is so bad. Copyright is limited by fair use - fair use activities are not trespass, they are more like entering a public easement on a property where such is allowed by law. If I as a property owner in the real world block access to an easement (try to build a wall on a road crossing my property), not only do people not get arrested for breaking down/circumventing/destroying the wall, I'll get arrested for building it.
    The DMCA turns that common sense notion upside down - the wall builder is ALWAYS right, the others are ALWAYS criminal.

    That article seems to feed that thinking.

    I am not a lawyer, but I understand common sense - which puts me above most of Congress.

    --
    Just because it CAN be done, doesn't mean it should!
  20. Wow by bonzoesc · · Score: 4
    Pretty soon, sending and receiving packets through ports will be illegal, too. Hopefully, we can call them sockets and evade the law.

    Tell me what makes you so afraid
    Of all those people you say you hate

  21. Re:Why portscanning must be illegal. by peccary · · Score: 3

    Since they're doing it from Korea, China, and Ghana, the fact that it might be illegal here doesn't help your security much.

    Or, to put it another way, since you're going to have to secure your systems anyway, why bother trying to make something illegal that actually might have a useful purpose once in a while?

  22. Why portscanning must be illegal. by beable · · Score: 5
    Let's say you're shopping around for a web hosting provider. A lot of them will say "secure and reliable", but you know that doesn't really mean anything. So, you decide to run a few trivial security checks on their servers, including running a port scan.
    Let's say I'm connecting my computer to the internet for private purposes. Why should I have to put up with repeated port scans? Those people aren't trying to connect to ports 111, 161, etc to do me a favour by testing my security. They're trying to break in! This would be obvious by examining what they had done, which would be to scan certain exploitable ports on a range of IP addresses. If you asked them, they would probably tell you why they did it: to find computers to break into. Let's not forget what happened to grc.com.

    Portscanning should be considered a crime.
    --
    ...
  23. Take a Law Course? by Alien54 · · Score: 3
    It might seem that way to someone studying law at a school so prestigious and selective, where the current and former members of the student body are surely the most brilliant and ambitious of all academia, but if I may speak for the Slashdot crowd, it's a little boggling for us.

    A long-time programming friend of mine mentioned that the most useful courses he took outside of the programming course were a business law course, just to cover the basics of things like this, and a business accounting course, just to get his mind wrapped around modelling what bean counters were doing in the first place.

    You would think with all of the legal issues running around, technical types could spend time just to get a toe wet, and get some familiarity with the concepts. It seems very much worth it.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
  24. Port scan is checking doors/windows/air ducts/... by SlushDot · · Score: 5
    After reading through much of the article, I still fail to see how scanning a host's ports is any different from knocking on that host's various doors and windows, seeing if anybody's home, or giving that host's various telephone lines a ring.

    I see port scanning as crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents. Trying all 256 codes on RF X-10 modules, using a frequency counter/scanner to check for and listen in on radio transmissions, ringing phone lines, ringing doorbells, seeing if you can turn on sprinklers/water faucets, etc.

    Would you have no problem with someone doing all that? That's a port scan.

    "Ringing a doorbell" is a single probe on port 80. "Ring a telephone" is a single probe on port 23. Don't bullshit yourself.

    --

  25. Re:Port scan is checking doors/windows/air ducts/. by raju1kabir · · Score: 3
    I see port scanning as crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, etc., etc., etc.

    Then you need better glasses.

    Your list of metaphorical intrusions and indignities doesn't leave anything to analogize for actual attacks.

    You're not going to be able to map the full cycle of casing, analysis, attack, and penetration to the burglary story unless you pace yourself a little.

    • Driving around looking for nice houses: Ping & port scan
    • Trying doors and windows: Using packaged exploits (parallels: It's easy; if it succeeds you are now able to walk around and do what you want; and any responsible person would have taken the simple measures to prevent its effectiveness)
    • Picking locks or prying open transoms: Launching hand-tooled attacks
    • Stealing and vandalizing once inside: Stealing and vandalizing once inside

    Remember perspective, it's a wonderful thing.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  26. Good news by jsse · · Score: 3

    It's surely good news to me. Every day I get hundreds of NetBIOS (137/138/139) port scans on my Linux server from Windows boxes within the same domain. I always wish somebody would bash them and jail them.

    Yes, those Windows users might not be aware, as the NetBIOS port scanning is being done automatically. However, they must take responsibility for booting up their NetBIOS port scanning OS which annoys their honest Linux neighbours.

  27. Re:this is true by mikethegeek · · Score: 4

    "Say you are a sysadmin. You run a mission-critical webserver. In the status quo, you receive around 40 portscans a minute. Hackers have been successful 3 times on your site. If portscans are outlawed, then the overall security of your site receives additional protection.
    Practical benefits like this one should be MUCH more important than simply protecting 'liberty."

    Please don't take this as a flame, but this is the same kind of flawed thinking that leads to things like anti-gun laws.

    It is an extremely FALSE assumption that merely outlawing portscans will somehow reduce breaking into systems, DOS attacks, etc. Last time I checked, THOSE activities were already illegal.

    To have any HOPE of effectiveness, you'd have to outlaw portscanning utilities. And give that law enough teeth to allow the stormtroopers (police) the ability to "find out who has them".

    Portscanners have very PRACTICAL and good purposes you know, such as, me, as a sysadmin can use one to make sure the ports I wanted closed ARE closed... To ban portscans and portscanning means more systems will be left open and vulnerable!

    Please think about the implications before so quickly giving up a liberty for the (false) promise of government guaranteed safety.

    Here is the best quote on this subject:

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

    -- Benjamin Franklin, Historical Review of Pennsylvania, 1759.

    --
    === The price of freedom is eternal vigilance
  28. Questions..... by gooberguy · · Score: 5

    Just wondering, what constitutes port scanning? How many TCP ports need to be probed in how much time to be defined as port scanning? Does a program have to be used? If I send 50 http GET requests to a computer within one second, is that port scanning? What about 50 TCP requests to a computer to 50 different ports in one second? I want to know!

    D/\ Gooberguy

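The thresholds gooberguy asks about are a policy choice a defender makes, not a fact of TCP. As an added example (not from the thread or the article), this Python script applies one such heuristic to a constructed connection log: per source, it counts distinct destination ports and distinct hosts per port inside a sliding time window, so 50 GETs to port 80 in a second are not flagged while 50 probes of 50 ports are, and a sweep of port 111 across a subnet is reported separately from jsse's three NetBIOS ports. The window length and both thresholds are assumed values to tune for your own network.

```python
"""Heuristic port-scan detection over a constructed connection log (example only)."""
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Build a constructed log of '<ISO timestamp> <src> <dst> <dport> <proto>' lines."""
    base = datetime(2001, 1, 15, 12, 0, 0)
    at = lambda ms: (base + timedelta(milliseconds=ms)).isoformat()
    lines = []
    # 50 HTTP requests to one port within one second: a busy client, not a scan.
    lines += [f"{at(i * 10)} 10.0.0.5 192.0.2.10 80 tcp" for i in range(50)]
    # 50 probes of 50 different ports within one second: a vertical scan.
    lines += [f"{at(i * 15)} 10.0.0.9 192.0.2.10 {1000 + i} tcp" for i in range(50)]
    # One probe of port 111 against 30 hosts in ~1.2 s: a horizontal sweep.
    lines += [f"{at(i * 40)} 10.0.0.7 192.0.2.{100 + i} 111 tcp" for i in range(30)]
    # NetBIOS chatter from a Windows neighbour: three ports spread over 40 s.
    lines += [f"{at(20000 * i)} 10.0.0.3 192.0.2.10 {p} udp" for i, p in enumerate((137, 138, 139))]
    return lines


def parse(line):
    """Parse one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scans(lines, window_s=1.0, min_ports=20, min_hosts=20):
    """Return {src: set(labels)} for sources that, in any window_s-second window,
    touch >= min_ports distinct ports ("vertical scan") or hit one port on
    >= min_hosts distinct hosts ("horizontal sweep"). Thresholds are assumptions."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse(line)
        by_src[src].append((ts, dst, dport))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        labels = set()
        for i, (t0, _, _) in enumerate(events):
            # Every event within window_s of this one, this one included.
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            if len({dport for _, _, dport in in_window}) >= min_ports:
                labels.add("vertical scan")
            hosts_per_port = defaultdict(set)
            for _, dst, dport in in_window:
                hosts_per_port[dport].add(dst)
            if any(len(h) >= min_hosts for h in hosts_per_port.values()):
                labels.add("horizontal sweep")
        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in detect_scans(make_sample_log()).items():
        print(f"{src}: {', '.join(sorted(labels))}")
```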