Slashdot Mirror
Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
(P)Pronunciation Key(kss) n. 1.A means of approaching, entering, exiting, communicating with, or making use of: a store with easy access. 2. An outburst or onset: an access of rage. definetly 2. ooh man i hate computers sometimes
When thinking about it. One could say that a popup add "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
Opus: the Swiss army knife of audio codec
This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
You can tell a great deal about the character of a man by observing those who hate him.
Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
..but the computer can't say no, I thought it wanted me to access it, honest!
/.'ed after 2 posts!
I would like to read, so please post text and/or mirror.
The article links to an abstract, which has a pdf link in it to the actual goodies. here is the pdf link, for your viewing pleasure. http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID39 9740_code030507630.pdf?abstractid=399740
Very first thought, dag nab it ....
The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack. You could practically murder someone and spend less time in jail then if you commit a computer crime.
posting "1 4/\/\ 0wnz0ring j00!!!!!! luser!!!! FEE KEVIN" on their website, qualifies.
"This Abstract has been viewed 415 times"
Hope they didn't use a short int for that counter variable.
occultae nullus est respectus musicae - originally a Greek proverb
The charge was eventually dropped at any rate.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Since their server is almost dead, I managed to pull this off before /. effect kills it.
Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes
ORIN S. KERR
George Washington University - Law School
GWU Law School, Public Law Research Paper No. 65
New York University Law Review, Vol. 78, November 2003
Abstract:
In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.
This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.
Keywords: cybercrime, computer crime, unauthorized access, code
...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.
I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.
"Want in one hand and spit in the other and see which one fills up first." - My Dad
If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized. BTW, that data is available under perfectly reasonable license terms. I charge $1/Kb. I have 2 80Gb drives. The $160,000,000 is payable in advance, thank you.
From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.
HOWEVER, many states have local statutes making simple trespass illegal.
Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.
Vic Vandal
Isn't just the act of touching the computer accessing it. I work for a company that doesn't want us to do anything known work related on computer. I can't even check my email or check our the weather or the news. I think some policies about computer access in corporate america are bull. If they have people who surf porn they should fire them not punish everyone else by banning general surfing.
For all the kiddies who cant access the pdf file:
9 9740_code030507630.pdf?abstractid=399740
:)
http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID3
Enjoy!
hmm... I don't think you were supposed to download Matrix 2. please expect our agents to arrive shortly.
Any Mac users getting it to work? For that matter, has anyone gotten it to work? None of the comments suggest that the poster has read the whole thing, not that's necessarily unusual.
What I'm listening to now on Pandora...
"And this is my boy, Sherman. Speak, Sherman." "Hello." "Good boy."
Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)
Since when does an articles length matter?? Nobody reads them anyway, this is /. :)
This has nothing to do with the /. article, but makes good reading nonetheless.
How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
Interesting.. I thought I knew what those words meant until I started thinking about it... but that won't stop me from giving it a stab:
unauthorized: Exposure of information / access to systems to / by individuals not authorized to receive it / access the system.
access: 1. The ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system. 2. To obtain the use of a resource. 3. [The] capability and opportunity to gain detailed knowledge of or to alter information or material. 4. [The] ability and means to communicate with (i.e. , input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. Note [for 3 and 4]: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents him/her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. 5. An assigned portion of system resources for one data stream of user communications or signaling.
Thanks to google and Federal Standard 1037C.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
Logging onto the internet is sort of like putting your house in the middle of a city, with all the doors and windows open, then letting random strangers walk through your house, along with the people you "want" to walk through your house. Your gonna have a hard time keeping people out of your bed room........
"Much work is lost, for the lack of a little more." -Edward H. Harriman
Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes
ORIN S. KERR
George Washington University - Law School
GWU Law School, Public Law Research Paper No. 65
New York University Law Review, Vol. 78, November 2003
Abstract:
In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.
This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.
Keywords: cybercrime, computer crime, unauthorized access, code
Access is a noun. Hence one can perform an act which becomes illegal access, one can grant or revoke access, but one cannot access something anymore than one can plane, car, or fireplug.
/. about grammar is about as pointless as crying "Dupe"
Of course, bitching on
But what the hell, I do that too.
--
Just don't support Karma Whores, mod up the AC post instead.
occultae nullus est respectus musicae - originally a Greek proverb
I sure didn't.
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
Near the end (I started at about page 50), he states that accessing a computer "without authorization" should only be considered true in cases where a cracker has circumvented code-based restrictions, not contract-based restrictions. Part of me things this is a great idea conceptually, but part of me is worried about the implications it would have for the vast majority of home computer users.
/.'ers, this is already a given. Be it with firewalls, NIDS, or whatnot, I'm sure everyone on here is doing something to make sure that people aren't getting access to your system. I think of one of the best points he makes is that as long as you implement code that is intended to stop malicious attacks, that is enough legally to build your case. I'm sure many average users have misconfigured firewalls or something that would allow someone knowledgeable to crack their machine. I'm sure there are stupid sysadmins out there who have unsecure networks. While I don't think this excuses you from not keeping up to date, patching, etc., I think it is a good step to take.
/.'er and make rulings that seem ignorant of the technologies.
By saying that only when you break code-based restrictions are you committing unauthorized access, this puts the responsiblity on the user to secure their box. For most
My biggest worry is that the definition of code-based restrictions could be misconstrued. Say for example you lock down everything except Apache/IIS running on port 80. Since both these two have had security exploits in the past (not trying to start a holy war here), what happens if someone exploits your webserver to gain more access? Obviously you have given access to the webserver on port 80. If one of the "features" of the webserver is a buffer exploit, would it still be considered circumventing a code-based restriction to exploit it? I think most here would agree that it is, but as we all have seen, most judges are not your averager
SNOPES OWNZ JOO!
" No, the FBI doesn't release an annual list of the "Top 20 Homicides." If the sheer inanity of some of these entries (e.g., a man "drowning" from drinking too much Coca-Cola), the atrocious spelling and grammar, and the use of Britishisms (such as 'tonne,' 'doctors surgery,' and 'kilometers' ) don't give away that this list is just a bit of humor, then consider that most of the homicides detailed here are not federal crimes and don't involve a crossing of state lines, and therefore the FBI wouldn't have been called upon to investigate them. "
Did he forget to return a library book?
If this guys recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guys recommendations off the books.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
http://world.std.com/~swmcd/steven/rants/merlyn.ht ml
I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being commited?
Trolls lurk everywhere. Mod them down.
Are there really that many ISPs out there which disallow NAT use?
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
You all said it died, but I got it... maybe cached from our proxy though.. but anyway.
:)
HERE IT IS
enjoy.. I'll be busy for a bit.
Put your money where your mouth is -
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note:: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary. )
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
Does the title to this article sound like what Bill Clinton once said
"That depends on what the definition of the word 'is' is.
Spooky
What is "unauthorized access" to my house?
1. When some one comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarily to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come and my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area, if I lock something done with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
I think a better question would be , "What constitutes "Unauthorized" _Data_ access?"
It's often easier to access to the data being served than it is to the machine itself and I think the debate would be much more valuable.
maybe he adressess this as i didnt RTFA.
--
|-_-| . o O ( bEef!)
The vagueness of authorization was particularly noticable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.
It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.
The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):
And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right?It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!
"Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The easy answer to the question is that it is unauthorized access when they don't give a damn or can't do anything about it.
Unauthorized access should be defined by the user, the isp, the network, and differs from place to place. ISP's as general rule should have broad access restrictions that should be open and accessible, and users with networks or public computers (WWW, etc) should have their own.
-Sean
When the number of comments reaches twice the number of abstract views... which must be 10% of the whole article views.. You just know slashdot has a problem :)
If it's trivial to access the system, then there should be no crime committed.
You cannot just leave an open webserver and expect people to 'just know' they they cannot request files from it. You cannot expect people not to poke around your unpassworded FTP server.
Trivial passwords should fall into the same category - you can't be bothered to take care of your data/services, you can't bitch when someone else reads it/uses them.
Beep beep.
1. Put up a website on the net
2. Wait for 100 hits
3. Sue the 100 people who visited your site for $50,000 each, claiming that you didn't give them authorization to access your computer. Profit!
For those of you who aren't familiar with what Morris did or didn't read the section I'm discussing, he is the one resposible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:
These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)
The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.
In california.. it goes something like this:
(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
If so, then the legal tools are already available to make some serious examples.
/. If the government wants us to respect the law, it should set a better example.
in the state of maine (along with others i'm sure)it is illegal to attempt to access, as well as access a computer that isn't yours.
Give me a break. People should have to log out to be helpful by posting the text of a /.ed article???
Note, lack of security does not equate to implicit authorization, since even if my front door is unlocked, if someone I do not want in my home comes in, they are still trespassing, even if I am not *at* home to tell them to get out (although if they steal anything, my insurance may not cover it since I had not shown diligence in taking care to prevent that). If, however, I come home to find this person in my house, even if they have not stolen or tried to steal anything, I can still charge them with trespassing.
Also note that mere posession of a suitable entry key or password does not equate to authorization, unless that posession is currently recognized as valid by authorized channels.
File under 'M' for 'Manic ranting'
That's my policy. It's short, simple and easy to understand. It is also extremely satisfying and lawyers are un-necessary.
There's one small difference:
computers rely on automation. If someone accidentally leaves a "private" section of their website unprotected either through oversight or a bug, it's entirely possible, and indeed likely that tools like wget, or a spider could end up there. It would be 100% impossible to prove "unauthorized" access was "intentional", and the tool didn't do anything wrong, just exactly what it was supposed to do.
I don't think this overall affects your argument, but it does demonstrate some unique cases where access was unauthorized, unintentional, and in many cases, probably "unavoidable". If someone isn't really careful with their security, they could be f*cked before they realize it and (rightly) have no legal recourse against the offender.
The thinking would be: If you don't authorize popups, then why are you running a web browser that intentionally supports popups? The programmers of your browser went to extra trouble and effort to make popups work. If you don't like it, change the behavior of your browser. It's not like someone tricked your browser into displaying the popup, in defiance of its design.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
--
Some people think that accessing their open web server unauthorized access. This is not reasonable.
I think anything not clearly identified as private should be authorized on a public network.
If I walk to someones front door who has no signs informing me this is unacceptable, and ring the doorbell I do not think I'm tresspassing.
Same for a computer.
The article is well worth reading, just for the following quote:
Sounds like a fun guy to work with.
SYN: (may I access this tcp port?)
SYN ACK: (sure go ahead!)
ACK: (thanks!)
At what time does he think people should access his machine, his PC, and look though his files. The information contained in there could be personal and damnaging for others to know.
A popup add is one thing. The page you are viewing put that there. It's part of the whole package you have requested. That's your fault.
I cannot put it any better than the fourth ammendment. He in the US we are unique. We have rights. Yes, rights, not privileges. These rights cannot be set aside legally.
We of the US are not "lucky" to have these rights, we demand them. Once we stop our demanding they'll disapear faster than can blink. We through our contract with our governing bodies, the Constitution, give the government some powers, the states some powers, reserve some rights, and reserve all other power for the people.
I cannot put it better than the fourth ammendment, so I'll post it here.
Forth Ammendment
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrents shall issue, but upon probable cause, supported by Oath or affirmantion, and particularly describing the place to be searched, and the person or things to be seized.
Take care, and protect your rights. Anything not maintained will fall into disrepair. Keep our rights from falling into disrepair.
-- James Dornan
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwitdh that is attached to the Wi-Fi network (wired or unwired).... these things are much simpler, ans FAR less confusing if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world anaologies of law.. such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility of the proprety owners to know - karnally - what is going on with what they bought.
... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.
.. i requested data - and you gave it to me.. be it a letter, a picture named "45728.jpg", the comany's secret files improperly stored on a website...
I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station hs MAC address access lists and uses WEP - regardless of how ipss-por they are in providing ACTUAL security
But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPS and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?
What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays is that, at the actual protocol levles, each of THESE cases is a slam dunk.
If i request a DHCP lease, and the open base station gives me a IP and a lease, then, by definition, i have no gained access in an unauthorized manner. That person's equpiment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, its not unauthorized.
If i request a URL with a HTTP GET, and the server happily sends me a file that was in a directry that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if i ASK for access, and you GIVE it to me, then that access is AUTHORIZED.
Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..
in the case of Explorica, i could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.
If i to a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. i didn't REQUEST ACCESS
If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...
1. I am a robber, and i threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.
2. I am a begger, and i do not threaten you in any way. You give me all your money freely.
In example 1- i am violating protocol... i am threatening you. in example 2 - i violate no protocol, and in no way threaten you, you decision to give me all your money, while perhapse foolish and stupid on your part - is you free will.
open websites, open wi-fi base stations, and smtp relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modificaiton, and yet YOU GIVE ME DATA.... there cannot be any crime.
just as there is no crime in giving a person money on a train, so long as there is no violati
guns kill people like spoons make Rosie O'Donnell fat.
I fully realize that I'm fighting a long-since lost battle, but it's one of the perversions of the languange that I'm unwilling to accept.
Please don't take this way off-topic message as a personal affront, as it's not meant as one.
My impression is that english is a living, growing language. At what point in time, then, do you say something is English or not? 1600? 1900? For example, the "plane" you referred to earlier was first used to describe a vehicle of flight in 1908.
And of course there is the "problem" of deciding what gets "accepted" as proper language. I'm not sure a democratic method is necessarily best. For example, "have got" as in "I have got three cars." seems to be acceptable now because of its common use. That makes me cringe every time I hear it!
Going back to "plane", you can in fact plane something. That is to make it flat, as in a carpenter planing a piece of wood. The wings of the first airplanes were flat, which gave the craft its name. This noun for the word is surely newer than the verb.
Newer than a mathematically defined plane? I doubt it.
...they call it various things but falls roughly under "maintaining a public nusiance" or some such. You don't even have to be aware of it, or you can claim stupid, and it doesn't matter. Hmm, for instance, having a full swimming pool with no fence around it, some kid falls in, whoops! It's happened to people. I could see it easily applied to running a totally unsecured computer that is used as a spammer relay or zombie machine in an attack.
AND THEN, in turn, once clueless computer owner gets shafted, THEY can turn around and sue the OS distributor for selling an operating system that installs broken,and is wide open. Using the same law.
THAT would sort these things out a bit.
Just as a matter of discussion, I'd class millions of wide open computers out there as a major public nusiance. People who aren't consciously running a server by choice-shouldn't be running a server! It's a completely simple and logical concept.
I'm not saying the law is 100% correct or "fair" in that regard, but the case law and precedent is out there in spades. Not sure if it was ever applied to computers though, but it would be an interesting case if it occurred. Follow culpability and "who suffers". Why should innocent person A suffer because computer user B allowed his machine to be used by haxor C in an attack? And I don't mean a really exotic take over situation, I mean using computers that ship and install with extremely insecure OS and apps that are obviously "too loose" for someone who isn't a server? Anyway, an argument along those grounds.
So what you mean to say is that if I hook a wireless router up and someone drives by my house and uses my network - which is now legal in some states - they are within the law, but I am breaking it since they are using my router to connect a 3rd computer to my isp? (my isp allows 2 by default).
Laws will get messy.
Or how about I connect my check my email from my palm pilot through my computer....is it now a network?
Messy.
Messy.
Messy.
That's not always true, and that's where a lot of problems arise in the law, because undefined terms are subject to vagaries of interpretation. There are many examples in the law, for example, check out the HIPAA statute and regulations some time, there are REAMS of undefined terms in those. (One example: certain elements of the HIPAA Privacy Rule are waived in the case of an "emergency", but the federal agency which wrote the Rule has flatly refused to define the term "emergency". Another example: The HIPAA Privacy Rule governs medical "assessments", but doesn't define what those are, and the term "assessment" has a different meaning in a medical context when used by doctors, than it does in regular parlance. Yet another example: The HIPAA rules allow disclosures of that subset of an individual's private health information by a facility (such as a hospital) which represents the individual's "general condition". Once again, the term is not defined, and noone knows if that means things like "critical", "serious", "guarded", etc. and whether a hospital is allowed to release information about a patient's death. The term is simply undefined, with no intention to define it. This happens all too frequently in the law, and causes a host of problems). The article's author was pointing out that oftentimes the term "unauthorized access" is not defined or is defined in a vague manner, leading to difficulties with interpretation.
More and more, I'm starting to think the law should just butt out when it comes to technical problems. How much different would the technological landscape look if administrators were fully liable for failing to secure their server? How much different would OSes look if the OS vendor was responsible for infection?
I think we'd all be a lot more secure.
Let's see what the dictionary has to say about it:
unauthorized - not endowed with authority, without official authorization.
Hmm..okay. And this is ambiguous how, exactly? I'm sure you could bring up all sorts of bullshit arguments ("just because I have a webserver running on port 80 doesn't mean I want people to visit my webiste," et. al.), but the truth is that everyone knows exactly what it means. It means that you're not supposed to hack into a computer and poke around in people's business..in fact you're not supposed to hack into a computer at all, unless it's your own. And hey, if it is your own, you already have "authorization."
A server on the internet is like a retail shop at the mall, It's there to be entered! Now, at the mall, sometimes, stores open before the "offical" hours. Hence, if the door is open, you can't get in trouble for going in--often there isn't a "sign" to say open or closed.
Also, there's lots of doors at the mall that are marked "Authorized Personel Only" and sometimes doors that aren't marked are still locked. In a very small case, of unlocked, unmarked doors but if you enter, the security guard will let you know to leave and someone ELSES ass will fry. Trying to pry a lock or enter a marked door will quickly get you scolded, maybe arrested if you don't comply--but there is a strong legal precedent for diligence of locking and marking in a public place. This isn't at all like entering your house.
What you have right now are old, loud-mouthed, corperate executives that want to have "internet" access to be "cool" but don't want to be responsible to understand how to use it--and too cheap to pay someone to do it properly! They immediately are getting the law involved instead of following a few simple instructions. And, unfortunately, the Law is all to ready to get it's fingers in our business! Looking at the ridiculous claims that prosecutors have been filing, it looks to be more of the "old Boy" network rather than working to make the systems work better and with more understanding of the rules. It's the typical selfish, egotistical mess [like the *IAA,and like] accelerated at internet speed!
okerr@main.nlc.gwu.edu
This is a golden opportunity to provide feedback where it might really make a difference. According to Professor Kerr's Curriculum Vitae , he will be a Law Clerk for U.S. Supreme Court Justice Kennedy for the October 2003 term.
Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.
The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimey, and what the script does surely counts as "access."
If I understand correctly, since there is no attempt as "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did, wasn't without authorization. No crime here, right?
Did I circumvent "regulation by code" with person C?
Did I circumvent "regulation by code" with person D?
There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.
Surely I crossed the line on person E. I'm not so sure about persons C and D.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
holy shit.
the next time i have something insightful to write, i'll fscking spell check and grammar and english check it.
sorry about that... i'm at work, and i got pulled away to do something, and i just hit submit without reviewing it.
my apologies. Hell, i'll rewrite it in my response to the lawyer who wrote the article. And, i'll actually cut and past from the RFCs to prove my point.
guns kill people like spoons make Rosie O'Donnell fat.
Another thing, how are these people getting away with storing data on machines and downloading secret documents because they 'aren't depriving the owners of their use' If I download software, leaving it intact on the server, I may have deprived the owner of a trade secret (I thought that for sure a lawyer would have seen that one!) Also, accessing private data, even though it's only to satisfy my curiosity could be construed as 'depriving the owner of sole ownership' which may or may not be critical. You don't need a new law to tell you that.
Conversly, even using some clock cycles 'deprives' someone of something. (even one or two) So a port scan could also be considered theft. (Not saying that I agree with that, but that's the way it looks to me) If I'm wasting clock cycles responding to port queries, or ICMP traffic, that's a DOS attack, plain and simple. I could be using my processor for better things. This was easier to see when all we had were 56 k modems all over the place.
Speak for yourself.
If I park my car on the public street in front of your house or business and sniff your unencrypted 802.11 traffic, many people might say that counts as access. But not by his definition.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Your browser is configured to request that pop-up. It might not be nice and you might not like it, but you turned over the rock the pop up was sitting under.
The rooted Red Hat box did not go out and request a rooting. The user, if they followed the install, made a difficult to guese password for root to prevent people from doing this. A cracker must seek out and trick such a computer to take it over.
The case of someone using the flaws in a browser to do nasty things is just the same as cracking the computer and should be distinguished from a "legitimate" unrequested popup window full of advertising shit. Gator and other crap like that does indeed fit the unauthorized use model. It's installed by trick, it's a fruadulent, unrequested and abusive use of a computer and should be condemed as one. Someone said it was like helping youself to the bathroom in your host's house. No, it and regular old cracking, is more like entering without permission and then pissing on your host's bed.
Friends don't help friends install M$ junk.
The whole problem here is that people are looking at these things the wrong way, from the get go. The point is not the machines, the point is the impact on people. Try to define things in terms of the technology and you are inevitably and irrevocably drawn into exactly the problems you describe, and there is no way out of them.
Machines don't matter. Technology doesn't matter. Only people do.
In the case of Explorica, I could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not.
Sounds good on Slashdot, but this is terrible legal advice.
Interestingly, the CFAA, and not the RFC is the law of the nation. The generalization fails, in both extreme and ordinary cases -- a person who serially guesses passwords until he succeeds has passed the passwd protocol, but has also hacked the machine to obtain unauthorized access -- this is not because of protocols, but because of the understanding that the password process is intended to be a gate.
Hypos can be built around HTTP scenarios that also use common sense understanding that some requests are ok, but others are verboten. YES, ABSOLUTELY, routine browsing can rarely create a CFAA claim, and in large part, I would argue from RFCs to show an implied consent to access information through routine protocols, but implied consents can be withdrawn -- and knowing entries where you are not wanted will be actionable AND criminal in appropriate cases, even if all you did was execute an HTTP GET.
The question is not really a technical one - nor is it even a purely legal one. It is a question of common sense and normative behavior. Was your conduct consented to, expressly or impliedly, and was the consent somehow vitiated by subsequent facts. It requires not a read of RFC's alone, but a review of the totality of the circumstances.
Social policy is more tricky than any simple mantra.
that line near the top as:
"GNU Law School, Public Law Research Paper No. 65"?
for a moment i thought what the..
Questions like this that are tossed out into the ether that is known as the 'net' {or whatever particular thing anybody wishes to call it} are comletely assinine. It lists right up there with 'e'this and 'i'that. Questions like this pretend that what's wrong/right changes if a computer or the internet is involved.
Unauthorized access boils down to this, just like in the real world...
If your not invited... stay out.
If it's not public... stay out.
If it's not yours, and you dont' have permission to enter... stay out.
If it's locked... stay out - don't pick the damn lock.
There's no fucking difference in applicability of unauthorized access between the 'real world' and computers/interent/etc...
It's not a huge philosophical question.
Steve's Computer Service, Hobbs, NM
"The computer has not agreed to let the defendant access the computer. Instead, the computer is tricked into letting the defendant access the computer through a misrepresentation...[t]he computer may "believe" that the user is someone else, ... may be tricked into unwittingly giving access...both cases reveal fraud in the factum"
IANAL, but this looks like one of the most logical approaches to the subject I've ever had the pleasure of skimming.This comment is fully compliant with RFC 527.
If you own a PC and attempt to access the internet to do anything, your a criminal. PERIOD.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimey, and what the script does surely counts as "access."
However, the only plausable explaination for there being penis-enlarger mail in my box is that someone else opt'ed me on to the list.
I must commend Mozilla's "Junk" filters for doing an excellent job of keeping my inbox clean from this kind of stuff.
Fight or flight its all the same
Live to die another day
--Ryan
This is just what we need. Another lawyer offering their "expertise" and thereby adding more FUD to our society. How about this for an issue paper topic "Imagine a world without lawyers" anyone on /. want to take a shot at that one ;-)
Another thread in alt.folklore.computers gives another example where "welcome" banners are mentioned:
From: EXE April 1992 v6 n10 p46
Process Communications Ltd. (UK)
Are hackers really criminals? (the UK Computer Misuse Act)
David Martin
"...a shop steward had been using a computer system in the middle of the night. The shop steward had already got an account of his own. However, by use of a password used by his daughter, he accessed information that he was not required, by his job, to be able to access. The Tribunal decided that although the employer should have defined exactly the extent of access permitted, any reasonable person would have realized that this was unauthorised [sic] access. A computer system manager should therefore ensure that any Welcome banner states that if the user does not have explicit permission to access the computer system and use it for an explicitly permitted set of actions, he should log out."
Apparently this has mutated over the years into the story told by people who don't bother to check their sources!
Helevius
By choosing to use Internet Explorer ( a nice browser ), the user agrees to accept popups in default mode. Mozilla ( another nice browser ), for example, is a browser that allows the user not to execute popups, with an easy switch of settings. Cant say as I am familiar with other browsers, but it seems it is a user choice whether or not you view popups, and nobody elses fault.
HenryJamesFeltus.com
This goes to convention which is not very well established for the net, and certainly not well legally established for the net.
For example, by accepted convention, a place of business that is not locked or marked closed may be freely entered (permission implied) while in the case of a residence, that same action is tresspassing. This is based on convention and interpretation of the owner's most probable permission.
On the net today, it is fairly safe to guess that a server with an open relay is NOT meant as an invitation to send out spam (unless the 220 message says send all the spam you want). It may or may not be an invitation to send an email to a friend. It is most likely not intentionally open, much like when someone forgets to lock the door when they leave home.
Just check whether the Evil Bit is set or not!
Enig? Det alt for hot det smor!