Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
The article links to an abstract, which has a pdf link in it to the actual goodies. Here is the pdf link, for your viewing pleasure: http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID399740_code030507630.pdf?abstractid=399740
The charge was eventually dropped at any rate.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Since their server is almost dead, I managed to pull this off before the /. effect kills it.
Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes
ORIN S. KERR
George Washington University - Law School
GWU Law School, Public Law Research Paper No. 65
New York University Law Review, Vol. 78, November 2003
Abstract:
In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.
This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.
Keywords: cybercrime, computer crime, unauthorized access, code
For all the kiddies who can't access the pdf file:
http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID399740_code030507630.pdf?abstractid=399740
:)
Enjoy!
Interesting... I thought I knew what those words meant until I started thinking about it... but that won't stop me from giving it a stab:
unauthorized: Exposure of information / access to systems to / by individuals not authorized to receive it / access the system.
access: 1. The ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system. 2. To obtain the use of a resource. 3. [The] capability and opportunity to gain detailed knowledge of or to alter information or material. 4. [The] ability and means to communicate with (i.e., input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. Note [for 3 and 4]: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents him/her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. 5. An assigned portion of system resources for one data stream of user communications or signaling.
Thanks to google and Federal Standard 1037C.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
http://world.std.com/~swmcd/steven/rants/merlyn.html
You can look at it as Apache/IIS allowing access to port 80, or restricting access to only port 80, and only a certain publicly available part of the filesystem.
If you view it the latter way, then exploiting it to get access to another protocol, or section of the filesystem would clearly be a trespass.
I.e., I run a business like a barbershop out of the front room of my house, or say I live above a store. This doesn't give the public access to go check out my bedroom.
I don't need no instructions to know how to rock!!!!
The vagueness of authorization was particularly noticeable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*) I bet if you take a poll of regular people on the street, 9 out of 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.
It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.
The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):
And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right? It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!
"Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
For those of you who aren't familiar with what Morris did, or who didn't read the section I'm discussing: he is the one responsible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceeded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:
These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)
The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.
In California, it goes something like this:
(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
That isn't at all an "of course" issue. If I place an unpatched default installation of Red Hat 6.2 on an Internet-connected host, my "preferences" (read: installed software) by default allow remote users to obtain root access. No matter how stupid or negligent I would be to do so, I would still expect that for someone to take advantage of those "preferences" to r00t the b0x0r would indeed be illegal. Similarly, just because Jane Winecooler's browser by default allows the installation of spyware and the forced display of popup spam, does not authorize anyone to set up booby-trapped Web sites which do such things to her browser.
The idea that any access that my host does not block is by default an authorized access is compelling to the hacker (in the old sense) since it means that everything one can do, one may do, provided it is not obviously harmful. Under this construction, if you leave your box r00table, then I may r00t it -- but I may not (for instance) delete your files or use your host to DoS someone. However, I do not think this is a solid foundation for a polity which must include non-hacker computer users. Such people expect that unless they intend to grant access, nobody may access their computers.
I hold host operators responsible for their own hosts' behavior and security. However, I also hold abusers responsible for their behavior in exploiting vulnerable hosts to do things that they know would be unwelcome to those hosts' owners. Spyware, abusive popup spam, r00ting, email spam, and the many other unwelcome abuses of people's systems are all simply different degrees of unwelcome, unauthorized access.
By a similar token, does allowing anonymous ftp access mean that anyone can use the ftp site?
If someone sets up an ftp with full access to anonymous users, can they really say it's unauthorized when a million kiddies start trading warez through there? (I'm wondering about all the 'pubs' which are basically "stolen" space on public ftps for the warez kiddies.)
The piracy is a crime, but does a computer trespass take place? (Say they were trading Red Hat ISOs for the sake of argument)
Here is one page I found that suggests using the word "welcome" in a login banner is asking for trouble. It has some other related info as well.
Trolls lurk everywhere. Mod them down.
I have to disagree on this one. Interpreting common law cases can be some of the most difficult work performed by an attorney. In the US, it includes all statutory and case law background of England and the American colonies before the American Revolution. Common law is not the opposite of civil law but rather of current statutory law. It may include civil as well as criminal components. It most certainly is not simple.
Nah, just use Mozilla and one of those userContent css files that will let you block ads, etc. Although I'm still looking for one for flash adverts using the embed tag...