Slashdot Mirror

← Back to Stories (view on slashdot.org)

Legally Defining "Unauthorized" Computer Access

Posted by michael on from the breaking-and-entering dept.

SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."

6 of 359 comments (clear)

  1. PDF link by Anonymous Coward · · Score: 4, Informative

    The article links to an abstract, which has a pdf link in it to the actual goodies. here is the pdf link, for your viewing pleasure. http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID39 9740_code030507630.pdf?abstractid=399740

  2. Court case by DNS-and-BIND · · Score: 5, Informative
    I was involved in a federal case where the defendant was accused of unauthorized access because he used EXPN and VRFY to determine a range of email addresses to mailbomb. I thought it was bullshit, and faxed them a copy of this page (God forbid they use email) indicating that these commands were publically availible to anyone on the internet, but the prosecutors weren't particularly interested and were rather disappointed at my opinion.

    The charge was eventually dropped at any rate.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  3. Oregon vs. Schwartz by swm · · Score: 4, Informative
    Commentary on a specific (and troubling) case where someone was convicted of "unauthorized" computer access

    http://world.std.com/~swmcd/steven/rants/merlyn.ht ml

  4. "Authorization" and DMCA by Sloppy · · Score: 4, Informative
    There are people who need to see this, such as lawmakers. But as for computer nerds, it's kind of obvious: Yes, the terms are vague and complex issues arise as a result. No duh.

    The vagueness of authorization was particularly noticable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.

    It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.

    The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):

    Under these precedents, nearly any use of a computer that is against the interests of its owner is an "access" to the computer either "without authorization" or "exceeding authorized access," triggering criminal unauthorizrd access statues.
    And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right? ;-) "Against the interests" is much simpler.

    It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!

    "Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  5. The good thing about laws by poopdik · · Score: 4, Informative

    The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.

    In california.. it goes something like this:
    (b) For the purposes of this section, the following terms have the following meanings:
    (1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
    (2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.

    I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.

  6. Re:Popups? by Frater+219 · · Score: 5, Informative
    Of course it's authorized. Your browser preferences allow pop-up to be displayed, or you'd never see them.

    That isn't at all an "of course" issue. If I place an unpatched default installation of Red Hat 6.2 on an Internet-connected host, my "preferences" (read: installed software) by default allow remote users to obtain root access. No matter how stupid or negligent I would be to do so, I would still expect that for someone to take advantage of those "preferences" to r00t the b0x0r would indeed be illegal. Similarly, just because Jane Winecooler's browser by default allows the installation of spyware and the forced display of popup spam, does not authorize anyone to set up booby-trapped Web sites which do such things to her browser.

    The idea that any access that my host does not block is by default an authorized access is compelling to the hacker (in the old sense) since it means that everything one can do, one may do, provided it is not obviously harmful. Under this construction, if you leave your box r00table, then I may r00t it -- but I may not (for instance) delete your files or use your host to DoS someone. However, I do not think this is a solid foundation for a polity which must include non-hacker computer users. Such people expect that unless they intend to grant access, nobody may access their computers.

    I hold host operators responsible for their own hosts' behavior and security. However, I also hold abusers responsible for their behavior in exploiting vulnerable hosts to do things that they know would be unwelcome to those hosts' owners. Spyware, abusive popup spam, r00ting, email spam, and the many other unwelcome abuses of people's systems are all simply different degrees of unwelcome, unauthorized access.