Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
When thinking about it, one could say that a popup ad "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
You can tell a great deal about the character of a man by observing those who hate him.
If this guy's recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guy's recommendations off the books.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...
/. the server, I'd think. If you are just going to the linked page to read the article, that's fine. But if you're collectively conspiring to bring a server to its knees...(as is the case in some links in comments to a story), well, consider yourself vulnerable to those lawyers.
I would think a lawyer could twist it that way, but they'd have to prove intent to
Are there really that many ISPs out there which disallow NAT use?
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary.)
What is "unauthorized access" to my house?
1. When some one comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarly to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come at my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area; if I lock something down with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home: no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
I think a better question would be, "What constitutes "Unauthorized" _Data_ access?"
It's often easier to access the data being served than it is to access the machine itself, and I think the debate would be much more valuable.
Maybe he addresses this, as I didn't RTFA.
--
|-_-| . o O ( bEef!)
Does this mean that if my doormat says "welcome" then anyone is free to break down my door and take all my stuff? If a judge actually accepted this argument he should be removed from the bench. It never ceases to amaze me how much is allowed to occur with computers that no one would tolerate out in the physical world.
Thinking about how to deal with hairy situations before they go to the court room is not a bad idea.
Read Bujold. Free (as in
but the prosecutors weren't particularly interested and were rather disappointed at my opinion
You should have sent that to the defense. The prosecutors aren't going to bring up any info that will possibly weaken their case.
I'm out of my mind right now, but feel free to leave a message.....
If it's trivial to access the system, then there should be no crime committed.
You cannot just leave an open webserver and expect people to 'just know' that they cannot request files from it. You cannot expect people not to poke around your unpassworded FTP server.
Trivial passwords should fall into the same category - you can't be bothered to take care of your data/services, you can't bitch when someone else reads it/uses them.
Beep beep.
Of course, you could look in a real dictionary, like the OED, and see what they have to say. And they say that access as a verb can be traced back to at least 1962, in a comp sci context no less:
access, v. 1. trans. a. To gain access to (data, etc., held in a computer or computer-based system, or the system itself).
1962 A. M. ANGEL in M. C. Yovits Large-Capacity Memory Techniques for Computing Systems 150 Through a system of binary-coded addresses notched into each card, a particular card may be accessed for read and write operations.
Note, lack of security does not equate to implicit authorization, since even if my front door is unlocked, if someone I do not want in my home comes in, they are still trespassing, even if I am not *at* home to tell them to get out (although if they steal anything, my insurance may not cover it since I had not shown diligence in taking care to prevent that). If, however, I come home to find this person in my house, even if they have not stolen or tried to steal anything, I can still charge them with trespassing.
Also note that mere possession of a suitable entry key or password does not equate to authorization, unless that possession is currently recognized as valid by authorized channels.
File under 'M' for 'Manic ranting'
I think that criminal intent should be criminalized.
This story is about unauthorized access. I think that defining unauthorized access is easy. It is an access that the owner would not give explicit permission for. If I have a house and leave all the doors open, it should be obvious that that is private property, and I don't expect anyone to welcome themselves inside. However, if I have a retail store I expect people to come in. The same should apply to cyberspace. It is unauthorized if it is not obvious that the unwashed masses are expected in.
One of the most foolish things I've ever heard is that someone who uses an exploit to get around a login banner that says "UNAUTHORIZED ACCESS PROHIBITED", is found not guilty of unauthorized access because he didn't see the banner.
-Brent
I agree the spider owner was a wank ... but this is human nature.
... but the fact that you opened it up for people to hit means that you're going to get your share of jerks who won't play by the rules and you need to account for that.
This is the exact reason we have things like traffic lights. Unfortunately, people just can't be trusted to act responsibly (in some situations) on their own.
So you are right, they were being stupid
...they call it various things but it falls roughly under "maintaining a public nuisance" or some such. You don't even have to be aware of it, or you can claim stupid, and it doesn't matter. Hmm, for instance, having a full swimming pool with no fence around it, some kid falls in, whoops! It's happened to people. I could see it easily applied to running a totally unsecured computer that is used as a spammer relay or zombie machine in an attack.
AND THEN, in turn, once clueless computer owner gets shafted, THEY can turn around and sue the OS distributor for selling an operating system that installs broken, and is wide open. Using the same law.
THAT would sort these things out a bit.
Just as a matter of discussion, I'd class millions of wide open computers out there as a major public nuisance. People who aren't consciously running a server by choice shouldn't be running a server! It's a completely simple and logical concept.
I'm not saying the law is 100% correct or "fair" in that regard, but the case law and precedent is out there in spades. Not sure if it was ever applied to computers though, but it would be an interesting case if it occurred. Follow culpability and "who suffers". Why should innocent person A suffer because computer user B allowed his machine to be used by haxor C in an attack? And I don't mean a really exotic take over situation, I mean using computers that ship and install with extremely insecure OS and apps that are obviously "too loose" for someone who isn't a server? Anyway, an argument along those grounds.
What constitutes "implicit permission"? Is an open port 80 and a responsible HTTP server evidence of "implicit permission", until the web page asks for a password? How would I get to that page (and realize that my access is explicitly prohibited because I don't have a password) without "accessing"?
Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.
That's not the problem. The problem is when somebody else thinks you're accessing without authorization, and sues or arrests you. What if cnn.com suddenly switched to a pay model, and defined a HTTP GET from a non-paying customer as "unauthorized access"?
Somebody brought it up as a joke, but the act of slashdotting a server is similar in result as a DDoS attack, but only one should be illegal and punishable. That's the result of "splitting hairs".
Let's see what the dictionary has to say about it:
unauthorized - not endowed with authority, without official authorization.
Hmm..okay. And this is ambiguous how, exactly? I'm sure you could bring up all sorts of bullshit arguments ("just because I have a webserver running on port 80 doesn't mean I want people to visit my website," et al.), but the truth is that everyone knows exactly what it means. It means that you're not supposed to hack into a computer and poke around in people's business..in fact you're not supposed to hack into a computer at all, unless it's your own. And hey, if it is your own, you already have "authorization."
The way I see "granting access" is that the person must first be authenticated, i.e. identified as "themselves", and then authorized.
To get a shell on any of my systems, you must first authenticate yourself with your userid, and then your password or key will authorize your access. The buffer overflow does neither. Also, if a user shares an account and knows a password, this is fraudulently authenticating themselves even though they pass the authorization step.
It's almost that simple...but let's use a real world example.
/intent/ matters, often more than your actions. Don't intend to murder someone but you do, not such a big thing. Intend to murder someone but don't, a much bigger deal. Unfortunately intent is not understood very well when it comes to cyber crimes. The law can't tell the difference between someone just checking if the door is closed because they legitimately wanted to access something, and someone trying to find the back door into the place. These standards will, for better or for worse, always vary from person to person, location to location. Try a door in East Nowhere Iowa and you're probably a good guy; try a door in Harlem and you must be a crook.
You go to a business on a Tuesday at 3PM. You try their door and find it locked. Turns out they are closed on Tuesdays. Is it unauthorized access? I think not.
Now, you go to the same business on the same Tuesday at 3PM. They are still closed, but forgot to lock their door. You walk right in, realize something is funny, and leave without taking anything. Is it unauthorized access? Maybe.
Finally, you go to the same business on Sunday night at 3AM, and poke at the door until it opens for you. Unauthorized access, yep.
You see, in the real world your
On the other hand, it could be argued that the concept of licensing as it's currently used in software is completely absurd.
If I rent an apartment, I pay a monthly fee to use that space. I don't own it. The fact that I don't own it has certain consequences: I have to continue to pay to continue to use it, but also, the owner is responsible for maintenance. If something breaks, the landlord is responsible for fixing it. If I'm renting a car, the company that owns it is also responsible for certain things. If the car breaks in some way under normal use, they have to fix it, as with the apartment; but if the car breaks something of mine--for instance, the CD player destroys a CD for no apparent reason--the company renting the car to me is responsible for damages.
So, now we get into the software. By analogy, the "owner" of the software--i.e., the company that developed it--is responsible for maintaining that software. "Normal use" would be defined as running the software for its intended purpose on supporting hardware under a particular operating system. If I'm running MS Word X for Mac, on my Mac, under Mac OS X, and the software corrupts itself and refuses to run again, Microsoft is responsible for fixing the software, regardless of what sort of "warranty" I may or may not have--after all, warranties are for things we purchase, not for things we rent. Further, if Word suddenly crashes for no reason, and I lose data, MS is responsible for reimbursing me for any losses incurred as a result of the crash. That is, unless I actually own the software.
If we extend this to hardware, the vendors get themselves into even more of a mess, because once again, it doesn't matter what sort of "warranty" I have, the manufacturer is responsible for ensuring that I have working hardware--indefinitely. There's no clause in any contract I signed when I "licensed" my computer that my license to use it expires after a certain amount of time; there's no clause that says that I can only expect it to work for a certain amount of time. Thus, if the processor fries itself under normal use ten years down the road, the manufacturer had damned well better fix it! Licensing software is pushing things; licensing hardware would be insane.
I found the meaning of life the other day, but I had write-only access.
In the case of Explorica, I could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not.
Sounds good on Slashdot, but this is terrible legal advice.
Interestingly, the CFAA, and not the RFC is the law of the nation. The generalization fails, in both extreme and ordinary cases -- a person who serially guesses passwords until he succeeds has passed the passwd protocol, but has also hacked the machine to obtain unauthorized access -- this is not because of protocols, but because of the understanding that the password process is intended to be a gate.
Hypos can be built around HTTP scenarios that also use common sense understanding that some requests are ok, but others are verboten. YES, ABSOLUTELY, routine browsing can rarely create a CFAA claim, and in large part, I would argue from RFCs to show an implied consent to access information through routine protocols, but implied consents can be withdrawn -- and knowing entries where you are not wanted will be actionable AND criminal in appropriate cases, even if all you did was execute an HTTP GET.
The question is not really a technical one - nor is it even a purely legal one. It is a question of common sense and normative behavior. Was your conduct consented to, expressly or impliedly, and was the consent somehow vitiated by subsequent facts? It requires not a read of RFCs alone, but a review of the totality of the circumstances.
Social policy is more tricky than any simple mantra.