Slashdot Mirror
Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
When thinking about it. One could say that a popup add "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
Opus: the Swiss army knife of audio codec
This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
You can tell a great deal about the character of a man by observing those who hate him.
If this guys recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guys recommendations off the books.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...
/. the server, I'd think. If you are just going to the linked page to read the article, that's fine. But if you're collectively conspiring to bring a server to its knees...(as is the case in some links in comments to a story), well, consider yourself vulnerable to those laywers.
I would think a lawyer could twist it that way, but they'd have to prove intent to
Are there really that many ISPs out there which disallow NAT use?
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note:: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary. )
What is "unauthorized access" to my house?
1. When some one comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarily to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come and my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area, if I lock something done with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
Does this mean that if my doormat says "welcome" Then anyone is free to break down my door and take all my stuff? If a judge actually accepted this argument he should be removed from the bench. It never ceases to amaze me how much is allowed to occur with computers that noone would tolerate out in the physical world.
Thinking about how to deal with hairy situations before they go to the court room is not a bad idea.
Read Bujold. Free (as in
...they call it various things but falls roughly under "maintaining a public nusiance" or some such. You don't even have to be aware of it, or you can claim stupid, and it doesn't matter. Hmm, for instance, having a full swimming pool with no fence around it, some kid falls in, whoops! It's happened to people. I could see it easily applied to running a totally unsecured computer that is used as a spammer relay or zombie machine in an attack.
AND THEN, in turn, once clueless computer owner gets shafted, THEY can turn around and sue the OS distributor for selling an operating system that installs broken,and is wide open. Using the same law.
THAT would sort these things out a bit.
Just as a matter of discussion, I'd class millions of wide open computers out there as a major public nusiance. People who aren't consciously running a server by choice-shouldn't be running a server! It's a completely simple and logical concept.
I'm not saying the law is 100% correct or "fair" in that regard, but the case law and precedent is out there in spades. Not sure if it was ever applied to computers though, but it would be an interesting case if it occurred. Follow culpability and "who suffers". Why should innocent person A suffer because computer user B allowed his machine to be used by haxor C in an attack? And I don't mean a really exotic take over situation, I mean using computers that ship and install with extremely insecure OS and apps that are obviously "too loose" for someone who isn't a server? Anyway, an argument along those grounds.
It's almost that simple...but let's use a real world example.
/intent/ matters, often more than your actions. Don't intend to murder someone but you do, not such a big thing. Intend to murder someone but don't, a much bigger deal. Unfortunately intent is not understood very well when it comes to cyber crimes. The law can't tell the difference between someone just checking if the door is closed because they legitimately wanted to access something, and someone trying to find the back door into the place. These standards will, for better or for worse always vairy from person to person, location to location. Try a door in East Nowhere Iowa and you're probably a good guy, try a door in Harlem and you must be a crook.
You go to a business on a tuesday at 3PM. You try their door and find it locked. Turns out they are closed on tuesdays. Is it unauthorized access? I think not.
Now, you go to the same business on the same tuesday at 3PM. They are still closed, but forgot to lock their door. You walk right in, realize something is funny, and leave without taking anything. Is it unauthorized access? Maybe.
Finally, you go to the same business on Sunday night at 3AM, and poke at the door until it opens for you. Unauthorized access, yep.
You see, in the real world your
On the other hand, it could be argued that the concept of licensing as it's currently used in software is completely absurd.
If I rent an apartment, I pay a monthly fee to use that space. I don't own it. The fact that I don't own it has certain consequences: I have to continue to pay to continue to use it, but also, the owner is responsible for maintenance. If something breaks, the landlord is responsible for fixing it. If I'm renting a car, the company that owns it is also responsible for certain things. If the car breaks in some way under normal use, they have to fix it, as with the apartment; but if the car breaks something of mine--for instance, the CD player destroys a CD for no apparent reason--the company renting the car to me is responsible for damages.
So, now we get into the software. By analogy, the "owner" of the software--i.e., the company that developed it--is responsible for maintaining that software. "Normal use" would be defined as running the software for its intended purpose on supporting hardware under a particular operating system. If I'm running MS Word X for Mac, on my Mac, under Mac OS X, and the software corrupts itself and refuses to run again, Microsoft is responsible for fixing the software, regardless of what sort of "warranty" I may or may not have--after all, warranties are for things we purchase, not for things we rent. Further, if Word suddenly crashes for no reason, and I lose data, MS is responsible for reimbursing me for any losses incurred as a result of the crash. That is, unless I actually own the software.
If we extend this to hardware, the vendors get themselves into even more of a mess, because once again, it doesn't matter what sort of "warranty" I have, the manufacturer is responsible for ensuring that I have working hardware--indefinitely. There's no clause in any contract I signed when I "licensed" my computer that my license to use it expires after a certain amount of time; there's no clause that says that I can only expect it to work for a certain amount of time. Thus, if the processor fries itself under normal use ten years down the road, the manufacturer had damned well better fix it! Licensing software is pushing things; licensing hardware would be insane.
I found the meaning of life the other day, but I had write-only access.