Slashdot Mirror

← Back to Stories (view on slashdot.org)

Legally Defining "Unauthorized" Computer Access

Posted by michael on from the breaking-and-entering dept.

SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."

9 of 359 comments (clear)

  1. Popups? by jmv · · Score: 5, Insightful

    When thinking about it. One could say that a popup add "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)

    --
    Opus: the Swiss army knife of audio codec
    1. Re:Popups? by Surak · · Score: 4, Insightful

      Not only that, but a lot of things could be illegal on the OTHER side of that fence.

      For instance, your ISP forbids you to hook more than one machine to your connection. You setup a NAT box. That NAT box is of course accessing one or more computers on the ISPs network (DNS server, mail server, news server, etc.). But you now have MULTIPLE computers accessing those boxes THROUGH the NAT box.

      You've just violated your contract between your ISP and yourself. And according to this paper, that means that you may have just committed not only a civil breach of contract, but also a CRIMINAL act for which you can be *incarcerated*.

      Wow. The implications of this are *staggering* if you think about that way.

      --
      My journal has hot /. gossip.
  2. Yet another example by b-baggins · · Score: 4, Insightful

    This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).

    --
    You can tell a great deal about the character of a man by observing those who hate him.
  3. The ultimate spam law by egburr · · Score: 4, Insightful

    If this guys recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
    Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
    I wonder how much money the spammer lobby will be sending to legislators to keep this guys recommendations off the books.

    --

    Edward Burr
    Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
  4. I always wonder... by Corvaith · · Score: 4, Insightful

    Are there really that many ISPs out there which disallow NAT use?

    The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."

    Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.

    But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.

    Are there that many places out there that ban NAT?

  5. Brief summary by alkali · · Score: 4, Insightful
    Prof. Kerr points out that a number of statutes criminalize "unauthorized access" to a computer, but that there has been little attention to what that means. He proposes that "access" be broadly defined (to include basically any kind of interaction with a computer) but that "unauthorized" or "without authorization" be narrowly defined.

    In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.

    He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.

    He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).

    (Note:: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary. )

  6. apply it like real life, by Vaughn+Anderson · · Score: 5, Insightful

    What is "unauthorized access" to my house?

    1. When some one comes in uninvited.
    2. When someone breaks into my house.
    3. When someone is in my house already and then I ask them to leave and they don't.

    Obviously these rules apply similarily to a website vs a brick and mortar.

    1. All people can come into my business
    2. If it is closed you cannot come in.
    3. If there is a private area you cannot have access to it.
    4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come and my asking and remove you from my premises.

    Why does the digital world have to be any different?

    My website is my business/public area, if I lock something done with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.

    No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...

    Where do I send this?

  7. Re:Using the word "Welcome" by bensej · · Score: 5, Insightful

    Does this mean that if my doormat says "welcome" Then anyone is free to break down my door and take all my stuff? If a judge actually accepted this argument he should be removed from the bench. It never ceases to amaze me how much is allowed to occur with computers that noone would tolerate out in the physical world.

  8. Re:Good ol' days by Fiver-rah · · Score: 4, Insightful
    But this isn't how things work. When a case comes up, and people ask "is this authorized?" the judge isn't going to sit there and decide on his or her own with no input at all from legal scholars. What's going to happen is that the judge (or, more likely, the judge's clerks) will query Lexis or Westlaw or something like that, and see what else has been written. The judgement that sets the precedent will most likely cite an immense body of legal work, possibly including this article.

    Thinking about how to deal with hairy situations before they go to the court room is not a bad idea.

    --
    Read Bujold. Free (as in