Slashdot Mirror


Legally Defining "Unauthorized" Computer Access

SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."

29 of 359 comments

  1. Re:Popups? by Anonymous Coward · · Score: 1, Interesting

    You also "access" the popups http daemon. Both actions (you receiving the popup, and you accessing their server) aren't really your fault, but the law is pretty vague.

  2. Which is worse? by jonfelder · · Score: 5, Interesting

    The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack. You could practically murder someone and spend less time in jail than if you commit a computer crime.

  3. Common sense... by Elvisisdead · · Score: 4, Interesting

    ...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.

    I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.

    --

    "Want in one hand and spit in the other and see which one fills up first." - My Dad
    1. Re:Common sense... by zapp · · Score: 3, Interesting

      It does seem to make sense that way, but what if you got a virus that forces your computer to act as part of a node in an attack network. Your computer actively intrudes... but you may not even know what's going on.

      Are you liable for allowing a virus on your computer?
      Is your anti-virus maker liable for allowing your computer to have a virus, even though you have their protection software installed?
      Is the virus writer (if you can find him/her) liable since they wrote it?
      What if that virus was just an academic experiment that got out of control, with innocent intentions?

      --
      no comment
    2. Re:Common sense... by Beryllium+Sphere(tm) · · Score: 4, Interesting

      But there's a wide range of activities that educated computer users can argue about. Consider the debates that pop up regularly on Slashdot about the ethics of port scans, war driving, spam and so forth.

      Of course you're free to argue that Slashdot discussions aren't informed by "common sense".

      The root problem is that a lot of permission is implicit and is conditional on unwritten rules. The Bedouin did the same thing with water wells. Everybody knew that a well was property. Everybody knew that travelers were implicitly allowed to dip in one or two at a time. Everybody also knew that watering your entire flock at someone else's well would get you killed.

      The legal system may already have answers. After all, it's been resolving disputes for thousands of years. Trespass law has all sorts of concepts of notice and intent that could be used for computer law.

  4. Definition of illegal access by Anonymous Coward · · Score: 5, Interesting

    From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.

    HOWEVER, many states have local statutes making simple trespass illegal.

    Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.

    Vic Vandal

  5. Good ol' days by ergonal · · Score: 4, Interesting

    Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)

    1. Re:Good ol' days by Obfuscant · · Score: 2, Interesting
      Remember when the Internet was about sharing?

      Yep. And I remember when the Internet was about 1000 sites big, and if someone was using more of your resources than you wanted them to, you would ask them to stop and they actually would. And those who did use your resources might actually have something they would share in return.

      Now it's millions of script kiddies and people with nothing but their hands out demanding more of whatever it is you have, telling you to either allow them access to everything they want as much as they want or get the hell off the net because 'the net is about sharing' (not that they've done any sharing themselves).

      Or they're "probing" you, trying to find any means they can to get around the access controls you have put on your systems, thinking that if it's on the net, it's theirs for the taking.

      Here's a story. Once upon a time, I had a web server, using freeware, that provided tide predictions. It took about 30 seconds to calculate each page. Along came a spider which happily followed the "next day" and "next month" links, asking for tide predictions -- every 15 seconds. You do the math. Can you say "100% CPU" and "wasted cycles"? The response from the indexer running this abusive spider was "it's on the net, we have the right to access it."

      Yeah, I remember the good old days.
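
Added example, not part of any comment in the thread: the tide server in the story above had no code-based restriction at all, so the spider's only limit was the unwritten one it ignored. The Python below turns that norm into an enforced one, a per-client budget of server time (a cost-aware token bucket) that answers 429 once a client has used more than its share. The 30 s page cost and the 15 s spider interval come from the story; the bucket size, the addresses and the timestamps are assumptions made for the simulation.

```python
"""Cost-aware per-client token bucket: turning an unwritten limit into a coded one.

Added example, not code from the thread. The 30 s page cost and the 15 s spider
interval come from the story above; bucket size, addresses and timestamps are
assumptions made for the simulation.
"""
from collections import defaultdict

MS_PER_SEC = 1000  # the server earns 1 CPU-second of budget per wall-clock second


class CostBucket:
    """How much server time (in ms) one client may still consume."""

    def __init__(self, capacity_ms, now):
        self.capacity_ms = capacity_ms
        self.budget_ms = capacity_ms   # a new client starts with a full burst allowance
        self.last = now

    def charge(self, cost_ms, now):
        # Refill for the time elapsed, capped at capacity; integer math keeps
        # the accounting exact.
        elapsed = max(0, now - self.last)
        self.budget_ms = min(self.capacity_ms, self.budget_ms + elapsed * MS_PER_SEC)
        self.last = now
        if self.budget_ms >= cost_ms:
            self.budget_ms -= cost_ms
            return True
        return False


class RateLimiter:
    """One bucket per client; a request is served only if its cost fits the budget."""

    def __init__(self, capacity_ms):
        self.capacity_ms = capacity_ms
        self.buckets = {}

    def allow(self, client_ip, cost_ms, now):
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = CostBucket(self.capacity_ms, now)
        return bucket.charge(cost_ms, now)


def serve(requests, page_cost_ms=30_000, capacity_ms=60_000):
    """Replay (timestamp_s, client_ip) pairs; return {ip: (served, rejected_with_429)}."""
    limiter = RateLimiter(capacity_ms)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        if limiter.allow(ip, page_cost_ms, ts):
            stats[ip][0] += 1   # 200 OK: the 30 s of prediction work is actually done
        else:
            stats[ip][1] += 1   # 429 Too Many Requests: answered at once, no work done
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed traffic: a spider following "next day" every 15 s for ten minutes,
# and one person reading three pages (RFC 5737 documentation addresses).
SPIDER = "192.0.2.10"
HUMAN = "198.51.100.7"
TRAFFIC = [(15 * i, SPIDER) for i in range(40)] + [(0, HUMAN), (120, HUMAN), (400, HUMAN)]

if __name__ == "__main__":
    for ip, (ok, rejected) in serve(TRAFFIC).items():
        print(f"{ip}: {ok} served, {rejected} rejected with 429")
```

With these numbers the spider ends up getting roughly one page per 30 s, which is all the machine can compute anyway, while the 19 surplus requests cost nothing; the human reader never sees a 429. In a real server `now` would come from `time.monotonic()` and the 429 response should carry a Retry-After header so a well-behaved crawler knows the limit exists.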

  6. How about if it's password protected? by LordNimon · · Score: 4, Interesting

    How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
    1. Re:How about if it's password protected? by Jack+Porter · · Score: 3, Interesting

      This is a naive suggestion.

      What about exploiting buffer overflows on an HTTP or DNS server - no password was ever requested, but it gave you a root shell because there was a flaw in the software after you gave it a specially formulated request. Does that make your root shell access authorized?

      There are plenty of other cases where needing a password doesn't cut it as a definition of "authorized access".

  7. Interesting consequences by MalleusEBHC · · Score: 3, Interesting

    Near the end (I started at about page 50), he states that accessing a computer "without authorization" should only be considered true in cases where a cracker has circumvented code-based restrictions, not contract-based restrictions. Part of me thinks this is a great idea conceptually, but part of me is worried about the implications it would have for the vast majority of home computer users.

    By saying that only when you break code-based restrictions are you committing unauthorized access, this puts the responsibility on the user to secure their box. For most /.'ers, this is already a given. Be it with firewalls, NIDS, or whatnot, I'm sure everyone on here is doing something to make sure that people aren't getting access to your system. I think one of the best points he makes is that as long as you implement code that is intended to stop malicious attacks, that is enough legally to build your case. I'm sure many average users have misconfigured firewalls or something that would allow someone knowledgeable to crack their machine. I'm sure there are stupid sysadmins out there who have insecure networks. While I don't think this excuses you from not keeping up to date, patching, etc., I think it is a good step to take.

    My biggest worry is that the definition of code-based restrictions could be misconstrued. Say for example you lock down everything except Apache/IIS running on port 80. Since both these two have had security exploits in the past (not trying to start a holy war here), what happens if someone exploits your webserver to gain more access? Obviously you have given access to the webserver on port 80. If one of the "features" of the webserver is a buffer exploit, would it still be considered circumventing a code-based restriction to exploit it? I think most here would agree that it is, but as we all have seen, most judges are not your average /.'er and make rulings that seem ignorant of the technologies.

  8. Using the word "Welcome" by Gudlyf · · Score: 4, Interesting

    I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being committed?

    --
    Trolls lurk everywhere. Mod them down.
  9. Re:Popups? by lightspawn · · Score: 5, Interesting

    One could say that a popup ad "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)

    Of course it's authorized. Your browser preferences allow pop-ups to be displayed, or you'd never see them. The combination of your browser configuration and your request for a web page that contained Javascript code, plus the fact you authorized your browser (and by extension, the sites you access) to run such code, is all the authorization that is needed.

    Don't try to solve technical problems by legal means. It wastes your time and annoys the pig.

  10. Re:Yet another example by Anonymous Coward · · Score: 2, Interesting

    Not necessarily; my dad and I had a discussion on this yesterday in terms of spammers.

    Is a spammer unauthorized to use an open relay? I definitely think it's unethical, but think about it for a second. The admin set up the mail server as an open relay. Now, did he purposely set it up this way, or was it a default that he wouldn't have wanted? If the person set it up to allow others to use it, maybe for some remote users, he still didn't intend the general public to use it.

    How does the law apply here? Is it implicit consent because it is open? Does the admin have to knowingly set it up this way? It does get tricky here, because the intent of the admin is taken into account. It is similar to anonymous FTP: how do you know you are allowed to use the server? ftp.mozilla.org is clear, but what about some company that doesn't realize it? And in that case, how do you know if the company doesn't realize it or wants it that way?

    I think sending one email through an open relay (for what purpose? I don't know) would not be unethical. If it was a harassing/whatever email, the use of the open relay wouldn't come into play; the message would be considered. But a person that sends HUGE quantities of email through it would be considered unethical.

    My definition of spam is simple: Unsolicited Bulk Email. It does not have to be commercial in content, so this would also include politicians (I consider that commercial personally, but that's a whole different issue ;)

    This definition simplifies things: if I send an email to someone I haven't communicated with before, it would be unsolicited, but it wouldn't be bulk. If I send a thousand out to a (legit) mailing list, it wouldn't be unsolicited.

  11. Re:Popups? by 3247 · · Score: 2, Interesting
    Actually, the paper says exactly the opposite:
    ... the Article offers a normative proposal ... [and] argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.
    --
    Claus
  12. Re:Popups? by Surak · · Score: 2, Interesting

    This is how the author would change the laws if it were up to him. A recommendation. Actual laws may vary, but the article specifically says that some jurisdictions are actually defining 'illegal access' by the contract theory of authorization.

  13. In the eye of the beholder by smoondog · · Score: 2, Interesting

    Unauthorized access should be defined by the user, the ISP, the network, and differs from place to place. ISPs, as a general rule, should have broad access restrictions that should be open and accessible, and users with networks or public computers (WWW, etc.) should have their own.

    -Sean

  14. Re:Court case by Beryllium+Sphere(tm) · · Score: 2, Interesting

    Didn't say or imply anything of the sort. The grandparent article was about the folly of trying to jail someone for using EXPN and VRFY.

    It could work to criminalize doing something legal with illegal intent, but it's a dangerous road to go down.

  15. Re:Yet another example by alkali · · Score: 4, Interesting
    Criminal law has been almost exclusively a law of statutes for a very long time. California eliminated common law crimes in 1873; many other states have also done so.

    There is no federal common law of crimes, and pretty much no federal common law of any sort outside of a few narrowly defined areas (e.g., admiralty and maritime law).

    Why you think that common law (unwritten, a tradition embedded in thousands of precedential cases contained in law reporters that few public libraries have) is necessarily better for the "average Joe" than civil law (statutes available online for anyone who cares to read them) is not clear.

  16. Re:Popups? by SN74S181 · · Score: 4, Interesting

    Or, it could be said that since your keyboard, which has a microprocessor in it, and also your hard drive, are both connected to the CPU that is attached to your computer, which is connected to the Internet through an ISP, that you've attached multiple machines to the network, even when you only have one 'computer' connected. Or is it the embedded controller in your modem or on your ethernet card that is connected and hence your main CPU is in violation of the 'one machine' rule??

  17. Re:I always wonder... by nolife · · Score: 2, Interesting

    I received a snail mail from Comcast a few months ago for the same thing. They even offered 2/256k speed for the service which is an upgrade from the normal 1.5/256 (1.5/128 at the time) all for only $10 more a month including the Linksys Wireless router. The goal of the advertising package was wireless access from anywhere in your house and more speed for "demanding" business applications when others are online in the house also. The full color ad had pictures of kids playing online games in the family room while Mom was in the den in a business suit, talking on the phone and typing away in a fake spreadsheet application.

    I was never able to find any information online about that deal and a call to CS about the package was useless. Maybe it was a limited test of some sort that failed?

    Funny how they advertise these things and at the same time complain about people using too much of their "unlimited" internet driving up costs.

    --
    Bad boys rape our young girls but Violet gives willingly.
  18. Re:Yet another example by kfx · · Score: 2, Interesting

    Why you think that common law (unwritten, a tradition embedded in thousands of precedential cases contained in law reporters that few public libraries have) is necessarily better for the "average Joe" than civil law...

    Common law is better for the average Joe because, being unwritten as it is, it is by necessity far simpler and more straightforward. This as opposed to the contorted legalese that comprises nearly all civil law, specially designed to be so complicated that you have to hire someone who makes a living of knowing it all to defend you in court... yet so very easy for the courts to interpret far more broadly than it should.

  19. Re:Yet another example by LarsG · · Score: 3, Interesting

    Is a spammer unauthorized to use an open relay? I definitely think it's unethical, but think about it for a second. The admin set up the mail server as an open relay. Now, did he purposely set it up this way, or was it a default that he wouldn't have wanted? If the person set it up to allow others to use it, maybe for some remote users, he still didn't intend the general public to use it.

    This point is also relevant with regard to wireless access. Does the fact that an access point allows you to associate with it and a DHCP server provides network settings for you mean that it is OK for you to access the network?

    My personal view is that the Internet should default to open - if there are no barriers (whether effective or ineffective), then the default assumption should be that the administrator/installer/owner intended for the resource to be available to the Internet at large. Otherwise, it would become a legal minefield just to surf, let alone turning on your laptop with a wireless card in the middle of Wall Street. The effect is that the owner of a resource has an obligation to block/deny access if he does not intend for it to be publicly available.

    That goes both for wireless access points and mail relays.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  20. No attempt to dissect what is actually happening by gsfprez · · Score: 4, Interesting

    Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwidth that is attached to the Wi-Fi network (wired or unwired).... these things are much simpler, and FAR less confusing, if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world analogies of law, such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility on the property owners to know - carnally - what is going on with what they bought.

    I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station has MAC address access lists and uses WEP - regardless of how piss-poor they are in providing ACTUAL security... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.

    But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPs and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?

    What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays - is that, at the actual protocol levels, each of THESE cases is a slam dunk.

    If I request a DHCP lease, and the open base station gives me an IP and a lease, then, by definition, I have not gained access in an unauthorized manner. That person's equipment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, it's not unauthorized.

    If I request a URL with an HTTP GET, and the server happily sends me a file that was in a directory that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if I ASK for access, and you GIVE it to me, then that access is AUTHORIZED.

    Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..

    In the case of Explorica, I could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.

    If I do a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. I didn't REQUEST ACCESS.. I requested data - and you gave it to me.. be it a letter, a picture named "45728.jpg", the company's secret files improperly stored on a website...

    If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...

    1. I am a robber, and I threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.

    2. I am a beggar, and I do not threaten you in any way. You give me all your money freely.

    In example 1, I am violating protocol... I am threatening you. In example 2, I violate no protocol, and in no way threaten you; your decision to give me all your money, while perhaps foolish and stupid on your part, is your free will.

    Open websites, open Wi-Fi base stations, and SMTP relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modification, and yet YOU GIVE ME DATA.... there cannot be any crime.

    just as there is no crime in giving a person money on a train, so long as there is no violati

    --
    guns kill people like spoons make Rosie O'Donnell fat.
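
Comments 10, 19 and 20 above all turn on the same moment in the protocol: the relay answers "250 Ok" to a stranger. Added example, not code from the thread or from any real MTA: a non-destructive open-relay probe in Python, run against a scripted SMTP server whose relay decision is a configuration choice. The same daemon, configured three ways by three administrators, gets the identical exchange from the probe and answers differently; the protocol cannot tell the probe which answer the administrator meant. The server model, the configuration names, the hostnames and the addresses (RFC 2606 example domains, RFC 5737 documentation addresses) are constructed for the demonstration.

```python
"""Non-destructive open-relay probe against a scripted SMTP server.

Added example, not code from the thread or from any real MTA. The probe asks the
server to accept mail from an outside sender to an outside recipient and stops
before DATA, so nothing is ever relayed. The server model, its configuration,
and the names and addresses (RFC 2606 example domains, RFC 5737 addresses) are
constructed for this demonstration.
"""


class ScriptedSmtpServer:
    """Minimal SMTP responder whose relay decision lives entirely in its config."""

    def __init__(self, local_domains, relay_clients, client_ip):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_clients = set(relay_clients)   # "*" models a never-edited default config
        self.client_ip = client_ip
        self.sender_seen = False

    def reply(self, line):
        """Server's reply to one client line; None fetches the greeting banner."""
        if line is None:
            return "220 mail.example.org ESMTP"
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.org"
        if verb == "MAIL":
            self.sender_seen = True
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if not self.sender_seen:
                return "503 5.5.1 Error: need MAIL command"
            addr = line.split(":", 1)[1].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain in self.local_domains:
                return "250 2.1.5 Ok"              # local delivery, always fine
            if "*" in self.relay_clients or self.client_ip in self.relay_clients:
                return "250 2.1.5 Ok"              # relaying because the config says so
            return "554 5.7.1 Relay access denied"
        if verb == "RSET":
            self.sender_seen = False
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def probe_open_relay(talk, sender="probe@example.com", recipient="probe@example.net"):
    """Run the relay test over talk(line) -> reply; return 'open', 'closed' or 'unexpected'.

    Both addresses are foreign to the server, so a 250 on RCPT TO means it will
    carry third-party mail. The envelope is reset before QUIT; DATA is never sent.
    """
    if not talk(None).startswith("220"):
        return "unexpected"
    for command in ("EHLO probe.example.com", f"MAIL FROM:<{sender}>"):
        if not talk(command).startswith("250"):
            talk("QUIT")
            return "unexpected"
    verdict = talk(f"RCPT TO:<{recipient}>")
    talk("RSET")
    talk("QUIT")
    if verdict.startswith("250"):
        return "open"
    if verdict.startswith(("550", "554")):
        return "closed"
    return "unexpected"


# Same daemon, three administrators; only the intent expressed in config differs.
CONFIGS = {
    "never-edited default": dict(local_domains=["example.org"], relay_clients=["*"]),
    "relay for branch office": dict(local_domains=["example.org"], relay_clients=["198.51.100.7"]),
    "locked down": dict(local_domains=["example.org"], relay_clients=[]),
}


def probe_all(client_ip):
    """Probe every configuration from one client address."""
    return {name: probe_open_relay(ScriptedSmtpServer(client_ip=client_ip, **cfg).reply)
            for name, cfg in CONFIGS.items()}


if __name__ == "__main__":
    for who, ip in (("stranger", "203.0.113.5"), ("branch office", "198.51.100.7")):
        print(who, probe_all(ip))
```

From the stranger's address only the never-edited default reports "open"; from the branch-office address the second configuration reports "open" too, which is exactly what its administrator intended. The probe sees the same bytes in both cases, which is why it can report what the server will do but not whether anyone meant it to.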
  21. Re:a difference by Vaughn+Anderson · · Score: 2, Interesting

    Actually it does apply.

    If someone at a store removes (or forgets to label) a private area of the store and a person goes in there, is it the person's fault or the store's?

    I figure people are automatons at times enough to fill the same analogy. But if they take something from that room, the fact that it was private or not is irrelevant, as it is stealing.

    If someone makes a map to that room and says "go here" (aka, a link) then it's the store's job to lock it down.

    The point you make about security is a matter of damage and stealing, not really access. If you drop a private letter on a public street, I doubt there is a law to protect you from a newspaper publishing your private letter.

    If you drop your security online for a public website, then the only recourse you can get is damages, not unauthorized access, as your site is publicly accessible.

    BUT, my computer, no, that is illegal access. A public web site without proper "doors" and "stay out" signs, no, that is not illegal access; that is negligence on the part of the site owner. I personally have a real problem with people just walking into my house, even if they don't take anything.

    My website though is out there for the sole purpose of having people see it. If you don't want people to see it, then put a password on it, and then if someone gets in, then it's unauthorized access.

    It can't be helped if people don't know how to lock down their site; it's a risk they are taking if they don't, won't or can't secure their site.

  22. Re:RIAA is unauthorized ... unless licensed by ePhil_One · · Score: 3, Interesting
    If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized.

    Unfortunately I see this drivel from time to time. If you have your entire hard drive available via your web server, kazaa, CIFS, or any other non-password protected (that is reasonably secure, as in, not posted to alt.hacks.cracks.warez.porn) you have effectively granted permission to the world to view it for free. You can't arbitrarily decide group A can't read it without charge, anymore than you could walk down the street with a sign saying anyone who reads this notice owes me $100.

    Now, if the RIAA were to hack into your computer and access data, that would be another thing, though stupid claims about your data being worth $1/kb (not even Oracle costs that much) will label you as an idiot for the court.

    Someone will be by to bitch-slap you later. Be expecting them.

    --
    You are in a maze of twisted little posts, all alike.
  23. Regulation by code by Sloppy · · Score: 4, Interesting
    I think that "regulation by code" could still be vague.

    Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.

    The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.

    I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimy, and what the script does surely counts as "access."

    • Most of my recipients are running a mailreader that doesn't automatically execute scripts, so my email has no effect except to use some disk space. Or maybe some of them even run filters that drop my mail before it gets stored.
    • Person A is running the mail client that I designed the script for, and it executes the script. It runs, and then reports back to me he let the animation run to completion. Person A is amused by the animation, though probably doesn't realize everything the script did.

      If I understand correctly, since there is no attempt at "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did wasn't without authorization. No crime here, right?

    • Person B also runs that same mailreader, but the mail exchange for his domain, filters out all mail that contains the word "penis." So he never got it and it never even had a chance to run. No crime here.
    • Person C has the same kind of filter, but his filter is misconfigured, and it fails to stop my mail. Again: the exchange is intended to filter, but it's not working correctly. I don't know why. I didn't even know he had a filter. But it's there. I didn't do anything (so far as I know) that influenced whether or not my mail would get through the filter, but it did. Person C's workstation executes my script, and he is annoyed.

      Did I circumvent "regulation by code" with person C?

    • Person D has a filter, but I already suspected that he might have one and that it might filter out messages containing the word "penis." I change that one word in my mail to a synonym and it gets through his filter and executes. I took an active and deliberate (but speculative) measure to bypass a filter that I thought may or may not be there. Gee, what a lame filter.

      Did I circumvent "regulation by code" with person D?

    • Person E's filter has a bug that will pass any message that is a multiple of 666 bytes long. Otherwise, it aggressively blocks any mail that contains a script or the name of a body part. I know for certain that he has this filter and I know about the bug, so I pad my message to a multiple of 666 bytes, thereby willfully exploiting the bug and it gets through and executes. Person E is furious.

      There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.

    Surely I crossed the line on person E. I'm not so sure about persons C and D.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
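
Added example, not part of Sloppy's comment: the five recipients as code. The Python below implements the exchange-side keyword filter, the misconfigured copy of it, and the buggy one that passes any message whose length is a multiple of 666 bytes, then sends the same ad through each, with the synonym swap for person D and the padding for person E. The recipients, the blocked word, the swap and the 666-byte bug are the scenario from the comment; the message text and the function names are constructed for the demonstration. Every filter returns True when the message reaches the mail reader (and so the script runs).

```python
"""The five recipients as code: keyword mail filters and how a message gets past them.

Added example, not code from the thread. The recipients, the blocked word, the
synonym swap and the 666-byte bug are the scenario in the comment above; the
message text and function names are constructed for the demonstration. Every
filter returns True when the message is delivered to the mail reader.
"""
import re

BODY_PARTS = (b"penis",)
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)

# Constructed ad: a script the naive mail reader would execute on open.
AD = (b"Subject: Your penis-enlarger info\r\n\r\n"
      b"<script>play(); report_back('viewed')</script>\r\n")


def keyword_filter(msg, blocked=BODY_PARTS):
    """Person B's exchange rule: drop any mail containing a listed word."""
    low = msg.lower()
    return not any(word in low for word in blocked)


def misconfigured_filter(msg):
    """Person C: the rule is installed but the word list it loaded is empty."""
    return keyword_filter(msg, blocked=())


def buggy_filter(msg):
    """Person E: blocks scripts and body parts, except that a message whose
    length is a multiple of 666 bytes is passed untouched (the bug)."""
    if len(msg) % 666 == 0:
        return True
    return not SCRIPT_RE.search(msg) and keyword_filter(msg)


def swap_word(msg, old, new):
    """Person D's sender: guess at the word list and substitute a synonym."""
    return re.sub(re.escape(old), new, msg, flags=re.IGNORECASE)


def pad_to_multiple(msg, n):
    """Person E's sender: knows the bug, pads the message to trigger it."""
    return msg + b" " * ((-len(msg)) % n)


def delivery_outcomes(ad=AD):
    """Which recipient's mail reader ends up running the script, and why."""
    return {
        "A: no filter": True,
        "B: keyword filter": keyword_filter(ad),
        "C: misconfigured filter": misconfigured_filter(ad),
        "D: synonym swapped past filter": keyword_filter(swap_word(ad, b"penis", b"member")),
        "E: padded to 666n past buggy filter": buggy_filter(pad_to_multiple(ad, 666)),
        "E: unpadded, for comparison": buggy_filter(ad),
    }


if __name__ == "__main__":
    for who, delivered in delivery_outcomes().items():
        print(f"{who:40} script runs: {delivered}")
```

From the exchange's own logs, A, C and D look identical: a message arrived and was delivered. What separates them is entirely on the sender's side (no knowledge of a filter, a guess, and for E certain knowledge of a specific bug plus a message shaped to hit it), which is why the comment's question about C and D cannot be settled by looking at the filter alone.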
  24. Passive Access by Sloppy · · Score: 3, Interesting
    Yet another nit: he defines "access" in a way that is always active: someone sends a command to a computer. Passive access is unaddressed. I wonder if this is intentional.

    If I park my car on the public street in front of your house or business and sniff your unencrypted 802.11 traffic, many people might say that counts as access. But not by his definition.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  25. Re:Just what kind of dumbass question is this? by cdn-programmer · · Score: 2, Interesting

    Yes it is a good question.

    Is it legal for you to ring your neighbours' doorbell? Technically it is trespassing. So when is trespassing not trespassing eh?

    If you pop into one of my webservers are you accessing the computer in an "authorized" fashion? How do you know if I'm technically competent enough to configure it so the people who should have access do have access and the ones who shouldn't have access don't?

    If I have my winders file shares open - are you "authorized" to pop in for a look?

    I say "YES". I know a person who deliberately opened her shares because she wanted people to get at her music.

    Yet another person who I called who had open shares claimed I hacked the computer. So much for trying to be a nice guy to these idjots.

    Actually - on that phone call to tell them the shares were wide open - another person found out I did this and accused me of trying to get someone fired! I mean the bullshit factor is really deep sometimes.

    Its like some people are so stupid that they will walk down the street with their damn dicks hanging out and if some one tells them their fly is open - that person is accused of being a peeping tom!

    So - this is a good question.