Legally Defining "Unauthorized" Computer Access

SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."

Which is worse?

[jonfelder]

The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack. You could practically murder someone and spend less time in jail then if you commit a computer crime.

Common sense...

[Elvisisdead]

...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.

I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.

Re:Common sense...

[Beryllium+Sphere(tm)]

But there's a wide range of activities that educated computer users can argue about. Consider the debates that pop up regularly on Slashdot about the ethics of port scans, war driving, spam and so forth.

Of course you're free to argue that Slashdot discussions aren't informed by "common sense".

The root problem is that a lot of permission is implicit and is conditional on unwritten rules. The Bedouin did the same thing with water wells. Everybody knew that a well was property. Everybody knew that travelers were implicitly allowed to dip in one or two at a time. Everybody also knew that watering your entire flock at someone else's well would get you killed.

The legal system may already have answers. After all, it's been resolving disputes for thousands of years. Trespass law has all sorts of concepts of notice and intent that could be used for computer law.

Definition of illegal access

From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.

HOWEVER, many states have local statutes making simple trespass illegal.

Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.

Vic Vandal

Good ol' days

[ergonal]

Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)

How about if it's password protected?

[LordNimon]

How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.

Using the word "Welcome"

[Gudlyf]

I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being commited?

Re:Popups?

[lightspawn]

One could say that a popup add "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)

Of course it's authorized. Your browser preferences allow pop-up to be displayed, or you'd never see them. The combination of your browser configuration and your request for a web page that contained Javascript code, plus the fact you authorized your browser (and by extension, the sites you access) to run such code, is all the authorization that is needed.

Don't try solve technical problems by legal means. It wastes your time and annoys the pig.

Re:Yet another example

[alkali]

Criminal law has been almost exclusively a law of statutes for a very long time. California eliminated common law crimes in 1873; many other states have also done so.

There is no federal common law of crimes, and pretty much no federal common law of any sort outside of a few narrowly defined areas (e.g., admiralty and maritime law).

Why you think that common law (unwritten, a tradition embedded in thousands of precedential cases contained in law reporters that few public libraries have) is necessarily better for the "average Joe" than civil law (statutes available online for anyone who cares to read them) is not clear.

Re:Popups?

[SN74S181]

Or, it could be said that since your keyboard, which has a microprocessor in it, and also your hard drive, are both connected to the CPU that is attached to your computer, which is connected to the Internet through an ISP, that you've attached multiple machines to the network, even when you only have one 'computer' connected. Or is it the embedded controller in your modem or on your ethernet card that is connected and hence your main CPU is in violation of the 'one machine' rule??

No attempt to dissect what is actually happening

[gsfprez]

Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwitdh that is attached to the Wi-Fi network (wired or unwired).... these things are much simpler, ans FAR less confusing if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world anaologies of law.. such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility of the proprety owners to know - karnally - what is going on with what they bought.

I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station hs MAC address access lists and uses WEP - regardless of how ipss-por they are in providing ACTUAL security ... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.

But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPS and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?

What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays is that, at the actual protocol levles, each of THESE cases is a slam dunk.

If i request a DHCP lease, and the open base station gives me a IP and a lease, then, by definition, i have no gained access in an unauthorized manner. That person's equpiment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, its not unauthorized.

If i request a URL with a HTTP GET, and the server happily sends me a file that was in a directry that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if i ASK for access, and you GIVE it to me, then that access is AUTHORIZED.

Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..

in the case of Explorica, i could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.

If i to a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. i didn't REQUEST ACCESS .. i requested data - and you gave it to me.. be it a letter, a picture named "45728.jpg", the comany's secret files improperly stored on a website...

If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...

1. I am a robber, and i threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.

2. I am a begger, and i do not threaten you in any way. You give me all your money freely.

In example 1- i am violating protocol... i am threatening you. in example 2 - i violate no protocol, and in no way threaten you, you decision to give me all your money, while perhapse foolish and stupid on your part - is you free will.

open websites, open wi-fi base stations, and smtp relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modificaiton, and yet YOU GIVE ME DATA.... there cannot be any crime.

just as there is no crime in giving a person money on a train, so long as there is no violati

Regulation by code

[Sloppy]

I think that "regulation by code" could still be vague.

Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.

The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.

I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimey, and what the script does surely counts as "access."

• Most of my recipients are running a mailreader that doesn't automatically execute scripts, so my email has no effect except to use some disk space. Or maybe some of them even run filters that drop my mail before it gets stored.
• Person A is running the mail client that I designed the script for, and it executes the script. It runs, and then reports back to me he let the animation run to completion. Person A is amused by the animation, though probably doesn't realize everything the script did.

  If I understand correctly, since there is no attempt as "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did, wasn't without authorization. No crime here, right?

• Person B also runs that same mailreader, but the mail exchange for his domain, filters out all mail that contains the word "penis." So he never got it and it never even had a chance to run. No crime here.
• Person C has the same kind of filter, but his filter is misconfigured, and it fails to stop my mail. Again: the exchange is intended to filter, but it's not working correctly. I don't know why. I didn't even know he had a filter. But it's there. I didn't do anything (so far as I know) that influenced whether or not my mail would get through the filter, but it did. Person C's workstation executes my script, and he is annoyed.

  Did I circumvent "regulation by code" with person C?

• Person D has a filter, but I already suspected that he might have one and that it might filter out messages containing the word "penis." I change that one word in my mail to a synonym and it gets through his filter and executes. I took an active and deliberate (but speculative) measure to bypass a filter that I though may or may not be there. Gee, what a lame filter.

  Did I circumvent "regulation by code" with person D?

• Person E's filter has a bug that will pass any message that is a multiple of 666 bytes long. Otherwise, it aggressively blocks any mail that contains a script or the name of a body part. I know for certain that he has this filter and I know about the bug, so I pad my message to a multiple of 666 bytes, thereby willfully exploiting the bug and it gets through and executes. Person E is furious.

  There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.

Surely I crossed the line on person E. I'm not so sure about persons C and D.