Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
When thinking about it, one could say that a popup ad "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
Opus: the Swiss army knife of audio codec
This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
You can tell a great deal about the character of a man by observing those who hate him.
Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
..but the computer can't say no, I thought it wanted me to access it, honest!
The article links to an abstract, which has a pdf link in it to the actual goodies. Here is the pdf link, for your viewing pleasure. http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID399740_code030507630.pdf?abstractid=399740
The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack. You could practically murder someone and spend less time in jail than if you commit a computer crime.
posting "1 4/\/\ 0wnz0ring j00!!!!!! luser!!!! FEE KEVIN" on their website, qualifies.
The charge was eventually dropped at any rate.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Since their server is almost dead, I managed to pull this off before /. effect kills it.
Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes
ORIN S. KERR
George Washington University - Law School
GWU Law School, Public Law Research Paper No. 65
New York University Law Review, Vol. 78, November 2003
Abstract:
In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.
This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.
Keywords: cybercrime, computer crime, unauthorized access, code
...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.
I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.
"Want in one hand and spit in the other and see which one fills up first." - My Dad
If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized. BTW, that data is available under perfectly reasonable license terms. I charge $1/Kb. I have 2 80Gb drives. The $160,000,000 is payable in advance, thank you.
From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.
HOWEVER, many states have local statutes making simple trespass illegal.
Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.
Vic Vandal
For all the kiddies who can't access the pdf file:
http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID399740_code030507630.pdf?abstractid=399740
:)
Enjoy!
hmm... I don't think you were supposed to download Matrix 2. please expect our agents to arrive shortly.
Any Mac users getting it to work? For that matter, has anyone gotten it to work? None of the comments suggest that the poster has read the whole thing, not that that's necessarily unusual.
What I'm listening to now on Pandora...
"And this is my boy, Sherman. Speak, Sherman." "Hello." "Good boy."
Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)
Since when does an article's length matter?? Nobody reads them anyway, this is /. :)
This has nothing to do with the /. article, but makes good reading nonetheless.
How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
Interesting.. I thought I knew what those words meant until I started thinking about it... but that won't stop me from giving it a stab:
unauthorized: Exposure of information / access to systems to / by individuals not authorized to receive it / access the system.
access: 1. The ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system. 2. To obtain the use of a resource. 3. [The] capability and opportunity to gain detailed knowledge of or to alter information or material. 4. [The] ability and means to communicate with (i.e. , input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. Note [for 3 and 4]: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents him/her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. 5. An assigned portion of system resources for one data stream of user communications or signaling.
Thanks to google and Federal Standard 1037C.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
Logging onto the internet is sort of like putting your house in the middle of a city, with all the doors and windows open, then letting random strangers walk through your house, along with the people you "want" to walk through your house. You're gonna have a hard time keeping people out of your bedroom........
"Much work is lost, for the lack of a little more." -Edward H. Harriman
Access is a noun. Hence one can perform an act which becomes illegal access, one can grant or revoke access, but one cannot access something anymore than one can plane, car, or fireplug.
Of course, bitching on /. about grammar is about as pointless as crying "Dupe"
But what the hell, I do that too.
--
I sure didn't.
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
Near the end (I started at about page 50), he states that accessing a computer "without authorization" should only be considered true in cases where a cracker has circumvented code-based restrictions, not contract-based restrictions. Part of me thinks this is a great idea conceptually, but part of me is worried about the implications it would have for the vast majority of home computer users.
By saying that only when you break code-based restrictions are you committing unauthorized access, this puts the responsibility on the user to secure their box. For most /.'ers, this is already a given. Be it with firewalls, NIDS, or whatnot, I'm sure everyone on here is doing something to make sure that people aren't getting access to your system. I think one of the best points he makes is that as long as you implement code that is intended to stop malicious attacks, that is enough legally to build your case. I'm sure many average users have misconfigured firewalls or something that would allow someone knowledgeable to crack their machine. I'm sure there are stupid sysadmins out there who have unsecure networks. While I don't think this excuses you from not keeping up to date, patching, etc., I think it is a good step to take.
My biggest worry is that the definition of code-based restrictions could be misconstrued. Say for example you lock down everything except Apache/IIS running on port 80. Since both these two have had security exploits in the past (not trying to start a holy war here), what happens if someone exploits your webserver to gain more access? Obviously you have given access to the webserver on port 80. If one of the "features" of the webserver is a buffer exploit, would it still be considered circumventing a code-based restriction to exploit it? I think most here would agree that it is, but as we all have seen, most judges are not your average /.'er and make rulings that seem ignorant of the technologies.
Did he forget to return a library book?
If this guy's recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guy's recommendations off the books.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
http://world.std.com/~swmcd/steven/rants/merlyn.html
I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being committed?
Trolls lurk everywhere. Mod them down.
Are there really that many ISPs out there which disallow NAT use?
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
You all said it died, but I got it... maybe cached from our proxy though.. but anyway.
:)
HERE IT IS
enjoy.. I'll be busy for a bit.
Put your money where your mouth is -
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary.)
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
Does the title to this article sound like what Bill Clinton once said?
"That depends on what the definition of the word 'is' is."
Spooky
What is "unauthorized access" to my house?
1. When someone comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarly to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come at my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area, if I lock something down with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
I think a better question would be, "What constitutes "Unauthorized" _Data_ access?"
It's often easier to access the data being served than it is to the machine itself and I think the debate would be much more valuable.
Maybe he addresses this, as I didn't RTFA.
--
|-_-| . o O ( bEef!)
The vagueness of authorization was particularly noticeable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out of 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.
It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.
The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):
And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right?
It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!
"Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The easy answer to the question is that it is unauthorized access when they don't give a damn or can't do anything about it.
Unauthorized access should be defined by the user, the isp, the network, and differs from place to place. ISP's as general rule should have broad access restrictions that should be open and accessible, and users with networks or public computers (WWW, etc) should have their own.
-Sean
When the number of comments reaches twice the number of abstract views... which must be 10% of the whole article views.. You just know slashdot has a problem :)
If it's trivial to access the system, then there should be no crime committed.
You cannot just leave an open webserver and expect people to 'just know' that they cannot request files from it. You cannot expect people not to poke around your unpassworded FTP server.
Trivial passwords should fall into the same category - you can't be bothered to take care of your data/services, you can't bitch when someone else reads it/uses them.
Beep beep.
1. Put up a website on the net
2. Wait for 100 hits
3. Sue the 100 people who visited your site for $50,000 each, claiming that you didn't give them authorization to access your computer. Profit!
For those of you who aren't familiar with what Morris did or didn't read the section I'm discussing, he is the one responsible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceeded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:
These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)
The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.
In California.. it goes something like this:
(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
If so, then the legal tools are already available to make some serious examples.
/. If the government wants us to respect the law, it should set a better example.
Note, lack of security does not equate to implicit authorization, since even if my front door is unlocked, if someone I do not want in my home comes in, they are still trespassing, even if I am not *at* home to tell them to get out (although if they steal anything, my insurance may not cover it since I had not shown diligence in taking care to prevent that). If, however, I come home to find this person in my house, even if they have not stolen or tried to steal anything, I can still charge them with trespassing.
Also note that mere possession of a suitable entry key or password does not equate to authorization, unless that possession is currently recognized as valid by authorized channels.
File under 'M' for 'Manic ranting'
The thinking would be: If you don't authorize popups, then why are you running a web browser that intentionally supports popups? The programmers of your browser went to extra trouble and effort to make popups work. If you don't like it, change the behavior of your browser. It's not like someone tricked your browser into displaying the popup, in defiance of its design.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
--
Some people think that accessing their open web server is unauthorized access. This is not reasonable.
I think anything not clearly identified as private should be authorized on a public network.
If I walk to someone's front door who has no signs informing me this is unacceptable, and ring the doorbell I do not think I'm trespassing.
Same for a computer.
The article is well worth reading, just for the following quote:
Sounds like a fun guy to work with.
SYN: (may I access this tcp port?)
SYN ACK: (sure go ahead!)
ACK: (thanks!)
At what time does he think people should access his machine, his PC, and look through his files. The information contained in there could be personal and damaging for others to know.
A popup ad is one thing. The page you are viewing put that there. It's part of the whole package you have requested. That's your fault.
I cannot put it any better than the Fourth Amendment. Here in the US we are unique. We have rights. Yes, rights, not privileges. These rights cannot be set aside legally.
We of the US are not "lucky" to have these rights, we demand them. Once we stop our demanding they'll disappear faster than you can blink. We through our contract with our governing bodies, the Constitution, give the government some powers, the states some powers, reserve some rights, and reserve all other power for the people.
I cannot put it better than the Fourth Amendment, so I'll post it here.
Fourth Amendment
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized.
Take care, and protect your rights. Anything not maintained will fall into disrepair. Keep our rights from falling into disrepair.
-- James Dornan
-- Prepared at the direction of, or to be sent to Legal Counsel, in anticipation of litigation. Attorney Client Pri
Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwidth that is attached to the Wi-Fi network (wired or unwired).... these things are much simpler, and FAR less confusing if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world analogies of law.. such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility of the property owners to know - carnally - what is going on with what they bought.
... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.
.. i requested data - and you gave it to me.. be it a letter, a picture named "45728.jpg", the company's secret files improperly stored on a website...
I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station has MAC address access lists and uses WEP - regardless of how piss-poor they are in providing ACTUAL security
But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPs and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?
What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays is that, at the actual protocol levels, each of THESE cases is a slam dunk.
If i request a DHCP lease, and the open base station gives me an IP and a lease, then, by definition, i have not gained access in an unauthorized manner. That person's equipment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, it's not unauthorized.
If i request a URL with a HTTP GET, and the server happily sends me a file that was in a directory that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if i ASK for access, and you GIVE it to me, then that access is AUTHORIZED.
Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..
in the case of Explorica, i could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.
If i do a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. i didn't REQUEST ACCESS
If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...
1. I am a robber, and i threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.
2. I am a beggar, and i do not threaten you in any way. You give me all your money freely.
In example 1 - i am violating protocol... i am threatening you. In example 2 - i violate no protocol, and in no way threaten you, your decision to give me all your money, while perhaps foolish and stupid on your part - is your free will.
open websites, open wi-fi base stations, and smtp relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modification, and yet YOU GIVE ME DATA.... there cannot be any crime.
just as there is no crime in giving a person money on a train, so long as there is no violati
guns kill people like spoons make Rosie O'Donnell fat.
I fully realize that I'm fighting a long-since lost battle, but it's one of the perversions of the language that I'm unwilling to accept.
Please don't take this way off-topic message as a personal affront, as it's not meant as one.
My impression is that English is a living, growing language. At what point in time, then, do you say something is English or not? 1600? 1900? For example, the "plane" you referred to earlier was first used to describe a vehicle of flight in 1908.
And of course there is the "problem" of deciding what gets "accepted" as proper language. I'm not sure a democratic method is necessarily best. For example, "have got" as in "I have got three cars." seems to be acceptable now because of its common use. That makes me cringe every time I hear it!
Going back to "plane", you can in fact plane something. That is to make it flat, as in a carpenter planing a piece of wood. The wings of the first airplanes were flat, which gave the craft its name. This noun for the word is surely newer than the verb.
Actually it does apply.
If someone at a store removes (or forgets to label) a private area of the store and a person goes in there, is it the person's fault or the store's?
I figure people are automatons at times enough to fill the same analogy. But if they take something from that room the fact that it was private or not is irrelevant, as it is stealing.
If someone makes a map to that room and says "go here" (aka, a link) then it's the store's job to lock it down.
The point you make about security is a matter of damage and stealing, not really access. If you drop a private letter on a public street, I doubt there is a law to protect you from a newspaper publishing your private letter.
If you drop your security online for a public website then the only thing that you can get for recourse is damages, not unauthorized access, as your site is publicly accessible.
BUT, my computer, no that is illegal access. A public web site without proper "doors" and "stay out" signs, no that is not illegal access, that is negligence on the part of the site owner. I personally have a real problem with people just walking into my house, even if they don't take anything.
My website though is out there for the sole purpose to have people see it. If you don't want people to see it, then put a password on it, and then if someone gets in, then it's unauthorized access.
It can't be helped if people don't know how to lock down their site, it's a risk they are taking if they don't, won't or can't secure their site.
...they call it various things but falls roughly under "maintaining a public nuisance" or some such. You don't even have to be aware of it, or you can claim stupid, and it doesn't matter. Hmm, for instance, having a full swimming pool with no fence around it, some kid falls in, whoops! It's happened to people. I could see it easily applied to running a totally unsecured computer that is used as a spammer relay or zombie machine in an attack.
AND THEN, in turn, once clueless computer owner gets shafted, THEY can turn around and sue the OS distributor for selling an operating system that installs broken, and is wide open. Using the same law.
THAT would sort these things out a bit.
Just as a matter of discussion, I'd class millions of wide open computers out there as a major public nuisance. People who aren't consciously running a server by choice shouldn't be running a server! It's a completely simple and logical concept.
I'm not saying the law is 100% correct or "fair" in that regard, but the case law and precedent is out there in spades. Not sure if it was ever applied to computers though, but it would be an interesting case if it occurred. Follow culpability and "who suffers". Why should innocent person A suffer because computer user B allowed his machine to be used by haxor C in an attack? And I don't mean a really exotic take over situation, I mean using computers that ship and install with extremely insecure OS and apps that are obviously "too loose" for someone who isn't a server? Anyway, an argument along those grounds.
So what you mean to say is that if I hook a wireless router up and someone drives by my house and uses my network - which is now legal in some states - they are within the law, but I am breaking it since they are using my router to connect a 3rd computer to my isp? (my isp allows 2 by default).
Laws will get messy.
Or how about I check my email from my palm pilot through my computer....is it now a network?
Messy.
Messy.
Messy.
The computers running /. aren't yours, and you just accessed them to post that message, so by your own words, you just broke the law.
There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
The computers running /. aren't yours, and you just accessed them to post that message, so by your own words, you just broke the law.
In about 1993 or 1994, a lawyer told me that what you said was exactly right. Authorization in California - at the time anyway - was explicit. Without explicit authorization, any access is illegal access. At my young age this led me to theorize that in all aspects of life people are probably "breaking the law" pretty much all day, every day.. and it is only when "the man" chooses to enforce it that "he" will. That theory has pretty much held true for those 10 years.
Let's see what the dictionary has to say about it:
unauthorized - not endowed with authority, without official authorization.
Hmm..okay. And this is ambiguous how, exactly? I'm sure you could bring up all sorts of bullshit arguments ("just because I have a webserver running on port 80 doesn't mean I want people to visit my website," et al.), but the truth is that everyone knows exactly what it means. It means that you're not supposed to hack into a computer and poke around in people's business..in fact you're not supposed to hack into a computer at all, unless it's your own. And hey, if it is your own, you already have "authorization."
A server on the internet is like a retail shop at the mall. It's there to be entered! Now, at the mall, sometimes, stores open before the "official" hours. Hence, if the door is open, you can't get in trouble for going in--often there isn't a "sign" to say open or closed.
Also, there's lots of doors at the mall that are marked "Authorized Personnel Only" and sometimes doors that aren't marked are still locked. In a very small case, of unlocked, unmarked doors but if you enter, the security guard will let you know to leave and someone ELSE'S ass will fry. Trying to pry a lock or enter a marked door will quickly get you scolded, maybe arrested if you don't comply--but there is a strong legal precedent for diligence of locking and marking in a public place. This isn't at all like entering your house.
What you have right now are old, loud-mouthed, corporate executives that want to have "internet" access to be "cool" but don't want to be responsible to understand how to use it--and too cheap to pay someone to do it properly! They immediately are getting the law involved instead of following a few simple instructions. And, unfortunately, the Law is all too ready to get its fingers in our business! Looking at the ridiculous claims that prosecutors have been filing, it looks to be more of the "old Boy" network rather than working to make the systems work better and with more understanding of the rules. It's the typical selfish, egotistical mess [like the *IAA, and like] accelerated at internet speed!
Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.
The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimy, and what the script does surely counts as "access."
If I understand correctly, since there is no attempt at "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did, wasn't without authorization. No crime here, right?
Did I circumvent "regulation by code" with person C?
Did I circumvent "regulation by code" with person D?
There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.
Surely I crossed the line on person E. I'm not so sure about persons C and D.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Another thing, how are these people getting away with storing data on machines and downloading secret documents because they 'aren't depriving the owners of their use'? If I download software, leaving it intact on the server, I may have deprived the owner of a trade secret (I thought that for sure a lawyer would have seen that one!) Also, accessing private data, even though it's only to satisfy my curiosity could be construed as 'depriving the owner of sole ownership' which may or may not be critical. You don't need a new law to tell you that.
Conversely, even using some clock cycles 'deprives' someone of something. (even one or two) So a port scan could also be considered theft. (Not saying that I agree with that, but that's the way it looks to me) If I'm wasting clock cycles responding to port queries, or ICMP traffic, that's a DOS attack, plain and simple. I could be using my processor for better things. This was easier to see when all we had were 56 k modems all over the place.
Speak for yourself.
If I park my car on the public street in front of your house or business and sniff your unencrypted 802.11 traffic, many people might say that counts as access. But not by his definition.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Your browser is configured to request that pop-up. It might not be nice and you might not like it, but you turned over the rock the pop up was sitting under.
The rooted Red Hat box did not go out and request a rooting. The user, if they followed the install, made a difficult-to-guess password for root to prevent people from doing this. A cracker must seek out and trick such a computer to take it over.
The case of someone using the flaws in a browser to do nasty things is just the same as cracking the computer and should be distinguished from a "legitimate" unrequested popup window full of advertising shit. Gator and other crap like that does indeed fit the unauthorized use model. It's installed by trick, it's a fraudulent, unrequested and abusive use of a computer and should be condemned as one. Someone said it was like helping yourself to the bathroom in your host's house. No, it and regular old cracking, is more like entering without permission and then pissing on your host's bed.
Friends don't help friends install M$ junk.
The whole problem here is that people are looking at these things the wrong way, from the get go. The point is not the machines, the point is the impact on people. Try to define things in terms of the technology and you are inevitably and irrevocably drawn into exactly the problems you describe, and there is no way out of them.
Machines don't matter. Technology doesn't matter. Only people do.
In the case of Explorica, I could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not.
Sounds good on Slashdot, but this is terrible legal advice.
Interestingly, the CFAA, and not the RFC, is the law of the nation. The generalization fails, in both extreme and ordinary cases -- a person who serially guesses passwords until he succeeds has passed the passwd protocol, but has also hacked the machine to obtain unauthorized access -- this is not because of protocols, but because of the understanding that the password process is intended to be a gate.
Hypos can be built around HTTP scenarios that also use common sense understanding that some requests are ok, but others are verboten. YES, ABSOLUTELY, routine browsing can rarely create a CFAA claim, and in large part, I would argue from RFCs to show an implied consent to access information through routine protocols, but implied consents can be withdrawn -- and knowing entries where you are not wanted will be actionable AND criminal in appropriate cases, even if all you did was execute an HTTP GET.
The question is not really a technical one - nor is it even a purely legal one. It is a question of common sense and normative behavior. Was your conduct consented to, expressly or impliedly, and was the consent somehow vitiated by subsequent facts? It requires not a read of RFCs alone, but a review of the totality of the circumstances.
Social policy is more tricky than any simple mantra.
If you drop a private letter on a public street, I doubt there is a law to protect you from a newspaper publishing your private letter.
There's copyright law. There's also trespass to chattel, if the newspaper picks the letter up and opens it. There could be trade secret laws, depending on the content of the letter.
BUT, my computer, no that is illegal access. A public web site without proper "doors" and "stay out" signs, no that is not illegal access, that is negligence on the part of the site owner. I personally have a real problem with people just walking into my house, even if they don't take anything.
But how can you identify whether the computer is meant to be public (like a store) or private (like a house) without accessing it?
Questions like this that are tossed out into the ether that is known as the 'net' {or whatever particular thing anybody wishes to call it} are completely asinine. It lists right up there with 'e'this and 'i'that. Questions like this pretend that what's wrong/right changes if a computer or the internet is involved.
Unauthorized access boils down to this, just like in the real world...
If you're not invited... stay out.
If it's not public... stay out.
If it's not yours, and you don't have permission to enter... stay out.
If it's locked... stay out - don't pick the damn lock.
There's no fucking difference in applicability of unauthorized access between the 'real world' and computers/internet/etc...
It's not a huge philosophical question.
Steve's Computer Service, Hobbs, NM
"The computer has not agreed to let the defendant access the computer. Instead, the computer is tricked into letting the defendant access the computer through a misrepresentation...[t]he computer may "believe" that the user is someone else, ... may be tricked into unwittingly giving access...both cases reveal fraud in the factum"
IANAL, but this looks like one of the most logical approaches to the subject I've ever had the pleasure of skimming.
This comment is fully compliant with RFC 527.
If you own a PC and attempt to access the internet to do anything, you're a criminal. PERIOD.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimy, and what the script does surely counts as "access."
However, the only plausible explanation for there being penis-enlarger mail in my box is that someone else opted me on to the list.
I must commend Mozilla's "Junk" filters for doing an excellent job of keeping my inbox clean from this kind of stuff.
Fight or flight its all the same
Live to die another day
--Ryan
Another thread in alt.folklore.computers gives another example where "welcome" banners are mentioned:
From: EXE April 1992 v6 n10 p46
Process Communications Ltd. (UK)
Are hackers really criminals? (the UK Computer Misuse Act)
David Martin
"...a shop steward had been using a computer system in the middle of the night. The shop steward had already got an account of his own. However, by use of a password used by his daughter, he accessed information that he was not required, by his job, to be able to access. The Tribunal decided that although the employer should have defined exactly the extent of access permitted, any reasonable person would have realized that this was unauthorised [sic] access. A computer system manager should therefore ensure that any Welcome banner states that if the user does not have explicit permission to access the computer system and use it for an explicitly permitted set of actions, he should log out."
Apparently this has mutated over the years into the story told by people who don't bother to check their sources!
Helevius
By choosing to use Internet Explorer ( a nice browser ), the user agrees to accept popups in default mode. Mozilla ( another nice browser ), for example, is a browser that allows the user not to execute popups, with an easy switch of settings. Can't say as I am familiar with other browsers, but it seems it is a user choice whether or not you view popups, and nobody else's fault.
HenryJamesFeltus.com
Interesting note, I didn't know this. But I really doubt there is a law against anyone "reading" it after they found it, then passing it around to others... which would not be publishing it. Or even more to the point of the original analogy, leaving the letter on the street for the next person to find it and read it.
Would it then be illegal for the first person to tell other people that that letter is there?
It seems that if you leave something just sitting around for anyone to look at, then you have no law protecting you if people do look at it. For example, there's case law that says I can use a 55mm (numbers may be off) lens and from the street take pictures of your house and you inside your house. This was defined as legal because the 55mm lens has the same capability to see as the human eye.
But it is illegal to use a zoom lens. Same goes with businesses and from sidewalks.
But how can you identify whether the computer is meant to be public (like a store) or private (like a house) without accessing it?
Well for one super easy test, if you have a domain name pointing to a computer. Bing, instantly label that as public access. (just like the phone book and a business vs private phone) If you want people to come to your computer privately, use an IP address only or password protect your domain name root folder.
To my knowledge every single communication protocol to access a remote computer requires a login/password. (not talking about web pages here) If this is true, then if you access a computer without a valid login/password (that means it has to be legit, no forgeries or fraud to get it) then it's unauthorised. That makes this all very simple, that computer is not public. If no password is needed (ie web page or P2P, etc..) then public access is limited by default to the parameters of the delivery software, (web server:public html folder, p2p:shared folder, etc...)
The problem is that lawyers like it complicated so they can have lots of lawsuits about it. But this is not complicated, also journalists like complex issues to debate and write about, ugh what a pain ... why should we make this a complex issue when it may not be? Isn't this similar to how copyright got mangled into the digital realm by the DMCA?
I believe the more clear cut the definition the better protected the average guy will be in the court system...
If the letter is unopened it's almost certainly trespass to chattel to open it.
Ok, a letter is not a good analogy to a website, let's call it a poster. Then no mail or legal reasons not to inspect it, just like finding a webpage...
Certainly not. There's TFTP, RCP, Anonymous FTP, SMTP, etc.
Ok, but don't these systems have to be intentionally set up? And if they are, then the person setting them up must accept that the public, may, can and will access those areas. My computer can't be accessed like that by default, and if I did make it publicly accessible without a password, I should say to myself in the mirror, "don't be stupid".
I think it's a lot more complicated than you're making it out to be. Maybe you are right, but there's no reason not to try to simplify it first before adding all the exceptions to the rules.
I think the biggest key here is defining the most popular modes of access first, web/internet and P2P. P2P mainly because it's going to get into the courts faster than anything else...
This goes to convention which is not very well established for the net, and certainly not well legally established for the net.
For example, by accepted convention, a place of business that is not locked or marked closed may be freely entered (permission implied) while in the case of a residence, that same action is trespassing. This is based on convention and interpretation of the owner's most probable permission.
On the net today, it is fairly safe to guess that a server with an open relay is NOT meant as an invitation to send out spam (unless the 220 message says send all the spam you want). It may or may not be an invitation to send an email to a friend. It is most likely not intentionally open, much like when someone forgets to lock the door when they leave home.
ok, so basically we have come to the crux of the matter.
If automatic bots (wget) take data randomly from the net (which I understand they need a link to get somewhere anyways, but we can deal with that later if true) are the owners of the bots liable for
1."stolen IP"
or
2. "unauthorized access"
or possibly both?
1. The aspect of "stealing" something is a bit of a problem, as like if I made a copy of a novel while still in the store, they probably could kick me out, but if I left and they didn't know about it, unless I did something like pirate the copy, I doubt any lawsuit would hold up.
So that leaves "unauthorized access" by the bot. (until further debate on item 1)
2. As I stated before, there should be a basic premise that if something is private that it should be labeled that way or there should be certain obvious flags right off the bat, like no web server running on said computer is an easy one.
How long before robots go to the store, shop for us and do door to door sales?
If a robot came into my house, I would be pretty upset, so there should definitely be some containment of how a bot runs. For example as I stated before if we can safely consider the www a public area, then bots could limit their hunting to www for a very safe, but possibly limited boundary.
If they do hit IP addresses directly, then they could be set to only recognize web pages and web servers, and ignore all other forms of communication protocol. This is all just as a starting idea.
But yes, if a bot invades my computer, the owner should be held accountable, as the only bots that I detect hitting my firewall I could safely assume are port scanners looking for doors in to my computer to make it a zombie or worse.. Then at that point a bot is not a bot, but a form of a virus or trojan...
But as a justice safety position, if nothing is disturbed on my computer and the owner of the bot could justify the accidental intrusion (aka, I ran a web server on my computer and left some stuff in a folder I shouldn't have) then the bot owner should not be held accountable, just like Google shouldn't be if Madonna left her latest CD in mp3 format on her home page and google finds it there... Madonna's being guilty of negligence then exonerates google, (not sure if I got all those big words right...)
Just check whether the Evil Bit is set or not!
Enig? Det alt for hot det smor!