Slashdot Mirror
Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
When thinking about it. One could say that a popup add "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
Opus: the Swiss army knife of audio codec
This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
You can tell a great deal about the character of a man by observing those who hate him.
Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
..but the computer can't say no, I thought it wanted me to access it, honest!
The article links to an abstract, which has a pdf link in it to the actual goodies. here is the pdf link, for your viewing pleasure. http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID39 9740_code030507630.pdf?abstractid=399740
The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack. You could practically murder someone and spend less time in jail then if you commit a computer crime.
posting "1 4/\/\ 0wnz0ring j00!!!!!! luser!!!! FEE KEVIN" on their website, qualifies.
The charge was eventually dropped at any rate.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Since their server is almost dead, I managed to pull this off before /. effect kills it.
Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes
ORIN S. KERR
George Washington University - Law School
GWU Law School, Public Law Research Paper No. 65
New York University Law Review, Vol. 78, November 2003
Abstract:
In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.
This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.
Keywords: cybercrime, computer crime, unauthorized access, code
...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.
I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.
"Want in one hand and spit in the other and see which one fills up first." - My Dad
If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized. BTW, that data is available under perfectly reasonable license terms. I charge $1/Kb. I have 2 80Gb drives. The $160,000,000 is payable in advance, thank you.
From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.
HOWEVER, many states have local statutes making simple trespass illegal.
Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.
Vic Vandal
Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)
Since when does an articles length matter?? Nobody reads them anyway, this is /. :)
How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
Interesting.. I thought I knew what those words meant until I started thinking about it... but that won't stop me from giving it a stab:
unauthorized: Exposure of information / access to systems to / by individuals not authorized to receive it / access the system.
access: 1. The ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system. 2. To obtain the use of a resource. 3. [The] capability and opportunity to gain detailed knowledge of or to alter information or material. 4. [The] ability and means to communicate with (i.e. , input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. Note [for 3 and 4]: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents him/her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. 5. An assigned portion of system resources for one data stream of user communications or signaling.
Thanks to google and Federal Standard 1037C.
Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
Near the end (I started at about page 50), he states that accessing a computer "without authorization" should only be considered true in cases where a cracker has circumvented code-based restrictions, not contract-based restrictions. Part of me things this is a great idea conceptually, but part of me is worried about the implications it would have for the vast majority of home computer users.
/.'ers, this is already a given. Be it with firewalls, NIDS, or whatnot, I'm sure everyone on here is doing something to make sure that people aren't getting access to your system. I think of one of the best points he makes is that as long as you implement code that is intended to stop malicious attacks, that is enough legally to build your case. I'm sure many average users have misconfigured firewalls or something that would allow someone knowledgeable to crack their machine. I'm sure there are stupid sysadmins out there who have unsecure networks. While I don't think this excuses you from not keeping up to date, patching, etc., I think it is a good step to take.
/.'er and make rulings that seem ignorant of the technologies.
By saying that only when you break code-based restrictions are you committing unauthorized access, this puts the responsiblity on the user to secure their box. For most
My biggest worry is that the definition of code-based restrictions could be misconstrued. Say for example you lock down everything except Apache/IIS running on port 80. Since both these two have had security exploits in the past (not trying to start a holy war here), what happens if someone exploits your webserver to gain more access? Obviously you have given access to the webserver on port 80. If one of the "features" of the webserver is a buffer exploit, would it still be considered circumventing a code-based restriction to exploit it? I think most here would agree that it is, but as we all have seen, most judges are not your averager
If this guys recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guys recommendations off the books.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
http://world.std.com/~swmcd/steven/rants/merlyn.ht ml
I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being commited?
Trolls lurk everywhere. Mod them down.
Are there really that many ISPs out there which disallow NAT use?
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note:: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary. )
What is "unauthorized access" to my house?
1. When some one comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarily to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come and my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area, if I lock something done with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
The vagueness of authorization was particularly noticable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.
It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.
The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):
And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right?It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!
"Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
For those of you who aren't familiar with what Morris did or didn't read the section I'm discussing, he is the one resposible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:
These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)
The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.
In california.. it goes something like this:
(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
SYN: (may I access this tcp port?)
SYN ACK: (sure go ahead!)
ACK: (thanks!)
Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwitdh that is attached to the Wi-Fi network (wired or unwired).... these things are much simpler, ans FAR less confusing if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world anaologies of law.. such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility of the proprety owners to know - karnally - what is going on with what they bought.
... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.
.. i requested data - and you gave it to me.. be it a letter, a picture named "45728.jpg", the comany's secret files improperly stored on a website...
I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station hs MAC address access lists and uses WEP - regardless of how ipss-por they are in providing ACTUAL security
But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPS and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?
What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays is that, at the actual protocol levles, each of THESE cases is a slam dunk.
If i request a DHCP lease, and the open base station gives me a IP and a lease, then, by definition, i have no gained access in an unauthorized manner. That person's equpiment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, its not unauthorized.
If i request a URL with a HTTP GET, and the server happily sends me a file that was in a directry that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if i ASK for access, and you GIVE it to me, then that access is AUTHORIZED.
Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..
in the case of Explorica, i could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.
If i to a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. i didn't REQUEST ACCESS
If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...
1. I am a robber, and i threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.
2. I am a begger, and i do not threaten you in any way. You give me all your money freely.
In example 1- i am violating protocol... i am threatening you. in example 2 - i violate no protocol, and in no way threaten you, you decision to give me all your money, while perhapse foolish and stupid on your part - is you free will.
open websites, open wi-fi base stations, and smtp relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modificaiton, and yet YOU GIVE ME DATA.... there cannot be any crime.
just as there is no crime in giving a person money on a train, so long as there is no violati
guns kill people like spoons make Rosie O'Donnell fat.
...they call it various things but falls roughly under "maintaining a public nusiance" or some such. You don't even have to be aware of it, or you can claim stupid, and it doesn't matter. Hmm, for instance, having a full swimming pool with no fence around it, some kid falls in, whoops! It's happened to people. I could see it easily applied to running a totally unsecured computer that is used as a spammer relay or zombie machine in an attack.
AND THEN, in turn, once clueless computer owner gets shafted, THEY can turn around and sue the OS distributor for selling an operating system that installs broken,and is wide open. Using the same law.
THAT would sort these things out a bit.
Just as a matter of discussion, I'd class millions of wide open computers out there as a major public nusiance. People who aren't consciously running a server by choice-shouldn't be running a server! It's a completely simple and logical concept.
I'm not saying the law is 100% correct or "fair" in that regard, but the case law and precedent is out there in spades. Not sure if it was ever applied to computers though, but it would be an interesting case if it occurred. Follow culpability and "who suffers". Why should innocent person A suffer because computer user B allowed his machine to be used by haxor C in an attack? And I don't mean a really exotic take over situation, I mean using computers that ship and install with extremely insecure OS and apps that are obviously "too loose" for someone who isn't a server? Anyway, an argument along those grounds.
Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.
The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimey, and what the script does surely counts as "access."
If I understand correctly, since there is no attempt as "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did, wasn't without authorization. No crime here, right?
Did I circumvent "regulation by code" with person C?
Did I circumvent "regulation by code" with person D?
There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.
Surely I crossed the line on person E. I'm not so sure about persons C and D.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If I park my car on the public street in front of your house or business and sniff your unencrypted 802.11 traffic, many people might say that counts as access. But not by his definition.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.