Slashdot Mirror
Legally Defining "Unauthorized" Computer Access
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
When thinking about it. One could say that a popup add "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
Opus: the Swiss army knife of audio codec
This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
You can tell a great deal about the character of a man by observing those who hate him.
..but the computer can't say no, I thought it wanted me to access it, honest!
The article links to an abstract, which has a pdf link in it to the actual goodies. here is the pdf link, for your viewing pleasure. http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID39 9740_code030507630.pdf?abstractid=399740
The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack. You could practically murder someone and spend less time in jail then if you commit a computer crime.
posting "1 4/\/\ 0wnz0ring j00!!!!!! luser!!!! FEE KEVIN" on their website, qualifies.
The charge was eventually dropped at any rate.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.
I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.
"Want in one hand and spit in the other and see which one fills up first." - My Dad
If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized. BTW, that data is available under perfectly reasonable license terms. I charge $1/Kb. I have 2 80Gb drives. The $160,000,000 is payable in advance, thank you.
From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.
HOWEVER, many states have local statutes making simple trespass illegal.
Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.
Vic Vandal
Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)
Since when does an articles length matter?? Nobody reads them anyway, this is /. :)
How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
If this guys recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guys recommendations off the books.
Edward Burr
Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
http://world.std.com/~swmcd/steven/rants/merlyn.ht ml
I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being commited?
Trolls lurk everywhere. Mod them down.
Are there really that many ISPs out there which disallow NAT use?
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note:: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary. )
What is "unauthorized access" to my house?
1. When some one comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarily to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come and my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area, if I lock something done with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
The vagueness of authorization was particularly noticable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.
It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.
The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):
And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right?It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!
"Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.
In california.. it goes something like this:
(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
SYN: (may I access this tcp port?)
SYN ACK: (sure go ahead!)
ACK: (thanks!)
Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwitdh that is attached to the Wi-Fi network (wired or unwired).... these things are much simpler, ans FAR less confusing if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world anaologies of law.. such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility of the proprety owners to know - karnally - what is going on with what they bought.
... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.
.. i requested data - and you gave it to me.. be it a letter, a picture named "45728.jpg", the comany's secret files improperly stored on a website...
I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station hs MAC address access lists and uses WEP - regardless of how ipss-por they are in providing ACTUAL security
But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPS and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?
What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays is that, at the actual protocol levles, each of THESE cases is a slam dunk.
If i request a DHCP lease, and the open base station gives me a IP and a lease, then, by definition, i have no gained access in an unauthorized manner. That person's equpiment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, its not unauthorized.
If i request a URL with a HTTP GET, and the server happily sends me a file that was in a directry that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if i ASK for access, and you GIVE it to me, then that access is AUTHORIZED.
Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..
in the case of Explorica, i could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.
If i to a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. i didn't REQUEST ACCESS
If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...
1. I am a robber, and i threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.
2. I am a begger, and i do not threaten you in any way. You give me all your money freely.
In example 1- i am violating protocol... i am threatening you. in example 2 - i violate no protocol, and in no way threaten you, you decision to give me all your money, while perhapse foolish and stupid on your part - is you free will.
open websites, open wi-fi base stations, and smtp relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modificaiton, and yet YOU GIVE ME DATA.... there cannot be any crime.
just as there is no crime in giving a person money on a train, so long as there is no violati
guns kill people like spoons make Rosie O'Donnell fat.
Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.
The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimey, and what the script does surely counts as "access."
If I understand correctly, since there is no attempt as "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did, wasn't without authorization. No crime here, right?
Did I circumvent "regulation by code" with person C?
Did I circumvent "regulation by code" with person D?
There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.
Surely I crossed the line on person E. I'm not so sure about persons C and D.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.