Sunday, February 12, 2006

"Access"

18 U.S. Code section 1030 is the basic federal computer crime statute. Section 1030 makes it a federal crime to use a computer to commit fraud or extortion or to disseminate viruses and other types of malware. Like most state computer crime statutes, it also outlaws gaining "access" to a computer without authorization.

The statute assumes unauthorized access is of two types: (i) access by an outsider who has not been given permission to communicate with a particular computer; and (ii) access by an insider who has been given permission to communicate with a computer at a specific level, but who goes beyond the scope of that authorization. The first alternative is usually known as "unauthorized access," while the second is called "exceeding authorized access." See
18 U.S. Code section 1030.

The statute defines "computer" and other relevant terms, but it does not define "access," which seems a peculiarly basic omission. It is also surprising to learn that there is relatively little case law on the definition of "access" in this context.

The case that is usually cited on this issue is State v. Allen, 260 Kan. 107, 917 P.2d 848 (Kan. 1996). Allen was charged, essentially, with gaining "access" to Southwestern Bell's computers without authorization. The State's evidence showed that, in this era of dial-up connections, Allen had been wardialing, i.e., had used his computer to repeatedly call Southwestern Bell modems that could let a caller "enter" the Southwestern Bell computer system. The evidence also showed that if a call went through, the computer determined if it was answered by a modem or by a person, after which it terminated the connection.

The issue that went to the Kansas Supreme Court was whether Allen had "accessed" the Southwestern Bell computers; if he had, then the access would have been without authorization and the crime would have been committed. But if he had not accessed the computer, then the charged crime had not been committed.

The Kansas statute (like some state statutes in effect today) defined "access" as "to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of" a computer. Kansas Statute Annotated section 21-3755. The state argued that, at a minimum, Allen had "approached" the Southwestern Bell computers, but the Kansas Supreme court disagreed. It agreed with a U.S. Department of Justice report which concluded that this use of "access" was unconstitutionally vague because it did not provide sufficient notice of what is forbidden; as the DOJ report pointed out, this interpretation of "access" would criminalze mere physical proximity to a computer.

The Kansas Supreme Court held that the evidence did not support the State's contention that Allen had "accessed" the Southwestern Bell computer because there was no evidence that he had "made use" of them or had been in a position to do so. It therefore upheld the lower court's dismissal of the charge against Allen.

The holding in Allen, which is still valid precedent on the issue of "accessing" a computer, would suggest that port-scanning, the process of searching a network for open ports that can be used to "access" the network, is not a crime. Surprisingly, perhaps, we have no criminal cases on this precise issue. The only decision in U.S. law on whether port-scanning is a violation of statutes like 18 U.S. Code section 1030 is a civil case. (Section 1030 also creates a civil cause of action for one whose computer has been attacked in violation of the statute.). In Moulton v. VC3, 2000 WL 33310901 (N.D. Ga. 2000), the court held that port-scanning was not a violation of section 1030.

Another way to attack this issue is to charge that a defendant -- like Allen -- is attempting to gain access to a computer or computer system without being authorized to do so. Section 1030(b) makes it a crime to attempt to commit any of the intrusions outlawed by section 1030(a), and most state computer crime statutes do something similar.

One wonders why the Allen prosecutor did not try this approach.

No comments: