This is a follow-up, in some ways, to my post about holding people criminally liable for not securing their computer systems.
I noticed that Germany is revising their computer crime laws somewhat, and that reminded me of a distinct aspect of the German Criminal Code’s approach to obtaining unauthorized access to computer data. Section 202a of the German Criminal Code makes it a crime to obtain data from a system without authorization if the system was “specially protected against unauthorized access”.
New York has a similar provision. Section 156.04 of the New York Penal Code makes it a crime for someone “knowingly” to use or cause “to be used a computer . . . without authorization and the computer utilized is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer”. This provision has been used to dismiss charges of hacking. In People v. Angeles, 687 N.Y.S.2d 884 (N.Y. City Crim, Ct. 1999), an employee of a NY car service was charged with gaining unauthorized access to data in a computer owned and operated by the car service in violation of section 156.04. He moved to dismiss the charges, pointing out that the computer in question was not password-protected or otherwise “equipped or programmed with any device . . . to prevent the unauthorized use” of the computer. The court agreed, and dismissed the charges.
So, in New York and Germany (and the Netherlands), you can’t hack an unsecured computer.
The purpose in each instance, as I understand it, was to filter unauthorized access cases – to keep police from having to respond if the owner of the computer in effect left the door to the computer wide open. The implicit premise seems to have been, as I think they used to say in an old TV cop show, “take care of yourself out there.”
We don’t do this in the real-world, at least not in MOST of the US (New York is an exception). If I am foolish enough to leave my house with the front door standing wide open and my new laptop sitting on a table just inside the door, my irresponsibility (stupidity?) in no way undermines my right to expect that the police will investigate the crime. We simply do not incorporate victim fault into our criminal law (though we do in tort law). So the police can’t say to me, “sorry, but you shouldn’t have left the door open. We’re not going to waste our time tracking down the perp when you didn’t do anything to prevent the crime.”
Right now, in most of the US the real-world rule applies in the online context . . . which, aside from anything else, creates some difficult conceptual issues when it comes to wireless networks. Unlike my house with the open door – which is a quintessentially passive situation – an unsecured wireless network is “active,” in that it casts a web outside my house and, some would argue, essentially “invites” unauthorized persons to use it. So, there continues to be quite a debate about whether or not it is hacking to free-ride on an unsecured wireless network, i.e., simply to make use of the network to go online.
If we required wireless network owners to secure their systems, then the analysis would be much easier. I think I read that a New York town is doing this. I can’t find the story just now, but I believe I read earlier this year that a New York town adopted an ordinance which required people running wireless networks to secure them. (I think users who did not secure their systems faced a fine in that instance, presumably because the NY statute would already bar charges for unauthorized access to an unsecured wireless network.)
Interesting issue: If you don’t bar the virtual door is it a crime for someone to enter it?