Tuesday, September 26, 2006

Can You Hack an Unsecured Computer?

This is a follow-up, in some ways, to my post about holding people criminally liable for not securing their computer systems.

I noticed that Germany is revising their computer crime laws somewhat, and that reminded me of a distinct aspect of the German Criminal Code’s approach to obtaining unauthorized access to computer data. Section 202a of the German Criminal Code makes it a crime to obtain data from a system without authorization if the system was “specially protected against unauthorized access”.

New York has a similar provision. Section 156.04 of the New York Penal Code makes it a crime for someone “knowingly” to use or cause “to be used a computer . . . without authorization and the computer utilized is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer”. This provision has been used to dismiss charges of hacking. In People v. Angeles, 687 N.Y.S.2d 884 (N.Y. City Crim, Ct. 1999), an employee of a NY car service was charged with gaining unauthorized access to data in a computer owned and operated by the car service in violation of section 156.04. He moved to dismiss the charges, pointing out that the computer in question was not password-protected or otherwise “equipped or programmed with any device . . . to prevent the unauthorized use” of the computer. The court agreed, and dismissed the charges.

So, in New York and Germany (and the Netherlands), you can’t hack an unsecured computer.

The purpose in each instance, as I understand it, was to filter unauthorized access cases – to keep police from having to respond if the owner of the computer in effect left the door to the computer wide open. The implicit premise seems to have been, as I think they used to say in an old TV cop show, “take care of yourself out there.”

We don’t do this in the real-world, at least not in MOST of the US (New York is an exception). If I am foolish enough to leave my house with the front door standing wide open and my new laptop sitting on a table just inside the door, my irresponsibility (stupidity?) in no way undermines my right to expect that the police will investigate the crime. We simply do not incorporate victim fault into our criminal law (though we do in tort law). So the police can’t say to me, “sorry, but you shouldn’t have left the door open. We’re not going to waste our time tracking down the perp when you didn’t do anything to prevent the crime.”

Right now, in most of the US the real-world rule applies in the online context . . . which, aside from anything else, creates some difficult conceptual issues when it comes to wireless networks. Unlike my house with the open door – which is a quintessentially passive situation – an unsecured wireless network is “active,” in that it casts a web outside my house and, some would argue, essentially “invites” unauthorized persons to use it. So, there continues to be quite a debate about whether or not it is hacking to free-ride on an unsecured wireless network, i.e., simply to make use of the network to go online.

If we required wireless network owners to secure their systems, then the analysis would be much easier. I think I read that a New York town is doing this. I can’t find the story just now, but I believe I read earlier this year that a New York town adopted an ordinance which required people running wireless networks to secure them. (I think users who did not secure their systems faced a fine in that instance, presumably because the NY statute would already bar charges for unauthorized access to an unsecured wireless network.)

Interesting issue: If you don’t bar the virtual door is it a crime for someone to enter it?

4 comments:

  1. I came across your blog using the "next blog" icon. I've read your GPS posts and this post on the unsecured computer as "fair game" for otherwise criminals. I've enjoyed all three.

    Over the past ten years or so I've followed, sporadically, how law is reacting to technology. I can buy a book at the used book store, without compensation to the author; but, I can't burn a copy of Word for my home computer. From an ethical viewpoint I am taking in either situation. The only distinction I find in the two takings is that technology has made a small problem for creators big by making the taking easier. In my head, ethically, I do not feel guilty when buying used book. I would feel guilty stealing a software program by burning it. Being a lawyer, I'm often caught between my legal training and my ethical ponderings. Enough. Again, enjoyed your posts.

    ReplyDelete
  2. Anonymous1:51 PM

    Interesting... but the very next section of the law states:

    S 156.10 Computer trespass.
    A person is guilty of computer trespass when he knowingly uses or
    causes to be used a computer or computer service without authorization
    and:
    1. he does so with an intent to commit or attempt to commit or further
    the commission of any felony; or
    2. he thereby knowingly gains access to computer material.
    Computer trespass is a class E felony.


    Which would seem to catch anything that falls through the cracks from the first section, and is classified as a Class E Felony.

    Nothing like the clear letter of the law.

    ReplyDelete
  3. For some reason, New York changed its law after I posted this comment . . . to get rid of the requirement that the system have somehow been secured.

    So, now all the US states follow that approach, while some countries still require a level of security.

    ReplyDelete
  4. I think its disgusting to hack anyone's computer.

    ReplyDelete