Friday, January 16, 2009

Misusing Authorized Access?

In a post I did a couple of years ago, I talked about the “insider” hacking crime: exceeding one’s authorized access to a computer to do . . . something.

The premise of the crime is that we need to make it illegal for insiders – people who legitimately have access to a computer or computer system – knowingly to exceed the scope of that access in order to destroy data, copy data, install a logic bomb that shuts down the system, etc. So the "exceeding authorized access" crime is usually a kind of burglary offense; it makes it illegal to "go" somewhere (in this case, "into" areas of a computer system which you're not supposed to access) in order to cause some kind of "harm."

As I explained in my earlier post, courts often find it an onerous task to decide (and explain) precisely how and why a particular insider exceeded his or her authorized access.


Sometimes, as I’ve noted before, the insider’s employer will have written policies that very specifically define what the insider is authorized to do in terms of using the employer’s computer system; that definition by implication excludes activities other than those that are specifically authorized. So, in situations like this, courts run through the policies and then infer that the defendant – the insider – knew that what he or she was doing exceeded what he/she was authorized to do, so the person committed the crime of exceeding authorized access.

Sometimes that analysis is pretty straightforward . . . as when a police officer uses a police computer to look up someone out of simple curiosity. Police departments have policies which state that the computers are only to be used for legitimate police business and the officers who use those computers are given the policies, told to read them and, in some instances, anyway, required to sign a statement saying they have read them and understand them.

Other times it can be a little more ambiguous. An employee can be explicitly authorized to use certain aspects of a computer system; implicit in the explicit authorization is the premise that this quantum of access is being authorized in order for the employee to use the computer system in a way that benefits his/her employer. The problem that can arise here is that the latter is not specifically spelled out, so that while we all know, as a matter of common sense, that the employee HAD to know what he/she was doing was way out of bounds, it’s very difficult, even impossible, to prove that beyond a reasonable doubt.

To prosecute someone for a crime, you have to prove every element, including the mental state, beyond a reasonable doubt; and when the statute makes it a crime to exceed authorized access to a computer system, that means the prosecution has to prove beyond a reasonable doubt that this particular defendant, as an individual, KNEW that at the time he/she did whatever got him/her in trouble.

That means really knew, as in personally knew “I am not supposed to do this but I am going to go ahead and do it.” When you start using inferences from rules (and a lack of rules) to show that someone MUST have known that what he/she was doing was wrong, you’re not proving the mens rea of “knowingly.” You’re proving what the law calls recklessness, the definition of which is that you were aware of a strong possibility that what you did was not within the scope of your authorization but went ahead.


Some suggest the way to resolve all this is for employers to adopt really clear, really Draconian scope of use policies; the premise here is that such policies would deprive a defendant of the ability to make an “I didn’t know it was wrong” argument. One of my students said he worked for a company that had a policy which said, in part, “I will only use my access to the company’s computer for its benefit.” Well, that sounds pretty solid . . . but what if an employee decides that he wants to check out an aspect of security on his employer’s computer system – even though that is not his job – because he thinks he can highlight a problem and get credit for doing so (maybe even get promoted)? He gives it a shot, does something wrong, causes a problem that costs the employer money to fix . . . and is charged with exceeding authorized access. I’m not sure the “use the computer for the company’s benefit” would work to establish that he knowingly exceeded authorized access in this situation. He thought he was using the system for the company’s benefit.

Another suggestion is to use computer code to essentially lock people into particular access zones, so that they physically cannot exceed authorized access casually or even accidentally. They have to work at it. I can see how that might work in certain contexts, but I don’t see how it can work in others.

I was thinking about all of that, and I came up with an idea . . . maybe even a good idea. It seems to me that the problem with the “exceeds authorized access” crime is that it’s based on technology too much. In criminal law, every crime is designed to target a specific “harm”. Murder encompasses causing the death of a human being, robbery encompasses taking someone’s property from them by using force, etc.

It seems to me that the real “harm” we’re trying to go at with the “exceeds authorized access” crime is not so much the fact that you exceeded the scope of your authorized ability to access your employer’s (or some other owner’s) computer system. We only relied on that issue because we couldn’t prosecute you for the other alternative – unauthorized access – since you were an authorized user of the system.

Seems to me it might make sense to reconfigure the “exceeds authorized access” crime to make it a “misused authorized access” crime. Then you focus not on the really rather incidental issue of the access the employee (or other perpetrator) used to inflict the “harm” that led to the prosecution, but on the “harm” itself. That is, you focus on whether or not the perpetrator knew that what he/she was doing was not a legitimate use of the computer system. So if a police officer uses a police computer to look for some dirt on an old friend, he knows that’s not a legitimate use of the system; he knows he’s misusing the system.
