Wednesday, June 03, 2009

"Access" as Over-inclusive

I recently exchanged several emails with Lokkju Brennr, Lokkju brought up an interesting issue about the way law approaches the crime of gaining unauthorized access to a computer (often generically referred to as “hacking” a computer). Before I get to that issue, I want to review how law deals with this crime.

In a post I did a couple of years ago I explained that lawyers usually analogize the crime of gaining unauthorized access to a computer to the crime of criminal trespass: In each instance, you’re doing something you’re not supposed to do and, as a result, are “harming” the owner of the computer/property in some respect.

The “harm” resulting from trespass on physical property seems to be an amalgam of privacy (if you come onto my property without my permission, you’ve violated my privacy) and my right to exclusive possession of the property. The “harm” resulting from unauthorized access to a computer system is . . . a little murkier. I think it definitely encompasses the second “harm” that justifies criminalizing physical trespass, i.e., you’re violating my exclusive right to possess and access my property (my computer/computer system, in this context). And it probably also encompasses the first “harm,” as well, because if you get into my computer system you are in a sense violating my privacy (or at least have acquired the capacity to violate my privacy by getting into the data I don’t want anyone else to know about).

I think the unauthorized access-criminal trespass analogy is far from perfect, but it’s pretty much all we have. It’s difficult, if not impossible, to develop analogies that symmetrically track digital and physical “harms” with any precision. That, however, is not the issue Lokkju Brennr raised. That issue, I think, is both more interesting and more difficult to resolve. Here it is:

The majority of the time when you do an activity, such as a sending an email, you don't know whether or not you have the authorization to do so. For instance, when I sent my initial email to you, even without going into the underlying protocol issues, I did not know if I had authorization to access your email server or not. Now, I could make an educated guess that since you published your email address, it was permissible to contact you - but I did not have any specific authorization.

Lokkju also pointed out that given this state of affairs, unauthorized access statutes effectively criminalize “all normal use of the Internet.” That’s an interesting point; I’m going to use this post to speculate a bit about Lokkju’s point and about how the law deals with it . . . and maybe even how the law might change how it deals with it.

Let’s start with an unauthorized access crime statute. The federal statute is remarkably straightforward: “[Whoever] intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage” commits a federal crime. 18 U.S. Code § 1030(a)(5)(B). As I noted in an earlier post, the federal statute does not define “access”, but a number of state statutes do.

Most states define it as “to instruct, communicate with, store data in, retrieve data from or otherwise make use of any resources of a computer, computer system or network.” Arizona Statutes § 13-2301(E)(1). California’s definition is similar but a little more elaborate: “`Access’ means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.” California Penal Code § 502(1).

Okay, U.S. states (and the criminal codes of other countries) define access. But do they define what it means to gain access “without authorization”?

Surprisingly, a few states do. Here’s how Colorado defines it: “`Authorization’ means the express consent of a person which may include an employee’s job description to use said person’s computer, computer network, computer program, computer software, computer system, property, or services as those terms are defined in this [statute.]” Colorado Revised Statutes § 18-5.5-101(1). And here’s how Hawaii defines it: “`Without authorization’ means without the permission of or in excess of the permission of an owner, lessor, or rightful user or someone licensed or privileged by an owner, lessor, or rightful user to grant the permission [to access the computer or computer system].” Hawaii Revised Statutes § 708-890. Minnesota has a slightly different and rather interesting approach to defining authorization:
`Authorization’ means with the permission of the owner of the computer, computer system, computer network, computer software, or other property. Authorization may be limited by the owner by:

(1) giving the user actual notice orally or in writing;
(2) posting a written notice in a prominent location adjacent to the computer being used; or
(3) using a notice displayed on or announced by the computer being used.
Minnesota Statutes § 609.87(2a). And New Hampshire throws in a new element that expands the scope of authorization:
`Authorization’ means the express or implied consent given by a person to another to access or use said person's computer, computer network, computer program, computer software, password, identifying code, or personal identification number.
New Hampshire Revised Statutes § 638:16(II). A few other states also have statutory provisions that define authorization, but they all tend to resemble one of more of these statutes.

So where does that leave us in terms of the issue Lokkju raised? When I send an email to you – to someone who didn’t email me first and whom I don’t know in the real world – how do I know if I’m accessing their email server (or, more accurately, I think, the email server that handles their email) with or without authorization?

As a matter of fact, I don’t. As a matter of fact, I simply assume I have authorization to access that server. All of the statutes quoted above define authorization as acting with the consent/permission of the owner of the computer system (the server); in so doing, they implicitly assume that the person KNOWS they are acting with the permission or consent of the owner of the system (server). Logically, I could argue that they assume (also or in the alternative) that it’s sufficient if I believe I have permission or consent to access the computer. I don’t think a subjective belief (however accurate or erroneous) works here, though, because I think the language of most of the statutes incorporate a higher standard, i.e., I think they predicate authorization as your having obtained some signal, some indication, from the owner of the system that it’s okay for you to access it. (But I could be wrong.)

The New Hampshire statute broadens that by adding “implied consent.” The other statutes expressly or (I would argue) implicitly require that there have been express consent from the owner of the system for access to be authorized. That’s why I believe they require a much higher standard than simple belief (“I thought it was ok, really I did”).

The New Hampshire statute doesn’t tell us how implied consent arises. Pennsylvania’s computer crime statute does shed a little light on this issue. It defines authorization as including “express or implied consent, including by trade usage, course of dealing, course of performance or commercial programming practices.” This language appears in a statute entitled “defense.” Here is the statute in its entirety:
It is a defense to an action brought pursuant to Subchapter B (relating to hacking and similar offenses) that the actor:

(1) was entitled by law or contract to engage in the conduct constituting the offense; or
(2) reasonably believed that he had the authorization or permission of the owner, lessee, licensee, authorized holder, authorized possessor or agent of the computer, computer network, computer software, computer system, database or telecommunication device or that the owner or authorized holder would have authorized or provided permission to engage in the conduct constituting the offense. As used in this section, the term `authorization’ includes express or implied consent, including by trade usage, course of dealing, course of performance or commercial programming practices.
18 Pennsylvania Consolidated Statutes § 7605(2). Connecticut has a similar defense to a charge of unauthorized access statute. Like the Pennsylvania statute, it bases the defense on the fact that the defendant “reasonably believed” that the owner of the computer system or the owner’s agent had authorized the access. Connecticut General Statutes § 53a-251(b)(2). The Connecticut statute, though, throws in another option: It’s also a defense if the person charged with gaining unauthorized access to a computer “reasonably could not have known that his access was unauthorized." So this statute essentially puts the risk on the owner of the system; the owner must make it "reasonably" clear access is not authorized unless you do something, have something, etc.

So where does that leave us? It’s pretty clear that U.S. law, anyway, doesn’t address the issue Lokkju raised, i.e., the problem of letting someine know whether their access is authorized prior to their act of accessing a system. It looks like a few U.S. states (New York has a statute similar to the Pennsylvania defense statute) deal with this issue by giving someone charged with unauthorized access the ability to use their belief that they were authorized to use the system as an affirmative defense. In U.S. criminal law, when someone raises an affirmative defense to a charge, they admit they committed the crime but use the defense to argue that they shouldn’t be convicted. Self-defense and insanity are affirmative defenses; someone charged with murder can concede that they killed the victim but argue that they are not guilty of murder because they acted in self-defense or were insane at the time.

Does that approach seem reasonable? If not, any alternatives?


Lokkju said...

While I think that is a viable approach (as in, politically), at least to start with, I do have two issues with it:

1) You are criminalizing a common behavior, and then leaving a defense open. While that makes sense to do for uncommon behaviors (like shooting someone), I'm not sure it is the right approach to take for something that people do everyday.

2) You are putting different burdens on different people depending on their knowledge of the subject. As an example, a computer expert who did an SQL injection attack (put a "'" into a form entry field) would be criminally liable; but a neophyte would not be. I'm not sure I like the idea of criminalization based on your level of knowledge.

Anonymous said...

I believe much of the ambiguity comes from 1030(a)(5)(B)'s mention of a "protected computer". When that statute was written, "protection" might have just meant using passwords; today it means passwords, SSL, and audits plus physical security and firewalls. Another issue is that even a modern "protected system" can offer services (e.g. web pages) up to the public but restrict other uses. Is the computer then "protected" and against what? Finally, let's presume you are "authorized" to "access" a computer's web server. So you connect to port 80 and enter random garbage, hoping to cause (and causing) a crash. Can the content of your communication change the nature of the access from authorized to unauthorized? I certainly don't know.

Susan Brenner said...

In response to Lokkju:

I agree with #1 . . . since the goal of law, especially criminal law, is to keep people from doing "wrong" things, we really want to make it clear what is "wrong" (and what is not). That's not a big problem with traditional crimes like murder and theft, because we're socialized to understand they're "wrong." I don't think we have a big problem with real world trespass, either; even if I walk by and see your front door standing wide open, I know I'm not supposed to go in.

It's much harder when you get to the more rarefied "wrong" things, like unauthorized access. Looks to me like in this context, we have the reverse of my trespass example, i.e., we tend to assume we can access something unless we're told we can't So we could adopt laws requiring people to, in essence, put up no trespassing signs in cyberspace . . . somehow.

Agreed as to #2 also, both because law is supposed to be knowledge neutral and because it we did that, we'd be encouraging people to deliberately remain ignorance and so be able to get away with more.

Hey, I don't have a solution, at least as yet, so I thought I'd outline the (surprisingly very little) that's out there.

Susan Brenner said...

In response to Anonymous,

When section 1030 talked about a protected computer, it just means that this is a computer the federal government has jurisdiction over, as in jurisdiction to prosecute. The default assumption in U.S. criminal law is that criminal law belongs to the states, not the federal government; federal criminal jurisdiction is supposed to be the exception (for historical reasons). There was a vast expansion of federal criminal jurisdiction in the twentieth century, but the federal government still has to show that there's constitutional basis for its exercising criminal jurisdiction in a specific context.

The way it does that for the section 1030 crimes is to make them apply to protected computers, which section 1030(e)(2) defines as a computer that is exclusively used by the federal government or by a financial institution OR which is used in or in a manner affecting interstate or foreign commerce. The last alternative encompasses any computer that's linked to the Internet, and probably computers that aren't (since they were made, shipped and purchased via interstate commerce).

Jay Levitt said...

IANAL, but I was involved with some of the early AOL-vs-spammer cases. As I recall:

- We added some "you're not authorized to spam" text to the protocol headers, so we could point out that we had effectively placed a sign at the point of entry, as Susan postulates in #3. But it was really a belt-and-suspenders thing, just to say we'd tried.

- We added no-spamming clauses to our Terms of Service. This gets into the Lori Drew question, I think: If unauthorized access is criminal, and if non-government entities can define authorized access in their civil contracts, then haven't you hoisted those civil contracts into criminal law? Not only can't I think of a good answer, but I can't imagine that a good answer could exist. Does this happen in other, non-cyber realms?

- We sent paper cease-and-desist letters to the spammers. This was key, I think; it made the whole implicit authorization question moot. We'd clearly revoked any such implicit authorization.

- We successfully claimed that, since forged headers (e.g. From: were designed to circumvent our spam filters, which are in turn access controls, they were intrinsically fraudulent access. (And trademark violations, too.)

- Lots of other fun stuff. I think the lawsuit archives are still up at said...

Use of a computer can be reasonably differentiated into three levels:

Public access encompasses services enabled and authorized by the owner of the computer for general interaction with other computers. The key is that the owner generally makes such access available and only denies it in specific circumstances. Running an email server, a web server's non-password-protected areas, or a web service with automatic or self-service account creation are all good examples. An unrestricted WiFi access point is similar. It should not be a crime to use the public access facilities in an ordinary way.

Limited access, the next level up, is granted by the owner of the computer to specific people. These services are not automatically available, but typically require identification, authentication and authorization to use these facilities. Examples of limited access include printing services on college campuses, password-protected WiFi services, and indeed most cases where an account holder can have financial transactions or incur costs. Unauthorized access to a limited access facility should be an offense.

Finally, there is administrative access. These are the functions which are normally carried out only by the owner of the machine and specifically designated and authorized persons acting in their place. Windows and Macintosh systems call these functions "Administrator" privileges; UNIX derivatives call them "root". There are applications which have similar features -- databases, other systems -- in all cases it is clear that there is a differentiation between the rights accorded to a general user and the special functions available to a privileged administrator. Unauthorized administrative level access should be treated as a more serious offense.

Some computer systems do not have much, if any, differentiation between access levels -- I'm thinking of cellphones and PDAs, mostly, but also various computerized appliances. Even so, two levels of access can usually be discerned based on common usage. This is a grey area.

Lokkju said...

dsr -
But what about the most common form of hacks - like SQL injections or the like - that simply cause a public facing website to do something other then what the owner of that website intended? Hell, even a buffer overflow is the same idea - the software does what it is told.

Lokkju said...

dsr -

Also, I should mention that what you are defining as three levels of access is very much an oversimplification. Those three may be what you commonly see, but in actuality there is no "protected" or "unprotected" or "administrator" - there is just what the computer is designed to do.

While it is common on a unix system to have a user "root" with a group "wheel" (0:0), this is in no way necessary to the operation of the system - I could use any username, group name, or user number, and as long as I configured the system properly it would behave correctly. The same could be done on a windows system, essentially.

This is the problem with computer law - the people writing it may understand basic usage - but they do not usually understand computer or network architecture.

Atis said...

I belive that when you send an e-mail you do not access compyter system of e-mail recipient. Normaly you access mail server of your own IPS (which could require login/password or could be bind to exact IP address(es)) both when receiving and sending e-mails. then your ISPs mail server sends your e-mail to recipients e-mail server - they communicate between themselves and it's normal behaviour (i.e., it's a way e-mail system works). actually it's very similar to how snail mail works.
recipient's server can reject your e-mail if it doesn't fit rules set on recipients e-mail server (for example, it's sent to non-existant mailbox or is too lage and so on).

Lokkju said...


While partially correct, that does not change the fact that when you send an email, you are causing a remote computer system, that you do not know if you have the authority to access, to be accessed.

Atis said...

what i mean is that it's the way e-mail system is designed to work - it is suposed to be accessed unles configured otherways. like postman has the right to put mail addressed to you in your mailbox. ain't it like that?