Intermediate Form

Cybercrime's Scope

Previous Entry | Home | Next Entry


Volokh conspirator Orin Kerr posted a draft of an article he wrote about the meanings of the words "access" and "authorization" in computer misuse laws. As I'm a graduate student in computer science, I can offer some opinions about his proposed definitions. My research area isn't security, though, so take this with a grain of salt.

(Please note that this refers to a draft of the article, which will probably be changed before it is published. I've secured Professor Kerr's permission before posting this.)

In the article, he addresses computer misuse laws that criminalize "access without authorization" or "unauthorized access". The law is currently vague about the meanings of these terms, with several competing definition having been used by judges. Kerr attempts to come up with a coherent standard for deciding what is and is not unauthorized access.

He proposes that access be construed quite broadly, but all access should be considered authorized unless it circumvents a "code-based" restriction. It seems to me that this will lead to a reasonable interpretation of these laws, although there may be a few edge cases where this interpretation fails. I'll try to address these cases first, and then point out why I'm generally in favor of his definitions.

First, access:

Specifically, I propose that a user accesses a computer any time the user sends a command to that computer that the computer executes. In effect, I would define access as any successful interaction with the computer.

The only flaw I find here is that it seems to assume a model where users issue commands to access computers. This may fail in a world where software components communicate more and more without user interaction, or to implement the will of multiple users.

Take, for example, a hypothetical future version of my custom RSS aggregator program. A command that I run (either manually or from a cron job) causes the collection of RSS files that have been specified by users. The RSS aggregator could then take action based on the contents of these files, such as caching the linked web pages.

It's possible that some combination of input data (and bugs in the code, as unlikely as it for my code to have bugs in it :-) ) could cause some sort of unauthorized access to occur. In this case, who would cause the access? None of the three parties involved knew that any access would happen.

Thankfully, emergent behavior like this is unlikely to actively work to circumvent authorization requirements, which is the focus of Kerr's next proposal:

I propose that courts limit access "without authorization" to accesses that circumvent restrictions by code. Breaches of regulation by contract should as a matter of law be held to be insufficient grounds for access to be considered "without authorization."

The spirit of this seems to be correct, as generally circumventing security enforced by code is a hard task that is unlikely to result from the mere malfunction of code.

It seems that a minor oversight is that this definition does not address authorized circumvention of code-based restrictions. If I hack into a friend's box, with his permission, because he forgot the root password, I should not be treated the same as someone who does that without his permission. Perhaps this is implied somewhere else in the law, but I think it should be made explicit.

I also think issues come up as to who is able to give permission. Would a computer user be liable under this definition if he circumvents a code-based restriction established by a software manufacturer?

Finally, there's the precise definition of circumventing a code-based restriction. If I encounter a Linux-based computer that has been locked with a xlock (a screenaver), it seems that guessing the user's password would count as circumvention. But generally, I'll be allowed to reboot the computer using ctrl-alt-del. If the boot prompt is not password protected, I could then use that to boot the system in single user mode, and access files that way.

I'm not sure if that would be considered circumventing code-based restriction. In that example, no program is being run in a way that violates its intended use, yet the net result is circumvention.

That being said, one of Kerr's justifications for something like these definitions is quite compelling:

The criminal law would end up encouraging users to protect their privacy in the way most likely to be technically effective: by creating accounts and password schemes rather by attempting to establish privacy via mere contractual agreements.

While creating accounts and password schemes is not nearly enough to ensure security, it is a start, and having the law encourage it would help.

Kerr's proposal seems to strike a nice balance. It makes it hard for a person or program to infringe the law unknowingly (say, by violating the terms of a contract), only criminalizing actions that are explicitly undertaken to violate security. This is unlike contract-based interpretations of authorization, which would seem to apply even if a user only performed actions that were not motivated by malice. These are important distinctions where most interactions on behalf of a user are performed by programs that remain ignorant of the law.

- Tom | permalink | changelog | Last updated: 2003-05-09 00:03

Previous Entry | Home | Next Entry


Commenting has been suspended due to spam.