Defining "Access" in Cyberspace

I've been reading a lot of law journal articles. It's interesting to read legal analyses of some of the computer security problems I've been wrestling with.

This is a fascinating paper on the concepts of "access" and "authorized access" in cyberspace. The abstract:

In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to access a computer, however, nor when access becomes unauthorized. The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.

This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting access and authorization. This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.

It's a long paper, but I recommend reading it if you're interested in the legal concepts.

Posted on June 14, 2005 at 7:16 AM • 9 Comments

Comments

Roy Owens • June 14, 2005 11:06 AM

Lawyers will happily plunge into laws and legal concepts for computers without actually understanding how any of it works. Worse yet, they will never be willing to learn.

Davi Ottenheimer • June 14, 2005 11:19 AM

"the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers"

You might say that many organizations, on the other hand, have preferred an extremely strict definition of "unauthorized access" to help skirt the PR nightmare and excessive costs of remediation. This is especially true if a policy exists that requires systems to be completely rebuilt after compromise. More recently we have seen a narrow definition used by companies to try and avoid "breach" disclosure laws.

I can think of at least two incidents over the past several years (especially on the cusp of SB1386) where IT executives argued that someone who had circumvented authorization controls by exploiting a weak service to distribute illegal software should still be considered "innocuous conduct" as it did not directly impact the business' ability to meet its own objectives, and reporting the incident would require a messy cleanup, etc.

I believe computer incident investigators will have an increasingly interesting role to play for years to come as the ground continues to rapidly shift beneath them.

Benny • June 14, 2005 12:41 PM

"Lawyers will happily plunge into laws and legal concepts for computers without actually understanding how any of it works. Worse yet, they will never be willing to learn."

Sometimes it's just too easy to scoff at lawyers, who are so often vilified. There are actually good ones out there fighting the good fight, so to speak. Here's one I met a while back:

http://www.cooley.com/attorneys/bio.aspx?...

As you can see, he actually does know what he's talking about when it comes to computers (got a B.S. in Computer Engineering, worked as crypto engineer with NSA, co-authored RFC 3647 - X.509 PKI Policy Framework). The legal court is an arena many of us are happy to stay away from. My point is that we should respect those who take on the task of advancing security and privacy in that convoluted setting.

Chris L • June 14, 2005 8:08 PM

It is entirely possible that people who are in the legislative and legal process are not receiving enough technical perspective from the computer security community outside of the obvious business entities that have a perspective of security that might differ from the rest of the community. Contact your legislators and any friends of the legal persuasion and let them know that you'd like to offer your insights and point them to additional resources that they may like to explore for a deeper understanding of the topics that affect internet legislation.

Curt Sampson • June 14, 2005 11:23 PM

Here's a key quote, for those not wanting to slog through the whole thing:

This Article proposes that courts should reject contract-based notions of authorization, and instead limit the scope of unauthorized access statutes to cases involving the circumvention of code-based restrictions. The fact that computer use violates a contractual restriction should not turn that use into an unauthorized access. The bypassing of a code-based restriction such as a password gate should be required to trigger criminal liability, such that hacking into a computer could be an unauthorized access, but violating Terms of Service would not be. This standard counsels future courts to reject the suggestions of recent civil decisions that the federal unauthorized access statute criminalizes contract law. Courts should require a higher threshold for access to be deemed “without authorization” under the criminal laws; they should require, at a minimum, the circumvention of a code-based restriction on computer access.

At first blush, pretty good, but I'll hold off on my reservations until I've read the section of the paper that deals with this in detail.

Rob Mayfield • June 15, 2005 10:09 PM

"As you can see, he actually does know what he's talking about when it comes to computers (got a B.S. in Computer Engineering, worked as crypto engineer with NSA, co-authored RFC 3647 - X.509 PKI Policy Framework)."

While he's probably very good, I think it would be fair to suggest that he'd be the exception rather than indicative of the general rule ...

Bruce Schneier • June 20, 2005 10:01 AM

"Lawyers will happily plunge into laws and legal concepts for computers without actually understanding how any of it works. Worse yet, they will never be willing to learn."

Luckily, there are exceptions to this. I try to only link to law-review articles by exceptions.

