
What is "unauthorized access"?

Much of a security-oriented administrator's work has to do with the prevention of unauthorized access to a set of computing resources. So it is interesting to note that, as laid out in this paper by Orin S. Kerr, few people have really tried to nail down what "unauthorized access" really means. The paper discusses the issue in great detail; it is 80 pages long, and the author uses more footnotes than Lawrence Lessig or Terry Pratchett. After looking over a few decades of (U.S.) case law and legislation, he puts forward a couple of recommendations which, it is hoped, will help the courts achieve some sort of rational interpretation of the wide variety of computer crime laws in the U.S.

The question of "access" is not as straightforward as one might think. Robert Morris (of the famous Morris Worm) tried to argue that he did not "access" all of the systems that his worm infected. Instead, he only accessed the systems where he launched the worm - and he had legitimate accounts there. The court didn't buy it, but the question remains. Back when the only way to get onto a system remotely was via modem, the act of "accessing" a computer was relatively straightforward. In the current world, however, does somebody "access" a computer by opening an ssh connection, pulling down a web page, sending an email, or sending a ping packet? Did you, gentle reader, "access" the numerous routers these words passed through on the way to your browser?

Once you have a handle on what it means to access a computer, it's time to figure out what "unauthorized" means. Courts have found, for example, that a disgruntled programmer who deleted code from his employer's system engaged in unauthorized access, while a police officer who printed out driver's license photographs of female college students did not. A system administrator who password-protected a set of files was also found to have not engaged in unauthorized access. Violation of an ISP's or web site's terms of service has often been found to be unauthorized access. Verio was found to have made unauthorized accesses to Register.com's whois database for the simple reason that Register.com didn't like it.

Mr. Kerr fears that overly broad interpretations of "unauthorized access" could eventually criminalize the everyday behavior of millions of net users. His recommendations are:

  • "Access" should be interpreted broadly. "...I propose that a user accesses a computer any time the user sends a command to that computer that the computer executes. In effect, I would define access as any successful interaction with the computer." Pinging the computer, or reaching a login screen, would be sufficient.

  • The definition of "unauthorized" should be much narrower. "I propose that courts limit access 'without authorization' to accesses that circumvent restrictions by code. Breaches of regulation by contract should as a matter of law be held to be insufficient grounds for access to be considered 'without authorization.'"

In other words, the author is proposing an anti-circumvention law for computing systems. In this case, anti-circumvention makes some sense; access controls serve as the "lock on the door" of a computer that belongs to somebody else. A person who breaks that lock cannot claim to have authorization. But a person who has simply gone against somebody's wish for how a computer should be used (violating terms of service, sending spam, "deep linking," etc.) should be dealt with using contract law. Nobody should face possible jail time for deep linking.

The proposed interpretation has its own interesting issues, of course. For example, a denial of service attack is not necessarily an unauthorized access (though it can certainly violate other laws). Would sending spam which has been specially crafted to evade filters be circumvention of code-based access control? These questions remain tricky to answer. By looking at them closely, however, we at least stand a chance of having a better idea of what we are talking about.



What about "obligation" ?

Posted May 15, 2003 8:41 UTC (Thu) by ortalo (subscriber, #4654)

In my opinion, it is a pity that discussions about computer security always only deal with the notions oriented towards the user. I've always militated in favor of a broader view of security properties, including notions like permission and interdiction, but also and simultaneously obligation.
What about the obligation of a Web server to answer you once you have sent a legitimate and well-formed request? What about the obligation of this ISP to handle your packets timely and with some minimal respect? What about the obligation of this public service that publishes tax information to maintain your privacy and respond timely to your requests? What about the obligation to answer a customer complaint (e.g. when the product you ordered last week arrived broken or did not arrive at all)?

Currently, computers make little room for enforcing or at least examining such properties from the security or normative point of view. However, when you think about it, these are the properties that are most important to individuals: in any society there are rules that restrict our permissions, but in democratic societies, there are also many rules that *protect* our freedom. Which bits store the latter in the computer you are using?

Rodolphe

What is "unauthorized access"?

Posted May 15, 2003 12:16 UTC (Thu) by copsewood (subscriber, #199)

If I have to:

1. purchase a computer running an OS with a monopoly supplier, (don't have much of a choice here unless I'm willing to deny my children access to certain software of educational value which only runs on this platform), and

2. in order to get this OS to work I have to click through a ludicrous and unenforceable so-called "agreement" allowing this supplier to access my computer remotely, and

3. if the OS supplier then cracks into my computer to steal information, e.g. about the DVDs I watch etc., is this access "authorised" by me or not?

I certainly wouldn't mind seeing Microsoft's UK chief up in front of the UK criminal courts and going down for a few years for breach of section 1 (unauthorised reading of data) or section 2 (unauthorised modification of data) of our Computer Misuse Act, based on a prior civil case that establishes relevant parts of this click-through license as null and void on the grounds of the illegality of this monopoly.

I think Microsoft is treading on very thin ice here.

Missing piece: Accidental exposure of services

Posted May 15, 2003 13:17 UTC (Thu) by bjn (guest, #2179)

If the definition of "unauthorized" is only tied to circumvention, it seems like it leaves out an important piece. If an outsider discovers that your FTP server accidentally allows overwriting files, and proceeds to do so, I think most people would consider that "unauthorized" but it wouldn't be "circumvention" (the protocol was used as designed, and the server permissions allowed the action).

Consider a real-world analogy: Could someone claim innocence of trespassing if there's a "No Trespassing" sign on the door, but the door is accidentally left unlocked, and nothing was broken in the process of entering?

Missing piece: Accidental exposure of services

Posted May 15, 2003 16:50 UTC (Thu) by Baylink (guest, #755)

Nope, sorry.

I'm a Libertarian, at heart, if not necessarily in detail, and I have no problems holding people responsible for a) making sure their systems are secure or b) requiring their vendor to do so. If you can't secure your own systems, you shouldn't really have any formal recourse. [ ducking, looking over shoulder for crackers ;-) ]

If your software is so complex that you can't tell if it's secure, get simpler software.

But permitting recourse in this sort of situation *guarantees* that software will never get better.

Missing piece: Accidental exposure of services

Posted May 15, 2003 18:58 UTC (Thu) by copsewood (subscriber, #199)

Well, a bug in a very good padlock is that someone can put glue into it, in which case the owner might replace this with a cheap padlock which can be more easily broken with a jemmy. Don't laugh, this actually happened to me once, it being a friend who had legitimate access to the garage who cut off the glued lock and replaced it with the cheaper one when I was away. The fact that the cheaper lock was even more buggy than the expensive one didn't make the subsequent break in either legal or invited.

Part of the problem with the analogy to cyberspace is that a system which is cracked into is generally not physically damaged. The actual damage to system owners and users arises through invasion of privacy (unauthorised access to data) or logical damage (unauthorised modification of data). For this reason laws relating to physical space (civil trespassing and criminal burglary laws) do not readily translate to cyberspace. Here exploitation of a bug to breach the normally intended and understood access controls on a system is not an open invitation by the system owner and IMHO should not be seen as such.

Of course security competitions where the system owner invites hackers to attempt to break in to an identified system are a form of authorised access because this has been invited. Also provision of a simple login: prompt has been considered an invitation, but if this is followed by a password: prompt, someone unsure about their authorisation can be expected to know whether they have legitimately been given a password or not.

The fact that someone can break into my house with tools available in any hardware shop also does not mean that I have issued an open invitation or should be seen to have done so by the courts.

Missing piece: Accidental exposure of services

Posted May 16, 2003 16:23 UTC (Fri) by giraffedata (subscriber, #1954)

Consider a real-world analogy: Could someone claim innocence of trespassing if there's a "No Trespassing" sign on the door, but the door is accidentally left unlocked, and nothing was broken in the process of entering?

Different societies go different ways on this, and they go different ways depending on the details of the door. If it's a single family home, Americans generally go with the selfish dog-in-manger view that it's a trespass. Other cultures don't. If it's a maintenance area of a public building, it's unlikely to be trespassing anywhere.

And so it is with computers. Some people feel violated when someone so much as probes their systems for open ports. Others believe a computer on the internet is public to that extent.

But we don't need to define "unauthorized access" in the FTP deletion of files case. What we have here is vandalism -- malicious destruction of property. It doesn't matter what kind of access the person used to do it.

Contract law isn't enough

Posted May 16, 2003 16:28 UTC (Fri) by giraffedata (subscriber, #1954)

But a person who has simply gone against somebody's wish for how a computer should be used (violating terms of service, sending spam, "deep linking," etc.) should be dealt with using contract law.

Contract law by itself can't help. You also need a criminal or tort law that says you can't access a computer unless you have contracted for access.

Violating terms of service, which is another way of saying breach of contract, is the only one of your examples that can be dealt with by contract law alone. Spammers don't have a contract with the owners of the systems they invade.

Maybe what you meant was "civil" law. I.e. you don't get punished for the access; you can't go to jail. You just pay for the damage you did, if any. I could support that.

Using drivers licence photos for personal amusement...

Posted May 17, 2003 10:54 UTC (Sat) by ptr (guest, #5885)

I would love to have a link with further information about the court decision there. Can someone, e.g. the author, please post a link or something similar?

I would appreciate it. Thanks.

Using drivers licence photos for personal amusement...

Posted May 17, 2003 14:04 UTC (Sat) by corbet (editor, #1)

I'd recommend looking in the report linked in the article; it is heavily footnoted, so you should be able to find all the info you need.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds