Letter to the editor: Legally Defining Access
From: Paul Sheer <psheer@openfuel.com>
To: lwn@lwn.net
Subject: Letter to the editor: Legally Defining Access
Date: Thu, 15 May 2003 12:44:55 +0200
Defining Computer Access
------------------------
>
> * "Access" should be interpreted broadly. "...I
> propose that a user accesses a computer any time the
> user sends a command to that computer that the
> computer executes. In effect, I would define access as
> any successful interaction with the computer." Pinging
> the computer, or reaching a login screen, would be
> sufficient.
>
> * The definition of "unauthorized" should be much more
> narrow. "I propose that courts limit access 'without
> authorization' to accesses that circumvent
> restrictions by code. Breaches of regulation by
> contract should as a matter of law be held to be
> insufficient grounds for access to be considered
> 'without authorization.'"
>
The broad definition of computer access is correct. The
narrow definition of authorized access needs some work
though. What is "circumventing" exactly? If a piece of
code, due to a human error in the programmer's thinking,
allows access by some means other than "typical access", then
can we really say that a circumvention has happened? The
intent of the code is exactly how the code executes on
that CPU.
As a parallel, if a company finds a loophole in a
contract, then that company can exploit the loophole and
be immune to a lawsuit. If a hacker finds a loophole in
a piece of code, then similarly, he should be allowed to
use that loophole without having to think about how the
programmer may have intended that code to behave.
Put otherwise, a "restriction by code" cannot be defined
in any meaningful way. It implies that code execution does
not implement the algorithm that the code defines!! What
the code does and does not restrict is open to
interpretation only by the CPU of the machine. The CPU is
impartial, therefore we can assume that if a person did
"hack" a machine then the code did intend it!!!
You can only really define access by the human processes
needed to set up an access. For example, unauthorized
access could be defined as access through impersonating
someone else's credentials: i.e. stealing a login or access
key that was not intended to be used by you.
Under the definition of "...circumvent..." stealing a
password is allowed! :-)
Posted May 22, 2003 2:25 UTC (Thu)
by dkite (guest, #4577)
[Link] (2 responses)
Posted May 22, 2003 21:50 UTC (Thu)
by giraffedata (guest, #1954)
[Link] (1 responses)
You have accidentally made an argument for the other side.
Throughout the western world, real estate rental is controlled by property law, not contract law. The tenant of real estate has the right to enter it as a matter of law -- it has nothing to do with an agreement he may have made with the landlord. People argue the same kind of thing should apply to computers.
On the other hand, most legal scholars think this aspect of real estate law, dating to before the middle ages, is obsolete, and in fact, rental agreements are now near universal and the law is changing to make them more and more significant all the time.
A better analogy for the idea of regulating computer access with contract law would be rental of a car or a boat.
For those of you interested in the legal trivia here -- in the middle ages, tenants usually did not have a rental agreement. They had a deed. The transition in the US happened some time in the late 19th century, but the property law basis of a tenancy is still clearly present.
Posted May 23, 2003 0:39 UTC (Fri)
by dkite (guest, #4577)
[Link]
Posted May 22, 2003 8:24 UTC (Thu)
by beejaybee (guest, #1581)
[Link] (1 responses)
Not if it's been clobbered by introduction of measures designed to promote digital rights management. I think most people would assume that an uninvited stranger inside their house was up to no good, even if they were responsible by omission in the sense that they forgot to lock _all_ the doors & windows. Granted "unauthorized entry" through an unlocked door is less serious than "unauthorized entry" obtained by e.g. demolishing a wall, you're still a victim if this happens to you. So my definition of unauthorized entry to a computer system _would_ include use of a password not issued to you, exploiting a loophole in an access control system etc. as well as measures designed to disable an access control system. The point is that the latter depend to a greater or lesser extent on an exploit of some kind. My definition of unauthorized entry to a computer system would _not_ include _any_ attempt to gain entry to a system to which I have system administrator rights - even if I'm deliberately trying to find a method by which outsiders could obtain unauthorized access. BTW I would consider system administrator rights to a system to be automatically assigned to any person purchasing or leasing the system hardware. In other words it would be legal for me to purchase an Xbox and use it to try to break into the code so that I could use the hardware for a purpose other than that intended by the manufacturer, or to develop, distribute or even sell a tool enabling other people to break into their own systems, but it would not be legal to attempt to break in to anyone else's Xbox for any reason whatsoever.
Posted May 22, 2003 21:37 UTC (Thu)
by giraffedata (guest, #1954)
[Link]
But would you consider those rights to be non-negotiable? I.e. could you, with legal force, give up your right to access the system in certain ways in exchange for, say, a discount on the purchase? Or in exchange for the very purchase?
Many people hold that view. But I for one would strenuously object to such an assault on liberty, as well as the devaluing of a powerful bargaining tool of the consumer.
Posted May 22, 2003 9:58 UTC (Thu)
by copsewood (subscriber, #199)
[Link] (2 responses)
As I see it, DMCA or DeCSS type prosecutions should need to prove (in order for such laws to have any natural justice based on physical access precedents) that the intent of the person circumventing an access control procedure was to prepare to breach copyright or steal information, rather than to exercise fair use rights. System administrators don't have absolute rights over a system which may contain many others' confidential email. Even if they have the technical ability to read it, this doesn't authorise them to do so.
Posted May 23, 2003 20:46 UTC (Fri)
by Baylink (guest, #755)
[Link]
And this is precisely what the people paying for the laws are trying to
prevent, IMHO. They don't *want* it to be based on the "intent" of the
"Attacker", because intent is so hard to *prove*.
Alas, the field is so complicated that there is really no way to prove
merely based on the actions themselves that a bad intent is obvious.
Anyone who doesn't believe this is invited to read the preface to Chapman
& Bellovin.
The short version is, the laws are trying to impose Zero Tolerance
policies where they're not really practical.
And I have zero tolerance for
Zero Tolerance.
Posted May 26, 2003 13:21 UTC (Mon)
by beejaybee (guest, #1581)
[Link]
I'd argue that they _do_ have that right _unless_ they give it up to the users. If they promise users that the contents of specified directories (e.g. mail messages) will be treated as confidential, then they have given up the right to browse files stored in those directories. Naturally such an arrangement would be normal on any system acting as a permanent mail store. When a system is used as a store-and-forward mail relay the (temporary) contents of mail messages which may have nothing to do with any authorized user of the system concerned should also be treated as confidential by the sysadmin. Sysadmin privilege carries responsibilities as well as rights; I don't think this is in question. What I won't give way on is that it's the sysadmin's right to decide whether or not to have a specified individual have access rights to the system & what those access rights should be; in the case of "userless" services like mail relays, it's the sysadmin's right to decide whether or not the service will be operated on a specific system, and to enforce any restrictions which might be felt to be necessary (e.g. bar messages from a particular network because a spammer is known to use it for message flooding).
Posted May 23, 2003 11:38 UTC (Fri)
by MathFox (guest, #6104)
[Link]
As a rule, fair use of public protocols should be permitted for any internet user, unless the owner of the computer system explicitly has requested the user to abstain from (this particular) access to his system. On the other hand, access to restricted protocols should only be permitted to people that have explicit permission from the owner of the system to do so. In many cases the distinction in public and restricted protocols boils down to the presence of authentication code in the implementation of restricted protocols. Unauthorised access to a system through a restricted protocol should be seen in the light of the intent of the owner of the computer system; without considering the means used to acquire the access.
If we compare digital access to physical access, what probably will come about is
a situation where improper access is what the owner decides.
For example, where I live there are No Trespassing signs on most drives off the
main highway. In most cases, it's an indication that, no it isn't a mountain road, it's
a driveway. It is up to the landowner to prosecute trespassing as they see fit.
What if I intend to engage in otherwise constitutionally protected activities, such
as political discourse, or religious? If the land owner decides to prosecute, tough
luck.
So if a site decides that 'deep linking' is improper, could that be the same as
trespass? They are saying that you can access my property only under certain
conditions. Or one day it's ok, the next it isn't because they got slashdotted. Or, if
a site says that viewing with a web browser is ok, but crawling or port scanning
isn't. Would that be the same as a no trespassing sign?
What if there isn't a gate? It still is trespassing. What if there is a flaw in software
that permits easy access. What is the difference?
If I pay rent on a section of property, I can access it, and it would be a breach of
contract to prevent access. Again, contract law would apply to services we use on
the internet.
I know this doesn't clarify anything. Actually, it makes it more complicated, as real
life can be. One thing for sure, good neighborly behavior and respect for others'
property tend to make access easier. People don't mind if you cut through their
property as long as you close the gate, and don't do it too often. And you stop to
inquire about their health and family on the way by. And you ask permission.
Bad behavior does the exact opposite.
Derek
If I pay rent on a section of property, I can access it, and it would be a breach of
contract to prevent access.
real estate rental not based on contract law
Fascinating. I didn't realize that.
The point I was trying to make was that the freedoms we have experienced with
an open internet will probably diminish over time. I've lived in this area since 1982,
and there were few no trespassing signs. Now they are all over, due to the
increase in traffic, increase in property values, etc. At one time you could walk
along the lakefront without any difficulty, now there are barriers put up to prevent
what used to be taken for granted.
I see the same trend on the internet. Not for good. Unfortunately, again as
paralleled in the 'real world', many of the barriers have been erected as a result of
abuse or lack of respect for others' property, or because there is high value tied to
some asset. Email is fantastic, but now laws are being written to make it less free
and accessible due to spammers abusing the freedom.
What concerns me most is the fact that anyone could inadvertently trespass and
be prosecuted, simply by linking, or viewing something. It all depends on the
owner and what they feel that day. Scary.
Derek
"The CPU is impartial...."
I would consider system administrator rights to a system to be automatically assigned to any person purchasing or leasing the system hardware.
Xbox owner automatically has right to access it?
Whether circumventing an access control procedure is an offence depends upon whether the circumventer is authorised to access the resource or not. Picking the lock on my own house is not an offence if I have forgotten the key, but it is an offence if I pick the lock on someone else's house who hasn't invited me in. The fact that the lock is inherently pickable makes no difference to whether or not this is an offence. There seems to be less controversy about this principle concerning conventional cracking than in connection with DMCA type laws, as the view that maintenance of a computer system with a security weakness presents an open invitation is unlikely to be upheld by any court.
> As I see it, DMCA or DeCSS type prosecutions should need to prove (in
> order for such laws to have any natural justice based on physical access
> precedents) that the intent of the person circumventing an access control
> procedure was to prepare to breach copyright or steal information, rather
> than to exercise fair use rights.
"System administrators don't have absolute rights over a system which may contain many others' confidential email. Even if they have the technical ability to read it, this doesn't authorise them to do so."
A simple way to get out of the problem of defining Authorised Access and/or circumvention is to take a look at common practice. In the case of the internet it is easy to find the rules of common practice, because they are codified by the IETF in RFC's. If you enumerate the IP subprotocols you'll find protocols that expect authentication; let's call them the restricted protocols and protocols that don't require authentication, the public protocols.