LWN: Comments on "Letter to the editor: Legally Defining Access"

Letter to the editor: Legally Defining Access

beejaybee — Mon, 26 May 2003 13:21:25 +0000

"System administrators don't have absolute rights over a system which may contain many others' confidential email. Even if they have the technical ability to read it, this doesn't authorise them to do so."

I'd argue that they _do_ have that right _unless_ they give it up to the users. If they promise users that the contents of specified directories (e.g. mail messages) will be treated as confidential, then they have given up the right to browse files stored in those directories.

Naturally such an arrangement would be normal on any system acting as a permanent mail store. When a system is used as a store-and-forward mail relay the (temporary) contents of mail messages which may have nothing to do with any authorized user of the system concerned should also be treated as confidential by the sysadmin.

Sysadmin privelege carries responsibilities as well as rights; I don't think this is in question. What I won't give way on is that it's the sysadmin's right to decide whether or not to have a specified individual have access rights to the system & what those access rights should be; in the case of "userless" services like mail relays, it's the sysadmin's right to decide whether or not the service will be operated on a specific system, and to enforce any restrictions which might be felt to be neccessary (e.g. bar messages from a particular network because a spammer is known to use it for message flooding).

Letter to the editor: Legally Defining Access

Baylink — Fri, 23 May 2003 20:46:55 +0000

> As I see it, DMCA or DeCSS type prosecutions should need to prove (in order for such laws to have any natural justice based on physical access precedents) that the intent of the person circumventing an access control procedure was to prepare to breach copyright or steal information, rather than to excercise fair use rights.

And this is precisely what the people paying for the laws are trying to prevent, IMHO. They don't *want* it to be based on the "intent" of the "Attacker", because intent is so hard to *prove*.

Alas, the field is so complicated that there is really no way to prove merely based on the actions themselves that a bad intent is obvious. Anyone who doesn't believe this is invited to read the preface to Chapman & Bellovin.

The short version is, the laws are trying to impose Zero Tolerance policies where they're not really practical.

And I have zero tolerance for Zero Tolerance.

Letter to the editor: Legally Defining Access

MathFox — Fri, 23 May 2003 11:38:44 +0000

A simple way to get out of the problem of defining Authorised Access and/or circumvention is to take a look at common practice. In the case of the internet it is easy to find the rules of common practice, because they are codified by the IETF in RFC's. If you enumerate the IP subprotocols you'll find protocols that expect authentication; let's call them the restricted protocols and protocols that don't require authentication, the public protocols.

As a rule, fair use of public protocols should be permitted for any internet user, unless the owner of the computer system explicitly has requested the user to abstain from (this particular) access to his system. On the other hand, access to restricted protocols should only be permitted to people that have explicit permission from the owner of the system to do so. In many cases the distinction in public and restricted protocols boils down to the presence of authentication code in the implementation of restricted protocols. Unathorised access to a system through a restricted protocol should be seen in the light of the intend of the owner of the computer system; without considerating the means used to acquire the access.

real estate rental not based on contract law

dkite — Fri, 23 May 2003 00:39:01 +0000

Fascinating. I didn't realize that.

The point I was trying to make was that the freedoms we have experienced with
an open internet will probably diminish over time. I've lived in this area since 1982,
and there were few no trespassing signs. Now they are all over, due to the
increase in traffic, increase in property values, etc. At one time you could walk
along the lakefront without any difficulty, now there are barriers put up to prevent
what used to be taken for granted.

I see the same trend on the internet. Not for good. Unfortunately, again as
paralleled in the 'real world', many of the barriers have been erected as a result of
abuse or lack of respect for other's property, or because there is high value tied to
some asset. Email if fantastic, but now laws are being written to make it less free
and accessible due to spammers abusing the freedom.

What concerns me most is the fact that anyone could inadvertently trespass and
be prosecuted, simply by linking, or viewing something. It all depends on the
owner and what they feel that day. Scary.

Derek

real estate rental not based on contract law

giraffedata — Thu, 22 May 2003 21:50:38 +0000

If I pay rent on a section of property, I can access it, and it would be a breach of contract to prevent access.

You have accidentally made an argument for the other side.

Throughout the western world, real estate rental is controlled by property law, not contract law. The tenant of real estate has the right to enter it as a matter of law -- it has nothing to do with an agreement he may have made with the landlord. People argue the same kind of thing should apply to computers.

On the other hand, most legal scholars think this aspect of real estate law, dating to before the middle ages, is obsolete, and in fact, rental agreements are now near universal and the law is changing to make them more and more significant all the time.

A better analogy for the idea of regulating computer access with contract law would be rental of a car or a boat.

For those of you interested in the legal trivia here -- in the middle ages, tenants usually did not have a rental agreement. They had a deed. The transition in the US happened some time in the late 19th century, but the property law basis of a tenancy is still clearly present.

Xbox owner automatically has right to access it?

giraffedata — Thu, 22 May 2003 21:37:41 +0000

I would consider system administrator rights to a system to be automatically assigned to any person purchasing or leasing the system hardware.

But would you consider those rights as to be non-negotiable? I.e. could you, with legal force, give up your right to access the system in certain ways in exchange for, say, a discount on the purchase? Or in exchange for the very purchase?

Many people hold that view. But I for one would strenuously object to such an assault on liberty, as well as the devaluing of a powerful bargaining tool of the consumer.

Letter to the editor: Legally Defining Access

copsewood — Thu, 22 May 2003 09:58:11 +0000

Whether circumventing an access control procedure is an offence depends upon whether the circumventer is authorised to access the resource or not. Picking the lock on my own house is not an offence if I have forgotten the key, but it is an offence if I pick the lock on someone else's house who hasn't invited me in. The fact that the lock is inherently pickable makes no difference to whether or not this is an offence. There seems to be less controversy about this principle concerning conventional cracking than in connection with DMCA type laws, as the view that maintenance of a computer system with a security weakness presents an open invitation is unlikely to be upheld by any court.

As I see it, DMCA or DeCSS type prosecutions should need to prove (in order for such laws to have any natural justice based on physical access precedents) that the intent of the person circumventing an access control procedure was to prepare to breach copyright or steal information, rather than to excercise fair use rights.

System administrators don't have absolute rights over a system which may contain many others' confidential email. Even if they have the technical ability to read it, this doesn't authorise them to do so.

Letter to the editor: Legally Defining Access

beejaybee — Thu, 22 May 2003 08:24:16 +0000

"The CPU is impartial...."

Not if it's been clobbered by introduction of measures designed to promote digital rights management.

I think most people would assume that an uninvited stranger inside their house was up to no good, even if they were responsible by omission in the sense that they forgot to lock _all_ the doors & windows. Granted "unauthorized entry" through an unlocked door is less serious than "unauthorized entry" obtained by e.g. demolishing a wall, you're still a victim if this happens to you.

So my definition of unauthorized entry to a computer system _would_ include use of a password not issued to you, exploiting a loophole in an access control system etc. as well as measures designed to disable an access contol system. The point is that the latter depend to a greater or lesser extent on an exploit of some kind.

My definition of unauthorized entry to a computer system would _not_ include _any_ attempt to gain entry to a system to which I have system administrator rights - even if I'm deliberately trying to find a method by which outsiders could obtain unauthorized access.

BTW I would consider system administrator rights to a system to be automatically assigned to any person purchasing or leasing the system hardware. In other words it would be legal for me to purchase an Xbox and use it to try to break into the code so that I could use the hardware for a purpose other than that intended by the manufacturer, or to develop, distribute or even sell a tool enabling other people to break into their own systems, but it would not be legal to attempt to break in to anyone else's Xbox for any reason whatsoever.

Letter to the editor: Legally Defining Access

dkite — Thu, 22 May 2003 02:25:18 +0000

If we compare digital access to physical access, what probably will come about is
a situation where improper access is what the owner decides.

For example, where I live there are No Trespassing signs on most drives off the
main highway. In most cases, it's an indication that, no it isn't a mountain road, it's
a driveway. It is up to the landowner to prosecute trespassing as they see fit.

What if I intend to engage in otherwise constitutionally protected activities, such
as political discourse, or religious? If the land owner decides to prosecute, tough
luck.

So if a site decides that 'deep linking' is improper, could that be the same as
trespass? They are saying that you can access my property only under certain
conditions. Or one day it's ok, the next it isn't because they got slashdotted. Or, if
a site says that viewing with a web browser is ok, but crawling or port scanning
isn't. Would that be the same as a no trespassing sign?

What if there isn't a gate? It still is trespassing. What if there is a flaw in software
that permits easy access. What is the difference?

If I pay rent on a section of property, I can access it, and it would be a breach of
contract to prevent access. Again, contract law would apply to services we use on
the internet.

I know this doesn't clarify anything. Actually, it makes it more complicated, as real
life can be. One thing for sure, good neighborly behavior and respect for other's
property tend to make access easier. People don't mind if you cut through their
property as long as you close the gate, and don't do it too often. And you stop to
inquire about their health and family on the way by. And you ask permission.

Bad behavior does the exact opposite.

Derek