[NTLUG:Discuss] OT: What constitutes unauthorized access?

David david at hayes-family.org
Sun Jun 22 11:01:38 CDT 2003


I am not your lawyer, nor am I taking clients at this time.  This is
not intended as legal advice, but just a general discussion of the
issues.  If you want legal advice specific to your situation, consult
with an attorney who understands technology.  If you wish, send me a
private email and I can refer you to counsel.

On Sat, Jun 21, 2003 at 11:00:40AM -0500, Richard Geoffrion wrote:
> If a service is started on a port and is accessible without a password..and
> that service is then put on the 'public' internet...is that an open
> invitation for public access?

Not entirely.  The public may have been granted implied permission to
access your system, but not for every conceivable purpose.  Intent
matters.  If you put up a walkway from the front of your property to
your front door, you've granted implicit permission for people to walk
up to your door.  

That permission doesn't encompass all purposes -- it's limited by the
reasonable sorts of uses you might have intended to permit.  The
postman has your implicit permission to walk up and deliver your mail,
as do random members of the public who might want to ask for
directions.  The neighborhood arsonist, with a Molotov cocktail in his
hand, does not benefit from your implied consent.

> Does someone have to NOTIFY you of their don't access beyond this point
> boundary?

Tradition and common practice tell us what you intended to permit.
In the front-door analogy, the commonly accepted uses are considered
permitted, but that's just an assumption that YOU in particular have
permitted them, because most people do.  You could be more explicit,
for example, posting a "No Solicitations" sign.

> How does that 'jive' with the idea of unauthorized access to my mail server
> for the expressed purpose of sending spam??  Are spammers trespassing into
> MY system by sending unauthorized spam?  Are spammers terrorists??

It's an evolving area, which means that it's hard to predict how a
court might rule.  The general consensus on the Net has clearly turned
against spam, but courts and lawmakers are sometimes technophobic, and
often woefully inexperienced with the Net.  Most of the original
members of the Congressional Internet Caucus had never personally sent
an email by the time they joined that group.

There have been cases where spammers have been held liable in civil cases
under trespass theories.  Making a criminal case would be harder,
because the rule in criminal cases is that only that which is
explicitly banned by the statute is covered.  (Civil cases often
proceed by a reasoned extension from existing principles.)  

There are criminal statutes covering computer misuse, and they are
often very broadly worded.  They cover such things as "unauthorized
access", which could be any sort of access, no matter how minor.  If
you're doing any sort of testing on another person's system, you would
do well to very clearly spell out what they authorize you to do.  Get
it in writing, up front.  

Are spammers terrorists?  The notion is ridiculous on its face, but
these days, so are some of the laws.  The USA PATRIOT Act expanded the
definition of terrorist to include computer hacking, so a prosecutor
with an excessive taste for publicity could well try to convict a
spammer under an anti-terror law.  Spam could be unauthorized access,
which could be terrorism.  Isn't the law wonderful?

> Where is the fine line between being a responsible net'citizen and accessing
> someone's computer in an effort to notify and help them protect their
> computing resources -vs- being classified as a trespasser and
> terrorist?

The courts haven't finished drawing that line yet.  I don't expect
they'll be done in my lifetime, even for current network technology.
And given that we technologists move much faster than legislators and
judges, I suspect that this sort of problem will be plaguing your
system-admin descendants for many generations to come.

-- 
David Hayes
david at hayes-family.org


