http://www.wired.com/news/columns/circuitcourt/0,70857-0.html

By Jennifer Granick
May 10, 2006

A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities.

On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it.

The incident might have ended there, but didn't. The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law.

Will they ever learn?

In 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating section 1030 after Puffer demonstrated to the Harris County District Court clerk that the court's wireless network was readily accessible to attackers. The prosecution claimed that Puffer, a security consultant, unlawfully accessed the system. Puffer argued that he was trying to help the county. A jury acquitted Puffer in about 15 minutes.

In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer.
The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.

Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.

The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent. Likely, they will point to the fact that McCarty copied some applicant records.

"It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. "He went beyond that and gained additional information regarding the personal records of the applicant."

But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.

In any event, McCarty had arguably already done enough to get himself prosecuted by this Justice Department.
The federal statute and copycat state laws prohibit accessing computers or a computer system without authorization, or in excess of authorization, and thereby obtaining information or causing damage.

What does it mean to access a networked computer? Any communication with that computer -- even if it's simply one system asking another "are you there?" -- transmits data to the other machine. The cases say that e-mail, web surfing and port scanning all access computers. One court has even held that when I send an e-mail, not only am I accessing your e-mail server and your computer, but I'm also "accessing" every computer in between that helps transmit my message.

That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.

One Western District of Washington case, Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., says that when a company employee knows he is going to leave his position to go work for a competitor, but continues to use his computer account and copy information there for the purposes of aiding his new bosses, his access is unauthorized. A federal court in Maryland went the other way in a case with similar facts: In International Association of Machinists and Aerospace Workers v. Werner-Matsuda, a union employee who accessed her computer account for the purposes of helping a rival union recruit members did not violate the law. The statute proscribes unauthorized access, not authorized access for unwanted purposes, said the court.

What this means for McCarty is that there are ample legal reasons for the prosecution to drop the charges against him.
Yet, there are also ample legal reasons why a security professional, upon finding a database flaw, might worry that the find would bring criminal charges rather than thanks.

This situation must change. People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution.

One solution might be to focus more heavily on whether the user has criminal intent when accessing the system. Another might be to criminalize specific activities on the computer, but not access to a public system itself. A third might be to define unlawful access as the circumvention of some kind of security measure.

As we have more cases like McCarty's, McDanel's and Puffer's, perhaps security professionals will pressure state legislatures and Congress to improve the computer crime laws.

-=-

Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.

© Copyright 2006, Lycos, Inc.