Perhaps the most important rule for penetration testers and security researchers to understand is the prohibition against computer trespass.
There are both common law rules and statutes that prohibit computer trespass under certain circumstances. (Common law rules are laws that have developed over time and are made by judges, while statutes are written rules enacted by legislatures—both types of laws are equally powerful.) There are also Federal (U.S.) statutes and statutes in all 50 U.S. states that prohibit gaining access to computers or computer networks without authorization or without permission.
Many people informally call this trespassing hacking into a computer. While hacking has come to mean breaking into computers, the term clouds the legal and ethical complexities of laws that govern use of computers. Some hacking is legal and valuable, some is illegal and destructive. For this reason, this chapter uses the terms computer trespass and trespasser or unauthorized access and attacker to demarcate the difference between legal and illegal hacking.
All statutes that prohibit computer trespass have two essential parts, both of which must be true for the user to have acted illegally. First, the user must access or use the computer. Second, the access or use must be without permission. The federal statute has an additional element of damage. Damage includes nonmonetary harm such as altering medical records or interfering with the operation of a computer system used for the administration of justice. Damage also includes causing loss aggregating at least $5,000 during any one-year period.[1] In practice, plaintiffs do not have much trouble proving damage because most investigations of a computer intrusion will cost more than $5,000 in labor and time.[2]
Some state statutes define criminal behavior, which means that the attacker can be charged with an offense by the government and, if found guilty, incarcerated. Some state statutes and the federal law define both a crime and a civil cause of action, for which the owner of the computer system could sue the attacker for money.
Pen testers and security researchers discover ways to gain access to computers without authorization. Learning how to get access isn't illegal, but using that information might be. Whether a particular technique is illegal depends on the meaning of access and authorization. For example, let's pose two not-so-hypothetical instances:
A maker of electronic voting machines has left source code for the machines on an anonymous FTP server. I believe the company may have done so inadvertently, but I want to analyze the source code for security flaws. May I download it?
I am the system administrator of a network under attack from zombie machines infected by the Code Red worm. I want to use a tool that will stop the zombies by installing code on them by exploiting the same vulnerability used by Code Red to infect. May I use this tool?
The concept of unauthorized access appears to be deceptively simple. In the real world, shared social values and understandings of property make it relatively clear when someone is trespassing upon the land or property of another. But even here, the trespass rule isn't a bright line. You can go on someone's property to ring the doorbell. It may be acceptable to cut through private property to get to the beach. If a store is open, you can enter even if you don't see a salesclerk inside. When we were kids, we played in all the neighbors' yards, even if they didn't have children themselves. These social conventions have evolved over time, and people tend to understand them, though there are still areas of disagreement.
Computers are much newer than land, and we have less history and less shared understandings about our rights and responsibilities with regards to networked machines. What does it mean to access or use a computer? Is port scanning access or use? What about sending email, visiting, or having someone visit my web page? Metaphorically, you send email to another person's machine, but we would not say that setting up a web page gains access to visitors' machines. Technically, in each case, two networked machines exchange electrons. Is either, or are both, accessing computers?
The law has taken an expansive view of access, one based on the physical exchange of electrons and the uses of computing cycles. Essentially, every use of a networked computer is access. Cases say accessing computers includes:
Because basically every communication with a networked computer is access, the dividing line between legal and illegal behavior is whether the user has permission or authorization.
Some statutes use the word authorization, others use permission. The idea is that access without permission is improper and therefore should be illegal.
Obviously, we rarely get explicit permission to use a networked computer. Usually, we assume we have permission—otherwise, why would the machine be on a network? However, there are times when files are physically accessible but other circumstances suggest that the owner does not want people to look at them. There are times when we stumble upon something we think the owner would rather we didn't have; for example, candid audio recordings of the governor talking about his ideas on immigration policy, a misplaced password file, or the source code for controversial electronic voting machines. Do we always assume that a user has permission to access unless the owner specifies otherwise? Should we assume that users do not have permission unless the owner clearly states that they do? Or is there some middle ground?
The law has tried to distinguish between situations where users can assume permission and ones where otherwise accessible files remain off limits. Files that are password-protected are off limits, even if someone with an account allows you to use their information to log on.[3] A former employee who signs a noncompete agreement cannot access the company web site to do price research for his new employer.[4] If the owner decides that a user should not be searching the site and sues, that alone is proof that the user did not have permission.[5] An employee who knows he is leaving the business cannot access customer lists for the purposes of taking that information to his new employer.[6] However, a union organizer can access membership rolls to bring that information to a rival union.[7]
Even lawyers find these rules confusing, contradictory, and unworkable. Bright-line rules are clear but are inevitably either under- or over-protective. More flexible standards get the answer right when the cases fall in a grey area, but make it difficult to predict what the legal outcome will be. Computer trespass law seems to have the worst of both worlds.
One problem is that it is hard to define when access is acceptable and when it is not. Another problem may be with the fundamental idea that computer access should be controlled by the owner's personal preferences, particularly if the owner is not willing to invest in security measures to protect its information or system. Consider this hypothetical example:
I have a web site that talks about my illegal sales of narcotics. When you visit my site, there's a banner that says you may only visit this site if you are not a cop. If law enforcement visits, have they violated the law because they accessed my web site without my permission?
Real-world examples abound: unsecured machines store the code for flawed electronic voting machines; or documents showing cigarette companies were aware of and took advantage of the addictive effects of nicotine; or files proving that the telephone company is giving customer calling records and copies of sent email to the government for warrant-less surveillance. Owners may not want us to have this information, but does that mean the law should make it off-limits?
There are also common law rules that prohibit computer trespass. At common law, there was a tort called trespass to chattel. (A tort is a civil wrong, for which you can be sued. A chattel is an item of personal property, like a car or an ox.) The rule was that if you take someone else's personal property, or use it in such a way that the owner's control and enjoyment over that item is diminished, you could be sued for trespass to chattels.
The trespass to chattels tort fell out of use for several decades, until spam came along. Enterprising lawyers decided to reinvigorate the tort to attack spam, arguing that unwanted bulk email interfered with ISPs right to control their computer servers. These claims were basically successful, until the case of Intel v. Hamidi.[8] In that case, Mr. Hamidi wanted to send email to current Intel employees complaining about the company's labor policies. Intel tried to block Hamidi's emails, and when he circumvented their efforts, they sued him in California, claiming that by sending the email he was trespassing on their computer system. The California Supreme Court ultimately rejected that claim, holding that in California, the tort required the plaintiff to show some harm to the chattel, and Intel failed to show that Hamidi's emails harmed their computer system in any noticeable way. They only showed that his emails were distracting to employees and system administrators.
The lesson from Hamidi is that common law, like the federal statute, requires some kind of harm to the computer system or to some government interests. Remember, though, that state statutes are rarely so limited. Under most state statutes, the plaintiff need not show any damage, only unauthorized access or use. Many state statutes allow both civil and criminal claims. Even if you are certain that your use of a networked computer isn't going to do any harm to the computer system or to data stored there, in theory, you might still cross the legal line in your state or in the state in which the target computer is located.
You are a system administrator for a university. Your network is getting bombarded with traffic from zombie computers infected with a computer virus. There is software on the market that you can use to stop the attack. The software will infiltrate the zombie machines through the same vulnerability that allowed the virus to infect them. It will then install code on the zombies that will stop the attack. Is it legal to use this "active defense" tool to protect your system?
Let's look at U.S. Federal law. Section 1030 prohibits the intentional transmission without authorization of a software program that causes damage to a computer used in interstate commerce. You would intentionally use the active defense software against the zombies. Code would then be placed on the zombie machines without the owners' permission. Damage means any impairment to the integrity of a computer system. Integrity is implicated when the system is altered in any way, even if no data is taken. To sue, a plaintiff would need $5,000 in damage. Damage costs can include the cost of investigation and of returning the system to its condition prior to the attack.
If I owned a zombie machine affected by your active defense program, I'd have the basic elements of a legal claim. I might not sue, of course. There may not be enough money at stake, I may not be able to prove that you were the cause of harm, instead of the virus or some other contaminant. Probably no prosecutor would be interested in a case like this. But active defense arguably crosses the legal line.
There are some legal defenses you could raise. The common law recognizes necessity and self-defense as excuses for otherwise illegal behavior. Both defenses are pretty narrow. You have to show that you had no other option, and that your response was proportionate to the harm being done to you and did no more harm than necessary.
There have never been any cases analyzing the legality of active defense-type programs or of the applicability of these defenses to computer security practices. This example is not intended to scare network administrators away from using active defense. I use this to illustrate that the law of computer trespass is broad and covers a lot of behavior you might otherwise think is legitimate. Perhaps no one will ever sue over active defense, and society and the courts will come to accept it as perfectly legitimate. The point the reader should be able to identify is that it is possible to make a logical argument that active defense violates the law. This risk is one that sys admins must take into account.
Despite this gloomy view of the functionality of the computer trespass law, there are ways that you can greatly reduce the chances of getting sued or worse:
Get permission first.
Do research on your own machines.
Don't cause harm to a victim.
Report findings directly to the system administrator or vendor.
Don't ask for money for your findings.
Report to people likely to fix it or heed the information, not to people likely to misuse it.
Remember, the litmus test in computer trespass is that the user does not have authorization or permission. Before you pen test or do research, get permission. Get it in writing. The more detailed the permission, the less there is to fight about later on. The permission can list the tasks you'll perform and the machines on which you'll perform them.
If you can't get permission to test on someone else's machine, do the research on your own machines. Then you can give yourself permission.
For those times when you are not going to be able to get permission from the owner of the computer you must access, you will do better if you do not take any actions to harm the interests of the computer owner beyond the mere trespass. While state law may not require proof of damage, prosecutors, judges, and juries are influenced by whether they think the user was a good guy or a bad guy.
For example, in 1997, I represented a young man who was learning about computer security and wanted to test whether his ISP's web site had a popular misconfiguration that allowed access to the encrypted password file. He typed in the URL where the password file was often improperly stored and found the file. Technically, that completed the crime. He accessed the password file and he did not have permission to do so. I doubt than any federal prosecutor would have been very interested in the case at this point.
What happened next was that my client ran a password-cracking tool against the file and distributed the cracked username and password pairs over an open IRC channel. The ISP did not like this and neither did the FBI investigators or the Department of Justice. In my opinion, my client would not have been charged if he had not distributed the cracked passwords to the public in the chat room. Doing so is not an element of the crime. However, it did make my client look like a bad guy, out to hurt the ISP.
In reality, the perceived ethics of the user (perceived by a jury or a judge) affect whether he will be charged and convicted. For example, in 2002, the U.S. Attorney in Texas charged Stefan Puffer with violating federal law after Puffer demonstrated to the Harris County District Court clerk that the court's wireless system was readily accessible to attackers. A jury acquitted Stefan Puffer in about 15 minutes. One juror said she believed that Puffer intended to improve the court's wireless security, not to cause damage. In another case, in 2006, the Los Angeles United States Attorney's Office criminally charged a man who found a database programming error in a University of Southern California online application web site, and then copied seven applicants' personal records and anonymously sent them to a reporter to prove that the problem existed. The prosecutor said during a press conference that he didn't fault the man for accessing the database to test whether it was secure. "He went beyond that and gained additional information regarding the personal records of the applicant." The man eventually pled guilty.
These cases illustrate that the technical definitions of access and authorization matter less than doing what seems right. In today's computer trespass law, remember that ethics carries equal weight to written and common law: do not act to intentionally harm the interests of the computer owner, no matter how insecure the machine may be.
[1] See 18 U.S.C. 1030 for full text of the federal statute.
[2] For more on calculating loss in computer crime cases, see "Faking It: Calculating Loss in Computer Crime Cases," published in I/S: A Journal of Law and Policy for the Information Society, Cybersecurity, Volume 2, Issue 2 (2006), available at http://www.is-journal.org/v02i02/2isjlp207-granick.pdf.
[3] Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Cir. 2002).
[4] EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003).
[5] Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004).
[6] Shurgard Storage Centers Inc. v. Safeguard Self Storage Inc., 119 F.upp.2 1121 (W.D. Wash. 2000).
[7] Int'l Assoc. of Machinists and Aerospace Workers v. Werner-Matsuda, 390 F.Supp.2d 479 (D. Md. 2005).
[8] Intel v. Hamidi, 30 Cal.4th 1342 (2003).