[ISN] Spot a Bug, Go to Jail

InfoSec News isn at c4i.org
Thu May 11 05:22:03 EDT 2006


http://www.wired.com/news/columns/circuitcourt/0,70857-0.html
 
By Jennifer Granick
May, 10, 2006

A new federal prosecution again raises the issue of whether computer
security experts must fear prison time for investigating and reporting
vulnerabilities.

On April 28, 2006, Eric McCarty was arraigned in U.S. District Court
in Los Angeles. McCarty is a professional computer security consultant
who noticed that there was a problem with the way the University of
Southern California had constructed its web page for online
applications. A database programming error allowed outsiders to obtain
applicants' personal information, including Social Security numbers.

For proof, the man copied seven applicants' personal records and
anonymously sent them to a reporter for SecurityFocus. The journalist
notified the school, the school fixed the problem, and the reporter
wrote an article about it.

The incident might have ended there, but didn't.

The school went through its server logs and easily traced the activity
back to McCarty, who had made no attempt to hide his tracks. The FBI
interviewed McCarty, who explained everything to the agents. Then the
U.S. Attorney's Office in Los Angeles charged the security expert with
violating 18 U.S.C. 1030, the federal computer crime law.

Will they ever learn? In 2002, the U.S. Attorney in Texas charged
Stefan Puffer with violating section 1030 after Puffer demonstrated to
the Harris County District Court clerk that the court's wireless
network was readily accessible to attackers. The prosecution claimed
that Puffer, a security consultant, unlawfully accessed the system.
Puffer argued that he was trying to help the county. A jury acquitted
Puffer in about 15 minutes.

In 2004, Bret McDanel was convicted of violating section 1030 when he
e-mailed truthful information about a security problem to the
customers of his former employer. The prosecution argued that McDanel
had accessed the company e-mail server by sending the messages, and
that the access was unauthorized within the meaning of the law because
the company didn't want this information distributed. They even
claimed the integrity of the system was impaired because a lot more
people (customers) now knew that the system was insecure.

Notwithstanding the First Amendment's free speech guarantees, the
trial judge convicted and sentenced McDanel to 16 months in prison. I
represented him on appeal, and argued that reporting on security flaws
doesn't impair the integrity of computer systems. In an extremely
unusual turn of events, the prosecution did not defend its actions,
but voluntarily moved to vacate the conviction.

The McCarty prosecution, brought by the same office that so
egregiously mishandled the McDanel incident, is in the same vein. As
with Puffer and McDanel, the government will have to prove not only
that McCarty accessed the school system without authorization, but
also that he had some kind of criminal intent.

Likely, they will point to the fact that McCarty copied some applicant
records. "It wasn't that he could access the database and showed that
it could be bypassed," Michael Zweiback, an assistant attorney for the
Department of Justice's cybercrime and intellectual property crimes
section, told the SecurityFocus reporter. "He went beyond that and
gained additional information regarding the personal records of the
applicant."

But if he wanted to reveal USC's security gaffe, it's not clear what
else he could have done. He had to get a sampling of the exposed
records to prove that his claims were true. SecurityFocus reported
that USC administrators initially claimed that only two database
records were exposed, and only acknowledged that the entire database
was threatened after additional records were shown to them.

In any event, McCarty had arguably already done enough to get himself
prosecuted by this Justice Department.

The federal statute and copycat state laws prohibit accessing
computers or a computer system without authorization, or in excess of
authorization, and thereby obtaining information or causing damage.

What does it mean to access a networked computer? Any communication
with that computer -- even if it's simply one system asking another
"are you there?" -- transmits data to the other machine. The cases say
that e-mail, web surfing and port scanning all access computers. One
court has even held that when I send an e-mail, not only am I
accessing your e-mail server and your computer, but I'm also
"accessing" every computer in between that helps transmit my message.

That means the law frequently rests on the definition of
"authorization." Many cases suggest that if the owner doesn't want you
to use the system, for whatever reason, your use is unauthorized. In
one case I took on appeal, the trial court had held that searching for
airline fares on a publicly available, unprotected website was
unauthorized access because the airline had asked the searcher to
stop.

One Western District of Washington case, Shurgard Storage Ctrs., Inc.
v. Safeguard Self Storage, Inc., says that when a company employee
knows he is going to leave his position to go work for a competitor,
but continues to use his computer account and copy information there
for the purposes of aiding his new bosses, his access is unauthorized.
A federal court in Maryland went the other way in a case with similar
facts: In International Association of Machinists and Aerospace
Workers v. Werner-Matsuda, a union employee who accessed her computer
account for the purposes of helping a rival union recruit members did
not violate the law. The statute proscribes unauthorized access, not
authorized access for unwanted purposes, said the court.

What this means for McCarty is that there are ample legal reasons for
the prosecution to drop the charges against him. Yet, there are also
ample legal reasons why a security professional, upon finding a
database flaw, might worry that the find would bring criminal charges
rather than thanks.

This situation must change. People need to be able to exercise a
little bit of self-help before plugging their data into web forms, and
security professionals who happen upon vulnerabilities shouldn't have
to choose between leaving the system wide open to attack and
prosecution.

One solution might be to focus more heavily on whether the user has
criminal intent when accessing the system. Another might be to
criminalize specific activities on the computer, but not access to a
public system itself. A third might be to define unlawful access as
the circumvention of some kind of security measure. As we have more
cases like McCarty's, McDanel's and Puffer's, perhaps security
professionals will pressure state legislatures and Congress to improve
the computer crime laws.

-=-

Jennifer Granick is executive director of the Stanford Law School
Center for Internet and Society, and teaches the Cyberlaw Clinic.
 
© Copyright 2006, Lycos, Inc.





More information about the ISN mailing list