[Infowarrior] - Spot a Bug, Go to Jail
Richard Forno
rforno at infowarrior.org
Wed May 10 10:25:25 EDT 2006
Spot a Bug, Go to Jail
http://www.wired.com/news/columns/circuitcourt/1,70857-0.html
By Jennifer Granick
02:00 AM May 10, 2006
A new federal prosecution again raises the issue of whether computer
security experts must fear prison time for investigating and reporting
vulnerabilities.
On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los
Angeles. McCarty is a professional computer security consultant who noticed
that there was a problem with the way the University of Southern California
had constructed its web page for online applications. A database programming
error allowed outsiders to obtain applicants' personal information,
including Social Security numbers.
For proof, the man copied seven applicants' personal records and anonymously
sent them to a reporter for SecurityFocus. The journalist notified the
school, the school fixed the problem, and the reporter wrote an article
about it.
The incident might have ended there, but didn't.
The school went through its server logs and easily traced the activity back
to McCarty, who had made no attempt to hide his tracks. The FBI interviewed
McCarty, who explained everything to the agents. Then the U.S. Attorney's
Office in Los Angeles charged the security expert with violating 18 U.S.C.
1030, the federal computer crime law.
Will they ever learn? In 2002, the U.S. Attorney in Texas charged Stefan
Puffer with violating section 1030 after Puffer demonstrated to the Harris
County District Court clerk that the court's wireless network was readily
accessible to attackers. The prosecution claimed that Puffer, a security
consultant, unlawfully accessed the system. Puffer argued that he was trying
to help the county. A jury acquitted Puffer in about 15 minutes.
In 2004, Bret McDanel was convicted of violating section 1030 when he
e-mailed truthful information about a security problem to the customers of
his former employer. The prosecution argued that McDanel had accessed the
company e-mail server by sending the messages, and that the access was
unauthorized within the meaning of the law because the company didn't want
this information distributed. They even claimed the integrity of the system
was impaired because a lot more people (customers) now knew that the system
was insecure.
Notwithstanding the First Amendment's free speech guarantees, the trial
judge convicted and sentenced McDanel to 16 months in prison. I represented
him on appeal, and argued that reporting on security flaws doesn't impair
the integrity of computer systems. In an extremely unusual turn of events,
the prosecution did not defend its actions, but voluntarily moved to vacate
the conviction.
The McCarty prosecution, brought by the same office that so egregiously
mishandled the McDanel incident, is in the same vein. As with Puffer and
McDanel, the government will have to prove not only that McCarty accessed
the school system without authorization, but also that he had some kind of
criminal intent.
Likely, they will point to the fact that McCarty copied some applicant
records. "It wasn't that he could access the database and showed that it
could be bypassed," Michael Zweiback, an assistant attorney for the
Department of Justice's cybercrime and intellectual property crimes section,
told the SecurityFocus reporter. "He went beyond that and gained additional
information regarding the personal records of the applicant."
But if he wanted to reveal USC's security gaffe, it's not clear what else he
could have done. He had to get a sampling of the exposed records to prove
that his claims were true. SecurityFocus reported that USC administrators
initially claimed that only two database records were exposed, and only
acknowledged that the entire database was threatened after additional
records were shown to them.
In any event, McCarty had arguably already done enough to get himself
prosecuted by this Justice Department.
The federal statute and copycat state laws prohibit accessing computers or a
computer system without authorization, or in excess of authorization, and
thereby obtaining information or causing damage.
What does it mean to access a networked computer? Any communication with
that computer -- even if it's simply one system asking another "are you
there?" -- transmits data to the other machine. The cases say that e-mail,
web surfing and port scanning all access computers. One court has even held
that when I send an e-mail, not only am I accessing your e-mail server and
your computer, but I'm also "accessing" every computer in between that helps
transmit my message.
That means the law frequently rests on the definition of "authorization."
Many cases suggest that if the owner doesn't want you to use the system, for
whatever reason, your use is unauthorized. In one case I took on appeal, the
trial court had held that searching for airline fares on a publicly
available, unprotected website was unauthorized access because the airline
had asked the searcher to stop.
One Western District of Washington case, Shurgard Storage Ctrs., Inc. v.
Safeguard Self Storage, Inc., says that when a company employee knows he is
going to leave his position to go work for a competitor, but continues to
use his computer account and copy information there for the purposes of
aiding his new bosses, his access is unauthorized. A federal court in
Maryland went the other way in a case with similar facts: In International
Association of Machinists and Aerospace Workers v. Werner-Matsuda, a union
employee who accessed her computer account for the purposes of helping a
rival union recruit members did not violate the law. The statute proscribes
unauthorized access, not authorized access for unwanted purposes, said the
court.
What this means for McCarty is that there are ample legal reasons for the
prosecution to drop the charges against him. Yet, there are also ample legal
reasons why a security professional, upon finding a database flaw, might
worry that the find would bring criminal charges rather than thanks.
This situation must change. People need to be able to exercise a little bit
of self-help before plugging their data into web forms, and security
professionals who happen upon vulnerabilities shouldn't have to choose
between leaving the system wide open to attack and risking prosecution.
One solution might be to focus more heavily on whether the user has criminal
intent when accessing the system. Another might be to criminalize specific
activities on the computer, but not access to a public system itself. A
third might be to define unlawful access as the circumvention of some kind
of security measure. As we have more cases like McCarty's, McDanel's and
Puffer's, perhaps security professionals will pressure state legislatures
and Congress to improve the computer crime laws.
- - -
Jennifer Granick is executive director of the Stanford Law School Center for
Internet and Society, and teaches the Cyberlaw Clinic.