;login: The Magazine of USENIX & SAGE

politeness in computing

Does Saying "Please Log In" Give Anyone and Everyone the Right to Be in Your System?

by John Nicholson

John Nicholson is an attorney in the Technology Group of the firm of Shaw Pittman in Washington, D.C. He focuses on technology outsourcing, application development and system implementation, and other technology issues.


Welcome to the first of what I hope will be a series addressing legal issues facing system administrators and the technical community in general.[1] Future columns will deal with free speech, privacy, and censorship; intellectual property; export issues; policies and procedures and how they relate to system administrator liability; computer crime; and other issues or situations that you raise. If you have questions about a particular issue facing you, or comments on a particular column, please feel free to send them to me.

This column addresses one of the great debates in system administration — whether you can prosecute someone for cracking your system if it says "Please log in" at the prompt. After all, if it says "Please log in" and someone does that, whether authorized or not, that person has only done what you asked, right?

Dealing with the law is a lot like dealing with computer systems — law has its own language, areas of specialization with specific rules (which can sometimes interact in very strange, unexpected, and counterintuitive ways), and processes and procedures. Just as with technology, once you understand how the law works, you can apply that knowledge and understanding to new situations.

Like computer systems, law is built on the structure of history. In law, that structure is the laws that have been passed by Congress or the states and the decisions made by courts — some dating as far back as colonial or Roman times.

When a U.S. court is faced with a particular issue, the first question the judge (or judges) will ask is whether or not there is a U.S. federal or state law addressing the issue. If there is such a law, then the judge will look to see if a higher court that is directly in line above that court has interpreted how the law applies to the issue. For example, if you are in a U.S. district court, then the judge will look at decisions made by the circuit court that is directly above that district court, as well as to the U.S. Supreme Court. If one of those two courts has ruled on the issue, then that is considered a binding precedent to which the lower court will defer.

If there is no similar decision from a higher court directly in line above that lower court, then the lower court will look to decisions made by other higher courts and other courts at the same level as the deciding court. For example, a district court will look for rulings from other U.S. circuit courts and other U.S. district courts.

If there is no specific law on the subject, the judge will follow the same procedure as above, looking at decisions of other courts. This is the analysis in which the decisions from English, colonial, and even Roman courts can come into play. A great deal of U.S. property law, for example, is based on what is called the "common law" established by English courts before the U.S. declared its independence. This is important because if there is no binding precedent, as is often the case with the technology arena, courts will frequently look to analogous areas of the law, public-policy considerations, and common sense to determine an appropriate course.

At this point, you may be wondering when I'm going to answer the question I've posed; but understanding how the different components of a system interact is the key to understanding the answer.

To analyze this question, we first look to see if there is any federal or state law addressing it. The Federal Computer Fraud and Abuse Act (CFAA)[2] states

Whoever . . . (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; . . . shall be punished as provided in subsection (c) of this section.[3]

Section 1030 of the CFAA defines a "protected computer" as

a computer (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in interstate or foreign commerce or communications

and defines "damage" as

any impairment to the integrity or availability of data, a program, a system, or information, that (A) causes loss aggregating at least $5,000 in value during any 1 year period to one or more individuals;[4] (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety.

For the purposes of this article, importantly, the Act does not discuss whether the login prompt of a system has warnings about accessing the system or just says "Please log in." The law merely says "without authorization." So, the question remains: does saying "Please log in" automatically authorize anyone to be in your system?

Since the relevant federal law covers virtually every computer but does not specifically address the issue, I will focus on court decisions interpreting the Act rather than look for state statutes.[5] Since this is a hypothetical case, and the federal district or state is indefinite, I will look at decisions from all federal courts.

In the case of U.S. v. Sablan,[6] Sablan had recently been fired from the Bank of Hawaii's Agana, Guam, branch for circumventing security procedures in retrieving files. Sablan left a bar where she had been drinking with a friend and entered the closed bank through an unlocked loading-dock door. She went to her former work site (using a key she had kept) and used an old password to log into the bank's mainframe. Sablan contended that she then called up several computer files and logged off. The government asserted that Sablan changed several of the files and deleted others. Under either party's version of the story, Sablan's actions severely damaged several bank files.

Sablan was convicted of violating §1030 of the CFAA at trial; on appeal, Sablan argued that she did not intend to damage the bank's files, and that §1030 required that she have such an intention. The court held that the intention requirement in the act required only that the unauthorized user intend to gain access to the system, not that the user intend to cause damage. Nowhere in the analysis of the case did the court focus on whether the bank's system had a warning on it or the invitation "Please log in."

In the case of U.S. v. Czubinski,[7] Czubinski was an employee of the IRS who, as part of his job, routinely accessed information about taxpayers from one of the IRS databases. Using a valid userid and password, Czubinski was able to access income-tax-return information for virtually any taxpayer. IRS Rules of Conduct specified that employees could not use any IRS computer system for other than official purposes. Czubinski, solely out of curiosity, conducted searches and browsed files online that were not related to his job. Czubinski was prosecuted for violating §1030. At trial, Czubinski did not argue that he was authorized to view the files, and the issue of whether the login prompt said "Please log in" or not was not raised. Czubinski was acquitted, however, because he merely looked at the files and did not do any damage, disclose the information that he found, or "obtain anything of value."[8]

Neither the law nor the courts appear to address directly the question of whether the prompt saying "Please log in" automatically authorizes a hacker (or other undesired user) to be in the system. Indirectly, however, the courts have provided two examples of an "unauthorized user," and these examples make intuitive sense. Both Sablan and Czubinski were unauthorized users because the owners of the computers said they were, and neither could have reasonably argued that they did not intend to get into a system they knew they were not supposed to access.

To see why this makes such intuitive sense, let's look to an analogous area of the law, property law, to see if we can analogize someone unauthorized getting into a network to situations in the real world. Let's say your system is your house, the login prompt is the front door, the userid (or other authentication device) is the equivalent of looking through the peephole to see who's at the door, and the password is the key. Assuming your network has a prompt that says "Please log in," is there a real-world equivalent and should it make a difference to whether or not you can prosecute an unauthorized user?

Scenario 1
Suppose that you are home for the evening and lock the door to your house. Suddenly you hear the lock turn and a complete stranger who has picked the lock comes in. Is that person committing a crime even if you have a "Welcome" mat down on the front porch? Of course — she is guilty of breaking and entering and trespassing. The "Welcome" mat is not considered a blanket invitation to everyone to come into your house. By analogy, if someone comes to the door of your network and hacks in, that person is not welcome, even if the login prompt says "Please log in." The logic here is relatively simple — the "Welcome" mat (or "Please log in") invitation applies only to those people you actually want to be there. The invitation to "Please log in" is an invitation for the person at the door to prove his identity (userid or other authentication device) and use his "key" (password) to open the door.

Scenario 2 (Modified Czubinski Scenario)
Since Scenario 1 seems obvious, let's make it a little more questionable. You still have the "Welcome" mat on your front porch. Suppose a friend needs to pick something up at your house. You give your friend a key to your house and tell your friend that what he needs will be on the dining room table. Your friend goes to your house, walks in, and, in addition to picking up what he was supposed to, your friend goes exploring through the house, sees some money in the bedroom, and takes it. Has your friend committed a crime, despite the fact that you gave him a key? Yes. You authorized your friend to enter your house to perform a specific activity. Your friend exceeded the rights that you had granted and took property he was not allowed to take.

In this case, as in Czubinski, you knew the identity of the person going into your house (the userid), he had the right key (password), and he was there with your permission. But, your friend exceeded the rights that he had been granted. Where Czubinski merely looked, your friend took something of value. In property law as well as under §1030, your friend has committed a crime.

Scenario 2a
Say that in Scenario 2 your friend, instead of stealing money, goes exploring through your house. While in the bedroom, he knocks a valuable vase off the dresser, shattering the vase. Is your friend liable for the vase? Under property law and the logic of §1030, probably. Your friend was not authorized to be in the bedroom, and he intended to go somewhere that he was not authorized to go, so he is still liable for any damage he causes.

Scenario 3 (The Sablan Scenario)
Your significant other has a key to your house. When you break up, your ex keeps the key. (You still have the "Welcome" mat on your front porch.) After spending a night drinking, your ex comes over to your house, uses the key, and either intentionally (the prosecution's story) or accidentally (Sablan's story) breaks something. Under the logic of §1030, your ex intended to enter your house without authorization, and is liable for any damage she does while in there, regardless of whether it was intentional or not. Even if your ex does no damage, she is still trespassing, because you have revoked her authorization to be there.

Conclusion
Section 1030 of Title 18 of the U.S. Code criminalizes unauthorized access to a computer system and intentional damage to a computer system by an authorized user where the computer system is used in interstate or foreign commerce or communications. Neither the statute nor the cases specify whether saying "Please log in" at the prompt automatically authorizes any person to access your system. Because neither focuses on the issue, we might assume that the answer to the question seemed obvious at the time — that the system owner gets to define who is authorized and who is not. (But we all know what happens to those who assume, especially when it comes to politicians and technology.) However, in this case, the assumption is probably valid. Looking at the way another area of the law deals with analogous situations, and applying common sense, we can say that saying "Please log in" should not grant anyone the right to access your system, just as placing a "Welcome" mat outside your door does not give anyone the right to enter your house.

NOTES
[1] This article provides general information and represents the author's views. It does not constitute legal advice and should not be used or taken as legal advice relating to any specific situation.

[2] 18 U.S.C. §1030.

[3] 18 U.S.C. §1030(a)(5).

[4] The law does not specify how to calculate the damage caused. It is easy to see how virtually any intrusion can cause a loss of more than $5,000 when the cost of your time and any consultant's time spent dealing with the problem is factored in.

[5] The federal law covers any computer used in interstate or foreign commerce (which covers virtually any workstation, server, or mainframe at a business) or communications (which covers virtually every other computer). Since the federal law covers virtually every computer, it's the minimum standard that would be used to prosecute any hacker. Individual states might enact tougher laws, but using state laws in cyberspace involves tricky issues of location. Realistically, for a state law to be used, both the hacked computer and the hacker have to be in the same state.

[6] 92 F.3d 865 (9th Cir. 1996).

[7] 106 F.3d 1069 (1st Cir. 1997).

[8] Id. at 1078.

Last changed: 13 Apr. 2000 mc