Computer Crime Laws Chill Discovery of Customer Privacy Threats
Have you ever wanted to test whether an e-commerce website is keeping your data secure? The federal Computer Fraud and Abuse Act -- and state statutes modeled on that law -- are so overbroad and vague that your curiosity could get you in deep legal water. When you access your account with an online retailer, the URL often contains a series of numbers. What if those numbers, instead of being randomly generated, appear to be unencrypted personal information, like the last four digits of your credit card, or your California Bar number? What would happen if you edited the URL to contain a different credit card or Bar number? Perhaps it would give you access to someone else's account. That's something you'd want to know because it means your information is also unsecured and the company has something important to fix.
You'd better think twice before testing your theory. Federal and state laws that criminalize unauthorized access to computers also hobble the rights of customers and security experts to use their own browsers to test whether a computer server adequately protects their data from thieves and fraudsters. This is true even if you don't damage, delete, alter or change anything and are acting solely with the intent to protect yourself and others. Under the Computer Fraud and Abuse Act, codified at 18 U.S.C. 1030, obtaining any information from a simple unauthorized access is a misdemeanor punishable by up to a year in jail, while the existence of other factors (such as causing damage or taking medical information) may make such access a felony. 18 U.S.C. 1030(a)(2)(c), (c)(2)(a). California's computer crime law (Penal Code section 502) also prohibits a number of unauthorized activities with computers and computer networks. Merely accessing a computer system without permission is an infraction under California law. (c)(7), (d)(3).
The problem is that the definition of authorization or permission in computer crime law is both uncertain and narrow. We lack advance permission for almost everything we do on the Internet. Instead, authorization is implied from the circumstances. But while we have hundreds of years of jurisprudence to figure out what happens when particulate matter from a coal mining operation on one parcel floats over to another, or what happens when neighbors are annoyed by the next-door mink farm (apparently, the minks are stinky and loud), we don't have that understanding on the web, where the only things transferred are bits and bytes of data. Courts have reacted to this uncertainty in a knee-jerk fashion by finding that anything the owner of the web server has prohibited, or even which the user could have known he wouldn't like, is not authorized. In effect, this means that to prove lack of authorization, the prosecutor can trot the website owner into court and simply ask "Did you give this person permission to change the customer ID number in the URL and test whether that revealed personal information?" If the answer is "no", the access was unauthorized.
Making a server owner's subjective preference with regard to uses of Internet-connected computers the dividing line between legal and illegal behavior is a real problem. Even if you don’t circumvent any security measures, if you access a web server to test whether your account information or unencrypted passwords are available to hackers, or to download potentially embarrassing recorded comments by the Governor, or to get price information so that your company can market competitive products and services, you could be breaking the law.
Which leaves us with prosecutorial discretion. Not all web activities that technically violate the law are prosecuted. In fact, federal prosecutors will rarely if ever file only misdemeanor charges, and state prosecutors do not pursue such infractions. This doesn't mean there's nothing to worry about, however. When criminal laws are so broad, then anyone may be prosecuted if he or she strikes the authorities the wrong way. That's the current situation, and it has led to overreaching based on distaste for the defendant, not the illegality of his act. Federal prosecutors in Los Angeles put a man in prison for 16 months merely because he sent emails warning customers that their webmail service was insecure. The defendant's intentions had to be bad, argued the prosecutor, because the man was wearing a DEFCON t-shirt at the time of his arrest. Lori Drew, the Missouri mother involved in events on MySpace that drove her young neighbor to suicide, is being prosecuted by that same United States Attorney's Office for violating community norms enumerated in the social network's terms of service. "Hackers" or other perceived troublemakers face penalties while "security researchers" and "academics" are left alone for the same conduct, the difference being whether you wear a black t-shirt, a blue button-down, or patches on the elbows.
We need a new paradigm for computer crime law. Former federal prosecutor Orin Kerr, now a law professor at George Washington University, has proposed that courts reject both implied and contract-based notions of authorization and limit the scope of unauthorized access statutes to cases involving the circumvention of code-based restrictions. This proposal solves some, though not all, of the problems with the current statutes. We need more academics, lawyers, and technologists thinking about how to enable users to explore how webservers store their information without opening that information up to attackers who intend to invade privacy or misuse data for their own economic gain.