Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

A Radical Idea for Determining Authorized Access Under Federal Law

May 26, 2015

One of the chief criticisms of the Computer Fraud and Abuse Act, the federal anti-hacking statute, is that it's too vague. It bans unauthorized computer access, but offers scant guidance as to what "unauthorized" computer access actually means. The Christian Science Monitor (thanks Sean Harrington) carried an interesting story on this subject.

For instance, the Seventh Circuit Court of Appeals has ruled that someone could be found guilty of computer fraud for using a company computer against the interests of that business. In a different case, the Ninth Circuit ruled that the Seventh Circuit standard was overly broad.

Orin Kerr, a professor of law at George Washington University, has been a critic of the law's ambiguity. He holds the fairly radical notion that we should not define "unauthorized access" by law but rather that judges should rely on social norms to determine what should be considered computer trespass. His draft paper, titled "Norms of Computer Trespass", more fully articulates that position.

Mr. Kerr has represented defendants in computer trespass cases, including the appeal for Andrew 'weev' Auernheimer when Mr. Auernheimer downloaded thousands of AT&T customer e-mail addresses. The case was controversial, both because Auernheimer was a notorious Internet troll, and because the e-mail addresses were stored on sites that weren't password protected. The question became whether downloading information that's accessible to anyone with the Web address is really criminal hacking.

Kerr says that it isn't. In fact, he says, anything the public can see without entering a password should be fair game, because that's the standard he thinks most Internet users would apply.

We've seen versions of this in family law – husband takes a shower and leaves his smartphone (no PIN) on his bureau and wife reads steamy texts to his mistress. No problem – if she cracks or guesses a PIN, THAT is a problem. The texts were effectively "open." Another case: Husband shares his e-mail password with his wife and then leaves her – she uses the password to read his e-mails while they are separated. The judge finds that, though he is a moron for not changing his password, she should have known that she no longer had authorized access.

The trouble, as always, is that judges will have different concepts of "social norms" which will result in varying decisions. But that is no different from the present reality. Not sure Mr. Kerr's idea is a solution, but it is an interesting take on the problem.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson