December 22, 2024

Archives for May 2003

Kerr on Cybercrime Laws

Orin Kerr has written an.interesting paper, “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes,” in which he argues for a new way of understanding the prohibition, in the Computer Fraud and Abuse Act (CFAA) and other laws, on “access … without authorization” to a computer. It’s a long, dense law review article, but it’s definitely worth reading if you are interested in cybercrime law.

Both “access” and “authorization” turn out to be harder to interpret than one might think. Kerr argues convincingly that courts have interpreted these words inconsistently, and that the trend has been toward an overly broad interpretation that would effectively criminalize any violation of the Terms of Use of any online service. While such violations may be breaches of contract subject to civil lawsuit, it is unwise to criminalize every breach of contract. Criminal law is a sharp tool to be used only when necessary.

While he would narrow the interpretation of the CFAA, Kerr would not eliminate the CFAA entirely. He provides two main examples of the kind of acts he would still criminalize. The first example involves stealing or guessing a password to gain access to a password-protected service running on somebody else’s computer. More generally, he would ban any circumvention of an authentication mechanism used to control access to somebody else’s computer. The second example involves computer attacks that exploit a program bug (such as a buffer overflow) to seize control of a program running on somebody else’s computer.

Thus far, I was reasonably convinced by Kerr’s arguments. But now we come to the part that I found harder to swallow, in which he argues that “courts …should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.”

Talk of banning “circumvention” may raise ugly comparisons to the DMCA, but that’s a red herring. Kerr makes clear that he is talking only about code-based restrictions on access to other people’s computers. The egregious aspects of the DMCA, by contrast, are, first, that it allows someone to lock you out of parts of your own computer, and second, that it includes a broad ban on certain technologies. Kerr’s proposal suffers from neither of these flaws. While enshrining “circumvention” as a central concept in cybercrime law might be inconvenient rhetorically for DMCA opponents, it’s no problem substantively.

My skepticism about Kerr’s formulation is based instead on two issues. First, I suspect that “circumvention” may turn out to be just as slippery a term as “authorization.” Password-guessing is clearly circumvention, but that’s an easy case. When the facts are more complicated, judges will have a harder time figuring out what is circumvention and what is just clever action.

Here’s an example. Suppose you lock the front door of your house. If I pick the lock, that’s circumvention. But suppose I enter through the back door. Have I circumvented the front door lock? What if I crawl in an open window next to the front door? Is that a circumvention? “Circumvention,” like “authorization,”ends up entangled in a subtle calculus of expectations and social norms.

Kerr’s example of a buffer-overflow attack illustrates another problem with “circumvention.” Suppose that a bad guy sends your computer a sort of “ping of death” packet, and that because of a bug in your operating system, this packet allows him to seize control of your computer. What exactly is the “code-based restriction” that he has circumvented? You could argue that he has circumvented the absence of a method for controlling your machine from afar; but it seems like a stretch to claim that that absence is a “code-based restriction.”

What really happened in this example is that the bad guy exploited a difference between the way you thought your system worked, and the way it actually did work. This is a useful distinction that courts have recognized (as Kerr notes), but it doesn’t seem to fit neatly within Kerr’s framework.

My second objection to Kerr’s conclusion is more fundamental. Kerr’s strong argument for carefully tailored cybercrime law compels him to justify having a broader “circumvention” ban rather than a set of more narrow bans on specific actions, such as circumvention of certain authentication features. He does offer some justification, but I am not yet convinced. (It’s also worth noting that Kerr’s approach may be expedient, even if it’s not the best possible solution from a purely theoretical standpoint. For example, it may be easier to convince courts to adopt a “circumvention” interpretation of the CFAA than it would be to get either courts or Congress to rewrite cybercrime law around a family of narrower prohibitions.)

Finally, Kerr’s paper is a valuable reminder of how much we rely on the discretion of prosecutors and judges to make cybercrime law work. So far, this discretion has moderated the defects in current law, but that’s no excuse for complacency. We need to talk about what the law should be. Kerr’s paper is a valuable contribution to that discussion.

Super-DMCA Update (Texas)

The Texas version of the Super-DMCA has been passed by the relevant committees in both the state House and Senate. It will probably come to a vote in the Senate later this week. If you’re a Texas resident, this would be good time to contact your state senator!

iLoo: Joke, Blunder, or Both?

Business Week reports on the saga of iLoo, the Internet-enabled portable toilet announced last week by a British subsidiary of Microsoft. Microsoft is now claiming that this was just an April Fools’ joke, despite a body of evidence to the contrary.

The ordinary custom is to announce April Fools’ jokes on April 1. This one was announced on May 2. I know missed deadlines are a way of life in the software industry, but this is ridiculous.

You really should read the whole article. But if you can’t, here’s the end:

[An MSN UK spokesman] said that MSN UK, however, has engaged in pranks before. He noted that the group once announced that it had wired up a park bench for Internet access. He then corrected himself, stating that the bench, in fact, was a real demonstration.

New Media: Success or Failure?

Mary Hodder at bIPlog points to Steve Lohr’s odd piece, “New Media: Ready for the Dustbin of History?” in Sunday’s New York Times. Mary argues that Lohr’s thesis – that the Internet has failed, except as a vehicle for e-commerce – is bunk. I agree.

Lohr makes two errors. First, he mistakes the financial failure of dotcom startups for a lack of social impact. Yes, many people lost money when the dotcom bubble burst. But the Internet kept chugging along, and the pace of real innovation (as opposed to “let’s sell pet food on the Net” pseudo-innovation) didn’t change.

The airlines are a perfect illustration of this profit-as-social-impact fallacy. The airline business has been, at best, a break-even proposition over its entire history. Despite their lack of profitability, the airlines have given us (relatively) cheap and easy air travel, and transformed our lives.

Lohr’s second fallacy is mistake the bad forecasts of a few prognosticators for the failure of an industry. Some of the “new media” visionaries turned out to be wrong in their detailed visions, but that doesn’t mean that online media were irrelevant.

It’s hard to predict the future. We shouldn’t be too surprised that the vision of online magazine Slate, as forecast by editor Michael Kinsley in 1996, hasn’t completely come to pass. Despite its midcourse corrections, Slate has been a cultural success, earning a dedicated readership and publishing a lot of good writing.

Internet pioneers should remember that it’s not always easy being on the cutting edge. Sometimes you lose money. Sometimes you misjudge the future. Even so, you’re creating something that changes the world.

Declan on Spam

Don’t miss Declan McCullagh’s column this week, in which he offers a particularly astute view of how to address the spam problem. In a nutshell, he argues that we need to change the economic incentives for the spammers, and he discusses some practical ways to do that.