Modern field guide to security and privacy

Orin Kerr's radical idea for reforming anti-hacking laws

Law professor Orin Kerr argues that social norms are the best ways of determining what's 'authorized' and 'unauthorized' computer access, a critical component of the federal anti-hacking law that critics complain is too ambiguous.

Photo caption: A padlocked home in the Bronx, New York. Orin Kerr wants computer security law to be based in social norms, which in part might mean access would only be unauthorized when resolute security measures are in place. (Julie Jacobson / AP)

One of the chief criticisms of the Computer Fraud and Abuse Act, the federal anti-hacking statute, is that it's too vague. It bans unauthorized computer access, but gives little guidance as to what "unauthorized" computer access actually means.

For instance, the Seventh Circuit Court of Appeals has ruled that someone could be found guilty of computer fraud for using a company computer against the interests of that business. In a different case, the Ninth Circuit ruled that the Seventh Circuit standard was overly broad.

Orin Kerr has long been a critic of the law's ambiguity. But his solution isn't to change the statute to better define authorization; it is to not define it at all. Mr. Kerr, a professor of law at George Washington University, argues in a draft paper released last week titled "Norms of Computer Trespass" that judges should rely on social norms to determine what is and isn't commonly considered trespass.

Mr. Kerr has represented defendants in computer trespass cases, including the appeal of Andrew 'weev' Auernheimer, who was prosecuted after downloading thousands of AT&T customer e-mail addresses. The case was controversial, both because Auernheimer was a notorious Internet troll, and because the e-mail addresses were stored on sites that weren't password protected. The question became whether downloading information that's accessible to anyone with the Web address is really criminal hacking.

Kerr says that it isn't. In fact, he says, anything the public can see without entering a password should be fair game, because that's the standard he thinks most Internet users would apply. Passcode spoke with Kerr about authorization and social norms. Edited excerpts follow.

Passcode: Why is defining authorization such a problem?
Kerr: The problem is that the law says you can't access a computer without authorization, and it doesn't say what authorization means. So authorized in what way? By whom? And how? So, courts have really struggled because they don't have a framework from which to decide what counts as authorization.

An easy example is in terms of service, where you visit a website, and there's a strongly worded notice in the corner that says you're not allowed to visit this website. OK, so what do you do with that? You've got language that says one thing, but on the other hand the website is open. So is that authorization or not? It depends on whether you'd go with the words or whether you'd go with kind of the environment of the Internet. And so, the idea of this paper is that concepts of authorization boil down to social norms.

Passcode: An example you use throughout the paper is entering a house. 

Kerr: So let's say you could get in through somebody's chimney. No one would think, "Oh, the chimney's open. I'll just go in there." And how do you know that the chimney is out of bounds? It's because of our social experience that tells us that entering is through a door, not through a chimney. We don't have labels that say that. That's just our common experience. The tricky part is that you have to identify what are these norms. What are these social practices and understandings they govern? And it's tough for judges because the judges are not tech savvy, they don't use computers as much as a lot of other people do; so they're kind of in the position of the proverbial Martian from outer space trying to figure out if it would be okay to enter a house through a chimney.

Passcode: So, how should judges be defining the norms? 

Kerr: I think you need to classify the kind of virtual space. I think it's critical to realize that websites are different from authenticated accounts. A physical example of this would be, let's say you see a flower store and you want to go in and buy flowers. We think it’s OK to peer into the window, and see if there's anyone inside. And then you can try the handle of the door and open it, and if there's nobody inside you can walk around the store. That's all considered totally fine, it's what everybody does. But that would be clearly a trespass if you did it at somebody's private home. We have a totally different set of understanding of what a store is and what a house is.

And so, my argument is that we need to make the same kind of context-sensitive point on the Internet. Websites are intrinsically public. When you post something on a website, you publish it to the world and it's not a trespass to visit your website. On the other hand, once you set up individualized accounts, you’re creating a private space. I see that as really the dividing line between an open Internet and a closed Internet.

Passcode: In the paper, you apply that standard to well-known CFAA cases, including Andrew 'weev' Auernheimer taking data from a publicly visible website and Aaron Swartz possibly abusing the Massachusetts Institute of Technology network to download academic papers in bulk. And you come up with interesting results.

Kerr: I represented [Auernheimer] on appeal, so it will not be surprising I think that accessing a publicly available website is not unauthorized access and it was legal to visit the website.

With Aaron Swartz, once you have an account-based system, which the MIT network did, there’s a clear way that [the network owners] can withdraw access from the use of that account. Swartz was somebody who kept creating new accounts each time his last one was canceled. I argue that at some point so many repeat cancellations would signal that the computer owner wanted the user to get off the network, and that that point had been crossed in the Swartz case. So whether it should have been a felony is a different question, but I think it should have been an unauthorized access.

Passcode: You’ve been very active soliciting comments on this draft paper, including posting the abstract to a Washington Post blog you contribute to. Why is public comment so important for this paper, specifically?
Kerr: I would love feedback, especially from non-lawyer audiences, on the article. It’s sort of a funny lawyer view, the kind of article where the premise is, "Hey, lawyers, you should be listening to the non-lawyers: Listen to the computer nerd." I'd love to hear from more computer people – anyone reading this – about whether they think that I've accurately captured the norms.
