Modern field guide to security and privacy

Orin Kerr's radical idea for reforming anti-hacking laws

Law professor Orin Kerr argues that social norms are the best ways of determining what's 'authorized' and 'unauthorized' computer access, a critical component of the federal anti-hacking law that critics complain is too ambiguous.

Julie Jacobson / AP
A padlocked home in the Bronx, New York. Orin Kerr wants computer security law to be based in social norms, which in part might mean access would only be unauthorized when resolute security measures are in place.

One of the chief criticisms of the Computer Fraud and Abuse Act, the federal anti-hacking statue, is that it's too vague. It bans unauthorized computer access, but gives little guidance as to what "unauthorized" computer access actually means. 

For instance, the Seventh Circuit Court of Appeals has ruled that someone could be found guilty of computer fraud for using of a company computer against the interests of that business. In a different case, the Ninth Circuit ruled that the Seventh Circuit standard was overly broad. 

Orin Kerr has long been a critic of the law's ambiguity. But his solution isn't to change the statute to better define authorization, but to not defining it at all. Mr. Kerr, a professor of law at George Washington University, argues in a draft paper released last week titled "Norms of Computer Trespass" that judges should rely on social norms to determine what is and isn't commonly considered trespass.

Mr. Kerr has represented defendants in computer trespass cases, including the appeal for the Andrew 'weev' Auernheimer when Mr. Auernheimer downloaded thousands of AT&T customer e-mail addresses. The case was controversial, both because Auernheimer was a notorious Internet troll, and because the e-mail addresses were stored on sites that weren't password protected. The question became whether downloading information that's accessible to anyone with the Web address is really criminal hacking.

Kerry says that it isn't. In fact, he says, anything the public can see without entering a password should be fair game, because that's the standard he thinks most Internet users would apply. Passcode spoke with Kerr about authorization and social norms. Edited excerpts follow.

Passcode: Why is defining authorization such a problem?
 
Kerr: The problem is that the law says you can't access a computer without authorization, and it doesn't say what authorization means. So authorized in what way? By whom? And how? So, courts have really struggled because they don't have a framework from which to decide what counts as authorization.

An easy example is in terms of service, where you visit a website, and there's a strongly worded notice in the corner that says you're not allowed to visit this website. OK, so what do you do with that? You've got language that says one thing, but on the other hand the website is open. So is that authorization or not? It depends on whether you'd go with the words or whether you'd go with kind of the environment of the Internet. And so, the idea of this paper is that concepts of authorization boil down to social norms.

Passcode: An example you use throughout the paper is entering a house. 

Kerr: So let's say you could get in through somebody's chimney. No one would think, "Oh, the chimney's open. I'll just go in there." And how do you know that the chimney is out of bounds? It's because of our social experience that tells us that entering is through a door, not through a chimney. We don't have labels that say that. That's just our common experience. The tricky part is that you have to identify what are these norms. What are these social practices and understandings they govern? And it's tough for judges because the judges are not tech savvy, they don't use computers as much as a lot of other people do; so they're kind of in the position of the proverbial martian from outer space trying to figure out if it would be okay to enter a house through a chimney.

Passcode: So, how should judges be defining the norms? 

Kerr: I think you need to classify the kind of virtual space. I think it's critical to realize that websites are different from authenticated accounts. A physical example of this would be, let's say you see a flower store and you want to go in and buy flowers. We think it’s OK to peer into the window, and see if there's anyone inside. And then you can try the handle of the door and open it, and if there's nobody inside you can walk around the store. That's all considered totally fine, it's what everybody does. But that would be clearly a trespass if you did it at somebody's private home. We have a totally different set of understanding of what a store is and what a house is.

And so, my argument is that we need to make the same kind of context sensitive point on the Internet websites are intrinsically public. When you post something on a website, you publish it to the world and it's not a trespass to visit your website. On the other hand, once you set up individualized accounts, you’re creating a private space. I see that as really the dividing line between an open Internet and a closed Internet.

Passcode: In the paper, you apply that standard to well known CFAA cases, including Andrew 'weev' Auernheimer taking data from a publicly visible website and Aaron Swartz possibly abusing the Massachusetts Institute of Technology network to download academic papers in bulk. And you come up with interesting results.

Kerr: I represented [Auernheimer] on appeal, so it will not be surprising I think that accessing a publicly available website is not unauthorized access and it was legal to visit the website.

With Aaron Swartz, once you have an account-based system, which the MIT network did, there’s a clear way that [the network owners] can withdraw access from the use of that account. Swartz was somebody who kept creating a new accounts each time his last one was canceled. I argue that at some point so many repeat cancellations would signal that the computer owner wanted the user to get off the network, and that that point had been crossed in the Swartz case. So whether it should have been a felony is a different question, but I think it should have been an unauthorized access. 

Passcode: You’ve been very active soliciting comments on this draft paper, including posting the abstract to a Washington Post blog you contribute to. Why is public comment so important for this paper, specifically?
 
Kerr: I would love feedback especially from non-lawyer audiences to the article. It’s sort of funny lawyer view, an article that kind where the premise is, "Hey, lawyers, you should be listening to the non-lawyers: Listen to the computer nerd." I'd love to hear from more computer people – anyone reading this – about whether they think that I've accurately captured the norms.

 

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.