Shostack + Friends Blog Archive

 

Obligation to Secure

unlocked.jpg

Chronicles of Dissent has a good article on this topic, “If you don’t secure your data, it’s not unauthorized access.”

A court in Pennsylvania ruled that it’s not illegal to get information you really shouldn’t have if you got it from a search engine or the search engine’s caches.

This is important because there have also been some stupid cases where someone has been prosecuted for “unauthorized” access to wireless networks and this provides clarity, too. If you didn’t secure your network, and my laptop finds it, it’s your problem, not mine.

However, I also agree that if I am told that a network isn’t free, even if it’s open, I shouldn’t use it. (That case was one in which someone used a cafés wireless network repeatedly after being told that it’s for customers.) I think of it as the difference between a fence and a no-trespassing sign. (I was once in a hotel and saw the SSID “STAY THE HECK OFF MY NETWORK” — except that it didn’t say “heck,” it used a different first two letters. It was clear that proceeding further would in fact be digital trespass.)

Read the article, and if you are so inclined the larger law report.

Photo “Unlocked door” by coveman.

7 comments on "Obligation to Secure"

  • Dissent says:

    We seem to be on slightly different sides of this argument. If I forget to lock the door to my house or even forget to close the door, does that mean you can lawfully enter, look around, and maybe rifle through my lingerie drawer? Assume that there is no “no trespassing” sign on my front door.
    And can you lawfully take photos of my belongings and then share them with your friends and family?
    Or isn’t that the correct analogy?
    A door being open does not equal “authorized access.” Whatever happened to “Mother, may I?”
    I do believe that people and companies and agencies are responsible for trying their best to secure data, but I also think we err if we don’t establish a general “permission required” standard to archive. And yes, I know I’m in the minority on this.

  • David Brodbeck says:

    I think it’s a complicated question, Dissent, because sometimes it’s difficult to tell when something is authorized and when it isn’t. If Google indexes a page with people’s social security numbers, it’s probably obvious I’m not supposed to look at it. But what if it indexes a list of names and salaries? Should it be assumed that access is authorized or unauthorized? At some workplaces this is confidential information, but at others it’s public.
    What if I’m in a coffee shop and I find an open wireless network with the SSID of ‘Linksys’. Should I assume it’s intentionally open for customers, or should I assume it’s an incompetently installed network in the apartment upstairs and use is unauthorized?

  • The debate has been raging for years on what the definition of “access” is within the CFAA – Computer Fraud and Abuse Act.
    Check out: http://cyberlaw.stanford.edu/freetags/cfaa
    and or do a search for “CFAA Trespass to Chattels” and you’ll find a wealth of information.
    Essentially, courts have traditionally read access and authorization in the online world to mean something analogous to the physical world, even when its hard to apply the exact same standard.
    Roughly speaking, any time you access a computer contrary to the owner’s specific authorization, you risk accessing the system without authorization and in violation of the CFAA.
    Several proposals have been made to clearly define the word “access” in the context of the CFAA, and to also apply the standard of a required access control mechanism before the unauthorized pieces kick in. None of these have made their way into the law yet.
    A pretty simple case really of the law being vague and not getting fixed despite bogus interpretations by the courts.

  • Mordaxus says:

    I agree with you, Dissent. An unlocked door does not mean you’re welcome to come in. A lawnmower left in the yard doesn’t mean you can borrow it.
    But yes, if you leave your lawnmower in the front yard, I may take a picture of it and do what I wish with it. I don’t need to ask, “may I” because the photons bouncing off of your lawn are in the public space.
    Similarly, I think that if you find my data in a web cache, it’s my problem, not yours.
    I also think that if you leave your wireless network open, it isn’t my fault if my laptop decides to connect. I use WEP on my wireless network and am very happy with it. It is the most effective No Tresspassing sign I’ve seen for networking.

  • Dissent says:

    Thanks to all of you for your comments, and those links.
    Mordaxus: I’m not sure when you say “my problem” if you mean you as the person whose record is exposed or you as the person who was supposed to secure the data…?
    If I find data in a web cache, it is the problem of the person or agency who was supposed to secure the data, but does that give me the right to download it and maybe upload it to my own site or use it? What if data that landed up in a web cache are patient records? What if they are top military secrets that a federal agency didn’t secure properly? (Yes, I know you’re all thinking, “C’mon, Dissent, no federal agency could ever be THAT bad!”)
    The people who get harmed are those whose information is exposed. And yet if we take the “it’s your problem” approach, someone could get away with taking others’ unintentionally exposed personal information and uploading it intentionally, without the individuals’ consent. So it can’t just be your problem. We have to put some responsibility on those who would download or otherwise use information that is accidentally exposed.
    It’s really not “Finders, keepers,” is it?
    Looking at the first link Andy provided, it’s clear that different circuit courts are reaching different conclusions. If Congress won’t straighten out this mess, I wonder if SCOTUS will decide it’s ripe for review.

  • sonofdot says:

    To some extent I agree with Dissent’s comments, except for the flaws in the analogy.
    The problem is, this isn’t the same as leaving your front door unlocked. It’s much more analogous to putting up “Open House” signs and then complaining that the visitors looked in the closet. If you didn’t mark the closet “Do Not Enter” or “Authorized Personnel Only” then you’ve implicity invited everyone who attends your open house to inspect every nook and cranny that you haven’t marked as off limits (or better yet, prevented access to by locking the doors).
    But in this case, we’re talking about a public website, which by definition was not password protected or require other authorization. So if the website contained content that should not have been exposed to the public, then that content should not have been on the website in the first place, or should have been protected by some authorization method.
    Basically, you can’t publish your information to the public via the web, and then expect the public to determine which parts of that information should be considered private and which shouldn’t. Whether you exposed the information intentionally or unintentionally isn’t part of the equation.

  • BDJ says:

    When you put something on a public website it is not analogous to leaving the back door unlocked in your home. It is more like you took your personal belongings into the street and then expected no one to mess with them.
    An even better analogy would be if a business opened a storefront office and placed their business sensitive data (e.g., a company ledger) on a table on the sidewalk for all to see. The business owner can’t complain about people reading the ledger if he publishes it.
    As the previous commentator noted, don’t open up your website to the public and complain about privacy violations. No one is directly connected to the Internet in this fashion without making an effort to be so connected. With that connectivity to a public forum comes the responsibility to protect oneself from unwanted exposure.

Comments are closed.