This case has engendered considerable discussion among people who work with computers. Many feel that the law criminalizes common practice in the computer field, and that Randal's conviction is a miscarriage of justice. Some of this discussion can be reviewed at Friends of Randal Schwartz.
I am an electrical engineer and a computer programmer. I live and work in Massachusetts. I will not argue here whether 164.377 is a good or bad law; that is for the people and state of Oregon to decide. Neither can I offer any informed legal opinion, as I am not a lawyer. Rather, I will try to provide an engineering perspective on some of the issues raised by 164.377, and suggest some grounds on which those issues might be decided.
The second is that reasoning by analogy is commonly employed whenever the law must evolve to accommodate changing technology. Is this new device, or situation, or social relationship like any that has gone before? Can it be treated by existing law? Or must there be entirely new statute to cover it?
Of course, analogies are not dispositive. The fact that a computer is like some other thing does not mean that it is that other thing, or that the law must treat it as such. The arguments that I make below will be credible precisely to the extent that the analogies that support them are compelling.
The discussion at Friends of Randal Schwartz is rife with analogies. A computer is like a building, a computer is like a car, a computer is like a telephone... The number of analogies that people employ in this discussion and the variety of conclusions that they draw from those analogies suggest that there is not yet a common understanding of social and legal issues concerning computers. At the very least, the matter bears further consideration.
I discuss below five major issues that I see in connection with 164.377
In the case of Oregon v. Schwartz, Intel's internal policies were held dispositive. Randal was found to be in violation of those policies, and convicted accordingly. This has the effect of elevating corporate policies to the status of law, with corresponding penalties for violating them.
In fact, many of these problems appear to have been present at Intel. Intel supposedly makes copies of its policies available at kiosks; Randal seems never to have seen these. Different departments at Intel had different standards for computer security. Randal was given different directions, at different times, by different managers regarding computer security. And none of these directions were written.
Despite all this, the underlying problem here is not Intel's internal policies or communication. The underlying problem is that there is not a common understanding among people who use computers of how authorization is established with regard to computers, and 164.377 doesn't provide one, either. Randal Schwartz genuinely believed that he was authorized to do the things that he did. Tragically, he was mistaken.
In principle, the question of authorization is as complex in the case of automobiles as it is in the case of computers. Nonetheless, most people manage to conduct their lives without incurring convictions for auto theft. They do not do this through careful study of relevant statute. They do it by following a few simple, widely understood guidelines for driving cars.
For example, giving someone the keys is generally held to grant them permission to drive the car. There could be exceptions, but this rule will get you the right answer almost every time. And should there be some misunderstanding, it will be cleared up quickly enough when you find that you cannot easily start the car without the keys.
This is not a facetious point. I got up one morning, checked out of my hotel, got into my rental car, and found that the key wouldn't turn. After a few moments confusion, I realized that I was actually in someone else's rental car: same make, same model, same color, same agency—different license plate. If cars were started with a push button—say, as army jeeps were in World War II—I could have been across town trying to explain the situation to a police officer before I realized my mistake.
Today, computers are becoming as ubiquitous as automobiles. They are in homes, schools and businesses. The are linked together into huge networks. They may be left unattended. They are used by people who understand neither technical nor legal issues concerning them. Questions of authorization are going to arise. Without some simple, widely understood rules governing the use of computers, there are going to be misunderstandings. When these occur, people will be left to the complexity of law and the vagaries of corporate policies. There will be more Randal Schwartzes.
The state of Massachusetts recently passed a law formally recognizing such systems. The law puts users on notice that when a computer controls access through a system of IDs and passwords, access to the computer by anyone without a valid ID and password is unauthorized.
Had this been the standard in Oregon v. Schwartz, Randal might have been acquitted. He definitely had valid IDs and passwords for some computers at Intel, and he might have respected a law forbidding access to those for which he did not.
164.377 is quite general in its definition of "computer", "data" and "access". For example, paragraph (1)(b) provides:
"Computer" means, but is not limited to, an electronic device which performs logical, arithmetic or memory functions by the manipulations of electronic, magnetic or optical signals or impulses, and includes all input, output, processing, storage, software or communication facilities which are connected or related to such a device in a system or network.
This sort of language is commonly employed to ensure that a statute is sufficiently general to cover its intended subject matter. And 164.377 probably does cover all the things that people usually think of as computers. However, it also covers some things that people may not think of as computers.
According to 164.377(1)(b), the following devices are unquestionably computers
As discussed above, 164.377 does not define "authorization". Nonetheless, 164.377 has been in force for some time now, and people continue to leave messages on telephone answering machines throughout the state of Oregon. Were all these messages somehow authorized? Or have the victims simply failed to press charges? This may seem like a frivolous question, but it is easy enough to construct a case that could end up in court. Consider:
A man and a woman argue. The woman shouts, "I never want to hear from you again!" The next day, the man calls and leaves a message on her answering machine. The message is not obscene, harassing or threatening. There are not grounds to prosecute under even the most progressively drafted anti-stalking law. Is this nonetheless a computer crime? A class C felony?
One problem with this approach is that it injects the weight and complexity of law into many everyday matters that people are used to managing on an informal basis. To see just how many, you need only look around you and start counting computers. The list given above is illustrative, but not exhaustive.
If I walk onto my neighbor's property and open his unlocked garage door, I have committed a trespass. If I stand on my own property and open it by activating his automatic garage door opener with my own hand-held remote control, I have committed computer crime.
Suppose a bar has a television set, and the patrons disagree on what channel to watch. One patron, unwilling to accede to either the consensus of the group or the dictates of management, reaches up and turns the channel knob himself. Management objects; he persists; management presses charges. The patron is probably guilty of a misdemeanor: disorderly conduct, disturbing the peace, or the like. On the other hand, if the patron uses a remote control to change the channel, he is guilty of a felony: computer crime.
A telephone with a redial button is a computer. Open it up, examine its workings: you will find a CPU, RAM, ROM, a stored program, input and output facilities—all the essential elements of a computer by either 164.377(1)(b) or by any technical definition.
Of course, most people still believe that they know the difference between a computer and a telephone, and the law could try to stand on that common distinction. However, unanalyzed concepts won't hold up when someone's money—or liberty—is at stake. If the state wants to maintain a distinction between computers and telephones, then it is going to have to establish some principled basis for that distinction.
There has recently been speculation in the trade press that as the difference between PCs and TVs continues to shrink, the market will not support two separate industries that make essentially the same product. This speculation was followed by debate as to whether the PC manufacturers will then subsume the TV manufacturers, or vice-versa.
The problem here is that use is converging as fast as design. I have already mentioned that you can watch TV on your Macintosh. And there is software available today that allows two people to carry on a voice conversation using two computers that are connected, not via the telephone system, but via the internet. Right now, this software is not widely used, but that could change if many people realize that it is an easy way to make free long-distance telephone calls.
164.377 apparently treats a private matter: the property rights of people who own and operate computers. However, the only time that 164.377 is actually necessary to protect these rights is when a computer has been connected to a public communication network.
A public communication network is a very public space, and connecting a computer to one puts it into this space in a very public way. There are certainly competing interests when this is done.
Many people use communication networks for many purposes. They send and receive data over these networks as they see fit for their own convenience or benefit. These are public interests.
An individual connects a computer to such a network in order to obtain these same conveniences and benefits. However, to protect his property rights, he must ensure that no one can use the network to alter his computer, or obtain from it information that he wishes to keep secret. These are private interests.
Mediating between these interests is a complex problem, involving both technical and social issues. We need first to explore, understand and debate these issues; next to make basic policy decisions regarding them, and finally to carefully draft statute to implement those policies.
Having read 164.377, I doubt that any of this was done. 164.377 is entirely concerned with the property rights of people who own and operate computers. It appears to have been drafted not only in disregard of the public interests that are at stake here, but without even an understanding that there are other interests to be considered.
Nonetheless, 164.377 is current statute, and as such, it expresses an implicit policy on these matters. Under this policy, the law guarantees both the security and privacy of computers that are connected to public networks. An individual may put his computer into this public space in any manner that he chooses: he need meet no standard of care in order to obtain the protection of statute. All others must be scrupulously careful, upon pain of felony conviction, not to disturb that computer in any way, or even to communicate with it.
Let's look at these points in detail.
The law then codifies this policy. Drivers may park in designated locations, at designated times. Property rights of drivers are protected: no one may take or otherwise disturb cars so parked. However, drivers give up some privacy rights: passers by may look at parked cars, and may even peer through the windows to see what is inside.
In a situation like this, there is not much need for a computer crime law. The only possible access to the computer requires breaking and entering, which is a crime treated by previously existing statute.
In this case, access to the computer requires, at the least, wiretapping. Here as well, there is little need for a computer crime law. Wiretapping is a serious offense in its own right, and is treated by previously existing statute.
In this case, computer security is potentially a problem. However, because the people operating the computers are not very concerned about it, there is still little call for new statute.
Even so, there are some practical limits to the public access that a street affords. In principle, anyone may see a car that is parked on a street; in practice, they must actually be on that street. To a person on another street, in another city or on another continent, the car might as well be in a locked, windowless garage. People sometimes rely on this to maintain a minimal degree of privacy in a public place. For example, a person might park their car around a corner, in order to keep it out of sight of someone else.
There are no corners on a computer network.
When a computer is connected to a public network, it is immediately and equally accessible to anyone within reach of a telephone jack, within range of a cellular telephone station, or within the footprint of a communications satellite—anywhere in the world. A public computer network is a very public space.
Thus, connecting a computer to a network not only puts it into a very public space, but necessarily engages it in a very public, ongoing conversation with other computers.
Many people use computer networks for just these purposes. They communicate with each other, they obtain information from other computers, or they make information on their own computer available so that others may access it. The technical capability and the legal right to use networks for these purposes are public interests.
However, businesses are also concerned with computer security. If a computer contains confidential information, they must ensure that no one else can use the network to obtain that information. And, of course, they must ensure that no one can use the network to alter or tamper with their computers. The ability of a business to use networks for its own purposes is a private interest.
A corollary to this is that the only way to obtain access to a computer by means of a network is to ask for it. When one computer wants information from another, it sends a request. The other computer then returns the requested information—or it doesn't.
The substantive problem in maintaining the security of a computer that is connected to a network is not preventing people from sending it requests. People are going to send requests to any computer that is connected to a network. Rather, it is ensuring that it only responds to the right requests, from the right computers.
This problem presents various technical difficulties; solving it requires a certain amount of care and skill. However, good, robust solutions, such as firewalls, are available today on the open market. Even better solutions, based on cryptographic techniques such as public-key encryption, digital signatures and zero-knowledge proofs, are known, although the market for these is not well-developed at present. These techniques can be used to make computers extremely secure—in any case, more secure than the buildings that house them or the people that attend them.
For example, some people use the Windows operating system to run their computers. Computer security was not one of the original design goals of Windows, and there are fundamental technical obstacles to making a Windows system secure. However, Windows offers many other benefits and conveniences, and many people use it despite its security flaws. Whenever someone connects a Windows system to a computer network, they are—whether they realize it or not—trading security for convenience.
This is generally the standard when people speak to each other. If my competitor asks me for proprietary information, it is up to me to refuse him. If I do give him the information he seeks, I have no recourse at law. More realistically, I might accidentally leave confidential information in a public place—say, on a park bench. Once I do this, the law no longer protects its confidentiality.
164.377 implicitly establishes a policy on computer access. This policy is diametrically opposite from the standard used in ordinary conversation. Under 164.377, responsibility for preventing unauthorized access to a computer lies entirely with person attempting the access. This responsibility is absolute. Someone may put proprietary information on a computer, connect that computer to a global network, and configure the computer to provide that information to anyone—identified or not—who asks for it. 164.377 then provides criminal penalties for anyone who accesses that information without authorization.
For an example that ties together several of the problems with 164.377, imagine that I record some confidential information as the outgoing message on my telephone answering machine. I then give my telephone number to an associate and authorize him to call and listen to the message. Unfortunately, someone else looks up my number in the telephone book, calls my machine and hears the message.
My answering machine is a computer. I did not authorize anyone else to access it. I can press charges under 164.377.
Computers are not people; networks are not park benches. The law can distinguish between these things, and society may decide, as a matter of policy, to treat them differently. However, the policy established by 164.377 is fundamentally incompatible with the way computer networks are currently used, from both a technical and a social standpoint. I'll give two examples of this incompatibility.
For example, networks that use TCP/IP protocols have a facility called "ping". Ping is used to find out if a computer is connected to the network. One computer sends a ping request to a second. The second returns an acknowledgement. The first computer then knows that the second one is, indeed, present and functioning.
Ping is a simple facility, but there are other, more complex, parts of the protocol that also require responses. A computer that does not provide these responses is simply not going to function on the network. It may even cause other parts of the network to malfunction.
Under 164.377, sending a ping request to a computer is strictly illegal, unless it is authorized by the owner of the computer. There are various ways around this problem. It might be established that connecting a computer to a network implicitly authorizes others to send ping requests. Alternately, it could be established that a ping request is in some way insubstantial, and therefore not within the scope of 164.377. At present, however, none of this has been done, and 164.377 apparently outlaws normal use of TCP/IP protocols.
At the very core of the Web is something called a "link". A link allows a user to jump from one document to another. It works regardless of where the documents are. They could both be on the user's computer, or they could be on two different computers on opposite sides of the world. Links tie billions of documents on millions of computers all around the world into an integrated whole, and provide a way for users to move around that whole in a meaningful way.
In practice, what people tend to do on the Web is go exploring. One document links to a second, the second to a third, and so on. This ability to explore is one of the most powerful and useful features of the Web. When people explore, they take it for granted that anyone making information available on the Web intends for others to access it.
164.377 denies this. 164.377 holds that access to any computer for any reason is illegal unless it has been authorized. If users start looking at links and worrying about whether they are authorized to follow them, then the entire World Wide Web will disintegrate.
Few people look directly to statute to guide their everyday actions. The law is far too complex for that. Rather, most people are guided by a few simple principles: lying is wrong; stealing is wrong; hurting others is wrong. For many people, the values that they learned in childhood are more compelling than any statute.
At the same time, the government hasn't the resources to ensure that every person obeys every law. An orderly society relies heavily on the fact that most people, most of the time, are law-abiding.
Serious problems can arise when statute disagrees with common practice or values. This happened with prohibition in the 1920s, and is currently the case with narcotics laws.
First, the computer field is relatively lucrative. People who work with computers are usually well-paid, and consider themselves to have a stake in the system. They are averse to things that could threaten their careers, such as illegal activity.
Along the same lines, programmers consider themselves to be professionals, and value their reputation accordingly. An employer may hire programmers of greater or lesser skill; however, very few will hire a programmer of less than the highest personal integrity.
Pragmatic concerns for their careers are important, but for most programmers, the matter is much deeper than that. Typically, people are attracted to computers because they understand their power and beauty. Working with computers gives them an opportunity to exploit that power, and to create something of significance.
Most programmers value computers, just as artists value works of art. Few artists would deface or destroy the work of another, even if they disliked it. Similarly, few programmers would corrupt or destroy a computer system—to do so is simply counter to the values that they hold.
At the same time, few programmers have any compunctions about accessing computer systems—even systems that they are clearly not supposed to access. An artist takes it for granted that a work of art is there to be appreciated: paintings to be looked at; music to be listened to. Similarly, a programmer takes it for granted that computer systems are there to be accessed, explored, examined or copied, limited only by his own technical capability to do so.
What's more, none of this runs counter to the naive values that people typically use to guide their actions. For example, most people know that it is wrong to damage or destroy the property of another; however, accessing a computer does not damage it. Most people know that theft is wrong; however, copying a file does not deprive the owner of the original, and is therefore not commonly viewed as theft.
I am not suggesting here that programmers need not obey the law. Rather, I am suggesting that they are not, of their own accord, going to obey this law, because it is contrary to common practice in their field, and because it is contrary to their own deeply held values.
If the state of Oregon actually wants people to obey 164.377, it might consider undertaking a public education campaign. People need to know that this law has been passed, that it mandates a strict standard of behavior, and that they can be prosecuted for violating it.
Publicizing the case of Oregon v. Schwartz might be a good place to start. It is a compelling illustration that the law is real, that good intentions and personal integrity are not relevant, and that there can be some very subtle issues involved in establishing whether someone is properly authorized to access a computer.
It would be easy enough for an employer to grant authorization, say, to access a computer "as necessary to carry out assigned duties." However, blanket statements like this will not serve. Indeed, Randal Schwartz believed that he was carrying out his assigned duties when he did the things for which he was convicted. Similarly, authorization given orally cannot be relied upon. The chances and consequences of misunderstanding are simply too great.
Rather, employers should sign a document specifying exactly what computers an employee is authorized to access, what files they are authorized to read and write, what programs they are authorized to run, and so on. Employees will need to carefully safeguard this document: it may be all they have to rely on should their authorization ever be called into question.
From time to time, employers will doubtless need to amend these documents. They may find it convenient to do this orally; however, employees would be well advised not to act on any amendment until it has been given to them in writing.
All of this will impose a certain amount of overhead on businesses that operate computers in the state of Oregon. However, I can't see any other way to manage the problem.
People in other states might be traced through telephone lines and then extradited to Oregon. The same thing can be done for people in other countries, but it is much more difficult.
A recent case involved people in Germany breaking into computers in California. These intruders were caught only because one computer operator spent many months working doggedly to find them. He had to monitor his computer systems incessantly. He had to secure warrants in several states and countries. He had to get several telephone companies to execute traces. Finally, he had to devise and lay his own traps to identify the intruders.
A similar campaign to find intruders based in, say, South America, could encounter insurmountable legal and technical obstacles. The People's Republic of China might not cooperate in an investigation of this sort. And intelligence agencies of foreign governments are not going to be much deterred by 164.377.
When someone is looking at the remains of a corrupted disk drive, or reading their own trade secrets in the morning paper, it helps them little to know that the person responsible is now a criminal. People to whom computer security matters have to prevent others from compromising their computers in the first place.
In fact, the government has done just the opposite. It turns out that the federal government doesn't want people to have secure networks, because secure networks are difficult to wiretap. The government is particularly intent on preventing people from using strong encryption to protect network communications.
The federal government is doing everything in its power to obstruct and delay the use of strong encryption. It restricts the export of encryption software. It promotes the clipper chip. It harasses Phil Zimmerman. And it certainly isn't promoting the development of secure networks.
On a personal note, I must say that I find all of this rather galling. It is as if the federal government forbade people to put locks on their doors, while the state promised to shoot trespassers on sight. The goal of good government should be secure homes, not dead trespassers.
If the state of Oregon wants to improve computer security, the most effective thing it could do might be to petition its congressional delegation to change federal policy on this matter.
Internally, no employee would touch a computer until they had received authorization. As described above, this would have to be written, detailed and specific. Manufacturing, programming and accounting would halt. Even receptionists would stop answering calls—the telephone system is a computer.
Intel would have to draft documents authorizing employees to access its computers. This would take more or less time, depending on the complexity of the job. IC fabs could probably be back on-line within a few days. At the other extreme, negotiating the necessary authorization for a programmer could take weeks—months if corporate counsel needs to review the document.
Externally, no computer outside of Intel would communicate with any computer inside of Intel. Universities, businesses, network providers, individuals: all would sever their communication links with Intel.
Intel could draft documents authorizing access to their computers over public networks. However, others might decide that it wasn't worth the time, trouble or risk to understand and act on this authorization. They might simply decline to reestablish communication links with Intel computers.
Intel could suddenly find its computers very secure—and very useless.
Throughout the state of Oregon, people are accessing computers just as they always have, and 164.377 is being routinely ignored. The problem with this is that 164.377 thereby becomes an unenforced law. Unenforced laws are generally considered to be bad. They transfer power from the people to the government, and from the judiciary to the executive.
For example, police like the 55 MPH speed limit not because anybody actually obeys it, but precisely because no one does. When every car on the interstate is traveling at least 60 MPH, the police are free to stop anyone they choose, for any reason, without being bothered by niceties like "probable cause" or "reasonable suspicion".
Unenforced laws are also subject to abuse by corrupt or over-zealous prosecutors. They can be used to coerce witnesses into perjuring themselves. They can be used to secure a plea-bargain, when the evidence might not support a conviction. They can be used to bludgeon political opponents, or minorities.
As always, people who are politically powerful, or well liked, or simply minding their own business and not causing anyone trouble are going to get through the day without being accused of computer crime, even if they are technically guilty of such. Rather, it is people who are disliked, or involved in some sort of dispute, or who have embarrassed someone more powerful than themselves who are going to find themselves on the wrong end of 164.377. And as Randal Schwartz discovered, you can move from the first category to the second without even realizing it.