Remarks on Oregon vs. Schwartz

Recently, the state of Oregon enacted a computer crime statute, 164.377. On July 25, 1995, Randal Schwartz was convicted of three felony counts under this statute, as a result of his activities while working as an independent contractor for Intel Corporation.

This case has engendered considerable discussion among people who work with computers. Many feel that the law criminalizes common practice in the computer field, and that Randal's conviction is a miscarriage of justice. Some of this discussion can be reviewed at Friends of Randal Schwartz.

I am an electrical engineer and a computer programmer. I live and work in Massachusetts. I will not argue here whether 164.377 is a good or bad law; that is for the people and state of Oregon to decide. Neither can I offer any informed legal opinion, as I am not a lawyer. Rather, I will try to provide an engineering perspective on some of the issues raised by 164.377, and suggest some grounds on which those issues might be decided.

Analogies

Some of the discussion below involves analogies between computers and more familiar objects, such as cars or streets or billboards. There are two reasons for this. The first is that analogies allow people to understand and think about issues concerning computers, without necessarily having to understand computers themselves.

The second is that reasoning by analogy is commonly employed whenever the law must evolve to accommodate changing technology. Is this new device, or situation, or social relationship like any that has gone before? Can it be treated by existing law? Or must there be entirely new statute to cover it?

Of course, analogies are not dispositive. The fact that a computer is like some other thing does not mean that it is that other thing, or that the law must treat it as such. The arguments that I make below will be credible precisely to the extent that the analogies that support them are compelling.

The discussion at Friends of Randal Schwartz is rife with analogies. A computer is like a building, a computer is like a car, a computer is like a telephone... The number of analogies that people employ in this discussion and the variety of conclusions that they draw from those analogies suggest that there is not yet a common understanding of social and legal issues concerning computers. At the very least, the matter bears further consideration.

I discuss below five major issues that I see in connection with 164.377.

Authorization

164.377 (3) and (4) provide that accessing or altering a computer without authorization is a crime. However, it does not define "authorization", or specify any means by which authorization may be made, discerned, proven or contested.

In the case of Oregon v. Schwartz, Intel's internal policies were held dispositive. Randal was found to be in violation of those policies, and convicted accordingly. This has the effect of elevating corporate policies to the status of law, with corresponding penalties for violating them.

Who's in charge around here?

Many people familiar with the case find this disturbing. Anyone who has worked in a large organization knows that corporate policies lack the structure and protection of law. They may be ambiguous or contradictory. They may be poorly disseminated. They may be interpreted differently by different departments, or at different times. They may be widely disregarded, or countermanded by managers who technically haven't the authority to do so.

In fact, many of these problems appear to have been present at Intel. Intel supposedly makes copies of its policies available at kiosks; Randal seems never to have seen these. Different departments at Intel had different standards for computer security. Randal was given different directions, at different times, by different managers regarding computer security. And none of these directions were written.

Despite all this, the underlying problem here is not Intel's internal policies or communication. The underlying problem is that there is not a common understanding among people who use computers of how authorization is established with regard to computers, and 164.377 doesn't provide one, either. Randal Schwartz genuinely believed that he was authorized to do the things that he did. Tragically, he was mistaken.

Hey Dad, Can I have the keys?

The problem of establishing authorization is not unique to computers. It arises whenever one person has almost anything at all to do with the property of another. For example, driving someone else's car is legal, or not, depending precisely on whether I have their authorization to do so, or not.

In principle, the question of authorization is as complex in the case of automobiles as it is in the case of computers. Nonetheless, most people manage to conduct their lives without incurring convictions for auto theft. They do not do this through careful study of relevant statute. They do it by following a few simple, widely understood guidelines for driving cars.

For example, giving someone the keys is generally held to grant them permission to drive the car. There could be exceptions, but this rule will get you the right answer almost every time. And should there be some misunderstanding, it will be cleared up quickly enough when you find that you cannot easily start the car without the keys.

This is not a facetious point. I got up one morning, checked out of my hotel, got into my rental car, and found that the key wouldn't turn. After a few moments' confusion, I realized that I was actually in someone else's rental car: same make, same model, same color, same agency—different license plate. If cars were started with a push button—say, as army jeeps were in World War II—I could have been across town trying to explain the situation to a police officer before I realized my mistake.

Judicial road kill

Thirty years ago, none of this was relevant to computers. Computers were multi-million dollar machines. They were not connected to communications networks. They were never left unattended. The only people with any kind of access to them were a few highly-trained engineers and technicians. Questions of authorization simply didn't arise.

Today, computers are becoming as ubiquitous as automobiles. They are in homes, schools and businesses. They are linked together into huge networks. They may be left unattended. They are used by people who understand neither technical nor legal issues concerning them. Questions of authorization are going to arise. Without some simple, widely understood rules governing the use of computers, there are going to be misunderstandings. When these occur, people will be left to the complexity of law and the vagaries of corporate policies. There will be more Randal Schwartzes.

Passwords

Many computer systems control access through a system of user IDs and passwords. People who use computers generally understand such systems in much the same way that they understand car keys: knowing their ID and password establishes their authority to use the computer. And like a car key, having an ID and password provides a good check against misunderstanding, because you cannot easily access the computer without them.

The state of Massachusetts recently passed a law formally recognizing such systems. The law puts users on notice that when a computer controls access through a system of IDs and passwords, access to the computer by anyone without a valid ID and password is unauthorized.

Had this been the standard in Oregon v. Schwartz, Randal might have been acquitted. He definitely had valid IDs and passwords for some computers at Intel, and he might have respected a law forbidding access to those for which he did not.

Unintended consequences

164.377 is quite general in its definition of "computer", "data" and "access". For example, paragraph (1)(b) provides:

"Computer" means, but is not limited to, an electronic device which performs logical, arithmetic or memory functions by the manipulations of electronic, magnetic or optical signals or impulses, and includes all input, output, processing, storage, software or communication facilities which are connected or related to such a device in a system or network.

This sort of language is commonly employed to ensure that a statute is sufficiently general to cover its intended subject matter. And 164.377 probably does cover all the things that people usually think of as computers. However, it also covers some things that people may not think of as computers.

According to 164.377(1)(b), the following devices are unquestionably computers

As all these things are computers, 164.377 applies equally to all of them. Depending on the original intent of the statute, this could have unintended consequences. Some of these are discussed below.

Unauthorized messages

Calling an answering machine accesses it; leaving a message alters it. Sending a FAX accesses, and probably alters, the receiving FAX machine. Placing a call through a PBX accesses, and arguably alters it. The only remaining question is whether these actions were authorized.

As discussed above, 164.377 does not define "authorization". Nonetheless, 164.377 has been in force for some time now, and people continue to leave messages on telephone answering machines throughout the state of Oregon. Were all these messages somehow authorized? Or have the victims simply failed to press charges? This may seem like a frivolous question, but it is easy enough to construct a case that could end up in court. Consider:

A man and a woman argue. The woman shouts, "I never want to hear from you again!" The next day, the man calls and leaves a message on her answering machine. The message is not obscene, harassing or threatening. There are not grounds to prosecute under even the most progressively drafted anti-stalking law. Is this nonetheless a computer crime? A class C felony?

Rules of the road

One approach to this question would be to develop principles of law by which people may know when they are authorized to use a computer, and by which they may prove that such authorization was made, should it be called into question. For example, there might be a conclusive—or should it be rebuttable?—presumption that connecting an answering machine to a public telephone network grants everyone else permission to leave messages on that machine. Different rules could apply to answering machines connected to private telephone networks. When an answering machine is connected to a private telephone network, and the private network is connected to a public telephone network—well, that's when the lawyers get involved.

One problem with this approach is that it injects the weight and complexity of law into many everyday matters that people are used to managing on an informal basis. To see just how many, you need only look around you and start counting computers. The list given above is illustrative, but not exhaustive.

Upping the ante

Minor infractions suddenly become much more serious if a computer is somehow involved.

If I walk onto my neighbor's property and open his unlocked garage door, I have committed a trespass. If I stand on my own property and open it by activating his automatic garage door opener with my own hand-held remote control, I have committed computer crime.

Suppose a bar has a television set, and the patrons disagree on what channel to watch. One patron, unwilling to accede to either the consensus of the group or the dictates of management, reaches up and turns the channel knob himself. Management objects; he persists; management presses charges. The patron is probably guilty of a misdemeanor: disorderly conduct, disturbing the peace, or the like. On the other hand, if the patron uses a remote control to change the channel, he is guilty of a felony: computer crime.

Quitting the game

Faced with examples like this, it is tempting to simply declare that telephones and televisions and answering machines are not computers, and draft new statute to that effect. This neatly sidesteps the whole issue of computer crime, at least where household appliances are concerned, and restores the status quo ante for all but computer professionals. The problem with this approach is that the distinctions that it seeks to make in law no longer exist in reality.

What's a telephone?

Thirty years ago, computers and telephones were different things. They looked different, they were made from different parts, they operated according to different principles, they were used for different purposes. Today, none of this is true.

A telephone with a redial button is a computer. Open it up, examine its workings: you will find a CPU, RAM, ROM, a stored program, input and output facilities—all the essential elements of a computer by either 164.377(1)(b) or by any technical definition.

Of course, most people still believe that they know the difference between a computer and a telephone, and the law could try to stand on that common distinction. However, unanalyzed concepts won't hold up when someone's money—or liberty—is at stake. If the state wants to maintain a distinction between computers and telephones, then it is going to have to establish some principled basis for that distinction.

What's a TV?

And it's not just telephones. From an engineering standpoint, there is less and less difference between a personal computer (PC) and a television set. Apple Computer actually sells a Macintosh that can display standard television pictures.

There has recently been speculation in the trade press that as the difference between PCs and TVs continues to shrink, the market will not support two separate industries that make essentially the same product. This speculation was followed by debate as to whether the PC manufacturers will then subsume the TV manufacturers, or vice-versa.

What's it for?

Rather than base distinctions on design, or intended function, the law could base distinctions on actual use. For example, a telephone is anything used to carry on a voice conversation; a television is anything used to display television programs.

The problem here is that use is converging as fast as design. I have already mentioned that you can watch TV on your Macintosh. And there is software available today that allows two people to carry on a voice conversation using two computers that are connected, not via the telephone system, but via the internet. Right now, this software is not widely used, but that could change if many people realize that it is an easy way to make free long-distance telephone calls.

Data convergence

The identity between various kinds of computers is ultimately grounded in an even more fundamental identity between the various kinds of data that they treat. For example, it is now recognized that the differences between computer networks, telephone networks and cable TV networks are inessential. Historically, these industries have been separated by both technological and regulatory barriers. The technological barriers are rapidly disappearing, and the federal government is now eliminating the regulatory barriers, as well.

Enough, already

In summary, it is going to be very difficult to draw distinctions at law between various kinds and uses of computers in our society. And without such distinctions, the full weight of 164.377 will follow computers into every area of our lives that they touch.

Private use of public spaces

Much law is concerned with mediating between public and private interests. Basic decisions about how to balance competing interests are usually made from a policy standpoint. The law then codifies policy.

164.377 apparently treats a private matter: the property rights of people who own and operate computers. However, the only time that 164.377 is actually necessary to protect these rights is when a computer has been connected to a public communication network.

A public communication network is a very public space, and connecting a computer to one puts it into this space in a very public way. There are certainly competing interests when this is done.

Many people use communication networks for many purposes. They send and receive data over these networks as they see fit for their own convenience or benefit. These are public interests.

An individual connects a computer to such a network in order to obtain these same conveniences and benefits. However, to protect his property rights, he must ensure that no one can use the network to alter his computer, or obtain from it information that he wishes to keep secret. These are private interests.

Mediating between these interests is a complex problem, involving both technical and social issues. We need first to explore, understand and debate these issues; next to make basic policy decisions regarding them, and finally to carefully draft statute to implement those policies.

Having read 164.377, I doubt that any of this was done. 164.377 is entirely concerned with the property rights of people who own and operate computers. It appears to have been drafted not only in disregard of the public interests that are at stake here, but without even an understanding that there are other interests to be considered.

Nonetheless, 164.377 is current statute, and as such, it expresses an implicit policy on these matters. Under this policy, the law guarantees both the security and privacy of computers that are connected to public networks. An individual may put his computer into this public space in any manner that he chooses: he need meet no standard of care in order to obtain the protection of statute. All others must be scrupulously careful, upon pain of felony conviction, not to disturb that computer in any way, or even to communicate with it.

Let's look at these points in detail.

Public vs. private

Much law is concerned with mediating between public and private. For example, people park their cars on the street. The car is private; the street is public. Drivers benefit considerably, because parking on the street is convenient and inexpensive. Pedestrians are slightly inconvenienced, because they may not pass where cars are parked, but must walk around. Having considered these interests, our society has decided, as a matter of policy, to permit this private use of public space.

The law then codifies this policy. Drivers may park in designated locations, at designated times. Property rights of drivers are protected: no one may take or otherwise disturb cars so parked. However, drivers give up some privacy rights: passers-by may look at parked cars, and may even peer through the windows to see what is inside.

Computer security

There is no need for any special statute to protect the security of computers that are operated in private. It is only when computers are connected to public networks that laws such as 164.377 are relevant. To see this, let's look at some approaches to computer security.

Military

People who care—really care—about computer security do not connect their computers to communications networks. Military and intelligence organizations typically take this approach. Computers that contain sensitive information are placed in a large, sealed room: essentially a vault. People enter the vault to use the computers; they leave when they are done. At night, the vault is locked. There are no connections between the computers and the outside world.

In a situation like this, there is not much need for a computer crime law. The only possible access to the computer requires breaking and entering, which is a crime treated by previously existing statute.

Industrial

People who care—but not so much—about computer security do not connect their computers to public communication networks. They may connect them to private networks. Businesses sometimes take this approach. Some actually build their own network; others lease lines from the telephone company.

In this case, access to the computer requires, at the least, wiretapping. Here as well, there is little need for a computer crime law. Wiretapping is a serious offense in its own right, and is treated by previously existing statute.

Academic

People who are not very concerned about computer security connect their computers to public communication networks. Academic institutions do this. Indeed, the mission of universities is to spread knowledge far and wide; restricting access to computers and the data that they contain is not usually a priority.

In this case, computer security is potentially a problem. However, because the people operating the computers are not very concerned about it, there is still little call for new statute.

Legislative

Recently, people who care about computer security, such as businesses, have begun connecting their computers to public networks. When this is done, access to the computer may be made over the network. However, this access involves neither breaking, entering, taking nor wiretapping, and is therefore not treated by previously existing statute. Only by drafting new statute, such as 164.377, can the state prohibit this sort of access.

Public spaces

People typically give up some privacy rights when they enter a public space. If someone keeps a car in their own garage, no one else may see it. However, when they drive it on the street, others may look at it.

Even so, there are some practical limits to the public access that a street affords. In principle, anyone may see a car that is parked on a street; in practice, they must actually be on that street. To a person on another street, in another city or on another continent, the car might as well be in a locked, windowless garage. People sometimes rely on this to maintain a minimal degree of privacy in a public place. For example, a person might park their car around a corner, in order to keep it out of sight of someone else.

There are no corners on a computer network.

When a computer is connected to a public network, it is immediately and equally accessible to anyone within reach of a telephone jack, within range of a cellular telephone station, or within the footprint of a communications satellite—anywhere in the world. A public computer network is a very public space.

Public conversation

What's more, it is not possible to connect a computer to a network without communicating with other computers on that network. A physical connection may be made, but the physical substrate of the network is inessential. The essence of a computer network is the protocols—the rules—by which computers on that network communicate. If a computer is physically connected to a network, but does not communicate according to these protocols, then it is effectively not on the network.

Thus, connecting a computer to a network not only puts it into a very public space, but necessarily engages it in a very public, ongoing conversation with other computers.

Person to person

People who do not understand computer networks may not appreciate their very public nature. For example, they may imagine that a computer that uses a network is making a telephone call. However, a telephone call typically involves two parties, known or identified to each other, and carries a reasonable expectation of privacy.

Conference call

A better analogy would be that a computer that uses a network is joining a large, ongoing conference call. Thousands and thousands of other computers all around the world are also on the line. Parties incessantly join and leave the call; they talk or listen as they please. Most of these parties are unknown, and identification is unreliable. No one who understands computer networks has any expectation of privacy regarding this communication.

Public interests

The technology that underlies large public computer networks has been developed at academic and scientific institutions over the last two or three decades. This technology reflects the values of the institutions that developed it. It is designed to facilitate communication and the free exchange of information. Much of it has been released to the public domain, so that everyone may enjoy these benefits.

Many people use computer networks for just these purposes. They communicate with each other, they obtain information from other computers, or they make information on their own computer available so that others may access it. The technical capability and the legal right to use networks for these purposes are public interests.

Private interests

In recent years, businesses have begun to understand the benefits of computer networks. They too wish to enjoy these benefits. By connecting their computers to public networks, they can obtain valuable information from computers all around the world. Employees and computers at different locations can easily communicate with each other, or with vendors and customers who are also on the network. Some businesses create a corporate image for themselves on the network.

However, businesses are also concerned with computer security. If a computer contains confidential information, they must ensure that no one else can use the network to obtain that information. And, of course, they must ensure that no one can use the network to alter or tamper with their computers. The ability of a business to use networks for its own purposes is a private interest.

Network security

People who do not understand computer networks may imagine that unauthorized access to a computer involves something like breaking, entering or taking. This is false. No force or physical agent may be transmitted across a computer network. A computer network is strictly a communications channel: a means for computers to talk to each other.

A corollary to this is that the only way to obtain access to a computer by means of a network is to ask for it. When one computer wants information from another, it sends a request. The other computer then returns the requested information—or it doesn't.

The substantive problem in maintaining the security of a computer that is connected to a network is not preventing people from sending it requests. People are going to send requests to any computer that is connected to a network. Rather, it is ensuring that it only responds to the right requests, from the right computers.

This problem presents various technical difficulties; solving it requires a certain amount of care and skill. However, good, robust solutions, such as firewalls, are available today on the open market. Even better solutions, based on cryptographic techniques such as public-key encryption, digital signatures and zero-knowledge proofs, are known, although the market for these is not well-developed at present. These techniques can be used to make computers extremely secure—in any case, more secure than the buildings that house them or the people that attend them.

Network insecurity

Despite this, many computers that are connected to public networks are insecure. Some people simply don't understand the security implications of connecting a computer to a network. Others understand the issue, but are unwilling to bear the expense or inconvenience of taking appropriate security measures.

For example, some people use the Windows operating system to run their computers. Computer security was not one of the original design goals of Windows, and there are fundamental technical obstacles to making a Windows system secure. However, Windows offers many other benefits and conveniences, and many people use it despite its security flaws. Whenever someone connects a Windows system to a computer network, they are—whether they realize it or not—trading security for convenience.

Network policy

Regardless of the technical details, the simple fact remains that someone trying to gain access to a computer on a network can only ask. It is up to the other computer to grant that access or not, as it sees fit. On this analysis, it is at least reasonable to argue that responsibility for preventing unauthorized access to a computer lies with the owner of that computer.

This is generally the standard when people speak to each other. If my competitor asks me for proprietary information, it is up to me to refuse him. If I do give him the information he seeks, I have no recourse at law. More realistically, I might accidentally leave confidential information in a public place—say, on a park bench. Once I do this, the law no longer protects its confidentiality.

164.377 implicitly establishes a policy on computer access. This policy is diametrically opposite from the standard used in ordinary conversation. Under 164.377, responsibility for preventing unauthorized access to a computer lies entirely with the person attempting the access. This responsibility is absolute. Someone may put proprietary information on a computer, connect that computer to a global network, and configure the computer to provide that information to anyone—identified or not—who asks for it. 164.377 then provides criminal penalties for anyone who accesses that information without authorization.

For an example that ties together several of the problems with 164.377, imagine that I record some confidential information as the outgoing message on my telephone answering machine. I then give my telephone number to an associate and authorize him to call and listen to the message. Unfortunately, someone else looks up my number in the telephone book, calls my machine and hears the message.

My answering machine is a computer. I did not authorize anyone else to access it. I can press charges under 164.377.

Computers are not people; networks are not park benches. The law can distinguish between these things, and society may decide, as a matter of policy, to treat them differently. However, the policy established by 164.377 is fundamentally incompatible with the way computer networks are currently used, from both a technical and a social standpoint. I'll give two examples of this incompatibility.

Technical

In order to function on a network, a computer must conform to the protocols that govern communication on that network. These protocols typically require that the computer respond to certain requests.

For example, networks that use TCP/IP protocols have a facility called "ping". Ping is used to find out if a computer is connected to the network. One computer sends a ping request to a second. The second returns an acknowledgement. The first computer then knows that the second one is, indeed, present and functioning.

Ping is a simple facility, but there are other, more complex, parts of the protocol that also require responses. A computer that does not provide these responses is simply not going to function on the network. It may even cause other parts of the network to malfunction.

Under 164.377, sending a ping request to a computer is strictly illegal, unless it is authorized by the owner of the computer. There are various ways around this problem. It might be established that connecting a computer to a network implicitly authorizes others to send ping requests. Alternately, it could be established that a ping request is in some way insubstantial, and therefore not within the scope of 164.377. At present, however, none of this has been done, and 164.377 apparently outlaws normal use of TCP/IP protocols.
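
The ping exchange described above, together with the earlier point that a networked computer must respond only to the right requests from the right computers, as an added example that is not part of the original essay. It builds an ICMP echo request and the acknowledgement in memory, with no network traffic. The function names, the allow-list policy and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

ICMP_ECHO_REQUEST = 8  # RFC 792: the "ping" request
ICMP_ECHO_REPLY = 0    # RFC 792: the acknowledgement


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input for the sum only
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialize an ICMP echo message: type, code, checksum, id, sequence, data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse and validate an ICMP echo message; raise ValueError if malformed."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP message")
    # A valid message checksums to zero when the checksum field is included.
    if internet_checksum(packet) != 0:
        raise ValueError("bad checksum")
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def respond(packet: bytes, source: str, allowed_networks) -> Optional[bytes]:
    """The second computer's side of the exchange.

    Anyone can send the request; whether an acknowledgement goes back is
    decided here, by the receiving computer's own policy. `source` stands in
    for the address taken from the IP header (hypothetical parameter).
    """
    try:
        msg = parse_icmp(packet)
    except ValueError:
        return None  # malformed request: stay silent
    if msg["type"] != ICMP_ECHO_REQUEST or msg["code"] != 0:
        return None  # not a ping request
    addr = ipaddress.ip_address(source)
    if not any(addr in net for net in allowed_networks):
        return None  # request received, but policy is not to answer this sender
    # The reply echoes the identifier, sequence number and data unchanged.
    return build_icmp(ICMP_ECHO_REPLY, msg["id"], msg["seq"], msg["payload"])


def demo() -> dict:
    """Send one constructed request from two constructed source addresses."""
    policy = [ipaddress.ip_network("192.0.2.0/24")]  # constructed allow-list
    request = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"constructed-ping")
    results = {}
    for source in ("192.0.2.10", "198.51.100.7"):
        reply = respond(request, source, policy)
        results[source] = parse_icmp(reply) if reply is not None else None
    return results


if __name__ == "__main__":
    for source, outcome in demo().items():
        print(source, "->", outcome if outcome else "no answer")
```

The request is identical in both cases; only the receiving computer's configuration determines whether the sender learns that it is present.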

Social

One of the most important developments in computer networks in the last few years is the World Wide Web. The Web is a large and growing collection of computers that communicate by means of a particular protocol, called HyperText Transport Protocol (HTTP). Initially, the Web was viewed as a toy. Later, it was seen to be a useful tool. Currently, there is speculation that it could fundamentally change the way people design, build and use computer systems.

At the very core of the Web is something called a "link". A link allows a user to jump from one document to another. It works regardless of where the documents are. They could both be on the user's computer, or they could be on two different computers on opposite sides of the world. Links tie billions of documents on millions of computers all around the world into an integrated whole, and provide a way for users to move around that whole in a meaningful way.

In practice, what people tend to do on the Web is go exploring. One document links to a second, the second to a third, and so on. This ability to explore is one of the most powerful and useful features of the Web. When people explore, they take it for granted that anyone making information available on the Web intends for others to access it.

164.377 denies this. 164.377 holds that access to any computer for any reason is illegal unless it has been authorized. If users start looking at links and worrying about whether they are authorized to follow them, then the entire World Wide Web will disintegrate.

Who owns the street?

Computer networks are public spaces, and the public uses them as such. 164.377 now establishes a policy whereby any private person may use a public network for their own private purpose, and then imposes on the public the entire burden of not interfering with that private use. If we established a similar policy with respect to public streets, they would quickly become impassable. I believe that 164.377, if enforced, will likewise make public computer networks unusable.

Common practice & ethics

164.377 is at variance with common practice and ethics in the computer field.

Statute vs. ethics

Usually, the dictates of law are in general agreement with common practice and ethics in society. Most fundamentally, this is because the law is ultimately a codification of those practices and ethics. However, there are also practical considerations.

Few people look directly to statute to guide their everyday actions. The law is far too complex for that. Rather, most people are guided by a few simple principles: lying is wrong; stealing is wrong; hurting others is wrong. For many people, the values that they learned in childhood are more compelling than any statute.

At the same time, the government hasn't the resources to ensure that every person obeys every law. An orderly society relies heavily on the fact that most people, most of the time, are law-abiding.

Serious problems can arise when statute disagrees with common practice or values. This happened with Prohibition in the 1920s, and is currently the case with narcotics laws.

The hacker ethic

People outside the computer field sometimes have a distorted view of the profession. For example, Hollywood often portrays programmers as rogues, mad scientists or terrorists. In fact, most people who work with computers have a very strong ethical sense. This sense derives from several factors.

First, the computer field is relatively lucrative. People who work with computers are usually well-paid, and consider themselves to have a stake in the system. They are averse to things that could threaten their careers, such as illegal activity.

Along the same lines, programmers consider themselves to be professionals, and value their reputation accordingly. An employer may hire programmers of greater or lesser skill; however, very few will hire a programmer of less than the highest personal integrity.

Pragmatic concerns for their careers are important, but for most programmers, the matter is much deeper than that. Typically, people are attracted to computers because they understand their power and beauty. Working with computers gives them an opportunity to exploit that power, and to create something of significance.

Most programmers value computers, just as artists value works of art. Few artists would deface or destroy the work of another, even if they disliked it. Similarly, few programmers would corrupt or destroy a computer system—to do so is simply counter to the values that they hold.

At the same time, few programmers have any compunctions about accessing computer systems—even systems that they are clearly not supposed to access. An artist takes it for granted that a work of art is there to be appreciated: paintings to be looked at; music to be listened to. Similarly, a programmer takes it for granted that computer systems are there to be accessed, explored, examined or copied, limited only by his own technical capability to do so.

What's more, none of this runs counter to the naive values that people typically use to guide their actions. For example, most people know that it is wrong to damage or destroy the property of another; however, accessing a computer does not damage it. Most people know that theft is wrong; however, copying a file does not deprive the owner of the original, and is therefore not commonly viewed as theft.

Public education

As described above, most programmers have a strong ethical sense regarding computers. This sense might be summarized as "look, but don't touch." However, 164.377 now mandates, "don't touch, don't even look." There is therefore a very significant discrepancy between this statute and common practice in the computer field. Whenever statute disagrees with common practice, there are likely to be problems.

I am not suggesting here that programmers need not obey the law. Rather, I am suggesting that they are not, of their own accord, going to obey this law, because it is contrary to common practice in their field, and because it is contrary to their own deeply held values.

If the state of Oregon actually wants people to obey 164.377, it might consider undertaking a public education campaign. People need to know that this law has been passed, that it mandates a strict standard of behavior, and that they can be prosecuted for violating it.

Publicizing the case of Oregon v. Schwartz might be a good place to start. It is a compelling illustration that the law is real, that good intentions and personal integrity are not relevant, and that there can be some very subtle issues involved in establishing whether someone is properly authorized to access a computer.

Authorization documents

As a practical matter, the lesson that people should draw from Oregon v. Schwartz is that they need to obtain authorization before they access any computer system. This authorization should be specific, detailed and written.

It would be easy enough for an employer to grant authorization, say, to access a computer "as necessary to carry out assigned duties." However, blanket statements like this will not serve. Indeed, Randal Schwartz believed that he was carrying out his assigned duties when he did the things for which he was convicted. Similarly, authorization given orally cannot be relied upon. The chances and consequences of misunderstanding are simply too great.

Rather, employers should sign a document specifying exactly what computers an employee is authorized to access, what files they are authorized to read and write, what programs they are authorized to run, and so on. Employees will need to carefully safeguard this document: it may be all they have to rely on should their authorization ever be called into question.

From time to time, employers will doubtless need to amend these documents. They may find it convenient to do this orally; however, employees would be well advised not to act on any amendment until it has been given to them in writing.

All of this will impose a certain amount of overhead on businesses that operate computers in the state of Oregon. However, I can't see any other way to manage the problem.

Computer security

Presumably, 164.377 was intended to make computers more secure. However, it is unlikely to accomplish this, for two reasons. The first is that the state of Oregon can't generally enforce its laws upon the rest of the world. The second is that effective computer security must be engineered, not legislated.

The short arm of the law

164.377 is the law in the state of Oregon. However, computer networks are global. People all over the world can access computers that are inside Oregon. People all over the world can violate 164.377. However, the farther someone is from Oregon, the harder it is going to be for the state to identify, apprehend and prosecute them.

People in other states might be traced through telephone lines and then extradited to Oregon. The same thing can be done for people in other countries, but it is much more difficult.

A recent case involved people in Germany breaking into computers in California. These intruders were caught only because one computer operator spent many months working doggedly to find them. He had to monitor his computer systems incessantly. He had to secure warrants in several states and countries. He had to get several telephone companies to execute traces. Finally, he had to devise and lay his own traps to identify the intruders.

A similar campaign to find intruders based in, say, South America, could encounter insurmountable legal and technical obstacles. The People's Republic of China might not cooperate in an investigation of this sort. And intelligence agencies of foreign governments are not going to be much deterred by 164.377.

Legislated security

Effective computer security cannot be legislated, because, for the most part, law is reactive. First someone breaks the law, then the police arrest him. Law enforcement can deter some, but not all, crime.

When someone is looking at the remains of a corrupted disk drive, or reading their own trade secrets in the morning paper, it helps them little to know that the person responsible is now a criminal. People to whom computer security matters have to prevent others from compromising their computers in the first place.

Engineered security

As it happens, effective computer security can be engineered. Some techniques for doing this are described above, under Network Security. As a practical matter, the biggest obstacle to computer security is not lawless behavior on the network; it is the failure of computer operators to make use of existing security techniques.

Obstructed security

There could be a role for government in this matter. Many police departments will advise homeowners on ways to make their homes more secure. Similarly, the government could promote the development and use of secure network protocols.

In fact, the government has done just the opposite. It turns out that the federal government doesn't want people to have secure networks, because secure networks are difficult to wiretap. The government is particularly intent on preventing people from using strong encryption to protect network communications.

The federal government is doing everything in its power to obstruct and delay the use of strong encryption. It restricts the export of encryption software. It promotes the Clipper chip. It harasses Phil Zimmermann. And it certainly isn't promoting the development of secure networks.

On a personal note, I must say that I find all of this rather galling. It is as if the federal government forbade people to put locks on their doors, while the state promised to shoot trespassers on sight. The goal of good government should be secure homes, not dead trespassers.

If the state of Oregon wants to improve computer security, the most effective thing it could do might be to petition its congressional delegation to change federal policy on this matter.

Be careful what you wish for...

It is perhaps entertaining to imagine the difficulties that would ensue if everyone actually obeyed 164.377—at least with respect to Intel.

Internally, no employee would touch a computer until they had received authorization. As described above, this would have to be written, detailed and specific. Manufacturing, programming and accounting would halt. Even receptionists would stop answering calls—the telephone system is a computer.

Intel would have to draft documents authorizing employees to access its computers. This would take more or less time, depending on the complexity of the job. IC fabs could probably be back on-line within a few days. At the other extreme, negotiating the necessary authorization for a programmer could take weeks—months if corporate counsel needs to review the document.

Externally, no computer outside of Intel would communicate with any computer inside of Intel. Universities, businesses, network providers, individuals: all would sever their communication links with Intel.

Intel could draft documents authorizing access to their computers over public networks. However, others might decide that it wasn't worth the time, trouble or risk to understand and act on this authorization. They might simply decline to reestablish communication links with Intel computers.

Intel could suddenly find its computers very secure—and very useless.

Don't worry—be happy

In fact, none of this is going to happen. Businesses are not going to alert their employees to the implications of 164.377, because it would be disruptive. Employees are not going to notice the law, because people do not run their lives by reference to statute. Even within Intel, the case of Oregon v. Schwartz has attracted little attention. There are no reports of employees quitting in fear of prosecution, or even of employees refusing to access computers without written authorization.

Throughout the state of Oregon, people are accessing computers just as they always have, and 164.377 is being routinely ignored. The problem with this is that 164.377 thereby becomes an unenforced law. Unenforced laws are generally considered to be bad. They transfer power from the people to the government, and from the judiciary to the executive.

For example, police like the 55 MPH speed limit not because anybody actually obeys it, but precisely because no one does. When every car on the interstate is traveling at least 60 MPH, the police are free to stop anyone they choose, for any reason, without being bothered by niceties like "probable cause" or "reasonable suspicion".

Unenforced laws are also subject to abuse by corrupt or over-zealous prosecutors. They can be used to coerce witnesses into perjuring themselves. They can be used to secure a plea-bargain, when the evidence might not support a conviction. They can be used to bludgeon political opponents, or minorities.

As always, people who are politically powerful, or well liked, or simply minding their own business and not causing anyone trouble are going to get through the day without being accused of computer crime, even if they are technically guilty of such. Rather, it is people who are disliked, or involved in some sort of dispute, or who have embarrassed someone more powerful than themselves who are going to find themselves on the wrong end of 164.377. And as Randal Schwartz discovered, you can move from the first category to the second without even realizing it.


Notes

"convicted": State of Oregon v. Randal Schwartz, Washington County Circuit Court C94-0322CR

"activating his automatic garage door opener with my own hand-held remote control": This is no longer a hypothetical case. See DMCA vs. The Garage Door Opener

"free": The marginal cost to the user of bandwidth on the internet is typically zero.

"recent case": Clifford Stoll, "The Cuckoo's Egg", Doubleday, 1989

Steven W. McDougall / resume / swmcd@world.std.com / 1995 October