« "Much excitement and feverish activity, but little concert of thoughtful purpose" | Main | Captain Euro And the Boggling Mind »

Ignorance is Bliss, and Apparently Not Criminal

Finally, the Senate Report on the 'hacking' of Judiciary files by Republicans has been announced. The technically illiterate, such as the Washington Post, or those willing to jump to conclusions like Calpundit are amazed at what they seem to describe as dramatic new revelations. Of course, if you've been reading here over the past few weeks, you know the score.

Except there is a dramatic revelation: the stupidity of Senator Leahy's flunky is even worse than I might ever have guessed. Now, knowing how careful I am to avoid unnecessary offense, some of you might be surprised at the strong words. I use them only because I'm furious.

This entire scandal is only happening because some untrained newbie was assigned to the Committee, and made the most basic mistake: he didn't secure the home drives of new committee members. That Senator Leahy can show his head in public is amazing: this is a staffing error of the most magnificent incompetence. Whatever should happen to the Republicans involved, some Democratic heads should roll on this one, starting with a Chief of Staff. [1]

The details are in the cut below. I probably don't have time to do this kind of analysis, but I think it's important that someone who's been there speaks out on this one.

What the Report Said Happened
The report gives a very clear idea of what happened. Calpundit has leaped to a number of bizarre conclusions, such as that, "whatever method Lundell used couldn't have been all that obvious if he had to watch a computer tech in order to figure it out." But this is ridiculous. I wouldn't stumble on this flaw, not because I don't know how to do it, but because on any system on which I've been involved, no mistake this dumb has ever been made.

Let's give a step-by-step, idiot's guide to how the files were 'hacked,' that you can play along with at home if you're on a network and running Windows XP. (If you're a CLS student on Columbia's netware network, this may indeed work a treat. Your mileage may vary, though--if you're not on a client-server network, you are running a different operating system, or your system administrator didn't get his training from a CrackerJack box and he's limited your access, none of this may work.)

1. Double click on My Network Neighborhood on your desktop.
2. Click on the 'View Workgroup Computers' link on the left. (Your mileage may vary from here.)
3. You should now see a selection that allows you to do all sorts of things. I'm on a competently-run network right now, so my access is limited, but you should be able to see a network directory, your connections to other computers, and a certain number of share directories. You can map these to network drives, if you'd like. This is perfectly acceptable, 'good practice,' and something a 'power user' ought to be permitted to do.
4. Now, if you're on a corporate network, you might run across a directory somewhere that says USER, or something like that. After hitting these folders, you should start getting all sorts of interesting errors. "You do not have access to this folder," for instance. You might even see what looks like folders assigned to specific users, but not be able to enter them. Unless you're on a server run by Senator Leahy, in which case, go to town.

(This process, incidentally, is almost certainly what the user saw over the SysAdmin's shoulder. It's not basic computer use, but it doesn't take rocket science, either. Many of my users knew how to do this back in the Senate, mostly because they didn't know how to use their network drives. The only reason I'd not have stumbled across this is that it's too damn easy: unless you were conducting a security audit, no one who knows about this would even bother to try it. Unless your SysAdmin's a monkey.

My guess is that what happened was this: The SA comes over to fix Mr. User's computer. The User watches with interest, because, well, he's got not much better to do. The user understands how Network Neighborhood works. At some point, SA wants to get some files off his machine, or some other directory, and although he's still logged on as Mr. User, he clicks directly into his home directory. "Hmmm?" says Mr. User, who figures something's not right. "That shouldn't happen. If I can get into the SysAdmin's folder, who else has vulnerable folders?" It's not that the process is complex, as Calpundit implies: you'd just assume that no hole that blatant was there until you saw someone do it.)

A Brief Digression on Incompetence
The SAA report linked to above is 'redacted,' which means that every actor is mentioned as 'Mr. ________.' Trying to figure an accurate chronology from a document in which all the actors are the same is difficult, but piecing it together, the salient bit is this:

Our investigation revealed that some user home directories were set to 'open' permissions and other home directories were set to 'strict' permission. This appears to be a result of the Judiciary Committee Network having two System Administrators during the time frame in question. One System Administrator had very strict account policies in place and the other did not. An analysis of the creation date and permissions of various user accounts was performed and supports this. (Attached at 'M' is a chart H: Drive Permissions Analysis Including Start/Creation Dates).
User accounts created prior to August 2001 were generally created with 'strict' permissions; those established after that date were 'open.' Of the 126 users whose folders were available for forensic analysis, there were only nine exceptions to this general pattern. Four of these exceptions were Nominations Unit staff whose files Mr. _____ admitted protecting.

This is a bit misleading. One system administrator didn't have an 'open' policy. The report strongly suggests he simply didn't know what he was doing. I've worked on more networks than most people my age, and I've never met one with unsecured user home drives. Securing a user's home directory is one of the basics of Senate systems training, and anyone who's been to the course will have nicely printed step-by-step instructions. Of course, Senator Leahy didn't require this:

Like some other Senate offices, the Judiciary Committee has historically been staffed with Systems Administrators who preferred to perform most computer-related tasks themselves. This has been true even if they had only minimal technical experience before becoming the Committee's System Administrator. There is no minimum level of proficiency required to obtain a System Administrator position, and there was a considerable variance in the proficiency levels of the Committee's different system administrators. Notably, the records of the Senate Joint Office of Education and Training reflect that Mr. _____ only attended two technical training classes during his tenure, neither relating to the NT Administration.

The SAA is correct in this respect, but fails to mention exactly how ridiculous this is. Most staffs have highly technically-competent SysAdmins, or at least they did in my day. I don't recall meeting anyone who would have thought this was a reasonable security setup. These are home directories that were unsecured. And Leahy obviously didn't require whoever he hired to attend even a simple five-day course.
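The check a SysAdmin doing the security audit mentioned above would run is simple: walk the home-directory tree and flag any folder whose ACL grants read access to a broad group. The following script is an added example, not code from the original post or from the SAA report. It assumes the home directories live under a single root (the `-HomeRoot` default is a placeholder), that each folder is named after its user, and that a "strict" folder means SYSTEM, Administrators and the owning user only; the `-Fix` switch applies that layout to the folders it flags. Sorting the findings by creation date reproduces the before/after-a-given-date view the report's chart takes.

```powershell
<#
Added example (not part of the original post or the SAA report).
Audits a tree of user home directories for ACLs that let broad groups read
them, and optionally resets flagged folders to a strict owner-only layout.
Assumptions: -HomeRoot is the directory holding the home folders, and each
folder's name is the account name of the user who owns it.
#>
param(
    [string]$HomeRoot = 'D:\Users',        # assumed location of the home folders
    [string]$Domain   = $env:USERDOMAIN,   # domain the user accounts belong to
    [switch]$Fix                           # rewrite the ACL of every flagged folder
)

# Principals that should never hold read rights on someone's personal home folder.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$Domain\Domain Users"
)

# Returns the name of the first broad principal allowed to read the folder, or $null.
function Test-HomeFolderExposed {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $isBroad    = $BroadPrincipals -contains $ace.IdentityReference.Value
        $readBit    = [System.Security.AccessControl.FileSystemRights]::ReadData
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (($ace.FileSystemRights -band $readBit) -ne 0)
        if ($isBroad -and $grantsRead) { return $ace.IdentityReference.Value }
    }
    return $null
}

# Replaces the folder's ACL with: SYSTEM, Administrators and the owner, full control,
# inherited by everything beneath it. Inheritance from the parent is cut first so
# that an 'open' ACE on the root cannot flow back in.
function Set-StrictHomeAcl {
    param([string]$Path, [string]$User)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect, and drop inherited ACEs
    Set-Acl -Path $Path -AclObject $acl
    $acl = Get-Acl -Path $Path                    # re-read: only explicit ACEs remain
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($who in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$Domain\$User")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, $full, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$findings = @()
foreach ($dir in Get-ChildItem -Path $HomeRoot -Directory) {
    $exposedTo = Test-HomeFolderExposed -Path $dir.FullName
    if ($exposedTo) {
        $findings += [pscustomobject]@{
            Folder     = $dir.FullName
            ReadableBy = $exposedTo
            Created    = $dir.CreationTime
        }
        if ($Fix) { Set-StrictHomeAcl -Path $dir.FullName -User $dir.Name }
    }
}

# Creation date alongside each finding shows whether 'open' folders cluster in time,
# which is how the report tied the problem to one administrator's tenure.
$findings | Sort-Object Created | Format-Table -AutoSize
```

Run it first without `-Fix` from an administrative session and review the list; the read check deliberately keys on the ReadData bit alone, so a Full Control or Modify grant to a broad group is caught as well as a plain Read grant.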

I'm being scathing of Senator Leahy particularly because there's no excuse for this, and it's endemic of a problem I experienced while I was at the Senate. Despite the Sergeant At Arms providing amazing training courses, the time which Senators will give their (often underpaid) staffers to attend them is often miserly. In this case, it cost the Senator dearly, because this is the kind of security problem that should never happen. Words do not exist to express my disdain for a man who puts an almost completely untrained college graduate in charge of a server on a highly partisan network.

Why Does This Matter
OK, so Leahy doesn't train his people, and the staffer involved was not even minimally competent. Why does this excuse the Republican staffers involved? The answer lies in the way that computer security operates.

Throughout this scandal, there's been a lot of debate, both here and elsewhere, about the appropriate metaphor which can be used to relate this to the technologically inexperienced. Simply put, I've abandoned this approach, because I'm not sure such a metaphor exists. Is it 'keys left on the table' or 'wallet lying in the Capitol rotunda?' Such questions are futile. A computer system is metaphorically similar to 'space' in a way, but because a server is configured, it's also similar to a 'servant.' We can dance around the issue like this all day long, but the only thing it will prove is that no comparative given by a Sysadmin to a non-administrator will be absolutely relevant.

The basic idea of a client-server network is that the user, through a client computer, makes requests of the server. The server, which is administered by a systems administrator, then checks whether the user has been authorized. If she has, the computer serves up the information, be it a listing of directory contents, a file, or a piece of system data. When you log on, you identify yourself, and the network should then be able to tell what you have access to see, and what you don't.

This means that the SA's role is key. He's the agent to whom the owner or operator of the network (in this case, Leahy) gives the responsibility of assigning permission. He's the man who grants access, and if access is improperly granted, it's on his head, not the user's.

There's good reason for giving him the responsibility: an SA's responsibility should be the protection of his users. He's supposed to be more skillful, more competent, and more aware of his network than anyone wandering about it, so that his users don't have to worry about unauthorized access. Indeed, by definition no access of a user who is properly authenticated can be unauthorized: whatever authorization he has derives from the permissions assigned to him by the SA. Only if he 'hacks' the system, i.e. exceeds the permission given to him by the SA, can his access be unauthorized. Simply put, Miranda didn't steal any files because Senator Leahy gave them to him.

Why make this distinction? It protects users who aren't skillful against trouble. The last time I posted about this, I gave a concrete example, which I'll repeat here:
Click this link.

Congratulations. You're now seeing a directory listing Three Years of Hell's images, which I've left completely unsecured. You can take a peek in any of the directories to see some of my artwork, the pictures I occasionally post here, and whatever else. However, you could always have seen that directory without me explicitly linking to it. If you've got even a layman's knowledge of HTML, right clicking on my homepage and looking at the code would have shown you that directory. Now, suppose I had some private information in there--my grades from last term, for instance, which I'd uploaded so that an employer could check them--and you opened it up.

Do you think you would have done something criminal? Immoral? Why? Sure, right-clicking on my page and reading my source code is a bit more involved than most users bother with, but it's not rocket science, and anyone who's set up a blog would know how. Because I 'obviously didn't mean to provide it?' But I'm a trained and experienced professional--indeed, my training is exactly what a Senate user should expect it to be--and I can be expected to secure that which I think should be secret. It's a viable assumption that I simply didn't care.

The fact that the onus is on me to secure my files may encourage those with ill-will to go snooping. But it also protects people from liability for what they think is perfectly innocent. The model is that you're permitted to see whatever the owner has instructed the server to serve. In this case, Leahy delegated the task very, very badly, but that doesn't change the basic assumptions that lie underneath network security from day one.

But certainly this is all ungentlemanly, isn't it?
Some of you are saying, "Well, that's all very technical, Tony, isn't it, but this is just wrong. Whoever did this knew they were acting unethically, whatever the view from the SysAdmin's office?"

I'm sure they knew it was naughty, but that doesn't mean unethical. Indeed, it's one of those cases where the more you know about the activity, the further from unethical it looks. To the New York Times, this is 'hacking' and thus obviously theft. To a Democratic systems administrator, it's an ethical lapse on the part of the Democrats. As he points out, if Leahy were the head of several types of companies, he might be facing criminal charges right now.

But don't take my word for it. Take Senator Kennedy's.

Late last year, one of his aides opened her mailbox to find an email from a staffer in Senator Hatch's office. Attached to this email was a memo that was clearly misdirected. Nonetheless, she sent it on to several colleagues. Senator Kennedy's talking points on this matter include the line: "There was no impropriety, as the information sent to [Olati Johnson] was not confidential or privileged information." Kennedy had no problem with an aide handing on a document that clearly didn't belong to her when it had been misappropriated through the fault of a user. But when it was misdirected through the fault of an administrator, a standard which should be higher, he's talking of the next Watergate.

Simply put, Kennedy wouldn't have any problem with "impropriety" if it hadn't been Democrats caught with their pants around their ankles. And despite the fact that even Democratic security specialists think this is pathetic, there's not a sign that Leahy or Kennedy have any appreciation of the egg on their face.

Once more I'll say that I'm not really happy with how the Republican staffers handled themselves. In a certain sense, this is ungentlemanly, and whatever I think of Kennedy's standards, a gentleman's should be higher. But this shouldn't be criminal. Making it 'unethical' exposes actually ignorant users to the risk of breaking the law without knowing they've done it. And frankly, it didn't require several thousand dollars and months of the Sergeant at Arms' time to figure out what any SysAdmin could have told you months ago: if you put someone untrained in charge of the castle gates, don't be surprised when the drawbridge is down.

[1] I've probably just made certain that I never get hired in the Senate again, since insulting Chiefs of Staff isn't a great career option. But in this case, whoever was responsible deserves it.


Listed below are links to weblogs that reference Ignorance is Bliss, and Apparently Not Criminal:

» An interesting follow-on to the "hacking" assertions in the Senate from Opinion8 - More than one man's opinion
If this topic (first discussed in the earlier posting on March 5) is of any interest to you at all, you might also see the article at "Three Years of [Read More]

» Open Access from King of Fools
There is an excellent analysis of Memogate over at Everything I Know is Wrong. It would appear that the claims that the system was hacked are not correct; at least without grossly distorting the definition of hacking. There is an... [Read More]

» Open Access from King of Fools
There is an excellent analysis of Memogate over at Everything I Know is Wrong. It would appear that the claims that of Republican hacking is far from correct; at least without grossly distorting the definition of hacking. Aside from his... [Read More]

What's even more interesting is that Democrat staffers have apparently been leaking Republican memos to the press as well: http://www.krempasky.com/blog/archives/001496.html
Tony! Dammit, man! _That_doesn't_follow_. I suppose Democratic heads should have rolled if the Watergate office had been left unlocked? The caveat that it's surely "ungentlemanly" (we must speak about your choice of that gentlemanliness as your summum bonum, by the way) doesn't excuse this latest dramatic oversight of the critical issue. Still faithful,
Tony the Pony: First, please see above the bit about the inapplicability of metaphors. Should heads have rolled if a security officer at the Watergate office had given the keys (and legitimate, authorized access passes) to those who broke in, for some reason unbeknownst to common sense? Should the person who hired this man be next on the block if it's shown that he hired someone unqualified, and that it resulted in the keys being given away? And should the person at the top of this particular chain of command, who signed off on the hiring, be ashamed of himself for presiding over such pathetic organization? The answer to all of these is quite clearly yes. Secondly, while the SAA's report was obviously written to avoid Democratic embarrassment (a flagrant security flaw is called an "open security policy"), it's not at all clear that a law was violated here, which differs pretty strongly from the Watergate hotel. I'll get into the statutory construction later (it should revolve around the word 'entitled,' not 'authorized,' since the staffer was definitely authorized), but the case is simply not that clear at all. Heck, after my moot court brief's done, I might use my newly-developed skills to actually cite the relevant cases... As I said, the use of metaphor to discuss this particular scenario is counterproductive. Those who conducted the Watergate break-in were not legitimate users of the Democratic office. (Closer to 'hackers,' to use your stretched metaphor.) No one gave them authorization for anything, nor authenticated that access. And the office wasn't shared between two differing partisan sides. I think from now on, I'll stick to my non-metaphorical explanation. Anyone who decides to post a metaphor, I'll simply show where it deviates from a client-server network. There's been far too much confusion created by people stretching their metaphors to a breaking point.
TtP: Incidentally, at my last employer, leaving the doors or windows unlocked if you were the last person out of the door at night was grounds for dismissal. We had several thousand dollars worth of computer equipment. So I'm not even sure if your rhetorical question stands. Certainly my old boss would have answered, "Yes."
Tony, No doubt that masters prefer their servants to keep their bailments secure from thieves &c. But the consequences when those servants fail is generally a private matter, whereas the dispute between the owner and the thief is definitely of public significance. If you'll excuse one more metaphor, imagine a trial against a ... let's say, horse thief who had stolen an animal left unsecured by the owner's agent. If in his defense the horse thief interjected, "Surely we ought to be looking at how negligent the agent was in this case; he took not even the basic steps to protect that which was entrusted to him!" ... That would be pretty quickly ruled out of order, agreed? Look, I'm sure that the internal staff relations will change in response to this. If Senator Leahy wants to fire his computer hack, well, that's up to him. If he wants to fire his CoS, he's out of his mind. But since he evidently doesn't, outside commentators opining on the compelling evidence that he's wrong for the decision he's made are playing a fun little game called "The Real Scandal Is..." [This game generates fun positions of the following form: "Notwithstanding that (insert matter embarrassing to the speaker of some significance), the _real_ scandal is (specious non-sequitur and/or trivial matter embarrassing to the speaker's opponents)."] I stand by my metaphor, by the way. If Bill Safire had rejoined to my contrapositive Watergate example that it was really the Democrats' fault for failing to lock the door and who could blame a couple of intruders if the door's unlocked?, he'd be rightly accused of hackery. As for your conclusion---"Miranda didn't steal any files because Senator Leahy gave them to him"---no! no! no! That doesn't follow at all! Quite obviously, the legal answer to whether or not some is entitled to view certain documents cannot turn on whether it's possible for that person to do so. Have you ever seen a crim law question resolved that way? 
It should be obvious, but a person having access to files they weren't intended to see has significance _only_ as a method for determining the possible criminality of that person's intent in the event that he does see them. Maybe he mistakenly thought he was in fact entitled to see them, in which case he's off the hook. Or maybe he knew very well what he was doing. Whether he had easy access to the files certainly can be very good evidence of his intent, and in some cases very well may make it impossible to prove intent beyond a reasonable doubt. In such a case, easy access would be dispositive, but _only_ as an evidentiary matter. It does not operate as a complete defense in itself. [Indeed you seem to concede as much, since "it's not at all clear that a law was violated here" I presume means that neither is it clear that _no_ law was violated?] Think of all your crim law cases, especially those concerning intent, mistake of fact, perceived excuse & other such mushy concepts. Context almost always plays a very big part in them, no? You or I or any other law student could imagine a situation where a paper was left on a desk in plain sight, and yet clearly was not intended to be shared and any peeping would be wrongful. Likewise you can imagine a case where someone could hack an easy system, and yet be unaware that he was viewing materials he hasn't a right to view. It is essential to keep in mind what question you're supposed to be asking. "The model is that you're permitted to see whatever the owner has instructed the server to serve." If that is indeed the legal rule in this case, I'll... well, I'll recant. But I'll be pretty surprised to see that, too.
Onward: Your citation to a "Democratic systems administrator" (it's not entirely clear from your phrasing that it's an SA who happens to be a Democrat, not another Democratic committee staff's SA or the like), when followed up, actually makes it pretty unlikely that anyone who did this would be facing criminal charges but for his employment by the US Senate. The examples given in the NR piece are completely specious---the first legally "requires" security only in preservation of a claim against potential snoopers, and the others all apparently involve a fiduciary duty to third parties (e.g., a health insurance company that negligently leaks the private medical records of all its clients). Finally: I've answered the Kennedy counter by noting the supremacy of context, see supra, but I would register some confusion. Is it your position that nothing computer-y can be analogized to things non-computer-y, but that all things computer-y are always perfect metaphors for each other? Sorry to go on so long; it's distracted me from the rest of your site, which I tend to enjoy very very much. But---I say again---you are thoroughly mistaken in premises, argument, and conclusion here. (No more than that, though.) Sincerely, TtP
TtP: To handle these one at a time: Quite obviously, the legal answer to whether or not some is entitled to view certain documents cannot turn on whether it's possible for that person to do so. You are ignoring the positive nature of the action of the sysadmin, however. Whether it is possible to do so is certainly not relevant. Whether he is explicitly permitted to do so--whether he's been granted access-- certainly is. Again, your vision is obscured by your metaphors. And of course, your metaphors haven't changed. You're still positing that there were 'intruders' here. However, the definition of an 'intruder' on a computer system is far different from that of a horse thief, Watergate break-in, or indeed any metaphor you're bothering to mention. Your metaphors lack any analog to (a) logging onto a system; or (b) having user permissions actively set by a third party who is an agent of the system. Sorry, but it's you whose premises are faulty here--or would you care to argue on the technical merits of the case instead of a faulty metaphor? I presume means that neither is it clear that _no_ law was violated. Of course not. First, the statute quoted by the SAA defines 'unauthorized access' in a more expansive way than technical computer terminology would warrant: "to use such access to obtain or alter information in the computer that the access-er is not entitled so to obtain or alter." So the question is whether someone with access to a document is normally considered to be 'entitled' to it. Most sysadmins would say yes, but I'll need to look at the case law. On the other hand, unless you find me caselaw which goes the other way, this isn't as open and shut as you claim. Furthermore, there's no interpretation of 'entitled to' which will land Miranda in hot water but won't do the same to Kennedy's staffer. After all, she will have used her authorized access to her computer system to forward a mail to which she knew full well she wasn't entitled. 
The fact that such action might be criminalized is one good reason not to read the statute that way. Likewise you can imagine a case where someone could hack an easy system, and yet be unaware that he was viewing materials he hasn't a right to view. No. Pretty much by definition, you can't hack a system without viewing items you're not authorized to view. I suppose you might mention such extreme cases as the 'authorized' hackers in movies like Sneakers or real-life individuals performing security testing, but in general anyone who is hacking a system like that has explicit permission to break the authorizations. If you can imagine it, please give me details, but I can't think of an 'easy hack.' I'm wagering your definition of 'hacking' is faulty, though. If that is indeed the legal rule in this case, I'll... well, I'll recant. But I'll be pretty surprised to see that, too. I'm writing my moot court brief. You've got as much LEXIS access as I do: cite me a river if you think it'll come out differently. But as a former Sysadmin, I hope that's the rule that courts adopt, because any other is going to have some pretty bizarre outcomes. Either the legal rules will have to change, or the paradigm on which computer security is built will have to. Is it your position that nothing computer-y can be analogized to things non-computer-y, but that all things computer-y are always perfect metaphors for each other? No, because there's no metaphor here at all. Someone used their access to a computer system to receive their email, which had information that they (arguably) were not entitled to. They distributed that information to others who were not entitled to it. The situations aren't metaphorically similar. They're literally comparable: individual A gives individual B access to information they shouldn't have, even though B is logged on properly. B hands that information to C. Everything revolves around the interpretation of 'entitled to.' 
None of your metaphors have had anything similar to that structure. (Indeed, the 'horse thief' metaphor, if I break my own rules here, might be similar to: A ('thief') goes to B ('stablehand/agent'), and inquires about a horse. "May I have this horse?" says A. "Yes," says B. "You're welcome to him. He belongs to you now." C later claims theft, even though B is his agent authorized to transfer title to horses at his discretion.) Again, you're being blinded by your need to see metaphor here. Look at the facts and the structure of the actual system.
Ah but the real point is not whether heads roll or not. Its not going to collapse the political process if a few staffers get the boot. What we want to know is whether the good men of high moral and ethical standards you elect to decided that on finding 4500? documents lying around they should return them unread - or mention the problem to someone. It is inconceivable that a conversation on the following lines didn't take place 1. "Woha, where did we get this document" 2. "There's an unsecured network drive, we sucked down everything they've got" 1. "Cool" Of course we'd like to think that among the ethical elite we choose to be governed by we'd have got 1. "Woha, where did we get this document" 2. "There's an unsecured network drive, we sucked down everything they've got" 1. "Well that's just plain wrong. Delete the stuff you copied and tell the Senator to give his security guy a rollocking. We do things above the board in this office" I don't see why it should read like satire to assume our politicians are honest, or indeed to suggest that they should be expected to be honest. The folks in question read things they knew were private, and that's wrong.
The folks in question read things they knew were private, and that's wrong. Discuss.
In which case, let's talk about those 'good men of high ethical standards.' We've already established that Kennedy wouldn't have had any problem with such behavior--unless he's fired his own staffer--and would quite willingly take partisan advantage of it. Now, if we take a look at the contents of those memos--what TtP and company would like not to do--we find most of them by varying degrees insulting, unethical, or immoral. The problem with "that's wrong," Martin, is that if you wish to establish that ethical standard for the Judiciary Committee, we may as well dissolve it. The question isn't whether staffers met some amorphous ethical standard--I've admitted that it's not gentlemanly--but whether any rules were broken. And that's not so clear. Which brings us to the problem I've got with Leahy's staffer. If he'd done his bloody job right, we'd not be having this conversation, because there'd be no question that rules were broken. But I've not been able to find a single case under 18 U.S.C. § 1030(a)(5) in which someone's been prosecuted for 'unauthorized access' where they've not done some actual hacking or, in a big stretch, violated some other explicit term of use. Tony the Pony up there spouts 'criminal,' but I've not seen a case nor statute out of him yet. The reason the incompetence of Leahy's staffer is important is that there's no doubt this would be criminal if he'd not given staffers of both parties permission to see each other's home directories. But as it is, the case is simply not made.
Tony, You think this is about my misuse of metaphor. It's not. It's about your inability to see the law of computers as a legal question, instead of as a computer question. Which is understandable from a computer person. But still lamentable from a law student. But first let me commend you. You do a very nice job of moving the goal posts. Very nice, verrry nicely done indeed. You want to talk about my metaphors? I don't. You want to bring the inquiry back to Leahy's staff and their incompetence? Nope. You want to argue about whether all elements of a criminal charge have been made out here? Have the conversation with someone else. The question I've tried to answer, and the only one I'm interested in, is this: "Why does this [the faulty security of the Democratic servers] excuse the Republican staffers involved?" Your answer, "Miranda didn't steal any files because Senator Leahy gave them to him," is ridiculous on its face, because Leahy quite obviously did nothing like "give" these files to Miranda. I haven't my OED, but Webster's will do: "give (vt): 1a: to confer the ownership of without receiving a return : make a present of; b: to assign the future ownership of _by will_" (emphasis added). In fact it seems rather difficult to conceive of the word "give" as something not done intentionally. And you cannot argue that it was the intent of Sen. Leahy to allow this access. Nor, indeed, that he took any affirmative step towards such an end. So I have to come up with my own answer, which has been that it doesn't "excuse" the Republicans at all. Their wrongfulness or criminality depends on all the elements of traditional legal analysis; there's no "excuse" element that can obviate that inquiry. Nor have I ever argued that the four corners of any charge are made out here---hence my point about the question still being open. 
Again, you'd like to shift things a little, so that if it's not an "open and shut" case then you win, but that's, sadly, not the conversation we were having. And no, I cheerfully concede not using "hack" in any technically correct sense. You know computers. I don't, and I don't particularly want to. _What's more_, it's not necessary for me to know anything about them to answer this question, because---as you've no doubt discovered this far along in law school---the law adopts the common practice of a regulated field only by grace, not as a matter of right. Sometimes it's enough that steamships don't happen to see a need themselves for radios; sometimes it's not. See The TJ Hooper. Your fondest wish for a legal rule that matches the computer paradigm is, sadly, a matter of faith, rather than good legal prediction. Furthermore, it's not at all clear than any bizarre outcomes would result from the legal regime imposing its own order on the relations of servers. I'm having a hard time thinking of any unanswerable question or unattractive dilemma that will result. By all means, suggest one---you're certainly better versed in computers than I am. And as for the Kennedy matter---"there's no interpretation of 'entitled to' which will land Miranda in hot water but won't do the same to Kennedy's staffer"? Really? Let's try... oh, "Someone is entitled to the use of the thing when she owns it, or knows or has reason to believe that the true owner has willingly consented to her use of it." That seems basic enough to me. And, although I'm sure you'll switch horses immediately and deny this, it kind of exculpates Kennedy's staffer. If someone emails me something, that doesn't seem like an affirmative sign that I'm entitled to it? The DNC and RNC intercept each other's blast faxes all the time and use them in press releases whenever possible---can the legal rule really be that semipublished material can yet not be entitled use of the recipient, absent special circumstances? 
I'll leave the significant computer sign to you, but the easy legal difference is the affirmative action of the owner in sending the material, as opposed to the negative absence of security measures. The law, especially the criminal law, places a lot of weight on the distinction between the affirmative doing of a thing and the negative not-doing of another. Lastly, my use of "intruder" was pretty unambiguously in reference to the Watergate burglars. Accuse me of metaphor all you want, but when I'm comparing Watergate to Watergate, it's technically a tautology. Further, I don't think I was "spouting criminal" in any sense.
TtP: For all that my effort is 'lamentable in a law student,' you've certainly not put forward an alternative standard, cited any case law where a court has determined as you have (and there is a body of law out there), or shown where a court has ever considered legal terminology regarding 'access' to differ from the technical. The more I've looked into it (there should be a detailed post tomorrow) the more confident I am of my statements. As for yours: "Miranda didn't steal any files because Senator Leahy gave them to him," is ridiculous on its face, because Leahy quite obviously did nothing like "give" these files to Miranda. Uncontested facts: (a) Leahy hired his Sysadmin. I've never met a Sysadmin yet who isn't authorized by his employer to grant access to files on a server. Maybe you know differently. I'd consider this a 'positive step' on the part of Leahy. (b) The SysAdmin gave Miranda (or rather, the Republican staffer, a different individual) access to those directories. (c) The staffer downloaded a file from a server. When he did so, the server checked for access permissions given to the staffer. Since the SysAdmin had provided him with authorization, the server--under complete control of the SysAdmin--gave the file to the staffer. It's this 'request/authorization/access' model that lets one get to "Leahy gave him the documents." Admittedly, it's at some remove, but Leahy hired his agent; his agent set the server with specific (albeit default) instructions; the server, pursuant to those instructions, gave the document to the staffer. (This, incidentally, is why your definition of 'hacking' is important. Hacking is getting in the way of those intentional assignments. It's going beyond what's given.) Now, if you think that the legal world interprets this any differently, please tell me. 
However, the closest I've been able to come to any court considering 'unauthorized access' to include one who has legitimately logged into a computer terminal is United States v. Morris, 928 F.2d 504. Technically, there's a host of distinguishing features here, but it might actually get close to what you're talking about. Not enough to be convincing, but close. Further, some of the analysis is bad, and I can't find where that analysis (i.e. use of a finger daemon was 'unauthorized') was followed anywhere. So if you think that it's a bad job of legal prediction, please show me why. So far you've said that it's contrary to your intuitive assumptions, but haven't shown where either (a) a court has interpreted computer law differently from how I'd expect it to do; or (b) given some principle under which I should expect it to. There's been a lot of rhetorical questions, and for someone who doesn't want to debate metaphors, you've made lots of them. Please, show me where a court will act this way. As for perverse consequences: take the text of 18 U.S.C.S. 1030(a)(2). So assume the link in the article above (to an unsecured image directory) were actually on the Department of Energy's homepage. You intentionally access the directory as an anti-nuke activist who wants to parody their site, so you download all the files in that directory. However, unbeknownst to you or anyone, you also download a file that the webmaster put up there, a file full of top-secret information. If you interpret 'exceeds authorized access' to mean anything except the technical definition--what access you've been given by the server owner--your anti-nuke activist just committed a crime. By placing on the user a requirement to know the 'rules' of any particular folder absent any explicit statement to what they are, a court would risk criminalizing a fair few web-surfers completely unaware that what they're doing is wrong. 
(Indeed, since quite a few web-owners wouldn't mind this kind of 'intrusion,' it would put a burden on a WebAdmin to explicitly state what was and was not accessible, beyond simply assigning permissions.) Finally, as for the Kennedy staffer: no, I'll be consistent and say that neither she nor Miranda ought to be in trouble. Nonetheless, your attempt to distinguish fails. It's even clearer in a missent email (only sent to Republican staffers, not a 'blast fax' or semipublic at all) to the recipient of the email that they're not entitled to it, than to someone on a network with what even the Sergeant at Arms calls an 'open security policy' (as opposed to the error it is). Kennedy makes no suggestion--nor does anyone--that the staffer believed the email was meant for her. An obviously misdirected email doesn't give any greater sign of 'intention' than an obviously incorrect permission setting. It beggars belief that a Kennedy staffer is going to think that she alone, out of a bundle of Republicans, was meant to be sent a strategy email. (And this assumes the real recipient isn't explicitly listed on the text of the memo, which is unlikely.) Whatever the merits of that interpretation, no one is arguing that this fits the facts of Kennedy's staffer. No, I'll be consistent and say that someone who explicitly allows access to information unintentionally should bear the cost of that mistake, if they're operating a shared or open network. Kennedy's gal is in the clear. I agree that the only difference you can make if you rule otherwise would be very fuzzy line-drawing on the basis of the intention of the granter of access as to what's really hidden, and the knowledge of the recipient regarding the extent to which their access was really 'authorized.' But that's not at issue with the Kennedy staffer, who absolutely no one pretends thought the email was hers by willing consent of Delrahim (the sender).
Well no. In cases like this I don't think it is about the rules because as your tortured arguing shows the rules weren't envisaged as covering this situation and to anyone who isn't trapped in law school or earning their money by enforcing and interpreting rules (lawyers) clearly don't. Quite why they can't say 'sorry guv, we were caught with our hands in the till it's a fair cop' and resign from whatever committees they sit on is beyond me.
Of course ignorance isn't criminal; if it was most of the United States would be one big prison camp....
I think this conversation has passed me by but I need to make one comment about Tony the Pony's contribution. Tony ought to recuse himself from any discussion about Kennedy staffers or computers. This is because he is too close to one subject and too distant from the other.
IANAL, but I've been in computer security and systems administration for lo these many years, and Anthony is right. The sysadmin who left those shares open is a disgrace to the profession, and would have been summarily drummed out of S.A.G.E. (the System Administrators Guild) for such errant behaviour. Of course any S.A.G.E. member would never have done what they did if they'd even taken a GLANCE at any of the membership publications on best practices. Oh, and as both the GOP and Donkey members of the committee were using the same organization's server and network, there was almost certainly no criminal act in their accessing those documents. And as there were political and not monetary damages, it's even doubtful the good Senator could bring a tort for insufficient care against the incompetent admin., if he felt like actually punishing someone really badly. Pure unprofessionalism of the worst sort by the admin in question, whoever they are.
Tony, Once again you do an admirable job of missing the issue. I'll clarify: It's the meaning of "give" that's important in your statement, not the chain of command between Leahy and his staff. Yet it's the very thing you presume in your answer. And by affirmative step, I mean something more than any but-for cause necessary to the chain of causation. As your model stands currently, Senator Leahy putting his pants on in the morning would qualify as a 'positive step.' What I mean, by contrast, is some affirmative step made by the true owner or his agent that would provide good reason to the recipient that she is permitted to use &c. &c. (Sorry---Willy Wonka was on last night.) And it's not the height of formalism to insist upon this; although the 1L class doesn't emphasize it very well, the difference between action and inaction, active and passive, &c. &c. (sorry), is analytically quite critical to the criminal law. I'm not terribly interested in providing a separate standard, as that was never the question I wanted to answer. I'll wait while you scroll upwards to one of the times I repeated what that question was---no, what the hey, I'll say it again: I'm only interested in your claim that the Leahy staff's negligent grant of _access_ was the equivalent of granting _authorization_. That amounts to an argument of legal defense, excuse, or justification, and it's patent nonsense. Okay, I'm not particularly good at Lexis, but here's one: 274 F.3d 577 is in a completely different posture, but interprets "exceeds authorized use" pretty clearly to sweep in actions like those here. Oh, hell! I'll use the statutory definition, which includes for unauthorized-use: accessing "a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." Now, tell me: If authorization were coextensive with access, how could one use his access to obtain stuff to which he _wasn't_ entitled? 
Recall the principle of statutory interpretation that we generally try not to construe statutes to make them redundant and/or ridiculous. As for your anti-nuclear activist's accident: The absence of mens rea, I believe, has been conceded? Then no, no she hasn't committed a crime. But let's presume a different fact pattern: Do you really want to immunize her for all knowing or even intentional misuse she might do with nuclear secrets simply for the reason that the website was left open? Really? I mean, really? Nuclear secrets? Can that _really_ be the rule, Tony? Does open access completely make someone a rights-bearing giftee? Feh. It's late enough, for both of us, I suppose. (And whatchutalkin'bout, Joel?)
Tony the Pony: The admin in question did not take 'reasonable care in securing the system in accord with best industry practices'. If they had suffered monetary damages their insurance company (were they a commercial entity) would have laughed at them when they tried to make a claim on their liability policy. I'm not guessing here, as I've been involved with numerous similar cases as both a corporate admin (for a hosting company and a medium-ish ISP), and as a security and network infrastructure consultant. You also must put up annoying notices like the following on all sign in screens, or you might even be liable for spying on intruders without notice (in actual hostile penetration attempts, which this was not. It was what's known in the industry as 'doorknob twisting'). Here's a suitably nasty sign-on disclaimer that will let you READ YOUR OWN LOGS without running afoul of the law yourself if you need to catch a baddie: "This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials." Even with such notice, you also have to have clearly defined written policy stating what constitutes 'authorized levels of authority', such as 'no reading of other parties' Committee Documents', else you have no metric for what exceeds it.
TtP: First, Joel, be nice. I don't need another comment going down in flamewar. Indeed, I'm glad David mentioned what he did. You see, the Explorica case you cite, TtP, is actually an example of what David's talking about. If you look through the case, you'll see that in order to prove that use 'exceeded authorized access,' the plaintiff couldn't rely simply on security measures. Instead, there had to be some other agreement which precluded the access, over and above computer security: "EF is likely to prove such excessive access based on the confidentiality agreement between Gormley and EF." (at 582) And footnote 16 of the same opinion shows that the ruling isn't reaching to the idea of dispelling 'open access.' I was actually looking at Explorica a couple of days ago--it's actually not as persuasive as U.S. v. Morris. As for your question regarding the definition of "exceeding authorized use," there are two ways in which someone would not be entitled to information even though they had access. The first would be the situation in Explorica: the information's there, and one has access to it, but there's a pre-existing agreement that you're not going to use it. (In that case, a broad confidentiality agreement.) The second might include downloading a MSWord file that (for what it's worth) has a password on it, or indeed any encrypted file. (Actually, a third would include accessing a computer legitimately, but then altering one's legitimate level of access.)
I don't think "be nice" is in Joel's vocabulary, but I've only known him for three years. He might surprise me yet.
What is this "nice" concept? Sounds like a pinkie commie plot to me!
Okay, I give up. If you look closely, you'll find that Mr. Mercer's actually a better witness for my case. He and you are still approaching this question as computer people. Stop it! Be legal people! (Patronizing refresher from first semester---first, is the "expressly agrees" contract valid? Second, would tort law value such a disclaimer of liability?) As far as Explorica, I cannae remember if I copped to this or not, but my research was entirely slipshod and shouldn't be trusted. But in Explorica, while the contractual agreement was the method by which the court established the duty, I saw no language to the effect that it was _necessary_ to establish such a duty. And it hasn't been the case that privity was essential for the creation of legal rights for quite some time. Indeed it seemed quite clear to me from the court's interpretation that they were unconcerned with the foundation of the legal relationship, and were more interested in showing that having some authorization to pursue information from a computer source does not give you unlimited authorization to pursue all information from it. Again, my research was entirely slipshod. The question, Tony, which you have not answered, remains: How does the open access of the Senate Democrats' files establish a legal defense for any Republican staffers who looked at them? In your shorthand, how did Leahy "give" the files to Miranda? You can tell me: 1) how irresponsible the Democrat systems administrator was; 2) whether Senator Leahy needs to fire someone for this sort of management; 3) whether your previous boss would have fired you for the same; 4) whether I'm misusing metaphors. I don't care. I don't care about any such response. It's not relevant to the question, which, in case it's slipped your mind once again, is: How does Senator Leahy hiring a sysadmin who negligently left access open to Republican staffers amount to an affirmative defense?
Ahem... TtP... As I have said time and time again, it doesn't amount to an affirmative defense. Before one can invoke an affirmative defense to a crime, there must be a crime to which the defendant may be properly accused. As you've said, you can't prove the 'four corners' of an indictment, and my contention is that because Leahy's agent provided his staffers with adequate permission to access these files, there is no crime to which all elements may be proven. An 'affirmative defense' then becomes... well, just a bit irrelevant. You keep asking the question, because it's a very good question for you. In order to get to an affirmative defense, I must simply assume that the prosecution's case has been made. Further, without some idea of what one would be providing an affirmative defense to (e.g. digital 'trespass' as in the allegation in Hamidi; violation of the CFAA?), it becomes a very difficult and open-ended question indeed.
If you must assume it, you must assume it arguendo only. And if you'll kindly point where you disclaimed intending it as a defense, I'd be grateful. I don't see it, and I've searched for "defense," "excuse," "justif-," "exculp-" & the like. Not exhaustive, to be sure. So if I'm missing something... Of course, what really concerns me is this passage: "Why does this excuse the Republican staffers involved? The answer lies in the way that computer security operates. . . . if access is improperly granted, it's on his head, not the users. . . . Simply put, Miranda didn't steal any files because Senator Leahy gave them to him." Which sounds like ... well, an affirmative claim of nonculpability. Which we sometimes call a "defense." (Sorry, I just realized that I was using the term-of-art "affirmative defense" sloppily.) A defense to what? Well, it seems pretty obvious on its face what you're talking about---namely, it looks like you're either disputing the actus element ("taking" information/data or something similar), or the wrongfulness element ("without permission"/"without authorization"/"without entitlement" etc.). Was that not your intent? If not, it seems like I've been woefully confused. Let me caution on one thing: I can't prove Miranda's guilt, but I'm in no position to prove anything. My quibble, from the very beginning, is that your conclusion (that Miranda couldn't have done anything unlawful) _did not follow_ from your minor premise (that Leahy's SA had left his files "open access"). My affirmative claim is that access is neither identical nor dispositive of _entitlement_. Please, tell me where I've gone wrong.
Tony, if there is no written policy for the institution stating who is authorized to access which resources, the permissions as they actually exist are all there is to go on. I'm not a lawyer, and don't have access to Lexis, so I can't give you citations, but that is indeed the legal reality. Without a written access policy, the physical file perms are all that there is to guide a random user as to what they are allowed to see.
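The sysadmin's failure that the whole thread turns on, and the point David Mercer makes twice above (the shares were left open; absent a written policy, the permissions as set are all a user has to go on), comes down to one auditable fact: whether each home directory is readable only by its owner. The script below is an added example, not code from the post or any of the commenters; it models the Committee server as a Unix-style tree of per-user homes (assumed layout: ROOT/<user>), reports the homes whose mode lets the shared group or anyone else read them, and applies the fix that should have been in place from day one. It assumes GNU find for -mindepth/-maxdepth and a POSIX shell; the three sample homes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: not code from the original post or its commenters.
# Audits a directory of per-user home directories (assumed layout ROOT/<user>)
# for the mistake the thread describes: homes that every other account on the
# server can read. Requires GNU find (-mindepth/-maxdepth) and POSIX sh.

# audit_open_homes ROOT
#   Print each immediate subdirectory of ROOT whose mode grants read access to
#   group or other, i.e. a home that other local accounts can list.
audit_open_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -g=r -o -perm -o=r \) | sort
}

# count_open_homes ROOT
#   Number of homes reported by audit_open_homes (prints 0 when all are private;
#   grep -c exits non-zero on zero matches, hence the || true).
count_open_homes() {
    audit_open_homes "$1" | grep -c . || true
}

# lock_down_homes ROOT
#   Remediation: strip group/other access from every home under ROOT so only
#   the owner (and an administrator) can read it.
lock_down_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -exec chmod go-rwx {} +
}

# Constructed demonstration data: three homes, two of them mistakenly open.
demo() {
    demo_root=$(mktemp -d)
    mkdir "$demo_root/alice" "$demo_root/bob" "$demo_root/carol"
    chmod 700 "$demo_root/alice"   # private: the correct default
    chmod 755 "$demo_root/bob"     # readable by everyone: the thread's scenario
    chmod 750 "$demo_root/carol"   # readable by the shared group: still open
    echo "open homes before fix: $(count_open_homes "$demo_root")"
    audit_open_homes "$demo_root"
    lock_down_homes "$demo_root"
    echo "open homes after fix: $(count_open_homes "$demo_root")"
    rm -rf "$demo_root"
}

demo
```

Run it against a real home tree with `audit_open_homes /home` before anyone other than the administrator has an account; a non-empty report is the configuration the Sergeant at Arms called an 'open security policy', and `lock_down_homes` is the one-line correction. On a Windows file server the equivalent check is the share and NTFS ACL on each home folder, not the Unix mode bits, but the principle is the same: the effective permissions are the only authorization statement the system makes on its own.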