Defining “Authorized”

I read an interesting post on Ido Kanner’s blog about the Egilman civil case. Egilman sued an individual after that individual accessed his web site using credentials of another user.

Rather than bringing his case under Title 18, Section 1030 (which governs “unauthorized access to a protected computer system”), Egilman chose to file his case under the Digital Millennium Copyright Act (DMCA) as an anti-circumvention violation. Egilman’s claim was that using a password without permission from the site owner amounted to “circumvention of a technological measure that effectively controls access to a work protected under this title [DMCA].”

The judge reviewing the case, of course, threw it out, finding no indication that an intent to circumvent existed. Rather than circumventing the protection, the defendant was simply complying with it. Egilman’s decision to pursue the case in this manner is indeed puzzling until one looks at the statute involved.

Title 18, Section 1030, offers three potential points of prosecution that would’ve been relevant to Egilman. Any person who commits any of the following actions is guilty of a felony under Section 1030:

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

[...]

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

[...]

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

[...]

(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—
(A) such trafficking affects interstate or foreign commerce;

[...]

Given the federal court’s jurisdiction over this issue, Egilman could reasonably have convinced a judge that the defendant obtained information from a protected computer without authorization in violation of paragraph 2, or that the defendant obtained something of value without authorization in violation of paragraph 4. A less-straightforward, but still plausible case could’ve been made for illegal trafficking of a password in violation of paragraph 6.

Instead, Egilman chose to label the misuse of the password as circumvention of a protective measure, namely the site’s simple password authentication system, which shields copyrighted works from public access. Though the merits of password authentication are a debate for another day, the question I was asking at this point was: why in the world did Egilman choose to pursue the crime as a DMCA violation?

In this case, it appears Egilman chose this avenue of prosecution because the malicious user was actually authorized for the purposes of Section 1030.

For many sites, a mere username and password pairing authorizes you to access protected portions of a site’s content. Some blog hosts, for instance, require nothing more than a valid e-mail address to set up an account, after which a simple username and password suffices for access to that account. Many content providers include no mention (not even in their lengthy Terms of Use agreements, which nobody reads but me) that using an account you did not create is an unauthorized use of the services that site provides.

In such cases, unauthorized means of obtaining a password (exploitation of software flaws, brute-force cracking attempts, etc.) are obviously illegal under Section 1030. The murkier legal territory surrounds cases where an attacker possesses a valid (authorized) set of credentials via some other means, in spite of not being the authorized user. This could even include cases where the attacker was informed of the credentials by a user who had obtained them illegally. This is true because Section 1030 requires an attacker to “intentionally access a computer without authorization or exceed authorized access” or to “knowingly access a protected computer without authorization” before a crime has been committed. Computer crime laws in most other nations have similar standards of criminal conduct (i.e., the prosecuting plaintiff must prove intent).

In the case of someone who had illegally acquired a password revealing it to an attacker-to-be, the leaker would face conviction under paragraph six (language that is, again, modeled in most of the developed world), but the attacker who used the stolen password could conceivably argue ignorance by claiming that he/she had no idea the access was unauthorized.

Further, a defendant charged under paragraph six could make a compelling argument that because accessing an account created by another user is not unauthorized according to the TOU (provided the credentials are otherwise lawfully obtained — an exercise to the reader) a crime has not been committed.

As a security professional, I understand that access to be unauthorized, as do most in this field. However, the legal system doesn’t provide the grounds to prosecute an offender based solely on that assertion. That means a user who willingly reveals credentials may expose himself/herself to damage and you to lost hours, without leaving you any legal recourse. In a world where people still cough up the goods to random strangers in return for candy bars and coffee, that’s an unacceptably high risk.

But don’t panic… the legal system doesn’t force you to accept the costs of moronic users. It only offers you the opportunity to do so if you don’t cover all your bases. The solution to this potential legal pitfall (and the way to avoid being caught in Egilman’s situation) is to ensure that every user who could be asked to authenticate is aware that logging in with a set of credentials is an attestation by that user that they own both the credentials and the account those credentials correspond to. It won’t deter criminals, just make them easier to nab if they strike.

At the very least, Terms of Use agreements should be updated to include terms similar to the following:

You agree that you will not disclose your [insert site] account name or password to anyone under any circumstances. You agree to notify [insert site] as expeditiously as possible if you believe that your account details have been compromised. Willful disclosure of account information to a third party may result in the termination of your account at our discretion.

Use of [insert site] user identities not created by you for your personal use is not authorized by [insert site] and is a violation of these terms of use.

This absolves sites of the responsibility to deal with passwords that have been disclosed voluntarily (stolen passwords are another story) by defining that to be prohibited conduct in violation of the TOU. Further, a TOU agreement amended in this fashion also defines use of another user’s credentials to be a violation of the TOU, and specifically unauthorized.

Problem solved, right? Wrong.

Most providers only require a TOU to be read as a precondition of creating an account, with the assumption being that creating an account is a prerequisite to utilizing services. This perceived dependency, in reality, may not exist in a case such as this. Therefore, concern could arise as to whether the TOU is binding upon a person who logs in with another user’s credentials, as this person was never asked to read the TOU.

The solution to this problem? Require agreement to the TOU to log in. This can be in the form of a checkbox, text in the realm used for HTTP authentication, or say… a line or two of text between the input fields and the submit button on a login form:

Logging into this site indicates your agreement to use the services provided according to our terms of use. For more information, please read the agreement [link].
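A sketch of the server side of that login flow, added here as an example and not taken from any real site: it carries the notice in the HTTP Basic realm, refuses a login form whose agreement checkbox is unticked, and records which agreement version each successful login accepted. The form field names, the `TOU_VERSION` label, the sample account and the acceptance log are all assumptions made for the illustration.

```python
import hmac
from datetime import datetime, timezone

TOU_VERSION = "2024-01"  # assumed version label for the agreement text
NOTICE = ("Logging into this site indicates your agreement to use the "
          "services provided according to our terms of use.")

# Constructed sample account store; a real site would hold salted password hashes.
USERS = {"alice": "correct horse"}
ACCEPTANCE_LOG = []  # (UTC timestamp, username, TOU version)


def basic_auth_challenge(notice=NOTICE):
    """WWW-Authenticate value carrying the notice in the realm string."""
    # The realm is an HTTP quoted-string: drop CR/LF so the notice cannot
    # split the header, then escape backslash and double quote.
    text = notice.replace("\r", " ").replace("\n", " ")
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{text}"'


def handle_login(form):
    """Return (HTTP status, message) for a submitted login form (a dict)."""
    # Refuse before touching credentials if the agreement box was not ticked.
    # "on" is the value browsers send for a checkbox with no value attribute.
    if form.get("accept_tou") != "on":
        return 400, "You must agree to the terms of use to log in."
    user = form.get("username", "")
    supplied = form.get("password", "")
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(
            expected.encode(), supplied.encode()):
        return 401, "Invalid username or password."
    # Record who agreed to which version of the agreement, and when.
    stamp = datetime.now(timezone.utc).isoformat()
    ACCEPTANCE_LOG.append((stamp, user, TOU_VERSION))
    return 200, f"Welcome, {user}."
```

Because the agreement check runs on every login rather than only at account creation, whoever presents the credentials is the one shown the notice.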

Finally… problem solved. For today. Legal issues are boring, and I’m no superstar lawyer, but not addressing this one could lead to pain down the road… even for non-legal folk.
