Villanueva, Haidee: Scope of Unauthorized Access

Introduction:

As technology grows by leaps and bounds, the laws have to be made more responsive to changing times. The lack of a legal framework, or insufficient laws in our country, to address problems of the validity of electronic transactions is a significant barrier to the growth of e-commerce. For decades there have been unresolved issues on the Internet: the lack of boundaries on information and the free-flowing, borderless nature of cyberspace have revolutionized communication and commerce. However, not all freedoms are absolute; freedom can never be unbridled, otherwise it will result in chaos. So what is unauthorized access on the Internet? When does access become unauthorized? Our legislature must establish policies and standards on access to and proper use of the Internet and computer resources.

Definitions

Addresses = Every device on the Internet has an address that allows other devices to locate and communicate with it. An Internet Protocol (IP) address is a unique number that identifies a device on the Internet.

Computer = “A machine that manipulates data according to a list of instructions.”

Domain = A group of Internet devices that are owned or operated by a specific individual, group, or organization. Devices within a domain have IP addresses within a certain range of numbers, and are usually administered according to the same set of rules and procedures.

Domain Name = Identifies a computer or group of computers on the Internet, and corresponds to one or more IP addresses within a particular range.

Unauthorized Access = The gaining of access to a computer, without or in excess of authority, to obtain information. Access can be achieved by simply stealing or guessing a user’s password, or a detailed program can be created to allow the intruder to gain access.

Internet = A global network of computers and other electronic devices that communicate with each other via standard telephone lines, high-speed telecommunications links, and wireless transmissions. Due to the structure of the Internet, connections between devices on the Internet often cross state and international borders, even when the devices communicating with each other are in the same state.

Hacking = The practice of modifying computer hardware and software to accomplish a goal outside of the creator’s original purpose.

Server = A centralized computer that provides services for other computers connected to it via a network.

Objective

To define what access to a computer is and when access to a computer becomes unauthorized.

Scope

unauthorized access may have taken place? In our present law, we are still looking for how to define what unauthorized access to a computer really means, and when it is legal and when it is not. In the United States, there are already cases that have made a distinction based on the manner or intent of the user of a computer.

State v. Allen

Allen had used his computer repeatedly to dial up a Southwestern Bell Telephone computer that controlled long-distance telephone switches and could be manipulated to allow a user to place free long-distance calls. When Allen dialed up the Bell computers, he was confronted with a prompt requiring him to enter a username and password. Investigators speculated that Allen had guessed a password correctly and later erased the proof of his activity by deleting the logs. However, the forensic evidence established only that Allen had repeatedly dialed up the Bell computers and viewed the password prompt. Allen was charged with accessing the Bell computer without authorization in violation of the Kansas computer crime statute. Before the Kansas Supreme Court, Allen argued that there was no evidence he had actually accessed the Bell computer. The government relied on the broad statutory definition of access, fairly common among early state computer crime statutes, which stated that access means “to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer.” The court responded that this definition was so broad that if taken seriously it would render the statute unconstitutionally vague. If “access” really meant “to approach,” the court noted, “any unauthorized physical proximity to a computer could constitute a crime.” In light of its overbreadth, the court refused to apply the definition, concluding that “the plain and ordinary meaning should apply rather than a tortured translation of the definition that is provided.” The court explained: “Webster’s defines ‘access’ as ‘freedom or ability to obtain or make use of.’ This is similar to the construction used by the trial court to find that no evidence showed that Allen had gained access to Southwestern Bell’s computers. Until Allen proceeded beyond the initial banner and entered appropriate passwords, he could not be said to have had the ability to make use of Southwestern Bell’s computers or obtain anything. Therefore, he cannot be said to have gained access to Southwestern Bell’s computer systems as gaining access is commonly understood.” This concept of “access” appears to adopt the virtual reality approach, in which the correct username and password grants a user access to the files “inside” the computer, but the wrong username and password denies the user that access. Absent evidence that Allen had passed through the password prompt to find the information inside, he had not actually accessed the Bell computer.

State v. Riley

Joseph Riley had configured his computer to dial up the computers of the Northwest Telco Corporation and guess random passwords; a correct password allowed the user to place free long-distance telephone calls. The evidence showed that Riley repeatedly had dialed the Telco access number and guessed passwords, although it was unclear whether he had guessed correctly and placed free calls. Riley argued on appeal that he had not accessed the Telco computers. The Washington statute contained a definition of “access” essentially identical to that in the Kansas statute from Allen. In Riley, however, the court relied on the statutory definition to conclude that Riley had in fact accessed the Telco computers: “Riley’s repeated attempts to discover access codes by sequentially entering random 6-digit numbers constitute ‘approach[ing]’ or ‘otherwise mak[ing] use of any resources of a computer.’ The switch is a computer. Long distance calls are processed through the switch. Riley was approaching the switch each time he entered the general access number, followed by a random 6-digit number representing a customer access code, and a destination number. Therefore, Riley’s conduct satisfied the statutory definition of ‘access’ and so was properly treated as computer trespass.”

United States v. Morris

Robert Tappan Morris was a graduate student at Cornell in the late 1980s who authored a computer program known as a “worm” which was designed to exploit several weaknesses in Internet security. Morris hoped that the code would spread across the then-nascent Internet to illustrate four common security flaws: a bug in common e-mail software, SENDMAIL; a bug in an Internet query function known as the “finger daemon”; a design flaw that allowed computers to use privileges on one computer to obtain privileges on another; and the use of simple, easy-to-guess passwords. Morris designed the code so that it would try various of these means of infecting its targets, and then once it succeeded it would try other computers. Morris released the worm from a computer at MIT on November 2, 1988, but the worm quickly spread out of control and replicated itself so often that it eventually shut down a good portion of the early Internet. Morris was charged with violating 18 U.S.C. §1030(a)(5)(A), which at the time prohibited “intentionally access[ing] a Federal interest computer without authorization” if damage resulted. A jury convicted Morris at trial. On appeal, Morris argued that his computer access was not without authorization because he had rights to access several of the infected computers, including computers at Cornell, Harvard, and Berkeley—schools where Morris apparently held legitimate accounts. Morris based his argument on a distinction between two closely related types of abuse of authorization: access “without authorization” and access that “exceeds authorized access.” Some unauthorized access statutes prohibit only access without authorization; others prohibit both access without authorization and access that exceeds authorization. The court rejected Morris’s argument. According to the court, Morris had accessed computers without authorization because he had used weaknesses in several programs to obtain access in unintended ways.
As the court put it, Morris did not use those programs “in any way related to their intended function.” The SENDMAIL program was an e-mail program, and the finger daemon was designed to let users query information about other users. However, Morris “did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.”

Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc.

Shurgard involved a civil dispute between two business competitors in the self-storage business. According to the complaint, the defendant lured away several of the plaintiff’s employees, including an employee named Eric Leland who had access to the plaintiff’s confidential business plan and other trade secrets. Before leaving the plaintiff’s company, Leland e-mailed several of the plaintiff’s trade secrets and other proprietary information to the defendant. The plaintiff later sued the defendant under 18 U.S.C. §1030(a)(2)(C), on the theory that Leland had “intentionally access[ed] [the plaintiff’s] computer without authorization,” or in excess of authorization, and thereby obtained information from the plaintiff’s computer in violation of the federal unauthorized access statute. The defendant then moved to dismiss under Federal Rule of Civil Procedure 12(b)(6), on the ground that Leland had not accessed the plaintiff’s computers without authorization or in excess of authorization. The district court disagreed. The court adopted the plaintiff’s theory of authorization, which was that “the authorization for its . . . employees ended when the employees began acting as agents for the defendant.” The court found its guidance in the Restatement (Second) of Agency: “Unless otherwise agreed, the authority of an agent terminates, if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.” Applying this standard, the court concluded that the defendant’s employees “lost their authorization and were ‘without authorization’ when they allegedly obtained and sent the proprietary information to the defendant via e-mail.” In support of its holding, the court turned to the CFAA’s legislative history, which the court argued showed a congressional design broadly to prohibit computer misuse, especially where intellectual property rights were at issue.

Fugarino v. State

Fugarino was a computer programmer whose behavior at work became increasingly bizarre. When Fugarino learned that another employee had been hired at the company, Fugarino became enraged, telling another employee that the company’s code was “his product, that no one else was going to work on his code, that nobody was going to take his place and that he was ‘going to take his code with him.’” Fugarino then started deleting sections of code from the employer’s network. When the employer confronted him, Fugarino told the employer that “the blood of his dead son” was in the code and that the owner “would never get to make any money from that code.” On appeal following his conviction, Fugarino argued that his conduct was not knowingly without authority. The Georgia court disagreed. Fugarino lacked authority because “[t]he owner of the company . . . did not give Fugarino authority or permission to delete portions of the company’s program.” Further, “the vindictive and retaliatory manner in which Fugarino deleted large amounts of computer code” demonstrated that he knew that he lacked authority to delete the code.

EF Cultural Travel BV v. Explorica, Inc.

Explorica involves another civil dispute between two business competitors—in this case, the well-established student travel business, EF, and an upstart competitor, Explorica. Explorica’s vice president, Philip Gormley, was a former vice president at EF who had signed a confidentiality agreement with EF promising not to disclose any of EF’s “technical, business, or financial information, the use or disclosure of which might reasonably be construed to be contrary to the interests of EF.” When Gormley arrived at Explorica, he decided that Explorica could compete with EF by undercutting EF’s prices available from its public website. Gormley instructed a computer consultant to design an automated “scraper” program that could query EF’s website for tour prices and then send the EF price list to Explorica. Each use of the scraper sent 30,000 queries to the EF computer. Explorica used the scraper twice, enough to allow it to learn and then undercut EF’s tour prices, all unbeknownst to EF. When EF learned of the scraper program, it sought a preliminary injunction against Explorica’s use of the scraper on the ground that (among other things) it violated the federal unauthorized access statute by accessing EF’s computers either without authorization or by exceeding authorized access. The district court agreed, reasoning that use of the scraper was so far beyond the “reasonable expectations” of EF that it was clearly unauthorized. On appeal, the First Circuit affirmed the district court’s injunction, concluding that the use of the scraper likely violated the statute because its use implicitly breached the confidentiality agreement that Gormley had signed with EF. The court reasoned that Gormley’s decision to use a scraper on EF’s site (as well as his help designing the scraper) relied on his insider’s knowledge of EF’s website and business practices.
However, Gormley had signed a contract with EF promising not to disclose any information about EF in a way that might be against EF’s interests. Because the scraper was used against EF’s interests, the court reasoned, Explorica’s use of the scraper relied on information obtained in violation of the contractual agreement. As a result, use of the scraper exceeded authorized access to EF’s computer and violated §1030. The opinion acknowledged that any user could manually query the EF website to learn EF’s prices, but concluded that the scraper’s “wholesale” approach “reeks of use—and, indeed, abuse—of proprietary information that goes beyond any authorized use of EF’s website.”

Love Bug Virus

Two young Filipino computer programming students, Reonel Ramones and Onel de Guzman, became the target of a criminal investigation by agents of our National Bureau of Investigation (NBI). The NBI received a complaint from Sky Internet, a local Internet service provider (ISP). The ISP claimed that it had received numerous calls from European computer users complaining that a computer virus denominated as the “ILOVEU” virus was sent to their computers through the said ISP. As events would later show, the “ILOVEU” virus was able to replicate itself to as many addresses as there were in the address menu of the computer to which it was originally sent. The computer user, enticed by the title “ILOVEU” and thinking it was a romantic e-mail message, would click on the message. He would then unknowingly unleash the same to other addresses found in his computer. By mathematical progression, the virus was able to contaminate not only Philippine computers; it jumped off to Asian users, and subsequently to the United States and Europe. Billions of dollars in Internet transactions were lost, and innumerable corporate, banking and financial files were erased. It is believed that military and defense files worldwide were likewise affected. This is not to mention the inconvenience suffered by millions of computer users as a result of clogged and heavy traffic on the Internet. After several days of surveillance and investigation of the ISPs that the virus used, the NBI was able to trace a frequently appearing telephone number, which turned out to be that of Mr. Ramones’ Manila apartment. His place was searched by the NBI, and Mr. Ramones was consequently arrested and placed on inquest investigation before our Department of Justice (DOJ). Mr. De Guzman was likewise arrested in Manila. At that point, the NBI was at a loss as to what felony or crime to charge the two with in court. There were some agents who theorized that they could be charged with violation of our Republic Act No. 8484, or the Access Device Regulation Act, a law designed mainly to penalize credit card fraud. The reason supposedly was that both used, if not stole, pre-paid Internet cards which enabled them to use several ISPs. Another school of thought within the NBI opined that Messrs. Ramones and de Guzman could be charged with malicious mischief, a felony involving damage to property under the Philippines’ Revised Penal Code, which was, it should be mentioned, enacted in 1932. The problem, however, with malicious mischief is that one of its elements, aside from damage to property, is intent to damage. In this case, Mr. De Guzman claimed during custodial investigation that he merely unwittingly released the virus.

To show his intent, the NBI investigated the AMA Computer College, the programming school in Manila where Mr. De Guzman dropped out in his senior year. There, it was found that not only was Mr. De Guzman quite familiar with computer viruses, he in fact proposed to create one. In his undergraduate thesis, he proposed the commercialization of a Trojan virus, one that innocently enters another computer but would later steal passwords, addresses, and files therefrom, much like the Trojan horse of Greek mythology. He contended that through the Trojan virus, the user would be able to save on, if not totally make do without, prepaid Internet usage cards, since passwords could be obtained by the virus. Needless to state, his thesis was rejected by school administrators for being “illegal.” Thus, he was forced to drop out.

Despite the worldwide media attention on the case, the DOJ first resolved to dismiss the charge against Mr. Ramones. The panel of DOJ prosecutors composed to determine probable cause against him saw that Mr. Ramones could not be indicted either for a violation of the Access Device Act or under the antiquated penal provisions on malicious mischief. It should be noted that in the Philippines, being a civil law jurisdiction, the legal doctrine “nullum crimen, nulla poena sine lege” is strictly adhered to. There is no crime where there is no law punishing it. It was resolved that our Access Device Regulation Act punishes the trafficking, control, custody or possession of credit card-making or altering equipment, without being in the business thereof. Since a prepaid Internet usage card is not an “access device” within the purview of the law, the law cannot be given a broader scope so as to include computer hacking or uploading a computer virus. As to the charge of malicious mischief, the charge was likewise dismissed because only one local ISP was impleaded as a private complainant. The DOJ found that there was no tangible evidence that Mr. Ramones specifically intended to damage or injure that ISP’s facilities. Mr. Ramones was thus released from custody. It is rumored that he is now employed with a British computer software firm. A few weeks later, Mr. De Guzman was likewise released on the same grounds.

Conclusion:

Based on our reading of these cases and of our own Love Bug virus case, we should define unauthorized access as any use of a computer in excess of what one has been told or allowed to do, and access to a computer should be understood as any successful interaction with the computer. Even if one is granted lawful access to a part of a computer, or to other parts of the network, using it for a purpose other than the one intended is already unauthorized access. Another example: if an employee uses a corporate computer during office hours in a way that is beyond the scope of the express or implied consent of the owner of the computer, that use should be treated as unauthorized access. The same goes for a person who, while using the Internet, is asked whether or not he agrees to the terms of an agreement, accepts, and then violates those terms; this must also be treated as a case of unauthorized access.

A person who uses a computer without the consent of the owner is to be considered as having illegal access to a computer. In other words, he knowingly and willfully uses a computer without the consent of the person who is authorized to give consent. If these are made clear in our law and implemented strictly, a lot of crimes may be prevented. An example of this is the recent case of Dr. Hayden Kho: the person who uploaded those videos must be answerable for unauthorized access because he committed something that he was not supposed to do. When a person illegally obtains information, or has access to such information but uses it for an illegal purpose or in a way that he was not allowed, this is clearly an indication of a violation, and he must be held answerable. Just imagine sensitive and personal information about bank depositors, and someone who has access to that information using it for illegal transactions. Illegal access to a computer and unauthorized access are tools for copyright violators. Statutes must be drafted so that any computer misuse would amount to unauthorized access.
Currently our law is not specific on many things about the misuse of computers. It remains to be seen whether our measures to prevent and redress computer crimes will prove to be successful; what is obvious is that we need a more definite statute to address the problems of unauthorized access and to cope with the enormous number of computer crimes that we encounter. Our ultimate goal is to achieve an appropriate balance in the law, providing strong and effective rights, but within reasonable limits and with fair exceptions.

