Date: 22 Dec 92 15:31:52 EST
From: Ken Citarella <70700.3504@COMPUSERVE.COM>
Subject: 4--Balancing Computer Crime Statutes and Freedom

        An Illustration of How Computer Crime Statutes Try To
        Balance Competing Interests of Security and Freedom
              -- and Come Up With Interesting Answers

                copyright 1992, Kenneth C. Citarella
                (CompuServe; 70700,3504)

        Computers deserve protection.  If we did not all agree on that
state legislatures and the Congress would not have passed computer
crime statutes.  Exactly how much protection to afford them, however,
is the crux of the problem.  Sometimes resolving that gets confused
with a desire to avoid criminalizing inquisitive and youthful computer
intruders.

        The New York State computer crime statutes illustrate this
confusion.  The basic computer crime in New York is Unauthorized Use
of a Computer, a misdemeanor.  A person commits this crime when he
uses, or causes to be used, a computer without authorization, and the
computer is programmed to prevent unauthorized use.  Thus, the
unauthorized use of any computer in New York which does not have
user-id/password security or some equivalent is arguably lawful under
this statute.  Moreover, under the definition of "uses a computer
without authorization", the unauthorized user must be notified orally,
in writing, or by the computer itself that unauthorized users are not
welcome.

        There are, therefore, two threshold protections that a system
owner must install to have his computer come under the protection of
the New York unauthorized use statute.  First, there must be
protective programming; second, there must a warning to the
prospective intruder.  These obligations do not seem excessive
regarding misuse by an employee or other user with limited access to
the computer in question.  It is difficult to include with everyone's
employment materials a written warning regarding unauthorized use of
the computer, and it is certainly common enough to issue user-ids and
passwords.

        Consider, however, the remote unauthorized user.  If a
business has a computer with an unlisted modem number, has issued
user-ids and passwords to its authorized users, has dial back modems,
and has encrypted log-in procedures,  its computer may still not be
protected by the unauthorized use statute.  Should an intruder locate
the modem number by random demon dialling, guess at a password and
encryption code, and enter the system to install and operate a pirate
bulletin board, it may not be a criminal act.  As long as the intruder
does not access government records, medical records, or corporate
secrets, alter any file or program, or download anything from the
system, there may not be a crime.  As long as the system did not
display a warning that unauthorized users were not welcome, the crime
of unauthorized use cannot occur.  Thus, the legislature has elevated
the display of a few words almost certain to deter no one to far
greater legal importance than actual technical protective steps, all
in the name of not criminalizing our inquisitive youths.  Yet, if
technical security procedures cannot convince them not to intrude upon
a system, what importance can be attached to the displayed warning?
Aren't unlisted phones, passwords, and other standard security
procedures sufficient warning in and of themselves?  Or, is form
really more important than substance?

        It is curious to note that the legislature seized upon notice
as the prerequisite for computer crime law protection.  It is a crime
to enter and drive away with a car without permission, even if the car
door is open, the key in the ignition, and the engine running.  It is
a crime to enter a premises without permission, even if the door is
open, the lights on, and dinner on the table.  In either scenario,
notice is implicit in the intruder's knowledge that he does not belong
there.  The prosecutor must prove the absence of permission at trial,
just as he rightly should in a computer crime case.  But under current
legislation, egregious computer intrusions must go unprosecuted if,
despite extensive technical protection, three little words --
"Authorized Users Only" -- do not appear to warn an intruder not to
enter where he already knows he does not belong.

        If computers are ever to become as integrated into our lives
as cars and homes should they not be afforded the same protection
under the criminal law?

((The author is a Deputy Bureau Chief of the Frauds Bureau in the
District Attorney's Office, Westchester County, New York.  The
opinions expressed herein are purely personal and do not necessarily
reflect the opinions or policies of the District Attorney's Office.))

Downloaded From P-80 International Information Systems 304-744-2253