Computer Security and the Law on Today's Internet

by Timothy J. Walton


picture
I. Computer Invasion

II. Basis for Suit

    A. Negligence
    B.Trespass
IV.What They've Got On You

V. What You Can Call Your Own

VI. Is There Any Privacy Left?


This information accurate Fall, 1997 only.

Just as there are laws against tapping your neighbor's phone or rifling through his office file drawer, there are laws intended to prohibit computer invasion. A federal law provides for a fine with or without imprisonment. This doesn't stop hackers from attacking though. No one can say for sure how many computers are accessed by unauthorized outsiders, mainly because administrators whose networks have been compromised are hesitant to admit it.

If criminal penalties aren't enough to deter renegades from breaking into systems, the victims can sue for civil damages. There are a number of grounds for a civil suit. One is negligence.

It might seem odd to claim that intentional conduct like intruding into a computer system could be called negligence, but if damages result, there may be a case. Even though many hackers are motivated by the thrill of breaking into a "secure" system and are not interested in causing damage, damage may still occur.

When an intruder dials into a system and gains access by defeating its security, his actions may be labeled as simple trespass. Trespass can also apply to improper use of systems meant for free access, such as public Bulletin Boards or Web servers. It is trespass if a user acts beyond the intended function of the system, such as uploading files or changing data. In some well-publicized cases, hackers changed the Web pages of US government agencies and British political parties. While their actions may have looked like harmless "pranks," taxpayer dollars were spent to analyze the break-in, create security measures for future protection, and secure other areas from attack.

Businesses are also hurt by electronic intruders. The clean-up and heightened security costs are absorbed by the consumer. Some theorize that a number of these break-ins go beyond the work of random thrill-seeking hackers; and they believe that paid computer jockeys are conducting industrial espionage. Today's business competitors, local and overseas, are taking advantage of the ex-Legion of Doom members now old enough to want a Lexus.

What They've Got on You


Unless your home computer is set up to accept incoming calls, it is probably safe from intrusion. But a determined hacker can attack in other ways. There are an increasing number of computers amassing huge databases of information. These databases' content range from lifelong medical histories for insurance companies to employee earnings. Credit card company computers log the spending habits of millions of consumers. These institutions try to keep security tight because they know that they are prime targets. But they are not necessarily the first to know when they have a security problem.

The spread of information on the Internet can be unpredictable as well as uncontrollable. Tsutomu Shimomura, a computer security expert, wrote about the problem of sharing computer weaknesses in his 1996 book, Takedown. Frustrated with CERN's desultory movements toward notification regarding the methods of a skilled and malicious hacker he wrote: "It was likely that within a month the details of the break-in would be widespread in the computer underground anyway, making copycat attacks inevitable. The only people who wouldn't know about it would be those responsible for actually protecting the security of the computers on the Internet."

Some groups take a "learn-as-you-go" attitude toward security, so individuals must be circumspect. Until just this year, the Social Security Administration was providing semi-private information to anybody that could type nine numbers.

Is there recourse if somebody accesses your private information on a computer other than your own? Generally before you can sue someone you have to be able to show damages. But the real challenge in such a case is amassing the evidence to prove wrongdoing. And since the perpetrator is most likely broke, the effort may ultimately be fruitless.

What You Can Call Your Own


Privacy on the Internet is a quirky issue. Many people mistakenly believe that what they write in email is private. This is not true and it is absolutely false when it comes to email on a computer owned by your employer. Employees can have no expectation of privacy, even if the email is written over a lunch break or outside work hours.

Even if you are writing from a private account, your Internet Service Provider (or online community such as CompuServe or AOL) can read any of your email and may even be making backup copies as a matter of course. All it takes is the consent of the System Administrator for the FBI or other law enforcement to gain access to all the email you have ever written. All of this can be done without your permission or even your knowledge.

Is There Any Privacy Left?


Does the law protect the individual on the Internet? It sometimes doesn't seem so. This is partly because people don't have the money to fight protracted legal battles or lobby for protective legislation. Also, computer-related privacy issues are cloudy and untested, and both citizens and courts are reluctant to swim the murky waters.

Many Americans take their civil rights for granted and assume they are protected. But the average law-enforcement agent is far behind the computer-awareness curve, and the judicial system is equally lagging.

The Internet is often referred to as a "New Frontier" and likened to the rowdy days of the Old West. As hackneyed as the metaphor has become, it is apt. Imposing order through the application of law is still a new concept. As yet, the new marshal has not stridden into town, and because of the nature of the community, he is unlikely to appear in any recognizable garb. The strongest force to appear on the Internet to date has been the community voice. This means that everyone, from the America Online surfer to the Government Security Administrator, is the collective town marshal. Internet voices can be used to uphold a public standard which values privacy. But this can only be true as long as everyone is realistic enough to recognize that, as on city streets, privacy is not absolute.

Timothy J. Walton is a civil litigator in California who has been exploring issues associated with computer law for several years. A Web page of his devoted to Internet privacy law was featured in Internet World Magazine's "Best of 1996" issue.


Disclaimer

© 1997 Timothy J. Walton
All Rights Reserved