Leadership Laboratory
- Leadership Lab: Information Technology and the Law
This series of essays explores the many aspects of technology law relating to computer and information security.
Can Cyber Criminals Consent to Being Watched and Foiled?
May 14th, 2007
By Benjamin Wright, J.D.
Computer crime laws protect our use of the Internet, but they also raise issues for security professionals trying to thwart cyber criminals. For example, the federal Wiretap Act generally forbids the interception of electronic communications, and the federal Computer Fraud and Abuse Act generally prohibits entry into Internet computers without authority. These laws can cause a reputable professional to pause before probing a botnet too intrusively. They can also cause a bank security officer to hesitate before harassing a phishing site, which is stealing bank customer user IDs and passwords. Were it not for the Computer Fraud and Abuse Act, the officer might be tempted to stuff the site with junk versions of those IDs and passwords.
From a security perspective, when something needs to be done about a botnet or a phishing site, the very laws that are supposed to fight cyber crime may on their face deter responsible defensive measures. Of course, instead of a professional taking steps on her own, she should consider calling law enforcement. But calling the police is not necessarily a satisfying option. The police do not always have the time, resources or jurisdiction to do something about every Internet criminal threat.[1]
Yet if we conclude that nothing can be done about many criminal botnets and phishing, then we don't understand the full story.
Consent to a Security Hack
Criminal law has long recognized that citizens are sometimes justified in taking limited measures against criminals. Concepts such as citizen's arrest, self-defense and abatement of a nuisance can serve as defenses to allegations that a citizen committed a crime when reacting to criminal activity. These concepts support reasonable actions by citizens, which are in proportion to the threat.
A related idea in criminal law is that of consent. If someone consents to you coming onto their property, then you are not committing the crime of trespass when you do enter the property. Consent was a relevant factor when a University of Wisconsin system administrator hacked into the personal computer of a student. According to a federal appeals court, the student consented to the hack.
The University of Wisconsin story happened like this: A university system administrator had good reason to believe that a certain personal computer, which was hooked to the university network, was a serious threat to a mail server on the network. So the administrator hacked into and gathered information about the PC. The information from the PC indicated that the student using it was engaged in illegal hacking activity around the Internet. This information led to the student's arrest and conviction. In US v. Heckenkamp
In other words, the court said the student made a bargain when he connected to the university's infrastructure. The bargain was that if the university allowed him to connect, then he allowed the university to execute security measures, even measures that compromised his usual rights under law. Thus the university could take steps against him that would normally be illegal, but they were not illegal here because the student had consented to them.
Reasonable Limits to Consent
The concept of consent is important in the security field, but it is also tricky. It would be unfair, for instance, if a criminal could avoid punishment by forcing her victim to "consent" to a beating before she delivered it. So the law places reasonable limits on the ability of people to consent to actions taken against them. These reasonable limits protect innocent people.
But, because the limits are based on reasonableness, they probably provide more protection to sympathetic people like consumers and less protection to people in less need of sympathy, such as corporations or aggressive cyber criminals.
Practical Implications
Given what we've just learned about consent and criminal law, how can we apply it to efforts to stop botnets and phishers?
We've learned that a student can consent to terms that render assertive security actions against him legal. So it would seem that similar terms could be consented to by the visitor to a Web site. The terms might say, "by using our site you consent to us investigating and foiling any illegal activities by you connected with our site." By posting terms like these, a Web administrator helps make the case that its security activities against visitors are within the law (although I've not yet found a judicial decision specifically confirming this interpretation of law).
Thus, it seems that a bank has incentive to post terms like these on its Web site: "If you access our site in connection with an effort to engage in phishing, then you consent to us surveilling, harassing and retaliating against your phishing activities." With terms like these, the bank is compiling evidence that it is within its rights to spy on phishers targeting it and to stuff their phishing sites with junk data. The bank is building the case that its justified security measures do not violate laws like the Wiretap Act and the Computer Fraud and Abuse Act.
We discuss these and related issues in greater depth in the course I author and teach, LEG425, Applying Law to Emerging Dangers.[3]
Benjamin Wright is an attorney based in Dallas, Texas, and instructor for a series of courses on IT security law, promoted by The SANS Institute. This article provides general education and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.
2. Kevin Poulsen, "Court Okays Counter-Hack of eBay Hacker's Computer," Threat Level, April 6, 2007, http://blog.wired.com/27bstroke6/2007/04/court_okays_cou.html
3. http://www.sans.org/training/description.php?tid=862