The collision of law and technology | 144 comments
Comments belong to whoever posts them. Please notify us of inappropriate comments.
The collision of law and technology
Authored by: jbb on Tuesday, January 29 2013 @ 12:39 AM EST
The communication chasm I mentioned above reminds me of a theme in many of Stanislaw Lem's books: it is impossible to communicate with something sufficiently "other". I think this might have been at the heart of Aaron's suicide. I think he may have despaired at his inability to communicate with those who were wielding great power over him; he suffered from the curse of Cassandra. It can be very alienating to know that you are right but be at the mercy of people who just don't have a clue. It reminds me of my definition of freedom:
free·dom [free-duhm]
noun
1) Not having to suffer from the mistakes of others.
One strange thing about this definition is that the more intelligent, aware, and insightful someone is the less free they are (until they become enlightened).

---
Our job is to remind ourselves that there are more contexts
than the one we’re in now — the one that we think is reality.
-- Alan Kay

[ Reply to This | Parent | # ]

Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples
Authored by: PJ on Tuesday, January 29 2013 @ 12:58 AM EST
Well, since he asks for comments, you could
place that comment on his site. I'd use
Tor or something with the same purpose,
assuming it's not illegal
yet.

: )

[ Reply to This | Parent | # ]

Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples
Authored by: Anonymous on Tuesday, January 29 2013 @ 08:09 AM EST
I think that the people WE put in charge are by definition
technically incompetent in any technical area; they are
politicians. People who are truly technically competent in
any technical area tend not to go into politics.

The system we have, when it was created, had minimal technical
issues to deal with. Over the past many years technology
has become a larger and larger part of our society.
However, the system we have has not changed with it. Because of that I don't
think the US as a nation can ever
adopt a rational approach for dealing with all the issues
arising from the steadily increasing influence of technology
on our society with the current system we have for electing
leaders. Perhaps a technical competency test should be
required before a person can run for office.

[ Reply to This | Parent | # ]

Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples
Authored by: bugstomper on Tuesday, January 29 2013 @ 08:14 AM EST
The issue has been brought up in the comments. It isn't as simple as you might
think at first when you equate a random string in a URL with a password. It is
true that the string could be as effective as a strong password. But strength
may not be the only issue. For example, consider Question 1 in which Sally has
set her email password to "password" and someone else guesses it. Is
that analogous to having a weak lock on your door which is easy to pick,
therefore should be considered unauthorized access? Or, as one comment suggested,
is a password of "password" an indication that Sally had no intention
of blocking access to the email account but was forced by the email software to
enter something for the password?

If a weak password could act like an easily picked lock on a door to indicate
that entrance is unauthorized, perhaps a strong random URL could in some cases
not indicate that entrance is unauthorized. For example, when you share a Google
Doc document via URL, the system creates a unique URL with a random string that
nobody would guess. It warns you that anyone who has this URL can access the
document and they can give the URL to anyone they want. In other words, don't
treat the URL as a password. How is it different from having password protection
and giving someone the password? If you send someone a link you would have to be
explicit that the link is a secret otherwise they may very well pass the link on
to someone just as they might with any other link to a news item that someone
sends them. The fact that the link contains a unique random string is not
unusual for many news or blog sites that generate unique permalinks for their
articles with no expectation that the links remain hidden.

Even the description of Question 5 can be altered only slightly to get rid of
the part that is jarring to the technically minded - "Joe wants to know who
has been admitted to the college, and he figures out that the random string in
the URL is just an unsalted truncated MD5 hash of the number between 1 - 5000 of
the application. He writes a script to get all 5000 application results."
Now, is this the same as Sally having a password which is weak, or do we say
that Sally is authorizing access to anyone who gets the URL however they end up
getting it?

[ Reply to This | Parent | # ]
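
An added illustration of the Question 5 variant described in the comment above (not part of the original post, and not code from any real admissions system): it contrasts the unsalted truncated MD5 token with an HMAC-keyed one and audits whether issued tokens can be recomputed from the application number alone. The 12-hex-character truncation and all function names are assumptions; the comment specifies neither.

```python
import hashlib
import hmac
import math
import secrets

APPLICATIONS = range(1, 5001)  # application numbers 1-5000, as in the comment
TOKEN_HEX_LEN = 12             # assumed truncation; the comment gives no length


def weak_token(app_id: int) -> str:
    """Token as described: unsalted, truncated MD5 of the application number."""
    return hashlib.md5(str(app_id).encode()).hexdigest()[:TOKEN_HEX_LEN]


def keyed_token(app_id: int, key: bytes) -> str:
    """Hardened form: HMAC-SHA256 under a server-side secret, same token length."""
    mac = hmac.new(key, str(app_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_HEX_LEN]


def derivable_fraction(issued: dict[int, str]) -> float:
    """Audit: share of tokens recomputable from the ID with a common unsalted hash."""
    hits = 0
    for app_id, token in issued.items():
        data = str(app_id).encode()
        if any(hashlib.new(a, data).hexdigest().startswith(token)
               for a in ("md5", "sha1", "sha256")):
            hits += 1
    return hits / len(issued)


def audit() -> dict:
    """Compare apparent token strength with what the ID space actually allows."""
    key = secrets.token_bytes(32)  # constructed server secret for this demo
    weak = {i: weak_token(i) for i in APPLICATIONS}
    keyed = {i: keyed_token(i, key) for i in APPLICATIONS}
    return {
        "apparent_bits": TOKEN_HEX_LEN * 4,
        "weak_effective_bits": round(math.log2(len(APPLICATIONS)), 1),
        "weak_derivable": derivable_fraction(weak),
        "keyed_derivable": derivable_fraction(keyed),
    }


if __name__ == "__main__":
    print(audit())
```

The token looks like 48 bits, but with an unkeyed hash the unpredictability is bounded by the 5000 possible inputs; the keyed version keeps the same URL shape while making the token depend on a secret only the server holds.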

The technical impossibility is - in my humble opinion - moot to the question
Authored by: Anonymous on Tuesday, January 29 2013 @ 12:16 PM EST

Today, 128 bit encryption can be brute forced in significantly less time than 10 years ago. If one was bright enough, and quick enough, one could have acquired 10 PS3's, hooked them in a grid and have quite the handy little computing unit to work with.

In my humble opinion the question posed is appropriate for discussion. It's a metaphor for a situation which could happen in any number of ways - technologically applied or not.

Aren't we interested in having fair laws applied with regard to technology? Fair relative to equivalent situations which don't include technologies?

Fair Laws which will stand the test of time regardless of the advancement of technology?

Let's put the situation slightly differently:

    5. Sally is a college admissions counselor who decides to let applicants know if they have been admitted by [having them come into the office and review a written response which Sally then files back in the filing cabinet]. Joe wants to know who has been admitted to the college, [so he enters Sally's office while she is at the cafeteria and takes photos of as many of] the letters indicating the admissions [as possible]. In your view, should accessing the [filing cabinet] to collect the decisions be considered permitted authorized access or prohibited unauthorized access?

In my humble opinion, the answer to the question as outlined with a physical filing cabinet should be treated no differently than the web site access. In both cases, Joe has just raised some issues to be considered. These are all applicable regardless of how many Joe actually acquired.

    Privacy: Joe has no business knowing whether or not my submission was accepted
    Privacy: Joe has no business knowing my personal information that is included in the submission
    Trespassing: While Joe may have had reasonable grounds to believe he had business when he had his meeting with Sally, he's not got the same grounds when he enters Sally's office while Sally is out

To focus on the current technological landscape and its limitations is to be - in my humble opinion - ignorant of the potential breaches that have occurred. We're part of the technology field. We're experienced. We know how fast the "impossible" turns into the possible. Even assuming the worst case scenario - a brute force usage as you describe - can't be relied on to be limitations for too long. And more often than not, math algorithms, changes in tactics, etc. tend to be more effective in acquiring that in a reasonable time rather than a brute force method.

I think we're doing both Society and ourselves a great disservice if we focus on the technological limitations instead of speaking to the heart of the situation. We're not helping find a better resolution quicker. We're bogging it down with technical details which - in my humble opinion - don't affect the fact that a privacy breach has been committed. Whether that privacy breach was done via a computer or walking through an unlocked door and accessing an unlocked filing cabinet doesn't alter the fact that it was still a breach of privacy.

RAS

[ Reply to This | Parent | # ]

Aaron’s Law, Drafting the Best Limits of the CFAA, And A Reader Poll on A Few Examples
Authored by: OpenSourceFTW on Tuesday, January 29 2013 @ 02:57 PM EST
The question ignores a bigger matter: Why are you putting personal information
up with no password? Isn't that a privacy violation in itself? That hash is not
sufficient, I could accidentally stumble upon someone's info. Security through
obscurity is not a good idea.

As for whether this is unauthorized access or not, that's a tricky question.
Clearly trying to brute force this could tie up the server, and be considered
DOS. This would be exceeding access I think.

The question is this: what is the difference between accessing information in an
unlocked cabinet and on a server where it is not locked down? In a cabinet,
there is an expectation of privacy (you have to be in that room, and it is
generally understood that a cabinet is private). On the internet, content is
generally assumed to be public unless otherwise stated. You don't need to be in
that "room" to access the content.

Not a simple answer.

[ Reply to This | Parent | # ]

What does Joe actually have access to?
Authored by: Anonymous on Wednesday, January 30 2013 @ 05:52 AM EST
A couple of the comments replying to this seem to want to put the
scenario in non-electronic terms in order to decide on moral
purity without the confusing complications of technology.

This is fine I guess, but if you do so, I don't think you can say
"Joe has access to an unlocked cabinet".

He doesn't have access to the cabinet -- he has access to a publicly
accessible help desk, staffed by a "lobotomized desk worker" (the
webserver). By giving that worker a slip of paper with a number on
it, the worker will go and retrieve the file details (really fast!)
and give them to Joe, no matter how many times he asks.

--Ash

[ Reply to This | Parent | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License.