GROKLAW
Computer Crime Law Goes to the Casino | 189 comments
The url was skillfully crafted indeed
Authored by: Anonymous on Friday, May 03 2013 @ 07:34 PM EDT
The innocent url with ?pw=eOH7KvedHxS3iYRa at its tail would
for sufficiently knowledgeable folks be recognized as an
attempt to lock the contents behind a password.

What I'm trying to argue, is that your argument of "don't let
anyone access without the "key"" is quite valid, but on the
Internet, the "eOH7KvedHxS3iYRa" could very well *be* the
key.

It is not even such a bad key: The password strength of the
example url is -by rough estimate- 26 lower-case letters + 26
upper-case letters + 10 digits to-the-power of 16 characters.
Which gives an about 1 in 47000000000000000000000000000
chance of getting it right for each random attempt to access.
With a somewhat bigger number (2048 bits key size is
considered quite secure), you actually enter into the realm
where you can reasonably expect that no-one will find the url
by accident.

But I think that the basic problem lies elsewhere: Extending
your library analogy, let's assume that the normal procedure
in the library is that -upon requesting access to the book-
you are provided with the number code for the lock of the box
that the book is kept in. To keep the analogy in sync with I
propose that, no separate account is to be kept by the
library of who requested access, nor of to whom the number
has been given.

An innocent visitor to the fictional library, unaware of
procedure, could by accident manage to open the box first
time. An evil book-snatcher might have his lucky day and
crack the number lock first time. For Big Brother the
librarian, the problem is how to tell the two apart.
As for code-cracking: That would be like allowing Big Brother
to drop his ton of bricks on anyone found attempting many
times (but: how many..) to open the lock. Allowing that would
however endanger innocent mr. Fuzzyhead who has a hard time
remembering and entering that odd number he has been given.
Basically: Big Brother has a rotten job.

What I found missing in the reasoning so far is the
responsibility of the person who puts the private information
in the public in the first place.

I think one solution to the previous problems would be to -at
the very least partially- shift the burden. If we follow that
reasoning all the way: To boldly assert that anyone who puts
something intended to be private out on the public Internet
is responsible for making the access restrictions strong
enough.

Once information is exposed in public, regardless of how
anyone got at it, the access was authorized: By the person
who set up the combination of public access and the password.
That person knowingly delegated the safekeeping of the
private information to a password mechanism. That person
should not complain if the password turns out to be
ineffective, but ensure that the restrictions are appropriate
for the level of privacy required for that information.

The breaking & entering analogy of a house can -I think- not
apply because while a house is firstly and well-known to be a
private place, the opposite applies to the Internet: it
is first and foremost public.

[ Reply to This | Parent | # ]

Computer Crime Law Goes to the Casino
Authored by: Anonymous on Friday, May 03 2013 @ 09:34 PM EDT
Original poster here. I think we agree. In particular I
take your point that the book remains accessible to anybody
who knows the secret of where to find it. That's why the
book is under a leaf in a public park, not on private land.

It is not unreasonable to say that an action becomes
criminal based on intent. You could imagine a statute,
designed to encourage whatever policy would benefit from
more books hidden under leaves, that outlaws the methodical
overturning of leaves in the park. That's really not so
very different from outlawing the methodical trying of
different positions of a combination lock.

But trying combinations on a lock is NOT criminal, unless
that lock is (lawfully) defending a private space.

Grimmelmann argues that a secret URL "defends" a page in
exactly the same way as a secret password. That's quite
true from a mechanical perspective, but the law is different
from physics. (There's a great essay called "what color are
your bits" that gets at this point rather well.) Intent does
matter. With a password mechanism, the user is on notice of
the existence of the lock. With an obscure URL, that is
not true.

It is technically possible to write code that takes the
password either in the usual way or as part of the URL; in
fact a lazy programmer could easily do that by accident,
since many other fields are perfectly OK to pass by either
mechanism.
But anybody who allows passwords to be passed as part of the
URL is a fool, and should forfeit any expectation of being
protected by anti-hacking laws. It's like leaving your door
unlocked. An intruder might possibly be part of a
conspiracy and/or could commit a burglary once inside; but
the intrusion itself is not felonious.

[ Reply to This | Parent | # ]
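The accidental case described in the comment above (a password accepted "either in the usual way or as part of the URL"), sketched as an added example that is not part of the original post or of any site's code. The function names, the host `example.test` and the field names in `SECRET_FIELDS` are assumptions; the `pw` value is the one quoted earlier in the thread.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed names for secret-bearing fields; "pw" matches the URL quoted in the thread.
SECRET_FIELDS = {"pw", "password"}


def _fields(encoded):
    """Decode a query string or form body into {name: last value}."""
    return {k: v[-1] for k, v in parse_qs(encoded).items()}


def lenient_params(url, body=""):
    """Merge URL and body fields, as a 'read it from anywhere' helper does.

    Convenient for ordinary fields, but it means a password in the query
    string is accepted exactly like one sent in a form body.
    """
    params = _fields(urlsplit(url).query)
    params.update(_fields(body))
    return params


def strict_params(method, url, body=""):
    """Accept secrets only in a POST body; refuse any that arrive in the URL."""
    query = _fields(urlsplit(url).query)
    leaked = SECRET_FIELDS.intersection(query)
    if leaked:
        raise ValueError("secret field(s) in URL: " + ", ".join(sorted(leaked)))
    form = _fields(body) if method == "POST" else {}
    # Non-secret fields may still arrive by either route.
    return {**query, **form}


def log_line(method, url):
    """What a typical access log keeps: method and full request target, not the body."""
    return f"{method} {url}"


if __name__ == "__main__":
    # Constructed request; only the pw value comes from the thread.
    url = "https://example.test/report?id=42&pw=eOH7KvedHxS3iYRa"
    print(lenient_params(url))   # password accepted from the URL
    print(log_line("GET", url))  # and written to the log in clear text
    try:
        strict_params("GET", url)
    except ValueError as err:
        print("rejected:", err)
    print(strict_params("POST", "https://example.test/report?id=42", "pw=eOH7KvedHxS3iYRa"))
```

The lenient version also shows why the URL route matters operationally: the request target, secret included, ends up wherever URLs are recorded, while the form body does not.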

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License.