Kuro5hin.org: technology and culture, from the trenches
Law Review Article Argues Port Scanning Illegal

By ThrowawayAccount in MLP
Sun Jun 10, 2001 at 02:04:04 PM EST
Tags: Security

The Journal of Technology Law and Policy has a good article on computer security and privacy. In the last section the author marches through some laws that apply to the Internet and shows how they apply and why his way of deciding what kinds of access to a computer break the law and what kinds don't is better. (It's based on property and expectations of privacy.) It's interesting to see computer security from a lawyer's point of view. Especially interesting are his claims that using nmap is illegal, despite the VC3 v. Moulton case. I'm not sure I agree with him, but he definitely makes a pretty sobering case.


The author makes a strong case that nmap use/port-scanning violates current laws. It's clear that the article's author ISN'T sympathetic to criminalizing nmap use and thinks that the laws are too strict and would degrade Internet usage if they were used all the time. Instead, he argues that the property/privacy rights you have in Internet-connected computers should be limited to the technical measures you take to secure them. I guess he'd say you don't have an expectation of privacy in an unsecured computer.

But he also says that if you only had legal rights when you technically denied access, the law would be pretty useless. So he develops a complicated metaphor: the Internet is like the range on the Wild West, anything not fenced in is OK for public use, but if you hop over somebody's fence, even if it's ineffective, you're trespassing. Apparently based on the Supreme Court's reading of property rights in the Wild West. Like I said, interesting, but not necessarily persuasive.

I want to ask how we should view expectations of privacy on the Internet. Everybody knows the door knob metaphor regarding port scans, but this guy has proposed something else. Does the Wild West metaphor work?

Poll
Do you buy the Wild West metaphor for privacy/property rights on the Internet?
o That's a plate of steaming BS 18%
o Sounds right on 9%
o I'd have to read the article 9%
o I like the door knob metaphor better 18%
o If you even ping my machine, you should go to jail 9%
o If it isn't nailed down, it's fair game 34%

Votes: 32


Law Review Article Argues Port Scanning Illegal | 5 comments (5 topical, 0 editorial, 0 hidden)
Property rights, resource consumption and internet (2.00 / 2) (#1)
by jesterzog on Sun Jun 10, 2001 at 12:19:54 AM EST

I don't have time to read the article right now unfortunately, so my opinion on this might not be relevant.

Isn't it really just about indicating property? If I fenced in some land but left the gate open for people to wander in, I wouldn't mind people coming in. If I fenced in some land but left the gate shut, I wouldn't want people to climb over the fence.

The problem issues are when there's no fence, or when the gate is left open accidentally. I might leave the gate open, but that doesn't mean I want people entering. If it's clear that it's my property and people aren't invited, they should be considered trespassing - unless they have a valid reason, like to knock on my door. Even then, I wouldn't want people coming to knock on my door if I'd made it clear to them in the past that they shouldn't.

Without a fence, it should still be considered trespassing if it's clearly signposted that people shouldn't be there, but I think I'd only have myself to blame if people ignored the signs and I hadn't made a reasonable effort to stop them.

In summary, I think trespassing and property rights are defined by the stated intention of the property owner. If there's a notice somewhere stating that you shouldn't be there, or if it's obvious (through security measures) that you're not wanted, then you're trespassing.

I'm still not sure how this relates to port scans, except it probably reflects differences between internet society and real-world society.

If it cost people significant money and resources every time a door-to-door sales representative walked up your front path, society would not be as tolerant of door-to-door salespeople. Most likely there would be special bylaws and rules associated with visiting people in an unsolicited way.

Things like spam and port scans are significant problems on the internet when they're misused, because they cost other people significant money and resources without any gain. I don't see why it should be unusual to expect similar rules or bylaws developing on the net. Exactly what they should look like would be difficult to figure out, though. I.e., you could argue that it's impossible to know for certain that someone doesn't want to read your unsolicited spam until you ask them...


jesterzog Fight the light


Clarifications (none / 0) (#2)
by Highlander on Sun Jun 10, 2001 at 11:40:10 AM EST

I must admit I skimmed over some parts pretty fast; let's hope this is useful to someone who hasn't read the article.

In contrast to the headline for this MLP, the linked article does not say that portscanning in itself is illegal; it says it is legal; however, when the scanning elicits additional information about the operating system by employing unusual methods (e.g. Xmas flagged packet scan), this, to return to the property metaphor, is like pointing a flashlight and binoculars at someone else's property for peepin'.

The linked article also starts applying this reasoning to the DMCA and to software that adds features unwanted by the computer owner.

Here, the linked article argues that the (social) contract for what is allowed and what is not allowed is not defined, and the issue requires a more detailed analysis than it is currently given.

Moderation in moderation is a good thing.

port scanning is like... (none / 0) (#3)
by ThwartedEfforts on Sun Jun 10, 2001 at 02:53:56 PM EST

I view port scanning just like walking down the street past a house and looking at it to determine if the windows are broken or the front door is wide open.

Not quite (none / 0) (#4)
by kostya on Sun Jun 10, 2001 at 09:57:25 PM EST

At least, not with nmap.

Nmap is like walking down a street, pulling up on every window to see if they are locked, checking every door to see if it will open, writing every entrance way down--from chimney to coal chute.

No, nmap is not nearly that innocent. It is like "casing a joint"--whether you intend to rob the house or not, the methods are the same.

I say this as someone who uses the tool and has it used on me. I use it only after I am pretty sure I have cause. It is a fairly obvious and intrusive tool that lights up firewall logs like a 4th of July fireworks show.

Your "strolling down the road" would be traceroute. Checking the door might be telnet--but it would be the equivalent of walking up on the porch, trying the door knob or perhaps ringing the door bell.



----
Veritas otium parit. --Terence
nmap is less than a lockpick (1.00 / 1) (#5)
by ThwartedEfforts on Mon Jun 11, 2001 at 02:09:15 PM EST

Some fine points, but I still disagree.

Using traceroute is like looking at a map of the city to determine where the building is.

The only reason nmap "lights up firewall logs" is because you have your firewall set up to do that. This is the same as having security cameras monitoring your building's borders and then going apeshit when you see loiterers. Of course, it becomes more serious when those loiterers start testing the locks on the windows and opening them up -- this is like using telnet.

People in general have no reason to test the locks on your door or window, and people in general have no reason to use nmap on your servers. But that doesn't mean that using nmap, for whatever reason, is bad, or means you are up to something -- just like if I take a picture of a building it doesn't mean I'm going to come back and burn it down. The difference is, though, nmap can be a non-invasive test of security, unlike checking the locks on your doors, which pretty much have to open in order to determine if they can open.

Nmap is more benign than a lockpick kit. Nmap is like some object that will tell me if a lockpick will work on a certain lock, but it doesn't actively break in.

