[fa.human-nets] HUMAN-NETS Digest V6 #16

Pleasant@Rutgers.ARPA (03/31/83)

HUMAN-NETS Digest       Thursday, 31 Mar 1983      Volume 6 : Issue 16

Today's Topics:
     Computers and the Law - Texas Computer Crime Law (8 msgs)
----------------------------------------------------------------------

Date: 29 March 1983 04:24 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: Texas Legislature to consider a Computer Crime Law

    Date: Saturday, 26 March 1983, 01:50-EST
    From: Christopher C. Stacy <CStacy at MIT-MC>

    ... there are no laws that I know about which concern themselves
    directly with the misuse of vacuum cleaners. ... So why are
    people concerning themselves with laws about computers?

I agree. We should be careful to make special laws for special tools
only when those special tools permit kinds of crime not covered by
older laws, and only in ways appropriate to the level of threat
involved. In many cases I'd rather see old definitions adjusted
(like amend the definition of "property" to include confidential
data stored in a memory device) instead of creating a whole class of
"computer crime" separate from existing theft laws.

       Sec. 33.01  DEFINITIONS.   In this chapter:
       (2) "Computer  software" means  instructions or statements
       that permit a computer system to perform a useful function.

    I wonder what "useful" means?

I think you're being too picky. "Useful" means it accomplishes some
purpose that a human or pseudo-human (company, government agency)
wants performed. For example, adding the contents of register 4 to
the contents of register 6 and depositing the results in register 6
isn't useful, but accepting input from the terminal until
end-of-line and parsing that line of text as an arithmetic
expression and printing out the result of evaluating that expression
IS useful. Thus the ability of the PDP-10 CPU to execute the
instruction ADD 6,4 isn't useful in itself, but the Macsyma program
is. A bunch of random instructions generated by noise, that don't do
anything useful, just hang the cpu after a few microseconds,
wouldn't be considered "software" under this proposed Texas
definition. -- In summary, the definition seems to hit the nail on
the head, even if it's not mathematically perfect (hardly any legal
definition is anyway).

        (3) "Computer system" means a device or set of devices that
        stores data in an intangible form, or that, in response to
        instructions  or data given to it, analyzes data, converts
        data from one form into  another, or produces new data.

    It seems to me that humans (and other animals, and plants) are
    included in this definition.  So are telephones, thermostats,
    and vacuum cleaners.

Yes. This definition needs to be amended to exclude biological
units.  Telephone headsets aren't computer systems, but the central
office and the relay nodes *are* and ought to be included. That way
if you tap into the telephone system's computers to disrupt
communications and cause many people to die due to inability to
contact their doctor by telephone, you'd be subject to this new law
whereas under old law you might get off because "all you did is talk
to the telephone computer, and freedom of speech is protected". -- I
rather doubt thermostats and vacuum cleaners store data. They take
input from a dial or switch, and continuously react to it, but they
never store the setting internally, they just keep reacting to the
current setting, and as soon as you change it they act like the old
setting never existed.

        Sec. 33.03.  BREACH OF SECURITY SYSTEM.
        (a) A person commits an offense if, without the effective
        consent of the operator of the computer system, he
        intentionally:
        (3) gives information concerning a computer security
        system to another person.

    I don't understand how this last can be reconciled with free
    speech.

I agree, this ought to be limited to secret keys, not info about the
general algorithm. For example, if I told somebody that Crocker Bank
used plastic cards plus 4-digit identification numbers manually
typed in, as I am doing right here, I'd be violating that new
proposed Texas law! But if I started passing out people's 4-digit
numbers without their permission, that'd be something the law should
cover. I wonder if anybody in the Texas legislature is on this
mailing list? We'd make a good sounding board for any laws relating
to computers, to see if they have serious flaws like this.

    Besides, what "information" are they talking about? I imagine
    that if I decided a random fact (such as "grass is green") was a
    part of my computer security, that I could attempt to have
    anyone who repeated the fact criminally prosecuted.

Hmmm, ordinarily I'd say this is frivolous, but recent cases with
national security where somebody doing independent research happens
to come up with a system similar to some secret system, and suddenly
this independent research is declared top secret, get me to
worrying.

------------------------------

Date: 29 March 1983 04:50 EST
From: Robert Elton Maas <REM @ MIT-MC>
Subject: Re: HUMAN-NETS Digest   V6 #11

Yup, a pocket calculator with memory would certainly (in my opinion)
be a "computer" under both this proposed Texas law and under the
proposed USA law a couple years back. There ought to be a way to
prevent baiting. Like if you leave your calculator on a desk and
somebody comes along and presses one of the buttons to see if it
worked, that would be a crime under both proposed laws. But it
really shouldn't, because you didn't take adequate security
measures. If it's in your purse or briefcase (etc.) and somebody
gets in there without your permission and uses your calculator, that
probably should be a crime, because people aren't supposed to get in
your purse or briefcase in the first place.

(What if you pass out on the street, somebody looks in your purse to
see who you are so they can notify your family and doctor, and they
see your calculator and play with it. I wonder if that should be a
crime? I think if you had some valuable program on it (suppose it's
an HP-41c) and they accidentally deleted it they ought to get fined
and/or sued for the loss you thereby suffered? That'll teach them to
keep their finger off computers that don't belong to them and which
they don't understand what to do and what not to do.)

What if you are working out your income tax, and you go to the store
for a refill for your pen. While you're out your apartment manager
comes in to fix something, and sees the papers and not realizing
they're important throws them away. You come back and find a week's
work lost. -- This has nothing to do with computers, yet you've
suffered a similar loss to if your disk file were deleted by some
intruder. I think the law is too specific to computers and ought to
cover all sorts of data or work loss regardless of whether a
computer was involved or not. I.e. the law is aiming at the mystique
of computers instead of where the problem really lies, damage or
theft of valuable data and other products of work/labor, or
interference with legitimate operations.

------------------------------

Date: Tue 29 Mar 83 02:41:10-PST
From: Edjik <NCP.EGK@SU-GSB-HOW at SU-SCORE>

I think the real problem is having laws made that deal with highly
technical issues, by people who have an extremely limited technical
background.

------------------------------

Date: 29 Mar 1983 10:39:03-PST
From: Robert P. Cunningham <cunningh@Nosc>
Reply-to: cunningh@Nosc
Subject: Texas bill 193

Section 33.05 of the bill (Interfering with computers) appears to
apply to an electrical utility which sends power spikes and thereby
glitches a computer system.  Similarly, it also might apply to a
phone company which allowed its lines to become noisy and interfere
with telecommunications involving computer systems.

In fact, since phone company switching systems (ESS) employ embedded
computers, the bill's definition of a 'computer system' may also
incidentally apply to the phone system.  Will that make it a
misdemeanor to give out an unlisted phone number?

Bob C.

------------------------------

Date: 29 March 1983 14:18 cst
From: Heiby at HI-MULTICS (Ronald W.)
Subject: Texas Computer Crime Bill

Effective consent is not defined in the bill.  I assume that the
phrase is defined somewhere in Texas or common law.  If I find a
list of the user ids and passwords lying around un-protected and
un-encrypted in a public system directory where the system
administrator left it, have I been given effective consent to look
at it?  To make use of the information in it?

An area that the bill does not address at all is the entire issue of
protecting customers of a computer service bureau from the service's
operator or his/her staff.

Ron H.

------------------------------

Date: 29 March 1983  16:04-EST (Tuesday)
From: Paul Fuqua <PF @ MIT-XX>
Subject: Texas Computer-Crime Laws (70+ lines)

     That's my home state.  Wouldn't want to live anywhere else, but
the lawmaking *does* become a bit strange sometimes.  What other
state needed to pass a constitutional amendment to legalize bingo
for non-profit groups?

     When I first read the computer-crime bill, I was somewhat
dismayed.  It was so broad, so vague.  I felt all those concerns
already voiced.  Then I read it again.  It's not a *bad* bill.
Finesse the definitions for a moment (rely on intuitive meanings),
and read it again.  "Access for fraudulent purpose" is written just
fine.  "Unauthorized access" part 2 (alteration or damage of the
system, software, or data) is OK.  "Interference (*intentional*
interference) with service" is also written properly.

     What doesn't work?  The sections concerning "breach of security
system" and the initial part of "unauthorized access" (using the
system in a manner not permitted by the operator).  Why don't they
work?  Because the definition of "computer system" is vague.  The
concepts themselves are roughly akin to trespassing.  If someone
wishes to fence their property and not allow you to walk across,
they can do so;  so can a computer operator refuse you access to his
machine (I don't want to talk about easements and discrimination).
I'm somewhat of a hacker, too;  nevertheless, it's "trespassing."

     So, the crux of the whole issue is the definition of "computer
system." Some (old) unabridged dictionary I leafed through a moment
ago defined "computer" as "a mechanical or electronic device capable
of performing repetitious mathematical operations at high speed."
It's not great, but it's better than the vague definition given in
the bill.  At least a vacuum cleaner doesn't qualify.  Digital
watches and microwave ovens could slip in, if they contain
processors (as most of them do).  That "intangible" business is also
a problem, but I suspect it is necessary either because of the
judicial decision mentioned, or to be compatible with the
software-sales-tax bill.  Storage is not necessarily intangible, but
legislators are not computer people.

     "Computer system" is not an easy thing to define, however.  We
want to include the systems that banks and other institutions use to
store their records, but exclude processor-containing objects such
as calculators, watches, and microwave ovens.  We cannot define by
example, because that is incompatible with the supposed timelessness
of law.  I propose "a mechanical or electronic device or set of
devices that, in response to data or instructions given to it and/or
stored in it, analyses data, converts data from one form into
another, or produces new data, at a high rate of speed."

     I hope that covers processors without covering microwave ovens
(although it could be said that they work fast, too).  Perhaps a
specific exclusion is needed.  I wanted to include the phrase
"through mathematical and logical operations," but I think it's too
restrictive.  There are also days when DEC-20s do not work at a high
rate of speed (try mit-xx between 4 and 6).  My proposal still
doesn't handle the problem of "what if someone uses my calculator
and I don't want them to", but somehow there is made a distinction
between trespassing on land and borrowing a tool without permission,
both of which involve the concept of property.  Let's steal from
that.  Of course, the Dynabook will mess that idea up.  Help.

     I realize I've thrown around a lot of terms in an imprecise or
incorrect way, and there are a lot of items still needing
definition.  If we come up with something good, we can send it in
and keep the Texas Legislature from screwing up.

                              pf

ps  Regarding the "emergency" provision:  will avoiding two readings
    of the bill in each house really make a difference in
    time-to-passage?

pps  Many laws exist not to prevent actions, but to allow
     governmental action against an offender when they deem it
     necessary.  In both Cambridge and Dallas, it is illegal to park
     on the street for longer than 24 hours without moving, but it
     is only rarely enforced in Dallas, because there are still
     plenty of parking spaces.  I hope the "breach of security"
     provision, if passed, is treated in such a manner.

------------------------------

Date: 29 Mar 83 21:35:15-EST (Tue)
From: "Peter N. Wan" <wan.gatech@UDel-Relay>
Subject: Re: Texas computer law

The Texas computer law reads very much like the one that was passed
as the Georgia Computer Systems Protection Act.  My initial
reactions after reading the Georgia law were pretty much the same as
the ones expressed here; i.e., that freshmen playing games on their
computer course accounts could be prosecuted for misuse of the
system, etc.  The way that I see it, present laws would probably be
sufficient to rectify criminal activity if our judges and jurors
were knowledgeable enough about computers and information technology
to apply them.  For instance, stealing someone's password and
logging in would correspond to breaking and entering, etc.  Proving
theft would be another matter, however.  Our current concepts of
theft involve the change of possession of something; stealing a
computer program does not deprive the original possessor of
possession.  It just allows someone else to have control of
essentially the same item.  I feel that we need laws to address only
those areas that cannot possibly be covered by current legislation.
And we certainly do not need the ambiguous, poorly-worded pieces of
legislation that we are currently getting to address computer
problems.

------------------------------

Date: Wed 30 Mar 83 10:49:08-PST
From: LAWS@SRI-AI.ARPA
Subject: Computer Systems

I looked up the IEEE definition of "computer system".  It is
basically a communicating configuration of computer hardware.
"Computer hardware" is hardware for processing computer data.  I
didn't follow this all the way down (or around), but "computer data"
seems to be easier to define than the other terms; it has to do with
information that is not directly usable by humans.

                                        -- Ken Laws

------------------------------

End of HUMAN-NETS Digest
************************