informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/politics/SPUNK/sp001201.txt

370 lines
18 KiB
Plaintext
Raw Blame History

"Freedom Isn't Given It's Taken"
The Anarchives Volume 2 Issue 8
The Anarchives Published By
The Anarchives The Anarchy Organization
The Anarchives tao@lglobal.com
Send your e-mail address to get on the list
Spread The Word Pass This On...
--/\-- Unauthorized
/ / \ \ Access Of
---|--/----\--|--- A Computer
\/ \/
/\______/\ by Jesse Hirsh
In early march of 1995 I was arrested for "Unauthorized Use Of A Computer".
Three large, white, plain-clothes detectives from 52 division in downtown
toronto came to my house, promptly arrested me, took me to a holding
cell, and conducted a strip search (looking for codes I guess). I was
held in custody for four hours (7:30 pm to 11:30 pm), and released as a
result of substantial protest made by friends and family at the sergeants
desk.
I was being accused of breaking into the computer systems at the
University Of Toronto for the purpose of publishing "Anarchist
newsletters".
The sysadmin of ecf.utoronto.ca, one Professor Jack Gorrie
<gorrie@ecf.utoronto.ca>, saw someone on his system publishing Anarchist
materials, assumed I was a malicious "hacker", turned over all records of
my email, news posts, key strokes, you name it, to the police at 52
division. The police realizing how dangerous these "hacker anarchist"
types are, had to come to my house to cuff me, bring me down, and strip
search me.
All because I was using my brother and his friends' account. I was new to
the Internet, and naively felt I had freedom of speech.
Turns out that freedom, like freedom in the real world, must be
authorized. Although my brother and his friend had no problem with my
using the account, they of course are not the recognized "authorities".
Only Jack Gorrie <gorrie@ecf.utoronto.ca>, the system administrator, has
system authority. And good ole Jack, like many engineers, doens't like
Anarchists.
Instantly I learned the total lack of privacy (without encryption that
is) on the Internet, and the simplicity of complete electronic surveillance.
All my actions were turned over to the police, a stack of papers six
inches thick. And of course this was their copy to keep. ;)
I was to face trial for a possible six months in prison, just for
exercising my democratic rights and responsibilities.
Of course the end result was that the charges were dropped, although this
was not until several months later (sept 7, 95), after several
appearances in court, and after my agreeing to pay $400 to the skule.
But nevertheless, this incident was indicative of a lot of emerging
trends in our so-called information-highway:
1. What right do Sysadmins have in turning our shit over to the cops?
2. If there are "authorities" on the Internet, then clearly it's not an
example of anarchy, which of course implies no authorities.
3. Where does the role of democracy fall within the practice of
electronic surveillance? Did I have any rights in the first place?
4. Who enforces University regulations; the University? or the cops?
I could have raised a lot of shit by dropping this publicly months ago
when it was all going on, but to be honest I was scared shitless.
I didn't want to be a guinea-pig for a law that had yet to make it to a
court of law.
My life had been thrusted into the public realm, and I was desperate to
get it back.
Fortunately I have good friends and family, who knew a good activist
lawyer who was dedicated to keeping my ass clean.
It's also worth noting that my brother, who at the time was completing
his master's degree at an amerikkkan engineering lab was investigated by
the FBI, upon prompting by the Toronto police. The FBI obviously found
nothing wrong, but again, hastle where it should not have been.
I could go on ranting about many of the other socio-political
implications of these actions, but the purpose of this piece is merely to
inform.
Included in this message is a legal-summary of the case etc., written by
friends of mine in LoGIC (Legal group for the Internet in Canada). Any
other enquiries or what have you can be directed to me at jesse@lglobal.com
Any complaints, flames, or random rantings can be sent to
<a href="mailto:gorrie@ecf.utoronto.ca">gorrie@ecf.utoronto.ca</a> ;)
_______________________________________________________________________
* * * * * * * * L o G I S T I C S * * * * * * * *
-----------------
Vol. 01 No. 01 September 1995 danshap@io.org
A Publication of LoGIC: The Legal Group for the Internet in Canada
LoGISTICS: danshap@io.org (Daniel Shap)
LoGIC e-mail: sherlock@io.org (Dov Wisebrod)
Mailing List: logic-l@io.org
WWW (under construction): http://www.io.org/~logic/
_______________________________________________________________________
In This Issue:
==============
2. The Jesse Hirsh Case
3. What YOU Can Do!
-----------------------------------------------------------------------
2. The Jesse Hirsh Case
========================
On Thursday, September 7, 1995, at 10am in Courtroom 126 of Toronto's Old
City Hall, Jesse Hirsh was scheduled to go on trial. He was charged with
"unauthorized use of a computer system" contrary to section 342.1 of the
Criminal Code of Canada.
Jesse had been caught using his step-brother's university computer
account, as well as the account of another friend, to publish an
anarchist newsletter to the Internet. Upon his arrest, Jesse assured the
police that he had been given permission to use the accounts. However,
the prosecution adopted the position that, since the university had a
strict policy against allowing its users to share computer accounts,
Jesse's step-brother and friend had not been permitted to give Jesse the
necessary authorization to make use of their accounts. In other words,
it didn't make any difference that his step-brother and friend knew that
he was using the accounts, all that mattered was that he had actually
used them.
Jesse quickly set about hiring himself a good lawyer (Bob Kellerman) and
prepared to confront the case against him. After many months of anxious
waiting, Jesse's day in court finally arrived. On the morning of the
trial -- mere minutes before the Court was called into session -- the
prosection suddenly withdrew the charges. Jesse agreed to pay to the
University of Toronto the sum of $400.00 as a token in satisfaction of
the cost of using its computers. (The University had claimed $1600.00!) He
was free to go.
For Jesse, the prosecution's withdrawal signified the end of a long and
harrowing journey. After countless sleepless nights, lying awake and
worrying about the possibility of a criminal record -- or worse still, a
jail sentence -- he could finally rest easy. But for Canadians
everywhere, Jesse's story raises the ominous spectre of more cases like
it in the future.
Section 342.1
-------------
(1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other
device, intercepts or causes to be intercepted, directly or
indirectly, any function of a computer system, or
(c) uses or causes to be used, directly or indirectly, a computer
system with intent to commit an offence under paragraph (a) or
(b) or an offence under section 430 in relation to data or a
computer system
is guilty of an indictable offence and liable to imprisonment for a
term not exceeding ten years, or is guilty of an offence punishable on
summary conviction.
Section 342.1 of the Criminal Code of Canada is part of a series of new
"high tech" crimes that were introduced a few years ago as Bill C-34. The
law was also amended to expand the definition of "mischief" (see section
430) to include anyone who wilfully obstructs, interrupts, interferes,
alters or destroys data.
The purpose of 342.1 was, among other things, to prohibit anyone from
making use of a computer system "fraudulently and without colour of
right". In other words, if Jesse knew that his step-brother and friend
were not permitted to grant him permission to access their accounts, but
he used them anyway, then he would probably be guilty of a crime. On the
other hand, if Jesse genuinely believed that his brother and friend could
grant him permission to make use of the accounts, then he would likely
possess the necessary "colour of right" to avoid a conviction.
In creating a new category of crime which prohibits the unauthorized use of
a computer system, the Canadian legislature was, presumably, trying to
pass a law which would allow the police to control computer hackers. The
term "hacker" is generally held to mean one of two different things: (1)
anyone who likes to fiddle around (a technical term) with computers and
their software; or (2) a person who breaks into computer systems. From
the university's perspective, Jesse "broke in" to its computer because
the university never authorized him to use those accounts. On the other
hand, Jesse wasn't really a "hacker" in the true sense of the word
because his step-brother and friend gave him the passwords.
Unfortunately, the Criminal Code doesn't draw such a fine distinction.
According to the law, if you use a computer system that you weren't
suppose to, and you know it, then you're guilty of an offence and could
be liable to imprisonment "for a term not exceeding ten years". But the
law's clear-cut distinction between authorized and unauthorized use may
have some very serious implications for Canadians everywhere. That's
because many of the service contracts that Canadians enter into every day
contain language which limits their right to transfer or assign the use
of the service to any other person.
For example, if you have an inter-branch banking card, the kind that you
use to withdraw money from an automatic teller machine (ATM), then you've
probably already signed an agreement with the bank that reads something
like this:
This card belongs to the bank and is not the personal property of
the card holder. The card holder agrees not to give this card or
the password to anyone and the card holder will notify the bank as
soon as possible if and when it is discovered that someone other
than the card holder knows or may know the password...
Accordingly, if you give your bank card to a friend (or spouse, or family
member) so that he or she can pay your bills or make a withdrawal for
you, your friend could be charged under section 342.1 of the Criminal
Code.
The same type of restrictions may apply to your telephone answering
service (arguably a computer system) and to your Prodigy or Compuserve
accounts. In each case, the account and password are intended "for your
eyes only".
"But would anyone actually prosecute these cases?" you might ask.
Wouldn't banks and phone companies rather deal with these issues
privately, rather than drag them through the courts and risk all the
publicity and possible embarrassment associated with a trial? The answer,
in most cases, is "Yes." Banks do prefer to deal with these types of
cases privately. In fact, one Toronto bank manager told me that even
though Canadian banks are facing a growing number of cases in which
people are caught using their friend's banking cards, the banks prefer to
deal with the matter privately.
On the other hand, universities and employers are two groups of computer
owners who actually welcome the publicity and exposure associated with
criminal trials. Universities administer gigantic computer systems which
are used by thousands of staff and students on a daily basis. The people
who are hired to run these computers have a tremendous responsibility
and, generally speaking, not enough resources to do their jobs properly.
As a result, the universities prefer to see unauthorized users prosecuted
under the criminal law, since it provides a powerful form of deterrence
against future abuses. The rationale is that if people know that they're
likely to face criminal charges if they're caught misusing a university
computer, maybe they'll think twice before they abuse their own, or
someone else's, account.
The Policy Problem
------------------
The idea that universities or employers can rely on the criminal law to
protect their computer systems (and their telephone systems - see section
326 of the Criminal Code, which prohibits the theft of a
telecommunication service) raises the following important question: to
what extent should the criminal law be used to enforce private
agreements?
It's an interesting question and one that deserves further looking into
(see "What YOU Can Do!" below) On the one hand, anyone who gives their
password to a friend is an accomplice to a crime and could be prosecuted
as such under section 21 of the Criminal Code. On the other hand,
giving your password to someone is merely a breach of your contractual
agreement with the owner of the computer system. Should you be liable for
criminal sanctions for the mere breach of a contract? And if you
shouldn't be liable, why should the person who you gave the password be
liable? The easy answer is, of course, that the person to whom you gave
the password hasn't entered into a contractual arrangement with the owner
of the computer. But imagine for a moment that the person you gave the
password to has entered into an agreement with the computer owner (e.g.
another university student). If you give the password to that person, can
the computer owner still try to go outside the terms of the private
agreement that binds you and seek criminal sanctions?
Another interesting question is whether the password has to be given to
anyone at all in order to constitute an offence under section 342.1. Say,
for example, that you are a university student with a computer account.
The university has informed you that the account can be used only for the
purposes of your course work and e-mail, but not for reading Usenet news.
After diligently using your account for the sole purposes of calculating
integrals and sending e-mail to your Aunt May in Alberta, you finally
submit to the overwhelming temptation to read alt.sex.walter_mathau.
After several months, and countless computer cycles later, you are
informed by the university's computing staff that they have been
"monitoring your activities" and that you have made "unauthorized use of
a computer" system. Should the university be restricted to the terms of
its contract with you, or can it go outside the contract and request
criminal sanctions?
If it seems far-fetched that the university would press charges in the
circumstances just described, try to imagine this scenario. A private
detective needs to get the criminal record of a person she's
investigating to see if she can dig up any smut. She calls up her
policeman friend, who happens to work in the records department, and asks
him to pull the file. He sits down at his computer terminal and calls up
the record, then he prints it and gives it to the his detective friend.
Section 342.1(c) states the everyone who, fraudulently and without colour
of right "uses or causes to be used, directly or indirectly, a computer
system" is guilty of an offence. While it's true in this example that the
private detective doesn't have a contract with the police department to
shield her from criminal prosecution, the police officer who actually
used the computer does. Should the police officer be charged with the
unauthorized use of a computer system or should his employer be
restricted to the terms of the employment contract?
In the final analysis, Canadians have to ask themselves if they are
satisfied with the existing laws, like s. 342.1, designed to protect
society against the unlawful use of computer systems. Ultimately, it will
be left to all Canadians to decide if they feel that the existing laws
are too broad or too narrow. Some people may argue that the law is fine as
it stands and that it's only a question of degree and willingness to
enforce the law. As one criminal law teacher put it, "it's a crime to
steal pencils from your office, but it's never enforced." Well, hardly
ever.
-----------------------------------------------------------------------
3. What YOU Can Do!
====================
LoGIC would like to prepare a cogent, persuasive and ultimately useful
commentary for the Canadian Department of Justice on several of the
provisions in the Criminal Code of Canada. As part of the commentary, we
would like to address some of the issues de alt with above concerning
sections 326 and 342.1. If you, or any paralegals, law students,
associates, partners or plain 'ol concerned citizens, would like to write
a paper on this (or any other) topic, please do! Then send it to LoGIC
c/o sherlock@io.org or danshap@io.org.
If you don't want to write a paper (or even if you do) and you have some
extra research time on your hands :) please consider examining the
following points and writing to us with a brief description of your
findings:
1) Any cases which cite 326, 327, 342. 1 and 430 (re: data). To date we
know of the following:
R. v. Brais (1972), 7 C.C.C. (2d) 301
R. v. Renz (1974), 18 C.C.C. (2d) 492
R. v. McLaughlin (1980), 53 C.C.C. (2d) 417
R. v. Miller and Miller (1984), 12 C.C.C. (3d) 466
R. v. Lefave (1984), 15 C.C.C. (3d) 287
R. v. Fulop (1988), 46 C.C.C. (3d) 427
R. v. Duck (1985) 21 C.C.C. (3d) 529
2) If anyone could provide us with digital versions of the above cited
cases for our collection, we would also be grateful.
3) A summary of the distinction between "obtaining" and "using" a
service, as set out in the case of R. v. Miller and Miller, cited above.
4) All Canadian cases dealing with the public forum doctrine. This
doctrine, which allows for protests in public places, may be applicable
to computer environments.
_______________________________________________________________________
* * * * * * * * L o G I S T I C S * * * * * * * *
-----------------
Vol. 01 No. 01 September 1995 danshap@io.org
_______________________________________________________________________
To subscribe to the Anarchives send a message to majordomo@lglobal.com
subscribe anarchives
Check out the TAO web pages:
http://www.lglobal.com/TAO/
Reference in New Issue View Git Blame Copy Permalink