"Freedom Isn't Given It's Taken" The Anarchives Volume 2 Issue 8 The Anarchives Published By The Anarchives The Anarchy Organization The Anarchives tao@lglobal.com Send your e-mail address to get on the list Spread The Word Pass This On... --/\-- Unauthorized / / \ \ Access Of ---|--/----\--|--- A Computer \/ \/ /\______/\ by Jesse Hirsh In early march of 1995 I was arrested for "Unauthorized Use Of A Computer". Three large, white, plain-clothes detectives from 52 division in downtown toronto came to my house, promptly arrested me, took me to a holding cell, and conducted a strip search (looking for codes I guess). I was held in custody for four hours (7:30 pm to 11:30 pm), and released as a result of substantial protest made by friends and family at the sergeants desk. I was being accused of breaking into the computer systems at the University Of Toronto for the purpose of publishing "Anarchist newsletters". The sysadmin of ecf.utoronto.ca, one Professor Jack Gorrie , saw someone on his system publishing Anarchist materials, assumed I was a malicious "hacker", turned over all records of my email, news posts, key strokes, you name it, to the police at 52 division. The police realizing how dangerous these "hacker anarchist" types are, had to come to my house to cuff me, bring me down, and strip search me. All because I was using my brother and his friends' account. I was new to the Internet, and naively felt I had freedom of speech. Turns out that freedom, like freedom in the real world, must be authorized. Although my brother and his friend had no problem with my using the account, they of course are not the recognized "authorities". Only Jack Gorrie , the system administrator, has system authority. And good ole Jack, like many engineers, doens't like Anarchists. Instantly I learned the total lack of privacy (without encryption that is) on the Internet, and the simplicity of complete electronic surveillance. All my actions were turned over to the police, a stack of papers six inches thick. And of course this was their copy to keep. ;) I was to face trial for a possible six months in prison, just for exercising my democratic rights and responsibilities. Of course the end result was that the charges were dropped, although this was not until several months later (sept 7, 95), after several appearances in court, and after my agreeing to pay $400 to the skule. But nevertheless, this incident was indicative of a lot of emerging trends in our so-called information-highway: 1. What right do Sysadmins have in turning our shit over to the cops? 2. If there are "authorities" on the Internet, then clearly it's not an example of anarchy, which of course implies no authorities. 3. Where does the role of democracy fall within the practice of electronic surveillance? Did I have any rights in the first place? 4. Who enforces University regulations; the University? or the cops? I could have raised a lot of shit by dropping this publicly months ago when it was all going on, but to be honest I was scared shitless. I didn't want to be a guinea-pig for a law that had yet to make it to a court of law. My life had been thrusted into the public realm, and I was desperate to get it back. Fortunately I have good friends and family, who knew a good activist lawyer who was dedicated to keeping my ass clean. It's also worth noting that my brother, who at the time was completing his master's degree at an amerikkkan engineering lab was investigated by the FBI, upon prompting by the Toronto police. The FBI obviously found nothing wrong, but again, hastle where it should not have been. I could go on ranting about many of the other socio-political implications of these actions, but the purpose of this piece is merely to inform. Included in this message is a legal-summary of the case etc., written by friends of mine in LoGIC (Legal group for the Internet in Canada). Any other enquiries or what have you can be directed to me at jesse@lglobal.com Any complaints, flames, or random rantings can be sent to gorrie@ecf.utoronto.ca ;) _______________________________________________________________________ * * * * * * * * L o G I S T I C S * * * * * * * * ----------------- Vol. 01 No. 01 September 1995 danshap@io.org A Publication of LoGIC: The Legal Group for the Internet in Canada LoGISTICS: danshap@io.org (Daniel Shap) LoGIC e-mail: sherlock@io.org (Dov Wisebrod) Mailing List: logic-l@io.org WWW (under construction): http://www.io.org/~logic/ _______________________________________________________________________ In This Issue: ============== 2. The Jesse Hirsh Case 3. What YOU Can Do! ----------------------------------------------------------------------- 2. The Jesse Hirsh Case ======================== On Thursday, September 7, 1995, at 10am in Courtroom 126 of Toronto's Old City Hall, Jesse Hirsh was scheduled to go on trial. He was charged with "unauthorized use of a computer system" contrary to section 342.1 of the Criminal Code of Canada. Jesse had been caught using his step-brother's university computer account, as well as the account of another friend, to publish an anarchist newsletter to the Internet. Upon his arrest, Jesse assured the police that he had been given permission to use the accounts. However, the prosecution adopted the position that, since the university had a strict policy against allowing its users to share computer accounts, Jesse's step-brother and friend had not been permitted to give Jesse the necessary authorization to make use of their accounts. In other words, it didn't make any difference that his step-brother and friend knew that he was using the accounts, all that mattered was that he had actually used them. Jesse quickly set about hiring himself a good lawyer (Bob Kellerman) and prepared to confront the case against him. After many months of anxious waiting, Jesse's day in court finally arrived. On the morning of the trial -- mere minutes before the Court was called into session -- the prosection suddenly withdrew the charges. Jesse agreed to pay to the University of Toronto the sum of $400.00 as a token in satisfaction of the cost of using its computers. (The University had claimed $1600.00!) He was free to go. For Jesse, the prosecution's withdrawal signified the end of a long and harrowing journey. After countless sleepless nights, lying awake and worrying about the possibility of a criminal record -- or worse still, a jail sentence -- he could finally rest easy. But for Canadians everywhere, Jesse's story raises the ominous spectre of more cases like it in the future. Section 342.1 ------------- (1) Every one who, fraudulently and without colour of right, (a) obtains, directly or indirectly, any computer service, (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, or (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction. Section 342.1 of the Criminal Code of Canada is part of a series of new "high tech" crimes that were introduced a few years ago as Bill C-34. The law was also amended to expand the definition of "mischief" (see section 430) to include anyone who wilfully obstructs, interrupts, interferes, alters or destroys data. The purpose of 342.1 was, among other things, to prohibit anyone from making use of a computer system "fraudulently and without colour of right". In other words, if Jesse knew that his step-brother and friend were not permitted to grant him permission to access their accounts, but he used them anyway, then he would probably be guilty of a crime. On the other hand, if Jesse genuinely believed that his brother and friend could grant him permission to make use of the accounts, then he would likely possess the necessary "colour of right" to avoid a conviction. In creating a new category of crime which prohibits the unauthorized use of a computer system, the Canadian legislature was, presumably, trying to pass a law which would allow the police to control computer hackers. The term "hacker" is generally held to mean one of two different things: (1) anyone who likes to fiddle around (a technical term) with computers and their software; or (2) a person who breaks into computer systems. From the university's perspective, Jesse "broke in" to its computer because the university never authorized him to use those accounts. On the other hand, Jesse wasn't really a "hacker" in the true sense of the word because his step-brother and friend gave him the passwords. Unfortunately, the Criminal Code doesn't draw such a fine distinction. According to the law, if you use a computer system that you weren't suppose to, and you know it, then you're guilty of an offence and could be liable to imprisonment "for a term not exceeding ten years". But the law's clear-cut distinction between authorized and unauthorized use may have some very serious implications for Canadians everywhere. That's because many of the service contracts that Canadians enter into every day contain language which limits their right to transfer or assign the use of the service to any other person. For example, if you have an inter-branch banking card, the kind that you use to withdraw money from an automatic teller machine (ATM), then you've probably already signed an agreement with the bank that reads something like this: This card belongs to the bank and is not the personal property of the card holder. The card holder agrees not to give this card or the password to anyone and the card holder will notify the bank as soon as possible if and when it is discovered that someone other than the card holder knows or may know the password... Accordingly, if you give your bank card to a friend (or spouse, or family member) so that he or she can pay your bills or make a withdrawal for you, your friend could be charged under section 342.1 of the Criminal Code. The same type of restrictions may apply to your telephone answering service (arguably a computer system) and to your Prodigy or Compuserve accounts. In each case, the account and password are intended "for your eyes only". "But would anyone actually prosecute these cases?" you might ask. Wouldn't banks and phone companies rather deal with these issues privately, rather than drag them through the courts and risk all the publicity and possible embarrassment associated with a trial? The answer, in most cases, is "Yes." Banks do prefer to deal with these types of cases privately. In fact, one Toronto bank manager told me that even though Canadian banks are facing a growing number of cases in which people are caught using their friend's banking cards, the banks prefer to deal with the matter privately. On the other hand, universities and employers are two groups of computer owners who actually welcome the publicity and exposure associated with criminal trials. Universities administer gigantic computer systems which are used by thousands of staff and students on a daily basis. The people who are hired to run these computers have a tremendous responsibility and, generally speaking, not enough resources to do their jobs properly. As a result, the universities prefer to see unauthorized users prosecuted under the criminal law, since it provides a powerful form of deterrence against future abuses. The rationale is that if people know that they're likely to face criminal charges if they're caught misusing a university computer, maybe they'll think twice before they abuse their own, or someone else's, account. The Policy Problem ------------------ The idea that universities or employers can rely on the criminal law to protect their computer systems (and their telephone systems - see section 326 of the Criminal Code, which prohibits the theft of a telecommunication service) raises the following important question: to what extent should the criminal law be used to enforce private agreements? It's an interesting question and one that deserves further looking into (see "What YOU Can Do!" below) On the one hand, anyone who gives their password to a friend is an accomplice to a crime and could be prosecuted as such under section 21 of the Criminal Code. On the other hand, giving your password to someone is merely a breach of your contractual agreement with the owner of the computer system. Should you be liable for criminal sanctions for the mere breach of a contract? And if you shouldn't be liable, why should the person who you gave the password be liable? The easy answer is, of course, that the person to whom you gave the password hasn't entered into a contractual arrangement with the owner of the computer. But imagine for a moment that the person you gave the password to has entered into an agreement with the computer owner (e.g. another university student). If you give the password to that person, can the computer owner still try to go outside the terms of the private agreement that binds you and seek criminal sanctions? Another interesting question is whether the password has to be given to anyone at all in order to constitute an offence under section 342.1. Say, for example, that you are a university student with a computer account. The university has informed you that the account can be used only for the purposes of your course work and e-mail, but not for reading Usenet news. After diligently using your account for the sole purposes of calculating integrals and sending e-mail to your Aunt May in Alberta, you finally submit to the overwhelming temptation to read alt.sex.walter_mathau. After several months, and countless computer cycles later, you are informed by the university's computing staff that they have been "monitoring your activities" and that you have made "unauthorized use of a computer" system. Should the university be restricted to the terms of its contract with you, or can it go outside the contract and request criminal sanctions? If it seems far-fetched that the university would press charges in the circumstances just described, try to imagine this scenario. A private detective needs to get the criminal record of a person she's investigating to see if she can dig up any smut. She calls up her policeman friend, who happens to work in the records department, and asks him to pull the file. He sits down at his computer terminal and calls up the record, then he prints it and gives it to the his detective friend. Section 342.1(c) states the everyone who, fraudulently and without colour of right "uses or causes to be used, directly or indirectly, a computer system" is guilty of an offence. While it's true in this example that the private detective doesn't have a contract with the police department to shield her from criminal prosecution, the police officer who actually used the computer does. Should the police officer be charged with the unauthorized use of a computer system or should his employer be restricted to the terms of the employment contract? In the final analysis, Canadians have to ask themselves if they are satisfied with the existing laws, like s. 342.1, designed to protect society against the unlawful use of computer systems. Ultimately, it will be left to all Canadians to decide if they feel that the existing laws are too broad or too narrow. Some people may argue that the law is fine as it stands and that it's only a question of degree and willingness to enforce the law. As one criminal law teacher put it, "it's a crime to steal pencils from your office, but it's never enforced." Well, hardly ever. ----------------------------------------------------------------------- 3. What YOU Can Do! ==================== LoGIC would like to prepare a cogent, persuasive and ultimately useful commentary for the Canadian Department of Justice on several of the provisions in the Criminal Code of Canada. As part of the commentary, we would like to address some of the issues de alt with above concerning sections 326 and 342.1. If you, or any paralegals, law students, associates, partners or plain 'ol concerned citizens, would like to write a paper on this (or any other) topic, please do! Then send it to LoGIC c/o sherlock@io.org or danshap@io.org. If you don't want to write a paper (or even if you do) and you have some extra research time on your hands :) please consider examining the following points and writing to us with a brief description of your findings: 1) Any cases which cite 326, 327, 342. 1 and 430 (re: data). To date we know of the following: R. v. Brais (1972), 7 C.C.C. (2d) 301 R. v. Renz (1974), 18 C.C.C. (2d) 492 R. v. McLaughlin (1980), 53 C.C.C. (2d) 417 R. v. Miller and Miller (1984), 12 C.C.C. (3d) 466 R. v. Lefave (1984), 15 C.C.C. (3d) 287 R. v. Fulop (1988), 46 C.C.C. (3d) 427 R. v. Duck (1985) 21 C.C.C. (3d) 529 2) If anyone could provide us with digital versions of the above cited cases for our collection, we would also be grateful. 3) A summary of the distinction between "obtaining" and "using" a service, as set out in the case of R. v. Miller and Miller, cited above. 4) All Canadian cases dealing with the public forum doctrine. This doctrine, which allows for protests in public places, may be applicable to computer environments. _______________________________________________________________________ * * * * * * * * L o G I S T I C S * * * * * * * * ----------------- Vol. 01 No. 01 September 1995 danshap@io.org _______________________________________________________________________ To subscribe to the Anarchives send a message to majordomo@lglobal.com subscribe anarchives Check out the TAO web pages: http://www.lglobal.com/TAO/