“Self-Help in Cyberspace: Offense, Defense, and Both at the Same Time”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
Critical Infrastructure Conference
George Mason University Law School
May 9, 2003
Overview
Defining “self-help”
Offense, defense, and both
UCITA self-help
Berman bill
Conclusions
I. Defining “Self-Help”
Broad definition:
– Any action to prevent or resolve a dispute without official assistance of government official or neutral 3d party
Narrow definition:
– Repo actions to get back property when a debtor has not performed under a contract
Today: start broad, then look at narrow
II. Offense and Defense in Self-Help
Offense in cyber-security: an attack on their system
– Send virus
– High port attack
– And so on
This is typically a crime (Computer Fraud and Abuse Act) and/or intentional tort (trespass to chattels)
When is Offense Justified?
Privileges from traditional criminal and tort law
– Defense of property: allowed to use proportional force to repel the attack
– If someone is attacking your physical property, usually cannot counter-attack
– Usually not “self defense” because physical person is not threatened by cyber-attack
– In short, narrow privilege to use offense
When is Offense Justified?
What about offensive cyber-attacks in time of war?
Would generally be lawful where the war is lawful
– But, “perfidy” and limits on the U.S. Army pretending to be an authorized computer user
– Limits on collateral damage -- perhaps unlawful to attack zombie computer that fronts for the true adversary
Defense in Cyber-security
Presumptively lawful:
– Firewalls
– Anti-virus
– And so on
This is “my” system and I lawfully can protect it with the equivalent of locked doors, internal security, and bright outside lighting
Both Offense and Defense
“Interactive” computer systems
– My bits interact with your web page
– My software mixes with your data
– We lack the clear boundaries of real property law
Your cookies on my hard drive (are you attacking me?)
My surfing may exceed your stated terms of use (am I attacking you?)
Both Offense and Defense
Suppose your software is on my system
I want to de-bug or reverse engineer the software (circumvent the protective coating around your software)
Defense because it concerns (potentially malicious) activities inside my system?
Offense because I am circumventing the protections of your software?
Both Offense and Defense
Hence, the controversy in the anti-circumvention rules in Sec. 1201 of the DMCA
Compelling security principle that the defender can know what is inside the security perimeter
Compelling intellectual property argument that protection is needed to stop widespread piracy
How to Resolve Circumvention?
Sorry. Can’t do that today.
Analysis here shows the systematic challenges that Sec. 1201 will pose for those who want to have security within their system perimeter
Quite likely need more input from security community in ongoing debate
III. Between Offense and Defense -- UCITA
The “narrow” or “traditional” type of self-help
A lender/seller “gets back” its own property
– Repo a car
– Cut off the buyer’s access to software, where the buyer no longer has a legal right to it
UCITA
This is partly “defense” by seller
– The buyer has no right to the property
Basic common law questions:
– Is there an offensive tort or crime?
– Is the offense privileged?
– Key candidate for that is “consent”, like consent to battery (boxing), or to trespass (license to come onto property)
Is UCITA Self-Help Good?
UCITA described by Joel Wolfson
For software that expires in 30 days, few problems
– No offense involved
– Possible concerns about consent, so that the hospital system does not suddenly shut off
UCITA
Entry into buyer’s system to shut off software?
Significant “offense”
The battle in UCITA was over meaning of “consent”
– No mass market licenses
– No collateral damage
– Consent must be specific to the self-help provision
In favor of UCITA Self-Help?
In favor:
– The argument for contracts generally
– Expands range of possible bargains, increasing efficiency and choice
Worries about UCITA Self-Help
Concern of a security externality
Contrast a system with many “back doors” or “Trojan horses” under UCITA to one where this self-help is prohibited
Technical question how much these holes in defense will undermine overall security of networked systems
Benefits of contracts vs. security externality
IV. Between Offense and Defense: Berman Bill
Joel Wolfson has described it
Basic idea: where have wrongful conduct (copyright infringement) the owner can destroy the infringing material
Physical world: car owner could destroy the car held by borrower who didn’t pay or by a thief
Berman Bill
Common law
– Some authority for strong self-help if the thief holds your car -- break into the yard, etc.
– No privilege of consent, however, as in UCITA
“Offensive”
– Launch computer attack
– A stranger’s computer
Berman Bill More Worrisome than UCITA Self-Help
Security externality of Berman
– “Breach of the peace” worries where authorize attacks on strangers
– Current draft allows a lot of collateral damage
– Unclear effects on infringers vs. system owners (what if a University server is destroyed?)
Legal line drawing problems
– Similar authority to delete hate speech, defamation, obscene material, anti-government political speech, etc.?
Conclusions
Framework of common law and privileges such as defense of property and consent
Framework of offense (usually bad), defense (usually good) and both (usually hard)
Need more legal research into physical world analogies
Ultimately, benefits from self-help vs. costs to building insecure systems
Contact Information
Professor Peter Swire
phone: 240-994-4142
email: [email protected]
web: www.peterswire.net