For all those who don’t know, Gl0worm’s antics have spawned another definition of “Don’t Be a Jerk”. From the registration agreement:
Seems like Ed, et al. DID take this, and potential future html abusers seriously. Glad to see it.
Sue from El Paso
Does being married to another poster make me part of a clique?
Experience is what you get when you didn’t get what you wanted.
Konrad, I beg your pardon, but I’m not sure you’re correct. The on-line Merriam-Webster defines vandalism as “willful or malicious destruction or defacement of public or private property.” If a web page is the property of a person, it seems to me, from a fair reading of that definition, that it could be “vandalized.”
That is, indeed, a more fruitful area of inquiry. I agree that trying to prosecute someone for changing a web page, using the same law crafted for the prosecution of spray-painting a stop sign, would not work. So you’re very right, Konrad, when you suggest that calling it “vandalism” is less than technically accurate.
In Virginia, as an example, there is a crime called “Computer trespass.” (Code of Virginia, § 18.2-152.4) It provides that it is a crime for anyone to, inter alia: “…[without authorization], use a computer [to]: 1. Temporarily or permanently remove, halt, or otherwise disable any computer data, computer programs, or computer software from a computer or computer network.”
The punishment ranges from a Class 3 misdemeanor to a Class 6 felony, depending on the amount of monetary damage caused.
So, Konrad, you’re quite correct when you suggest that “vandalism” is not a technically accurate legal term to apply here. But I hope you’ll consider that as a descriptive term, it has some value. But for the legally accurate description of the crime, perhaps we should use “computer trespasser.”
Well that’s what I’m trying to say, it does not fall under the legal definition of vandalism. After all, we are talking about whether or not charges could be pressed. You can’t call the cops and say “According to my dictionary this person vanalized my computer”.
When it comes to computer tresspass that’s something completely different and I don’t think it can be applied to this case either. Gloworm was granted access to the board and she used the priveliges that her account was granted (html codes). There’s no law that she can be charged with breaking.
I am the first to admit that the laws haven’t exactly caught up with the technology.
But let me give you an example. In my company’s home office (not the Pentagon; I work for a defense contractor and we have a corporate office in Northern Virginia) we recently terminated a subcontractor working there.
He was supposed to administer, among other things, the routers and firewall protecting the corporate network from the Internet. In accordance with that job, he had root (administrator-level) access to both the screening and choke router, and to the firewall.
He did not, however, set the company policy. The corporate access policy was set by a company executive, and all employees and subcontractors were required to sign a form indicating that they understood the rules.
This particular subcontractor did a lot of work from home. Although the policy specifically forbid it, he “punched a hole” in the firewall allowing a Windows NT mapped drive to be created from the Internet to internal servers. This way, he could map a drive to his work directory from his home computer. He also disabled the logging feature of the firewall for his work IP address. He did this, we think, so that he could visit porn sites at work without any record being made of it.
Both these actions allowed him to circumvent corporate policy.
When this was discovered, we banned him from the office, deleted his accounts, and asked the Commonwealth’s attorney to charge him with ‘computer trespass.’ Now, you say:
Note that the situation here is somewhat analogous. This person was also legitimately granted access to our network, and used the privileges his account had. But nonetheless, what he did was a violation of Virginia’s computer trespass law, because he used those privileges without valid authorization.
Although the charges were eventually dropped in exchange for his agreement not to contest the termination of his contract, we believe that the charges would have stood up in court.
Unfortunately, because we couldn’t prove a specific monetary damage, it would have been prosecuted as a Class 4 misdemeanor in Virginia. The maximum penalty for that level of offense is a $250 fine - no jail time.
Now, I grant you that the situation with gloworm is far from clear. For example, she could say that she was never told she wasn’t supposed to use HTML to cover up the board’s advertisements. She might claim that as far as she knew, she was authorized to do anything that HTML let her do. To violate any law requires a mens rea, a “guilty mind.” The mens rea for different crimes is different; there are general intent and specific intent crimes, and she might easily claim she lacked the requisite mens rea to be guilty of computer trespass.
But those would all be questions of fact for a jury to decide – would the jury believe her if she said that she thought she was authorized to block the ads? I don’t know… but I can easily make the case that what she did was a violation of the law, and she can make a case that it wasn’t.
But when you say,
I’m not sure I agree. At the very least, she could be charged with a violation of this law. Convicted would be an uphill battle, without doubt.
So this guy in your office that got fired, he could have been charged even though he wasn’t doing what he was doing for malicious reasons?
Correct. “Malize” is not an element of the offense of computer trespass. It is an element of some crime, though.
Don’t confuse malice with mens rea. Malice is a species of mens rea, but not all mens rea is malice. Does that make sense?
Sheesh.
Z and C aren’t even next to each other. How did that one happen?
Bricker: The main difference between the 2 cases is that your guy was doing somemething he was not authorized to do. He penetrated the security of the site. He gained access to the computer in a way he wasn’t supposed to. That is computer tresspass.
Gloworm did not gain access to any computer in any way that she wasn’t supposed to. That’s why it can’t be computer tresspass.
Let’s say that, while at work, your guy chose to erase some data from the computers. Could he be charged with computer tresspass? No. He was doing something that he was given access to. He would then be charged for breach of contract and he would be sued for the damages. (There doesn’t need to be a contract on paper, when he took the job he was obviously entering in a contract to do certain duties in exchange for a salary.)
Gloworm can’t be charged for computer tresspass for the same reasons as the above example. If there were some kind of user agreement that you agreed to on joining the site then she could be charged with breach of contract. (assuming that the agreement disallowed messing with the html) Right now there is no law, including computer tresspass, that she could be charged with. The SDMB is a public website with certain features which she used. Nothing illegal there.
Actually, I’m going to disagree with you. If my guy had erased data without authorization, his conduct would fall squarely within the ambit of behavior that is prohibited by the computer trespass law. If he erased data with authorization, on the other hand, he would be acting legally.
But your example may highlight why we’re disagreeing about this case. By George, I think we’ve got it!
Let’s say my guy erased a bunch of data because one of the server volumes was nearly full. And let’s say we got furious at him, because the company president’s personal Mah Jongg game was erased, and we sought to have him charged under this law.
We might say, in effect, “Hey - nothing we ever did or said to you authorized you to delete data. Therefore, your deletion was unauthorized, and a crime.”
But he might respond, “Look, when you asked me to administer this system, it carries with it a clear implication that I have the authority to prevent system crashes. I erased the data on that volume as an exercise of that authority.”
He might be a terrible systems admin in that example, but I agree he’s no criminal.
You are correct that he would also be breaching his contract, but that would be a concern for the civil courts, not the criminal courts.
Drawing the analogy to gloworm’s case, we might now be saying, “Look - when we let you post here, it was with the clear understanding that you confine your posting to the text boxes that the system set up.”
Gloworm might respond, “Sez you! You authorized me to post, and authorized me to use HTML in my posts. As far as I can see, that meant I could use HTML to post my messages. If you didn’t want people to mask your ads, you should have told me. But I masked that ad as a valid exercise of the authority you gave me to post.”
Is that a fair analysis?
That is indeed where we disagree. Computer tresspass refers to the actual act of breaking past security, what happens afterwards is not taken into account except in assessing the damage the violator is to be charged with.
This guy would not be charged with computer tresspass but with breach of contract. If you invite someone to your house and they steal your cat that is not break & enter. That is just theft, even if you specifically state that by entering your house they agree not to steal your cat.
The rest of your post pretty much sums up the arguments.
Anyway the most important thing is the authorization part. Computer tresspass is a criminal offence. There is no way you’re going to prove beyond a reasonable doubt that what gloworm did was 1. Not authorized 2. that it damaged the site.
Authorization means that is was something her access level could do. By giving her access to use html codes you have de facto given her authorization. That might not hold up in a civil case, especially if she had agreed to some sort of behaviour code, but it would in a criminal case.
But, Konrad, remember the actual words of the law that defines the crime:
I think you may be seeing the word “trespass” and drawing an analogy to physical trespass. But the crime of computer trespass, at least in Virginia, means to, without authorization, “…temporarily or permanently remove, halt, or otherwise disable any computer data, computer programs, or computer software from a computer or computer network.”
It doesn’t say you have to break past security at all.
This is turning into a really interesting discussion. I’m confused, though.
What happened to ‘ignorance of the law is no excuse?’ If I walk into a store, put a thousand dollars worth of stuff into my pockets, and walk out, can I justify doing so on the grounds that I didn’t know I was supposed to pay for it?
Felice
“There’s always a bigger fish.”
Well, I don’t have to prove that it damaged the site. That’s not an element of the offense.
But I would have to prove that she acted without authorization; you’re one hundred percent correct. And your argument, above, about authorization, is reasonably strong.
I agree it would be practically impossible to convict her.
No.
Why not? Because you know or reasonably should know that you must pay for merchandise from a store. Although if you can raise sufficient facts about your particular situation that make it possible that you really didn’t know you have to pay for merchandise… it might become an issue of fact to be decided by a jury. In other words, you explain to the jury why you didn’t know that you had to pay, and if they buy your explanation, you would have negated an element of the crime.
But that’s a huge road to climb.
Oh, how interesting. So when I was 18 and moved to a state with a drinking age of 21, coming from a country with no legal drinking age, I could have gotten away from an underage drinking conviction on the grounds that I really didn’t know I had to be 21? Shucks, I wish I’d know that XX number of years ago!
Another word on the “ignorance of the law is no excuse” phrase.
In general, that’s true. You are presumed to know the law, and are responsible for breaking its prohibitions.
But a law can be written in a way as to be incredibly vague, so that a person of ordinary understanding would not know exactly what conduct is prohibited. In such a case, the law may be challenged on constitutional grounds as “void for vagueness.” The idea is that a vague law offends the due process clause. If a law doesn’t tell a resonable person what conduct it forbids, then that reasonable person isn’t getting “due process of law.”
What sparked this, though, was the discussion of mens rea. In this is found, among other things, the common-law mistake of fact defense. Suppose, in the “$1,000 worth of merchandise” situation above, that a store employee came up to you and told you that you were the store’s one millionth customer, and that you had won a thousand dollars worth of free stuff. So you pack your pockets full and leave, with the employee waving goodbye.
Outside, you’re arrested. It turns out that the “store employee” was just a guy wearing a name badge, playing a prank. Are you guilty of theft?
No. Because you lacked the requisite mental state, you were not committing the crime of theft.
Now, if the store didn’t believe you, and thought you were in cahoots with the guy, they might press charges, and you might have to stand trial. Then it would be up to the fact-finder (the jury, or the judge in a bench trial) to hear the testimony and weigh the credibility of everyone they hear.
The mental state of a person committing an act almost always is an element of the offense. Even if the legislature doesn’t write it in to the law, due process demands that someone mean to commit a crime before they can be convicted of a crime – OR that they are acting dangerously and negligently, and so can be held accountable if a crime happens.
Let’s say you fire a shot down the street to test your rifle… and you accidently hit and kill someone. You had no intent to kill them. But you acted in a way that no reasonably prudent person would. So if someone dies as a result, you are guilty of a crime – but not as serious a crime as if you aimed and shot at the victim deliberately.
Then there’s the doctrine of transferred intent… but I’ve babbled and hijacked enough.
Once, probably. Provided, of course, that you were (a) at least the drinking age of the jurisdiction in which you were last travelling and (b) there was no sign prominently posted stating that you have to be 21YO to drink in the establishment in which you were caught.
An aside: I am interested in which jurisdictions have no drinking age. Could you name one or more? Usually I hear that applied to Mexico (which I believe has 18YO in most states), the Philippines (18 or 21YO), and Japan (20YO).
Germany, as a matter of fact.
Felice: Germany has a drinking age, it’s just not enforced.
Bricker sez:
Doesn’t matter. Unless both gloworm and the SDMB are in Virginia it will be dealt with under federal law. (I’m pretty sure that’s the way the legal system works. Either way, I’ve never heard of an internet-related crime being prosecuted by a state. They probably hand it over because they don’t know anything about computers.)
The feds usually prosecute for either 1) fraud or 2) hacking through security. Like I said before, what happens after you break through, with few exceptions, counts only towards your sentencing and not what you’re charged with. One exception is if you hack into a system and steal credit card #'s they can charge you with with both crimes. But that’s only because stealing CC #'s is a crime by itself.
Officially, no. Realistically, it will probably never get to court for less than a few thousand dollars of damage. They’ll usually scare the defendant with threats of jail and so on and hope that he’ll either settle out of court or plea bargain.
For what gloworm did they won’t care. In fact, I was exagerating when I said they’d laugh. That would be giving the matter too much attention. They’d probably just hang up as you’re talking to them or transfer you to a random number.