The inspiration for this question is old and has been rattling around my head for months now, but I can’t find a concise answer. If the answer is, “It depends…” then so be it but I think there is probably a more clear-cut yes or no.
We all know that hacking is illegal and wrong, but what about guessing someone’s password? I am not talking about credit cards or bank accounts where one could do actual damage, but more like email accounts. And how would the “forgot your password” secret questions and answers play into that?
Hypothetically (and this is purely hypothetical) if someone who knew me guessed that I used “password001” as my email password, then logged in, read my email but did nothing with the contents ie did not make it public, print it out or act on it in any way, would they have committed a crime? What about he same scenario where they can’t guess the password but instead chose “forgot my password” and knew that my first car was an 81 Chevy or that my mother’s maiden name was DuPree? Depending on the email system they could then reset my password (and I would be locked out) or get access to the password itself. Would that be criminal?
Now I personally know better than to use a guessable password or even guessable secret question answers, and there is nothing interesting in my email anyway…but I am curious about the details of the legality.
When Sarah Palin’s yahoo account was “hacked” it wasn’t really…the guy just answered her secret questions and got access. In that case he actually made the emails public which opens a new set set of issues, but what if he hadn’t? Would it have been a crime and would it have been newsworthy? I know that was Sarah Palin, thus we heard about it, but what if he had used the same technique to get into my email account or yours or anyone who is not in the public eye. Worse? The same?
Most jurisdictions define computer crimes in terms of accessing systems to which you do not have legitimate access. Whether you gain that access by guessing the password or exploiting a web server loophole does not matter - you did not have a legitimate right to access the system, so your access was illegal.
I’d think it would be similar to going into someones closed retail business by guessing the combo lock on the back door. If you guessed right, entered the store, wandered around but took nothing and disturbed nothing and left, you could still be prosecuted for breaking and entering as well as trespassing.
That makes sense. But now I have a follow up question…If we are talking about ordinary people with ordinary, boring email accounts (or facebook, or myspace, etc.) is it a crime that will be heavily prosecuted as in “don’t do it or you will definitely go to jail” or is it a crime that will be dealt with but not as harshly as in “don’t do it or you will definitely pay fines and have a record”?
Would local law enforcement (or the FBI? I don’t know who deals with these things) laugh at me if I called them to report my gmail account had been compromised or that my ex-boyfriend changed the password or would they go after them to the fullest extent of the law?
They’d probably send a car over and unleash the stern talking to of god on him, but unless it’s recurring or a public figure it probably wouldn’t go beyond that (unless they also took the last 4 digits of your SSN or used it to recover your bank account password or impersonate you).
I agree in theory, but “trespassing” and “breaking and entering” are very well defined terms and compromising an account are not those. Much like the illegal downloading of copyrighted material is the same as “theft” but in legal terms it is not theft, but something else entirely.
I think what I am looking for (out of idle curiosity only) is the legal differentiations if any between hacking (using technology, programs etc. to break into an account) and simply guessing a password. Are they the same crime or is it something else?
If youre accessing something you do not have explicit access to and circumvent security, most likely youre violating one of many computer trespassing laws either on the state or federal levels. Just because its email and not banking doesnt make it right or legal.
Most likely. That person could report this to the authorities and get your arrested. See the Sarah Palin yahoo email hacker. He did exactly that. He was charged with a felony.
That’s kind of what I thought. Unless there is some actual damage or potential damage (identity theft etc.) it doesn’t seem high on the list of what I want my police department running around dealing with anyway.
But when it happens to a public figure, we hear so much about it (naturally) and it makes me wonder if every 15 year old boy who hacks into his girlfriends email account to see what she has been saying about him is potentially on his way to prison.
If it relates to a relationship, then it could also be a computer harassment related offense, which gives a whole new range of options for LEOs to apply.
The biggest issue is proving who accessed the email system from where - that involves ISP and mail provider records and information requests.
LOL that’s true too. But what happened is I googled this question particularly with regard to gmail and yahoo accounts earlier and got pages full of hits from what appeared to be young men looking for ways to hack girlfriends’ emails (or in some cases young women looking to hack into boyfriends’ accounts) and they all claimed to have a very good reason to do so.
That’s why I eventually turned to here where I could just ask my stupid question and get an answer rather than having to wade through the “how-to s” or “help me do it” requests. For the record I have no interest in hacking anyone’s account nor am I encouraging it in any way…I just wondered about the criminal aspect of it.
That’s why I was using my email as an example. It’s easy to find the laws regarding federal computers and disseminating the information and/or identity theft. What’s vaguer is the ordinary person (me) with nothing of interest using a home computer being hacked or password-guessed by another ordinary person with nothing to gain from it and who doesn’t do anything with it but annoy me. Is that crime as serious as identity theft or is it even a crime?
In your cite, it says:
.
So would that apply to the person who just guessed the password, logged on and read some emails, then went away without ever doing anything with the email they had read?
The cops in my town, would not do anything unless I could show them a crime had actually been committed. How am I going to show/prove to the local police detective that a crime really was done?
HOw the heck am I going to provide evidence not only that a crime* was* committed, but also how am I going to give enough evidence to the cops and to a judge to show them who did it in order to get a search warrant and an arrest warrant ?
How would I even know that somebody hacked my account? …or who did it? (Sarah Palin did not know anybody did it to her until he publicized what he found. If that Democrat’s son had not told anyone that he had hacked into Sarah’s account, she would still not know about it)
What exactly do I tell the police when I call 911 and the desk sargent answers the phone and asks me how they can help me? Of course, I would need a real live detective to come to my house, and not just the uniformed boys in blue that ride around in patrol cars all day catching speeders.
I dont think my local police station is even equiped to tackle something that a person only “suspects” might have happened.
Seems to me that it would be even harder to get the FBI to come to my house.
What if I could not prove that any particular person actually did it, but I could give a list of 10 guys who might have done it? …then would the FBI check out all 10 of them?
What if my account was not actually hacked into, but I wanted the police to go after somebody, for them to find out, and told the police that I think somebody might have accessed my account?
I saw a case like this in court last year. Someone had accessed her partner’s email account, and found proof of them having an affair. This lead to them splitting up. The partner had the woman charged with some computer trespass offense. There was no problem proving it, because she never tried to deny. The judge seemed annoyed about the whole thing, and the police prosecutor was a bit sheepish. It ended up with her being found guilty, but no conviction recorded, so no fine or anything. I don’t know if it would always play out like that. This was in NSW, Australia.
That is interesting. I wonder how it would have played out if she had denied it. As mentioned above, it would be hard to prove (if the guilty party didn’t confess it) without isp logs etc. and I think you would need enough proof to get those released…and even then if it was the same ip address…it just gets worse I think. But now I am going to research “computer trespassing” laws. Thanks.
The law in most jurisdictions is that unauthorized access to a computer is an offense.
As mentioned, the key is proving it. If the person realizes, say, after confronting the spouse/friend that they had better clam up, then it boils down to he said/she said once they deny it. If tehre’s not suficient proof for conviction, the prosecutor will likely not bother with charges.
At worst, the perp gets a free ride down to the police station and a grilling or a good-cop/bad-cop routine and a bunch of threats. If they are smart enough to still not crack, then where’s the proof? Maybe they’ll bother with IP addresses, but then there’s still the matter of who was driving the keyboard. In the ideal situation, the perp lives alone and nobody else uses his/her computer - so who else could it be? But if the perp told nobody except their cheating partner what they did (and the partner obviously has an axe to grind - relationship issues) why take it to court?
Is it worth a complete investigation and forensic check of the computer hard disk over what may turn out to be a suspended sentence or case dismissed? How hard would the police investigate a case where someone breaks into a store by guessing the combination, wanders around and takes nothing, doe no damage, and leaves locking the door behind them?
BTW, downloading a song is not “theft”, legal or moral. It’s copyright violation. The RIAA would like you to call it theft, but it’s not. You are not physically taking anything from the other party… unless you conceded that downloading when you have no intention to buy the song is NOT theft.
