DnA 6-4: The california anti-hacking laws
Written 11/30/93
by The Shadow
This article only talks about California's criminal penalties for hacking. There are civil remedies, and provisions that permit the feds to seize all equipment used in hacking, as well. I've chosen California's law because I live there, and because it is one of a number of virtually identical "Computer Crime" laws that have been passed in various laws over the last decade. There may also be Federal anti-hacking laws, but I haven't looked at them yet. Furthermore, there are separate laws that deal with phreaking, carding, and other matters. I'm not dealing with any of those in this article, but if the interest level is high enough, I may write about the other laws in future DnA issues.
First, the bad news. California's anti-hacking laws are pretty broad. No, I take that back. They are incredibly broad. "Computer Crime" is defined by California Penal Code section 502. If you haven't read it before, I urge you to read it now. Why? for three reasons. First, we, as hackers, need to know what we're getting ourselves into legally. That way, if we cross the line (we almost always do) when we hack, we do it consciously. Second, if we are caught, we need to be aware of why the feds are asking a particular question-- in effect, what part of the case against us are they trying to make? Third -- and most important -- we need to know how we can get around the law, or at least, minimize any penalties if we are caught. 1/
_______
1/ By the way, I hope that if ANY of you get caught and questioned, your first response is, "I want to talk to a lawyer before I discuss anything with you." See, that means the feds have to stop questioning you, and let you talk to a lawyer before they continue. With the advice of a good lawyer, you know what you're getting yourself into before answering any questions. And regardless of what any cop says, they don't "go easier on you" if you "cooperate" by telling them everything. They hate you and fear you, and all they care about is making a case against you. Only the D.A. can cut you a deal. Read about Robert W. Clark's ordeal in Phrack 4.3 if you have any doubts.
The heart of California Penal Code section 502 reads:
"Any person who commits any of the following acts is guilty of a public offense:
- Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.
- Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.
- Knowingly and without permission uses or causes to be used computer services.
- Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.
- Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.
- Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.
- Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network in violation of this section.
- Knowingly introduces any computer contaminant into any computer, computer system, or computer network."
The law also defines most of the terms used above. "Computer network" is defined as "any system which provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities."
"Data" is defined as "a representation of information, knowledge, facts, concepts, computer software, computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device."
"Access" means "to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network."
"Permission" is not defined in the statute, but where a term is not defined, you use the ordinary English meaning. "Permission" is defined in the American Heritage Dictionary, second edition, as "formal consent."
"Computer contaminant" is defined to include virii, trojans, and anything else that damages a computer's software.
Well, that's the heart of it. Let's look at each of the sections above and try to determine what they mean, and how they apply to hackers.
"(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data."
The section above should not apply to the pure hacker. It is obviously intended to catch people working the "Salami scheme," and similar scenarios. (For those of you not familiar with it, the Salami scheme is the one that skims a small amount of money off a lot of accounts in some relatively undetectable pattern and transfers it to the "hacker" in some way.) But read the section again. You apparently violate it if you "access" and "without permission" "use any data" in order to "obtain data." Arguably if you download a user list and use that list to obtain another user's password, you've violated the section! But you also violate this section if you "access and without permission...use ...any computer...to obtain...data." For example, if you are in a computer store, go over to a computer and "without permission" use the demo of the CD-ROM Encyclopedia Britannica to look up an entry without first asking for permission -- i.e., formal consent -- you've just commited a computer crime!
Let's look at the next section.
"(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network."
It's fairly clear that this section was intended to make trashing illegal. But there's a flaw in the section. It requires you to "knowingly access" the documentation. And as you saw in the definition above, "access" requires you "to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network." If you trash, you are not gaining entry to any part of a computer, so you can't violate this section by trashing!!
Let's look at section three.
"(3) Knowingly and without permission uses or causes to be used computer services."
What the fuck is this!!?? "Computer services" is defined in the law as "computer time, data processing, or storage functions, or other uses of a computer, computer system or computer network." So, in other words, if you use a computer in any way without permission, you're fucked.
Section four makes the following illegal:
"(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network."
This section makes it illegal to change any info on a computer. Not a big problem if you are into traditional hacking, and not into doing any damage to a system you are on. But, if you alter the user list to give yourself an account, you've violated this section.
Section five:
"(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network."
This refers to actual damage. I think we all know that if you crash a system or lock an authorized user out, we've committed a crime. This is the section that makes it a crime.
Section six:
"(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section."
This section says that if you help someone break into a system, you're as guilty as if you were breaking in yourself. That's standard law. "Aiding and abbetting" is always considered the same as actually doing the act, and there's nothing particularly unusual about this section.
Section seven:
"(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network in violation of this section."
I've pondered this one for days. I don't think it adds anything that isn't already there in the other sections. But it's here, anyway.
Section eight:
"(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network."
Well, this is obvious. Using a virus, trojan, or other destructive program to trash a system is illegal. This part of the law was passed later, in 1989, so apparently the legislature felt that the other sections of the law do not apply to destruction of a computer system by virii or trojans. That's important to know, because if you are ever nabbed for uploading a virus and are charged with one of the other sections, you might be able to get the charges dismissed.
Now, what happens if you are convicted under any of these sections? Well, obviously it will depend on a lot of different things. But, here is what the authorized penalties are. The lightest penalties provided are for a first violation of sections six, seven or eight where there is no injury. A first violation gets you a maximum fine of $250 and no jail time. However, for violations that cause damage, for violations of the other sections, and for second violations, the penalty goes up increasingly, up to a maximum of $10,000 and 3 years in jail.
Pretty broad, eh? Well, that's the bad news. Now the good news. If you find yourself charged with violating any of these sections, there are some defenses you might try, some of which you would have to do before you even start to hack a system.
First, paragraph (h) of the law provides that none of the above conduct is illegal "to any person who accesses his or her employer's computer system, computer network, computer program, or data when acting within the scope of his or her lawful employment."
This means that if you are acting in the "lawful course of your employment" on your employer's computer system or network or using your employer's data, none of the above sections can be used to prosecute you.
Second, paragraphs (h) and (i) provide that, even if you are NOT acting in the "lawful course of your employment," you can not violate sections 2, 3, 4 or 7 on your employer's computer system or network or by using your employer's data, as long as you don't cause any harm and the value of "computer services" used is less than $100.
What does this mean? Well, it means that, if you want to avoid illegal hacking, use your "social engineering" skills to get a temporary or part-time job at the company whose computers you plan to hack. If you are a student, hacking into a school system, get a work study or other part time job at some admin office for a few days while you are hacking. Yeah, I know, it feels a lot safer hacking from the relative anonymity of a remote computer terminal. You can still do that. You don't have to be on the job while hacking--just an "employee." And besides, if it's not illegal, who cares whether you are discovered? What are they going to do, fire you?
Third, the breadth of the law itself can be used against it. You see, there's this little thing in the 5th and 14th Amendments of the Constitution called the "Due Process" clause. It says that the government can't deprive you of life, liberty or property "without Due Process of law." That has been interpreted to mean that, essentially, if a law is so broad that it prohibits a lot of legal conduct along with the illegal conduct, and the law is not "rationally related" to the evil that it is trying to prohibit, it is unconstitutional. "Due process" also makes it unconstitutional for a law to be so vague that you can't reasonably understand what is illegal.
This "Computer Crime" law came about as the result of a lot of paranoia about hackers, and in making itself as broad as it did, it appears to prohibit a LOT of legitimate conduct. Therefore, this law potentially violates "due process" and is unconstitutional. So, if you are ever in a situation where you are on trial for a violation of this law, show this article to your lawyer and ask him or her whether s/he thinks you should challenge the law as a "due process" violation.
A fourth potential defense to the law relies on common sense. In the case of Mahru versus Superior Court, volume 237 of the California Reporter, page 298, one of the only two cases decided under Penal Code Section 502, the California Court of Appeal in Los Angeles said:
"The urge to spite others is one of the more miserable concomitants of human intelligence. Compared to human behavior as a whole, relatively few forms of spiteful conduct are [criminal]. More often they are merely upsetting and reprehensible. The legislature could not have meant, by enacting section 502, to bring the Penal Code into the Computer Age by making annoying or spiteful acts criminal offenses whenever a computer is used to accomplish them. Individuals and organizations use computers for typing and other routine conduct in the course of their affairs, and sometimes in the course of these affairs they do vexing, annoying, and injurious things. Such acts cannot all be criminal."
Page 300. This quote clearly expresses the Court's concern over the breadth of the statute. What the Court seems to be doing here is trying to save an unconstitutional statute by saying that, just because an act appears to violate the statute, it may not be a crime. Instead, the court will look at whether what you did is inherently evil, or just a "vexing, annoying or injurious" prank. In the Mahru case, a company had a contract to provide data processing services to a credit union. The company put its terminal in the credit union, and helped credit union employees operate it. The credit union later broke its contract with the data processing company and hired another company to provide data processing services. The first company re-named some of the programs on the system and did not run the procedures to bring the tellers on line, so that the relatively computer-illiterate credit union employees could not use the system. The court held that this did not violate Penal Code section 502.
What does all this mean? Well, first of all, it's just one more reason that the law can be said to be unconstitutionally vague. Second of all, it probably means that, unless you do some serious damage to the system, you're not likely to get hit very hard for hacking, if you are hit at all. (Perhaps this is why the only other case decided under Penal Code section 502, People of California versus Gentry, California Reporter volume 285, page 591, involved a "credit repair scam," where the computer crime charge was just one of a number of fraud charges against the defendant, who created fake IDs for his clients, went into TRW's records, and created fake credit histories so that they could get credit.)
So, if you want to avoid criminal prosecution, use common sense. Don't trash a system once you are inside. If you decide to trash it, the penalties are more severe, so you darned well had better not go around bragging about it.
And, in the meantime, if you think that this law is ridiculously draconian and paranoid (I do), do something about it. There are a lot of ways to get involved with changing your world, and files on some of them can be found on DnA. Check it out, and don't be one of the mindless, directionless minions that accept tyranny, facism and mediocrity in lawmaking and government. Make a difference. Educate yourself on what's out there, and change what you don't like!
-=-=-=-=-=-=-=-=-
If you have any questions about any of the things in this article, I can be found both on the DnA and on the Digital Decay BBSes in Orange County, California.