US law struggles to keep up with new capabilities in collaborative computing environments
I suppose any article on the law should include a disclaimer at the top. I am not a lawyer, nor do I play one on the Internet. Take everything you read here with a largish block of salt.
Computer security has always had a law enforcement aspect, but the law consistently lags behind the technical cutting edge. Recent advancements in software design and the advent of geographically distributed applications puts the law even further behind than usual. The time has come to rethink computer security law in light of advances in software architecture.
A Brief History of U.S. Computer Law
Federal computer law in the United States began in earnest with the Computer Fraud and Abuse Act of 1986 (CFAA), which was a rewrite of a failed 1984 statute. CFAA covers six types of computer crime, all of which involve unauthorized access to someone else's computer. The law has a clear focus on access over a network.
Another law introduced in 1986, the Electronic Communications Privacy Act (ECPA), criminalized unauthorized network sniffing and other interception of data. Once again, note the emphasis on the network. Marck Rasch's excellent introduction to computer security law covering these statutes in greater detail is worth a quick read.
As computer crime evolved to include malicious exploits such as viruses and worms, early statutes began to show their age. A 1992 amendment extended the law to cover the authors of malicious code and denial-of-service attacks. Still, current computer law focuses much more attention on network security than on anything else.
In late 1998, the U.S. Congress enacted the Digital Millennium Copyright Act (DMCA). The law criminalizes both the production and distribution of technology meant to circumvent copyright protection mechanisms. In other words, it restricts certain activities surrounding digital rights management (DRM) and other security technologies that are meant to enforce copyright laws. It also heightens penalties for copyright infringement on the Internet. The European Union has a very similar law.
The DMCA is not without controversy. Many people believe that it goes too far to uphold the rights of copyright holders, even to the point of stifling competition. Ironically, the raison d'etre for the DMCA (bolstering DRM with the law) may be itself eroding.
Princeton professor Ed Felten argues that "as the inability of DRM technology to stop peer-to-peer infringement becomes increasingly obvious to everybody, the rationale for DRM is shifting." Eventually debate over DRM will shift away from copyright enforcement, he says. Felten made this argument at the Usenix Security conference in 2006, and later blogged about the ideas.
Another way that computer security law is evolving is through case law that sets precedents. Precedent-setting involves extending existing bodies of law, such as wirefraud law, to apply to computer security.
Exploiting Online Games Is Legal?
At the eCrime Researcher's Summit this month, academics and law enforcement gathered in Pittsburgh to discuss spam, phishing, and massively distributed applications. I gave a keynote based on my work in online game security.
One interesting aspect of online games is the legal limbo they inhabit when it comes to security. Put simply, the state of computer law regarding cheating in online games is murky at best. Nobody is sure what is legal and, more importantly, what is not.
The problem is that it's possible to convert hacking skills into money by conjuring up virtual items in a game, either by exploiting a bug or by creating and using a bot. These exploits can then be sold in a burgeoning online market.
Malicious hackers have flocked to the online game domain because there is money to be made. Due to the sheer size of the middle market, the U.S. Secret Service acknowledges that online games such as Second Life and World of Warcraft have been used to launder money.
In addition, it is possible to cheat by manipulating the parts of a massively distributed online game that exist on your own PC. That is, the game client program on a gamer's PC interacts with the central game servers over the Internet, and cheating can be accomplished without any network security shenanigans by focusing attacks on the client software.
By attaching a debugger to the game program on the PC, or by manipulating the game program by poking memory values directly on the PC, a gamer can cheat... on his or her own PC. Greg Hoglund and I describe these and other techniques commonly used to hack games in our new book, Exploiting Online Games.
Think about the old game hacking chestnut that involved editing a high score file on your PC to make your Tetris score seemingly untouchable. There's nothing illegal about that! The question is where to draw the legal line when it comes to manipulating things on your own PC. If parts of a massively distributed online game reside on a PC, can you change them? What's at stake is virtual property and lots of money.
The whole notion of virtual property rights in online games is a tricky one. Games such as Ultima Online, Second Life, and World of Warcraft have their own virtual economies that involve licensing and developing virtual property. Middle market companies like IGE can convert virtual wealth into hard currency.
Property rights in Second Life have already led to interesting legal entanglements. Marc Bragg, a Pennsylvania lawyer, discovered and exploited a bug in Second Life program allowing him to bid on virtual real estate that wasn't yet open for auction. By URL parameter tampering, Bragg became a virtual real estate baron. Linden Labs, the game company behind Second Life, took a dim view of this approach and canceled his account.
In a pending lawsuit, Bragg argues that Linden Labs unfairly confiscated $8,000 worth of his virtual land holdings by shutting down his account. But Linden Labs and some Second Life players counter that Bragg was hacking their systems. (Bragg made money by renting his virtual land to other Second Life players.) Who is right? To me, the law is not very clear.
When Linden Labs first started, they used to say that users owned property in Second Life. Now they say that users own licenses to the property, legally similar to software licenses in the real world. That's a subtle but important change in perspective and it doesn't make the legal situation any clearer.
That brings us to the infamous End User License Agreement (EULA). The DMCA and the EULA are the two main legal weapons in the game companies' anti-cheating arsenal. However, EULAs have a spotty track record when it comes to the law. In many cases, EULA terms "agreed to" by software users have not held up in court.
Some people believe the idea of EULAs has not been appropriately tested in court, thus the EULAs can't be valid. This is a misunderstanding of contract law. The only way EULAs have been challenged successfully in the past is by objecting to the contract terms. In some cases, only certain terms are found objectionable. As a result, EULAs sometimes hold up in court and sometimes dont.
Ultimately, the state of the law and its application to online game security is unclear. Because of the amount of money involved in online games, this legal limbo is a bad situation.
The Law Must Evolve
If you believe, as I do, that online games are a harbinger of computer security attacks that may evolve along with SOA, software as a service, and Web 2.0 architectures, you can see the legal problem that we're creating for ourselves. (See Online Games to Cause Software Security Issues.)
The kinds of legal tangles we see today in online games are the same kinds of legal tangles we're likely to encounter in other domains. If a system includes critical functionality that runs on machines that belong to others (including potential attackers), it is not at all obvious how the law is to be applied or when. The law is once again in catch up mode when it comes to computer security.
Gary McGraw is CTO of Cigital Inc. Special to Dark Reading