Is BO Legal?

Is It Ethical?

Friday, 9 October 1998


I've been asked a number of times whether the use of Back Orifice is illegal.

The issues are not simple. The terms and the laws vary from place to place.

(Please do not take anything I say here as legal advice. I am not a lawyer.)

What is at legal issue with something like BO is usually referred to as "computer trespass," "unauthorized use," and/or "unauthorized access."

Jurisdiction (the question of whose law or authority applies) becomes a major issue in matters of computer intrusion over the Internet. How to deal with a crime done on a computer system by someone 9,000 miles away in an entirely different country? This is a question I don't think is usually solved in any but a case-by-case manner.

Within the US a similar complexity applies because each of the 50 states has its own laws, and the differences in those laws can be dramatic.

I'm not altogether sure of all the bases on which jurisdiction is determined, but I have some broad understandings I believe to be accurate with respect to US law, to wit: I believe one would have to access a Washington State computer to get in trouble under Washington law; and I suspect the Washington State law might _not_ apply if, say, someone in Washington hacked into a California system. Federal law applies mainly to crimes that extend beyond State jurisdiction but State laws may ALSO apply. Thus the Washington-California example would have to be prosecuted under California or Federal law or both. (If I'm wrong in any of this I invite anyone more knowledgeable than I to correct me.)

So what about the laws themselves? How do they define what's illegal?


US Federal Law

I have looked up a number of references to US Federal law including the laws themselves (not easy reading), but this summary appears to agree with everything I have read and is by far the most concise (as much as legalese ever IS concise). This is a big quote, but worth reading...

From Crime Online (Critical Issues in Cyberspace - Copyright 1996 Frank A. Cona & Michael D. Palage) http://www.ipwarehouse.com/IP_Library/Drexel_Course/com_crime.htm:

Federal Computer Crime Laws

There have been a number of federal and state laws enacted to address criminal activity online. These laws define various acts as criminal and proscribe remedies for users or system operators who find themselves victims of such crimes. These laws also provide checks against improper government intrusion in their investigation of criminal activity.

1. Computer Fraud and Abuse Act (CFAA)

The CFAA was first enacted in 1984 to combat computer crime generally. It was revised in 1994 under the "Computer Abuse Amendments Act". The CFAA addresses three particular types of criminal activity: trespass or unauthorized entry by users into an online system, users exceeding their authorized access to the online system, and users exchanging information on how to gain unauthorized access to computers. The CFAA does not apply to all criminal attacks against an online system, but only those which fall within the activities defined in the statute.

Trespass and exceeding authorized access are treated similarly under the CFAA. A user who commits a crime against an online system or its operator is not necessarily protected from the CFAA just because the user is registered with the system and has authorized access to the system generally. If the user knowingly exceeds the scope of that authorization, and meets other statutory conditions, then the user is treated the same as any other trespasser under the CFAA.

a. Fraudulent Trespass

A fraudulent trespass is any unauthorized entry made with an intent to "defraud," that results in both "furthering the fraud" and the trespasser obtaining something of value in the process. Fraudulent trespass deals primarily with telephone fraud committed through computer systems. A good example of this is "phone phreaking" which involves using a telephone company switching system to obtain free telephone service.

Fraudulent trespass can also apply to a situation where two users are sending something of value back and forth which is intercepted by a third person. For example, suppose two system owners and operators are collaborating on a confidential, proprietary business document by email correspondence and a third planner intercepts the document. The third planner has received an item of value and has most likely violated the CFAA.

b. Destructive Trespass

Any unauthorized access which is coupled with actions that intentionally cause damage to a "computer, computer system, network, information, data, or program," or results in withholding or denial of the use of a "computer, computer system, network, information, data, or program," and causes at least $1,000 total loss within the course of one year is considered a destructive trespass under the CFAA.

The prohibition against destructive trespass is extremely valuable to online systems and their operators. This portion of the CFAA can be used against a wide variety of crimes. This provision applies not only to deliberate attempts to destroy part or all of a system, but also to the propagation of computer viruses or other dangerous programs through the online system. The only requirement is that the resultant damage be at least $1000 over the course of one year, which is very easily reached.

Thus the destructive trespass provision of the CFAA would apply not only to the direct destruction of a computer system, but to attempts to crash the system, and to any programs -- or any other user's programs or system -- that were damaged as a result of a computer virus passing through the system. The penalty for destructive trespass is significant. If found guilty, violators can be jailed for up to five years.

c. Reckless Trespass

Reckless trespass involves any unauthorized access which is coupled with reckless actions which, though not deliberately harmful, still cause damage to a "computer, computer system, network, information, data, or program," or result in withholding or denial of the use of a "computer, computer system, network, information, data, or program," resulting in at least $1000 total loss over the course of a year. Reckless trespass was added to the CFAA in 1994, and is virtually identical with destructive trespass except that the acts involved are not intended to be harmful. The penalty for reckless trespass is also lighter than that for destructive trespass. The maximum jail sentence for reckless trespass is only one year. This provision recognizes the fact that sometimes trespassers are simply exploring the system, particularly in regard to the Internet.

An extreme example of the application of this provision was the "Morris Worm" which disabled a significant portion of the Internet for several days in 1990. Morris had launched a computer worm which was programmed to travel from site to site over the Internet to gather information from the various servers it encountered. However, a flaw in the program caused the worm to disable many of the servers it came across, halting operation of the portion of the Internet affected. Morris was jailed for releasing the program. As a result of this event, several safeguards were implemented across the Internet to prevent such a result from happening again.

End of quote.

I recommend reading the entire referenced page. See also Summary of Federal Computer Crimes at http://rampages.onramp.net/~dgmccown/a-fedcc.htm.

As I read them, all the Federal laws specifically refer to either INTENT TO CAUSE HARM, or doing actual damage of some kind. They do not seem to make just any unauthorized access into a crime. The exception is that any unauthorized access at all of certain Government systems definitely is a crime.

As far as I can tell, there's no Federal law that seems to proscribe a benign entry into a Back Orificed computer, even without the user's knowledge or express permission. Just my non-legal opinion, but I believe it is an informed one.

US State laws are however another matter altogether.


Washington State Law

There are 50 States in the US, and therefore 50 different laws. I have nowhere near the time or resources to research them all. However, I live in Washington State and I have a fairly recent text of the entirety of the "Revised Code of Washington," which is the bulk of Washington statutes. There I found what appears to be the one exact applicable law:

REVISED CODE OF WASHINGTON (RCW):

"RCW 9A.52.110 Computer trespass in the first degree. (1) A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another; and (a) The access is made with the intent to commit another crime; or (b) The violation involves a computer or data base maintained by a government agency. (2) Computer trespass in the first degree is a class C felony. [1984 c 273 1.]

"RCW 9A.52.120 Computer trespass in the second degree. (1) A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic data base of another under circumstances not constituting the offense in the first degree. (2) Computer trespass in the second degree is a gross misdemeanor. [1984 c 273 2.]

"RCW 9A.52.130 Computer trespass--Commission of other crime. A person who, in the commission of a computer trespass, commits any other crime may be punished for that other crime as well as for the computer trespass and may be prosecuted for each crime separately. [1984 c 273 3.]"

Personally, I have a distaste for catch-all laws. 9A.52.120 above appears almost unbelievably broad in its implications. It appears to say that ANY access AT ALL "without authorization" is to be considered trespass.

In my very un-lawyerly opinion, it seems to me this law might be subject to challenge on the basis that it is so all-inclusive and fails to take a great deal of possible circumstance into consideration.

I don't wish to argue in favor of unwanted intrusions, but in the strictest of legal interpretations, the very presence of Back Orifice on a computer might be construed as "authorization" to enter. Of course it is normally installed without the user's knowledge. On the other hand, usually, the user installed it himself!

But I would take this very seriously and as an indication of what other State laws may contain.


New York State Law

There's a lengthy reference to New York State law at http://www.hackersclub.com/km/laws/laws/new_york.txt which is of interest.

I find it remarkable that New York law defines "computer trespass" and "unauthorized use" as distinctly separate offenses. Trespass is the more serious.

Also interestingly, New York's "unauthorized use" requires that "the computer utilized is equipped or programmed with any device or coding system, a function of which is to prevent the unauthorized use of said computer or computer system." I doubt whether this could be said of any Win95 system without special-purpose software installed.

Win95/98 arguably has no real provision "to prevent" anything aside from the fact it doesn't ordinarily share resources on the dial-up connection.

Anyway, this New York reference seems to me more in line with a sensible definition of "unauthorized use" than the Washington law.

In New York, it appears that to "trespass" one must first gain "unauthorized access," then go beyond it to theft of data (but only of certain types) or to commit some other crime.

The catch-all Washington law (above) on the subject is another matter. I would venture to say that charges might conceivably be brought against any BO intruder, even if he did no damage whatsoever, on the basis of the Washington law.


Is It Ethical?

Regardless of the fact that the legal issues are complex, I think the ethical issues are very easily understood.

Breaking into other people's computers is not, in general, the least bit OK.

Furthermore, I don't advocate it. My own brief exploits with BO, which I describe on my main BO page, are something I do not recommend to others, for a variety of reasons, but most of all for their own protection.

BO's data packets are recognizable and traceable. Countermeasures are in increasing use. If you poke around looking for open Orifices long enough, your ISP is going to receive a complaint -- more likely multiple complaints -- from other ISPs and/or individuals who have traced your transmissions.

Regardless how innocent your actual intent, your ISP is justified in assuming you're up to no good if you're using the BO client. You'll probably lose your account, even if you've done nothing remotely illegal.

Helping BO victims as I did is no longer a safe activity, well-motivated and even entirely ethical though it may be.

As I see it, any use of the BO client should be very limited indeed. I remain willing to use it only on a known machine at a known address and with absolutely explicit permission. I no longer EVER perform ping sweeps.

A few persons have emailed me asking my help showing them how to use BO on their "friends" who have done similar things to them. I absolutely do not help them nor ever recommend any such thing. It's not safe, it's not legal, and it's not ethically justified.

Although some of the information on this site may prove helpful to a few people with nefarious plans, it is not for their purposes that I present it, but for those who need this kind of information in order to protect themselves.

