FreeBSD 3.2

Chuck Swiger cswiger at mac.com
Sat Feb 5 11:33:47 PST 2005 

Ted Mittelstaedt wrote:
[ ... ]
>>> Seriously - from a legal perspective you have absolutely no obligation
>>> to follow their restrictions unless of course they were smart enough to
>>> have you sign a piece of paper before they let you in the door.  No
>>> contractual relationship exists between you and them now, you can
>>> ignore what they tell you to do with impunity as long as you don't
>>> break any civil laws, ie: theft, malicious mischief, etc.  All they can
>>> do is tell you your not welcome in the door anymore.
>>
>> Ted, it's better to give no advice than bad advice. This is especially
>> true when the issue is a legal matter, and you are not a lawyer.
> 
> Oh I always love these kinds of statements.  Even if I am a lawyer
> (which I'll say I'm not, to save you from arguing that I am not)
> guess what - unless I'm retained by you or the OP for the purposes
> of giving legal advice, even as a lawyer, my advice has no legal
> significance whatsover.  Yes, that's true - a lawyer's advice has
> no significance - unless paid for.

You're simply wrong.  Attorney-client privilege applies even when a lawyer has 
not been paid-- it starts when a client initially discusses a matter with the 
intent of retaining the lawyer, even the lawyer decides not to take the case 
and no money changes hands.  United States v. United Shoe Machinery Corp. is 
often cited as “the” test for privilege:

"The privilege applies only if (1) the asserted holder of the privilege is or 
sought to become a client; (2) the person to whom the communication is made 
(a) is a member of the bar of a court, or his subordinate and (b) in 
connection with the communication is acting as a lawyer; (3) the communication 
related to a fact of which the attorney was informed (a) by his client (b) 
without the presence of strangers (c) for the purpose of securing primarily 
either (i) an opinion on law or (ii) or legal services or (ii) assistance in 
some legal proceeding, and not (d) for the purpose of committing a crime or 
tort; and (4) the privilege has been (a) claimed and (b) not waived by the 
client."

This privilege is of great significance with regard to discovery.

> I am qualified here on this topis as an expert witness however, and
> as a matter of fact, lawyers pay people like me to explain how
> laws like this apply to the real world.

Oh, I've served as an expert witness, too.  I was paid to evaluate software to 
determine whether copyright infringement had occured because the technical 
skills required to evaluate software require skills which people who are not 
experts with computers don't have.

Being paid to give expert advice on a topic doesn't make me a legal expert any 
more than the lawyer who paid me was expecting me to provide legal advice-- 
that's what the lawyer does, not me.  (And not you, either.)

> And of course I'll also gloss over the whole issue that your implying
> that laws are uninterpretable by the average person unless they are
> a lawyer.  Riiggghhttt.  So I guess you get a lawyer every time you
> get a parking ticket, eh?  ;-)

The law applies regardless of whether the average person is able to understand 
a specific matter or not.  However, for the sake of example, if you are not an 
accountant, then you probably [1] cannot be held guilty of *willfully* 
violating accounting laws which are only comprehensible to an accountant (or 
to a lawyer specializing in that area of law).  That doesn't mean someone who 
isn't an accountant can't commit fraud, it means that accountants who commit 
fraud are punished more severely than average people because they willfully 
violated the professional standards of their profession.

Likewise, someone who has served as a legal expert on computer matters is 
expected to have a greater understanding of the ethics and professional 
responsibilities involved with computer usage.  For example, because I am a 
network manager responsible for a network infrastructure including electronic 
mail systems, I know that I have a legal obligation to report child 
pornography in spam (ie, an email containing pictures as a MIME attachment, or 
a link to a porn web site) if and when I become aware of such filth.

------
[1]: But this becomes more complicated when you are expected to discuss 
matters with your accountants as part of your responsibilities: there are 
several high-profile cases going on right now involving CEOs who claimed to 
know nothing about accounting or financial irregularities who are still being 
prosecuted....

>>See 18 USC 1030:
>>
>>http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_0000
>>1030----000-.html
> 
> 
> Interesting cite, let's look a bit more closely though:
> 
> (a)(1) "having knowingly accessed a computer without authorization"
> 
> He has authorization to -access- the computer.  Note that access is
> not spelled out as a definition in section (e)
> 
> (a)(1) "or exceeding authorized access"
> 
> OK, so here we have something - as you could argue that updating
> the system is exceeding the authorized access on the machine, right?
> 
> Except that, continuing on in this section:
> 
> "and by means of such conduct...unauthorized disclosure for reasons of
> national defense"
> 
> Ok, so section (a)(1) isn't applicable.  So continuing on:
> 
> (a)(2) "exceeds authorized access, and thereby obtains-...
> information from any department or agency of the United States"
> 
> I'll skip (a)(2)(a) and (a)(2)(c) as they obviously aren't applicable.
> So it sounds like you might have a case here - except for one problem,
> that a backup-reformat-reinstall isn't accessing information in
> the computer over and above his authorized access.  I'll admit this
> is a grey area and can be argued both ways - but bear with me and
> follow along.

Computer people attempt to understand the law as if it were a deterministic 
construct which means exactly what it says, and as if a specific section is 
completely well defined in the absence of other laws.  This works for code 
(well-written code, anyway), because software people try very hard to provide 
well-defined interfaces which are self-contained and do not involve side 
effects or hidden changes to global state.

Unfortunately, this approach does not always work for the law; and sometimes 
it doesn't work at all.  Legal terms sometimes have a specific meaning-- what 
we might call jargon-- which is not the same understanding of the term that 
average people have.

What you fail to understand or take into account is that this law, originally 
designed to apply to atomic secrets held by top-security government computers, 
can also be applied to other protected information defined in other laws.

What kinds of other information?  The three that come to mind are financial 
information, medical and healthcare records, and educational records.  Go look 
up a few cases where a student hacked into a school computer in order to 
change grades and see for yourself what laws they were prosecuted under.

> He obviously has permission for a certain level of access already
> on this machine.  

"Obviously?"  If he was accused of breaking the law, and claimed that "I 
obviously had permission to do whatever I want to this computer", just how 
would he prove this supposedly obvious claim?

In my last message, I gave a really good suggestion, which was...

[ ...a lot of nonsense removed, tired of detailed response... ]
>> US-government-owned computer without getting written
>> permission first.
>  
> Absolutely nothing in that section you cited said anything
> about written permission, I have no idea where your getting
> that from at all.

...getting written permission means that the changes you make in good faith to 
a computer system owned by someone else are "authorized".

And you can prove it if you needed to.

> EXCEPT, I have it - you are probably saying this because you
> have a high expectation that him updating the system will break
> things - resulting in justifyable anger and annoyance of the
> owner - resulting in possible legal actions where a piece of
> paper might get his ass out of the sling.

Very good.  Only you've got it backwards.

I didn't evaluate his chances of breaking the system because my concern was 
that he should obtain permission before reinstalling because that is the right 
thing to do.  The fact that having written authorization might well "keep his 
ass out of the sling" if there was a problem is a secondary concern, albeit 
still very important.

[ ...more stuff, but I'm not going to continue... ]

-- 
-Chuck

More information about the freebsd-questions mailing list