What Is Computer Hacking?
With the recent Van Buren decision, the Supreme Court limited the scope of the Computer Fraud and Abuse Act and brought it more in line with what security experts would understand to be "hacking". But what does that mean?
In this article, I will try to explain the technical background that is relevant to understanding the CFAA, and potentially other anti-hacking laws, but I am not an attorney. This is a technologist's perspective, not a legal treatise.
While the CFAA is the United States' primary anti-hacking law, it does not use the term "hacking". Rather, it forbids accessing a computer "without authorization" or "exceeding authorized access". Until now, the courts have been split as to what it means to exceed authorized access. The Van Buren decision adopts the idea of a "gate", a technical protection measure that serves as a barrier to accessing a computer system or a part of that system. For example, you might need a password to be able to log in to the system. That's a gate. A computer system might allow your account to access some files, but not others; that's also a gate.
Under Van Buren, if someone bypasses a gate to access a system or part of a system, the CFAA would still apply. In lay terms, bypassing a gate is hacking. If the user merely does something the system's owner would prefer they not do (the defendant in Van Buren was a police officer who accessed records on a police system he had access to, but for his own purposes), the CFAA does not apply. This comports with the way that most IT and security professionals understand "hacking".
Computer hacking, as the term is used by technologists, generally involves either tricking a legitimate user into giving away access to an account or system, or using a technical program or command to get a computer system to give the hacker access when it should not. For example, a hacker who sends an email pretending to be from a company's IT department in order to trick an employee into giving up their password is hacking. A person who downloads a hacking tool from the web and uses it to gain access to an email server without having to log in is hacking. If a company gives their system administrator the ability to read any user's email and he uses that access to read his supervisor's email, that's not hacking.
Hackers use a variety of techniques to manipulate computer programs and bypass access controls. In most real-world hacking incidents, they use several techniques as they work their way through a system or network. Speaking from a technical perspective, it shouldn't be too difficult to show that most of these techniques "bypass a gate". For example, a hacker might:
• Guess a user's password to gain access to a system
• Steal additional passwords from a system
• Run a program to elevate their access from a regular user to a system administrator
• Overwhelm a program by providing more data than it expects in order to corrupt the memory inside the program
• Input special sequences of characters into a web form to trick the site into running a command
• Embed a program into a document or spreadsheet to trick a user into executing it
Conversely, there are many other actions that, while they might raise a company's hackles, would not generally be considered hacking. For example:
• Using a fake name on a website
• Accessing a file or record you have access to for your own purposes
• Automating the copying or downloading of files
• Automating requests to a database
While most technology professionals would not consider these to be hacking, they are more challenging to explain to a lay person. For example, users generally access websites by clicking on links in a web browser. This limits the speed and manner in which they navigate the site. Programmers, however, can write software that interacts with websites in an automated fashion. If you create a website and the pages are named "page1", "page2", etc., it would be easy to write a program that tries to open and download from "page1" through "page99999". A programmer could also write a program to open the website, scan the page for any links, open all of those links, scan for additional links, visit those links, and repeat ad infinitum. That's outside the experience of most web users, but not unusual for people developing software, indexing websites, etc.
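From the examiner's side, the same distinction shows up in a web server's access log. The sketch below is an added example, not part of the original article: it summarizes, per client, how automated the traffic looks and, separately, whether any request was refused by an access control. The log lines, addresses, user name and the `/admin/users` path are constructed for illustration, and treating HTTP 401/403 as the sign of a gate is an assumption about how the site is configured.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system), common log format.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2021:10:00:00 +0000] "GET /page1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jul/2021:10:00:00 +0000] "GET /page2 HTTP/1.1" 200 498
203.0.113.5 - - [01/Jul/2021:10:00:01 +0000] "GET /page3 HTTP/1.1" 200 530
203.0.113.5 - - [01/Jul/2021:10:00:01 +0000] "GET /page4 HTTP/1.1" 200 501
198.51.100.7 - alice [01/Jul/2021:10:00:05 +0000] "GET /page1 HTTP/1.1" 200 512
198.51.100.7 - alice [01/Jul/2021:10:02:40 +0000] "GET /admin/users HTTP/1.1" 403 120
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def summarize(log_text):
    """Per client: request count, rate, sequential page runs, gate denials."""
    clients = defaultdict(lambda: {"times": [], "paths": [], "denied": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, status = m.groups()
        c = clients[ip]
        c["times"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        c["paths"].append(path)
        if status in ("401", "403"):  # assumed marker of an access control
            c["denied"].append(path)
    report = {}
    for ip, c in clients.items():
        span = (max(c["times"]) - min(c["times"])).total_seconds()
        # Page numbers in request order, e.g. /page1, /page2, /page3 ...
        nums = [int(n) for p in c["paths"] for n in re.findall(r"^/page(\d+)$", p)]
        sequential = len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:]))
        report[ip] = {
            "requests": len(c["paths"]),
            "rate_per_sec": round(len(c["paths"]) / max(span, 1.0), 2),
            "sequential_enumeration": sequential,
            "denied_by_access_control": c["denied"],
        }
    return report

if __name__ == "__main__":
    for ip, facts in summarize(SAMPLE_LOG).items():
        print(ip, facts)
```

The first client is fast and sequential but every request was served; the second is slow and manual but was refused at a restricted path. The summary reports those facts separately and draws no conclusion about authorization.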
The Van Buren decision should make it easier to understand what conduct the CFAA does and does not apply to. It will still be important, however, to analyze the facts of each case to determine exactly what happened. Technical experts can provide assistance by explaining the events that occurred and by sharing crucial background and contextual information to help courts determine whether specific actions meet the criteria or not.
ABOUT THE AUTHOR: Steven Alexander
Steven is the founder of Trace Digital Forensics, LLC and has over twenty years of experience in technology. He has examined computers and mobile devices in criminal and civil cases, and in numerous internal investigations. He has a master's degree in Computer Science, and several certifications including the EnCase Certified Examiner (EnCE), Magnet Certified Forensics Examiner (MCFE), and Certified Information Systems Security Professional (CISSP).
Copyright Trace Digital Forensics, LLC
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer. For specific technical or legal advice on the information provided and related topics, please contact the author.