As I wrote in an earlier post, a judge in North Dakota recently ruled against David Ritz. Ritz is an anti-spammer who was sued by Sierra Corporate Design, Inc. The full judgment is here; I will attempt to summarize it.
The basis of the case is that Ritz believed that Sierra was a spamming company and gained unauthorized access to Sierra's computers. Ritz conducted zone transfers to get this information. Zone transfers are the means by which a primary authoritative domain name server copies the domain structure to a secondary authoritative domain name server for the purpose of redundancy. So, basically, Ritz got access to IP address and domain information from Sierra. He used basic Unix tools to do it, but in the judge's words, this access was unauthorized since Ritz was not a network administrator.
The court then further found that Ritz was guilty of malice by what he did with the information. Allegedly, he pressured some Usenet ISPs to cancel some messages posted through its service and convinced others to de-peer with it. Basically, the court says he stole information, concealed his identity while doing it (thereby confirming his guilt - why conceal what you are doing if it's legit) and blackmailed others with the information he acquired.
Among the court's findings:
The Court rejects the test for "authorization" articulated by defendant's expert, Lawrence Baldwin. To find all access "authorized" which is successful would essentially turn the computer crime laws of this country upside down. Any hacker could allege that any form of access was authorized because he was able to penetrate the system, regardless of whether the commands utilized were well-formed.
This is difficult for me to comment on because I am not a lawyer, but used to want to be one when I was back in high school (I could have been a great lawyer). According to the above statement, Ritz's expert said that if you try to get the information and it's given to you, then you are authorized to access the information. The judge has rejected that statement and is saying that unless you are explicitly authorized to receive it, then by default you are not authorized. Among the findings of fact, the judge says that Microsoft itself, as well as various other authorities, all refer to zone transfers conducted by an individual other than the network administrator or an authoritative name server as "unauthorized."
I'm not sure about this. This seems to be a gray area within the law. In the United States Constitution, it explicitly lists the powers of the Executive. If it's not mentioned, then there is room for debate (which explains why the powers of the Executive and Legislative branches have expanded since Confederation). In other words, simply because Microsoft says zone transfers are only to be conducted by network administrators, unless the criminal code explicitly defines what is authorized access and what is not unauthorized access, the judiciary will continue to create law from the bench.