Tuesday, 16 March 2010

Property law for IT people

Property, in the legal sense, as it relates to servers, routers and information systems in general is known in law as "chattels". Servers are chattels. The data are Intellectual Property.

There is a standard bundle of rights associated with property:
1 The right to control use of the property,
2 The right to receive benefit from the property,
3 The right to assign, transfer or sell the property, and
4 The right to exclude others from the property.

In the case of port scans we are looking at point 4, the right to exclude, and point 1, the right to control. Rights as defined and used in this email are based on the Anglo-Saxon idea of exclusive right. This right is equivalent to the Civil law (Roman) idea of Dominus (see Dominus enim dicit, for those who like Latin). The dominus is more restrictive than common law property rights: Civil law (or codified law) rights of property are absolute rather than distributable, as they are in the English common law.

For this reason I shall confine this discussion to the common law view of rights as far as possible. That view is the one more commonly held in the "West"; Civil codified laws are more restrictive and more likely to enforce the rights of a property holder.

The rights we need to look at, as noted, are the right of control and the right of exclusion.

The "right of control" is the right to determine how the property is used. "Uses" were originally the equitable or beneficial interests in the property. The right of control allows the system owner to determine how the system is to operate, according to law. The system owner has the right to state that they do not allow ping (or any ICMP at all, for example). To enforce this they could filter all ICMP traffic.

If, in this example, the system owner had determined that they would stop all ICMP traffic to/from the server, they could state this, and then any access via ICMP would be a violation of their property rights. If the system owner had not taken steps to notify the public through some means (e.g. a terms notice on the primary web site), the rights still exist but are not enforceable in law. This means that the act of trying to ping this server is illegal, but there is no way to enforce this right.

To enforce the right, the system owner has to do something to bring the right of control to the notice of the person who seeks to violate it. An example is a banner on a telnet login. The action is illegal regardless, but without the notification there is no action to enforce the right. The notification does not need to be ongoing; it just needs to occur. It does not even need to be particularly verbose or grammatically correct, and it does not need to be sent using the same protocol: sending an email to the attacker would satisfy the requirement.

A simple way of transmitting intent is to allow ICMP responses: permit this traffic, use ingress and egress filters, and send ICMP type 3 (Destination Unreachable) replies. In particular, type 3 code 13 (Communication Administratively Prohibited) replies could be sent. On receiving this response, the person scanning has effectively received notification (much like a banner). There is no legal requirement that they take notice of the packet, just that it is delivered.

Other ICMP type 3 codes that would effect this include:
3/9 The destination network is administratively prohibited.
3/10 The destination host is administratively prohibited.
3/11 The network is unreachable for Type Of Service.
3/12 The host is unreachable for Type Of Service.

Sending ICMP 3/9 is the most effective solution. (This is easy to configure on Cisco routers; other routers may or may not be able to achieve this.) On receipt of the first such packet, the person scanning is effectively notified. If they then "scan" or "test" any port on the network, they are breaching the conditions they have been notified of (similar to trespass on real property once you have asked the trespasser to leave and you have rights to the land).
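As an added example (not code from the original post), the following Python builds the ICMP type 3 reply a filtering router would emit and parses a received one, separating the administratively prohibited codes (9, 10, 13) from the Type Of Service codes (11, 12) and recovering the port that was probed. The quoted datagram is a constructed placeholder, and the parser assumes a 20-byte IP header without options.

```python
import struct

ICMP_DEST_UNREACH = 3  # ICMP type 3: Destination Unreachable (RFC 792)
# Type 3 codes discussed in the post, with their RFC 1812 names
CODE_NAMES = {
    9: "destination network administratively prohibited",
    10: "destination host administratively prohibited",
    11: "network unreachable for type of service",
    12: "host unreachable for type of service",
    13: "communication administratively prohibited",
}
ADMIN_PROHIBITED = {9, 10, 13}  # codes that express an administrative policy decision

# Constructed sample, not a real capture: a placeholder 20-byte IP header followed by
# the first 8 bytes of a TCP probe (source port 40000, destination port 22, seq 0).
SAMPLE_PROBE = bytes(20) + struct.pack("!HHI", 40000, 22, 0)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreach(code: int, offending_datagram: bytes) -> bytes:
    """ICMP type 3 reply as a filtering router emits it: type, code, checksum,
    4 unused bytes, then the IP header and first 8 bytes of the dropped datagram."""
    quoted = offending_datagram[:28]
    header = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = icmp_checksum(header + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def classify(icmp_msg: bytes) -> dict:
    """Parse a received type 3 message, verify its checksum and report whether it is
    one of the 'administratively prohibited' notices; also recover the probed port."""
    if len(icmp_msg) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, csum, _unused = struct.unpack("!BBHI", icmp_msg[:8])
    if icmp_checksum(icmp_msg[:2] + b"\x00\x00" + icmp_msg[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    info = {"type": icmp_type, "code": code, "name": CODE_NAMES.get(code, "other"),
            "admin_prohibited": icmp_type == ICMP_DEST_UNREACH and code in ADMIN_PROHIBITED}
    if len(icmp_msg) >= 32:  # 8 ICMP + 20 IP (no options assumed) + 4 bytes of ports
        info["dest_port"] = struct.unpack("!H", icmp_msg[30:32])[0]
    return info
```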

If the person port scans the site and ingress filters are configured to send ICMP 3/9 replies as soon as a packet is received for any port on any server other than the validly allowed ports, there is a breach. Continued scanning then becomes a breach of rights with an attached enforceable action: you have the ability to litigate civilly against the person scanning the site for the port scan and nothing more (i.e. no real damage).

Why do some people wait until a banner is seen and log to that point? Once the banner has been seen, this becomes a course of action. If you keep scanning after seeing the banner, then there is an action in criminal terms, and damage is not needed in order to seek action.

The right of exclusion is the right to dictate what others can do. This means that the property owner has the right to exercise control and to dictate what level of access (if any) another has to the property. In respect of the Internet, access from your gateway to another server is completed under the effect of an easement. There are both public and private easements. A public easement is one that grants the right to a large group of individuals or to the public in general. In Internet terms this is analogous to the backbone routers.

A DoS or DDoS attack against DNS or the backbone routers is in effect the same as blocking access to someone who holds an easement. It is a trespass upon the right of easement and creates a cause of action for a civil suit. In most jurisdictions this is also not codified in statute as a criminal offence; it is still illegal as a civil breach where not directly excluded.

Exclusion allows the property owner (in our case the system owner) to designate what actions are acceptable. They need only state that an action is against the policy of the site for this to become an enforceable action. Further, where the system is state owned (take the US Federal government, for example), all access is considered to be expressly controlled unless it is expressly allowed.

What does this mean? A port scan, if the system owner does not welcome it, is a violation of the property rights of the system owner: it breaches the right of exclusivity. Whether we see the system and its data as "choses in possession" or "choses in action", the act has to be one that is acceptable to the system owner. If we look to the Civil law, we have an analogous system with respect to movable property, or movables.

Breach of an owner's or possessor's rights is a transgression in the nature of property law. There are actions for recovery or in tort, but these generally require that there has been damage. Nonetheless, a transgression of either the right to control or the right to exclude is still a violation of the fundamental rights of the owner of the property. A property law violation is not (generally) a criminal act without damage. This does not stop it from being illegal.

It is illegal in the sense that it can also act to void a contract. If, for example, party A contracts party B to scan the systems of party C using a port scanner, party A could, after receiving the report, decide not to pay B for the services, as the action is considered illegal and an illegal contract is not enforceable. There would be no punitive effect from this, but it does not change the action into a legal act.

Clear as mud? Well, I hope that this has created a little more understanding of the law, of rights, and of why they apply. To complicate this we could also look at equitable rights, but that would only lose more readers.

Damage the property or actually gain access to the system, and we get into a whole new area. This is where the criminal offences come into play.
