Mother, May I?, 2008-01-23
This situation is not easy in the real world, and is infinitely more complicated in the virtual world.
In the real world, we have centuries of experience with boundaries. We know without being told about the difference between a sidewalk and a street and a house. We know almost all the time about the difference between a private residence and a commercial establishment. Even in an establishment like a hotel, we know the difference between the lobby, the business offices and the guest suites. Even within the guest suites, we fundamentally understand the difference between the desk drawers and the luggage. These invisible lines of "authorization" come from common and shared experiences.
Shades of gray
Even with these experiences, the law of "trespass" or authorization is tricky. Can you enter your neighbor's house because the door is open? What if you smell smoke? There is actual authorization ("Go ahead, c'mon in."), implied authorization by circumstances (for example, you may access a public website), and emergency implied authorization. Even authorized access can become a trespass if you do something that is not permitted.
Under the Morris "intended functionality" test, a "cookie" or applet or ActiveX control may be "authorized" to run on a computer, but it is not a stretch to say that a program designed to look like a cookie, but which runs malicious programs or is designed to do damage, may constitute "trespass." It's OK to send mail but not OK to send mail bombs, even though both "access" your computer.
On the other hand, there is a huge difference between ability to access and authorization to access. And that's where David Ritz got into trouble.
Are you the admin?
The North Dakota court made a factual finding that Ritz used certain UNIX commands including host -l to accomplish a "zone transfer." The court noted that zone transfers are primarily used to create a redundant domain structure or for troubleshooting in the event of problems with the domain structure. The court observed that "in those instances, however, the person conducting the diagnosis acts with the authorization of the operator of the system and is usually the network administrator for the system." The court also noted that there were no other purposes of a zone transfer, and that "Microsoft itself, as well as various other authorities, all refer to zone transfers conducted by an individual other than the network administrator or an authoritative name server as unauthorized."
While my independent research on the subject indicates that the judge has overstated the issue, the clear purpose of the zone transfer is to allow the authorized system administrator to replicate the DNS structure. As one web posting by venerable security guru D.J. Bernstein -- of the crypto case Bernstein v. United States fame -- noted:
AXFR is also sometimes used by unauthorized third parties who want to sneak a peek at a site's data. Many years ago, these peeks were practically always successful, because almost all sites had promiscuous AXFR servers; these days, however, promiscuous AXFR servers are widely discouraged and increasingly uncommon.
(From a snoop's perspective, the difference between AXFR and normal queries is that normal queries force the snoop to guess the relevant domain names, while AXFR reveals the domain names for free. The notion that DNS data is entirely public does not match the reality of private high-entropy domain names at many sites.)
Thus there is a disconnect between the concepts of "accessible by a member of the public" and "intended to be public." The court also noted that, at least on the issue of damages resulting from the unauthorized access, the information Ritz obtained about the Sierra internal domain structure "in the hands of outsiders with malicious intent, threatens the integrity of Sierra's computer system."
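One way an operator can make that intent explicit, shown as an added example that is not part of the original column or the court record: classify each incoming DNS query as a normal lookup or a transfer request (AXFR/IXFR) and compare the source against the hosts authorized to replicate the zone. The addresses, the zone name and the function names are constructed for illustration, and each message is assumed to be a raw DNS query with any TCP length prefix already removed.

```python
import ipaddress
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252  # transfer query types (RFC 1995, RFC 1035)
# Constructed allow-list: the only host the operator authorized to replicate the zone.
SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]

def parse_question(msg):
    """Return (qname, qtype) for the first question in a raw DNS query."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", msg[4:6])[0] < 1:      # QDCOUNT
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:                            # root label ends the name
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label")          # no compression in a query name
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype

def classify(src_ip, msg, secondaries=SECONDARIES):
    """Label a query: ordinary lookup, authorized transfer, or unauthorized transfer."""
    _qname, qtype = parse_question(msg)
    if qtype not in (QTYPE_AXFR, QTYPE_IXFR):
        return "normal"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in secondaries):
        return "authorized-transfer"
    return "unauthorized-transfer"

def build_query(name, qtype):
    """Build a constructed sample query so the example runs offline."""
    header = struct.pack("!HHHHHH", 0x1234, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

if __name__ == "__main__":
    for src, q in [("192.0.2.53", build_query("example.test", 252)),
                   ("198.51.100.7", build_query("example.test", 252)),
                   ("198.51.100.7", build_query("www.example.test", 1))]:
        print(src, parse_question(q), classify(src, q))
```

A server that refuses or logs the "unauthorized-transfer" case is what separates a zone that is merely reachable from one that is intended to be public.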
