Security Incidents mailing list archives
Re: Port Scans are Legal
From: ethan preston <prestone () BULLDOG GEORGETOWN EDU>
Date: Mon, 18 Dec 2000 23:36:50 -0500
OK, this is going to drive me crazy unless I say something now. It can't be said port scanning is legal without qualification. Moulton v. VC3 interpreted two statutes, Georgia's computer crime statute and the Federal computer crime statute. Both statutes have a damage requirement; the court did indeed find that the cost of investigating port scans did not constitute "damage" under those statutes. This is not a huge leap in judicial interpretation; the Kansas Supreme Court in State v. Allen also found that costs of investigation could not be used to meet the "damages" requirement of the statute. The precedential value of Moulton v. VC3 is limited to the Georgia and federal computer crime laws. State statutes that punish "access" or communication with a computer that exceed authorization _without any damage requirement whatsoever_ are quite common. They are in the majority, not the minority. Of the first seven states I looked at, Alabama, Alaska, Arizona, Arkansas, California, Connecticut, and Delaware, only Arkansas and Alaska required additional elements beyond access. I'd guesstimate a similar ratio among the rest of the states. Most of these statutes are broadly worded, and even a port scan would probably qualify as "accessing" a computer. Moreover, civil common law torts, like trespass on chattels (which punishes people who interfere with other's personal property, like kicking another's dog), can still be applied (successfully.) The most recent example of this is the eBay v. Bidder's Edge decision. The problem with these laws is that they are overexpansive and badly drafted. Additionally, there's a bootstrapping problem. By the time a user receives notice from the computer that a particular activity is unauthorized, that user has already accessed and communicated with the computer and is, technically, liable. Many (most?) state computer crime laws technically criminalize any packets sent to a system connected to the Internet, if they arrive "without authorization." Many courts are going to balk at interpreting the statutes that broadly because it would criminalize or assign liability to even innocent users. Those laws are too broadly worded to provide predictable legal results. The law still hasn't provided a clear distinction between network uses that will get you in trouble and those that won't. ----- Original Message -----
The question come up here every few weeks, and it looks like any doubt has been erased for now. Port scanning is not illegal in the USA
Current thread:
- Port Scans are Legal Crist Clark (Dec 18)
- Re: Port Scans are Legal Dan Riley (Dec 18)
- Re: Port Scans are Legal claymore (Dec 19)
- Re: Port Scans are Legal Brett Glass (Dec 19)
- What is a crime, WAS RE: Port Scans are Legal Christopher Byrne (Dec 19)
- <Possible follow-ups>
- Re: Port Scans are Legal ethan preston (Dec 19)
- Re: Port Scans are Legal f4 (Dec 19)
- Re: Port Scans are Legal Dan Riley (Dec 18)