Security Incidents mailing list archives

Re: Port Scans are Legal


From: ethan preston <prestone () BULLDOG GEORGETOWN EDU>
Date: Mon, 18 Dec 2000 23:36:50 -0500

OK, this is going to drive me crazy unless I say something now. It can't
be said port scanning is legal without qualification.

Moulton v. VC3 interpreted two statutes, Georgia's computer crime
statute and the Federal computer crime statute. Both statutes have a
damage requirement; the court did indeed find that the cost of
investigating port scans did not constitute "damage" under those
statutes. This is not a huge leap in judicial interpretation; the Kansas
Supreme Court in State v. Allen also found that costs of investigation
could not be used to meet the "damages" requirement of the statute.

The precedential value of Moulton v. VC3 is limited to the Georgia and
federal computer crime laws. State statutes that punish "access" or
communication with a computer that exceeds authorization _without any
damage requirement whatsoever_ are quite common. They are in the
majority, not the minority. Of the first seven states I looked at,
Alabama, Alaska, Arizona, Arkansas, California, Connecticut, and
Delaware, only Arkansas and Alaska required additional elements beyond
access. I'd guesstimate a similar ratio among the rest of the states.
Most of these statutes are broadly worded, and even a port scan would
probably qualify as "accessing" a computer. Moreover, civil common law
torts, like trespass on chattels (which punishes people who interfere
with others' personal property, like kicking another's dog), can still
be applied (successfully). The most recent example of this is the eBay
v. Bidder's Edge decision.

The problem with these laws is that they are overexpansive and badly
drafted. Additionally, there's a bootstrapping problem. By the time a
user receives notice from the computer that a particular activity is
unauthorized, that user has already accessed and communicated with the
computer and is, technically, liable.

Many (most?) state computer crime laws technically criminalize any
packets sent to a system connected to the Internet, if they arrive
"without authorization." Many courts are going to balk at interpreting
the statutes that broadly because it would criminalize or assign
liability to even innocent users. Those laws are too broadly worded to
provide predictable legal results. The law still hasn't provided a clear
distinction between network uses that will get you in trouble and those
that won't.

----- Original Message -----
The question comes up here every few weeks, and it looks like any doubt
has been erased for now. Port scanning is not illegal in the USA

