Re: ICMP mapping, questioning legality!!

[Steve Stearns <sterno () GEMINI BIGBROTHER NET>]

On Tue, 12 Sep 2000, David Knapp wrote:

> I had the same question - is port scanning legal in California?  I was
> told that it is in fact illegal - see California Penal Code section
> 502(2)(c) - i believe for the specific wording.

IANAL but this law seems pretty badly worded, so the legality of port
scanning would likely come down to the interpretation of a judge on how
"permission" is granted.  Section (c)(2) says that a person can be
punished who "knowingly accesses and WITHOUT PERMISSION [my emphasis]
takes copies, or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting documentation,
whether existing or residing internal or external to a computer, computer
system, or computer network."

Now, one could interpret that the information contained in a port scan
effectively contained data from and about the computer system/network.  If
that scan was done without authorization, then you'd theoretically be in
violation of this statute.  Now, according to their definition,
"access" effectively means initiating any communication with any part of
the computer (read the statute if you want the exact wording), so merely
connecting to a socket could be interpreted as "accessing".

The problem as I see it is that by this definition, accessing the website
on somebody's computer could be a violation of this statute because they
don't bother to express in the statute how "permission" is given.  One
could argue that the website was put up for public access and thus
permission is implied, but one could say the same thing about any service
running on an internet connected system.  If it is connected to the
internet, it could be implied that it was intended to be publicly
accessible.

Of course I wouldn't want to put this law to test :)

---Steve