Security Basics mailing list archives

Actions in law


From: "Craig Wright" <cwright () bdosyd com au>
Date: Thu, 6 Apr 2006 09:36:33 +1000


Hello,
First, what is misunderstood by some is that the response to a property right is a general duty on other people not to 
interfere with the "res" (thing). Some people assume that the law is there to protect the rights of the individual to 
do whatever they wish unless this act is expressly forbidden. This is a mistake. The historical origins of the law go 
to Roman civilisation and then follow into the feudal customs of the 12th - 14th centuries.

The law was developed to protect the rights of the property owner first and foremost (An ethical argument as to this 
being unjust is irrelevant to the point). Illegal means not legal. It does not mean against the law. There is a 
difference. Not legal can mean that there is not an express right to do the action.

The cases mentioned in a previous post and in particular the following one have demonstrated this:
Harrison v. Carswell (Harrison v. Carswell (1975), [1976] 2 S.C.R. 200)

The defendant argued that they had a right to protest. This is a right under law for freedom of speech and expression. 
The mall owner stated a property right to exclude. The owner of the mall won. They were able to effect an injunction on 
the protester stopping them from entering the mall property and surrounds (i.e. the areas that customers may go).

The case has been criticised of course by people who want to be able to protest anywhere. It is held that though there 
was a right of protest, the rights of the property owner are superior. You can protest, but somewhere else - easy...

I stated I would get to remedy and action. There is first the "Action in personam". This is where the property owners can 
take action against the defendant personally. This is a civil action and the property owner is entitled to damages for 
violation of their rights in relation to a res, or thing.

This is as chattels are viewed as fungible and therefore compensable monetarily by the courts.

A person "is subject to liability to another for trespass, irrespective of whether he thereby causes harm to any 
legally protected interest of the other, if he intentionally . . . enters land in the possession of the other, or 
causes ... a third person to do so." RESTATEMENT (SECOND) OF TORTS § 158 (1965) see Bradley v. American Smelting & 
Refining Co., 104 Wn.2d 677, 681, 709 P.2d 782 (1985).

Trespass as I have previously stated is the wrongful interference with other persons or with their possession of goods 
or land. To constitute a trespass the interference must be unauthorised, direct and done voluntarily.

Referring to the case above and applying this to the action of port scanning, the tort associated with trespass is 
determined "irrespective of whether he thereby causes harm to any legally protected interest of the other". This does 
not mean that you need a firewall for protection. This refers to "good title". Title is (simplified) the right of 
ownership. The invoice for the computer, the contract with the hosting company all provide good title.

The Restatement (Second) of Torts § 217 defines trespass to chattels as "intentionally... dispossessing another of the 
chattel, or using or intermeddling with a chattel in the possession of another." Port scanning is using the resources 
of the server. This need not be a significant use of the resources, just one that is in any manner measurable. 
Measurable could be in cycles per second.

This would allow a case to proceed. I cannot state that I would expend money on this, but it could nonetheless 
proceed. To take action in this manner the site value would need to be determined. This is not a recoverable cost for 
the claimant. They could take the action, but the cost of valuation if not already done (and some companies do this - 
eg Sar.OX accounts under IP).

A possible first action the site owner could seek is an equitable injunction against the person doing the scanning or 
who has done the scanning. Any subsequent port scanning on any of the site owner's systems would be a breach of orders 
of the court and constitute a contempt. Contempt may be enforced using a penal sentence (i.e. gaol).

In this action damages would be awarded to the site owner. This would cover 50-70% of their legal costs (i.e. not full 
recovery) and the nominally assigned amount of impact to the system (likely to be rounded up by the court to a dollar 
- euro, pound ...whatever). This would exclude cases where the server has a high value, high turnover (HVHT). In HVHT 
cases the cost per cycle for the scan may be measured in real terms. A scan of Amazon for example could be a rather 
expensive exercise if they decide to exercise their rights. Cycles based on the reported turnover of Amazon could come 
to $422 per port scanned (see SEC filings, 2004) - a complete 65k scan would make this an effective action for them (as 
long as the person doing the port scan had something to recover - a 14 yo is not likely to have this amount of funding).

The legal costs (and the person port scanning would have to pay their own costs) are where the site owner could effect 
a punitive effect against the person scanning the site. The costs could be in total in the order of $50,000 to $400,000 
depending on the court that the action was started in. The higher the court, the more the cost.

Will companies do this? Sony v Sharman Networks was a case that demonstrates that corporations will act to protect 
their rights even at a cost to the corporation. The costs to Sony exceeded anything they could hope to recover. They 
still took the action.

Corporations are starting to learn that they can use civil litigation to quash actions that they see as "distasteful". 
Given time, a corporate with enough time and money will decide to make a point. This will occur without the need of 
damage even.

This action will cost the corporation (likely in the order of $10,000 to 150,000 after recovery), but for some 
corporations, this is [as far as legal issues go] petty cash. Eventually one is going to make a point and the person 
scanning will at the least be up for a lot of money. The future (like it or not) is going to be one where corporations 
take action to dictate policy.

So to finish. Telling someone that port scanning is ok is negligent. I do not care if you happen to engage in this 
activity yourself without authorisation, but telling another that it is ok is simply irresponsible. If we (in 
Information Technology) wish to be treated as professionals, then it is high time we started to act in this manner.

On a different point of view: ethics. To quote from THE TEN COMMANDMENTS OF COMPUTER USE:
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not use or copy software for which you have not paid.
Thou shalt not use other people's computer resources without authorization.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you write.
Thou shalt use a computer in ways that show consideration and respect.

Connecting to all ports on a server is use without authorisation.

Regards,
Craig
