Tuesday, April 17, 2012
“Breaking and Entering” Through Open Doors: Website Scripting Attacks and the Computer Fraud and Abuse Act, Part 2
Two notes: 1) Apologies to Prawfs readers for the delay in this post. It took my student and me longer than anticipated to complete some of the technical work behind this idea. 2) This post is a little longer than originally planned, because last week the Ninth Circuit en banc reversed a panel decision in United States v. Nosal which addressed whether the CFAA extends to violations of (terms of) use restrictions. In reversing the panel decision, the Ninth Circuit found the CFAA did *not* extend to such restrictions.
The idea for this post originally arose when I noticed I was able to include a hyperlink in a comment I made on a Prawfs' post. One of my students (Nick Carey) had just finished a paper discussing the applicability of the Computer Fraud and Abuse Act (CFAA) to certain types of cyberattacks that would exploit the ability to hyperlink blog comments, so I contacted Dan and offered to see if Prawfs was at risk, as it dovetailed nicely with a larger project I'm working on regarding regulating cybersecurity through criminal law.
The good news: it's actually hard to "hack" Prawfs. As best we can tell, the obvious vulnerabilities are patched. It got me thinking, though, that as we start to clear away the low-hanging fruit in cybersecurity through regulatory action, focus is likely to shift to criminal investigations to address more sophisticated attackers.
Sophisticated attackers often use social engineering as a key part of their attacks. Social engineering vulnerabilities generally arise when there is a process in place to facilitate some legitimate activity, and when that process can be corrupted -- by manipulating the actors who use it -- to effect an outcome not predicted (and probably not desired). Most readers of this blog likely encounter such attacks on a regular basis, but have (hopefully!) been trained or learned how to recognize such attacks. One common example is the email, purportedly from a friend, business, or other contact, that invites you to click on a link. Once clicked on, this link in fact does not lead to the "exciting website" your friend advertised, but rather harvests the username and password for your email account and uses those for a variety of evil things.
I describe this example, which hopefully resonates with some readers (if not, be thankful for your great spam filters!), because it resembles the vulnerability we *did* find in Prawfs. This vulnerability, which perhaps is better called a design choice, highlights the tension in legal solutions to cybercrime I discuss here. Allowing commenters to hyperlink is a choice -- one that forms the basis for the "open doors" component of this question: should a user be held criminally liable under federal cybercrime law for using a website "feature" in a way other than that intended (or perhaps desired) by the operators of a website, but in a way that is otherwise not unlawful?
Prawfs uses TypePad, a well-known blogging software platform that handles (most) of the security work. And, in fact, it does quite a good job -- as mentioned above, most of the common vulnerabilities are closed off. The one we found remaining is quite interesting. It stems from the fact that commenters are permitted to use basic HTML (the "core" language in which web pages are written) in writing their comments. The danger in this approach is that it allows an attacker to include malicious "code" in their comments, such as the type of link described above. Since the setup of TypePad allows for commenters to provide their own name, it is also quite easy for an attacker to "pretend" to be someone else and use that person's "authority" to entice readers to click on the dangerous link. The final comment of Part 1 provides an example, here.
A simple solution -- one to which many security professionals rush -- is just to disable the ability to include HTML in comments. (Security professionals often tend to rush to disable entirely features that create risk.) Herein lies the problem: there is a very legitimate reason for allowing HTML in comments; it allows legitimate commenters to include clickable links to resources they cite. As we've seen in many other posts, this can be a very useful thing to do, particularly when citing opinions or other blog posts. Interestingly, as an aside, I've often found this tension curiously to resemble that found in debates about restricting speech on the basis of national security concerns. But that is a separate post.
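One middle path between the two extremes in the paragraph above, as an added example that is not Prawfs' or TypePad's code: an allowlist sanitizer, written here with Python's standard library, that keeps clickable http(s) links in a comment but strips every other tag, attribute and link scheme. The class and function names are assumptions, and the comment strings in the usage section are constructed.

```python
"""Allowlist sanitizer for blog comments: plain text plus http(s) links only.

Added example (not TypePad's or Prawfs' code). Assumes comments arrive as raw
HTML strings and the site wants clickable links but no other markup.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class CommentSanitizer(HTMLParser):
    """Rebuilds the comment from scratch: text is escaped, only <a href> survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_link = False   # inside an allowed <a>...</a>
        self.skipping = False    # inside <script>/<style>: drop its text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
            return
        if tag != "a":
            return  # every other tag and all its attributes are dropped
        href = dict(attrs).get("href") or ""
        scheme = urlparse(href.strip()).scheme.lower()
        # Only absolute http(s) links survive; javascript:, data:, mailto: and
        # scheme-less hrefs are dropped, as are onclick-style attributes.
        if scheme in ALLOWED_SCHEMES and not self.open_link:
            safe_href = escape(href.strip(), quote=True)
            self.out.append(f'<a href="{safe_href}" rel="nofollow noopener">')
            self.open_link = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag == "a" and self.open_link:
            self.out.append("</a>")
            self.open_link = False

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))  # re-escape so no raw markup leaks

    def result(self):
        if self.open_link:  # unclosed <a>: close it so the page stays well-formed
            self.out.append("</a>")
        return "".join(self.out)


def sanitize_comment(raw_html):
    """Return the comment with only text and allowed links preserved."""
    p = CommentSanitizer()
    p.feed(raw_html)
    p.close()
    return p.result()
```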
Cybercrime clearly is a substantial problem. Tradeoffs like the one discussed here present one of the core reasons the problem cannot be solved through technology alone. Turning to law -- particularly regulating certain undesired behaviors through criminalization -- is a logical and perhaps necessary step in addressing cybersecurity problems. As I have begun to study this problem, however, I have reached the conclusion that legal solutions face a structurally similar set of tradeoffs as do technical solutions.
The CFAA is the primary federal law criminalizing certain cybercrime and "hacking" activities. The critical threshold in many CFAA cases is whether a user has "exceeded authorized access" (18 U.S.C. § 1030(a)) on a computer system. But who defines "authorized access?" Historically, this was done by a system administrator, who set rules and policies for how individuals could use computers within an organization. The usernames and passwords we all have at our respective academic institutions, and the resources those credentials allow us to access, are an example of this classic model.
What about a website like Prawfs? Most readers don't use a login and password to read or comment, but do for posting entries. Like most websites, there is a policy addressing (some of) the aspects of acceptable use. That policy, however, can change at any time and without notice. (There are good reasons this is the case, the simplest being it is not practical to notify every person who ever visits the website of any change to the policy in advance of such changes taking effect.) What if a policy changes, however, in a way that makes an activity -- one previously allowed -- now impermissible? Under a broad interpretation of the CFAA, the user continuing to engage in the now impermissible activity would be exceeding their authorized access, and thereby possibly running afoul of the CFAA (specifically (a)(2)(C)).
Some courts have rejected this broad interpretation, perhaps most famously in United States v. Lori Drew, colloquially known as the "MySpace Mom" case. Other courts have accepted a broader view, as discussed by Michael Risch here and here. I find the Drew result correct, if frustrating, and the (original) Nosal result scary and incorrect. Last week, the Ninth Circuit en banc reversed itself and adopted a more Drew-like view of the CFAA. I am particularly relieved by the majority's understanding of the CFAA overbreadth problem:
The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.
(United States v. Nosal, No. 10-10038 (9th Cir. Apr. 10, 2012) at 3864.)
I think the court recognizes here that an overbroad interpretation of the CFAA is similar to extending a breaking and entering statute to just walking in an open door. The Ninth Circuit appears to adopt similar thinking, noting that Congress' original intent was to address the issue of hackers breaking into computer systems, not innocent actors who either don't (can't?) understand the implications of their actions or don't intend to "hack" a system when they find the system allows them to access a file or use a certain function:
While the CFAA is susceptible to the government’s broad interpretation, we find Nosal’s narrower one more plausible. Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, “[i]n intentionally trespassing into someone else’s computer files, the offender obtains at the very least information as to how to break into that computer system.” S. Rep. No. 99-432, at 9 (1986) (Conf. Rep.).
(Nosal at 3863.)
Obviously the Ninth Circuit is far from the last word on this issue, and the dissent notes differences in how other Circuits have viewed the CFAA. I suspect at some point, unless Congress first acts, the Supreme Court will end up weighing in on the issue. Before that, I hope to produce some useful thoughts on the issue, and eagerly solicit feedback from Prawfs readers. I've constructed a couple of examples below to illustrate this in the context of the Blawg.
Consider, for example, a change in a blog's rules restricting what commenters may link to in their comments. Let's assume that, like Prawfs, currently there are no specific posted restrictions. Let's say a blog decided it had a serious problem with spam (thankfully we don't here at Prawfs), and wanted to address this by adjusting the acceptable use policy for the blog to prohibit linking to any commercial product or service. We probably wouldn't feel much empathy for the unrelated spam advertisers who filled the comments with useless information about low-cost, prescriptionless, mail-order pharmaceuticals. We definitely wouldn't about the advance-fee fraud advertisers. But what about the practitioner who is an active participant in the blog, contributes to substantive discussions, and occasionally may want to reference or link to their practice in order to raise awareness?
Technically, all three categories of activity would violate (the broad interpretation of) (a)(2)(C). Note that the intent requirement -- or lack thereof -- in (a)(2)(C) is a key element of why these are treated similarly: the only "intent" required for violation is intent to access. (a)(2)(C) does not distinguish among actors' intent beyond this. As I have commented elsewhere (scroll down), one can easily construct scenarios under a "scary" reading of the CFAA where criminal law might be unable to distinguish between innocent actors lacking any reasonable element of what we traditionally consider mens rea, and malicious actors trying to take over or bring down information systems. At the moment, I tend to think there's a more difficult problem discerning intent in the "gray area" examples I constructed here, particularly the Facebook examples when a username/password is involved. But I wonder what some of the criminal law folks think about whether intent really *is* harder, or if we could solve that problem with better statutory construction of the CFAA.
Finally, I've added one last comment to the original post (Part 1) that highlights both how easy it is to engage in such hacking (i.e., this isn't purely hypothetical) and how difficult it is to address the problem with technical solutions (i.e., those solutions would have meant none of this post -- or of my comments on the Facebook passwords post -- could have contained clickable links). I also hope it adds a little bit of "impact factor." The text of the comment explains how it works, and also provides an example of how it could be socially engineered.
In sum, the lack of clarity in the CFAA, and the resulting "criminalization overbreadth," is what concerns me -- and, thankfully, apparently the Ninth Circuit. In the process of examining whether Prawfs/TypePad had any common vulnerabilities, it occurred to me that in the rush to defend against legitimate cybercriminals, there may develop significant political pressure to over-criminalize other activities which are not proper for regulation through the criminal law. We have already seen this happen with child pornography laws and sexting. I am extremely interested in others' thoughts on this subject, and hope I have depicted the problem in a way digestible to non-technical readers!