Blaming the Good Samaritan

In the early '90s, I attended an academic conference in Hawaii. At one presentation, a colleague from the University of California at Berkeley, whom I'll refer to as "the supervisor," told a story of young hackers, whom he referred to as the Urchins.


The Urchins, according to the supervisor, remotely accessed several corporate mainframes as a way of learning and found vulnerabilities in their systems. They told the supervisor, who contacted the affected companies and told them of the illicit access and the vulnerabilities. He explained what he was told by the Urchins: There was no intent to do harm, and they only wanted to notify the companies of weaknesses in their systems.

To the companies, the motive did not matter. The only information they wanted was the name of the Urchins, so they could talk with them. The supervisor refused. Thirty days later, the Urchins accessed the same systems again through the same vulnerabilities. Even though the companies had been warned, they did nothing.

More than a decade later, we find ourselves in the same situation.

Earlier this month, SecurityFocus reported that a 20-year-old student at Carleton University in Ottawa, Ontario, faces criminal charges because he allegedly breached the security of the school's network. The school did not detect the attack on its own: The student sent a 16-page report detailing the security issues and potential solutions to network administrators and other students.

While the university is fixing the vulnerabilities, it seems less interested in solving its security problems and more interested in prosecuting the 'offenders.'

This is a classic instance of a case that should beg protection under a Good Samaritan law. Historically, Good Samaritan laws are legislation designed to protect from blame those who choose to aid others who are injured or ill. An example is giving voluntary first aid in the case of an auto accident and being shielded from legal prosecution.

Whether a person should get amnesty for hacking into a Web site without permission for the sole purpose of checking security is not a new question. In 2002, SecurityFocus asked:

Do good intentions count in a network intrusion, or should well-meaning hackers be prosecuted just like any other computer criminal?

In 2006, the prosecution of Eric McCarty served as a signpost for security researchers who poke around other people's systems to test their security: Be ready to face the legal consequences. The year before, McCarty, a prospective student at the University of Southern California (USC), used simple database injection techniques to retrieve the names and Social Security numbers of seven prospective students to demonstrate a flaw in the university's online application system. He contacted SecurityFocus, which acted to relay information to the university. McCarty was later prosecuted and pleaded guilty. He received six months of home detention and a felony on his record.

These actions, as with the student at Carleton University, point to the law's inability to prosecute wrongful acts while shielding those who have good intentions and do no harm. Presently, unauthorized access, even with good intent, is seen as an unlawful action. In the minds of law enforcement, unauthorized access is unauthorized access.

There should be a way for Good Samaritans to be seen for what they achieve, not for being criminals due to the embarrassment of the organization accessed. While this is a slippery slope, with a fine line between honest investigation and hacking, the law needs to catch up with reality. Companies cannot or do not catch all vulnerabilities in their public-facing systems, and honest help is a good thing. At present, the only legal way to investigate systems is to get permission for penetration testing. It is unlikely that administrators at Carleton University would have ever given the student such permission.

So, any would-be Good Samaritans who see potential security problems and only wish to help solve them have a simple choice: Don't do anything, or face criminal prosecution. This is a lose-lose situation.