West's case sidesteps a few of these difficulties. He didn't attempt to publish the vulnerability at the Poteau Daily News, and, according to his lawyer, didn't intentionally copy valuable security software as Mitnick did.

But his case is powerfully relevant. Experts say that his actions at the Poteau site -- from finding the hole to downloading a competitor's publishing software and a file which had the passwords and log-ins that offered access to that software -- reignite many of the difficult questions that the technology community and courts are still trying to answer.

Does everyone have a right to look under the hood of every product they buy, of every Web site they can access? Once someone finds a possible vulnerability, must he or she inform whatever company might be affected by it? If someone exploits a vulnerability in order to verify that it exists, should the access be considered criminal, or does it depend on what is gained through the act of exploitation? Or, even more subjectively, does it depend on the intent of the hacker?

Even before West discovered the Poteau Daily News flaw, he had some experience with such queries. A few months prior, he noticed that his bank's online services included his account number in the URL, so by plugging in other numbers, he could (and allegedly did) access other people's accounts. He never changed these accounts, and told the bank about the flaw. They fixed it, without calling the cops.
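The bank flaw described above is what practitioners now call an insecure direct object reference: the server authenticates the visitor but never checks that the account named in the URL belongs to them. As an added example that is not part of the article, here is such a lookup beside a hardened version that enforces object-level authorization and records denied requests (all names and sample data are constructed):

```python
# Added example: an account lookup that trusts an identifier taken from the
# URL, beside one that verifies the authenticated caller owns that account.
# All session tokens, account numbers and balances below are constructed.

SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # token -> customer
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120.50},
    "1002": {"owner": "bob", "balance": 9870.00},
}
DENIED_LOG = []  # audit trail of refused lookups, useful for spotting enumeration


class Forbidden(Exception):
    """Raised when a logged-in user asks for an object they do not own."""


def get_account_vulnerable(session: str, account_id: str) -> dict:
    """Insecure: checks that the caller is logged in, then returns whatever
    account number appeared in the URL. Changing the number in the address
    bar is enough to read another customer's account."""
    if session not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS[account_id]  # account_id comes straight from the URL


def get_account_hardened(session: str, account_id: str) -> dict:
    """Fixed: the account must exist AND be owned by the caller. A missing
    account and a foreign account get the same refusal, so the response
    does not reveal which account numbers are valid."""
    user = SESSIONS.get(session)
    if user is None:
        raise PermissionError("not logged in")
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        DENIED_LOG.append((user, account_id))  # feed for detection/alerting
        raise Forbidden(f"{user} may not access account {account_id}")
    return account
```

Repeated entries for one user in `DENIED_LOG` with sequential account numbers are the signature a defender would alert on.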

West could have been prosecuted for his bank discovery too, just as Randal Schwartz was. The courts haven't given any clear answers to the burning questions surrounding computer access, says lawyer Granick. Although other people have found holes and been prosecuted for accessing private files, and in some cases for extortion -- charges that arise when people demand money for information on how to patch a given hole -- few of these cases went to trial. Most were settled without a judge's decision. There are exceptions, such as the DeCSS case, in which the publisher of the magazine 2600 was enjoined from distributing code that decrypts DVDs. But for the most part, the courts haven't clarified the laws surrounding security, so enforcement tends to be subjective.

"The whole concept of 'unauthorized access' is in question," Granick says. "There isn't enough case law to go on."

So, in the absence of legal authority, can the ambiguities be eliminated, or at least diminished? Granick, Smith, Levy and other security experts suggest that a formal, accepted set of guidelines -- voted on and supported by the security industry -- would improve the situation.

Granick argues that the resulting code should treat the Internet as an entity unto itself, rather than some kind of electronic home.

"The problem lies with the notion of 'went in,'" she says. "There's a barrier to going into a house or store that doesn't make sense in a computer context. If you type something in and see something you're not supposed to see, it's not the same as walking into someone's house. It's more like walking by a window without the shades being drawn."

Schwartz holds to a similar line. "There must be safe harbor for the people trying to help," he says, because otherwise holes will proliferate. When the law doesn't allow researchers the freedom to find and plug holes, bugs will go unreported; fear will keep the helpful away, leaving room for the intentionally malicious. "Everyone loses," he says. "And as the law currently stands, it's the whistleblowers (like me) that stand to lose the most."

But others disagree with Granick's logic. Tony Morgan, co-owner of Cyberlink, the ISP that wrote the software West copied, argues that West didn't just see the vulnerability. "He exploited it," Morgan says. "Finding the hole wasn't wrong; I back the hackers and crackers on that. The illegal part is when someone takes or destroys something. We feel that [in West's case] the line was crossed."

And Morgan -- who claims the software West downloaded could be sold for about $5,000 -- isn't the only one arguing that computers should be treated like offline property.

"If you screw with a service [as opposed to a product], you're screwing with someone's property," says Levy of Bugtraq. "Most people who have been doing security research for a while wouldn't have done what Brian did. Most people would know that the first thing you should do is get a waiver to verify the vulnerability."

On the other hand, the DMCA is also problematic precisely because it treats digital content as its own unique animal. While traditional copyright law allows people to, say, copy a book for a school project, the DMCA makes no room for such fair uses of digital content. Simply showing people how to unlock an electronic book, as Sklyarov is now discovering, becomes cause for imprisonment.

People already think the Internet and other new technologies are more unique than they actually are, says Schneier. And because the general public errs on the side of fear rather than respect, he says "the law needs to be technologically neutral."

David Touretzky, a computer science professor at Carnegie Mellon who testified at the DeCSS trial, believes that new technologies should be treated like your local bank.

"It's a place of business, open to the public," he says. "But not every inch is open to the public. Suppose I go wandering down the hall and walk into some guy's private office and walk over to the desk and take a look at the papers lying out in plain view. Am I guilty of breaking and entering? No. Am I trespassing? Well, yeah, but the building was open to the public."

At this point, because he would be somewhere he wasn't supposed to be, "the bank would be right to ask me to leave, maybe even tell me never to come back again," he says. "But having me arrested for wandering into an office? Nah. That would be overkill."

Still, with so many ideas swirling about, can a coherent set of guidelines ever form? At least one security expert -- Chris Wysopal, head of research and development at the security firm @Stake -- is making the attempt. But Wysopal, a former hacker who's known online as "Weld Pond," has just begun gathering industry input. Even though the Net would be better off "with a set of moral codes," says Schneier, the community probably won't come up with anything useful anytime soon.

"The only way to do it is through case law," he says. "That's how we did it with phones and wiretaps, and that's how it will happen here." West should not be punished harshly for his mistakes, he says, but regardless, the case may actually improve the present security environment. The only problem, he adds, is that the law moves slowly.

"It will take years to figure this out," Schneier says. "When the legal system hits Internet time, the results are a mess."

Brian West probably agrees.
