Invitation to Cybersecurity

10. The Boundaries of Cybersecurity: Ethics, Rights, and Laws 275

student ID card, Alice confirmed that the nine-digit number in the URL was indeed her student ID number. From her web apps class she knew about URL query strings, and how arguments could be passed to web servers in the URL so that the appropriate dynamic web page could be retrieved for the user. In this case, she speculated that the query being sent to the backend database was parameterized by the student ID number passed in the URL—that is how the web server knew to return her transcript and not some other student’s. But this led immediately to another thought: what if she changed the student ID number in the URL to another student’s ID number? Would the website return the other student’s transcript? If so, this would allow her to access information that she knew she was not authorized to see, but she could not resist indulging her curiosity.

Her roommate was already in bed for the night and, as always, had left her student ID card out on her desk. Alice reached over, grabbed the ID, and replaced the nine-digit number in the URL with the student ID number printed on the back of her roommate’s card. With her heart racing in anticipation, Alice hit the enter key, and voilà, it worked! She was staring at her roommate’s transcript! Not caring terribly much about the grades her roommate had received, Alice scanned the page quickly and closed her web browser, pleased that she had pulled off such a neat trick.

During breakfast the next morning at the dining hall, Alice could not wait to tell her classmate Bob, a pentester, about her discovery. When she told him, however, the concerned expression on his face quickly dampened her mood. Bob informed Alice that if school officials found out what she had done, she could not only face university disciplinary measures, but she could also be charged under a federal law known as the Computer Fraud and Abuse Act (CFAA).
Alice hoped that Bob was overreacting, but she realized she needed to learn more about this law and how it might apply to her actions. In the story, Alice used her computer to read her roommate’s transcript on the registrar’s website. Did Alice violate the CFAA? Alice demonstrated intentionality by grabbing her roommate’s ID card and manually copying the number into the URL. Alice was not supposed to have access to her roommate’s transcript; therefore, viewing her roommate’s transcript exceeded her authorized access. Viewing the transcript is considered “obtaining information” even though Alice did not make a copy or take a picture of it. The university web server is an Internet-connected computer, so it meets the “protected computer” criteria. So on the surface, maybe Bob was right to be concerned. However, in her defense, Alice’s lawyer would likely home in on the definition of “exceeds authorized access.” The lawyer could argue that Alice had actually been given access to her roommate’s transcript by the university IT department. The website should have had measures in place to safeguard the transcripts by making sure the viewed transcript matched the logged-in user’s ID; because it didn’t, the university tacitly gave everyone access. Bottom line, charging Alice with the
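The safeguard the analysis describes, making sure the transcript served matches the logged-in user, as an added example that is not from the textbook. It models the registrar page as a plain Python handler with a constructed transcript table, a constructed `student_id` query parameter name, and a session-supplied student ID; the flawed handler beside the corrected one shows exactly which check was missing in Alice’s story.

```python
# Added example (not from the textbook): transcript lookup with and without the
# ownership check. Student IDs, transcripts and the parameter name are constructed.
from urllib.parse import urlparse, parse_qs

# Constructed sample data: student ID -> transcript text.
TRANSCRIPTS = {
    "123456789": "Alice: CS101 A, MATH201 B+",
    "987654321": "Roommate: BIO110 A-, CHEM120 B",
}


def parse_student_id(url):
    """Return the single nine-digit student_id query value, or None if malformed."""
    ids = parse_qs(urlparse(url).query).get("student_id", [])
    if len(ids) != 1 or not (ids[0].isdigit() and len(ids[0]) == 9):
        return None
    return ids[0]


def transcript_vulnerable(session_student_id, url):
    """Flawed handler: trusts the ID in the URL and never consults the session."""
    sid = parse_student_id(url)
    if sid is None:
        return (400, "bad request")
    if sid not in TRANSCRIPTS:
        return (404, "not found")
    return (200, TRANSCRIPTS[sid])  # any logged-in user can read any transcript


def transcript_fixed(session_student_id, url):
    """Hardened handler: the requested ID must equal the authenticated user's ID.

    The ownership check runs before the existence check so a rejected request
    reveals nothing about which IDs are valid; a stricter design would drop the
    parameter entirely and take the ID from the session alone.
    """
    sid = parse_student_id(url)
    if sid is None:
        return (400, "bad request")
    if sid != session_student_id:
        # Log this mismatch; repeated 403s from one session are a signal worth alerting on.
        return (403, "forbidden")
    if sid not in TRANSCRIPTS:
        return (404, "not found")
    return (200, TRANSCRIPTS[sid])
```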
