1. Self-Help in Cyberspace: Offense, Defense, and Both at the Same Time Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Critical Infrastructure Conference George Mason University Law School May 9, 2003

2. Overview n Defining self-help n Offense, defense, and both n UCITA self-help n Berman bill n Conclusions

3. I. Defining Self-Help n Broad definition: – Any action to prevent or resolve a dispute without official assistance of government official or neutral 3d party n Narrow definition: – Repo actions to get back property when a debtor has not performed under a contract n Today: start broad, then look at narrow

4. II. Offense and Defense in Self- Help n Offense in cyber-security: an attack on their system – Send virus – High port attack – And so on n This is typically a crime (Computer Fraud and Abuse Act) and/or intentional tort (trespass to chattels)

5. When is Offense Justified? n Privileges from traditional criminal and tort law – Defense of property: allowed to use proportional force to repel the attack – If someone is attacking your physical property, usually cannot counter-attack – Usually not self defense because physical person is not threatened by cyber-attack – In short, narrow privilege to use offense

6. When is Offense Justified? n What about offensive cyber-attacks in time of war? n Would generally be lawful where the war is lawful – But, perfidy and limits on the U.S. Army pretending to be an authorized computer user – Limits on collateral damage -- perhaps unlawful to attack zombie computer that fronts for the true adversary

7. Defense in Cyber-security n Presumptively lawful: – Firewalls – Anti-virus – And so on n This is my system and I lawfully can protect it with the equivalent of locked doors, internal security, and bright outside lighting

8. Both Offense and Defense n Interactive computer systems – My bits interact with your web page – My software mixes with your data – We lack the clear boundaries of real property law n Your cookies on my hard drive (are you attacking me?) n My surfing may exceed your stated terms of use (am I attacking you?)

9. Both Offense and Defense n Suppose your software is on my system n I want to de-bug or reverse engineer the software (circumvent the protective coating around your software) n Defense because it concerns (potentially malicious) activities inside my system? n Offense because I am circumventing the protections of your software?

10. Both Offense and Defense n Hence, the controversy in the anti- circumvention rules in Sec. 1201 of the DMCA n Compelling security principle that the defender can know what is inside the security perimeter n Compelling intellectual property argument that protection is needed to stop widespread piracy

11. How to Resolve Circumvention? n Sorry. Cant do that today. n Analysis here shows the systematic challenges that Sec. 1201 will pose for those who want to have security within their system perimeter n Quite likely need more input from security community in ongoing debate

12. III. Between Offense and Defense -- UCITA n The narrow or traditional type of self- help n A lender/seller gets back its own property – Repo a car – Cut off the buyers access to software, where the buyer no longer has a legal right to it

13. UCITA n This is partly defense by seller – The buyer has no right to the property n Basic common law questions: – Is there an offensive tort or crime? – Is the offense privileged? – Key candidate for that is consent, like consent to battery (boxing), or to trespass (license to come onto property)

14. Is UCITA Self-Help Good? n UCITA described by Joel Wolfson n For software that expires in 30 days, few problems – No offense involved – Possible concerns about consent, so that the hospital system does not suddenly shut off

15. UCITA n Entry into buyers system to shut off software? n Significant offense n The battle in UCITA was over meaning of consent – No mass market licenses – No collateral damage – Consent must be specific to the self-help provision

16. In favor of UCITA Self-Help? n In favor: – The argument for contracts generally – Expands range of possible bargains, increasing efficiency and choice

17. Worries about UCITA Self-Help n Concern of a security externality n Contrast a system with many back doors or Trojan horses under UCITA to one where this self-help is prohibited n Technical question how much these holes in defense will undermine overall security of networked systems n Benefits of contracts vs. security externality

18. IV. Between Offense and Defense: Berman Bill n Joel Wolfson has described it n Basic idea: where have wrongful conduct (copyright infringement) the owner can destroy the infringing material n Physical world: car owner could destroy the car held by borrower who didnt pay or by a thief

19. Berman Bill n Common law – Some authority for strong self-help if the thief holds your car -- break into the yard, etc. – No privilege of consent, however, as in UCITA n Offensive – Launch computer attack – A strangers computer

20. Berman Bill More Worrisome than UCITA Self-Help n Security externality of Berman – Breach of the peace worries where authorize attacks on strangers – Current draft allows a lot of collateral damage – Unclear effects on infringers vs.system owners (what if a University server is destroyed?) n Legal line drawing problems – Similar authority to delete hate speech, defamation, obscene material, anti-government political speech, etc.?

21. Conclusions n Framework of common law and privileges such as defense of property and consent n Framework of offense (usually bad), defense (usually good) and both (usually hard) n Need more legal research into physical world analogies n Ultimately, benefits from self-help vs. costs to building insecure systems

22. Contact Information n Professor Peter Swire n phone: 240-994-4142 n email: peter@peterswire.net n web: www.peterswire.net