Welcome to the SecAware blog

I spy with my beady eye ...

8 Sept 2012

The limits of 'plain English' security policies

Being naturally optimistic (or 'realistic' as I put it), I generally look on the bright side of life - cue Monty Python.  Where appropriate I'm happy to cut a few corners in the interests of saving time and effort, believing that on the whole things will work out just fine.  

However, 'where appropriate' is an important caveat since, paradoxically, I'm also a perfectionist by nature, which means not cutting corners but doing things properly.  

Yes indeed, there is conflict lurking deep in my psyche.

Anyway, today this issue came to mind while reading the opinion accompanying a judgment on a legal case involving the (alleged) appropriation by a departing employee of his soon-to-be-former employer's proprietary information.  Please pore over the case notes for the full story and don't take anything I say as gospel, but for now suffice to say that the appeals court confirmed that there was no case to answer under the US Computer Fraud and Abuse Act (CFAA).  The facts underlying the case do not appear (to my legally-untrained eye) to be in dispute: the departing employee evidently did access proprietary information from his former employer and pass it to his new employer.  The central legal argument relates to the question of whether he had or had not been authorized to access the information at that point.  

The former employer alleged that the employee broke the terms of its security policies, and as such was not authorized and hence breached the CFAA.  The relevant parts of the CFAA are summed up in the opinion piece thus: "Among other things, the CFAA renders liable a person who (1) "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer," in violation of § 1030(a)(2)(C); (2) "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value," in violation of § 1030(a)(4); or (3) "intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage[,] or . . . causes damage and loss," in violation of § 1030(a)(5)(B)-(C)."

Later, the opinion notes that "To protect its confidential information and trade secrets, [the former employer] instituted policies that prohibited using the information without authorization or downloading it to a personal computer. These policies did not restrict [the soon-to-be-former employee's] authorization to access the information, however."  The remainder of the opinion, and the ultimate judgement, largely revolves around the precise (not to say arcane) legal definitions relating to the question of exactly what constitutes authorization.

In plain English, while the company believed the policy meant Miller did not have the authority to access the information, the fact that he was able to do so meant that, in practice, he was authorized.  Arguably he should not have accessed it, but he could - and indeed did - do so.  And therein lies the rub.

The judges quote and give weight to common English language (dictionary) definitions of certain terms used in the CFAA, determining that ""access" means "[t]o obtain, acquire," or "[t]o gain admission to."  Oxford English Dictionary (3d ed. 2011; online version 2012). Moreover, per the CFAA, a "computer" is a high-speed processing device "and includes any data storage facility or communications facility directly related to or operating in conjunction with such device." § 1030(e)(1). A computer becomes a "protected computer" when it "is used in or affecting interstate or foreign commerce." § 1030(e)(2)."

I can only guess why the "3d ed. 2011; online version 2012" (whatever that means!) Oxford English Dictionary, specifically, is given such credibility by the court: presumably it has become accepted practice in the courts and legal profession to refer to the a particular edition of the OED as a definitive source, and I suppose it suits the wider community's interests to agree on a single reference even if, perhaps, that agreement is not, itself, enshrined in law.  There is of course an argument that it doesn't particularly matter which specific source is the reference, just so long as everyone accepts it.  The fact that there are a vast number of other documented and potentially just as 'definitive' definitions for those terms is, it seems, irrelevant, as is the fact that language is constantly evolving, hence there is a distinct possibility that later editions of the OED will redefine the terms.  

I rather suspect that the lawyers would love to argue incessantly about definitions, on their clients' shilling of course, while the clients, the judges and the Ordinary Man would rather they just Got On With It. 

The real point of my diatribe is that words matter.  A lot.  Definitions and meanings are important - especially if something ends up before the courts, which is not uncommon in respect of disputes arising from corporate policies and procedures.  And if a case goes to appeal, the stakes are raised another notch.

If the former employer's policies had explicitly defined the terms and words they used (for example, referring to such-and-such an edition of whatever dictionary), there is a distinct possibility that their definitions would have been given more weight, although they would still not have been able to override the court's interpretation of the relevant statutes if there was conflict.  I idly wonder whether the company publishing and maintaining an information security glossary might have affected the outcome of this case ... but then I idly wonder whether I might have prospered or had a breakdown if I had studied law at college instead of genetics!


No comments:

Post a Comment