When is hacking OK?

The ever-astute and vigilant Rebecca Tushnet reported yesterday on Egilman v. Keller & Heckman, from the District of D.C., which found that guessing a correct username and password and using that combination to access a website without permission of its owner does not constitute “circumvention” of a “technological measure” under the DMCA.

I only wish someone would explain to me how this is different from obtaining the “secret handshake” in StreamBox or the CSS key in the DeCSS case. In those cases too, the code used is in fact the correct, actual key — otherwise it wouldn’t work. (At the very least, I want a better explanation of the difference between “decrypting” and, say, “guessing.” What if the password wasn’t guessed on the first try? What if it took ten tries? What distinguishes that from a basic computerized password attack? Cf. the great 1980s movie Wargames, in which Matthew Broderick’s character substitutes a social-engineering attack, logging in as the computer’s creator, for his slower programmed assault on what he thinks is a gaming computer.)

5 thoughts on “When is hacking OK?”

  1. Do the cited cases postdate the DMCA? Maybe the distinction hasn’t been crafted. Instinctively to me, “guessing” is a handful-of-times kind of thing you do without assistance of a machine and based on some inspiration other than the perception of an obvious universe of possible permutations.

  2. BTW, I think coders want us to call this “cracking,” since “hacking” originated as a word for elegant coding and still gets used to refer to such (as in “a nice hack”).

  3. D’oh! But you probably know that. I forgot the principle that all’s fair in headline writing, including puns not otherwise fit for human consumption.

  4. Clearly hacking is not hacking if you don’t have skillz. If you are a partner at a law firm or a small business owner you don’t have the knowhow to circumvent technological measures. To be less cynical, hacking is hacking when it is not social engineering.

    MT: Yes DMCA is in play. To quote:

    Circumvention, as defined in the DMCA, is limited to actions that “descramble,” “decrypt,” “avoid, bypass, remove, deactivate or impair a technological measure.” 17 U.S.C. § 1201(a)(3) […] As such, the court concludes that using a username/password combination as intended—by entering a valid username and password, albeit without authorization—does not constitute circumvention under the DMCA.

    Of course, analogous behavior in the real world would be replicating an authentication token such as a driver’s license or a video rental card. Presumably both of those actions are fraud of some sort. So the DMCA isn’t necessary to proscribe the behavior of the defendant in this case.

  5. It’s more like using an authentic driver’s license that’s not your own. It’s impersonation. I suppose that falls under “fraud.” But it’s not counterfeiting.
