Is password-lending a crime?

[Peachy]

Interesting analysis of this legal case.

The case, decided last Monday, arose out of a dispute between two competing companies, Inquiry Management Systems (IMS), and Berkshire Information Systems, both of which tracked magazine advertisements for their clients. Employees of Berkshire obtained a userid and password from a client of IMS, and used them to access IMS's website and tracking service. This act violated the customer's agreement with IMS.From there, the Berkshire employees either read, or downloaded (or both) certain copyrighted information about the tracking of magazine advertisements, which of course, they used to compete with IMS.Is this an unfair and deceptive trade practice? Sure! Inducing a breach of contract between IMS and its customer? Absolutely! Fraud? Sure, why not.But IMS sued Berkshire for computer crime, and a violation of the DMCA.

[nlinecomputers]

Just like all DMCA cases this isn't a copyright issue but a theft of service issue and it should be treated as such. Or more correctly this should be treated as a case of industrial espionage and theft of trade secrets. For which we already have laws. It just like most proposed gun laws. They want to add more laws to items already covered under law but not enforced.And where the **** is the customer in all of this? Shouldn't they be held accountable for giving the password away? The article is not clear on if this was a case of a given password or a stolen password.

[Guest LilBambi]

The case in New York demonstrates several things. First, criminal statutes that allow civil lawsuits (like the RICO statute and others) inevitably result in distortions of the criminal law -- with potentially bad consequences for criminal defendants. They unnecessarily expand the scope of what is criminal.Second, even though the statute has been amended at least a half a dozen times, it's still hard for the courts to tell the difference between "damage" -- harming the system -- and "damages" -- harming the owner of the system in a way that results in quantifiable loss. It's time for Congress, or the Supreme Court, to clarify the matter once and for all. And while they're at it, they should take another hard look at what's meant by "unauthorized" access.

Right on the money!Nathan, I agree ... where is the person who allowed their UID/PWD to be used by the Berkshire employee and why isn't he being held accountable for his actions??

[Guest LilBambi]

I knew I had read about a password thing recently, and just found it in the SANS.org NewsBites from last week.Hacker* Sentenced To Prison For One Year - Former ViewSonic employee had pleaded guilty to accessing a protected computer and causing damage.

A former employee at computer-monitor maker ViewSonic Corp. was sentenced Monday to one year in prison for hacking into the company's computer system and wiping out critical data central to running its foreign operations.Andrew Garcia, 39, worked as a network administrator at the company's Walnut, Calif., office, where he maintained computer servers and had access to system passwords for managers.Garcia pleaded guilty in October to one count of "accessing a protected computer and recklessly causing damage" at ViewSonic, according to the U.S. Attorney's Office, Central District of California in Los Angeles. ViewSonic reported more than $1 billion in annual revenue in 2003.U.S. District Judge John F. Walter sent Garcia to prison for having accessed ViewSonic's computer system on April 14, 2002, approximately two weeks after he had been terminated, deleting critical files on a server he maintained while employed by the company. The loss of those files made the server inoperative, and ViewSonic's Taiwan office was unable to access important data for several days.

* UNETHICAL Hacker!! I get so upset with these media bozos lumping all hackers together like that!

[Tushman]

Just like all DMCA cases this isn't a copyright issue but a theft of service issue and it should be treated as such.  Or more correctly this should be treated as a case of industrial espionage and theft of trade secrets.  For which we already have laws.  It just like most proposed gun laws.  They want to add more laws to items already covered under law but not enforced.And where the **** is the customer in all of this?  Shouldn't they be held accountable for giving the password away?  The article is not clear on if this was a case of a given password or a stolen password.

nline, i agree with you whole heartedly. This is no different than walking into an office and stealing a laptop or confidential information. Just because it involves computers and an intangible medium via the internet doesn't mean it's any less of a crime.Also, crime's like Garcia is not uncommon. All the more reason why companies need a multi-layered approach in securing their most confidential data.