Date: Thursday, August 31, 1995
Time: 6:30 pm
Host: Max Allen
Place: CBC Building, Downtown Toronto
Special thanks to Max Allen who arranged for us to have a great dinner at the meeting. Thanks Max!
I'd like to take this opportunity to extend a very warm welcome to all of our new members who joined us for the first time at this meeting, namely: Michael Kot, Jesse Hirsh, Prof. Janisch and Ken Campbell.
I'd also like to thank Jesse Hirsh for joining us at this meeting and sharing his difficult situation with us.
The following issues were dealt with during the meeting:
Please note that the Lobbyist Registration Act, and its associated reports, are available online.
Holding up the LoGISTICS press run was news that the LoGIC Web site has been born. Thanks to Paul Chvostek and Ken Campbell, the inaugural page may be viewed here. It contains LoGIC's Mandate and will be subject to major change in the weeks ahead. The URL (address) itself is also subject to change, so take care linking the site and publicizing it. When the link is established permanently, LoGIC will be notified through the mailing list. That said, surf's up!
A "graffiti board" would be a means by which anyone visiting our Web site could leave a short message without being required to include their name or e-mail address. The messages would be collected using Netscape 1.1's form feature and would be sorted by subject heading. Other users could browse these postings and respond to them. If someone posts something really controversial (e.g. obscene or copyright protected) we'd have to decide what our course of action would be.
Graffiti boards exist at several other sites, including HotWired and Hallucinet. However, both of these sites require that the user's name and e-mail address be included in a posting.
On Thursday, September 7, 1995, at 10am in Courtroom 126 of Toronto's Old City Hall, Jesse Hirsh was scheduled to go on trial. He was charged with "unauthorized use of a computer system" contrary to section 342.1 of the Criminal Code of Canada.
Jesse had been caught using his step-brother's university computer account, as well as the account of another friend, to publish an anarchist newsletter to the Internet. Upon his arrest, Jesse assured the police that he had been given permission to use the accounts. However, the prosecution adopted the position that, since the university had a strict policy against allowing its users to share computer accounts, Jesse's step-brother and friend had not been permitted to give Jesse the necessary authorization to make use of their accounts. In other words, it didn't make any difference that his step-brother and friend knew that he was using the accounts; all that mattered was that he had actually used them.
Jesse quickly set about hiring himself a good lawyer (Bob Kellerman) and prepared to confront the case against him. After many months of anxious waiting, Jesse's day in court finally arrived. On the morning of the trial -- mere minutes before the Court was called into session -- the prosecution suddenly withdrew the charges. Jesse agreed to pay to the University of Toronto the sum of $400.00 as a token in satisfaction of the cost of using its computers. (The University had claimed $1600.00!) He was free to go.
For Jesse, the prosecution's withdrawal signified the end of a long and harrowing journey. After countless sleepless nights, lying awake and worrying about the possibility of a criminal record -- or worse still, a jail sentence -- he could finally rest easy. But for Canadians everywhere, Jesse's story raises the ominous spectre of more cases like it in the future.
(1) Every one who, fraudulently and without colour of right,
- (a) obtains, directly or indirectly, any computer service,
- (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, or
- (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.
Section 342.1 of the Criminal Code of Canada is part of a series of new "high tech" crimes that were introduced a few years ago as Bill C-34. The law was also amended to expand the definition of "mischief" (see section 430) to include anyone who wilfully obstructs, interrupts, interferes, alters or destroys data.
The purpose of 342.1 was, among other things, to prohibit anyone from making use of a computer system "fraudulently and without colour of right". In other words, if Jesse knew that his step-brother and friend were not permitted to grant him permission to access their accounts, but he used them anyway, then he would probably be guilty of a crime. On the other hand, if Jesse genuinely believed that his brother and friend could grant him permission to make use of the accounts, then he would likely possess the necessary "colour of right" to avoid a conviction.
In creating a new category of crime which prohibits the unauthorized use of a computer system, the Canadian legislature was, presumably, trying to pass a law which would allow the police to control computer hackers. The term "hacker" is generally held to mean one of two different things: (1) anyone who likes to fiddle around (a technical term) with computers and their software; or (2) a person who breaks into computer systems. From the university's perspective, Jesse "broke in" to its computer because the university never authorized him to use those accounts. On the other hand, Jesse wasn't really a "hacker" in the true sense of the word because his step-brother and friend gave him the passwords.
Unfortunately, the Criminal Code doesn't draw such a fine distinction. According to the law, if you use a computer system that you weren't supposed to, and you know it, then you're guilty of an offence and could be liable to imprisonment "for a term not exceeding ten years". But the law's clear-cut distinction between authorized and unauthorized use may have some very serious implications for Canadians everywhere. That's because many of the service contracts that Canadians enter into every day contain language which limits their right to transfer or assign the use of the service to any other person.
For example, if you have an inter-branch banking card, the kind that you use to withdraw money from an automatic teller machine (ATM), then you've probably already signed an agreement with the bank that reads something like this:
This card belongs to the bank and is not the personal property of the card holder. The card holder agrees not to give this card or the password to anyone and the card holder will notify the bank as soon as possible if and when it is discovered that someone other than the card holder knows or may know the password...
Accordingly, if you give your bank card to a friend (or spouse, or family member) so that he or she can pay your bills or make a withdrawal for you, your friend could be charged under section 342.1 of the Criminal Code.
The same type of restrictions may apply to your telephone answering service (arguably a computer system) and to your Prodigy or Compuserve accounts. In each case, the account and password are intended "for your eyes only".
"But would anyone actually prosecute these cases?" you might ask. Wouldn't banks and phone companies rather deal with these issues privately, rather than drag them through the courts and risk all the publicity and possible embarrassment associated with a trial? The answer, in most cases, is "Yes." Banks do prefer to deal with these types of cases privately. In fact, one Toronto bank manager told me that even though Canadian banks are facing a growing number of cases in which people are caught using their friend's banking cards, the banks prefer to deal with the matter privately.
On the other hand, universities and employers are two groups of computer owners who actually welcome the publicity and exposure associated with criminal trials. Universities administer gigantic computer systems which are used by thousands of staff and students on a daily basis. The people who are hired to run these computers have a tremendous responsibility and, generally speaking, not enough resources to do their jobs properly. As a result, the universities prefer to see unauthorized users prosecuted under the criminal law, since it provides a powerful form of deterrence against future abuses. The rationale is that if people know that they're likely to face criminal charges if they're caught misusing a university computer, maybe they'll think twice before they abuse their own, or someone else's, account.
The idea that universities or employers can rely on the criminal law to protect their computer systems (and their telephone systems - see section 326 of the Criminal Code, which prohibits the theft of a telecommunication service) raises the following important question: to what extent should the criminal law be used to enforce private agreements?
It's an interesting question and one that deserves further looking into (see "What YOU Can Do!" below). On the one hand, anyone who gives their password to a friend is an accomplice to a crime and could be prosecuted as such under section 21 of the Criminal Code. On the other hand, giving your password to someone is merely a breach of your contractual agreement with the owner of the computer system. Should you be liable for criminal sanctions for the mere breach of a contract? And if you shouldn't be liable, why should the person to whom you gave the password be liable? The easy answer is, of course, that the person to whom you gave the password hasn't entered into a contractual arrangement with the owner of the computer. But imagine for a moment that the person you gave the password to has entered into an agreement with the computer owner (e.g. another university student). If you give the password to that person, can the computer owner still try to go outside the terms of the private agreement that binds you and seek criminal sanctions?
Another interesting question is whether the password has to be given to anyone at all in order to constitute an offence under section 342.1. Say, for example, that you are a university student with a computer account. The university has informed you that the account can be used only for the purposes of your course work and e-mail, but not for reading Usenet news. After diligently using your account for the sole purposes of calculating integrals and sending e-mail to your Aunt May in Alberta, you finally submit to the overwhelming temptation to read alt.sex.walter_mathau. After several months, and countless computer cycles later, you are informed by the university's computing staff that they have been "monitoring your activities" and that you have made "unauthorized use of a computer system". Should the university be restricted to the terms of its contract with you, or can it go outside the contract and request criminal sanctions?
If it seems far-fetched that the university would press charges in the circumstances just described, try to imagine this scenario. A private detective needs to get the criminal record of a person she's investigating to see if she can dig up any smut. She calls up her policeman friend, who happens to work in the records department, and asks him to pull the file. He sits down at his computer terminal and calls up the record, then he prints it and gives it to his detective friend. Section 342.1(c) states that everyone who, fraudulently and without colour of right, "uses or causes to be used, directly or indirectly, a computer system" is guilty of an offence. While it's true in this example that the private detective doesn't have a contract with the police department to shield her from criminal prosecution, the police officer who actually used the computer does. Should the police officer be charged with the unauthorized use of a computer system or should his employer be restricted to the terms of the employment contract?
In the final analysis, Canadians have to ask themselves if they are satisfied with the existing laws, like s. 342.1, designed to protect society against the unlawful use of computer systems. Ultimately, it will be left to all Canadians to decide if they feel that the existing laws are too broad or too narrow. Some people may argue that the law is fine as it stands and that it's only a question of degree and willingness to enforce the law. As one criminal law teacher put it, "it's a crime to steal pencils from your office, but it's never enforced." Well, hardly ever.
LoGIC would like to prepare a cogent, persuasive and ultimately useful commentary for the Canadian Department of Justice on several of the provisions in the Criminal Code of Canada. As part of the commentary, we would like to address some of the issues dealt with above concerning sections 326 and 342.1. If you, or any paralegals, law students, associates, partners or plain 'ol concerned citizens, would like to write a paper on this (or any other) topic, please do! Then send it to LoGIC c/o Dov Wisebrod or Daniel Shap.
If you don't want to write a paper (or even if you do) and you have some extra research time on your hands :) please consider examining the following points and writing to us with a brief description of your findings:
In this, the first issue of LoGISTICS, I would like to start a new tradition by posing a specific Internet-related legal question which I would like to see debated in the mailing list. While we may not resolve any great legal questions this way, we will at least be paying L.I.P. service to them!
Section 327 of the Criminal Code of Canada concerns the crime of "Possession of a Device to Obtain Telecommunication Facility or Service". In the case of R. v. Duck (1985), 21 C.C.C. (3d) 529 (Ont. Dist. Ct.), the Court held that a computer program on a computer disc by which the accused could make long-distance telephone calls without charge constitutes an instrument or device within the meaning of this section. Do programs such as VocalTec's Internet Phone software, licensed to Microsoft's Windows 95, constitute an instrument or device within the meaning of this section?