[cap-talk] bundling designation and authority

Sandro Magi smagi at naasking.homeip.net
Thu Oct 13 09:19:30 EDT 2005


Ian G wrote:
> Sandro Magi wrote:
> 
>> He clearly stated his intent by explaining that he was investigating 
>> the legitimacy of the website involved.
> 
> Right.  So his intent does not actually trigger
> the "guilty mind" test that Nick writes of, nor
> does it trigger clause 1.1 of the statute that
> David posted.  IMHO.

But you are assuming "guilty mind" means he had malicious intent. I do 
not believe this is what is meant. Someone who cracks a system, but does 
no damage except inform the sysadmin, is still guilty under the law. The 
"guilty mind" in the UK case is satisfied because the defendant 
knowingly fabricated an unauthorized URL and attempted to access it. His 
intent was to gain additional information by an unauthorized URL. I believe 
this is sufficient, but I'm not a lawyer, so I can't be certain.

>> Thus, the legitimacy as specified in RFCs is irrelevant. BT did not 
>> provide a link to the URL the defendant attempted to access, thus his 
>> access was unauthorized [1].
> 
> 
> I think I would prefer to say that the court
> accepted the doctrine of "only presented links"
> rather than say that the RFC is irrelevant.

The links that were presented express DEC's intention to grant access to 
only these URLs.

The defendant, being a computer expert, knew DEC's intention that only 
these URLs were authorized.

The defendant knowingly attempted to access unauthorized URLs anyway.

If you know full well that I don't want trespassers, yet you trespass 
anyway, are you not guilty? The law attempts as far as possible to reuse 
precedent where it makes sense. Seems to me, the conclusion follows 
directly from the same sort of logic surrounding private property.

> If we go down the track of saying that the
> RFCs are irrelevant, then we quickly come into
> an area where the whole web site lacks founding
> because it has not actually published any alternate.

I just meant that it was irrelevant in this case.

> Which leads me to the thought that the doctrine
> of "only presented links" is and can only be
> valid as an *extension* to the RFC.  It must by
> nature take the RFC and then extend from it,
> and as a corollary it also must present somewhere
> its extension, in writing, for it to carry enough
> weight to battle the RFC.
> 
> Therefore, the RFC must be relevant.

The RFC is irrelevant because it makes no authorization claims. This 
case is likely more about intent (as explained above and below).

>> The fact that the link was not explicitly provided but was fabricated 
>> by the defendant is the difference here.
> 
> Yes, these seem to be facts.  But are they facts of
> relevance?  Again it boils down to "you can enter
> this site but you must follow these rules:  which
> are ... where?"  As David Hopwood described, the
> rules of the RFC explicitly permit typing of new
> URLs.  And the custom of the net follows that.

Indeed. But as I explained above, being a computer expert the defendant 
knew what he was doing, and knew that the URL might grant him 
information not originally intended to be granted to users. This is a 
violation of the law, as quoted in prior e-mails, regardless.

>> You are using the RFC as an implicit authorization/contract that the 
>> web server must satisfy;
> 
> Yes, that's a reasonable characterisation.  Actually,
> I'd say it is quite explicit.  It's written, it's
> standardised, widely promulgated.  If they did not
> follow the "auth/contract" they would not have a
> website, no?

They could implement a subset of the RFC and still have a website that 
is browsable and transparent to most users.

>> if it were really a contract it would hold legal weight. RFCs do not 
>> hold weight as far as I know; seems to me, an RFC is merely an 
>> informal agreement between co-operating parties.
> 
> No, that's not good logic.  In contract law, the
> presence of a formal contract with CONTRACT on
> the heading is not necessary to form a contract.
> 
> In determining what the contract is, the court
> looks at many things, and fits it into the
> framework of contract law.  One of the things
> they look at is the agreements between the
> parties, and the customs of the industry;  by
> all the tests that could be construed, the RFCs
> do hold weight and would pass as "material"
> documents in contract discussions.
> 
> (Which isn't to predict the eventual discussion,
> but a priori, it is not easy to rule out RFCs
> as being not contracts.)
> 
> (I speak of common law here, things are different
> under UCC and civil code ... and IANAL...)

Could you really sue a company for not following an RFC to the letter? 
Depends on what they advertise I suppose. If they advertise full RFC 
compliance, then they are misleading you if they do not. What if they 
merely sell you a "web server"? I suppose the common understanding in 
the industry is that a "web server" implements the RFC, so that can 
likely be successfully argued as well.

But as I explained above, authorization and intent are separable 
concerns. This is what I mean when I say the RFC is irrelevant in this case.

Sandro

