Computer Security Law 101 should be a mandatory course for all freshman computer science majors. Save the advanced programming classes for sophomore year. Otherwise, these promising students may use their new skills to break the law -- without even knowing they're doing it.
These aren't small transgressions like driving 10 miles per hour over the speed limit. These aren't mere civil suits. These are felony charges. We're not talking about small fines. We're talking about fines that add up to tens of thousands of dollars. We're not talking about community service. We're talking about incarceration. And we're not talking about 30 days in jail. We're talking about 30 years in prison.
Sometimes the people charged with these crimes have no idea they are committing a crime. Others know but don't fully understand or appreciate the severity of the punishments they could face.
There are several striking examples of this -- Gary McKinnon, Eric McCarty, and Daniel Cuthbert, for starters. More recently, a Canadian computer science student was expelled for actions he took after discovering a vulnerability in software the school was using.
Just a few weeks ago, Aaron Swartz -- the young IT genius charged with illegally accessing JSTOR, MIT's subscription-only database of scientific and literary journals -- committed suicide. Some of Swartz's friends and family have said the prosecuting attorneys' harsh treatment drove Swartz, who had long suffered with depression, to take his own life. From a New York Times report:
"In an effort to provide free public access to JSTOR, [Swartz] broke into computer networks at M.I.T. by means that included gaining entry to a utility closet on campus and leaving a laptop that signed into the university network under a false account, federal officials said.
"Mr. Swartz turned over his hard drives with 4.8 million documents, and JSTOR declined to pursue the case. But Carmen M. Ortiz, a United States attorney, pressed on, saying that 'stealing is stealing, whether you use a computer command or a crowbar, and whether you take documents, data or dollars.'"
The US Computer Fraud and Abuse Act has established severe punishments for computer-related crimes. In my personal opinion, the text of the law and the way it is enforced show that legislators and the judicial system woefully misunderstand computers, information security, and cybercrime. Although Swartz's alleged actions were clearly intentional, not accidental, the potential punishments -- millions of dollars in fines and/or up to 35 years in prison -- seem vastly out of proportion with the nature of the crime.
But like it or not, that's the law as it stands now. Maybe universities' computer science departments can't easily change the law, but they can certainly teach their students about it.
Breaking the law isn't the only danger that IT security researchers must avoid. Corporate and university policies can also get them into trouble. Dawson College in Montreal expelled Ahmed Al-Khabaz for violating the computer science department's code of professional conduct.
While trying to develop a mobile app that would let Dawson students access their academic records, Al-Khabaz discovered a vulnerability in the university's software. When he reported the vulnerability to the school, he was told it would be fixed. A month later, he checked to see if it had been repaired. Here's where he really got himself in trouble -- as the expulsion letter describes it, he "attempted to gain unauthorized access to College and external information systems and injected SQL code, a clear violation of the Dawson IT policy."
Al-Khabaz admitted to both of these intrusions. Two weeks later, the computer science department recommended that he be expelled for not exhibiting behavior appropriate to the computer science profession.
The computer science code's definition of "inappropriate behavior" is very broad -- so broad that I'm amazed any undergraduate students ever make it to graduation. The code bars "display of deportment or habits (for example personal hygiene) outside the normally accepted standards in the work place," along with "continual rudeness." (I'm sad to say that, at some businesses, continual rudeness seems to be essential to success.)
Al-Khabaz told the National Post last week:
"I was acing all of my classes, but now I have zeros across the board. I can't get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won't be able to get it. My academic career is completely ruined."
Giving students the skills to probe the security of computer systems without at least making them aware of the risks is tantamount to teaching kids to drive without telling them that they have to stop at red lights. It's past time for professors and IT leaders to take responsibility for educating our youth about computer security law. All the STEM programs in the world aren't going to help us create the IT professionals of the future if those talented young people end up scared off, in prison, or worse.