Decius wrote: Although he was aware that the FBI was already seeking a warrant to search Heckenkamp's computer in order to serve the FBI’s law enforcement needs, Savoy believed that the university's separate security interests required immediate action. Just as requiring a warrant to investigate potential student drug use would disrupt operation of a high school ... requiring a warrant to investigate potential misuse of the university's computer network would disrupt the operation of the university and the network that it relies upon in order to function. Moreover, Savoy and the other network administrators generally do not have the same type of "adversarial relationship" with the university’s network users as law enforcement officers generally have with criminal suspects.
This case is going to have widespread ramifications. Overall I'm pretty unhappy with this conclusion and I think this will be abused left and right in ways these judges wouldn't have intended or approved of. There is a wide varience in competence among system's administrators, particularly between different Universities. Technical schools that have complex networks tend to attract smart people to their IT staffs who could probably handle this deputization responsibly. However, smaller schools with less interesting technology tend to have less competent admins... People who have difficulty understanding the difference between a security breach, and someone doing something with the network that they don't understand or haven't explicitly approved, but isn't a security breach. I suspect that some of these people will take an unreasonably broad view of their powers under this ruling. (The same thing can also be said of private computer network administrators, who might also be deputized by this. Its not clear whether this ruling would fit outside the context of a University. It might.) In general, people had always assumed that retalitory hacking was illegal. Here, the 9th has actually managed to make the wild west of the Internet a little bit wilder. I think ultimately that undermines the purpose that the Court is supposed to be serving. I hope this goes up to the SCOTUS.
This is actually very interesting. The way they ruled was that the sysadmin didn't break the law because he was acting in a manner analogous to a homeowner dealing with an intrusion. I would think rather than counter-hacking, dealing with the root level hack would have been better, but that's just my thought. Something else that shows up reading the actual opinion, but not in the summary here is that the limit of the search, basically doing ID on the machine, not checking the contents of it, is why it was not ruled an illegal search. Even if it had been ruled that way it wouldn't have helped the hacker because he was getting tracked independently, but the limited scope kept it from crossing the line. This is seriously slipperly slope territory but the judge drew what looks to be a reasonable line (identification, not investigation). How it actually works out in detail is a completely different question. RE: 9th Circuit Appeals Courth Authorizes University Admins to Hack Student Computers |