Norway

[NO] "Internet-User Beware!", Says Norway's Supreme Court

IRIS 1999-2:1/1

Nils Klevjer Aas

Norwegian Film Institute

Anyone connected to the Internet must expect outsiders to probe their system for security holes, Norway's Supreme Court held in a recent verdict, thereby implying that unprotected data is public. The case started as a piece of investigative journalism, when a staff member of an Oslo-based data security firm assisted a news team from national broadcaster NRK-TV in trying to break into the data system of the University of Oslo. Trying - unsuccessfully - to log on to different machines in the University's IT network from outside as a "guest" and as an "anonymous" user, the data engineer also made a comprehensive review of security breaches in the network. No sensitive data or files were removed during the operation, and the information gathered from the exercise has not been misused since.

The engineer and the company were charged with breach of Article 145 of the Penal Code, which has applied since 1979 to unauthorised accessing of IT-stored information ("data burglary"), and of Article 393, regarding unauthorised and detrimental use of the property of others. The company was found guilty and fined NOK 100.000 (EUR 14.000), plus payment of court costs and (minor) indemnities by the first-instance court. The engineer was fined NOK 10.000. The Appeals Court rejected the data burglary charge, but upheld the conviction on unlawful use of property. In a slim three-to-two decision, the Supreme Court threw out both charges, acquitting the engineer and the company. The judges found that anyone connected to the Internet must accept that "the machine may receive queries about what information it has to offer" and prompting a data server to respond to such questions was not unlawful use of the property of others.