Security Information

Security Information  Week 15, 1999

Late last year Norman was acquitted in the Supreme Court of Norway. This ruling has been noticed and commented upon by news agencies and magazines all over the world. We will hereby supply some information and comment upon the possible implications of the ruling.

Note that the ruling has not, as far as we know, been translated into English. The attempt to translate the ruling as well as the judges' arguments into English is ours and should be regarded as such.

1. Background

The background for the lawsuit is that Norman at the end of 1995, in preparation for a TV story, looked into the fact that computers connected to the Internet leave trails and offer information which may be regarded as security risks for the computers themselves and any network they are part of.

When a user surfs the web, his/her IP address is left on the visited servers. This address may then be used to find out who the user is by using open programs and protocols. The visiting computer may also be contacted to see what services it offers (if any) to Internet users.

To start with, on 15 December 1995 the Norman employee used commands available in the standard protocols Telnet, SMTP (Simple Mail Transfer Protocol) and Finger. Such commands are issued towards computers connected to the Internet literally millions of times each day. The default user ID "Guest" was used in an attempt to log on to one such computer. The account "Guest" is a standard account to use when logging into computers which are open for guest login. No attempt whatsoever was made to guess user names and/or passwords, with the exception of such open accounts. No attempt was made to gain access using the user account "Administrator" and guessing this account's password.

After this, a port scan was conducted against a few ports on four different computers. A port scan will normally reveal the services which run on specified ports. The application used could not log the responses from the ports. Furthermore, the program was not a tool created to communicate on any visible ports.

On 2 January 1996 the organisation reported this to the police, which fined Norman. This fine was not accepted and the case went to court.

2. What the courts have said

This case has been tried at three different court levels.

Norman faced two different charges:

Illegal break-in to gain information which someone has attempted to protect. (This is the paragraph which may be used to find someone guilty of "hacking".)

Illegal use of property belonging to another. (I.e. use of computers belonging to another organisation.)

In the lowest court level Norman as well as the person employed by Norman was found guilty on both counts. Norman appealed this judgement to the higher court level.

The result in the next level of court was that Norman was acquitted on the most serious charge - illegal break-in, and found guilty of the less serious illegal use of another organisation’s property. Both the prosecutor and the defendant (Norman) appealed this ruling to Norway’s Supreme Court which is this country’s highest legal instance.

In the Supreme Court on 15 December 1998, Norman as a company as well as Norman’s employee was acquitted on both counts. The acquittal on the charge of illegal break-in was unanimous among all five judges.

3. How the judges saw this

Regarding "Illegal break-in"

The judges argued that by using the user name "Guest" one could only get access to information on a computer if the information there was not supposed to be protected. No attempt was made to gain access to any computer with supposedly protected user names/passwords.

Nor did the use of port scanning, from the Supreme Court’s point of view, give away any kind of protected information.

The Supreme Court thus argued that these actions did not qualify as attempts to get protected information and were therefore not illegal according to the paragraph of the law in question.

Regarding "Use of other’s property"

The accused was acquitted by three votes to two on this charge.

The judge who formulated the majority’s point of view argued that it could not be regarded as unauthorized use to ask a computer connected to the Internet which services it offers. Someone who connects a computer to the Internet and configures it to respond to enquiries about services should be regarded as one who elects to connect the computer to the Internet as a general information system.

4. Implications for what hackers can do according to Norwegian law

The implications of the Supreme Court’s ruling have been greatly misinterpreted by news agencies, newspapers and magazines, especially international ones. There have been headlines and articles which state that this ruling makes it legal to "hack" computers in Norway.

When one studies the Supreme Court’s ruling there is no basis for such an interpretation. Hopefully the summary above makes this clear.

On 9 February there was a conference in Oslo, Norway, which discussed the ruling and its implications. Both the lawyer who was the prosecutor of the case in the Supreme Court and Norman’s defending lawyer presented their views on the case and its possible implications. Even though the lawyers obviously did not agree on everything in this case, both were crystal clear that the ruling by the Norwegian Supreme Court could not in any way justify regarding hacking as legal in Norway from now on.

If someone makes login attempts on a computer using non-generic user names and tries to guess passwords, it is quite another situation from the one on which the Supreme Court ruled. One may guess that if someone gains access to information by such means, the courts in Norway would find that person guilty of an illegal break-in.

Per Olav Førland