Nick Szabo's Papers and Concise Tutorials                 Comments and criticisms to
                                                                               

Rights, Remedies, and Security Models

Copyright (c) 2004 by Nick Szabo
redisribution with express permission of author only.

Introduction

This paper will explore the connection between terms and concepts such as rights, duties, assignment, and delegation as they are used in computer security and law. Computer security has borrowed these terms, along with many other means and ends, from law. We will shed light on the delegation-of-authority problem, "design by contract", and related issues using more refined or appropriate legal analogies.

Indeed, computer security can be seen as an attempt to create a self-enforcing subset of law in and for cyberspace. Security concepts such as access control lists (ACLs) and capabilities try to create a language of mechanism-enforced rights of access to services and information while limiting assignment or delegation. More recent ideas such as digital rights management (DRM), distributed capabilities, cryptography (broadly defined), smart contracts, and so on try to do this in a distributed context.

Computer security would benefit both from borrowing more legal ideas, and from clarifying the meaning of those already borrowed. To this end, this article introduces certain concepts and terminology from the Anglo-American common law, comparing and contrasting these to computer security.

Security Underpinnings

The common law, a system of judge-made law used for much of contract, tort, and property law in Anglo-American countries, is far older and more highly evolved than computer security. It is no surprise that it covers many more kinds of relationships and edge cases than computer security. The threat model of common law is far more comprehensive than that of computer security. Furthermore, its security model is different, tending to cover physical objects (individuals, land and movable goods) as well as intangible objects modeled on them by analogy (corporations, commercial paper, intellectual property, etc.).

Law as security is based on physical or financial remedies -- ejectment from land, specific performance of a transfer of land or goods, monetary damages, an injunction to not use property in a certain way, and so on, ultimately backed up by the threat of force against identified and tracked individuals and their property. Computer security, in contrast, relies on self-enforcing mechanisms and logging combined with out-of-band remedies (reputation, human intervention to remove access, or recourse to the legal system). Self-enforcing mechanisms, when they can work, are far more efficient and far less dangerous to society than legal remedies, but they allow for coverage of a far narrower range of conflicts among computer users than the law covers among traditional kinds of disputes. Remedies are the lowest layer of a security protocol, with the rules defining access and relationships layered on top of them.

Rights, Duties, and Privileges

Legal concepts and terminology can, for example, shed light on the computer security problem of delegation of authority. Authorties in computer security usually correspondto two distinct concepts in law -- rights and duties. A common law right is the ability to sue and hold liable somebody who violates the right. A right is often symbolized as a sword -- a sword that strikes if the right is violated. A duty is simply an obligation corresponding to a common law right. If the duty is breached, the obligee can sue and hold liable the obligor. To take on a legal duty is to make oneself vulnerable to the law, to allow a Sword of Damocles to be hung over ones head. A third idea in common law is a privilege, symbolized as a shield. A privilege allows one to violate a right and provides a defense if sued. For example, there is a common-law privilege in some states in the U.S. to trespass on someone's real property to recover stolen personal property.

Delegation versus Assignment

In computer security one speaks generally and often rather vaguely of delegating authority. In contract law one "assigns rights" and "delegates duties", and these are very distinct operations with distinct properties. With some exceptions any contract right can be assigned by the obligee without consent of the obligor. Some duties can also be so delegated (especially ones involving financial obligations or standard/fungible goods). However, most duties cannot be delegated by the obligor without permission of the obligee. These are default rules -- one can also expressly declare in a contract whether certain rights are assignable or duties delegable.

When one assigns rights, the assignment simultaneously (from the point of view of a judge looking back at the transaction) extinguishes the right in the assignor and creates it in the assignee. When one delegates a duty, however, the delegator doesn't get off the hook. The delegator becomes a surety for breach of contract by the delagatee. If the delagatee doesn't perform, the delegator is put back on the hook for the performance. When computer security lumps together rights and duties into authorities, it loses the crucial idea of the original obligor as a surety for subsequent obligors. This is necessary for an authority that includes a duty not just a right. For example, an e-mail client may have the authority to use an e-mail server. But this authority can imply both a (non-legal) right and a (non-legal) duty -- the right to send e-mail, and the duty to not send spam. When a computer security analyst worries about delegation of authority, he is usually worried about the abuse of that authority. The issue is clarified by thinking about that abuse as a violation of a duty to not abuse the authority. One can then look to legal patterns for solutions. For example, following contract law, one could hold the original holder of an authority accountable for any subsequent abuse of that authority -- i.e. upstream holders of an authority are sureties for downstream holders. On the other hand, if there is no significant threat of harm (e.g. for the authority to use a megabyte of disk space), and thus a right but no duty (the obligee can use the disk space for whatever he wants, with no way to overload the system), the problem is merely one of assigning a right, and is far easier -- the computer security mechanism need not keep track of the intermediate authority holders or indeed even keep track of the identity of holders at all. A scarce object architecture would facilitate the construction of online services where abuse is not a worry -- transmuting difficult delegation problems into easy assignment problems by architecting the service to present itself as "scarce" like physical objects.

Running with the Person versus Running with the Property

Contractual rights and duties run with persons. They are assigned, delegated, owed and performed by, and owed to persons. In property law, such rights and duties may "run with the property", i.e. be restricted to possessors of certain property. An example is an easement, an agreement giving certain non-possessors a permanent right to make a certain use of a property. A common kind of easement is the right-of-way easement, which allows the obligee to use part of a property for a path or road. The current possessor of the property burdened by the easement (the servient property) has a duty to allow the obligee to use the easement.

An easement can be in gross, meaning that the obligee is a named person. An in gross obligee can assign his right as if it were a contractual right. However, the duty runs with the servient property i.e. the duty lies with the possessor of the servient property. If Alice agrees to let CableComm string cable across her land, CableComm can by default assign this right to DigitalData, EveElectric, or whoever. However, since the duty runs with the property, the only way Alice can delegate the duty is to transfer possession of the property. The new possessor now owes the duty to allow the current obligee to string the cable.

If, however, the easement is appurtenant, both the obligee and the obligor are the current possessors of the appurtenant properties. For example, Alice agrees to give her neighbor Bob a permanent right-of-way to drive on a road through her land to get to the public highway. Alice and Bob may sell or devise their properties, and so on, but the easement always is a duty of the current possessor of the servient property to the current possessor of the dominant property. The current possessor of the dominant property cannot assign the right without selling or devising the property the right and the property are inseparable. Ditto for the duty of the possessor of the servient property.

A license is a revocable easement. You use these every day -- you gain an implied license when you enter a restaurant to eat, or a grocery store to shop, for example.

Object-oriented programming has a concept called "design by contract" where a set of tests, called pre-conditions and post-conditions, must be passed for the contract between a client and server object to be satisfied. In capability security, one speaks of authority to call an object as a capability, and by analogy a right. A more accurate legal analog for distributed object security may be an easement or license between objects, rather than a contract between persons. The servient vs. dominant duality maps nicely to server vs. client. The passing of an exclusive capability corresponds to the assignment of an in gross easement or license. The passing of a non-exclusive license or easement is seen to be something that is very uncommon and troublesome in the law (outside of copyright law, where, unlike for physical property and persons, use does not exhaust the resource).

The Origins of "Authority" in Computer Security

"Authority" as used in computer security originally derived its meaning from a different branch of law -- the law of master and servant. This security model deals with the ability of the master (or employer) to control the authority he delegates to the servant (or employee). The master uses mechanisms to limit his need to trust his servant. Trust in the master is unquestioned. Such a model was and mostly still is appropriate for a military or corporate hieararchy. Albeit, some other mechanism is needed to hold officers and executives (or system administrators working for them who hold the "root password") accountable, since this model of computer security does not. Talk of authority as such is, however, unfit for a situation of mutual suspicion -- the latter is the assumption of contract and property law.

Conclusion

Common law is a highly evolved system of security for persons and property. Its categories and distinctions provide a rich field of concepts to be mined for computer security, and can help clarify computer security problems and solutions. The distinctions between rights and duties, as well as concepts from property law such as easements and licenses, can help clarify problems and the efficacy of solutions regarding delegation of authority and other computer security problems.

Comments and criticisms to

Nick Szabo's Papers and Concise Tutorials