19

A mother is talking on the phone. The person on the phone says, "Hi, this is your son's school. We're having some computer trouble." The mom responds, "Oh dear — did he break something? The other person answers, "In a way — ... Did you really name your son Robert'); DROP TABLE Students;--?" The mom says, "Oh, yes. Little Bobby Tables, we call him." The other persons says, "Well, we've lost this year's student records. I hope you're happy." The mom says, "And I hope you've learned to sanitize your database inputs."

I think it's obvious that Little Bobby Tables's mom has broken the law. Let's assume this is his legal name and does not break any naming laws; it's still probably illegal, because she obviously gave him that name with intent to harm computer systems.

However, when Robert'); DROP TABLE Students;-- grows up, he will also have to type the name into many online forms - and it may have the same effect. Would he be commiting a crime by entering his legal name into a computer if the name was intentionally chosen by his parents to harm computer systems?

This is not a duplicate of an existing question about this comic. That question is about the consequences for the mother, while this one is about the future consequences for the child after he becomes an adult. The title of that question does ask about the child, but the body is about the parent.

Someone
  • 17,523
  • 13
  • 96
  • 197

6 Answers6

30

It depends on the mens rea element of any given statute.

If Bobby's home state makes it a crime to purposefully enter harmful data into a computer system, he is unlikely to ever run afoul of that law while conducting legitimate business; his purpose is to pay his taxes or renew his driver's license or sign up for classes.

However, if he moves to a state where it is a crime to knowingly enter harmful data into a computer system, he could face liability if he's learned what his name means and knows the system won't sanitize the input.

If he moves to a state where it is a crime to negligently enter harmful data into a computer system, he's on the hook once he knows the effects of entering his name.

And if he moves to a state where it is a strict-liability offense to enter harmful data into a computer system, he is on the hook every time he causes a problem by entering his name, regardless of whether he understands the consequences of doing so.

PC Luddite
  • 107
  • 6
bdb484
  • 66,944
  • 4
  • 146
  • 214
17

If Bobby was born in Germany, he won't have this problem. German laws requires the parents to select a name appropriate for the gender of the newborn, and DROP TABLES is not a suitable name for a boy (or a girl, for that matter). The parents would have to try and explain to the registry clerk that there is a culture where '); is a perfectly normal name, the clerk would be unlikely to believe that, and the matter would go to court -- where much less absurd names have been rejected as being akin to child abuse.

If Bobby immigrated to Germany, there would be an official transliteration of foreign characters into German documents (mostly following the ISO standards). Here it may get tricky, since ', ) and ; are valid characters of the standard latin character set, just not alphabetic. Still, a clerk who lets that pass would never live the embarassment down.

So Bobby (or Bobby's parents) would have to win a precedent-making lawsuit to make the name possible. And after that makes national headlines, the excuses for sloppy input validation/escaping run thin.

A nice question would be if Bobby, should he win the court cases, now has a right to be addressed in his full name in official communications ...

o.m.
  • 22,932
  • 3
  • 45
  • 80
7

For someone born in France, no consequences, because it would never happen. The état civil officer registering the name of newborns has the power to veto names that "seem contrary to the interest of the child". The relevant text is Code Civil, Article 57. Parents can contest the decision, to be adjudicated by a court.

Famous examples include:

  • In 1999, Mr and Mrs Renaud tried to call their daughter Mégane. This was initially blocked by the état civil officer, on the basis of it being suspiciously close to Renault Mégane, a then-new French car model. A judge later ruled the daughter could be named Mégane after all.

  • In 2009, a couple decided to call their child Titeuf, a French comic series. This was blocked, and the decision was confirmed by the courts. Because it went up to the highest jurisdiction of the land, this decision is now legal precedent.

  • In 2015, the name Nutella was blocked (a brand of hazelnut spread). The same year, Fraise (French for "strawberry") was also blocked. In both cases, parents changed the name.

While only the French alphabet is allowed for use in names (excluding e.g. ñ) plus space and dash, beyond that there is no hard rule to what names are allowed. A line of computer code would definitely never be allowed as a name.

For anyone else with such a legal name, then it would most likely be a crime.

There is a Code Pénal chapter concerning the relevant computer crimes. Articles 323-1, 323-2, and 323-3 forbid entering or staying into a data system fraudulently, or to introduce, modify or delete data, to modify the operation of the system.

French law does recognise lack of intent as exonerating, however it also recognises imprudence and négligence (Art. 121-3). It would be quite difficult to convince a court that you did not know your name was malicious code and would disrupt a computer system. Using the mother's argument (i.e. the operator should have had better security) would almost certainly play against you in showing you were aware of the risks involved in using your name.

If your name isn't transparently computer code but simply a regular name in a different culture, it would likely be recognised as an innocent happenstance.

AmiralPatate
  • 804
  • 5
  • 7
6

This has already happened, with a name that's not inherently malicious.

Some badly-designed systems parse values and convert their names from strings to something else automatically. An example I've heard is actress Rachel True, whose last name has locked her out of Twitter as well as iCloud.

ulatekh
  • 169
  • 1
2

Believe it or not, this is not an unfamiliar problem for bureaucracies.

See this for another example in comedy, and a certain style of solution:

Derek (drops lighter) Nippl-e

The standard way of handling it is that bureaucracies have rules about how names must be represented in writing.

In the Anglophone world, a typical requirement is that names be represented only with letters of the English alphabet.

In terms of "legal" names - that is, presumably meaning a name recorded at the registry office upon a standard set of life events like birth, marriage, or death - the registrar (an official employed by the state) may also control the proposed registration of names which he thinks are motivated by mischief or would contribute to mischievous ends.

The string Robert'); DROP TABLE Students;-- is not therefore a person's "name" in an English-based legal jurisdiction. It is not a name firstly because it does not consist only of English letters, and secondly because (even when shorn of the punctuation elements) a registrar could well suspect mischief and therefore refuse the registration of such a name for any official purpose of the state.

In terms of whether entering such a string into a computer system would be criminal, that is likely to be highly dependent on context, including whether it was done with a malicious purpose.

If the purpose of making the entry was not malicious - for example, if some waggish computer programmer chose it as a screen name, and then "damage" was caused (i.e. the computer belonging to the bureaucracy reacted differently than the bureaucracy would have preferred) - then I doubt it would be a criminal act.

There is not in general any requirement for the public operating or making entries into computer systems, when explicitly or implicitly authorised to operate the computer as a member of the public, to understand technical matters or (even if they do understand technical matters) to anticipate how the computer may react adversely to their use.

Nor are they required to understand what opinion the bureaucracy may have on whether certain reactions by the computer are desirable for their ends, and the mere fact that a computer has reacted adversely in the opinion of the bureaucracy which owns and programs it, does not determine the question of whether the operator was engaged in a criminal act by triggering that adverse reaction.

By analogy, if we had a `Robert Jump-Off-Roof Tables" who submitted his name to a bureaucracy, and a human clerk administering records with this name then proceeded to the roof of the building and jumped off, a court may well decide that the result is too remote for the mere submission of that name to be a criminal act.

It might be too remote even if the submission was performed mischievously to see what reaction it provoked amongst the clerical staff, because no reasonable person would think that a clerk should react to seeing such a name by jumping off a roof, even if they did in fact do so. Likewise, if a computer reacts to certain inputs in ways that are unreasonable.

Steve
  • 3,383
  • 9
  • 17
1

From the cartoon, I don't think it is obvious that he typed in his name. My first assumption was that school administrators and teachers are typing in his name. If that is correct then there is no actus reus on his part and therefore no crime has been committed.

If he is typing his name in then the analysis regarding mens rea holds.

Does the cartoon require that he use his given name (is Tables his surname?) as a username to have this effect?

For a fascinating article on the laws in the U.S. concerning naming children, read here.

LMR
  • 167
  • 1
  • 6