Maximum Security:
A Hacker's Guide to Protecting Your Internet Site and Network
31
Reality Bytes: Computer Security and the Law
This chapter discusses law as it applies to the Internet both here and abroad.
For the most part, my analysis is aimed toward the criminal law governing the Internet.
The United States
My timeline begins in 1988 with United States v. Morris, the case of the
Internet worm. I should, however, provide some background, for many cases preceded
this one. These cases defined the admittedly confused construct of Internet law.
Phreaks
If you remember, I wrote about phone phreaks and their quest to steal telephone
service. As I explained, it would be impossible to identify the precise moment in
which the first phreak hacked his or her way across the bridge to the Internet. At
that time, the network was still referred to as the ARPAnet.
Concrete evidence of phreaks accessing ARPAnet can be traced (at least on the
Net) to 1985. In November of that year, the popular, online phreaking magazine Phrack
published its second issue. In it was a list of dialups from the ARPAnet and several
military installations.
Cross Reference: The list of dialups from
ARPAnet can be found in Phrack, Volume One, Issue Two, "Tac Dialups taken
from ARPAnet," by Phantom Phreaker. Find it on the Net at http://www.fc.net/phrack/files/p02/p02-1.html.
By 1985, this activity was being conducted on a wholesale basis. Kids were trafficking
lists of potential targets, and networks of intruders began to develop. For bright
young Americans with computers, a whole new world presented itself; this world was
largely lawless.
But the story goes back even further. In 1981, a group of crackers seized control
of the White House switchboard, using it to make transatlantic telephone calls. This
was the first in a series of cases that caught the attention of the legislature.
The majority of sites attacked were either federal government sites or sites that
housed federal interest computers. Although it may sound extraordinary, there was,
at the time, no law that expressly prohibited cracking your way into a government
computer or telecommunication system. Therefore, lawmakers and the courts were forced
to make do, applying whatever statute seemed to closely fit the situation.
As you might expect, criminal trespass was, in the interim, a popular charge.
Other common charges were theft, fraud, and so forth. This all changed, however,
with the passing of the Computer Fraud and Abuse Act of 1986. Following the enactment
of that statute, the tables turned considerably. That phenomenon began with U.S.
v. Morris.
United States of America v. Robert Tappan Morris
The Internet worm incident (or, as it has come to be known, the Morris Worm) forever
changed attitudes regarding attacks on the Internet. That change was not a gradual
one. Organizations such as CERT, FIRST, and DDN were hastily established in the wake
of the attack to ensure that something of such a magnitude could never happen again.
For the security community, there was vindication in Morris' conviction. Nonetheless,
the final decision in that case would have some staggering implications for hackers
and crackers alike.
The government took the position that Morris had violated Section 2(d) of the
Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030(a)(5)(A)(1988). That act targeted
a certain class of individual:
- ...anyone who intentionally accesses without authorization a category of computers
known as "[f]ederal interest computers" and damages or prevents authorized
use of information in such computers, causing loss of $1,000 or more...
For those of you who aren't attorneys, some explanation is in order. Most criminal
offenses have several elements; each must be proven before a successful case can
be brought against a defendant. For example, in garden-variety civil fraud cases,
the chief elements are
- That the defendant made a false representation
- That the defendant knew the representation was false
- That he or she made it with intent that the victim would rely on it
- That the victim did rely on the representation
- That the victim suffered damages because of such reliance
If a plaintiff fails to demonstrate even one of these elements, he or she loses.
For example, even if the first four elements are there, if the victim lost nothing
in the fraud scheme, no case will lie (that is, no case brought upon such a claim
will successfully survive a demurrer hearing).
NOTE: This is different from criminal
law. In criminal law, even if the fifth element is missing, the defendant can still
be tried for fraud (that is, damages are not an essential requirement in a criminal
fraud case).
To bring any case to a successful conclusion, a prosecutor must fit the fact pattern
of the case into the handful of elements that comprise the charged offense. For example,
if intent is a necessary element, intent must be proven. Such elements form the framework
of any given criminal information filing. The framework of the Morris case was based
on the Computer Fraud and Abuse Act of 1986. Under that act, the essential elements
were
- That Morris intentionally (and without authorization) accessed a computer or
computers
- That these were federal interest computers
- That in his intentional, unauthorized access of such federal interest computers,
Morris caused damage, denial of service, or losses amounting to $1,000 or more
The arguments that ultimately went to appeal were extremely narrow. For example,
there was furious disagreement about exactly what intentionally meant within
the construct of the statute:
- Morris argues that the Government had to prove not only that he intended the
unauthorized access of a federal interest computer, but also that he intended to
prevent others from using it, and thus cause a loss. The adverb "intentionally,"
he contends, modifies both verb phrases of the section. The government urges that
since punctuation sets the "accesses" phrase off from the subsequent "damages"
phrase, the provision unambiguously shows that "intentionally" modifies
only "accesses."
Morris' argument was rejected by the Court of Appeals. Instead, it chose to interpret
the statute as follows: that the mere intentional (unauthorized) access of the federal
interest computer was enough (that is, it was not relevant that Morris also intended
to cause damage). The defense countered this with the obvious argument that if this
were so, the statute was ill-conceived. As interpreted by the Court of Appeals,
this statute would punish small-time intruders with the same harsh penalties as truly
malicious ones. Unfortunately, the court didn't bite. Compare this with the UK statutes
discussed later, where intent is definitely a requisite.
The second interesting element here is the requirement that the attacked computers
be federal interest computers. Under the meaning of the act, a federal interest computer
was any computer that was intended:
- ...exclusively for the use of a financial institution or the United States Government,
or, in the case of a computer not exclusively for such use, used by or for a financial
institution or the United States Government, and the conduct constituting the offense
affects such use; or which is one of two or more computers used in committing the
offense, not all of which are located in the same State.
The two prongs of this definition were alternatives (satisfying either one sufficed).
The second prong read:
- ...which is one of two or more computers used in committing the offense, not
all of which are located in the same State.
In other words, from the government's point of view, any two or more computers
located in different states were federal interest computers within the construct
of the act. This characterization has since been amended so that the term now applies
to any action undertaken via a computer in interstate commerce. This naturally has
broad implications and basically reduces the definition to any computer attached
to the Internet. Here is why:
The legal term interstate commerce means something slightly different from
what it means in normal speech. The first concrete legal applications of the term
in the United States followed the passing of the Sherman Act, a federal antitrust
bill signed by President Benjamin Harrison on July 2, 1890. The act forbade restraint
of "...trade or commerce among the several states, or with foreign nations."
As defined in Black's Law Dictionary (an industry standard), interstate commerce is
- Traffic, intercourse, commercial trading, or the transportation of persons or
property between or among the several states of the Union, or from or between points
in one state and points in another state...
From this, one might conclude that interstate commerce is only conducted when
some physical, tangible good is transferred between the several states. That is erroneous.
The term has since been applied to every manner of good and service. In certain types
of actions, it is sufficient that only the smallest portion of the good or service
be trafficked between the several states. For example, if a hospital accepts patients
covered by insurance carriers located beyond the borders of the instant state, this
is, by definition, interstate commerce. This is so even if the patient and the hospital
are located within the same state.
However, there are limitations with regard to the power of Congress to regulate
such interstate commerce, particularly if the activity is intrastate but has only
a limited effect on interstate commerce. For example, in A. L. A. Schechter Poultry
Corp. v. United States (1935), the Supreme Court:
- ...characterized the distinction between direct and indirect effects of intrastate
transactions upon interstate commerce as "a fundamental one, essential to the
maintenance of our constitutional system." Activities that affected interstate
commerce directly were within Congress' power; activities that affected interstate
commerce indirectly were beyond Congress' reach. The justification for this formal
distinction was rooted in the fear that otherwise "there would be virtually
no limit to the federal power and for all practical purposes we should have a completely
centralized government."
In any event, for the moment, the statute is sufficiently broad that the government
can elect to take or not take almost any cracking case it wishes, even if the attacking
and target machines are located within the same state. And from inside experience
with the federal government, I can tell you that it is selective. Much depends on
the nature of the case. Naturally, more cracking cases tend to pop up in federal
jurisdiction, primarily because the federal government is more experienced in such
investigations. Many state agencies are poorly prepared for such cases. In fact,
smaller county or borough jurisdictions may have never handled such a case.
This is a training issue more than anything. More training is needed at state
and local levels in such investigations and prosecutions. These types of trials can
be expensive and laborious, particularly in regions where the Internet is still a
new phenomenon. If you were a prosecutor, would you want to gamble that your small-town
jury--members of which have little practical computer experience--will recognize
a crime when they hear it? Even after expert testimony? Even though your officers
don't really understand the basic nuts and bolts of the crime? Think again. In the
past, most crackers have been stupid enough to confess or plea bargain. However,
as cracking becomes more of a crime of financial gain, plea bargains and confessions
will become more rare. Today, cracking is being done by real criminals. To them,
the flash of a badge doesn't mean much. They invoke their Fifth Amendment rights
and wait for their lawyer.
Cross Reference: You can find the full
text version of the Computer Fraud and Abuse Act of 1986 at http://www.law.cornell.edu/uscode/18/1030.html.
On the question of damages in excess of $1,000, this is a gray area. Typically,
statutes such as the Computer Fraud and Abuse Act allow for sweeping interpretations
of damages. One can claim $1,000 in damages almost immediately upon an intrusion,
even if there is no actual damage in the commonly accepted sense of the word. It
is enough if you are forced to call in a security team to examine the extent of the
intrusion.
This issue of damage has been hotly debated in the past and, to the government's
credit, some fairly stringent guidelines have been proposed. At least on a federal
level, there have been efforts to determine reliable formulas for determining the
scope of damage and corresponding values. However, the United States Sentencing Commission
has granted great latitude for higher sentencing, even if damage may have been (however
unintentionally) minimal:
- In a case in which a computer data file was altered or destroyed, loss can be
measured by the cost to restore the file. If a defendant intentionally or recklessly
altered or destroyed a computer data file and, due to a fortuitous circumstance,
the cost to restore the file was substantially lower than the defendant could reasonably
have expected, an upward departure may be warranted. For example, if the defendant
intentionally or recklessly damaged a valuable data base, the restoration of which
would have been very costly but for the fortuitous circumstance that, unknown to
the defendant, an annual back-up of the data base had recently been completed thus
making restoration relatively inexpensive, an upward departure may be warranted.
This to me seems unreasonable. Defendants ought to be sentenced according to the
actual damage they have caused. What would have been, could have been, and should
have been are irrelevant. If the intention of the commission is that the loss be
measured by the cost to restore the file, this upward departure in sentencing is
completely inconsistent. Effectively, a defendant could be given a longer prison
sentence not for what he did but what he could have done. Thus, this proposed amendment
suggests that the actual loss has no bearing on the sentence, but the sentencing
court's likely erroneous notion of the defendant's intent (and his knowledge of the
consequences of his actions) does.
At any rate, most states have modeled their computer law either on the Computer
Fraud and Abuse Act or on principles very similar. The majority treat unauthorized
access and tampering, and occasionally, some other activity as well.
California
California is the computer crime and fraud capital of the world. On that account,
the Golden State has instituted some very defined laws regarding computer cracking.
The major body of this law can be found in California Penal Code, Section 502. It
begins, like most such statutes, with a statement of intent:
- It is the intent of the Legislature in enacting this section to expand the degree
of protection afforded to individuals, businesses, and governmental agencies from
tampering, interference, damage, and unauthorized access to lawfully created computer
data and computer systems. The Legislature finds and declares that the proliferation
of computer technology has resulted in a concomitant proliferation of computer crime
and other forms of unauthorized access to computers, computer systems, and computer
data. The Legislature further finds and declares that protection of the integrity
of all types and forms of lawfully created computers, computer systems, and computer
data is vital to the protection of the privacy of individuals as well as to the well-being
of financial institutions, business concerns, governmental agencies, and others within
this state that lawfully utilize those computers, computer systems, and data.
Cross Reference: Visit http://www.leginfo.ca.gov/
to see the California Penal Code, Section 502 in full.
The statute is comprehensive. It basically identifies a laundry list of activities
that come under its purview, including but not limited to any unauthorized action
that amounts to intrusion or deletion, alteration, theft, copying, viewing, or other
tampering of data. The statute even directly addresses the issue of denial of service.
The penalties are as follows:
- For simple unauthorized access that does not amount to damage in excess of $400,
either a $5,000 fine or one year in imprisonment or both
- For unauthorized access amounting to actual damage greater than $400, a $5,000
fine and/or terms of imprisonment amounting to 16 months, two years, or three years
in state prison or one year in county jail
As you might expect, the statute also provides for comprehensive civil recovery
for the victim. Parents should take special note of subsection (e)(1) of that title:
- For the purposes of actions authorized by this subdivision, the conduct of an
unemancipated minor shall be imputed to the parent or legal guardian having control
or custody of the minor...
That means if you are a parent of a child cracking in the state of California,
you (not your child) shall suffer civil penalties.
Another interesting element of the California statute is that it provides for
possible jurisdictional problems that could arise. For example, say a user in California
unlawfully accesses a computer in another state:
- For purposes of bringing a civil or a criminal action under this section, a person
who causes, by any means, the access of a computer, computer system, or computer
network in one jurisdiction from another jurisdiction is deemed to have personally
accessed the computer, computer system, or computer network in each jurisdiction.
I do not know how many individuals have been charged under 502, but I would suspect
relatively few. The majority of computer cracking cases seem to end up in federal
jurisdiction.
Texas
In the state of Texas, things are a bit less stringent (and far less defined)
than they are in California. The Texas Penal Code says merely this:
- A person commits an offense if the person knowingly accesses a computer, computer
network, or computer system without the effective consent of the owner.
Cross Reference: Find the Texas Penal
Code on the Web at http://www.capitol.state.tx.us/statutes/pe/pe221.htm.
In all instances where the defendant's actions are undertaken without the intent
"to obtain a benefit or defraud or harm another," the violation is a Class
A misdemeanor. However, if the defendant's actions are undertaken with such intent,
this can be a state jail felony (if the amount is $20,000 or less) or a felony in
the third degree (if the amount exceeds $20,000).
There is one affirmative defense:
- It is an affirmative defense to prosecution under Section 33.02 that the actor
was an officer, employee, or agent of a communications common carrier or electric
utility and committed the proscribed act or acts in the course of employment while
engaged in an activity that is a necessary incident to the rendition of service or
to the protection of the rights or property of the communications common carrier
or electric utility.
It is also interesting to note that the term access is defined within the
construct of the statute to mean the following:
- ...to approach, instruct, communicate with, store data in, retrieve or intercept
data from, alter data or computer software in, or otherwise make use of any resource
of a computer, computer system, or computer network.
Does this suggest that scanning the TCP/IP ports of a computer in Texas is unlawful?
I believe that it does, though the statute has probably not been used for this purpose.
Other States
Most other states have almost identical laws. Nevertheless, there are a few special
points that I would like to focus on, by state. Some are interesting and others are
amusing. Table 31.1 offers a few examples.
Table 31.1. Interesting United States computer crime provisions.

| State | Provision |
| --- | --- |
| Alaska | One can commit the crime of (and be subject to punishment for) deceiving a machine. This is so even though a machine is neither a sentient being nor capable of perception. Hmmm. |
| Connecticut | Provides for criminal and civil penalties for disruption of computer services (even the degradation of such services). Clearly, ping flooding and SYN flooding are therefore crimes in Connecticut. |
| Georgia | Crackers, take note: Do not perform your cracking in the state of Georgia. The penalties are stiff: 15 years and a $50,000 fine. Ouch. |
| Hawaii | The system breaks unauthorized use and access into two different categories, and each category has three degrees. Just taking a look inside a system is a misdemeanor. Fair enough. |
| Minnesota | This state has a special subdivision that provides for penalties for individuals who create or use destructive computer programs. |
Information about computer crime statutes can be obtained from the Electronic
Frontier Foundation. EFF maintains a list of computer crime laws for each state.
Of particular interest is that according to the EFF's compilation, as of May 1995,
the state of Vermont had no specific provisions for computer crimes. This would either
suggest that very little cracking has been done in Vermont or, more likely, such
crimes are prosecuted under garden-variety trespassing-theft laws.
Cross Reference: EFF's Web site is located
at http://www.eff.org/. EFF's list of computer crime laws for each state
(last updated in May, 1995) can be found at http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Legal/comp_crime_us_state.laws.
The Law in Action
Despite the often harsh penalties for computer crimes, crackers are rarely sentenced
by the book. The average sentence is about one year. Let's take a look at a few such
cases:
- A New York youngster named Mark Abene (better known as Phiber Optik) compromised
key networks, including one division of Bell Telephone and a New York television
station. A United States District Court sentenced Abene to one year in prison. (That
sentence was handed down in January 1994.) Abene's partners in crime also received
lenient sentences, ranging from a year and a day to six months in federal prison.
- John Lee, a young student in New York, was sentenced to a year and a day in federal
prison after breaching the security of several telecommunications carriers, an electronics
firm, and a company that designed missiles.
To date, the longest period spent in custody by an American cracker was served
by Californian Kevin Poulsen. Poulsen was unfortunate enough to crack one site containing
information that was considered by the government to be defense related. He was therefore
charged under espionage statutes. Poulsen was held for approximately five years,
being released only this past year after shaking those spying charges. As reported
in the L.A. Times:
- ...the espionage charge was officially dropped Thursday as part of the agreement
crafted by Poulsen's lawyer and the U.S. attorney's office. In exchange, he pleaded
guilty to charges of possessing computer access devices, computer fraud, and the
use of a phony Social Security card, according to his defense attorney, Paul Meltzer.
There is a strong unwillingness by federal courts to sentence these individuals
to the full term authorized by law. This is because, in many instances, to do so
would be an injustice. Security personnel often argue that cracking into a network
is the ultimate sin, something for which a cracker should never be forgiven. These
statements, however, are coming from individuals in constant fear that they are failing
at their basic occupation: securing networks. Certainly, any security expert whose
network comes under successful attack from the void will be angry and embarrassed.
Shimomura, oddly enough, has recovered nicely. (This recovery is no doubt therapeutic
for him as well, for he produced a book that had national distribution.) But the
basic fact remains: One of the most talented security specialists in the world was
fleeced by Kevin Mitnick. It is irrelevant that Mitnick was ultimately captured. The
mere fact that he cracked Shimomura's network is evidence that Shimomura was dozing
on the job. So, statements from security folks about sentencing guidelines should
be taken with some reservation.
In reality, the previous generation of crackers (and that includes Mitnick, who
was not yet old enough to drive when he began) were not destructive. They were an
awful nuisance perhaps, and of course, telephone service was often stolen. However,
damage was a rare aftermath. In contrast, the new generation cracker is destructive.
Earlier in this book, I discussed a university in Hawaii that was attacked (the university
left a gaping hole in its SGI machines). In that case, damage was done and significant
effort and costs were incurred to remedy the problem. Similarly, the theft of source
code from Crack Dot Com (the makers of the awesome computer game, Quake) was malicious.
This shift in the character of the modern cracker will undoubtedly trigger stiffer
sentences in the future. Social and economic forces will also contribute to this
change. Because the network is going to be used for banking, I believe the judiciary
will take a harsher look at cracking. Nonetheless, something tells me that American
sentences will always remain more lenient than those of, say, China.
China
China has a somewhat harsher attitude towards hackers and crackers. For example,
in 1992, the Associated Press reported that Shi Biao, a Chinese national, managed
to crack a bank, making off with some $192,000. He was subsequently apprehended and
convicted. His sentence? Death. Mr. Biao was executed in April, 1993. (Note to self:
Never crack in China.)
In any event, the more interesting features of China's laws expressly related
to the Internet can be found in a curious document titled The Provisional Regulation
on the Global Connection via Computer Information Network by the People's Republic
of China. In the document, several things become immediately clear. First, the
Chinese intend to control all outgoing traffic. They have therefore placed certain
restrictions on how companies can connect:
- A computer network will use the international telecommunications paths provided
by the public telecommunications operator of the Bureau of Posts and Telecommunications
when accessing the Internet directly. Any sections or individuals will be prohibited
from constructing and using independent paths to access the Internet.
Moreover, the Chinese government intends to intercept and monitor outgoing traffic:
- The existing interconnected networks will go through screening and will be adjusted
when necessary in accordance with the regulations of the State Council, and will
be placed under the guidance of the Bureau of Posts and Telecommunications. Construction
of a new interconnected network will require a permission from the State Council.
Cross Reference: The Provisional Regulation
on the Global Connection via Computer Information Network by the People's Republic
of China can be found on the Web at http://www.smn.co.jp/topics/0087p01e.html.
The Chinese intend to implement these controls in a hierarchical fashion. In their
scheme, interconnected networks are all screened through the government communications
infrastructure. All local networks are required to patch into these interconnected
networks. Lastly, all individuals must go through a local network. Through this scheme,
they have effectively designed an information infrastructure that is easily monitored.
At each stage of the infrastructure are personnel responsible for that stage's network
traffic.
Moreover, there are provisions prohibiting the traffic of certain materials. These
prohibitions naturally include obscene material, but that is not all. The wording
of the article addressing such prohibitions is sufficiently vague, but clear enough
to transmit the true intentions of the State:
- Furthermore, any forms of information that may disturb public order or considered
obscene must not be produced, reproduced, or transferred.
Reportedly, the Chinese government intends to erect a new Great Wall of China
to bar the western Internet. These reports suggest that China will attempt to filter
out dangerous western ideology.
China is not alone in its application of totalitarian politics to the Internet
and computers. Let's have a look at Russia.
Russia and the CIS
President Yeltsin issued Decree 334 on April 3, 1995. That decree granted extraordinary
power to the Federal Agency of Government Communications and Information (FAPSI).
The decree prohibits:
- ...within the telecommunications and information systems of government organizations
and enterprises the use of encoding devices, including encryption methods for ensuring
the authenticity of information (electronic signature) and secure means for storing,
treating and transmitting information...
The only way that such devices can be used is upon review, recommendation, and
approval of FAPSI. The decree also prohibits:
- ...legal and physical persons from designing, manufacturing, selling and using
information media, and also secure means of storing, treating and transmitting information
and rendering services in the area of information encoding, without a license from
FAPSI.
In the strictest terms, then, no Russian citizen shall design or sell software
without a license from this federal agency, which in fact acts as information police.
American intelligence sources have likened FAPSI to the NSA. As the article "Russian
Views on Information-Based Warfare" by Timothy L. Thomas notes:
- FAPSI appears to fulfill many of the missions of the U.S. National Security Agency.
It also fights against domestic criminals and hackers, foreign special services,
and "information weapons" that are for gaining unsanctioned access to information
and putting electronic management systems out of commission, and for enhancing the
information security of one's own management systems.
Cross Reference: "Russian Views on
Information-Based Warfare" can be found on the Web at http://www.cdsar.af.mil/apj/thomas.html.
Despite this cloak-and-dagger treatment of the exchange of information in Russia
(the Cold War is over, after all), access in Russia is growing rapidly. For example,
it is reported in Internetica in an article by Steve Graves that even CompuServe
is a large ISP within the Russian Federation:
- CompuServe, the largest American online service, has local access numbers in
more than 40 Russian cities, ranging from Moscow and St. Petersburg to Vladivostok.
Access is provided through SprintNet, which adds a surcharge to the connect-time
rate. Although CompuServe itself does not charge any more for connections than it
does in the U.S., the maximum connection speed is 2400 baud, which will greatly increase
the time required for any given access, particularly if Windows-based software is
used.
Cross Reference: Access Steve Graves's
article at http://www.boardwatch.com/mag/96/feb/bwm19.htm.
Despite Mr. Yeltsin's decrees, however, there is a strong cracker underground
in Russia. Just ask Citibank. The following was reported in The St. Petersburg
Times:
- Court documents that were unsealed Friday show that Russian computer hackers
stole more than $10-million from Citibank's electronic money transfer system last
year. All but $400,000 of that has been recovered, says a CitiBank spokeswoman. None
of the bank's depositors lost any money in the fraud but since it happened, Citibank
has required customers to use an electronic password generator for every transfer.
The hackers' 34-year-old ringleader was arrested in London three months ago, and
U.S. officials have filed to have him extradited to the United States to stand trial.
Unfortunately, there is relatively little information on Russian legislation regarding
the Internet. However, you can bet that such legislation will quickly emerge.
The EEC (European Economic Community)
In this section, I address European attitudes and laws concerning computers and
the Internet. Although the United Kingdom is a member of the European Union, I
treat it separately. This section, then, refers primarily to generalized EU law
and proposals regarding continental Europe.
It is interesting to note that European crackers and hackers often have different
motivations for their activities. Specifically, European crackers and hackers tend
to be politically motivated. An interesting analysis of this phenomenon was made
by Kent Anderson in his paper "International Intrusions: Motives and Patterns":
- Close examination of the motivation behind intrusions shows several important
international differences: In Europe, organized groups often have a political or
environmental motive, while in the United States a more "anti-establishment"
attitude is common, as well as simple vandalism. In recent years, there appears to
be a growth in industrial espionage in Europe while the United States is seeing an
increase in criminal (fraud) motives.
Cross Reference: Find "International
Intrusions: Motives and Patterns" on the Web at http://www.aracnet.com/~kea/Papers/paper.shtml.
For these reasons, treatment of Internet cracking and hacking activity in Europe
is quite different from that in the United States. A recent case in Italy clearly
demonstrates that while freedom of speech is a given in the United States, it is
not always so in Europe.
Reportedly, a bulletin board system in Italy that provided gateway access to the
Internet was raided in February, 1995. The owners and operators of that service were
subsequently charged with some fairly serious crimes, as discussed by Stanton McCandlish
in his article "Scotland and Italy Crack Down on `Anarchy Files'":
- ...the individuals raided have been formally charged with terroristic subversion
crimes, which carry severe penalties: 7-15 years in prison...The BITS BBS [the target]
carried a file index of materials available from the Spunk [underground BBS] archive
(though not the files themselves), as well as back issues of Computer Underground
Digest (for which EFF itself is the main archive site), and other political and non-political
text material (no software).
Cross Reference: Mr. McCandlish's article
can be found on the Web at http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/eff_raids.article.
This might sound confusing, so let me clarify: The files that prompted the raid
(and subsequent indictments) were the type that thousands of Web sites harbor here
in the United States, files that the FBI would not think twice about. An interesting
side note: In the wake of the arrests, a British newspaper apparently took great
license in reporting the story, claiming that the "anarchy" files being
passed on the Internet and the targeted BBS systems were endangering national security
by instructing mere children to overthrow the government. The paper was later forced
to retract such statements.
Cross Reference: To read some of those
statements, see the London Times article "Anarchists Use Computer Highway
for Subversion" by Adrian Levy and Ian Burrell at http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/uk_net_anarchists.article.
In any event, the Europeans are gearing up for some Orwellian activity of their
own. In a recent report to the Council of Europe, proposals were made for techniques
dealing with these new technologies:
- In view of the convergence of information technology and telecommunications,
law pertaining to technical surveillance for the purpose of criminal investigations,
such as interception of telecommunications, should be reviewed and amended, where
necessary, to ensure their applicability. The law should permit investigating authorities
to avail themselves of all necessary technical measures that enable the collection
of traffic data in the investigation of crimes.
European sources are becoming increasingly aware of the problem of crackers, and
there is a strong movement to prevent cracking activity. No member country of the
Union has been completely untouched. The French, for example, recently suffered a
major embarrassment, as detailed in the article "French Navy Secrets Said Cracked
by Hackers," which appeared in Reuters:
- Hackers have tapped into a navy computer system and gained access to secret French
and allied data, the investigative and satirical weekly Le Canard Enchaine
said...Hackers gained access to the system in July and captured files with acoustic
signatures of hundreds of French and allied ships. The signatures are used in submarine
warfare to identify friend and foe by analyzing unique acoustic characteristics
of individual vessels.
The United Kingdom
The United Kingdom has had its share of computer crackers and hackers (I personally
know one who was recently subjected to police interrogation, search and seizure).
Many UK sources suggest that English government officials take a decidedly knee-jerk
reaction to computer crimes. However, the UK's main body of law prohibiting cracking
(based largely on Section 3(1) of the Computer Misuse Act of 1990) is admittedly
quite concise. It covers almost any act that could be conceivably undertaken by a
cracker. That section is written as follows (the text is converted to American English
spelling conventions and excerpted from an article by Yaman Akdeniz):
- A person is guilty of an offense if (a) he does any act which causes an unauthorized
modification of the contents of any computer; and (b) at the time when he does the
act he has the requisite intent and the requisite knowledge.
You will notice that intent is a requisite element here. Thus, performing an unauthorized
modification must be accompanied by intent. This conceivably could have different
implications than the court's interpretation in the Morris case.
A case is cited under that act against an individual named Christopher Pile (also
called the Black Baron), who allegedly released a virus into a series of networks.
Pile was charged with (and ultimately convicted of) unlawfully accessing, as well
as damaging, computer systems and data. The sentence was 18 months, handed down in
November of 1995. Pile is reportedly the first virus author ever convicted under
the act.
Akdeniz's document reports that English police have not had adequate training
or practice, largely due to the limited number of reported cases. Apparently, few
companies are willing to publicly reveal that their networks have been compromised.
This seems reasonable enough, though one wonders why police do not initiate their
own cracking teams to perform simulations. This would offer an opportunity to examine
the footprint of an attack. Such experience would likely prove beneficial to them.
Finland
Finland has traditionally been known as very democratic in its application of
computer law. At least, with respect to unauthorized snooping, cracking, and hacking,
Finland has made attempts to maintain a liberal or almost neutral position regarding
these issues. Not any more. Consider this statement, excerpted from the report "Finland
Considering Computer Virus Bill" by Sami Kuusela:
- Finnish lawmakers will introduce a bill in the next two weeks that would criminalize
spreading computer viruses--despite the fact that many viruses are spread accidentally.
This means that if someone in Finland brings a contaminated diskette to his or her
workplace and doesn't check it with an anti-virus program, and the virus spreads into
the network, the person will have committed a crime. It would also be considered a
crime if a virus spreads from a file downloaded from the Internet.
Cross Reference: Check out http://www.wired.com/news/politics/story/2315.html
to see Kuusela's report.
At this stage, you can undoubtedly see that the trend (in all countries and jurisdictions)
is aimed primarily at the protection of data. Such laws have recently been drafted
as proposals in Switzerland, the UK, and the United States.
This trend is expected to continue and denotes that computer law has come of age.
Being now confronted with hackers and crackers across the globe, these governments
have formed a type of triage with respect to Internet and computer laws. At this
time, nearly all new laws appear to be designed to protect data.
Free Speech
Users may erroneously assume that because the Communications Decency Act died
a horrible death in Pennsylvania, all manners of speech are free on the Internet.
That is false. Here are some examples:
- Hate crimes and harassment are against the law--In 1995, an individual at the
University of Irvine in California was indicted for such activity. According to the
article "Ex-student Indicted for Alleged Hate Crime in Cyberspace," prosecutors
alleged that the student sent "...a threatening electronic message to about
60 University of California, Irvine, students on Sept. 20." The student was
therefore "...indicted on 10 federal hate-crime charges for allegedly sending
computer messages threatening to kill Asian students."
Cross Reference: Visit http://www.nando.net/newsroom/ntn/info/111496/info15_1378.html
to see the article "Ex-student Indicted for Alleged Hate Crime in Cyberspace."
- Forwarding threats to the President is unlawful--In one case, a man was arrested
for sending messages to the President, threatening to kill him. In another, less
controversial case, seventh graders were arrested by the Secret Service for telling
Mr. Clinton that his "ass" was "theirs."
In reference to harassment and racial slurs, the law already provides a standard
that may be (and has been) applied to the Internet. That is the Fighting Words
Doctrine, which seems to revolve primarily around the requirement that the words
must be specifically directed toward an individual or individuals. Merely stating
that "all blondes are stupid" is insufficient.
The Fighting Words Doctrine can be understood most clearly by examining Vietnamese
Fisherman's Ass'n v. Knights of the Ku Klux Klan. The case revolved around repeated
harassment of Vietnamese fishermen by the KKK in Galveston Bay. The situation involved
KKK members approaching (by boat) a vessel containing Vietnamese fishermen. According
to Donald A. Downs in his article "Racial Incitement Law and Policy in the United
States: Drawing the Line Between Free Speech and Protection Against Racism,"
the KKK:
- ...wore full military regalia and hoods on their faces, brandished weapons and
hung an effigy of a Vietnamese fisherman and circled within eyesight of the fisherman.
The court in that case found the actions of the KKK to amount to fighting words.
Such speech, when directed against an individual or individuals who are in some way
a captive audience to those words, is not protected under the First Amendment. Similarly,
threats against the President of the United States amount to unprotected speech.
And, such threats, where they are extortive or unconditional and specific to the
person so threatened, amount to unprotected speech.
These laws and doctrines can be applied in any instance. Whether that application
is ultimately successful remains another matter. Certainly, posting such information
on a Web page or even in a Usenet group may or may not be directed narrowly enough
at a particular person to invoke such laws (threats to the President are the obvious,
notable exception). The law in this area is not entirely settled.
Summary
Internet law is a new and exciting area of expertise. Because the Internet is
of such extreme public interest, certain battles, such as the dispute over adult-oriented
material, are bound to take a decade or more. All Netizens should keep up with the
latest legislation.
Finally, perhaps a word of caution here would be wise: If you are planning to
undertake some act upon the Internet and you are unsure of its legality, get a lawyer's
opinion. Not just any lawyer, either; talk to one who really knows Internet law.
Many attorneys may claim to know Internet law, but the number that actually do is
small. This is important because the Information Superhighway is like any other highway.
You can get pulled over, get a ticket, or even go to jail.
Resources
Berne Convention For The Protection Of Literary And Artistic Works.
EFF's (Extended) Guide to the Internet--Copyright Law.
Big Dummy's Guide to the Internet--Copyright Law.
Revising the Copyright Law for Electronic Publishing.
The E-Challenge for Copyright Law.
Copyright Law FAQ (3/6): Common Miscellaneous Questions.
Copyrights, Trademarks, and the Internet. Donald M. Cameron, Tom S. Onyshko,
and W. David Castell.
New U.S. Copyright Board of Appeals Established.
Copyright Law of the United States. US Code-Title 17, Section 107. Fair
Use Clause.
Copyright Law, Libraries, and Universities: Overview, Recent Developments,
and Future Issues. Kenneth D. Crews, J.D., Ph.D. Associate Professor of Business
Law. College of Business. This is an excellent source.
Recent Caselaw and Legislative Developments in Copyright Law in the United
States.
Copyright Law and Fair Use.
The First Amendment vs. Federal Copyright Law.
Software Copyright Law.
Electronic Copyright Law in France.
U.S. Copyright Office General Information and Publications.
Copyright Clearance Center (CCC).
Copyright Reform in Canada: Domestic Cultural Policy Objectives and the Challenge
of Technological Convergence.
10 Big Myths About Copyright Explained. An attempt to answer common myths
about copyright on the Net and cover issues related to copyright and Usenet/Internet
publication.
Intellectual Property and the National Information Infrastructure.
Sources for General Information
Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses!
Akdeniz, Y. Web Journal of Current Legal Issues, May 24, 1996.
The Computer Fraud and Abuse Act of 1986.
Crime on the Internet.
The U.S. House of Representatives Internet Law Library Computers and the Law.
EFF "Legal Issues and Policy: Cyberspace and the Law" Archive.
New Computer Crime Statutes Close Loopholes.
Federal Guidelines for Searching and Seizing Computers. U.S. Department
of Justice Criminal Division Office of Professional Development and Training.
The Report of the Working Group on Intellectual Property Rights.
National Information Infrastructure Protection Act of 1996.
Fraud and Related Activity in Connection with Access Devices.
Digital Telephony Bill.
Computer Law Briefs.
© Copyright, Macmillan Computer Publishing. All
rights reserved.