Computer Crime Issues

(LJ) If one metaphor poorly expresses the function of a virtual transaction, how might a lawyer protect the client interest in a courtroom setting?  Metaphors are powerful and potentially misleading if one does not understand the underlying process.  One could imagine a scenario where the plaintiff or prosecutor gets to pitch the first metaphor and gets the court comparing the situation based on that metaphor, and then the defense, who will also need a metaphor to explain the virtual transactions, will be at a disadvantage.  Perhaps metaphors are too dangerous for adversary proceedings where the realities of the situation are far too abstract because of the technical nature of the interactions?
(DF) What legal rules provide the best incentive for self-protection by private parties, such as hospitals or utility companies, against on-line terrorist attacks? The best incentives to report attacks?

(PYS) Microsoft actively maintains a software package called Computer Online Forensic Evidence Extractor (COFEE), a set of utilities designed to help law enforcement gather forensic data from suspects’ computers. Hackers responded by releasing DECAF, a program designed to interfere with the operation of COFEE on a given machine. This is an example of the technological “arms race” between private citizens and the government. Should tools like DECAF, designed specifically to thwart law enforcement, be illegal? Why or why not?

(PYS) What liability should accrue to the various parties involved with a particular Distributed Denial-of-Service attack?

• The party launching the attack?

• The party who wrote the code that enabled the attack?

• The hosting site containing the files loaded onto the zombie machines?

• The owners of the zombies? Do the owners of the zombies have a cause of action against the other parties? What are their damages (assuming that the zombie only runs the DDoS code when the CPU is idle, and there is no per-minute charge for Internet connection)? Should it matter whether they also allow their machine to be a zombie for benign purposes (e.g., SETI analysis)?

(LJ) A few of the cybercrimes have legitimate non-criminal alternatives: you could have your CPU stolen involuntarily or you could voluntarily provide CPU to SETI.  You could suffer from a DDOS attack because someone dislikes your website or you could get slashdotted (the same idea but with a different motive) by a popular site because your site has caught their rapt attention and a mass of consumers now finds you interesting.   Can we use these positive components to get people making informed decisions about their technologies?  Perhaps I would want to "rent out" my CPU, and given my knowledge of the value, invest in anti-theft security for it?

(LJ) While it seems likely the crimes will continue either way, perhaps the more benevolent versions of the activities can be distinguished to help people understand the limitations and ethical challenges presented by virtual activity?  How might we develop legal rules that distinguish CPU thieves from would-be SETI efforts?  How might we protect slashdotters from the DDOS stigma and consequences?

(DF) Suppose someone posts negative "information" about a company after selling the stock short. Under what circumstances does this count as illegal stock manipulation? Does the information have to be false? Consider a recent mini-flap in the world of electric cars.

(KW) Crimes such as drug trafficking rely on the anonymity of cash to complete their transactions, and crimes muggings and burglaries are motivated by cash.  If the world eventually moves to a cashless society (perhaps primarily ecash), will it curb these types of crimes, or are they adaptable making it harder for law enforcement to track and make arrests?
(KW) The Computer Fraud and Abuse Act provides criminal and civil penalties against persons who wrongfully access computers.   However, in order to successfully bring a civil claim, a loss of at least $5000 must be met, but the loss must be a cost (e.g. the cost to conduct computer forensics) and not stolen intellectual property.  Should there be a way to quantify items such as PII (personally identifiable information) so that a victim may add it to their total loss, or is the current law a fair assessment of compensation?

DF: David Friedman
KW: Kristie Weber
Lisa Jensen
PYS: Previous Year's Student

Legal research from past years

Legal Research this year: Analysis of CFAA Unauthorized Access Requirement and of ECPA

Table of contents page

Course page

My Home Page