Computers, Crimes, and Privacy

School of Law

Santa Clara University

Spring 1997

Lecture Notes Outline

D. Friedman

• I. Mechanics: Seminar
  • A. First half of the course I provide the material, lead the discussion.
  • B. Second half, student paper presentations. A few guest lecturers.
  • C. Everyone does a paper. Everyone does a presentation. Papers are due last day of class.
  • D. Prior to the presentation, give me material and links in machine readable form, I put it on the class web page for other students to look at before your presentation.
  • E. Materials:
    • 1. Two books (one, The Hacker Crackdown, available on the web)
    • 2. Cases, other readings.
    • 3. Links on the class web page
    • 4. My lecture notes.
    • 5. I have other materials for students who want to use them, including a lot of posts from Cyberia-L, a computer law Listserve.
  • F. You can also communicate with me via EMail. DDFr@Best.com
  • G. I hope to learn too. Together we will explore the world we are gong to be living in.
• II. Law and Technology
  • A. Protection without copyright:
    • 1. c. 1900, the U.S. did not recognize British copyrights, yet ...
    • 2. British authors got sizable revenues from American publications, because ...
    • 3. The printing technology of the time, with high typesetting costs in money and time, gave the first mover a big advantage. He could pay his fixed costs out of early sales then, if necessary, cut his price (put out a "fighting edition") to prevent the pirate publisher from ever recouping his fixed costs.
  • B. Copyright without protection:
    • 1. Currently, it may be illegal to photocopy a book or article without the copyright holder's permission, but there is very little he can do to stop it.
    • 2. Similarly for making a copy of a computer program for a friend.
    • 3. What the copyright holder can prevent is large scale, public sale of copies made in violation of copyright, or the use of many such copies by a large organization--large enough to contain at least one whistle blower.
  • C. So we have an interaction between what the law says and what it can, in fact, control--with the latter depending in part on technology.
  • D. The history of computer law provides us with some evidence of how law evolves--what happens when existing legal rules are faced with a new set of problems for which they were not designed..
• III. Three topics:
  • A. Computer crime:
    • 1. What it is
    • 2. How it fits into the current structure of law
      • a. Is information property? Is transporting pirated Presley records accross state lines a violation of a law against interstate transportation of stolen property? No.
      • b. How is it valued? Bell South. Lund v Virginia.
      • c. Alternatives to criminal law: Civil law. Trade Secret. Copyright. ...
    • 3. How it ought to be dealt with.
      • a. By analogy
      • b. By new legislation
      • c. By realspace contract, property, etc.
  • B. Old privacy issues
    • 1. Protection against false information being distributed. (defamation law?)
    • 2. Protection against true information being distributed. (Privacy) Fair Credit Reporting Act. Is such protection desirable--or does it mean protecting people's ability to defraud other people, by hiding information about themselves? Is it doable?
    • 3. Protection against government collection and distribution of information.
  • C. New privacy issue: Privacy via encryption.
    • 1. Computers as promoters of privacy
    • 2. Criminal implications
    • 3. Other (?) social implications.
  • D. Law, Technology and Metaphor
    • 1. Is a computer "break-in" a
    • 2. Break-in?
    • 3. Fraud?
    • 4. Legal act.

    ---

• I. Today the present, future, and papers. Next week into the past.
• II. Strong Privacy: The technology (see the FAQ from RSA Data Security, Inc.'s homepage.). The following is my somewhat simplified explanation, given in more detail in my article (hardcopy available):
  • A. Public Key encryption for privacy.
    • 1. Two keys
    • 2. Non-invertable
  • B. Digital Signature
  • C. Digital Cash
    • 1. Desideratum: Neither bank nor snoops can trace
    • 2. My scheme
      • a. Send dollar with long number, bank undertakes to give the dollar to anyone who tells them the number, or to change the number on instructions accompanied by the number ...
      • b. Transaction: Give payee number. He sends it to the bank withthey are to change it into. The bank posts the fact that the transaction went through on some publicly accessible place.
    • 3. For Chaum's version of digital cash, which is actually being implemented, see the web. www.digicash.com
  • D. Anonymous remailers
  • E. Authentication problems: Centralized or decentralized. Phil Zimmerman built a decentralized system for keeping track of who has what public key into PGP. Verisign certificates are a fancier way of doing the same thing.
• III. The Supporting Technology: power, bandwidth, VR
  • A. Once we can create the illusion of being present through virtual reality, ...
  • B. Large parts of what we do, including the way many people make their living (including lawyers), can be done over the net.
  • C. Now encryption issues become central privacy etc. issues.
• IV. Implications of strong privacy
  • A. Transactions, conversations, etc. are technologically private. Interception is impractical, whether or not illegal.
  • B. Can combine anonymity with brand name reputation, since you can prove "who" you are via a digital signature without anyone knowing what body where is associated with that identity!
  • C. Obvious advantage: freedom of speech, assembly, etc. are techno secure.
  • D. advantage/disadvantage: Information sales and purchases are unobservable, hence cannot be taxed or regulated.
  • E. Disadvantage: Criminal firms with brand name--murder inc. Pirate publishers.
  • F. Defense via prohibition or via technology?
    • 1. Contract substitutes for intellectual property? Maybe.
    • 2. True names: if the person who wants you dead doesn't know your real name or what continent you live on, it's hard to arrange to have you killed.
  • G. Private Law. Nozick. Crypto-Anarchy. (See my article )

Some comments on my suggested ideas for papers

Is ITAR Constitutional? Is it enforceable? [ITAR classified encryption software as a munition, so you needed state department (now Commerce dept) permission to export software that you could legally sell in the U.S.]

Clipper 1, 2, 3?: Is there a constitutional (and politically and technologically viable) way of controlling encryption? [Clipper 1 was the clipper chip, Clipper 2 is the attempt to require that private encryption software provide for escrowed keys accessible to a court order, Clipper 3 could be any way of achieving the same objective--giving government access to cryptographically protected communications]

Protecting Intellectual Property on the Net: Law or Technology? [Do we try to make copyright enforceable, perhaps by making software for overcoming copy protection illegal, or do we try to use encryption and similar techniques to make it possible for the owners of intellectual property to directly control who uses it?]

The Legal System in a World of Strong Privacy

Can Hubert Humphrey police the Internet? [the attorney General of Minnesotta has announced that offering gambling on the net where his citizens can get at it is in violation of Minnesotta law and will be prosecuted--see link. ]

Does Cyberspace Need Its Own Laws? [Alternatives include generalizing existing law to apply to cyberspace, depending on existing law as applied to realspace objects--for instance, computers and phone lines--to control behavior, depending on contract, ...]

Norms of the Net: How are They Enforced, Do They Work? [There are a lot of behavioral norms, for instance on Usenet News, that get enforced by social pressure. Is that an adequate approach? Does it remain adequte as the size of the net community grows?]

Who Has Jurisdiction in Cyberspace? [If someone in Minnesota gambles in a cybercasino physically located in the Bahamas, with the messages forwarded across computers in four other states and two other countries, whose law applies?]

Can pornography and gambling be regulated on the Internet: Legal and technical issues.

Obscenity and Harassment: Legal and Technical Approaches

Online Defamation [Is it slander? Libel? Why do we treat them differently, and which is it more like?]

Viruses: The facts and their legal implications.

Hard Disks, Encryption, and the Fifth Amendment--can you refuse to give the police your password?

Computer Crime in the Twenty-first Century

Shareware: An Experiment in Unprotected Intellectual Property

Cyberpunk: Does SF Get the Legal Issues Right? (True Names, Snowcrash, Trouble and Her Friends, ...)

Privacy and Computer Crime in a World of Many Nations

The Church of Scientology vs anon.penet.fi [See link]

Universities, Free Speech, Harassment: Recent Cases and General Conclusions

[Cornell case, which some see as suppression of unpopular free speech by a university, and Caltech case. See links for both]

----

The Development of Computer Law

 
• I. Lund v. Virginia (1977)
  • A. Facts
    • 1. Student had not gotten authorised to use the computer, should have, could have.
    • 2. $5,000-$26,000 "worth" of time spent.
    • 3. Mechanism: Funny money allotments. Key and account number, box #.
    • 4. Convicted of grand larceny for stealing $100 or more. Appealed.
  • B. Legal issues:
    • 1. What was stolen and what was it worth?
    • 2. No evidence that cards or keys were stolen, or worth >$100
    • 3. Taking of "goods or chattels" doesn't apply to taking computer time, services don't count (there was an old NY case about using a factory to produce things without the owners' knowledge. You buy inputs, sell product. Not theft because no property was taken--just services.)
    • 4. Va claims that the printouts (physical goods) were worth >$5000, taken by fraud.
    • 5. Court rejects cost as a measure of value, finds only scrap paper value proved.
  • C. One consequence was to spur computer crime statutes, which specifically cover computer services, unauthorised access, etc.
  • D. How should you value what was taken?
    • 1. Cost of production?
      • a. Do you price it as funny money (numbers used for internal accounting--each department gets a budget of $X to be spent only on buying computer time), or
      • b. Try to estimate a real shadow price--the cost your use imposed on the owner?
    • 2. Value to the thief?
    • 3. Value to anyone else is aprox zero.
    • 4. The issue of valuation comes back in the BellSouth case.
  • E. Was it really stolen?
  • F. Should this be criminal or civil?
    • 1. VPI gave him his degree, so presumably they don't strongly disapprove of what he did.
    • 2. Why are some offenses criminal and some civil? Which should this be?
• II. U.S. v. Seidlitz (1978)
  • A. Facts:
    • 1. Seidlitz set up security, etc. for an FEA computer facility.
    • 2. After leaving, he was caught hacking the security to download a chunk of WYLBUR over the phone
    • 3. by the use of a "spy function" which recorded his transactions with the computer.
    • 4. Phone company traced the call to Seidlitz's office.
    • 5. FBI searched office, found printout of WYLBUR source code, etc.
  • B. Legal issues:
    • 1. Was the spy function illegal?
      • a. Not if with consent by one party to the transaction? Who were the parties?
      • b. Was it an "aural" acquisition? No. Is any telephone tap "aural?" "Regardless of its ability to detect sound" sounds as though the judge doesn't understand telephone technology.
      • c. Recording what the computer was doing isn't a wiretap--more like bugging the office where one end of a phone conversation is taking place (with consent of its owner?)
      • d. And it wasn't (very much) a government action, despite FEA initiation.
    • 2. Was he defrauding them or simply preparing to demonstrate a security loophole?
    • 3. Did he take "property?"
  • C. The issues:
    • 1. Analogising a computer to a person: Who gives consent, is monitoring bugging or wiretapping, ... . "by means of false or fraudulent pretenses, representations, or promises ..." (Fed wire fraud statute). Representations to whom? Fraud implies human being fooled? Is picking a combination lock fraud?
    • 2. What really happened? Later in the semester we will look at a more recent case, involving Intel, where it seems pretty clear that the "break-in" was an innocent attempt to check the system's security by someone involved in setting it up.
    • 3. Lots of copies of WYLBUR out there--could it really be protected by secrecy? Copyright (1978)?
    • 4. Could he have stolen it easier earlier?
    • 5. Would he have made a printout of source code rather than kept it in machine readable form?
    • 6. Are all crimes crimes? Suppose I still have keys to U of Chicago Law School, because I never bothered to return them. If I am there over Christmas break and use them to go check a cite in the library, I may be technically trespassing (even breaking and entering?), but nobody associated with the institution would think of it that way.
• III. U.S. v Jones: (1977)
  • A. Facts of the scheme:
    • 1. Supervisor altered the numbers in the computerised system for accounts payable, so that checks went to A.L.E. Jones rather than to Whirlpool.
    • 2. Jones cashed the checks.
    • 3. Got caught.
  • B. The Law:
    • 1. The relevant statute does not apply to interstate transport of forgeries.
    • 2. Are these checks forgeries?
      • a. If real checks obtained by fraud, she is guilty, but ...
      • b. If forged checks, she is innocent (of this crime)
    • 3. The computer "really issued" the checks so they were real checks fraudulently obtained? (appeals court view)
    • 4. Or the computer was the tool Everston used to forge the checks, by changing the vendor number (before the checks were printed). (District Courts view)
  • C. The issues:
    • 1. How to analogise putting the wrong number into a computer to the sorts of things people did at the time the common law rule developed.
    • 2. What if he had altered the books so as to get the company to believe it owed money to Jones and write a check?
• IV. Versaggi (1987)
  • A. Facts:
    • 1. Versaggi worked for Kodak, had phone access to their computer systems.
    • 2. There were two unexplained incidents of phone lines going down.
    • 3. Kodak set up a script to monitor off site access to the system, record to disk everything that went to the offsite person's screen.
    • 4. From that plus phone bills, Kodak concluded that Versaggi did it.
  • B. Law: New computer law, computer tampering in the second degree:
    • 1. "intentionally alters in any manner or destsroys computere data or a computer program of another person" when he has no right to do so.
    • 2. Versaggi argued that he didn't alter the program, he used it.
    • 3. Court found that issuing commands to the software "altered" a computer program!
  • C. Issues:
    • 1. Did he alter a computer program? Do I alter my home wiring when I turn on the lights?
    • 2. Evidence: Could he have been framed? This issue will arise again in the Caltech case.

• I. Review:
  • A. The cases:
    • 1. Lund v Virginia: Unauthorised use of hard to price services.
    • 2. U. S. v. Seidlitz: ex-Consultant making unauthorised download.
    • 3. U.S. v. Jones: Real honest computer crime--but not very computer.
    • 4. Versaggi: long distance minor sabotage.
  • B. The issues raised:
    • 1. How should the law treat unauthorised use?
      • a. Not a new issue, but ...
      • b. A newly important one, because
      • c. Invisible or unobtrusive use is a lot easier on a computer, especially a multi-user one, than a factory, and ...
      • d. Since marginal cost of use may be very low, there are problems for evaluating damages.
    • 2. How do you price stolen services?
      • a. Cost to victim or value to thief? Old issue in trade secret cases.
      • b. Arguably the larger of the two, because if you didn't steal the service you would have bought it, hence stealing it deprives the owner of the income from selling it to you, and ...
      • c. We want to use the largest possible value (i.e. the highest you would have paid if necessary), so as not to give people an incentive to substitute stealing things for bargaining for them.
      • d. So far we are observing the issue in criminal cases, where precise value is unimportant--merely more or less than $100 (Lund), $5000 (Bell South).
      • e. What is the cost to the victim? Marginal cost, which may be hard to estimate for a computer that has large fixed cost and somewhat random level of use. Like estimating the cost one more car imposes on a highway.
    • 3. Should these offenses be criminal or civil? More generally, why do we have both legal systems?
      • a. The fact that the cost is going to a specific victim is an argument for civil.
      • b. If there is only a low probability of apprehension, that is an argument for criminal.
    • 4. How do you fit computer facts into existing law?
      • a. Who is the other side of the phone conversation in U.S. v Seidlitz?
      • b. Is intercepting a conversation which never took aural form wiretapping within the meaning of the act? This echoes the older question of whether wiretapping is a search and/or seizure within the meaning of the constitution.
      • c. Is tricking a computer into writing you checks fraud or forgery?
      • d. What counts as altering a computer program or data?
    • 5. How do you interpret facts in a very different factual environment?
      • a. Suppose you are the ex-security consultant for a museum, and want to persuade them that their protection is inadequate.
      • b. You draw up a plan for stealing their painting and show it to them.
      • c. You don't steal the painting--because the loss of the painting is obvious, will upset them, might damage the painting, you might get shot by a guard, .... . More generally, executing your plan in realspace is dangerous, expensive, and does visible damage.
      • d. But Seidlitz might plausibly have done the equivalent in cyberspace. Ditto for the recent Intel case.
      • e. And there are related evidentiary issues in Versaggi (apparently dealt with adequately) and the Caltech case (not).
• II. Technological digression:
  • A. How things work, of interest both because you will be using the technology and because it is the environment of the things we are studying.
  • B. Oldest technology: Single computer, not linked to anything. Still problems:
    • 1. Unauthorised access by someone who can manage physical access and password access.
    • 2. Especially plausible with a multi-user machine.
    • 3. Four approaches to getting password:
      • a. Trick someone into giving it to you--human engineering. AOL warns its customers that it will never ask them for their password--because it is afraid that someone posing as an AOL employee might.
      • b. Watch over someone's shoulder.
      • c. Piggy-back. Sit down at his terminal when he has gone off and forgotten to log off. Or ...
      • d. Obtain the password by trial and error. Especially practical if you are authorised at some level, so can run a program on the computer designed to try out lots of passwords.
      • e. Obtain it by finding it in the computer. Again easier if you are authorised at some level.
      • f. Ultimate objective--obtain superuser privileges, sysop privileges, ... .
    • 4. Once you have it, you can
      • a. Steal information
      • b. Misdirect the computer so as to steal cash or goods (Jones).
      • c. Alter information in your favor, or against someone else.
      • d. Lots of sf examples. Power. Pranks--connect police station number to phone-sex number.
  • C. Single computer, with phone-in lines.
    • 1. Now you don't need physical access
      • a. You do need the right phone number. But those may spread through networks. Should it be illegal to give them out? First amendment? What about posting credit card numbers on bulletin boards?
      • b. And you have to worry about the call being traced.
      • c. Unless you are a competent Phone Freek. That also keeps down phone bills. See Hacker Crackdown for details.
    • 2. You still need to get through password protection
      • a. Which may be an interesting game
      • b. And you can use your computer (by now, people have personal computers) to help. Your computer is being used as a terminal--and a safecracker.
    • 3. You are a whole lot more flexible in your approach--can call many different computers without elaborate research into physical entry issues
    • 4. It becomes much more practical to socially network with other crackers. Moving towards anonymity. At both ends--exchanging information with handles, not people, and cracking into computers without being physically present.
  • D. Internet or equivalent--networked computers.
    • 1. No phone bill problem.
    • 2. Now you only have to be a cracker, not a phone freek, to be able to conceal origin etc.
    • 3. Crack into someone's account over the phone. Don't do anything there that will call attention to you (lots of unlimited usage accounts nowadays). Use that as your base.
    • 4. Some computers are set up to be operated remotely. Analogous to C above.
    • 5. Others (mine, for example) are on the net only to exchange information. So you need some way of tricking them into giving you control. Get them to download a bogus program. Or find a bug in a real program that lets you do things you shouldn't.
    • 6. Networked computers talk to each other. So possibility for spreading viruses (or the internet Worm).
    • 7. Or low tech versions of computer crime over networks--piracy, slander, harassment.
• III. How the web works: theory and practice.
  • A. What it is. Files on web servers, hypertext links.
  • B. How to use it:
    • 1. Provider end. Create HTML file, ftp to a web server. Lots of free trial offers.
    • 2. User end. Browser. Click on links.
    • 3. Two strategies for finding stuff:
      • a. Search engine such as Altavista
      • b. Follow links. Some limitation to that. . Political links may or may not take you to places where people argue on the other side.
      • c. Combine the two strategies--find relevant pages through a search engine, then follow their links.
      • d. You can use the search engine to trace backward links by searches for the URL of the site they link to.
  • C. Privacy and commerce elements:
    • 1. A lot of it is funded by ads. A web ad is inherently superior to a hardcopy ad--because it is also a link.
    • 2. Can also have on-line payments.
    • 3. A seller+browser combination can guarantee privacy without any action by the user.
    • 4. Of course, that depends on trusting the seller.
      • a. Can you blackmail someone with the fact that he is reading porn?
      • b. Not most people--but maybe if you find the right ones.
      • c. Did I discover a new crime last year? I observed the following post, to an inappropriate group.

    ---

    I believe that it is okay to have sex before marriage unlike some people. This way you can expirence different types of sex and find the right man or woman who satifies you in bed. I you wait until marriage then what if your mate can not satisfy you, then you are stuck with him. Please write me and give me your thoughts on this. You can also tell me about some of your ways to excite a woman because I have not yet found the right man to satisfy me. (on alt.privacy, from a .edu address)

    ---

    Conjecture: the originator of the post plans to conduct email conversations with people who respond, then ask them if they think their wives would like to see a transcript. Most won't care (or don't have wives), but a few will pay up. Mass market blackmail. Alternative: a nasty practical joke on the person whose email address was used.
    • 5. Note that, absent a well developed system of digital signatures, public key reputations, etc., anonymity undercuts confidence in the seller--as in this example.

     

• IV. The rest of the internet: Web is so popular because because it is easy to use.
  • A. EMail
    • 1. Text + attachments. The latter can be images, programs, ...
    • 2. Messages get from sender to recipient by bouncing from machine to machine.
    • 3. They can be intercepted en route, and are stored on your mail server until you retrieve them. So somebody could get at them either by having control over some intermediate computer and saving a copy of each passing packet, or by having control of your mail server, or by hacking into your mail server and reading its contents.
    • 4. Suppose you delete lots of email on your hard disk. It may still be there--to be found by someone else. Delete does not really erase, it simply tells the computer that it is free to reuse the space the deleted message was occupying. Until something else is written to that space, the deleted material is still there and can be read.
    • 5. EMail permits very cheap mass mailings--a current issue. AOL. How to defend?
      • a. You could give correspondents a code to put in their subject headings, then set your mailreader to filter out everything that doesn't include that code. But doing that is a nuisance, and means strangers cannot EMail you, even if you would like them to.
      • b. We could establish legal rules requiring mass mailings to identify themselves as such by something in their subject line--letting you filter them out.
  • B. Usenet news.
    • 1. How it works.
      • a. It looks to the user like a very large collection of bulletin boards on a wide range of topics (about 21,000 on my ISP's News Server), accessible worldwide.
      • b. But it is actually a decentralized system--there is no one machine that hosts a given Newsgroup.
      • c. When you post, your message goes to whatever News Server you use--a computer (probably belonging to your ISP or university or employer) that stores and forwards newsgroup postings.
      • d. Next time your news server talks to another news server, each one sends the other any new postings that it doesn't have.
      • e. So your post gradually spreads across the world, from server to server.
      • f. When you use a newsreader to read a newsgroup, you are seeing all messages in that group currently on your news server.
    • 2. Even if you don't have access to a news server (SCU did not provide one, save for a few local groups, last time I checked), you can access postings by using one of the free search engines on the web, such as Altavista or Deja News. You can search by newsgroup, poster, date, key words, ... .
    • 3. How to control SPAM?
      • a. Somebody who wants to advertise something can (but isn't supposed to) post his ad to lots and lots of newsgroups, at essentially no cost to him, thus making it harder for people reading the group to find the messages that they are actually interested in.
      • b. One solution is CancelMoose, a program (apparently owned by someone in Canada), which looked for posts going to many different groups and firges bogus cancel messages cancelling those posts. (Such messages are supposed to come from the poster--but the relevant sender information can easily be forged).
      • c. Currently, CancelMoose has created and is pushing a more flexible system, in which anyone can issue messages telling people to cancel a news posting. Such messages are to be signed with the issuer's private key. The recipient programs his computer to specify whose cancel messages it will accept.
      • d. If this becomes the standard, it lets any individual or group distribute filters filtering out (or in) messages it disapproves (or approves) of. Every user can decide whose filters, if any, to believe.
      • e. This provides a possible solution not only to SPAM but to pornography etc.
    • 4. How to control defamation
      • a. How does online defamation fit into existing law? Is it slander or libel?
      • b. Who is responsible if something defamatory appears online. AOL or Compuserve if it is on one of their boards? Every ISP whose news server carries the post? The author? What if he posted anonymously.
      • c. Cubby v Compuserve and Stratton Oakmont v Prodigy are two cases on this issue, one finding that Compuserve is in the position of a bookstore, not responsible for checking the books it sells for defamation, and one finding that Prodigy, because it makes some attempt to control what appears, is in the position of a publisher and is responsible. The latter case was appealed, then settled, so we don't know if it would have been upheld.
  • C. Telenet is a mechanism that lets someone at one computer control a different computer over the net, as if he were sitting at its keyboard--subject to whatever password restrictions etc. the second computer imposes.
  • D. ftp (file transfer protocol) is a procedure for transferring files from one computer to another over the net. You can make files available to anyone with the suitable password, or you can set them up for anonymous ftp, making the accessible to anyone.

  ---

• I. The Hacker Crackdown: The sociology of computer crime
  • A. What the cops know that ain't so:
    • 1. The Bell crash
      • a. Why should they believe the official version; perhaps
      • b. It was designed to prevent embarassment, or
      • c. avoid encouraging a repeat.
    • 2. Would we be better off if we didn't report plane bombings, successful hijackings?
      • a. Other people wouldn't get the idea, but ...
      • b. If everyone knew we didn't report them
      • c. There would be a lot of false suspicion.
    • 3. Hacker self-glorificationf also encourages police suspicions.
  • B. Illegal industries are poorly known; paranoia may reign
  • C. "Hacker" and "Hacks."
    • 1. A "hack" was an odd and ingenious way of doing/designing something.
    • 2. A programmer seeing his first elephant might describe it as an impressive hack--"it picks up things how!?!"
    • 3. The word "Narc" has had a similar change through back etymology (deducing its meaning from a false guess at its origin). It originally meant a police spy, possibly from a Romany word for "nose." People heard it as nark=narc=narcotics agent.
    • 4. And "hacking" now implies something illegal and possibly destructive.
    • D. Is it wrong? There are a lot of ways of using technology for purposes it was not intended for that are not illegal.
      • 1. Suppose I want to know if you are home for some legal purpose you disapprove of--serving you with legal papers, for example.
      • 2. I call you up, and if you answer I hang up and send the process server.
      • 3. That is not why you have a phone--but what I am doing is not illegal.
      • 4. How do you distinguish that from someone whistling into a telephone to get free long distance service, or dialing up a computer in order to use it in ways not intended by its owner?
    • E. Consider ways of enforcing rules in hacker/phone phreak culture: instead of executing someone you turn him in to the police. Your weapon is information rather than force.
  • F. Believing what people want to believe:
    • 1. Hackers want to believe they do no harm, computers are overpriced, ...
    • 2. Police want to believe that hackers are thieves.
    • 3. And that markets are organizations: Mafia. You can fight an organization.
    • G. The files that were on the BBS's the police seized--should they have been there? similar information (on how to commit crimes) is in books sold openly. Should such be banned? Is the 1st amendment a good idea?
  • H. Sting operations don't require phone taps.
  • I. There may be a delicate balance between not treating hackers badly enough to make them want to commit largescale vandalism and not treating them well enough to make hacking an attractive and popular hobby.

   

• II. U.S. v. Robert Riggs (and Craig Neidorf)
  • A. What happened:
    • 1. Riggs copied a text document from a Bell South computer--it had a secrecy warning at the top.
    • 2. Neidorff edited it and published it in Phrack
    • 3. The file zipped back and forth across state lines in the process.
  • B. Is it fraud?
    • 1. If you get the file by calling up a secretary and persuading her that you are someone she is supposed to send it to, then yes.
    • 2. If you get it by "persuading" a combination lock to let you in at night to steal the document, no.
    • 3. This case is somewhere between the two.
  • C. No fiduciary relationship between Riggs and Bell South--is this deprivation of an intangible right (requires a fiduciary relationship to be fraud) or of property (does not)?
  • D. Is what was transmitted a thing? "goods, wares or merchandise."
    • 1. Transmitting money counts.
    • 2. Does transmitting Bell's proprietary information count as transmitting "goods, ... ?" Yes, if affixed to a tangible medium. What if the medium is not stolen (U.S. v. Brown)?
    • 3. This court holds that it counts even if what was transmitted is not tangible--others have disagreed.
    • 4. Anyway--the court says that computer storage is more like paper than like memory.
    • 5.But no computer was transported--just the information. What if trade secret information had been transmitted by a phone conversation?
  • E. Is what was transferred the type of property that can be "stolen, converted or taken by fraud?"
  • F. Was it "transferred?" " Like the money in the case dealing with wire transfers of funds, the information in the E911 text file was accessible at Neidorf's computer terminal in Missouri before he transferred it, and the information was also accessible at the Lockport, Illinois computer bulletin board after Neidorf transferred it." But in this case, it was still where it started as well.
  • F. Dowling v U.S. holds that copyright violation does not qualify. Pirated records, when transported across state lines, are not subject to the Federal Stolen Property statute. The criminal owned the records, and the intellectual property was not "goods, wares or merchandise."
  • G. This court holds that trade secret can be stolen even if copyright can only be infringed.
  • H. Are "Hacker" and "Legion of Doom" prejudicial terms?
  • I. The real story:
    • 1. The Sysop of the BBS on which the document was stored reported it, the information got to Southern Bell security months before the document's publication, and nothing was done. Under trade secret law, this would be evidence against the claim that it was a trade secret. The judge in U.S. v. Riggs asserted that Bell South "closely guarded" the information.
    • 2. Every document produced by Southern Bell for internal use had the same secrecy warning.
    • 3. The information was administrative, not technical. Maybe helpful for verbal fraud, but ...
    • 4. Southern Bell sold a document with more extensive information to anyone for $13.
    • J. Is there a first amendment issue here? Neidorff is being charged with publishing something, not stealing it.
  • K. Law enforcement was trying to "send a message"--discourage communication of information useful in committing crimes--i.e.
    • 1. BBS's and electronic journals that published
    • 2. Other people's phone ID and credit card numbers
    • 3. Information on how to get such things and
    • 4. Information on how to get entry to other people's computers.
    • 5. Worried, in this case, that the information might be used to sabotage the 911 system.
  • L. Is this a legitimate objective?
    • 1. Books on "how to get even," "Anarchist's Cookbook," etc. are protected by the First Amendment.
    • 2. They tried to achieve the objective by harassment--siezing computer systems as evidence and then (in many cases) neither indicting people nor returning the seized systems.
    • 3. Is this, as the court in Neidorff seems to believe, part of a comspiracy to defraud? Where do you draw the line between planning crimes and telling people how to commit crimes?
    • 4. What was the "phoenix project?"
  • M. Does Neidorff have legal recourse against the Feds? Against Bell South (which claimed the document was worth $80,000). Should he? Is Bell guilty of abuse of process?
    • 1. Bell's figure was a (much inflated?) estimate of the cost of producing the document. But ...
    • 2. They still had it. The relevant figure ought to be either
    • 3. The cost to them of the info getting out or the value to the thief.
    • 4. Both were trivial, since they were freely selling a document containing the same information.

     

• III. Unix source code cases. 1990.
  • A. Law enforcement was following a trail from BBS to BBS via EMail
  • B. Found a respectable computer consultant, who ...
  • C. Had lots of Unix source code on his computer, and traded with similar people to get more.
  • D. Is he a criminal with millions of dollars of stolen property?
    • 1. Obviously not--Bell can sue if there is any damage (there probably is not).
    • 2. If Bell does sue, they may find it harder to get contractors in the future.
    • 3. Again--civil or criminal? Theft or conversion? This time a question of what the law is.
  • E. Typically in such a case his equipment is seized but no charges are ever made! (Not here)
  • F. What is happening? It is useful to have source code when doing subcontracting work. Bell is restrictive about giving it out. So A has source code for one part of Unix, B has it for another, they trade in order that neither has to persuade Bell to give him the code when and if he actually needs it. (conjecture)
  • G. Should Bell worry about such behavior? If intellectual property is easy to steal, the best strategy may be to enforce your rights against people who misuse it, not against ones who simply have it.
  • H. If Bell gets people like this thrown in jail, they may find it harder to hire consultants next time.
  • I. Conjecture: Bell's right hand did not know what its left hand was doing. Bell Telephone people are trying to intimidate hackers and phone phreaks; Bell Unix people would not want their consultants arrested for harmless acts, even if they are in violation of contract.

   

• IV. Review: Issues raised by the criminal cases.
  • A. What is computer fraud? Is using a fake password analogous to lying to a person or to opening someone else's combination lock?
  • B. What is information?
    • 1. In what sense does copying it deprive the owner of it?
    • 2. Does transporting it count as transporting "goods, wares or merchandise?"
      • a. Does it depend on the form in which it is transported--phone call or diskette?
      • b. Does it depend on who owns the diskette?
      • c. Does it depend on whether it is copyrighted or a trade secret?
    • 3. Can it be "stolen, converted or taken by fraud?"
    • 4. How do you measure its value?
      • a. Production cost? Clearly wrong.
      • b. Value to thief--perhaps, or ...
      • c. Cost to victim.
      • d. Note that Neidorff is a clear example of why the victim might lie about the value.
  • C. Where is the line between civil and criminal in computer cases?

   

• V. Steve Jackson case:
  • A. The facts:
    • 1. Steve Jackson Games had only a tenuous connection to anything illegal--an employee (Blankenship, aka Mentor) had Phrack on his board (Phoenix), and had posted talk about a planned password decryption service.
    • 2. Phoenix was an ideological board with no stolen credit cards, codes, etc., on it. Blankenship invited telephone people to come on the board and argue with hackers.
    • 3. Kluepful is the guy who was told about the 911 document and chose not to do anything about it.
    • 4. Izenburg ran a BBS on his own machine, connected with Terminus. Foley urged him to admit all sorts of things, none of them true. He let them seize his machine as evidence; he was charged with nothing. Six months later he asked about getting it back, as of two years later he still had not done so.
    • 5. "Erik Bloodaxe," co sys-op of Phoenix, had his stuff seized. Two years later, they still had it. No charge.
    • 6. Secret Service raided Phoenix, seized everything, no charges, two years later still had it--including his wife's thesis. No copy provided.
    • 7. They also raided Steve Jackson Games, apparently on the theory that Jackson's computers might have evidence and that Mentor might be able to erase it if warned.
      • a. Seized work in progress,
      • b. Working equipment,
      • c. Files of BBS EMail system.
      • d. Nobody was charged with anything.
      • e. Warrant was bogus--alleged false statement linking SJG to E911 case, attributed to Kluepfel, who denied it.
    • 8. GURPS Cyberpunk was the almost finished manuscript seized. A book, not a game.
    • 9. The next day, Jackson asked for the book back, so he could finish publishing it. Was told by an agent that it was a "manual for computer crime." Later told the same thing by other agents. He was not told about the connection to the 911 document case until months later when the warrant was unsealed.
      • a. This gave everyone reason to believe for some months that it was a prior restraint case.
      • b. And leaves suspicion that it really was a prior restraint case--that once the Secret Service saw GURPS Cyberpunk, they concluded that Steve Jackson was a bad guy and ought to be treated accordingly.
    • 10. The secret Service claims they did not know of either the Privacy Protection Act or that SJG was a publisher.
    • 11. They were, however, informed of the latter fact during the raid
    • 12. And of both the next day.
    • 13. The Secret Service refused to give copies of anything, did not return the bulk of what was seized for almost four months.
  • B. The Verdict
    • 1. The Secret Service was not liable for defects in the initial warrant application
    • 2. Not liable for damages for the first day of the seizure
    • 3. Liable for damages for the rest of the year for violation of Privacy Protection act in searching a publisher
    • 4. Not liable for damages thereafter because because they were balanced by SJG's gains from publicity
    • 5. Not a violation of the Wire and Electronic Communications ... act interception rules because reading a stored message is not interception,
    • 6. But it does violate the "Stored Wire and Electronic Communications and Transactional Records Access" procedures set out by the act for getting access to stored communications, so $1000/plaintiff statutory damages. What about the other 362 plaintiffs? Collatoral estoppal does not apply to the government, so presumably they all have to litigate if they want their $1000/plaintiff.
  • C. Some narrow legal issues:
    • 1. No damages for day 1, ordinary damages for the next 4 months. Should it be ordinary damages for day 1 (negligence), punitive thereafter (deliberate violation of the law)? But the U.S. waiver of sovereign immunity does not cover punitive damages, so you cannot get them against the government.
    • 2. SJG got damages only for 1990, because of their later gain from publicity. Is that offset proper? If I buy a SJ game out of sympathy for Steve Jackson as a victim of the Secret Service, do I really intend the money to go to reduce their civil liability to him?
    • 3. Suppose the victim was not a publisher--does the Secret Service have a legal obligation to minimize damage? Consider the wife's thesis. Would it be possible to institute a class action covering all such cases, asking for an injunction requiring the Secret Service to institute a policy of prompt copying and return? The data, not the computer, is the evidence.
    • 4. What about requiring them to permit victim to copy?
    • 5. Suppose the police do a legal search of your greenhouse, in the (false) belief that you are growing marijuana, and deliberately leave the doors open, killing all of your valuable plants. Are they liable? Isn't that equivalent to seizing everything and refusing to provide a copy?
  • D. Broader issue: Is the whole campaign in violation of the first amendment?
    • 1. The objective was to suppress the distribution of information in order to suppress crime.
    • 2. When is that legal?
  • E. Still broader issue: What are the limits on police imposition of costs on people they never intend to indict?
    • 1. Old style: beat someone up.
    • 2. Arrest someone, let him cool off in jail over night, drop charges.
    • 3. Seize a computer.
    • 4. All of them work because the police have the threat that, if the victim objects, they could impose larger costs, at some cost to themselves (indict, jail, maybe lose the case).
    • 5. Is this a bad thing, or a necessary adjustment to the real world?
    • 6. How might it be prevented or limited? Should police or police departments be liable, and when?
    • 7. Would that give police an incentive to make dubious indictments instead of dubious seizures?
    • 8. What about obligating them to use the least costly method?
  • F. Sociology issue: "Those Kids aren't Criminals"
    • 1. How does, or should, the law separate acts by those trying to make money, do injury, etc. from equally illegal acts done as a prank, etc.?
    • 2. By age--asking for child drug runners.
    • 3. By intent--criminal copyright infringement example.
    • 4. Moral sanction as one form of deterrence--breaks.
    • 5. Partly this is a problem here because of the inverted hierarchy of age/expertise. The kids know enough more than the grownups to be able to do serious damage.
    • 6. Leopold and Loeb?Those kids' prank consisted of murder.

   

• VI. "Sending a Message"
  • A. If the message was designed to deter legal but wicked acts ...
  • B. Is sending it unconstitutional?
  • C. Steve Jackson--does the SS still think Cyberpunk Hackers is computer crime? They apparently (asserted by a correspondent) still use it in their training videos.
  • D. Why didn't they give back the computers, or their contents?
    • 1. To restrain publication
    • 2. To impose costs
    • 3. Because they did not want to admit they hadn't found anything?
  • E. How do you stop it?
    • 1. Make police civilly liable for costs they impose on someone if the victim is not indicted? But that gives them an incentive to indict innocent people, imposing still more costs.
    • 2.Make them liable if the victim is not convicted? but that gives them an incentive to convict innocent people.
    • 3. Make the police liable if they impose unnecessary costs--i.e. do not get their evidence in the least costly practical way.
    • 4. Note the intimidation problem--victims may not protest if the police could impose still larger costs on them.

   

• VII. Some final comments
  • A. Dorothy Denning will be seen again--as a supporter of the Clipper Chip.
  • B. Are Sterling and others right that the new technology changes organizational structures?
  • C. Does it change the crime/law enforcement/dispute adjudication structure?
    • 1. I can publish my own book from my desktop.
    • 2. My own academic magazine from my web page.
    • 3. My own scam from my modem--with a little more development of ecash privacy.
    • 4. Computer security as a private industry.
      • a. We were told last year that there are 1-6 law enforcement agents in Silicon Valley who specialize in computer crime. Our source was the 1--he is going to give a guest lecture later this semester.
      • b. According to him, the FBI have about seven people specializing in computer crime who have CS degrees or the like--and they are not likely to be in the class of a Mitnick or Morris.
      • c. So maybe it is sensible to rely on a decentralized law enforcement system, consisting mostly of private computer security people.

       

Computer Crime Stuff

• I. Computer Crime:
  • A. Jerry Schneider and Pacific Tel. Got into their order system. Stole/ordered equipment. 40 days in jail. Ended up as a computer security consultant.
  • B. Stanley Mark Rivkin. Working on backup system for a bank wire room.
    • 1. Authorized employee with code system--on a piece of paper in the wire room.
    • 2. Called, identified himself as from Intl div, requested 10.2 Million to his account in NY; from there it went to a Swiss bank.
    • 3. Russalmaz got telegram "from" head of the wire room, identifying Lon stein as representative, purchasing diamonds for the bank.
    • 3. Stein got baggage ticket, flew to luxembourg, looked at pack--diamonds.
    • 4. Told his attorney who had come up with diamond idea, attorney went to FBI
    • 5. Rivkin tried to get an acquantance to sell the diamonds for him, acquaintance saw a news story,went to FBI
    • 6. Asked acquaintance to mail money back to another friend. FBI followed, found him.
    • 7. Out on bail, got someone to try to make relevant contact for a repeat--with an underround FBI agent. 8 year sentence.
    • 8. Apparently he was setup for the second charge because there were legal problems with the first.
    • 8. Expert in computer, not crime. Was he posturing? Did he really intend to go through with it from the start?
  • C. 75% by employees.
  • D. Fry Guy. 1989
    • 1. Call customer of credit Systems of America--which handles credit card numbers and credit info. Get customer's ID info by claiming to be from CSA: acct # and password.
    • 2. Called in as customer, wandered around the computer, got to the staff area, found local resident with valid credit card. So far he could have done it without the computer--there are other ways of finding someone's credit card number and phone number.
    • 3. Rerouted victim's incoming calls to a phone booth in Paducah, from there to him.
    • 4. Called Western Union, wired $687 to its Paducah office to be transferred to a friend, gave victim's credit card. They called back to confirm. Confirmed. Reprogrammed everything.
    • 5. Repeat with another victim.
    • 6.His method required phone hacking. But you could also reverse the process--change phone number in relevant records to the number of the phone booth, so Western Union would call up CSA, get the phone booth's number, call it, and get their confirmation.
  • E. Captain Zap:
    • 1. Hack into credit agency, create good credit rating for an imaginary company.
    • 2. Hack into supplier, create real-world paper trail. Cut order, pay invoice, write delivery manifest, deliver to a mail drop.
    • 3. Caught by connection to the mail drop.
    • 4.$500,000
    • 5. Plea bargain to $1000 fine + 2 1/2 yrs probation. 1981
    • 6. State laws were passed afterwards against such things, fed started 1986.
  • F. First worm at PARC. Intended to do computer housekeeping. Left it one night, found it all over the place, killed it, abandoned the project.
  • G. Virus blackmail?
    • 1. Junk mail diskette with a unique license--an extortion demand. in small print. To list of a UK magazine.
    • 2. Info on AIDS, interactive software about it.
    • 3. Counted bootups, after 90 started encrypting files and hiding programs.
    • 4. Asked for money to be sent to a Panama City address.
    • 5. Did considerable damage.
    • 6. Attempt to call number coincided with U.S. invasion of Panama. Marine answered.
    • 7. Caught the man because he was crazy. Company seal in his bags.
    • 8. Is this a legitimate business device to force people to fulfill his "license" terms? There are some U.S. cases where a software contractor attempted to enforce the contract with the firm the software was for by building in code that would disable the program if he didn't stop it. Not quite so crazy--but still tortious, since the customer was not warned in advance.
    • 9. Extradited to Britain. Got crazy enough not to be tried.
    • 10. A million disks in his house.
    • 11. Would it work if done intelligently?
    • 12. Against one corporation?
  • H. How we would do it:
    • 1. Subvert company, sell short.
    • 2. Time bomb customers, blackmail company.
    • 3. One other way of profiting by a virus--be in the fixit business.
  • I. Leslie Lynn Doucette. Hacker service industry.
    • 1. Gets a number from someone over the phone.
    • 2. Check it by hacking or calling a chat line phone number.
    • 3. PBX has a long distance from 800 option. Use for communication.
    • 4. Voice mail computers as bulletin boards.
      • a. Hacker boards were known, monitored--credit cards could be cancelled.
      • b. Find an empty box in a voice mail system, use it. Low security because ...
      • c. Leave lists of verified codes.
      • d. Subordinates pick up, get money, send to her.
    • 5. Real estate man found his voice mail system overloaded with free riders.
    • 6.Secret Service had tip about Doucette from Canada (convicted, left)
    • 7. Informants said Chicago.
    • 8. They put a Dialed Number Recorder on her phone.
    • 9. Then on her 5 major subordinates.
    • 10. Plea Bargain, 27 months, 1990. Claimed $1.6 million in losses.
  • J. Citibank hack. N.Y. recent. EFT intercept. May or may not have happened
    • 1. By trial and error found addresses for a bunch of Citinet banks.
    • 2. Found a computer that might be for EFT, got in through default password left active, created program to log all transmissions to their file.
    • 3. Next day logged on, bingo. Captured hundreds of transactions, vanished w/o a trace.
    • 4. Opened a numbered Swiss Account. Got birth certificates, new ID and SS#
    • 5. Opened accounts at six banks in Houston and Dallas.
    • 6. Rigged Citicorp computer to send to their Telenet terminal, collected, returned acknowledgement. Real transfers.
    • 7. Then transferred the money to the Swiss bank, then withdrew to U.S. accts $7,333 each (below notice requirement).
    • 8. End of week each got $66,000.
    • 9. Citibank denies the story. Is it true? Posted to a BBS.
  • K. Check kiting story
    • 1. An old idea.
      • a. You take advantage of banks that credit you when you deposit a check instead of when they receive the funds, by ...
      • b. Depositing $1000 in one account,
      • c. writing 10 $1000 checks, depositing them in ten accounts.
      • d. Write ten $1000 checks on each of those, deposit one from each in each of ten new accounts--which now have $10,000 in each of them.
      • e. Repeat for a few more rounds. Transfer money from a new account to your first account to keep your first set of checks from bouncing
      • f. Eventually turn everything into cash and vanish.
    • 2. They used a computer to keep track of all the accounts, where money was need when.
    • 3. The computer crashed. So did the check kiting.
  • L. Extortion scheme. A senior computer employee about to resign
    • 1. Collects all of the backup tapes, including the off site backups
    • 2. Erases what is currently in the computer
    • 3. Then demands a large ransom
    • 4. The company paid--but he was caught making the pickup.
  • M. Will a market in Computer Crime develop?
    • 1. Computer criminals clearly need to take more advantage of the division of labor.
      • a. So that someone who knows how to hack can get together with
      • b. Someone who knows how to get rid of stolen property, hot diamonds, ...
      • c. Someone who knows how to pick up ransom payments, ..
      • d. ...
    • 2. Market in credit card numbers already exist, also
    • 3. in stolen long distance calls: sidewalk enterprise, free calls on pay or cellular.
    • 4. $1.4 million was charged in 4 days against one PBX.
    • 5. Immigrants are a good market, both because they want to make enormously expensive international phone calls and because they are less likely to report you to the police.
    •