Computers, Crimes, and Privacy
School of Law
Santa Clara University
Spring 1997
Lecture Notes Outline
D. Friedman
- I. Mechanics:
Seminar
- A. First half of the course I provide the
material, lead the discussion.
- B. Second half, student paper
presentations. A few guest lecturers.
- C. Everyone does a paper. Everyone does a
presentation. Papers are due last day of class.
- D. Prior to the presentation, give me
material and links in machine readable form, I put it on the
class web page for other students to look at before your
presentation.
- E. Materials:
- 1. Two books (one,
The
Hacker Crackdown, available on the web)
- 2. Cases, other readings.
- 3. Links on the class web page
- 4. My lecture notes.
- 5. I have other materials for students who want to use
them, including a lot of posts from Cyberia-L, a computer
law Listserve.
- F. You can also communicate with me via
EMail. DDFr@Best.com
- G. I hope to learn too. Together we will
explore the world we are gong to be living in.
- II. Law and
Technology
- A. Protection without copyright:
- 1. c. 1900, the U.S. did not recognize British
copyrights, yet ...
- 2. British authors got sizable revenues from American
publications, because ...
- 3. The printing technology of the time, with high
typesetting costs in money and time, gave the first mover a
big advantage. He could pay his fixed costs out of early
sales then, if necessary, cut his price (put out a "fighting
edition") to prevent the pirate publisher from ever
recouping his fixed costs.
- B. Copyright without protection:
- 1. Currently, it may be illegal to photocopy a book or
article without the copyright holder's permission, but there
is very little he can do to stop it.
- 2. Similarly for making a copy of a computer program for
a friend.
- 3. What the copyright holder can prevent is large scale,
public sale of copies made in violation of copyright, or the
use of many such copies by a large organization--large
enough to contain at least one whistle blower.
- C. So we have an interaction between what
the law says and what it can, in fact, control--with the latter
depending in part on technology.
- D. The history of computer law provides us
with some evidence of how law evolves--what happens when
existing legal rules are faced with a new set of problems for
which they were not designed..
- III. Three
topics:
- A. Computer crime:
- 1. What it is
- 2. How it fits into the current structure of law
- a. Is information property? Is transporting pirated
Presley records accross state lines a violation of a law
against interstate transportation of stolen property? No.
- b. How is it valued? Bell South. Lund v Virginia.
- c. Alternatives to criminal law: Civil law. Trade
Secret. Copyright. ...
- 3. How it ought to be dealt with.
- a. By analogy
- b. By new legislation
- c. By realspace contract, property, etc.
- B. Old privacy issues
- 1. Protection against false information being
distributed. (defamation law?)
- 2. Protection against true information being
distributed. (Privacy) Fair Credit Reporting Act. Is such
protection desirable--or does it mean protecting people's
ability to defraud other people, by hiding information about
themselves? Is it doable?
- 3. Protection against government collection and
distribution of information.
- C. New privacy issue: Privacy via
encryption.
- 1. Computers as promoters of privacy
- 2. Criminal implications
- 3. Other (?) social implications.
- D. Law, Technology and Metaphor
- 1. Is a computer "break-in" a
- 2. Break-in?
- 3. Fraud?
- 4. Legal act.
- I. Today the present,
future, and papers. Next week into the past.
- II. Strong Privacy:
The technology (see the FAQ from
RSA Data Security, Inc.'s
homepage.). The following is my somewhat
simplified explanation, given in more detail in
my
article (hardcopy available):
- A. Public Key encryption for
privacy.
- 1. Two keys
- 2. Non-invertable
- B. Digital Signature
- C. Digital Cash
- 1. Desideratum: Neither bank nor snoops can trace
- 2. My scheme
- a. Send dollar with long number, bank undertakes to
give the dollar to anyone who tells them the number, or
to change the number on instructions accompanied by the
number ...
- b. Transaction: Give payee number. He sends it to the
bank withthey are to change it into. The bank posts the
fact that the transaction went through on some publicly
accessible place.
- 3. For Chaum's version of digital cash, which is
actually being implemented, see the web. www.digicash.com
- D. Anonymous remailers
- E. Authentication problems: Centralized or
decentralized. Phil Zimmerman built a decentralized system for
keeping track of who has what public key into PGP. Verisign
certificates are a fancier way of
doing the same thing.
- III. The Supporting
Technology: power, bandwidth, VR
- A. Once we can create the illusion of being
present through virtual reality, ...
- B. Large parts of what we do, including the
way many people make their living (including lawyers), can be
done over the net.
- C. Now encryption issues become central
privacy etc. issues.
- IV. Implications of
strong privacy
- A. Transactions, conversations, etc. are
technologically private. Interception is impractical, whether
or not illegal.
- B. Can combine anonymity with brand name
reputation, since you can prove "who" you are via a digital
signature without anyone knowing what body where is associated
with that identity!
- C. Obvious advantage: freedom of speech,
assembly, etc. are techno secure.
- D. advantage/disadvantage: Information
sales and purchases are unobservable, hence cannot be taxed or
regulated.
- E. Disadvantage: Criminal firms with brand
name--murder inc. Pirate publishers.
- F. Defense via prohibition or via
technology?
- 1. Contract substitutes for intellectual property?
Maybe.
- 2. True names: if the person who wants you dead doesn't
know your real name or what continent you live on, it's hard
to arrange to have you killed.
- G. Private Law. Nozick. Crypto-Anarchy.
(See my
article )
Some comments on my suggested ideas
for papers
Regulating Encryption
Is ITAR Constitutional? Is it enforceable? [ITAR classified
encryption software as a munition, so you needed state department
(now Commerce dept) permission to export software that you could
legally sell in the U.S.]
Clipper 1, 2, 3?: Is there a constitutional (and politically and
technologically viable) way of controlling encryption? [Clipper 1 was
the clipper chip, Clipper 2 is the attempt to require that private
encryption software provide for escrowed keys accessible to a court
order, Clipper 3 could be any way of achieving the same
objective--giving government access to cryptographically protected
communications]
Regulating the Net
Protecting Intellectual Property on the Net: Law or Technology?
[Do we try to make copyright enforceable, perhaps by making software
for overcoming copy protection illegal, or do we try to use
encryption and similar techniques to make it possible for the owners
of intellectual property to directly control who uses it?]
The Legal System in a World of Strong Privacy
Can Hubert Humphrey police the Internet? [the attorney General of
Minnesotta has announced that offering gambling on the net where his
citizens can get at it is in violation of Minnesotta law and will be
prosecuted--see
link. ]
Does Cyberspace Need Its Own Laws? [Alternatives include
generalizing existing law to apply to cyberspace, depending on
existing law as applied to realspace objects--for instance, computers
and phone lines--to control behavior, depending on contract, ...]
Norms of the Net: How are They Enforced, Do They Work? [There are
a lot of behavioral norms, for instance on Usenet News, that get
enforced by social pressure. Is that an adequate approach? Does it
remain adequte as the size of the net community grows?]
Who Has Jurisdiction in Cyberspace? [If someone in Minnesota
gambles in a cybercasino physically located in the Bahamas, with the
messages forwarded across computers in four other states and two
other countries, whose law applies?]
Can pornography and gambling be regulated on the Internet: Legal
and technical issues.
Obscenity and Harassment: Legal and Technical Approaches
Online Defamation [Is it slander? Libel? Why do we treat them
differently, and which is it more like?]
Living With the New World
Viruses: The facts and their legal implications.
Hard Disks, Encryption, and the Fifth Amendment--can you refuse to
give the police your password?
Computer Crime in the Twenty-first Century
Shareware: An Experiment in Unprotected Intellectual Property
Cyberpunk: Does SF Get the Legal Issues Right? (True Names,
Snowcrash, Trouble and Her Friends, ...)
Privacy and Computer Crime in a World of Many Nations
The Church of Scientology vs anon.penet.fi [See
link]
Universities, Free Speech, Harassment: Recent Cases and General
Conclusions
[Cornell case, which some
see as suppression of unpopular free speech by a university, and
Caltech case. See links for both]
----
1/21/97
The Development of Computer Law
- I. Lund v. Virginia
(1977)
- A. Facts
- 1. Student had not gotten authorised to use the
computer, should have, could have.
- 2. $5,000-$26,000 "worth" of time spent.
- 3. Mechanism: Funny money allotments. Key and account
number, box #.
- 4. Convicted of grand larceny for stealing $100 or more.
Appealed.
- B. Legal issues:
- 1. What was stolen and what was it worth?
- 2. No evidence that cards or keys were stolen, or worth
>$100
- 3. Taking of "goods or chattels" doesn't apply to taking
computer time, services don't count (there was an old NY
case about using a factory to produce things without the
owners' knowledge. You buy inputs, sell product. Not theft
because no property was taken--just services.)
- 4. Va claims that the printouts (physical goods) were
worth >$5000, taken by fraud.
- 5. Court rejects cost as a measure of value, finds only
scrap paper value proved.
- C. One consequence was to spur computer
crime statutes, which specifically cover computer services,
unauthorised access, etc.
- D. How should you value what was
taken?
- 1. Cost of production?
- a. Do you price it as funny money (numbers used for
internal accounting--each department gets a budget of $X
to be spent only on buying computer time), or
- b. Try to estimate a real shadow price--the cost your
use imposed on the owner?
- 2. Value to the thief?
- 3. Value to anyone else is aprox zero.
- 4. The issue of valuation comes back in the BellSouth
case.
- E. Was it really stolen?
- F. Should this be criminal or civil?
- 1. VPI gave him his degree, so presumably they don't
strongly disapprove of what he did.
- 2. Why are some offenses criminal and some civil? Which
should this be?
- II. U.S. v. Seidlitz
(1978)
- A. Facts:
- 1. Seidlitz set up security, etc. for an FEA computer
facility.
- 2. After leaving, he was caught hacking the security to
download a chunk of WYLBUR over the phone
- 3. by the use of a "spy function" which recorded his
transactions with the computer.
- 4. Phone company traced the call to Seidlitz's office.
- 5. FBI searched office, found printout of WYLBUR source
code, etc.
- B. Legal issues:
- 1. Was the spy function illegal?
- a. Not if with consent by one party to the
transaction? Who were the parties?
- b. Was it an "aural" acquisition? No. Is any
telephone tap "aural?" "Regardless of its ability to
detect sound" sounds as though the judge doesn't
understand telephone technology.
- c. Recording what the computer was doing isn't a
wiretap--more like bugging the office where one end of a
phone conversation is taking place (with consent of its
owner?)
- d. And it wasn't (very much) a government action,
despite FEA initiation.
- 2. Was he defrauding them or simply preparing to
demonstrate a security loophole?
- 3. Did he take "property?"
- C. The issues:
- 1. Analogising a computer to a person: Who gives
consent, is monitoring bugging or wiretapping, ... . "by
means of false or fraudulent pretenses, representations, or
promises ..." (Fed wire fraud statute). Representations to
whom? Fraud implies human being fooled? Is picking a
combination lock fraud?
- 2. What really happened? Later in the semester we will
look at a more recent case, involving Intel, where it seems
pretty clear that the "break-in" was an innocent attempt to
check the system's security by someone involved in setting
it up.
- 3. Lots of copies of WYLBUR out there--could it really
be protected by secrecy? Copyright (1978)?
- 4. Could he have stolen it easier earlier?
- 5. Would he have made a printout of source code rather
than kept it in machine readable form?
- 6. Are all crimes crimes? Suppose I still have keys to U
of Chicago Law School, because I never bothered to return
them. If I am there over Christmas break and use them to go
check a cite in the library, I may be technically
trespassing (even breaking and entering?), but nobody
associated with the institution would think of it that way.
- III. U.S. v Jones:
(1977)
- A. Facts of the scheme:
- 1. Supervisor altered the numbers in the computerised
system for accounts payable, so that checks went to A.L.E.
Jones rather than to Whirlpool.
- 2. Jones cashed the checks.
- 3. Got caught.
- B. The Law:
- 1. The relevant statute does not apply to interstate
transport of forgeries.
- 2. Are these checks forgeries?
- a. If real checks obtained by fraud, she is guilty,
but ...
- b. If forged checks, she is innocent (of this crime)
- 3. The computer "really issued" the checks so they were
real checks fraudulently obtained? (appeals court view)
- 4. Or the computer was the tool Everston used to forge
the checks, by changing the vendor number (before the checks
were printed). (District Courts view)
- C. The issues:
- 1. How to analogise putting the wrong number into a
computer to the sorts of things people did at the time the
common law rule developed.
- 2. What if he had altered the books so as to get the
company to believe it owed money to Jones and write a check?
- IV. Versaggi (1987)
- A. Facts:
- 1. Versaggi worked for Kodak, had phone access to their
computer systems.
- 2. There were two unexplained incidents of phone lines
going down.
- 3. Kodak set up a script to monitor off site access to
the system, record to disk everything that went to the
offsite person's screen.
- 4. From that plus phone bills, Kodak concluded that
Versaggi did it.
- B. Law: New computer law, computer
tampering in the second degree:
- 1. "intentionally alters in any manner or destsroys
computere data or a computer program of another person" when
he has no right to do so.
- 2. Versaggi argued that he didn't alter the program, he
used it.
- 3. Court found that issuing commands to the software
"altered" a computer program!
- C. Issues:
- 1. Did he alter a computer program? Do I alter my home
wiring when I turn on the lights?
- 2. Evidence: Could he have been framed? This issue will
arise again in the Caltech case.
1/23
- I.
Review:
- A. The cases:
- 1. Lund v Virginia: Unauthorised use of hard to
price services.
- 2. U. S. v. Seidlitz: ex-Consultant making
unauthorised download.
- 3. U.S. v. Jones: Real honest computer crime--but
not very computer.
- 4. Versaggi: long distance minor sabotage.
- B. The issues raised:
- 1. How should the law treat unauthorised use?
- a. Not a new issue, but ...
- b. A newly important one, because
- c. Invisible or unobtrusive use is a lot easier on a
computer, especially a multi-user one, than a factory,
and ...
- d. Since marginal cost of use may be very low, there
are problems for evaluating damages.
- 2. How do you price stolen services?
- a. Cost to victim or value to thief? Old issue in
trade secret cases.
- b. Arguably the larger of the two, because if you
didn't steal the service you would have bought it, hence
stealing it deprives the owner of the income from selling
it to you, and ...
- c. We want to use the largest possible value (i.e.
the highest you would have paid if necessary), so as not
to give people an incentive to substitute stealing things
for bargaining for them.
- d. So far we are observing the issue in criminal
cases, where precise value is unimportant--merely more or
less than $100 (Lund), $5000 (Bell South).
- e. What is the cost to the victim? Marginal cost,
which may be hard to estimate for a computer that has
large fixed cost and somewhat random level of use. Like
estimating the cost one more car imposes on a highway.
- 3. Should these offenses be criminal or civil? More
generally, why do we have both legal systems?
- a. The fact that the cost is going to a specific
victim is an argument for civil.
- b. If there is only a low probability of
apprehension, that is an argument for criminal.
- 4. How do you fit computer facts into existing law?
- a. Who is the other side of the phone conversation in
U.S. v Seidlitz?
- b. Is intercepting a conversation which never took
aural form wiretapping within the meaning of the act?
This echoes the older question of whether wiretapping is
a search and/or seizure within the meaning of the
constitution.
- c. Is tricking a computer into writing you checks
fraud or forgery?
- d. What counts as altering a computer program or
data?
- 5. How do you interpret facts in a very different
factual environment?
- a. Suppose you are the ex-security consultant for a
museum, and want to persuade them that their protection
is inadequate.
- b. You draw up a plan for stealing their painting and
show it to them.
- c. You don't steal the painting--because the loss of
the painting is obvious, will upset them, might damage
the painting, you might get shot by a guard, .... . More
generally, executing your plan in realspace is dangerous,
expensive, and does visible damage.
- d. But Seidlitz might plausibly have done the
equivalent in cyberspace. Ditto for the recent Intel
case.
- e. And there are related evidentiary issues in
Versaggi (apparently dealt with adequately) and
the Caltech case (not).
- II. Technological
digression:
- A. How things work, of interest both
because you will be using the technology and because it is the
environment of the things we are studying.
- B. Oldest technology: Single computer, not
linked to anything. Still problems:
- 1. Unauthorised access by someone who can manage
physical access and password access.
- 2. Especially plausible with a multi-user machine.
- 3. Four approaches to getting password:
- a. Trick someone into giving it to you--human
engineering. AOL warns its customers that it will never
ask them for their password--because it is afraid that
someone posing as an AOL employee might.
- b. Watch over someone's shoulder.
- c. Piggy-back. Sit down at his terminal when he has
gone off and forgotten to log off. Or ...
- d. Obtain the password by trial and error. Especially
practical if you are authorised at some level, so can run
a program on the computer designed to try out lots of
passwords.
- e. Obtain it by finding it in the computer. Again
easier if you are authorised at some level.
- f. Ultimate objective--obtain superuser privileges,
sysop privileges, ... .
- 4. Once you have it, you can
- a. Steal information
- b. Misdirect the computer so as to steal cash or
goods (Jones).
- c. Alter information in your favor, or against
someone else.
- d. Lots of sf examples. Power. Pranks--connect police
station number to phone-sex number.
- C. Single computer, with phone-in
lines.
- 1. Now you don't need physical access
- a. You do need the right phone number. But those may
spread through networks. Should it be illegal to give
them out? First amendment? What about posting credit card
numbers on bulletin boards?
- b. And you have to worry about the call being traced.
- c. Unless you are a competent Phone Freek. That also
keeps down phone bills. See Hacker Crackdown for
details.
- 2. You still need to get through password protection
- a. Which may be an interesting game
- b. And you can use your computer (by now, people have
personal computers) to help. Your computer is being used
as a terminal--and a safecracker.
- 3. You are a whole lot more flexible in your
approach--can call many different computers without
elaborate research into physical entry issues
- 4. It becomes much more practical to socially network
with other crackers. Moving towards anonymity. At both
ends--exchanging information with handles, not people, and
cracking into computers without being physically present.
- D. Internet or equivalent--networked
computers.
- 1. No phone bill problem.
- 2. Now you only have to be a cracker, not a phone freek,
to be able to conceal origin etc.
- 3. Crack into someone's account over the phone. Don't do
anything there that will call attention to you (lots of
unlimited usage accounts nowadays). Use that as your base.
- 4. Some computers are set up to be operated remotely.
Analogous to C above.
- 5. Others (mine, for example) are on the net only to
exchange information. So you need some way of tricking them
into giving you control. Get them to download a bogus
program. Or find a bug in a real program that lets you do
things you shouldn't.
- 6. Networked computers talk to each other. So
possibility for spreading viruses (or the internet Worm).
- 7. Or low tech versions of computer crime over
networks--piracy, slander, harassment.
- III. How the web
works: theory and practice.
- A. What it is. Files on web servers,
hypertext links.
- B. How to use it:
- 1. Provider end. Create HTML file, ftp to a web server.
Lots of free trial offers.
- 2. User end. Browser. Click on links.
- 3. Two strategies for finding stuff:
- a. Search engine such as Altavista
- b. Follow links. Some limitation to that. . Political
links may or may not take you to places where people
argue on the other side.
- c. Combine the two strategies--find relevant pages
through a search engine, then follow their links.
- d. You can use the search engine to trace backward
links by searches for the URL of the site they link to.
- C. Privacy and commerce elements:
- 1. A lot of it is funded by ads. A web ad is inherently
superior to a hardcopy ad--because it is also a link.
- 2. Can also have on-line payments.
- 3. A seller+browser combination can guarantee privacy
without any action by the user.
- 4. Of course, that depends on trusting the seller.
- a. Can you blackmail someone with the fact that he is
reading porn?
- b. Not most people--but maybe if you find the right
ones.
- c. Did I discover a new crime last year? I observed
the following post, to an inappropriate group.
I believe that it is okay to have sex
before marriage unlike some people. This way you can expirence
different types of sex and find the right man or woman who
satifies you in bed. I you wait until marriage then what if
your mate can not satisfy you, then you are stuck with him.
Please write me and give me your thoughts on this. You can also
tell me about some of your ways to excite a woman because I
have not yet found the right man to satisfy me. (on
alt.privacy, from a .edu address)
Conjecture: the originator of the post plans to conduct
email conversations with people who respond, then ask them
if they think their wives would like to see a transcript.
Most won't care (or don't have wives), but a few will pay
up. Mass market blackmail. Alternative: a nasty practical
joke on the person whose email address was used.
- 5. Note that, absent a well developed system of digital
signatures, public key reputations, etc., anonymity
undercuts confidence in the seller--as in this example.
- IV. The rest of the
internet: Web is so popular because because it is easy to
use.
- A. EMail
- 1. Text + attachments. The latter can be images,
programs, ...
- 2. Messages get from sender to recipient by bouncing
from machine to machine.
- 3. They can be intercepted en route, and are stored on
your mail server until you retrieve them. So somebody could
get at them either by having control over some intermediate
computer and saving a copy of each passing packet, or by
having control of your mail server, or by hacking into your
mail server and reading its contents.
- 4. Suppose you delete lots of email on your hard disk.
It may still be there--to be found by someone else. Delete
does not really erase, it simply tells the computer that it
is free to reuse the space the deleted message was
occupying. Until something else is written to that space,
the deleted material is still there and can be read.
- 5. EMail permits very cheap mass mailings--a current
issue. AOL. How to defend?
- a. You could give correspondents a code to put in
their subject headings, then set your mailreader to
filter out everything that doesn't include that code. But
doing that is a nuisance, and means strangers cannot
EMail you, even if you would like them to.
- b. We could establish legal rules requiring mass
mailings to identify themselves as such by something in
their subject line--letting you filter them out.
- B. Usenet news.
- 1. How it works.
- a. It looks to the user like a very large collection
of bulletin boards on a wide range of topics (about
21,000 on my ISP's News Server), accessible worldwide.
- b. But it is actually a decentralized system--there
is no one machine that hosts a given Newsgroup.
- c. When you post, your message goes to whatever News
Server you use--a computer (probably belonging to your
ISP or university or employer) that stores and forwards
newsgroup postings.
- d. Next time your news server talks to another news
server, each one sends the other any new postings that it
doesn't have.
- e. So your post gradually spreads across the world,
from server to server.
- f. When you use a newsreader to read a newsgroup, you
are seeing all messages in that group currently on your
news server.
- 2. Even if you don't have access to a news server (SCU
did not provide one, save for a few local groups, last time
I checked), you can access postings by using one of the free
search engines on the web, such as Altavista or Deja News.
You can search by newsgroup, poster, date, key words, ... .
- 3. How to control SPAM?
- a. Somebody who wants to advertise something can (but
isn't supposed to) post his ad to lots and lots of
newsgroups, at essentially no cost to him, thus making it
harder for people reading the group to find the messages
that they are actually interested in.
- b. One solution is CancelMoose, a program (apparently
owned by someone in Canada), which looked for posts going
to many different groups and firges bogus cancel messages
cancelling those posts. (Such messages are supposed to
come from the poster--but the relevant sender information
can easily be forged).
- c. Currently, CancelMoose has created and is pushing
a more flexible system, in which anyone can issue
messages telling people to cancel a news posting. Such
messages are to be signed with the issuer's private key.
The recipient programs his computer to specify whose
cancel messages it will accept.
- d. If this becomes the standard, it lets any
individual or group distribute filters filtering out (or
in) messages it disapproves (or approves) of. Every user
can decide whose filters, if any, to believe.
- e. This provides a possible solution not only to SPAM
but to pornography etc.
- 4. How to control defamation
- a. How does online defamation fit into existing law?
Is it slander or libel?
- b. Who is responsible if something defamatory appears
online. AOL or Compuserve if it is on one of their
boards? Every ISP whose news server carries the post? The
author? What if he posted anonymously.
- c. Cubby v Compuserve and Stratton Oakmont
v Prodigy are two cases on this issue, one finding
that Compuserve is in the position of a bookstore, not
responsible for checking the books it sells for
defamation, and one finding that Prodigy, because it
makes some attempt to control what appears, is in the
position of a publisher and is responsible. The latter
case was appealed, then settled, so we don't know if it
would have been upheld.
- C. Telenet is a mechanism that lets someone
at one computer control a different computer over the net, as
if he were sitting at its keyboard--subject to whatever
password restrictions etc. the second computer imposes.
- D. ftp (file transfer protocol) is a
procedure for transferring files from one computer to another
over the net. You can make files available to anyone with the
suitable password, or you can set them up for anonymous ftp,
making the accessible to anyone.
- I. The Hacker
Crackdown: The sociology of computer crime
- A. What the cops know that ain't so:
- 1. The Bell crash
- a. Why should they believe the official version;
perhaps
- b. It was designed to prevent embarassment, or
- c. avoid encouraging a repeat.
- 2. Would we be better off if we didn't report plane
bombings, successful hijackings?
- a. Other people wouldn't get the idea, but ...
- b. If everyone knew we didn't report them
- c. There would be a lot of false suspicion.
- 3. Hacker self-glorificationf also encourages police
suspicions.
- B. Illegal industries are poorly known;
paranoia may reign
- C. "Hacker" and "Hacks."
- 1. A "hack" was an odd and ingenious way of
doing/designing something.
- 2. A programmer seeing his first elephant might describe
it as an impressive hack--"it picks up things how!?!"
- 3. The word "Narc" has had a similar change through back
etymology (deducing its meaning from a false guess at its
origin). It originally meant a police spy, possibly from a
Romany word for "nose." People heard it as
nark=narc=narcotics agent.
- 4. And "hacking" now implies something illegal and
possibly destructive.
- D. Is it wrong? There are a lot of ways
of using technology for purposes it was not intended for
that are not illegal.
- 1. Suppose I want to know if you are home for some
legal purpose you disapprove of--serving you with legal
papers, for example.
- 2. I call you up, and if you answer I hang up and
send the process server.
- 3. That is not why you have a phone--but what I am
doing is not illegal.
- 4. How do you distinguish that from someone whistling
into a telephone to get free long distance service, or
dialing up a computer in order to use it in ways not
intended by its owner?
- E. Consider ways of enforcing rules in
hacker/phone phreak culture: instead of executing someone
you turn him in to the police. Your weapon is information
rather than force.
- F. Believing what people want to
believe:
- 1. Hackers want to believe they do no harm, computers
are overpriced, ...
- 2. Police want to believe that hackers are thieves.
- 3. And that markets are organizations: Mafia. You can
fight an organization.
- G. The files that were on the BBS's the
police seized--should they have been there? similar
information (on how to commit crimes) is in books sold
openly. Should such be banned? Is the 1st amendment a good
idea?
- H. Sting operations don't require phone
taps.
- I. There may be a delicate balance between
not treating hackers badly enough to make them want to commit
largescale vandalism and not treating them well enough to make
hacking an attractive and popular hobby.
- II. U.S. v. Robert
Riggs (and Craig Neidorf)
- A. What happened:
- 1. Riggs copied a text document from a Bell South
computer--it had a secrecy warning at the top.
- 2. Neidorff edited it and published it in Phrack
- 3. The file zipped back and forth across state lines in
the process.
- B. Is it fraud?
- 1. If you get the file by calling up a secretary and
persuading her that you are someone she is supposed to send
it to, then yes.
- 2. If you get it by "persuading" a combination lock to
let you in at night to steal the document, no.
- 3. This case is somewhere between the two.
- C. No fiduciary relationship between Riggs
and Bell South--is this deprivation of an intangible right
(requires a fiduciary relationship to be fraud) or of property
(does not)?
- D. Is what was transmitted a thing? "goods,
wares or merchandise."
- 1. Transmitting money counts.
- 2. Does transmitting Bell's proprietary information
count as transmitting "goods, ... ?" Yes, if affixed to a
tangible medium. What if the medium is not stolen (U.S. v.
Brown)?
- 3. This court holds that it counts even if what was
transmitted is not tangible--others have disagreed.
- 4. Anyway--the court says that computer storage is more
like paper than like memory.
- 5.But no computer was transported--just the information.
What if trade secret information had been transmitted by a
phone conversation?
- E. Is what was transferred the type of
property that can be "stolen, converted or taken by
fraud?"
- F. Was it "transferred?" " Like the money
in the case dealing with wire transfers of funds, the
information in the E911 text file was accessible at Neidorf's
computer terminal in Missouri before he transferred it, and the
information was also accessible at the Lockport, Illinois
computer bulletin board after Neidorf transferred it." But in
this case, it was still where it started as well.
- F. Dowling v U.S. holds that copyright
violation does not qualify. Pirated records, when transported
across state lines, are not subject to the Federal Stolen
Property statute. The criminal owned the records, and the
intellectual property was not "goods, wares or
merchandise."
- G. This court holds that trade secret can
be stolen even if copyright can only be infringed.
- H. Are "Hacker" and "Legion of Doom"
prejudicial terms?
- I. The real story:
- 1. The Sysop of the BBS on which the document was stored
reported it, the information got to Southern Bell security
months before the document's publication, and nothing was
done. Under trade secret law, this would be evidence against
the claim that it was a trade secret. The judge in U.S. v.
Riggs asserted that Bell South "closely guarded" the
information.
- 2. Every document produced by Southern Bell for internal
use had the same secrecy warning.
- 3. The information was administrative, not technical.
Maybe helpful for verbal fraud, but ...
- 4. Southern Bell sold a document with more extensive
information to anyone for $13.
- J. Is there a first amendment issue
here? Neidorff is being charged with publishing something,
not stealing it.
- K. Law enforcement was trying to "send a
message"--discourage communication of information useful in
committing crimes--i.e.
- 1. BBS's and electronic journals that published
- 2. Other people's phone ID and credit card numbers
- 3. Information on how to get such things and
- 4. Information on how to get entry to other people's
computers.
- 5. Worried, in this case, that the information might be
used to sabotage the 911 system.
- L. Is this a legitimate objective?
- 1. Books on "how to get even," "Anarchist's Cookbook,"
etc. are protected by the First Amendment.
- 2. They tried to achieve the objective by
harassment--siezing computer systems as evidence and then
(in many cases) neither indicting people nor returning the
seized systems.
- 3. Is this, as the court in Neidorff seems to believe,
part of a comspiracy to defraud? Where do you draw the line
between planning crimes and telling people how to commit
crimes?
- 4. What was the "phoenix project?"
- M. Does Neidorff have legal recourse
against the Feds? Against Bell South (which claimed the
document was worth $80,000). Should he? Is Bell guilty of abuse
of process?
- 1. Bell's figure was a (much inflated?) estimate of the
cost of producing the document. But ...
- 2. They still had it. The relevant figure ought to be
either
- 3. The cost to them of the info getting out or the value
to the thief.
- 4. Both were trivial, since they were freely selling a
document containing the same information.
- III. Unix source code cases. 1990.
- A. Law enforcement was following a trail
from BBS to BBS via EMail
- B. Found a respectable computer consultant,
who ...
- C. Had lots of Unix source code on his
computer, and traded with similar people to get more.
- D. Is he a criminal with millions of
dollars of stolen property?
- 1. Obviously not--Bell can sue if there is any damage
(there probably is not).
- 2. If Bell does sue, they may find it harder to get
contractors in the future.
- 3. Again--civil or criminal? Theft or conversion? This
time a question of what the law is.
- E. Typically in such a case his equipment
is seized but no charges are ever made! (Not here)
- F. What is happening? It is useful to have
source code when doing subcontracting work. Bell is restrictive
about giving it out. So A has source code for one part of Unix,
B has it for another, they trade in order that neither has to
persuade Bell to give him the code when and if he actually
needs it. (conjecture)
- G. Should Bell worry about such behavior?
If intellectual property is easy to steal, the best strategy
may be to enforce your rights against people who misuse it, not
against ones who simply have it.
- H. If Bell gets people like this thrown in
jail, they may find it harder to hire consultants next
time.
- I. Conjecture: Bell's right hand did not
know what its left hand was doing. Bell Telephone people are
trying to intimidate hackers and phone phreaks; Bell Unix
people would not want their consultants arrested for harmless
acts, even if they are in violation of contract.
- IV. Review: Issues
raised by the criminal cases.
- A. What is computer fraud? Is using a fake
password analogous to lying to a person or to opening someone
else's combination lock?
- B. What is information?
- 1. In what sense does copying it deprive the owner of
it?
- 2. Does transporting it count as transporting "goods,
wares or merchandise?"
- a. Does it depend on the form in which it is
transported--phone call or diskette?
- b. Does it depend on who owns the diskette?
- c. Does it depend on whether it is copyrighted or a
trade secret?
- 3. Can it be "stolen, converted or taken by fraud?"
- 4. How do you measure its value?
- a. Production cost? Clearly wrong.
- b. Value to thief--perhaps, or ...
- c. Cost to victim.
- d. Note that Neidorff is a clear example of why the
victim might lie about the value.
- C. Where is the line between civil and
criminal in computer cases?
- V. Steve Jackson
case:
- A. The facts:
- 1. Steve Jackson Games had only a tenuous connection to
anything illegal--an employee (Blankenship, aka Mentor) had
Phrack on his board (Phoenix), and had posted talk about a
planned password decryption service.
- 2. Phoenix was an ideological board with no stolen
credit cards, codes, etc., on it. Blankenship invited
telephone people to come on the board and argue with
hackers.
- 3. Kluepful is the guy who was told about the 911
document and chose not to do anything about it.
- 4. Izenburg ran a BBS on his own machine, connected with
Terminus. Foley urged him to admit all sorts of things, none
of them true. He let them seize his machine as evidence; he
was charged with nothing. Six months later he asked about
getting it back, as of two years later he still had not done
so.
- 5. "Erik Bloodaxe," co sys-op of Phoenix, had his stuff
seized. Two years later, they still had it. No charge.
- 6. Secret Service raided Phoenix, seized everything, no
charges, two years later still had it--including his wife's
thesis. No copy provided.
- 7. They also raided Steve Jackson Games, apparently on
the theory that Jackson's computers might have evidence and
that Mentor might be able to erase it if warned.
- a. Seized work in progress,
- b. Working equipment,
- c. Files of BBS EMail system.
- d. Nobody was charged with anything.
- e. Warrant was bogus--alleged false statement linking
SJG to E911 case, attributed to Kluepfel, who denied it.
- 8. GURPS Cyberpunk was the almost finished manuscript
seized. A book, not a game.
- 9. The next day, Jackson asked for the book back, so he
could finish publishing it. Was told by an agent that it was
a "manual for computer crime." Later told the same thing by
other agents. He was not told about the connection to the
911 document case until months later when the warrant was
unsealed.
- a. This gave everyone reason to believe for some
months that it was a prior restraint case.
- b. And leaves suspicion that it really was a prior
restraint case--that once the Secret Service saw GURPS
Cyberpunk, they concluded that Steve Jackson was a bad
guy and ought to be treated accordingly.
- 10. The secret Service claims they did not know of
either the Privacy Protection Act or that SJG was a
publisher.
- 11. They were, however, informed of the latter fact
during the raid
- 12. And of both the next day.
- 13. The Secret Service refused to give copies of
anything, did not return the bulk of what was seized for
almost four months.
- B. The Verdict
- 1. The Secret Service was not liable for defects in the
initial warrant application
- 2. Not liable for damages for the first day of the
seizure
- 3. Liable for damages for the rest of the year for
violation of Privacy Protection act in searching a publisher
- 4. Not liable for damages thereafter because because
they were balanced by SJG's gains from publicity
- 5. Not a violation of the Wire and Electronic
Communications ... act interception rules because reading a
stored message is not interception,
- 6. But it does violate the "Stored Wire and Electronic
Communications and Transactional Records Access" procedures
set out by the act for getting access to stored
communications, so $1000/plaintiff statutory damages. What
about the other 362 plaintiffs? Collatoral estoppal does not
apply to the government, so presumably they all have to
litigate if they want their $1000/plaintiff.
- C. Some narrow legal issues:
- 1. No damages for day 1, ordinary damages for the next 4
months. Should it be ordinary damages for day 1
(negligence), punitive thereafter (deliberate violation of
the law)? But the U.S. waiver of sovereign immunity does not
cover punitive damages, so you cannot get them against the
government.
- 2. SJG got damages only for 1990, because of their later
gain from publicity. Is that offset proper? If I buy a SJ
game out of sympathy for Steve Jackson as a victim of the
Secret Service, do I really intend the money to go to reduce
their civil liability to him?
- 3. Suppose the victim was not a publisher--does the
Secret Service have a legal obligation to minimize damage?
Consider the wife's thesis. Would it be possible to
institute a class action covering all such cases, asking for
an injunction requiring the Secret Service to institute a
policy of prompt copying and return? The data, not the
computer, is the evidence.
- 4. What about requiring them to permit victim to copy?
- 5. Suppose the police do a legal search of your
greenhouse, in the (false) belief that you are growing
marijuana, and deliberately leave the doors open, killing
all of your valuable plants. Are they liable? Isn't that
equivalent to seizing everything and refusing to provide a
copy?
- D. Broader issue: Is the whole campaign in
violation of the first amendment?
- 1. The objective was to suppress the distribution of
information in order to suppress crime.
- 2. When is that legal?
- E. Still broader issue: What are the limits
on police imposition of costs on people they never intend to
indict?
- 1. Old style: beat someone up.
- 2. Arrest someone, let him cool off in jail over night,
drop charges.
- 3. Seize a computer.
- 4. All of them work because the police have the threat
that, if the victim objects, they could impose larger costs,
at some cost to themselves (indict, jail, maybe lose the
case).
- 5. Is this a bad thing, or a necessary adjustment to the
real world?
- 6. How might it be prevented or limited? Should police
or police departments be liable, and when?
- 7. Would that give police an incentive to make dubious
indictments instead of dubious seizures?
- 8. What about obligating them to use the least costly
method?
- F. Sociology issue: "Those Kids aren't
Criminals"
- 1. How does, or should, the law separate acts by those
trying to make money, do injury, etc. from equally illegal
acts done as a prank, etc.?
- 2. By age--asking for child drug runners.
- 3. By intent--criminal copyright infringement example.
- 4. Moral sanction as one form of deterrence--breaks.
- 5. Partly this is a problem here because of the inverted
hierarchy of age/expertise. The kids know enough more than
the grownups to be able to do serious damage.
- 6. Leopold and Loeb?Those kids' prank consisted of
murder.
- VI. "Sending a
Message"
- A. If the message was designed to deter
legal but wicked acts ...
- B. Is sending it unconstitutional?
- C. Steve Jackson--does the SS still think
Cyberpunk Hackers is computer crime? They apparently (asserted
by a correspondent) still use it in their training
videos.
- D. Why didn't they give back the computers,
or their contents?
- 1. To restrain publication
- 2. To impose costs
- 3. Because they did not want to admit they hadn't found
anything?
- E. How do you stop it?
- 1. Make police civilly liable for costs they impose on
someone if the victim is not indicted? But that gives them
an incentive to indict innocent people, imposing still more
costs.
- 2.Make them liable if the victim is not convicted? but
that gives them an incentive to convict innocent people.
- 3. Make the police liable if they impose unnecessary
costs--i.e. do not get their evidence in the least costly
practical way.
- 4. Note the intimidation problem--victims may not
protest if the police could impose still larger costs on
them.
- VII. Some final
comments
- A. Dorothy Denning will be seen again--as a
supporter of the Clipper Chip.
- B. Are Sterling and others right that the
new technology changes organizational structures?
- C. Does it change the crime/law
enforcement/dispute adjudication structure?
- 1. I can publish my own book from my desktop.
- 2. My own academic magazine from my web page.
- 3. My own scam from my modem--with a little more
development of ecash privacy.
- 4. Computer security as a private industry.
- a. We were told last year that there are 1-6 law
enforcement agents in Silicon Valley who specialize in
computer crime. Our source was the 1--he is going to give
a guest lecture later this semester.
- b. According to him, the FBI have about seven people
specializing in computer crime who have CS degrees or the
like--and they are not likely to be in the class of a
Mitnick or Morris.
- c. So maybe it is sensible to rely on a decentralized
law enforcement system, consisting mostly of private
computer security people.
Computer Crime Stuff
- I. Computer
Crime:
- A. Jerry Schneider and Pacific Tel. Got
into their order system. Stole/ordered equipment. 40 days in
jail. Ended up as a computer security consultant.
- B. Stanley Mark Rivkin. Working on backup
system for a bank wire room.
- 1. Authorized employee with code system--on a piece of
paper in the wire room.
- 2. Called, identified himself as from Intl div,
requested 10.2 Million to his account in NY; from there it
went to a Swiss bank.
- 3. Russalmaz got telegram "from" head of the wire room,
identifying Lon stein as representative, purchasing diamonds
for the bank.
- 3. Stein got baggage ticket, flew to luxembourg, looked
at pack--diamonds.
- 4. Told his attorney who had come up with diamond idea,
attorney went to FBI
- 5. Rivkin tried to get an acquantance to sell the
diamonds for him, acquaintance saw a news story,went to FBI
- 6. Asked acquaintance to mail money back to another
friend. FBI followed, found him.
- 7. Out on bail, got someone to try to make relevant
contact for a repeat--with an underround FBI agent. 8 year
sentence.
- 8. Apparently he was setup for the second charge because
there were legal problems with the first.
- 8. Expert in computer, not crime. Was he posturing? Did
he really intend to go through with it from the start?
- C. 75% by employees.
- D. Fry Guy. 1989
- 1. Call customer of credit Systems of America--which
handles credit card numbers and credit info. Get customer's
ID info by claiming to be from CSA: acct # and password.
- 2. Called in as customer, wandered around the computer,
got to the staff area, found local resident with valid
credit card. So far he could have done it without the
computer--there are other ways of finding someone's credit
card number and phone number.
- 3. Rerouted victim's incoming calls to a phone booth in
Paducah, from there to him.
- 4. Called Western Union, wired $687 to its Paducah
office to be transferred to a friend, gave victim's credit
card. They called back to confirm. Confirmed. Reprogrammed
everything.
- 5. Repeat with another victim.
- 6.His method required phone hacking. But you could also
reverse the process--change phone number in relevant records
to the number of the phone booth, so Western Union would
call up CSA, get the phone booth's number, call it, and get
their confirmation.
- E. Captain Zap:
- 1. Hack into credit agency, create good credit rating
for an imaginary company.
- 2. Hack into supplier, create real-world paper trail.
Cut order, pay invoice, write delivery manifest, deliver to
a mail drop.
- 3. Caught by connection to the mail drop.
- 4.$500,000
- 5. Plea bargain to $1000 fine + 2 1/2 yrs probation.
1981
- 6. State laws were passed afterwards against such
things, fed started 1986.
- F. First worm at PARC. Intended to do
computer housekeeping. Left it one night, found it all over the
place, killed it, abandoned the project.
- G. Virus blackmail?
- 1. Junk mail diskette with a unique license--an
extortion demand. in small print. To list of a UK magazine.
- 2. Info on AIDS, interactive software about it.
- 3. Counted bootups, after 90 started encrypting files
and hiding programs.
- 4. Asked for money to be sent to a Panama City address.
- 5. Did considerable damage.
- 6. Attempt to call number coincided with U.S. invasion
of Panama. Marine answered.
- 7. Caught the man because he was crazy. Company seal in
his bags.
- 8. Is this a legitimate business device to force people
to fulfill his "license" terms? There are some U.S. cases
where a software contractor attempted to enforce the
contract with the firm the software was for by building in
code that would disable the program if he didn't stop it.
Not quite so crazy--but still tortious, since the customer
was not warned in advance.
- 9. Extradited to Britain. Got crazy enough not to be
tried.
- 10. A million disks in his house.
- 11. Would it work if done intelligently?
- 12. Against one corporation?
- H. How we would do it:
- 1. Subvert company, sell short.
- 2. Time bomb customers, blackmail company.
- 3. One other way of profiting by a virus--be in the
fixit business.
- I. Leslie Lynn Doucette. Hacker service
industry.
- 1. Gets a number from someone over the phone.
- 2. Check it by hacking or calling a chat line phone
number.
- 3. PBX has a long distance from 800 option. Use for
communication.
- 4. Voice mail computers as bulletin boards.
- a. Hacker boards were known, monitored--credit cards
could be cancelled.
- b. Find an empty box in a voice mail system, use it.
Low security because ...
- c. Leave lists of verified codes.
- d. Subordinates pick up, get money, send to her.
- 5. Real estate man found his voice mail system
overloaded with free riders.
- 6.Secret Service had tip about Doucette from Canada
(convicted, left)
- 7. Informants said Chicago.
- 8. They put a Dialed Number Recorder on her phone.
- 9. Then on her 5 major subordinates.
- 10. Plea Bargain, 27 months, 1990. Claimed $1.6 million
in losses.
- J. Citibank hack. N.Y. recent. EFT
intercept. May or may not have happened
- 1. By trial and error found addresses for a bunch of
Citinet banks.
- 2. Found a computer that might be for EFT, got in
through default password left active, created program to log
all transmissions to their file.
- 3. Next day logged on, bingo. Captured hundreds of
transactions, vanished w/o a trace.
- 4. Opened a numbered Swiss Account. Got birth
certificates, new ID and SS#
- 5. Opened accounts at six banks in Houston and Dallas.
- 6. Rigged Citicorp computer to send to their Telenet
terminal, collected, returned acknowledgement. Real
transfers.
- 7. Then transferred the money to the Swiss bank, then
withdrew to U.S. accts $7,333 each (below notice
requirement).
- 8. End of week each got $66,000.
- 9. Citibank denies the story. Is it true? Posted to a
BBS.
- K. Check kiting story
- 1. An old idea.
- a. You take advantage of banks that credit you when
you deposit a check instead of when they receive the
funds, by ...
- b. Depositing $1000 in one account,
- c. writing 10 $1000 checks, depositing them in ten
accounts.
- d. Write ten $1000 checks on each of those, deposit
one from each in each of ten new accounts--which now have
$10,000 in each of them.
- e. Repeat for a few more rounds. Transfer money from
a new account to your first account to keep your first
set of checks from bouncing
- f. Eventually turn everything into cash and vanish.
- 2. They used a computer to keep track of all the
accounts, where money was need when.
- 3. The computer crashed. So did the check kiting.
- L. Extortion scheme. A senior computer
employee about to resign
- 1. Collects all of the backup tapes, including the off
site backups
- 2. Erases what is currently in the computer
- 3. Then demands a large ransom
- 4. The company paid--but he was caught making the
pickup.
- M. Will a market in Computer Crime
develop?
- 1. Computer criminals clearly need to take more
advantage of the division of labor.
- a. So that someone who knows how to hack can get
together with
- b. Someone who knows how to get rid of stolen
property, hot diamonds, ...
- c. Someone who knows how to pick up ransom payments,
..
- d. ...
- 2. Market in credit card numbers already exist, also
- 3. in stolen long distance calls:
sidewalk enterprise, free calls on pay or cellular.
- 4. $1.4 million was charged in 4 days
against one PBX.
- 5. Immigrants are a good market, both
because they want to make enormously expensive international
phone calls and because they are less likely to report you
to the police.
-
On to part II of the Outline
Back to Table of Contents
Page
Back to Course Home Page