[iwar] [fc:Every.Man.a.Cyber.Crook]

From: Fred Cohen (fc@all.net)
Date: 2002-01-11 21:44:35


To: iwar@onelist.com (Information Warfare Mailing List)

Every Man a Cyber Crook

By Mark Rasch, Business Week, 1/11/2002
http://www.businessweek.com/technology/content/jan2002/tc2002019_2840.htm

Federal anti-hacking law permits cybercrime victims to sue their
attackers. So why is it that software companies, webmasters and computer
makers are the ones being hauled into court? 
Shortly after it enacted the federal computer crime law, Congress
amended it to allow victims to sue their attackers in federal court for
damages. It is now proving to be a costly mistake. 
It seemed like a good idea at the time. Federal prosecutors have limited
time and resources, and don't have the ability to prosecute every
hacker. Civil litigants are often most directly affected by the actions
of hackers, and providing for civil remedies allows those who suffer
economic loss to be compensated. 
But in practice, private litigants have rarely used the civil provisions
to pursue computer hackers, who, after all, usually don't have very deep
pockets. Instead, unfettered by the Department of Justice's
interpretation of federal law, litigants have used the computer crime
laws to go after computer hardware manufacturers for product liability,
Internet companies for software design, spammers and protesters for
commercial and other protected First Amendment speech, and website
operators for the installation and tracking of computer cookies. 
These unintended uses of the computer crime statute, and the courts'
permitting the suits to proceed in many cases, create a genuine risk
that ordinary business activity and protected speech will be deemed to
rise to the level of a computer crime, subject to federal prosecution. 
SPAM YOURSELF TO JAIL. Spam -- that is, unsolicited commercial email --
is annoying and can be costly in terms of time, money, and system
resources. In some instances it can result in a civil fine for each
piece of email. Recently, a number of civil litigants have used the
federal computer crime statute to go after those who sent spam. 
A spammer who bypassed AOL's spam filters in violation of the company's
Terms of Service was determined to have violated federal criminal law by
an Iowa federal court in August. 
And in December, the computer crime law was used to slam a former Intel
employee who obtained a list of Intel employees' email addresses and
spammed up to 29,000 of them. 
The former employee offered to remove any individuals that requested to
be removed from his mailing list, but refused Intel's requests that he
cease sending emails entirely. Intel sued, alleging that the spam cost
Intel valuable computer and personnel resources, and therefore
constituted an unauthorized "trespass to chattels" in cyberspace. The
damages, Intel alleged, were the collective cost of Intel employees' time
while reading the unsolicited mail messages. The California appellate
court agreed, and enjoined the former employee from sending any such
emails. 
These cases are disturbing. Spamming shouldn't be encouraged, and it
does cost ISPs money. Remember however that the cases invoke the federal
computer crime statute, meaning that prosecutors could use the same
statutes to stifle unpopular speech, government criticism, or other
expression protected by the Constitution simply because it employs the
mechanism of mass electronic mailing. 
In contrast, laws that target spam specifically, in Washington State and
elsewhere, carefully balance commercial speech against the cost to the
recipient. The criminal statute contains no such balance, and the courts
in these cases imposed none. 
AMERICA ONLINE AND IN PRISON? AOL was on the receiving end of several
lawsuits alleging criminal violations of the computer crime statute for
the configuration of its software. In April, a class of plaintiffs
alleged that when they installed version 5.0 of the AOL software, it
changed the host systems' configurations and settings to interfere with
non-AOL communications and software services. The plaintiffs alleged
that AOL knowingly caused the transmission of a program which
"intentionally causes damage without authorization to a protected
computer" or "intentionally accesses a protected computer without
authorization, and as a result of such conduct causes damage." 
While rejecting the claim on the grounds that there was no allegation of
an aggregate of $5,000 damages, the court found that AOL's installation
of software features was likely performed without authorization or in
excess of authorization, and therefore could violate federal criminal
law. 
A similar suit in federal court in Florida in August determined that AOL
software may violate the criminal code by installing itself and failing
to disclose that it might cause long distance telephone charges to
subscribers. 
In July, a lawsuit in a federal court in New York alleged that
Netscape's SmartDownload feature similarly violated federal criminal law
by installing software onto a host computer without authorization. The
court refused to enforce Netscape's mandatory arbitration provisions on
its website, and permitted the suit to go forward. 
Later that month a federal court in Minnesota considered a suit against
Sony for alleged product defects in its floppy disk drives that, under
rare circumstances, might cause information to be overwritten and lost.
While the court concluded that no actionable damages occurred, the court
said it "was persuaded by the Plaintiffs that Sony's actions could,
theoretically, be actionable" under the federal computer crime statute
as it then existed. 
Amendments to the law in November made it clear that the computer crime
statute was never intended to act as a product liability assurance
statute, and would make such suits against hardware manufacturers more
difficult. 
But together, these cases should be a wake-up call for Web designers,
ISPs and software companies. JavaScript, ActiveX controls, automatic
updates and other software features may frequently be downloaded to a
user's computer -- in many cases without the user's informed knowledge
or consent. Such coding may affect the operation of the computer, and
may even affect functionality or access to data. If damage occurs, not
only may the software designer or user be liable for civil damages, but
under the precedents established, they may run the risk of
incarceration. 
GIVE COOKIES -- GO TO JAIL? A number of cases this year have alleged
that giving or tracking cookies not only violated acceptable trade
practices and privacy regulations, but constituted criminal violations
of the federal statute. Lawsuits against Toys R Us in October alleged
that the use of JavaScript cookies to obtain information about customers
violated the criminal code because the cookies "accessed" the users'
computers without their authorization, and obtained information in the
personal computer systems without authorization. The court rejected this
interpretation because the plaintiff had neither plead nor proven that
that unauthorized access caused economic loss. A similar federal lawsuit
against another company in September in Washington State had the same
result. 
The courts in both cases tacitly accepted the principle that cookies
constitute an unauthorized access to a computer, and may defraud the
owner of valuable privacy information. 
It is important to note that the reason for the dismissal was because
aggregation of damages wasn't allowed. In November of this year, as part
of the anti-terrorism legislation, Congress amended the federal computer
crime statute to permit the aggregation of damages. Thus, in the future,
such "cookie" suits -- and criminal prosecutions -- may go forward. 
WEBPAGE SCREEN SCRAPING AND CRIME. Finally, in mid-December a federal
court in Boston found that the practice of screen scraping violated the
fraud provisions of the computer crime statute. 
Former employees of a travel agency focusing on high school students
formed a new company, and sought to obtain the former employer's
proprietary pricing information. It was their hope that they could
undercut the former employer's prices and thereby obtain a competitive
advantage. 
Of course the prices charged were available on the former employer's Web
pages. The defendants, using their inside knowledge of the plaintiff's
"tour codes," designed a Web robot that would repeatedly access the web
page and request pricing information for different classes of tours. 
The court found that by using proprietary tour code data in violation of
a non-disclosure agreement, the defendants exceeded authorized access to
the data on the Web site, even though it would have been possible to
discover the codes "through repeated searching and deciphering of the
URLs." The court found that the use of the website in this manner was
unauthorized, and therefore a criminal violation. 
A LITIGIOUS LEGACY. When Congress added the civil damages provision to
the Computer Fraud and Abuse Act a few years ago, they certainly didn't
know that these provisions would be used against pornographers,
spammers, screen scrapers, computer manufacturers, and ISPs. 
In fact, as is often the case when Congress permits private litigants to
dictate the scope and meaning of a criminal statute, the results of the
litigation have not always pleased the Department of Justice or Congress,
and have recently forced Congress to amend the statute to clarify its
meaning and intent. 
Nevertheless, these civil litigants are helping to define the scope of
what it means to be a computer criminal. In the future, we can expect
the Department of Justice to pick up the baton, and use the precedents
established by civil litigants against some unlikely "computer
criminals." 
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems Inc. in Reston, Virginia, a computer security and network design
consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the
head of the U.S. Department of Justice Computer Crime Unit and
prosecuted a series of high profile computer crime cases from 1984 to
1991.


------------------
http://all.net/ 