Security Incidents mailing list archives
Re: Who's liable?
From: Kelly Martin <kmartin () pyrzqxgl org>
Date: Sat, 13 Oct 2001 18:39:16 -0500
On Sat, Oct 13, 2001 at 06:57:13PM -0400, Rob Keown wrote:
> If the site from which the attack is launched is ignorant of any criminal activity then there is no *criminal* recourse.
That's not necessarily true. Under federal law, if you are deliberately ignorant of (that is, you take affirmative efforts to avoid having knowledge of) some fact or condition, then you can be held to have had "knowledge" of that fact or condition, and if that leads to criminal liability, then so be it. Also, in general, there are lots of things where you can be criminally liable for things you didn't know about, if you were reckless with respect to them. The classic example is the act of throwing a rock off a tall building. You have no knowledge that this rock will hit anyone (either in particular or generally), but you are reckless towards the possibility that the rock will hit someone and are thus criminally liable for the consequences if it does.
> Should this change? I don't think there is any legal precedent for someone who is not "aware" of criminal intent to be held culpable.
I read a case in my criminal law class of a shop owner who was held vicariously and criminally liable for the acts of a non-employee in the shop without the shopowner's permission. The law did not place any requirement of culpability on the part of the shop owner (not even negligence); liability was absolute. However, the Supreme Court did limit the scope of vicarious absolute liability offenses to strictly financial penalties. The Court has held that the Constitution requires at least a threshold level of individual culpability for liability for an offense which can lead to incarceration.

IMO, it is Constitutionally permissible for a state to make it a criminal offense for a person to operate a computer system in such a manner that a substantial, avoidable risk exists that that computer system may be used in the furtherance of illegal acts, especially if the operator of the computer is or should have been aware of the substantial risk. Whether any existing law does so is another question.

Kelly