Security Incidents mailing list archives

Re: Who's liable?


From: Kelly Martin <kmartin () pyrzqxgl org>
Date: Sat, 13 Oct 2001 18:39:16 -0500

On Sat, Oct 13, 2001 at 06:57:13PM -0400, Rob Keown wrote:

> If the site from which the attack is launched is ignorant of any criminal
> activity then there is no *criminal* recourse.

That's not necessarily true.  Under federal law, if you are
deliberately ignorant of (that is, you take affirmative efforts to
avoid having knowledge of) some fact or condition, then you can be
held to have had "knowledge" of that fact or condition, and if that
leads to criminal liability, then so be it.

Also, in general, there are lots of things where you can be criminally
liable for things you didn't know about, if you were reckless with
respect to them.  The classic example is the act of throwing a rock
off a tall building.  You have no knowledge that this rock will hit
anyone (either in particular or generally), but you are reckless
towards the possibility that the rock will hit someone and are thus
criminally liable for the consequences if it does.

> Should this change? I don't think there is any legal precedent for someone
> who is not "aware" of criminal intent to be held culpable.

I read a case in my criminal law class of a shop owner who was held
vicariously and criminally liable for the acts of a non-employee in
the shop without the shop owner's permission.  The law did not place
any requirement of culpability on the part of the shop owner (not even
negligence); liability was absolute.  However, the Supreme Court did
limit the scope of vicarious absolute liability offenses to strictly
financial penalties.  The Court has held that the Constitution
requires at least a threshold level of individual culpability for
liability for an offense which can lead to incarceration.

IMO, it is Constitutionally permissible for a state to make it a
criminal offense for a person to operate a computer system in such a
manner that a substantial, avoidable risk exists that that computer
system may be used in the furtherance of illegal acts, especially if
the operator of the computer is or should have been aware of the
substantial risk.  Whether any existing law does so is another
question.

Kelly

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

