Interesting People mailing list archives
IP: Re: proving guilt
From: Dave Farber <farber () cis upenn edu>
Date: Fri, 24 Dec 1999 17:16:08 -0500
From: "Andrew Grosso" <Agrosso () worldnet att net> To: <farber () cis upenn edu> Subject: Re: proving guilt Date: Thu, 23 Dec 1999 08:42:11 -0500 As a former federal prosecutor, I read Russ' comments with some interest. I agree with his ultimate conclusions but differ with the logic he uses to get to them. Put simply, tracing a computer crime to one person, and proving that what he did is a crime, posses difficulties which are common to many other categories of crimes, both reactive and white collar. For example, the very first jury trial I prosecuted concerned a bank robbery where none of the five witnesses could identify the perpetrator, and where I had no photograph or finger print evidence. The proof consisted of a large number of indicators each of which pointed to the defendant. Taken individually, none of them could prove the defendant did it; taken together, they demonstrated beyond a reasonable doubt that no one else could have committed the offense. A more serious problem is defining what constitutes a "computer crime," and what constitutes a serious computer crime worth prosecuting. The court dockets are growing with examples of people, usually young ones, who pull pranks or otherwise explore or push the limits of computer technology, and are then charged with or investigated for the crime of the century. Examples which quickly come to mind are LaMachia, Neidorf, Kaspureff, Thomas, Zimmermann. Activity which would barely merit a glance from a police officer becomes the subject of Department of Justice press releases and arrest warrants simply because a computer or the Internet is involved. Now, Congress is getting into the Act: the No Electronic Theft Act, the amendments to the Computer Crime and Abuse Act, the Digital Millennium Copyright Act, the Economic Espionage Act . . . . Each makes it easier for law enforcement to prosecute a crime on the Net, but does it a way which loosens the definition of what is a crime. Freedoms and the exercise of individuality are no less precious because they are enjoyed on the Internet than in a public park. Chilling the exercise of intellectual freedom is not the way to add safety to the Internet, and creating felons out of curious high school kids who explore the limits of computer security are not the wisest means of building the new world. I suggest that it is incumbent upon the computer community to insure that criminalized conduct be limited to conduct that needs to be criminalized, and that the state does not water down its definitions of felony crimes to anything that proscribes what is merely inconvenient, or is curiosity which has gotten out of control, as the unintended consequence of trying to make it easier for law enforcement to prove their cases. -----Original Message----- From: Dave Farber <farber () cis upenn edu> To: ip-sub-1 () majordomo pobox com <ip-sub-1 () majordomo pobox com> Date: Thursday, December 23, 1999 5:53 AM Subject: IP: proving guiltDate: Wed, 15 Dec 1999 09:27:09 -0500 From: Russ <Russ.Cooper () rc on ca> Subject: Re: Melissa perpetrator faces five years in prison (RISKS-20.68) IMO, there many risks that the case against Mr. Smith for Melissa may bring to reality. 1. That a GUID may be accepted in court as a "signature" uniquely identifying a particular human being. At best the GUID is circumstantial, and it is far to easy to show GUIDs belonging to others (mistakenly or intentionally) resident on your machine. 2. That it may be accepted as possible to prove the route which aparticularvirus has traveled to get to the point where its deemed "in the wild", and presumably therefore actionable, solely on the basis of computer evidence. 2a. What is the crime? Making the virus, or releasing it "in the wild"? Surely making a virus is not a crime, so the test comes down to proving who released it "in the wild". Since that action must be done with intent, computer data alone, demonstrating that a particular file originated from a particular disk, still does not prove intent. If I were to co-opt Peter's machine and use it to send a virus to a Usenet list, should Peter be held liable for the damages of the virus? 2b. How is it proven? Computer data is malleable, and while Word documents may store revision information, and even information from RAM totally unrelated to the original document, it is possible that all of that information can be placed into another file either in addition to, or replacing, the 2nd document's original information. As such, its again circumstantial evidence of origin and even ownership. It is quite easy to villainize virus writers and infectors in the same way "two Arab men" were responsible for the Oklahoma bombing. An entireindustryis available for testimony as to the damage suffered by Corporate America every day as a result of the actions of the few virus writers. The NIPC,andtherefore the FBI, are desperate to show they have the savvy to catch Cyber-criminals and justify their stance and actions. IOWs, there's a significant weight against Mr. Smith if we allowprosecutiontestimony to go unchallenged for the vapor-thoughts it may well be. It must be shown that such conclusions, based solely on computer data, can easilybemanufactured against anyone. I have thought long and hard about how it may be possible to prove an individual is guilty of a particular computer crime. A confession, today, could be given simply to garner the publicity and reap the benefits after the jail term is served (do you think any conference would not pay to have Mr. Smith talk after he was released, if he could speak intelligibly? ... book deals ... guest spots ...) Criminals used to take the rap and not talk in order to get the loot when they were released ...;-] Without another human being present during each of the steps required to release a virus into the wild with malicious or harmful intent, aconvictionon circumstantial computer evidence would lead to many serious problems, IMO. If the above evidence, assuming its present and the basis of the case against Mr. Smith, is accepted in court and the jury finds its credible, it will be far too easy to convict innocent individuals of computer crimes in the future. Smith may well be guilty, and he is not my focus here. We must ensure that his conviction does not establish the wrong precedence's, lest we give the "enemy" the ammunition to get each and every one of us convicted of something, somewhere, based on the same quality of evidence. I remind you that I, like most of you, have not seen the evidence against Mr. Smith and this is based solely on the media reports about its content ... therefore, I may be totally off-base ... but the risk is real nomatter.Russ - NTBugtraq Editor
Current thread:
- IP: Re: proving guilt Dave Farber (Dec 24)