A Hacker's Guide to Protecting Your Internet Site and Network
Reality Bytes: Computer Security and the Law
This chapter discusses law as it applies to the Internet both here and abroad. For the most part, my analysis is aimed toward the criminal law governing the Internet.
The United States
My timeline begins in 1988 with United States v. Morris, the case of the Internet worm. I should, however, provide some background, for many cases preceded this one. These cases defined the admittedly confused construct of Internet law.
If you remember, I wrote about phone phreaks and their quest to steal telephone service. As I explained, it would be impossible to identify the precise moment in which the first phreak hacked his or her way across the bridge to the Internet. At that time, the network was still referred to as the ARPAnet.
Concrete evidence of phreaks accessing ARPAnet can be traced (at least on the Net) to 1985. In November of that year, the popular, online phreaking magazine Phrack published its second issue. In it was a list of dialups from the ARPAnet and several military installations.
By 1985, this activity was being conducted on a wholesale basis. Kids were trafficking lists of potential targets, and networks of intruders began to develop. For bright young Americans with computers, a whole new world presented itself; this world was largely lawless.
But the story goes back even further. In 1981, a group of crackers seized control of the White House switchboard, using it to make transatlantic telephone calls. This was the first in a series of cases that caught the attention of the legislature.
The majority of sites attacked were either federal government sites or sites that housed federal interest computers. Although it may sound extraordinary, there was, at the time, no law that expressly prohibited cracking your way into a government computer or telecommunication system. Therefore, lawmakers and the courts were forced to make do, applying whatever statute seemed to closely fit the situation.
As you might expect, criminal trespass was, in the interim, a popular charge. Other common charges were theft, fraud, and so forth. This all changed, however, with the passing of the Computer Fraud and Abuse Act of 1986. Following the enactment of that statute, the tables turned considerably. That phenomenon began with U.S. v. Morris.
United States of America v. Robert Tappan Morris
The Internet worm incident (or, as it has come to be known, the Morris Worm) forever changed attitudes regarding attacks on the Internet. That change was not a gradual one. Organizations such as CERT, FIRST, and DDN were hastily established in the wake of the attack to ensure that something of such a magnitude could never happen again. For the security community, there was vindication in Morris' conviction. Nonetheless, the final decision in that case would have some staggering implications for hackers and crackers alike.
The government took the position that Morris had violated Section 2(d) of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030(a)(5)(A)(1988). That act targeted a certain class of individual:
For those of you who aren't attorneys, some explanation is in order. Most criminal offenses have several elements; each must be proven before a successful case can be brought against a defendant. For example, in garden-variety civil fraud cases, the chief elements are
If a plaintiff fails to demonstrate even one of these elements, he or she loses. For example, even if the first four elements are there, if the victim lost nothing in the fraud scheme, no case will lie (that is, no case brought upon such a claim will successfully survive a demurrer hearing).
To bring any case to a successful conclusion, a prosecutor must fit the fact pattern of the case into the handful of elements that comprise the charged offense. For example, if intent is a necessary element, intent must be proven. Such elements form the framework of any given criminal information filing. The framework of the Morris case was based on the Computer Fraud and Abuse Act of 1986. Under that act, the essential elements were
The arguments that ultimately went to appeal were extremely narrow. For example, there was furious disagreement about exactly what intentionally meant within the construct of the statute:
Morris' argument was rejected by the Court of Appeals. Instead, it chose to interpret the statute as follows: that the mere intentional (unauthorized) access of the federal interest computer was enough (that is, it was not relevant that Morris also intended to cause damage). The defense countered this with the obvious argument that if this were so, the statute was ill- conceived. As interpreted by the Court of Appeals, this statute would punish small-time intruders with the same harsh penalties as truly malicious ones. Unfortunately, the court didn't bite. Compare this with the UK statutes discussed later, where intent is definitely a requisite.
The second interesting element here is the requirement that the attacked computers be federal interest computers. Under the meaning of the act, a federal interest computer was any computer that was intended:
The first and second requirements were exclusive. The following description was a second paragraph:
In other words, from the government's point of view, any two or more computers located in different states were federal interest computers within the construct of the act. This characterization has since been amended so that the term now applies to any action undertaken via a computer in interstate commerce. This naturally has broad implications and basically reduces the definition to any computer attached to the Internet. Here is why:
The legal term interstate commerce means something slightly different from what it means in normal speech. The first concrete legal applications of the term in the United States followed the passing of the Sherman Act, a federal antitrust bill signed by President Benjamin Harrison on July 2, 1890. The act forbade restraint of "...trade or commerce among the several states, or with foreign nations." As defined in Blacks Law Dictionary (an industry standard), interstate commerce is
From this, one might conclude that interstate commerce is only conducted when some physical, tangible good is transferred between the several states. That is erroneous. The term has since been applied to every manner of good and service. In certain types of actions, it is sufficient that only the smallest portion of the good or service be trafficked between the several states. For example, if a hospital accepts patients covered by insurance carriers located beyond the borders of the instant state, this is, by definition, interstate commerce. This is so even if the patient and the hospital are located within the same state.
However, there are limitations with regard to the power of Congress to regulate such interstate commerce, particularly if the activity is intrastate but has only a limited effect on interstate commerce. For example, in A. L. A. Schecter Poultry Corp. v. United States (1935), the Supreme Court:
In any event, for the moment, the statute is sufficiently broad that the government can elect to take or not take almost any cracking case it wishes, even if the attacking and target machines are located within the same state. And from inside experience with the federal government, I can tell you that it is selective. Much depends on the nature of the case. Naturally, more cracking cases tend to pop up in federal jurisdiction, primarily because the federal government is more experienced in such investigations. Many state agencies are poorly prepared for such cases. In fact, smaller county or borough jurisdictions may have never handled such a case.
This is a training issue more than anything. More training is needed at state and local levels in such investigations and prosecutions. These types of trials can be expensive and laborious, particularly in regions where the Internet is still a new phenomenon. If you were a prosecutor, would you want to gamble that your small-town jury--members of which have little practical computer experience--will recognize a crime when they hear it? Even after expert testimony? Even though your officers don't really understand the basic nuts and bolts of the crime? Think again. In the past, most crackers have been stupid enough to confess or plea bargain. However, as cracking becomes more of a crime of financial gain, plea bargains and confessions will become more rare. Today, cracking is being done by real criminals. To them, the flash of a badge doesn't mean much. They invoke their Fifth Amendment rights and wait for their lawyer.
On the question of damages in excess of $1,000, this is a gray area. Typically, statutes such as the Computer Fraud and Abuse Act allow for sweeping interpretations of damages. One can claim $1,000 in damages almost immediately upon an intrusion, even if there is no actual damage in the commonly accepted sense of the word. It is enough if you are forced to call in a security team to examine the extent of the intrusion.
This issue of damage has been hotly debated in the past and, to the government's credit, some fairly stringent guidelines have been proposed. At least on a federal level, there have been efforts to determine reliable formulas for determining the scope of damage and corresponding values. However, the United States Sentencing Commission has granted great latitude for higher sentencing, even if damage may have been (however unintentionally) minimal:
This to me seems unreasonable. Defendants ought to be sentenced according to the actual damage they have caused. What would have been, could have been, and should have been are irrelevant. If the intention of the commission is that the loss be measured by the cost to restore the file, this upward departure in sentencing is completely inconsistent. Effectively, a defendant could be given a longer prison sentence not for what he did but what he could have done. Thus, this proposed amendment suggests that the actual loss has no bearing on the sentence, but the sentencing court's likely erroneous notion of the defendant's intent (and his knowledge of the consequences of his actions) does.
At any rate, most states have modeled their computer law either on the Computer Fraud and Abuse Act or on principles very similar. The majority treat unauthorized access and tampering, and occasionally, some other activity as well.
California is the computer crime and fraud capital of the world. On that account, the Golden State has instituted some very defined laws regarding computer cracking. The major body of this law can be found in California Penal Code, Section 502. It begins, like most such statutes, with a statement of intent:
The statute is comprehensive. It basically identifies a laundry list of activities that come under its purview, including but not limited to any unauthorized action that amounts to intrusion or deletion, alteration, theft, copying, viewing, or other tampering of data. The statute even directly addresses the issue of denial of service.
The penalties are as follows:
As you might expect, the statute also provides for comprehensive civil recovery for the victim. Parents should take special note of subsection (e)1 of that title:
That means if you are a parent of a child cracking in the state of California, you (not your child) shall suffer civil penalties.
Another interesting element of the California statute is that it provides for possible jurisdictional problems that could arise. For example, say a user in California unlawfully accesses a computer in another state:
I do not know how many individuals have been charged under 502, but I would suspect relatively few. The majority of computer cracking cases seem to end up in federal jurisdiction.
In the state of Texas, things are a bit less stringent (and far less defined) than they are in California. The Texas Penal Code says merely this:
In all instances where the defendant's actions are undertaken without the intent "to obtain a benefit or defraud or harm another," the violation is a Class A misdemeanor. However, if the defendant's actions are undertaken with such intent, this can be a state jail felony (if the amount is $20,000 or less) or a felony in the third degree (if the amount exceeds $20,000).
There is one affirmative defense:
It is also interesting to note that the term access is defined within the construct of the statute to mean the following:
Does this suggest that scanning the TCP/IP ports of a computer in Texas is unlawful? I believe that it does, though the statute has probably not been used for this purpose.
Most other states have almost identical laws. Nevertheless, there are a few special points that I would like to focus on, by state. Some are interesting and others are amusing. Table 31.1 offers a few examples.
Table 31.1. Interesting United States computer crime provisions.
Information about computer crime statutes can be obtained from the Electronic Frontier Foundation. EFF maintains a list of computer crime laws for each state. Of particular interest is that according to the EFF's compilation, as of May 1995, the state of Vermont had no specific provisions for computer crimes. This would either suggest that very little cracking has been done in Vermont or, more likely, such crimes are prosecuted under garden-variety trespassing-theft laws.
The Law in Action
Despite the often harsh penalties for computer crimes, crackers are rarely sentenced by the book. The average sentence is about one year. Let's take a look at a few such cases:
To date, the longest period spent in custody by an American cracker was served by Californian Kevin Poulsen. Poulsen was unfortunate enough to crack one site containing information that was considered by the government to be defense related. He was therefore charged under espionage statutes. Poulsen was held for approximately five years, being released only this past year after shaking those spying charges. As reported in the L.A. Times:
There is a strong unwillingness by federal courts to sentence these individuals to the full term authorized by law. This is because, in many instances, to do so would be an injustice. Security personnel often argue that cracking into a network is the ultimate sin, something for which a cracker should never be forgiven. These statements, however, are coming from individuals in constant fear that they are failing at their basic occupation: securing networks. Certainly, any security expert whose network comes under successful attack from the void will be angry and embarrassed. Shimomura, oddly enough, has recovered nicely. (This recovery is no doubt therapeutic for him as well, for he produced a book that had national distribution.) But the basic fact remains: One of the most talented security specialists in the world was fleeced by Kevin Mitnik. It is irrelevant that Mitnik was ultimately captured. The mere fact that he cracked Shimomura's network is evidence that Shimomura was dozing on the job. So, statements from security folks about sentencing guidelines should be taken with some reservation.
In reality, the previous generation of crackers (and that includes Mitnik, who was not yet old enough to drive when he began) were not destructive. They were an awful nuisance perhaps, and of course, telephone service was often stolen. However, damage was a rare aftermath. In contrast, the new generation cracker is destructive. Earlier in this book, I discussed a university in Hawaii that was attacked (the university left a gaping hole in its SGI machines). In that case, damage was done and significant effort and costs were incurred to remedy the problem. Similarly, the theft of source code from Crack Dot Com (the makers of the awesome computer game, Quake) was malicious.
This shift in the character of the modern cracker will undoubtedly trigger stiffer sentences in the future. Social and economic forces will also contribute to this change. Because the network is going to be used for banking, I believe the judiciary will take a harsher look at cracking. Nonetheless, something tells me that American sentences will always remain more lenient than those of, say, China.
China has a somewhat harsher attitude towards hackers and crackers. For example, in 1992, the Associated Press reported that Shi Biao, a Chinese national, managed to crack a bank, making off with some $192,000. He was subsequently apprehended and convicted. His sentence? Death. Mr. Biao was executed in April, 1993. (Note to self: Never crack in China.)
In any event, the more interesting features of China's laws expressly related to the Internet can be found in a curious document titled The Provisional Regulation on the Global Connection via Computer Information Network by the People's Republic of China. In the document, several things become immediately clear. First, the Chinese intend to control all outgoing traffic. They have therefore placed certain restrictions on how companies can connect:
Moreover, the Chinese government intends to intercept and monitor outgoing traffic:
The Chinese intend to implement these controls in a hierarchical fashion. In their scheme, interconnected networks are all screened through the government communications infrastructure. All local networks are required to patch into these interconnected networks. Lastly, all individuals must go through a local network. Through this scheme, they have effectively designed an information infrastructure that is easily monitored. At each stage of the infrastructure are personnel responsible for that stage's network traffic.
Moreover, there are provisions prohibiting the traffic of certain materials. These prohibitions naturally include obscene material, but that is not all. The wording of the article addressing such prohibitions is sufficiently vague, but clear enough to transmit the true intentions of the State:
Reportedly, the Chinese government intends to erect a new Great Wall of China to bar the western Internet. These reports suggest that China will attempt to filter out dangerous western ideology.
China is not alone in its application of totalitarian politics to the Internet and computers. Let's have a look at Russia.
Russia and the CIS
President Yeltsin issued Decree 334 on April 3, 1995. That decree granted extraordinary power to the Federal Agency of Government Communications and Information (FAPSI). The decree prohibits:
The only way that such devices can be used is upon review, recommendation, and approval of FAPSI. The decree also prohibits:
In the strictest terms, then, no Russian citizen shall design or sell software without a license from this federal agency, which in fact acts as information police. American intelligence sources have likened FAPSI to the NSA. As the article "Russian Views on Information-Based Warfare" by Timothy L. Thomas notes:
Despite this cloak-and-dagger treatment of the exchange of information in Russia (the Cold War is over, after all), access in Russia is growing rapidly. For example, it is reported in Internetica in an article by Steve Graves that even CompuServe is a large ISP within the Russian Federation:
Despite Mr. Yeltsin's decrees, however, there is a strong cracker underground in Russia. Just ask CitiBank. The following was reported in The St. Petersburg Times:
Unfortunately, there is relatively little information on Russian legislation regarding the Internet. However, you can bet that such legislation will quickly emerge.
The EEC (European Economic Community)
In this section, I address European attitudes and laws concerning computers and the Internet. Nonetheless, although the United Kingdom is indeed a member of the European Union, I will treat them separately. This section, then, refers primarily to generalized EU law and proposals regarding continental Europe.
It is interesting to note that European crackers and hackers often have different motivations for their activities. Specifically, European crackers and hackers tend to be politically motivated. An interesting analysis of this phenomenon was made by Kent Anderson in his paper "International Intrusions: Motives and Patterns":
For these reasons, treatment of Internet cracking and hacking activity in Europe is quite different from that in the United States. A recent case in Italy clearly demonstrates that while freedom of speech is a given in the United States, it is not always so in Europe.
Reportedly, a bulletin board system in Italy that provided gateway access to the Internet was raided in February, 1995. The owners and operators of that service were subsequently charged with some fairly serious crimes, as discussed by Stanton McCandlish in his article "Scotland and Italy Crack Down on `Anarchy Files'":
This might sound confusing, so let me clarify: The files that prompted the raid (and subsequent indictments) were the type that thousands of Web sites harbor here in the United States, files that the FBI would not think twice about. An interesting side note: In the wake of the arrests, a British newspaper apparently took great license in reporting the story, claiming that the "anarchy" files being passed on the Internet and the targeted BBS systems were endangering national security by instructing mere children to overthrow the government. The paper was later forced to retract such statements.
In any event, the Europeans are gearing up for some Orwellian activity of their own. In a recent report to the Council of Europe, proposals were made for techniques dealing with these new technologies:
European sources are becoming increasingly aware of the problem of crackers, and there is a strong movement to prevent cracking activity. No member country of the Union has been completely untouched. The French, for example, recently suffered a major embarrassment, as detailed in the article "French Navy Secrets Said Cracked by Hackers," which appeared in Reuters:
The United Kingdom
The United Kingdom has had its share of computer crackers and hackers (I personally know one who was recently subjected to police interrogation, search and seizure). Many UK sources suggest that English government officials take a decidedly knee-jerk reaction to computer crimes. However, the UK's main body of law prohibiting cracking (based largely on Section 3(1) of the Computer Misuse Act of 1990) is admittedly quite concise. It covers almost any act that could be conceivably undertaken by a cracker. That section is written as follows (the text is converted to American English spelling conventions and excerpted from an article by Yaman Akdeniz):
You will notice that intent is a requisite element here. Thus, performing an unauthorized modification must be accompanied by intent. This conceivably could have different implications than the court's interpretation in the Morris case.
A case is cited under that act against an individual named Christopher Pile (also called the Black Baron), who allegedly released a virus into a series of networks. Pile was charged with (and ultimately convicted of) unlawfully accessing, as well as damaging, computer systems and data. The sentence was 18 months, handed down in November of 1995. Pile is reportedly the first virus author ever convicted under the act.
Akdeniz's document reports that English police have not had adequate training or practice, largely due to the limited number of reported cases. Apparently, few companies are willing to publicly reveal that their networks have been compromised. This seems reasonable enough, though one wonders why police do not initiate their own cracking teams to perform simulations. This would offer an opportunity to examine the footprint of an attack. Such experience would likely prove beneficial to them.
Finland has traditionally been known as very democratic in its application of computer law. At least, with respect to unauthorized snooping, cracking, and hacking, Finland has made attempts to maintain a liberal or almost neutral position regarding these issues. Not any more. Consider this statement, excerpted from the report "Finland Considering Computer Virus Bill" by Sami Kuusela:
At this stage, you can undoubtedly see that the trend (in all countries and jurisdictions) is aimed primarily at the protection of data. Such laws have recently been drafted as proposals in Switzerland, the UK, and the United States.
This trend is expected to continue and denotes that computer law has come of age. Being now confronted with hackers and crackers across the globe, these governments have formed a type of triage with respect to Internet and computer laws. At this time, nearly all new laws appear to be designed to protect data.
Users may erroneously assume that because the Communications Decency Act died a horrible death in Pennsylvania, all manners of speech are free on the Internet. That is false. Here are some examples:
In reference to harassment and racial slurs, the law already provides a standard that may be (and has been) applied to the Internet. That is the Fighting Words Doctrine, which seems to revolve primarily around the requirement that the words must be specifically directed toward an individual or individuals. Merely stating that "all blondes are stupid" is insufficient.
The Fighting Words Doctrine can be understood most clearly by examining Vietnamese Fisherman's Ass'n v. Knights of the Ku Klux Klan. The case revolved around repeated harassment of Vietnamese fisherman by the KKK in Galveston Bay. The situation involved the KKK members approaching (by boat) a vessel containing Vietnamese fisherman. According to Donald A. Downs in his article "Racial Incitement Law and Policy in the United States: Drawing the Line Between Free Speech and Protection Against Racism," the KKK:
The court in that case found the actions of the KKK to amount to fighting words. Such speech, when directed against an individual or individuals who are in some way a captive audience to those words, is not protected under the First Amendment. Similarly, threats against the President of the United States amount to unprotected speech. And, such threats, where they are extortive or unconditional and specific to the person so threatened, amount to unprotected speech.
These laws and doctrines can be applied in any instance. Whether that application is ultimately successful remains another matter. Certainly, posting such information on a Web page or even in a Usenet group may or may not be narrow enough of a directive to call such laws (threats to the President are the obvious, notable exceptions). The law in this area is not entirely settled.
Internet law is a new and exciting area of expertise. Because the Internet is of such extreme public interest, certain battles, such as the dispute over adult-oriented material, are bound to take a decade or more. All Netizens should keep up with the latest legislation.
Finally, perhaps a word of caution here would be wise: If you are planning to undertake some act upon the Internet and you are unsure of its legality, get a lawyer's opinion. Not just any lawyer, either; talk to one who really knows Internet law. Many attorneys may claim to know Internet law, but the number that actually do is small. This is important because the Information Superhighway is like any other highway. You can get pulled over, get a ticket, or even go to jail.
Berne Convention For The Protection Of Literary And Artistic Works.
EFF's (Extended) Guide to the Internet--Copyright Law.
Big Dummy's Guide to the Internet--Copyright Law.
Revising the Copyright Law for Electronic Publishing.
The E-Challenge for Copyright Law.
Copyright Law FAQ (3/6): Common Miscellaneous Questions.
Copyrights, Trademarks, and the Internet. Donald M. Cameron, Tom S. Onyshko, and W. David Castell.
New U.S. Copyright Board of Appeals Established.
Copyright Law of the United States. US Code-Title 17, Section 107. Fair Use Clause.
Copyright Law, Libraries, and Universities: Overview, Recent Developments, and Future Issues. Kenneth D. Crews, J.D., Ph.D. Associate Professor of Business Law. College of Business. This is an excellent source.
Recent Caselaw and Legislative Developments in Copyright Law in the United States.
Copyright Law and Fair Use.
The First Amendment vs. Federal Copyright Law.
Software Copyright Law.
Electronic Copyright Law in France.
U.S. Copyright Office General Information and Publications.
Copyright Clearance Center (CCC).
Copyright Reform in Canada: Domestic Cultural Policy Objectives and the Challenge of Technological Convergence.
10 Big Myths About Copyright Explained. An attempt to answer common myths about copyright on the Net and cover issues related to copyright and Usenet/Internet publication.
Intellectual Property and the National Information Infrastructure.
Sources for General Information
Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses! Akdeniz, Y. Web Journal of Current Legal Issues, May 24, 1996.
The Computer Fraud and Abuse Act of 1986.
Crime on the Internet.
The U.S. House of Representatives Internet Law Library Computers and the Law.
EFF "Legal Issues and Policy: Cyberspace and the Law" Archive.
New Computer Crime Statutes Close Loopholes.
Federal Guidelines for Searching and Seizing Computers. U.S. Department of Justice Criminal Division Office of Professional Development and Training. The Report of the Working Group on Intellectual Property Rights.
National Information Infrastructure Protection Act of 1996.
Fraud and Related Activity in Connection with Access Devices.
Digital Telephony Bill.
Computer Law Briefs.
Previous chapter Next chapter Contents
© Copyright, Macmillan Computer Publishing. All rights reserved.
With any suggestions or questions please feel free to contact us