Maximum Security:

A Hacker's Guide to Protecting Your Internet Site and Network

31 Reality Bytes: Computer Security and the Law

This chapter discusses law as it applies to the Internet both here and abroad. For the most part, my analysis is aimed toward the criminal law governing the Internet.

The United States

My timeline begins in 1988 with United States v. Morris, the case of the Internet worm. I should, however, provide some background, for many cases preceded this one. These cases defined the admittedly confused construct of Internet law.

Phreaks

If you remember, I wrote about phone phreaks and their quest to steal telephone service. As I explained, it would be impossible to identify the precise moment in which the first phreak hacked his or her way across the bridge to the Internet. At that time, the network was still referred to as the ARPAnet.

Concrete evidence of phreaks accessing ARPAnet can be traced (at least on the Net) to 1985. In November of that year, the popular, online phreaking magazine Phrack published its second issue. In it was a list of dialups from the ARPAnet and several military installations.

Cross Reference: The list of dialups from ARPAnet can be found in Phrack, Volume One, Issue Two, "Tac Dialups taken from ARPAnet," by Phantom Phreaker. Find it on the Net at http://www.fc.net/phrack/files/p02/p02-1.html.

By 1985, this activity was being conducted on a wholesale basis. Kids were trafficking lists of potential targets, and networks of intruders began to develop. For bright young Americans with computers, a whole new world presented itself; this world was largely lawless.

But the story goes back even further. In 1981, a group of crackers seized control of the White House switchboard, using it to make transatlantic telephone calls. This was the first in a series of cases that caught the attention of the legislature.

The majority of sites attacked were either federal government sites or sites that housed federal interest computers. Although it may sound extraordinary, there was, at the time, no law that expressly prohibited cracking your way into a government computer or telecommunication system. Therefore, lawmakers and the courts were forced to make do, applying whatever statute seemed to closely fit the situation.

As you might expect, criminal trespass was, in the interim, a popular charge. Other common charges were theft, fraud, and so forth. This all changed, however, with the passing of the Computer Fraud and Abuse Act of 1986. Following the enactment of that statute, the tables turned considerably. That phenomenon began with U.S. v. Morris.

United States of America v. Robert Tappan Morris

The Internet worm incident (or, as it has come to be known, the Morris Worm) forever changed attitudes regarding attacks on the Internet. That change was not a gradual one. Organizations such as CERT, FIRST, and DDN were hastily established in the wake of the attack to ensure that something of such a magnitude could never happen again. For the security community, there was vindication in Morris' conviction. Nonetheless, the final decision in that case would have some staggering implications for hackers and crackers alike.

The government took the position that Morris had violated Section 2(d) of the Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030(a)(5)(A)(1988). That act targeted a certain class of individual:

...anyone who intentionally accesses without authorization a category of computers known as "[f]ederal interest computers" and damages or prevents authorized use of information in such computers, causing loss of $1,000 or more...

For those of you who aren't attorneys, some explanation is in order. Most criminal offenses have several elements; each must be proven before a successful case can be brought against a defendant. For example, in garden-variety civil fraud cases, the chief elements are

That the defendant made a false representation

That the defendant knew the representation was false

That he or she made it with intent that the victim would rely on it

That the victim did rely on the representation

That the victim suffered damages because of such reliance

If a plaintiff fails to demonstrate even one of these elements, he or she loses. For example, even if the first four elements are there, if the victim lost nothing in the fraud scheme, no case will lie (that is, no case brought upon such a claim will successfully survive a demurrer hearing).

NOTE: This is different from criminal law. In criminal law, even if the fifth element is missing, the defendant can still be tried for fraud (that is, damages are not an essential requirement in a criminal fraud case).

To bring any case to a successful conclusion, a prosecutor must fit the fact pattern of the case into the handful of elements that comprise the charged offense. For example, if intent is a necessary element, intent must be proven. Such elements form the framework of any given criminal information filing. The framework of the Morris case was based on the Computer Fraud and Abuse Act of 1986. Under that act, the essential elements were

That Morris intentionally (and without authorization) accessed a computer or computers

That these were federal interest computers

That in his intentional, unauthorized access of such federal interest computers, Morris caused damage, denial of service, or losses amounting to $1,000 or more

The arguments that ultimately went to appeal were extremely narrow. For example, there was furious disagreement about exactly what intentionally meant within the construct of the statute:

Morris argues that the Government had to prove not only that he intended the unauthorized access of a federal interest computer, but also that he intended to prevent others from using it, and thus cause a loss. The adverb "intentionally," he contends, modifies both verb phrases of the section. The government urges that since punctuation sets the "accesses" phrase off from the subsequent "damages" phrase, the provision unambiguously shows that "intentionally" modifies only "accesses."

Morris' argument was rejected by the Court of Appeals. Instead, it chose to interpret the statute as follows: that the mere intentional (unauthorized) access of the federal interest computer was enough (that is, it was not relevant that Morris also intended to cause damage). The defense countered this with the obvious argument that if this were so, the statute was ill- conceived. As interpreted by the Court of Appeals, this statute would punish small-time intruders with the same harsh penalties as truly malicious ones. Unfortunately, the court didn't bite. Compare this with the UK statutes discussed later, where intent is definitely a requisite.

The second interesting element here is the requirement that the attacked computers be federal interest computers. Under the meaning of the act, a federal interest computer was any computer that was intended:

...exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government, and the conduct constituting the offense affects such use; or which is one of two or more computers used in committing the offense, not all of which are located in the same State.

The first and second requirements were exclusive. The following description was a second paragraph:

...which is one of two or more computers used in committing the offense, not all of which are located in the same State.

In other words, from the government's point of view, any two or more computers located in different states were federal interest computers within the construct of the act. This characterization has since been amended so that the term now applies to any action undertaken via a computer in interstate commerce. This naturally has broad implications and basically reduces the definition to any computer attached to the Internet. Here is why:

The legal term interstate commerce means something slightly different from what it means in normal speech. The first concrete legal applications of the term in the United States followed the passing of the Sherman Act, a federal antitrust bill signed by President Benjamin Harrison on July 2, 1890. The act forbade restraint of "...trade or commerce among the several states, or with foreign nations." As defined in Blacks Law Dictionary (an industry standard), interstate commerce is

Traffic, intercourse, commercial trading, or the transportation of persons or property between or among the several states of the Union, or from or between points in one state and points in another state...

From this, one might conclude that interstate commerce is only conducted when some physical, tangible good is transferred between the several states. That is erroneous. The term has since been applied to every manner of good and service. In certain types of actions, it is sufficient that only the smallest portion of the good or service be trafficked between the several states. For example, if a hospital accepts patients covered by insurance carriers located beyond the borders of the instant state, this is, by definition, interstate commerce. This is so even if the patient and the hospital are located within the same state.

However, there are limitations with regard to the power of Congress to regulate such interstate commerce, particularly if the activity is intrastate but has only a limited effect on interstate commerce. For example, in A. L. A. Schecter Poultry Corp. v. United States (1935), the Supreme Court:

...characterized the distinction between direct and indirect effects of intrastate transactions upon interstate commerce as "a fundamental one, essential to the maintenance of our constitutional system." Activities that affected interstate commerce directly were within Congress' power; activities that affected interstate commerce indirectly were beyond Congress' reach. The justification for this formal distinction was rooted in the fear that otherwise "there would be virtually no limit to the federal power and for all practical purposes we should have a completely centralized government."

In any event, for the moment, the statute is sufficiently broad that the government can elect to take or not take almost any cracking case it wishes, even if the attacking and target machines are located within the same state. And from inside experience with the federal government, I can tell you that it is selective. Much depends on the nature of the case. Naturally, more cracking cases tend to pop up in federal jurisdiction, primarily because the federal government is more experienced in such investigations. Many state agencies are poorly prepared for such cases. In fact, smaller county or borough jurisdictions may have never handled such a case.

This is a training issue more than anything. More training is needed at state and local levels in such investigations and prosecutions. These types of trials can be expensive and laborious, particularly in regions where the Internet is still a new phenomenon. If you were a prosecutor, would you want to gamble that your small-town jury--members of which have little practical computer experience--will recognize a crime when they hear it? Even after expert testimony? Even though your officers don't really understand the basic nuts and bolts of the crime? Think again. In the past, most crackers have been stupid enough to confess or plea bargain. However, as cracking becomes more of a crime of financial gain, plea bargains and confessions will become more rare. Today, cracking is being done by real criminals. To them, the flash of a badge doesn't mean much. They invoke their Fifth Amendment rights and wait for their lawyer.

Cross Reference: You can find the full text version of the Computer Fraud and Abuse Act of 1986 at http://www.law.cornell.edu/uscode/18/1030.html.

On the question of damages in excess of $1,000, this is a gray area. Typically, statutes such as the Computer Fraud and Abuse Act allow for sweeping interpretations of damages. One can claim $1,000 in damages almost immediately upon an intrusion, even if there is no actual damage in the commonly accepted sense of the word. It is enough if you are forced to call in a security team to examine the extent of the intrusion.

This issue of damage has been hotly debated in the past and, to the government's credit, some fairly stringent guidelines have been proposed. At least on a federal level, there have been efforts to determine reliable formulas for determining the scope of damage and corresponding values. However, the United States Sentencing Commission has granted great latitude for higher sentencing, even if damage may have been (however unintentionally) minimal:

In a case in which a computer data file was altered or destroyed, loss can be measured by the cost to restore the file. If a defendant intentionally or recklessly altered or destroyed a computer data file and, due to a fortuitous circumstance, the cost to restore the file was substantially lower than the defendant could reasonably have expected, an upward departure may be warranted. For example, if the defendant intentionally or recklessly damaged a valuable data base, the restoration of which would have been very costly but for the fortuitous circumstance that, unknown to the defendant, an annual back-up of the data base had recently been completed thus making restoration relatively inexpensive, an upward departure may be warranted.

This to me seems unreasonable. Defendants ought to be sentenced according to the actual damage they have caused. What would have been, could have been, and should have been are irrelevant. If the intention of the commission is that the loss be measured by the cost to restore the file, this upward departure in sentencing is completely inconsistent. Effectively, a defendant could be given a longer prison sentence not for what he did but what he could have done. Thus, this proposed amendment suggests that the actual loss has no bearing on the sentence, but the sentencing court's likely erroneous notion of the defendant's intent (and his knowledge of the consequences of his actions) does.

At any rate, most states have modeled their computer law either on the Computer Fraud and Abuse Act or on principles very similar. The majority treat unauthorized access and tampering, and occasionally, some other activity as well.

California

California is the computer crime and fraud capital of the world. On that account, the Golden State has instituted some very defined laws regarding computer cracking. The major body of this law can be found in California Penal Code, Section 502. It begins, like most such statutes, with a statement of intent:

It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

Cross Reference: Visit http://www.leginfo.ca.gov/ to see the California Penal Code, Section 502 in full.

The statute is comprehensive. It basically identifies a laundry list of activities that come under its purview, including but not limited to any unauthorized action that amounts to intrusion or deletion, alteration, theft, copying, viewing, or other tampering of data. The statute even directly addresses the issue of denial of service.

The penalties are as follows:

For simple unauthorized access that does not amount to damage in excess of $400, either a $5,000 fine or one year in imprisonment or both

For unauthorized access amounting to actual damage greater than $400, a $5,000 fine and/or terms of imprisonment amounting to 16 months, two years, or three years in state prison or one year in county jail

As you might expect, the statute also provides for comprehensive civil recovery for the victim. Parents should take special note of subsection (e)1 of that title:

For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor...

That means if you are a parent of a child cracking in the state of California, you (not your child) shall suffer civil penalties.

Another interesting element of the California statute is that it provides for possible jurisdictional problems that could arise. For example, say a user in California unlawfully accesses a computer in another state:

For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.

I do not know how many individuals have been charged under 502, but I would suspect relatively few. The majority of computer cracking cases seem to end up in federal jurisdiction.

Texas

In the state of Texas, things are a bit less stringent (and far less defined) than they are in California. The Texas Penal Code says merely this:

A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.

Cross Reference: Find the Texas Penal Code on the Web at http://www.capitol.state.tx.us/statutes/pe/pe221.htm.

In all instances where the defendant's actions are undertaken without the intent "to obtain a benefit or defraud or harm another," the violation is a Class A misdemeanor. However, if the defendant's actions are undertaken with such intent, this can be a state jail felony (if the amount is $20,000 or less) or a felony in the third degree (if the amount exceeds $20,000).

There is one affirmative defense:

It is an affirmative defense to prosecution under Section 33.02 that the actor was an officer, employee, or agent of a communications common carrier or electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility.

It is also interesting to note that the term access is defined within the construct of the statute to mean the following:

...to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer system, or computer network.

Does this suggest that scanning the TCP/IP ports of a computer in Texas is unlawful? I believe that it does, though the statute has probably not been used for this purpose.

Other States

Most other states have almost identical laws. Nevertheless, there are a few special points that I would like to focus on, by state. Some are interesting and others are amusing. Table 31.1 offers a few examples.

Table 31.1. Interesting United States computer crime provisions.

State	Provision
Alaska	One can commit the crime of (and be subject to punishment for) deceiving a machine. This is so even though a machine is neither a sentient being nor capable of perception. Hmmm.
Connecticut	Provides for criminal and civil penalties for disruption of computer services (even the degradation of such services). Clearly, ping and syn_flooding are therefore crimes in Connecticut.
Georgia	Crackers, take note: Do not perform your cracking in the state of Georgia. The penalties are stiff: 15 years and a $50,000 fine. Ouch.
Hawaii	The system breaks unauthorized use and access into two different categories, and each category has three degrees. Just taking a look inside a system is a misdemeanor. Fair enough.
Minnesota	This state has a special subdivision that provides for penalties for individuals who create or use destructive computer programs.

Information about computer crime statutes can be obtained from the Electronic Frontier Foundation. EFF maintains a list of computer crime laws for each state. Of particular interest is that according to the EFF's compilation, as of May 1995, the state of Vermont had no specific provisions for computer crimes. This would either suggest that very little cracking has been done in Vermont or, more likely, such crimes are prosecuted under garden-variety trespassing-theft laws.

Cross Reference: EFF's Web site is located at http://www.eff.org/. EFF's list of computer crime laws for each state (last updated in May, 1995) can be found at http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Legal/comp_crime_us_state.laws.

The Law in Action

Despite the often harsh penalties for computer crimes, crackers are rarely sentenced by the book. The average sentence is about one year. Let's take a look at a few such cases:

A New York youngster named Mark Abene (better known as Phiber Optik) compromised key networks, including one division of Bell Telephone and a New York television station. A United States District Court sentenced Abene to one year in prison. (That sentence was handed down in January 1994.) Abene's partners in crime also received lenient sentences, ranging from a year and a day to six months in federal prison.

John Lee, a young student in New York, was sentenced to a year and a day in federal prison after breaching the security of several telecommunications carriers, an electronics firm, and a company that designed missiles.

To date, the longest period spent in custody by an American cracker was served by Californian Kevin Poulsen. Poulsen was unfortunate enough to crack one site containing information that was considered by the government to be defense related. He was therefore charged under espionage statutes. Poulsen was held for approximately five years, being released only this past year after shaking those spying charges. As reported in the L.A. Times:

...the espionage charge was officially dropped Thursday as part of the agreement crafted by Poulsen's lawyer and the U.S. attorney's office. In exchange, he pleaded guilty to charges of possessing computer access devices, computer fraud, and the use of a phony Social Security card, according to his defense attorney, Paul Meltzer.

There is a strong unwillingness by federal courts to sentence these individuals to the full term authorized by law. This is because, in many instances, to do so would be an injustice. Security personnel often argue that cracking into a network is the ultimate sin, something for which a cracker should never be forgiven. These statements, however, are coming from individuals in constant fear that they are failing at their basic occupation: securing networks. Certainly, any security expert whose network comes under successful attack from the void will be angry and embarrassed. Shimomura, oddly enough, has recovered nicely. (This recovery is no doubt therapeutic for him as well, for he produced a book that had national distribution.) But the basic fact remains: One of the most talented security specialists in the world was fleeced by Kevin Mitnik. It is irrelevant that Mitnik was ultimately captured. The mere fact that he cracked Shimomura's network is evidence that Shimomura was dozing on the job. So, statements from security folks about sentencing guidelines should be taken with some reservation.

In reality, the previous generation of crackers (and that includes Mitnik, who was not yet old enough to drive when he began) were not destructive. They were an awful nuisance perhaps, and of course, telephone service was often stolen. However, damage was a rare aftermath. In contrast, the new generation cracker is destructive. Earlier in this book, I discussed a university in Hawaii that was attacked (the university left a gaping hole in its SGI machines). In that case, damage was done and significant effort and costs were incurred to remedy the problem. Similarly, the theft of source code from Crack Dot Com (the makers of the awesome computer game, Quake) was malicious.

This shift in the character of the modern cracker will undoubtedly trigger stiffer sentences in the future. Social and economic forces will also contribute to this change. Because the network is going to be used for banking, I believe the judiciary will take a harsher look at cracking. Nonetheless, something tells me that American sentences will always remain more lenient than those of, say, China.

China

China has a somewhat harsher attitude towards hackers and crackers. For example, in 1992, the Associated Press reported that Shi Biao, a Chinese national, managed to crack a bank, making off with some $192,000. He was subsequently apprehended and convicted. His sentence? Death. Mr. Biao was executed in April, 1993. (Note to self: Never crack in China.)

In any event, the more interesting features of China's laws expressly related to the Internet can be found in a curious document titled The Provisional Regulation on the Global Connection via Computer Information Network by the People's Republic of China. In the document, several things become immediately clear. First, the Chinese intend to control all outgoing traffic. They have therefore placed certain restrictions on how companies can connect:

A computer network will use the international telecommunications paths provided by the public telecommunications operator of the Bureau of Posts and Telecommunications when accessing the Internet directly. Any sections or individuals will be prohibited from constructing and using independent paths to access the Internet.

Moreover, the Chinese government intends to intercept and monitor outgoing traffic:

The existing interconnected networks will go through screening and will be adjusted when necessary in accordance with the regulations of the State Council, and will be placed under the guidance of the Bureau of Posts and Telecommunications. Construction of a new interconnected network will require a permission from the State Council.

Cross Reference: The Provisional Regulation on the Global Connection via Computer Information Network by the People's Republic of China can be found on the Web at http://www.smn.co.jp/topics/0087p01e.html.

The Chinese intend to implement these controls in a hierarchical fashion. In their scheme, interconnected networks are all screened through the government communications infrastructure. All local networks are required to patch into these interconnected networks. Lastly, all individuals must go through a local network. Through this scheme, they have effectively designed an information infrastructure that is easily monitored. At each stage of the infrastructure are personnel responsible for that stage's network traffic.

Moreover, there are provisions prohibiting the traffic of certain materials. These prohibitions naturally include obscene material, but that is not all. The wording of the article addressing such prohibitions is sufficiently vague, but clear enough to transmit the true intentions of the State:

Furthermore, any forms of information that may disturb public order or considered obscene must not be produced, reproduced, or transferred.

Reportedly, the Chinese government intends to erect a new Great Wall of China to bar the western Internet. These reports suggest that China will attempt to filter out dangerous western ideology.

China is not alone in its application of totalitarian politics to the Internet and computers. Let's have a look at Russia.

Russia and the CIS

President Yeltsin issued Decree 334 on April 3, 1995. That decree granted extraordinary power to the Federal Agency of Government Communications and Information (FAPSI). The decree prohibits:

...within the telecommunications and information systems of government organizations and enterprises the use of encoding devices, including encryption methods for ensuring the authenticity of information (electronic signature) and secure means for storing, treating and transmitting information...

The only way that such devices can be used is upon review, recommendation, and approval of FAPSI. The decree also prohibits:

...legal and physical persons from designing, manufacturing, selling and using information media, and also secure means of storing, treating and transmitting information and rendering services in the area of information encoding, without a license from FAPSI.

In the strictest terms, then, no Russian citizen shall design or sell software without a license from this federal agency, which in fact acts as information police. American intelligence sources have likened FAPSI to the NSA. As the article "Russian Views on Information-Based Warfare" by Timothy L. Thomas notes:

FAPSI appears to fulfill many of the missions of the U.S. National Security Agency. It also fights against domestic criminals and hackers, foreign special services, and "information weapons" that are for gaining unsanctioned access to information and putting electronic management systems out of commission, and for enhancing the information security of one's own management systems.

Cross Reference: "Russian Views on Information-Based Warfare" can be found on the Web at http://www.cdsar.af.mil/apj/thomas.html.

Despite this cloak-and-dagger treatment of the exchange of information in Russia (the Cold War is over, after all), access in Russia is growing rapidly. For example, it is reported in Internetica in an article by Steve Graves that even CompuServe is a large ISP within the Russian Federation:

CompuServe, the largest American online service, has local access numbers in more than 40 Russian cities, ranging from Moscow and St. Petersburg to Vladivostok. Access is provided through SprintNet, which adds a surcharge to the connect-time rate. Although CompuServe itself does not charge any more for connections than it does in the U.S., the maximum connection speed is 2400 baud, which will greatly increase the time required for any given access, particularly if Windows-based software is used.

Cross Reference: Access Steve Graves's article at http://www.boardwatch.com/mag/96/feb/bwm19.htm.

Despite Mr. Yeltsin's decrees, however, there is a strong cracker underground in Russia. Just ask CitiBank. The following was reported in The St. Petersburg Times:

Court documents that were unsealed Friday show that Russian computer hackers stole more than $10-million from Citibank's electronic money transfer system last year. All but $400,000 of that has been recovered, says a CitiBank spokeswoman. None of the bank's depositors lost any money in the fraud but since it happened, Citibank has required customers to use an electronic password generator for every transfer. The hackers' 34-year-old ringleader was arrested in London three months ago, and U.S. officials have filed to have him extradited to the United States to stand trial.

Unfortunately, there is relatively little information on Russian legislation regarding the Internet. However, you can bet that such legislation will quickly emerge.

The EEC (European Economic Community)

In this section, I address European attitudes and laws concerning computers and the Internet. Nonetheless, although the United Kingdom is indeed a member of the European Union, I will treat them separately. This section, then, refers primarily to generalized EU law and proposals regarding continental Europe.

It is interesting to note that European crackers and hackers often have different motivations for their activities. Specifically, European crackers and hackers tend to be politically motivated. An interesting analysis of this phenomenon was made by Kent Anderson in his paper "International Intrusions: Motives and Patterns":

Close examination of the motivation behind intrusions shows several important international differences: In Europe, organized groups often have a political or environmental motive, while in the United States a more "anti-establishment" attitude is common, as well as simple vandalism. In recent years, there appears to be a growth in industrial espionage in Europe while the United States is seeing an increase in criminal (fraud) motives.

Cross Reference: Find "International Intrusions: Motives and Patterns" on the Web at http://www.aracnet.com/~kea/Papers/paper.shtml.

For these reasons, treatment of Internet cracking and hacking activity in Europe is quite different from that in the United States. A recent case in Italy clearly demonstrates that while freedom of speech is a given in the United States, it is not always so in Europe.

Reportedly, a bulletin board system in Italy that provided gateway access to the Internet was raided in February, 1995. The owners and operators of that service were subsequently charged with some fairly serious crimes, as discussed by Stanton McCandlish in his article "Scotland and Italy Crack Down on `Anarchy Files'":

...the individuals raided have been formally charged with terroristic subversion crimes, which carry severe penalties: 7-15 years in prison...The BITS BBS [the target] carried a file index of materials available from the Spunk [underground BBS] archive (though not the files themselves), as well as back issues of Computer Underground Digest (for which EFF itself is the main archive site), and other political and non-political text material (no software).

Cross Reference: Mr. McCandlish's article can be found on the Web at http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/eff_raids.article.

This might sound confusing, so let me clarify: The files that prompted the raid (and subsequent indictments) were the type that thousands of Web sites harbor here in the United States, files that the FBI would not think twice about. An interesting side note: In the wake of the arrests, a British newspaper apparently took great license in reporting the story, claiming that the "anarchy" files being passed on the Internet and the targeted BBS systems were endangering national security by instructing mere children to overthrow the government. The paper was later forced to retract such statements.

Cross Reference: To read some of those statements, see the London Times article "Anarchists Use Computer Highway for Subversion" by Adrian Levy and Ian Burrell at http://www.eff.org/pub/Legal/Foreign_and_local/UK/Cases/BITS-A-t-E_Spunk/uk_net_anarchists.article.

In any event, the Europeans are gearing up for some Orwellian activity of their own. In a recent report to the Council of Europe, proposals were made for techniques dealing with these new technologies:

In view of the convergence of information technology and telecommunications, law pertaining to technical surveillance for the purpose of criminal investigations, such as interception of telecommunications, should be reviewed and amended, where necessary, to ensure their applicability. The law should permit investigating authorities to avail themselves of all necessary technical measures that enable the collection of traffic data in the investigation of crimes.

European sources are becoming increasingly aware of the problem of crackers, and there is a strong movement to prevent cracking activity. No member country of the Union has been completely untouched. The French, for example, recently suffered a major embarrassment, as detailed in the article "French Navy Secrets Said Cracked by Hackers," which appeared in Reuters:

Hackers have tapped into a navy computer system and gained access to secret French and allied data, the investigative and satirical weekly Le Canard Enchaine said...Hackers gained access to the system in July and captured files with acoustic signatures of hundreds of French and allied ships. The signatures are used in submarine warfare to identify friend and foes by analyzing unique acoustic characteristics of individual vessels.

The United Kingdom

The United Kingdom has had its share of computer crackers and hackers (I personally know one who was recently subjected to police interrogation, search and seizure). Many UK sources suggest that English government officials take a decidedly knee-jerk reaction to computer crimes. However, the UK's main body of law prohibiting cracking (based largely on Section 3(1) of the Computer Misuse Act of 1990) is admittedly quite concise. It covers almost any act that could be conceivably undertaken by a cracker. That section is written as follows (the text is converted to American English spelling conventions and excerpted from an article by Yaman Akdeniz):

A person is guilty of an offense if (a) he does any act which causes an unauthorized modification of the contents of any computer; and (b) at the time when he does the act he has the requisite intent and the requisite knowledge.

You will notice that intent is a requisite element here. Thus, performing an unauthorized modification must be accompanied by intent. This conceivably could have different implications than the court's interpretation in the Morris case.

A case is cited under that act against an individual named Christopher Pile (also called the Black Baron), who allegedly released a virus into a series of networks. Pile was charged with (and ultimately convicted of) unlawfully accessing, as well as damaging, computer systems and data. The sentence was 18 months, handed down in November of 1995. Pile is reportedly the first virus author ever convicted under the act.

Akdeniz's document reports that English police have not had adequate training or practice, largely due to the limited number of reported cases. Apparently, few companies are willing to publicly reveal that their networks have been compromised. This seems reasonable enough, though one wonders why police do not initiate their own cracking teams to perform simulations. This would offer an opportunity to examine the footprint of an attack. Such experience would likely prove beneficial to them.

Finland

Finland has traditionally been known as very democratic in its application of computer law. At least, with respect to unauthorized snooping, cracking, and hacking, Finland has made attempts to maintain a liberal or almost neutral position regarding these issues. Not any more. Consider this statement, excerpted from the report "Finland Considering Computer Virus Bill" by Sami Kuusela:

Finnish lawmakers will introduce a bill in the next two weeks that would criminalize spreading computer viruses--despite the fact that many viruses are spread accidentally--This means that if someone in Finland brings a contaminated diskette to his or her workplace and doesn't check it with an anti-virus program, and the virus spreads into the network, the person will have committed a crime. It would also be considered a crime if a virus spreads from a file downloaded from the Internet.

Cross Reference: Check out http://www.wired.com/news/politics/story/2315.html to see Kuusela's report.

At this stage, you can undoubtedly see that the trend (in all countries and jurisdictions) is aimed primarily at the protection of data. Such laws have recently been drafted as proposals in Switzerland, the UK, and the United States.

This trend is expected to continue and denotes that computer law has come of age. Being now confronted with hackers and crackers across the globe, these governments have formed a type of triage with respect to Internet and computer laws. At this time, nearly all new laws appear to be designed to protect data.

Free Speech

Users may erroneously assume that because the Communications Decency Act died a horrible death in Pennsylvania, all manners of speech are free on the Internet. That is false. Here are some examples:

Hate crimes and harassment are against the law--In 1995, an individual at the University of Irvine in California was indicted for such activity. According to the article "Ex-student Indicted for Alleged Hate Crime in Cyberspace," prosecutors alleged that the student sent "...a threatening electronic message to about 60 University of California, Irvine, students on Sept. 20." The student was therefore "...indicted on 10 federal hate-crime charges for allegedly sending computer messages threatening to kill Asian students."

Cross Reference: Visit http://www.nando.net/newsroom/ntn/info/111496/info15_1378.html to see the article "Ex-student Indicted for Alleged Hate Crime in Cyberspace."

Forwarding threats to the President is unlawful--In one case, a man was arrested for sending messages to the President, threatening to kill him. In another, less controversial case, seventh graders were arrested by the Secret Service for telling Mr. Clinton that his "ass" was "theirs."

In reference to harassment and racial slurs, the law already provides a standard that may be (and has been) applied to the Internet. That is the Fighting Words Doctrine, which seems to revolve primarily around the requirement that the words must be specifically directed toward an individual or individuals. Merely stating that "all blondes are stupid" is insufficient.

The Fighting Words Doctrine can be understood most clearly by examining Vietnamese Fisherman's Ass'n v. Knights of the Ku Klux Klan. The case revolved around repeated harassment of Vietnamese fisherman by the KKK in Galveston Bay. The situation involved the KKK members approaching (by boat) a vessel containing Vietnamese fisherman. According to Donald A. Downs in his article "Racial Incitement Law and Policy in the United States: Drawing the Line Between Free Speech and Protection Against Racism," the KKK:

...wore full military regalia and hoods on their faces, brandished weapons and hung an effigy of a Vietnamese fisherman and circled within eyesight of the fisherman.

The court in that case found the actions of the KKK to amount to fighting words. Such speech, when directed against an individual or individuals who are in some way a captive audience to those words, is not protected under the First Amendment. Similarly, threats against the President of the United States amount to unprotected speech. And, such threats, where they are extortive or unconditional and specific to the person so threatened, amount to unprotected speech.

These laws and doctrines can be applied in any instance. Whether that application is ultimately successful remains another matter. Certainly, posting such information on a Web page or even in a Usenet group may or may not be narrow enough of a directive to call such laws (threats to the President are the obvious, notable exceptions). The law in this area is not entirely settled.

Summary

Internet law is a new and exciting area of expertise. Because the Internet is of such extreme public interest, certain battles, such as the dispute over adult-oriented material, are bound to take a decade or more. All Netizens should keep up with the latest legislation.

Finally, perhaps a word of caution here would be wise: If you are planning to undertake some act upon the Internet and you are unsure of its legality, get a lawyer's opinion. Not just any lawyer, either; talk to one who really knows Internet law. Many attorneys may claim to know Internet law, but the number that actually do is small. This is important because the Information Superhighway is like any other highway. You can get pulled over, get a ticket, or even go to jail.

Resources

Berne Convention For The Protection Of Literary And Artistic Works.

http://www.law.cornell.edu/treaties/berne/overview.html

EFF's (Extended) Guide to the Internet--Copyright Law.

http://soma.npa.uiuc.edu/docs/eegtti/eeg_105.html

Big Dummy's Guide to the Internet--Copyright Law.

http://www.bio.uts.edu.au/www/guides/bdgtti/bdg_101.html

Revising the Copyright Law for Electronic Publishing.

http://www.leepfrog.com/E-Law/Revising-HyperT.html

The E-Challenge for Copyright Law.

http://www.utsystem.edu/OGC/IntellectualProperty/challenge.htm

Copyright Law FAQ (3/6): Common Miscellaneous Questions.

http://www.lib.ox.ac.uk/internet/news/faq/archive/law.copyright-faq.part3.html

Copyrights, Trademarks, and the Internet. Donald M. Cameron, Tom S. Onyshko, and W. David Castell.

http://www.smithlyons.com/it/cti/index.htm

New U.S. Copyright Board of Appeals Established.

http://www.jurisdiction.com/einh0002.htm

Copyright Law of the United States. US Code-Title 17, Section 107. Fair Use Clause.

http://lfcity.com/cpy.html

Copyright Law, Libraries, and Universities: Overview, Recent Developments, and Future Issues. Kenneth D. Crews, J.D., Ph.D. Associate Professor of Business Law. College of Business. This is an excellent source.

http://palimpsest.stanford.edu/bytopic/intprop/crews.html

Recent Caselaw and Legislative Developments in Copyright Law in the United States.

Copyright Law and Fair Use.

http://www-sul.stanford.edu/cpyright.html

The First Amendment vs. Federal Copyright Law.

http://www.krusch.com/real/copyright.html

Software Copyright Law.

http://www.lgu.com/cr_idx.htm

Electronic Copyright Law in France.

http://www.spa.org/consumer/bus/franc.htm

U.S. Copyright Office General Information and Publications.

http://lcweb.loc.gov/copyright/

Copyright Clearance Center (CCC).

http://www.copyright.com/

Copyright Reform in Canada: Domestic Cultural Policy Objectives and the Challenge of Technological Convergence.

http://www.ucalgary.ca/~gagow/cpyrght.htm

10 Big Myths About Copyright Explained. An attempt to answer common myths about copyright on the Net and cover issues related to copyright and Usenet/Internet publication.

http://www.clari.net/brad/copymyths.html

Intellectual Property and the National Information Infrastructure.

http://www.uspto.gov/web/ipnii/

Sources for General Information

Section 3 of the Computer Misuse Act 1990: an Antidote for Computer Viruses! Akdeniz, Y. Web Journal of Current Legal Issues, May 24, 1996.

http://www.ncl.ac.uk/~nlawwww/1996/issue3/akdeniz3.html

The Computer Fraud and Abuse Act of 1986.

http://www.law.cornell.edu/uscode/18/1030.html

Crime on the Internet.

http://www.digitalcentury.com/encyclo/update/crime.html

The U.S. House of Representatives Internet Law Library Computers and the Law.

http://orbus.pls.com:8001/his/95.GBM

EFF "Legal Issues and Policy: Cyberspace and the Law" Archive.

http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Legal/

New Computer Crime Statutes Close Loopholes.

http://www.ljx.com/securitynet/articles/0325nlj.htm

Federal Guidelines for Searching and Seizing Computers. U.S. Department of Justice Criminal Division Office of Professional Development and Training. The Report of the Working Group on Intellectual Property Rights.

http://www.uspto.gov/web/offices/com/doc/ipnii/

National Information Infrastructure Protection Act of 1996.

http://www.epic.org/security/1996_computer_law.html

Fraud and Related Activity in Connection with Access Devices.

http://www.law.cornell.edu/uscode/18/1029.html

Digital Telephony Bill.

http://www.eff.org/pub/Privacy/Digital_Telephony_FBI/digtel94.act

Computer Law Briefs.

http://sddtsun.sddt.com/~columbus/CBA/BBriefs/Wernick.html