
Legal Aspects of Computer Crime (LACC)




            _                                _____         _____
           | |               /\             / ____|       / ____|
           | |              /  \           | |           | |
           | |             / /\ \          | |           | |
           | |____        / ____ \         | |____       | |____
           |______|      /_/    \_\         \_____|       \_____|
         
           Legal         Aspects     of    Computer      Crime
                  
            "echo subscribe lacc|mail [email protected]"


WHEN YOU HAVE SUBSCRIBED
------------------------

    Send in a brief synopsis of who you are and why you are interested
    in Computer Crime as your first message to the list (this helps
    to stimulate discussion and debate as well as provide a sense
    of the LACC community). As a [small] example:

      "Hello, My name is Jane Reynor. I am an articled clerk at the
       Director of Public Prosecutions. I have been assigned as an
       assistant legal researcher to the prosecution of a bank officer
       involved in fraudulent EDI transactions. My interest in computer
       crime stems not just from the case we are working on, but also
       from an otherwise unrelated passion for computer networking that
       I suffered under during my period as an undergraduate."

REASONS FOR INCEPTION
---------------------

    The growing infusion of computers and computing devices into society
    created a legislative and common law vacuum in the 1980's. State
    prosecutors attempted to apply traditional property protection and
    deception laws to new technological crimes. By and large they were
    successful in this endeavor. There were however a very few but well
    publicized failed cases against computer "hackers" (notably R vs
    Gold - UK House of Lords and the E911 case). To the informed, these
    cases demonstrated not so much a legislation vacuum, but prosecution
    incompetence in choosing which statute to lay charges under and
    mis-management by prosecuting cases where the real offence of the
    defendant was merely the embarrassment of the powerful.

    In an atmosphere of increased government reliance on computer
    databases and public fear and hostility towards computerization of
    the workplace, legislatures rushed to criminalise certain types of
    computer use.  Instead of expanding the scope of existing
    legislation to more fully encompass the use of computers by
    criminals, changing phrases such as "utter or write" to "utter,
    write or transmit" (the former being the prosecution's undoing in the
    well publicized Gold case) as had been done with the computerization
    of copyright law, an entirely new class of criminal conduct was
    introduced. The computer had been seen not just as another tool that
    criminals might use in committing a crime but something altogether
    foreign and removed from the rest of society and established Law.
    The result was a series of naively drafted, overly broad and
    under-defined statutes which criminalised nearly all aspects of
    computer use under certain conditions.

    In the early 1990's a fundamental and evolving shift in computer
    usage started to occur. Now, it is rare to see a white collar worker
    in the work-place without the possession of a computer. In western
    countries such as Australia, over one third of households have
    computer systems. The computer is no longer the "altogether foreign
    and removed from the rest of society" device it once was. It has
    come out of the domain of the technical specialist and into the main
    stream.

    Even our notoriously slow moving legal profession is adopting it as
    an essential tool. But there is another change. A qualitative one
    important to our discussion.

    When you link hundreds of thousands of computers together and thus
    the people that use them together you find something remarkable
    occurs.  An event that you could never have predicted by merely
    summing the discrete components involved. A unique virtual society
    forms. Despite being designed with computer networking in mind,
    computer crime legislation copes very poorly with non homogeneous
    authorization [i.e. partial authorization].

    Societies are based around a common knowledge of history, beliefs,
    and current events. Each member of a society can be pinpointed as
    belonging to the society in question by the ideas, beliefs and
    knowledge held in common with other societal members. Any new member
    to a society learns this knowledge only because it is passed onto
    them; directly by other members or indirectly via its media, works of
    literature, music and art.

    Successful large scale computer networks like the Internet form for
    one reason and one reason only; information sharing. When a critical
    mass of diversity, interests, user population and information
    exchange is reached, a situation develops that mirrors in all
    important aspects a vibrant and evolving society. Citizens of the
    Internet have a nearly equal sized voice with which to convey their
    thoughts to other members and can do so quickly and without unwanted
    distortion. This is a remarkably democratic process compared to the
    very real _self_ censorship and top heavy direction that is so
    manifest in traditional broadcast and publishing industries.

    But unlike the physical societies that have hitherto been the norm,
    the electronic network society is remarkably non-isolationist. It
    continues to draw from, mesh and feed its beliefs into the
    traditional societies it was populated out of. This coupling process
    between computer network and traditional societies will continue
    (at least for English speaking countries -- the cultural barriers
    imposed by primary language differences are non-trivial) until a
    stage is reached where the boundary between the two is blurred and
    intangible.

    Most citizens will then fall under the rule of appallingly drafted
    computer crimes legislation every day of their lives. In the vast
    majority of such legislation directed to address computer crime
    everything which can be performed on a computer unless "authorized"
    is defined as illegal. One might think that an individual could
    authorize themselves to do anything they wished with their own
    computer [not so, as France and Russia and the USA have demonstrated
    with anti-cryptography and other information processing and content
    laws] given their ownership of it.

    But how does the Law define this "ownership"? Does ownership of the
    "chattel" (CPU, memory, disks and other hardware) imply ownership of
    the information created on it?  What about employees with "partial
    authorization" [examine disturbing outcome of Intel employee
    R.Swartz vs the State of Oregon 1995]? If the user of the computer
    system isn't the chattel owner, but has been given full control over
    it does this imply they are authorized for all interaction with the
    data stored on it?  Is there such thing as implicit authorization?
    Can an operating system grant authorization (implicit or otherwise)
    as an authorized agent of the owner/operator? If not, is sending
    electronic mail to someone who doesn't want their computer system to
    receive it "unauthorized insertion of data"?

    In a networked topology a typical computer user may use or otherwise
    interact with hundreds or even thousands of other people's computers
    in any given day. What is then the analogous "authorization
    topology"?  In Law it has previously been the case that which was
    not expressly forbidden was generally permitted.  Currently the
    digital equivalent of moving a chair [modification of trivial data]
    in someone else's office is illegal and carries with it in most
    countries a 5 to 10 year prison term. It is a sad reflection on the
    legislature of the day that the computer _medium_ was criminalised
    rather than the intent or damage caused to the victim.

    It is unlikely that law reform will occur until current political
    concern over computer networks such as the Internet is moderated. If
    anything the push so far from political drafters has been to once
    again introduce brand new medium criminalising legislation rather
    than revitalizing the existing codes. This unfortunate "labeled
    arrow" approach will continue as long as there exists an ill
    informed and technologically ignorant legislature that finds itself
    pliant to the whims of sensationalist media and honed to their
    dubious targets. Strong ideals do not equal strong policy.

    So ill defined and over broad are the terms used in most computer
    crime legislation that typically the pressing of a button on a
    silicon wrist watch without permission can be construed as
    "insertion of data into a computer without authority" an offense
    which carries 10 years penalty in countries such as Australia. The
    farce inherent is blatant. Surely the process going on within the
    wrist watch is utterly irrelevant. Victimless crimes should be
    avoided if at all possible. If interfering with the watch caused
    damage, even if that damage was to the intellectual property in the
    watch then the crime is one of Criminal Damage [or one of the other
    broad ranging damage statutes, depending on jurisdiction]. If
    changing the internal state of the watch led to fraud or theft, then
    the crime should be one of fraud or theft (possibly by deception).
    If pressing the button changed, for instance, the time of the watch
    and this led to a death, then the crime should be that of
    manslaughter or murder. Actions that do not damage (or otherwise
    attempt to negatively affect) the life of human beings directly, or
    indirectly by damage or loss of property or fundamental societal
    ideals (such as the right to privacy, freedom of association, speech
    & movement) should not be crimes. Actions that annoy but do not
    damage should also not be crimes, and traditionally are not. Crimes
    and the criminal process are serious. Annoyances by definition are
    not.

    In most Commonwealth countries physical trespass [despite the
    general view] is not a crime and with good reason. The Criminal law
    system wasn't intended to be the citizen's lackey and enforcer of
    personal whim, but rather to protect persons from genuine harm and
    preserve social order and the sovereign. Someone trespassing on your
    lands may annoy you. It may contradict your authorization. But it
    [typically] only becomes illegal when you ask the trespasser to
    leave and they refuse, or if their trespassing was directly
    associated with the commission or attempted commission of an offence.

    It is with this lack of appropriate legislation, precedents and
    judicial guidance that judiciary, practitioners, prosecutors, law
    enforcement personnel, defendants and drafters of future codes &
    policy have to struggle to find resolution.

    This list has been created in an attempt to mitigate the lack of
    tangible resources people involved with computer crime have at their
    disposal. It is hoped that by bringing together knowledgeable legal
    professionals together with para-legal personnel and informed lay
    persons that information and resources relevant to the difficult
    task of analyzing, presenting in court, formulating departmental or
    company policy or otherwise dealing with computer crime law and
    computer crimes may be shared and intelligent discussion and law
    reform stimulated.

    nb. this list is also an appropriate forum to discuss computerized
        legal, law enforcement and criminology databases, such as Netmap,
        Watson, PROMIS, Lexis, APAIS, CRIM-L, et cetera.

GUIDELINES
----------

In order to keep the semantic content high on this list, please consult
the following before posting:


DO POST                                  DON'T POST
-------                                  ----------

Un/reported decisions.                   Personal insults.
Commentaries on cases.                   Signatures >4 lines.
Reviews on relevant books.               Quoted replies with more than 30%
Relevant journal articles.               quoted from the original.
Information about proposed legislation.  Short questions, or questions which
Full text of CC legislation.             otherwise do not convey useful
Judicially defined terms.                information in their own right.
Articles on new arrests or               Gossip about the moderator.
cases.                                   Articles about computer (in)security,
Detailed questions.                      they should be sent to:
Intelligent commentary.                  "[email protected]"
Personal experiences with computer       "breaking into a computer is the same
crime.                                   as...."
Well thought out analogies.              Petitions (if you think they are
Relevant transcripts.                    exceptionally relevant, send them to
Defense or prosecution strategy.         the moderator, who may post them).
Relevant papers, thesis.                 Chain letters.
Conference announcements and details.    Advertising material.
Locations of legal resources.            Ethical considerations that are only
Computer forensics information.          "opinion".
Trial/court dates, verdicts etc.         Content free news reports or
Reviews of legal software.               articles.
Pointers to any of the above.            Abusive, antagonistic or otherwise,
Cross post relevant information from     non information rich or non
other lists or news groups.              constructive material.
Relevant affidavits, court documents.    Quotes from Dan Quayle.

SUBSCRIBING
-----------

Send mail to: 

	[email protected]

with the body of:

	subscribe lacc

UN-SUBSCRIBING
--------------

Send mail to:

	[email protected]

with the body of:

	unsubscribe lacc

POSTING
-------

To send a message to the list, address it to:

	[email protected]

REPLYING
--------

If you are replying to a message already on the LACC list using your
mail program's reply facility you will almost certainly have to change
the reply address to [email protected]. This is because the LACC mailing
list program is configured to have return replies sent to "nobody" in
order to avoid receiving the replies of "vacation" programs which
automatically send email saying "I've gone to the moon for two weeks to
hunt rare bits".

ARCHIVES
--------

Monthly back issues of lacc since January 96 are available from:

	ftp://suburbia.net/pub/mailinglists/lacc

Unfortunately the 1995 archive was lost in a disk crash. If anyone still
has a copy, then please contact the moderator.

--
"I mean, after all;  you have to consider we're only made out of dust.  That's
 admittedly not  much  to  go  on  and  we  shouldn't  forget  that.  But even
 considering, I mean it's sort of a bad beginning, we're not doing too bad. So
 I personally have faith that even in this lousy situation we're faced with we
 can make it. You get me?" - Leo Burlero/PKD
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|[email protected]   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|[email protected] | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+