Security Incidents mailing list archives
Re: Who's liable?
From: <macdaddy () neo pittstate edu>
Date: Sun, 14 Oct 2001 02:18:33 -0500 (CDT)
On Sat, 13 Oct 2001, Kelly Martin wrote:
On Sat, Oct 13, 2001 at 06:57:13PM -0400, Rob Keown wrote:If the site from which the attack is launched is ignorant of any criminal activity then there is no *criminal* recourse.That's not necessarily true. Under federal law, if you are deliberately ignorant of (that is, you take affirmative efforts to avoid having knowledge of) some fact or condition, then you can be held to have had "knowledge" of that fact or condition, and if that leads to criminal liability, then so be it.
So let's say I'm uu.net or some other gigantic ISP and that the technology is there for me to record every piece of email my users send (and it is there). I don't record every piece of email because that would be far from feasible. The hardware costs alone would be a half million or more. Hundreds of gigabytes of email pass through us each day. How can we record it all? User X at one of my many smaller branch companies sends a piece of email to someone saying they are planning on blowing up a building or hijacking a plane. Since I don't record every byte of email, is my company responsible under federal law by deliberatly choosing to not spend an ungodly amount of money? No.
Also, in general, there are lots of things where you can be criminally liable for things you didn't know about, if you were reckless with respect to them. The classic example is the act of throwing a rock off a tall building. You have no knowledge that this rock will hit anyone (either in particular or generally), but you are reckless towards the possibility that the rock will hit someone and are thus criminally liable for the consequences if it does.
Bad example. My act of throwing the rock, knowing that it *could* cause harm made me liable. This can be twisted into all sorts of forms. I'm a car salesman and I sell a car to a person that gets drunk and hits someone on the road, killing them. As a car salesman I know it could happen. Am I still liable? Is the person that sold that new car owner the alcohol liable, knowing that the person could get drunk from it and go driving (assuming the person was of age and that it wasn't sold in a state that lets religion disallow sales on Sunday)? I sell illegal drugs to someone that misuses them and kills themselves. Am I liable? I blindly shoot a gun into the distance. I don't know where it will hit. It hits someone. Am I liable? Your example can be twisted to play both sides of the field.
Should this change? I don't think there is any legal precedent for someone who is not "aware" of criminal intent to be held culpable.I read a case in my criminal law class of a shop owner who was held vicariously and criminally liable for the acts of a non-employee in the shop without the shopowner's permission. The law did not place any requirement of culpability on the part of the shop owner (not even negligence); liability was absolute. However, the Supreme Court did limit the scope of vicarious absolute liability offenses to strictly financial penalties. The Court has held that the Constitution requires at least a threshhold level of individual culpability for liability for an offense which can lead to incarceration.
Interesting. I'd love to hear the circumstances surrounding the incident.
IMO, it is Constitutionally permissible for a state to make it a criminal offense for a person to operate a computer system in such a manner that a substantial, avoidable risk exists that that computer system may be used in the furtherance of illegal acts, especially if the operator of the computer is or should have been aware of the substantial risk. Whether any existing law does so is another question.
If that's the case than no company would buy computers, knowing that somebody could break in after hours and use them to hack somebody else. They locked the building doors. They have authentication to login to their workstations. The culprits took the time to boot from a floppy and do their business. Maybe they brought a laptop to do the hacking and just used the company's network and high speed internet access to launch the attack. I guess the company never should have considered buying a switches, routers, and internet access knowing that someone hacker could break in and use them to cause damage. If I was that company I'd also reconsider purchasing company cars too. After all the storage garage that they are in could be broken into. Someone could hot wire the cars and jimmy the gate to get them out. I'd hate to be the CEO of the company if one of those cars was a getaway vehicle for a bank robbery because now I'm liable for having something someone wanted to steal and use in a bad way. There are many sides to every arguement. Justin ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Who's liable?, (continued)
- RE: Who's liable? Russell Berry (Oct 13)
- RE: Who's liable? Brian Taylor (Oct 14)
- Re: Who's liable? Frank (Oct 14)
- RE: Who's liable? Michael Conlen (Oct 14)
- RE: Who's liable? Rob Keown (Oct 13)
- Re: Who's liable? Kelly Martin (Oct 13)
- Re: Who's liable? Doug Foster (Oct 14)
- Re: Who's liable? Kelly Martin (Oct 14)
- RE: Who's liable? Shashi Dookhee (Oct 14)
- Re: Who's liable? HarryM (Oct 14)
- Re: Who's liable? macdaddy (Oct 14)
- Message not available
- Re: Who's liable? Jason Giglio (Oct 14)
- Re: Who's liable? Kelly Martin (Oct 13)
- RE: Who's liable? Russell Berry (Oct 13)