RE: Warchalking is theft, says Nokia

[InfoSec News <isn () c4i org>]

Forwarded from: Marjorie Simmons <lawyer () carpereslegalis com>

[Disclaimer:    weekend muse -- this is not legal advice
                so do not take it as such.]

<museMode>
Drawing on a building is something we in the US have historically
considered 'graffiti'. Graffiti is generally considered a misdemeanor,
last time I checked anyway, (unless John Ashcroft has been busy again.
Perhaps now its seditious.)

More importantly, in the US, if an act is defined at law as criminal
(aka, not misdemeanor), it requires criminal intent.  Criminal intent
is borne in the perpetrator's state of mind, not the victim's. Extreme
example: what if the 9-11 terrorists chalked the trade towers as a hit
target before Sept 11?  Does that make the denizens of the towers
responsible for their fate because they didn't notice, or because they
did notice but took no action because the actual result was
unthinkable?

If a victim, any victim, is careless, or if they are a dolt who should
know better than to expose their business secrets to the world via an
unsecured wireless network, such carelessness does not magically morph
the victim into a position of criminal responsibility for the purpose
of assessing the criminality of someone else's act performed upon him.

The marking of a target can provide evidence for the prosecution of a
wrongful act later committed, but by itself does not necessarily
constitute a criminal act. Although chalking by itself constitutes no
theft that I can identify, services-theft or data-theft following such
chalking certainly may be assessed as criminal. If the chalker(s) are
also participants in such theft or intend that such marking be used by
others for such theft -- and such theft actually occurs -- such
chalking could be considered as part of a methodology of the criminal
act. Its pretty hard to prove a murder though, without the body, thus,
if there has been no access, or theft of data or services, such
graffiti seems to me simply graffiti.

Perhaps a person's carelessness directly results in his becoming a
crime victim, but though we bemoan such carelessness, the law does not
assign criminal responsibility to the victim without evidence of some
intent on the victim's part that the opening of a door to crime be
intended to actually result in that crime. A more general
carelessness, of course, usually subjects the victim to other pains.

Seems to me Pete's on the right track. Pete's offered some good
examples ... consider this one:

Lawyer A and Lawyer B are on opposite sides of a negotiation. Lawyer C
represents a company which is a stakeholder in the outcome of the
negotiation between A & B, but C is not a party to the negotiation.  
C has never broken the law or any of the legal ethics rules, and his
friends think him a bore. C's client company is desperate to find out
the details of A & B's communication before any deal is struck as the
deal could destroy C's company.  (C's client company, btw, makes
widgets free for the poor.)

C learns that A & B do not use encrypted communications by A & B
telling him so at an unrelated convention that they all attend. C
decides to hire a competent geek to do a bit of selective wardriving
in order to find out what A & B are up to.  C's geek chalks a good
spot for the job and then C's geek sends her one-time contract
employee to grab some in-the-clear data from A & B during
transmission. C thereby learns that A & B's deal, if done, will indeed
destroy C's client company.

C, armed with this new information, takes remedial measures that save
C's client's south end, but that do not disrupt the deal between A &
B.  A & B successfully complete their deal and never find out that
their communications have been compromised. They lose nothing as to
the outcome of their deal and C's client company is saved. C never
again resorts to such measures, and retires on his bonus for saving
his client. C's geek gets religion the next day and races off to
dogooder heaven in Timbuktu. Her contract employee goes back to his
day job as a firefighter in a major American city.

Where is the wrongdoing here?  Is it with A & B uncaringly putting C's
client out of business but for C's intervention, or are moral analyses
even relevant?  Is it with C's directive to C's geek to
surreptitiously peek at the data?  Is it with C's geek's contract
employee in actually accessing data?  Is C's geek's guilt measured the
same as C's, or as C's geek's contract employee?  If C and agents only
got as far as chalking and then stopped -- has a crime been committed?  
Is there any wrongdoing with A & B's carelessness in not protecting
their transmissions? If so, does it change the nature of C's (and his
agents') acts?  Is there a conspiracy here?  Do A & B's clients at
least lose the attorney-client privilege as to this deal because their
lawyers were fools?  (Certain Florida courts have ruled so.)  If so,
does that after-the-fact result change the nature of any prior
criminal act by others at all?

A helpful approach is not to simply ask where the wrongdoing is in any
given situation, but to analyze the nature of each of the wrongful
acts in order to determine what the proper responses and remedies
might be. In so doing, one may more easily sort out responsibility for
the criminal and for the simply careless, and the larger moral
observations from the more compartmentalized ethical obligations of
certain individuals, e.g., due care.  Otherwise we end up chasing
butterflies with sledgehammers.

These are the questions that are, unfortunately, not being assessed
too carefully of late in certain US government circles. With regard to
what constitutes criminality, and with resolve to rectify
vulnerability while keeping within the bounds of Constitutional law in
the US, it seems to me that not since the Civil War have US citizens
had a more compelling need to consider these questions such that
definitions of criminal acts and responses to them may be crafted
accordingly.

</museMode>

Marjorie Simmons

On Monday, September 23, 2002 1:02 am, InfoSec News [SMTP:isn () c4i org] wrote:
| Forwarded from: Pete Lindstrom <plindstrom () hurwitz com>
| 
| Hmmm, not sure if "due care" is a legal term or not, nor whether it
| applies to criminal activity.. It seems to me that "due care" can
| easily fly in the face of personal freedom.
| 
| I would argue that I have every right to hang an ethernet cable out my
| window on my property and not expect someone else to tap in, just like
| I would argue I should be able to leave my keys in the ignition
| without having my car stolen, women should be able to wear thongs at
| the beach without risking a pinch, I should be allowed to let certain
| people use my bike but not others, and I should be able to write
| run-on sentences if I want to (;-)). As long as I am not infringing on
| someone else's rights or creating a dangerous situation, etc., why
| shouldn't I be allowed to?
| 
| Now, does that make me smart? well, no. Naive? Probably (or more
| likely just plain dumb), 

 . . . snip

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.