Nmap Announce mailing list archives
RE: Draft Convention on Cybercrime
From: Marjorie Simmons <lawyer () usit net>
Date: Mon, 5 Jun 2000 16:09:49 -0400
Many of you have written to me with various questions and comments on this thread, ranging from "but what can I do to help?" and "why is this a problem?", to "is such and so an act that would fall under the criminal provisions of xyz law?" I reply here to your questions collectively in the interest of bandwidth conservation and apologize in advance to List members who are not interested in this thread.

Tying the intent of tool design to the intent of a distribution and to the intent of a given use (as outlined in the draft of the Treaty) is problematic because categorizing and tying together design, distribution and use intent is defining what makes an action criminal by focusing on a result rather than a process, and thereby attempts to make bananas by crossing apples with oranges. It's trying to make laws to govern acts that have yet to be _either_ defined or agreed upon as criminal acts, instead of first defining and agreeing on what makes a digital electronic product and its use criminal. It simply puts the cart before the horse.

As to the product designer: The laws of product liability govern whether the maker of a product gets held accountable for making an inherently dangerous product, and in the US a products liability action is a civil action (absent fraud and prior restraint), not a criminal action. Almost always it is fraud in a products liability action that gives rise to criminal liability, because fraud shows wrongful act intent, and intent is key in a products liability criminal action.

As to the product user: Unauthorized access of a system, i.e. "without right", is essentially a trespass. Trespass is generally a tort, not a crime, absent some further regulation coupled with notice. Criminal trespass, as unauthorized access in the face of regulation and notice, is intentional access in the face of notice, and is usually, in practice, coupled with some other wrongdoing, e.g., property destruction.
The laws governing what constitutes a criminal trespass in a non-electronic venue vary from country to country, and indeed, from state to state in the US. I've observed that in most jurisdictions the courts don't even know what questions to start with in a case of digital trespass, let alone which existing laws might be molded to the issues at hand. However, that is thankfully starting to change.

As to the applicability of existing laws: Many of the US states have enacted laws governing what constitutes a digital criminal trespass, but there is no elucidation, that I am aware of, in any US state statute or case law of how and why pinging or scanning ports might constitute such a trespass. (Flame on if I missed one.) The federal Digital Millennium Copyright Act (DMCA) prohibits manufacturing, distributing, and offering to the public the tools or services to perform copyright circumvention or "hacking" of a copyrighted item. This statute could conceivably be interpreted to prohibit pinging and port scanning of someone else's system where the ports so scanned are protected by a firewall or hw/sw design whose copyright owner's claim in that design is colorable. To my knowledge this claim-type has never been brought (yet), but it wouldn't surprise me to see it used by a creative lawyer.

Some examples of products & trespass claims:

Let's say that I design a product which injures foreseeably as it is inherently dangerous, e.g., fireworks, and I put the product into the stream of commerce without warnings or controls. You are injured by your use of the fireworks. Now you sue me in a court in the US. You plead inherently dangerous product, no warnings, and no controls, and as you inadvertently shot the fireworks into your neighbor's house, your neighbor has sued you for trespass: result = strict liability on my part and I lose unless I can show your knowledge and negligence somehow offsets the dangerousness of the product. I am not liable to you, however, for your trespass of bottle rockets flying into your neighbor's kitchen.

Let's say I make another product that injures because it is put to use in a fashion I didn't intend and in fact warned against when I put it into the stream of commerce, e.g., a pharmaceutical that is intended to treat a specific condition and has controlled availability. In suing me you plead foreseeable recreational drug use: result = no liability on my part because (1) design intent did not encompass the ultimate use in this case, (2) I warned, and (3) I controlled the product's entry into the market in order to guard against use by unintended parties and use in a fashion unintended. If your child dies from OD'ing on your prescription, that is, unfortunately, your problem, in this case.

Now let's take a new product: nmap. It (1) is not inherently dangerous, (2) has a legitimate use that will belie any identification as what should be considered contraband (unless you're in China), and (3) it is foreseeable that some might use it in the furtherance of committing a criminal act (a criminal trespass.) Now assume a cracker uses it to scope out a system as a prelude to entering (without right) and destroying property. The crack includes placing some vbs to find and delete some specific files. In such a case, both nmap and vbs are tools used "in furtherance of" the criminal act, they are not the criminal act itself. No products liability for the maker (or for the distributor of the products, absent governmental distribution controls), and for both products, their use as tools in furtherance of a criminal act is but evidentiary in value. The fact that both products could foreseeably be used in furtherance of an illegal act is inconsequential, given that neither is designed to be so used, and notwithstanding the fact that neither M$oft nor Fyodor have, prior to releasing the products into the stream of commerce, warned anyone as to the products' potential for unlawful use.

Here then are the biggest problems with the draft of the Treaty:

(1) there is no internationally accepted definition of nor agreement upon what constitutes an act of criminal trespass in a traditional, non-electronic form, let alone in a digital venue;
(2) there is no internationally accepted definition or legal treatment of a case of criminal electronic products liability;
(3) there is rampant ignorance on the part of lawmakers as to how a computer system trespass might happen at all and as to why a computer-oriented product's maker might be criminally liable in a products liability action; and
(4) there is, further, no authority (other than perhaps the IETF with a lot of help by some tech-savvy lawyers from a lot of different countries) that could define, to the satisfaction of a multinational political base in a one-size-fits-all fashion, either a digital trespass or a digital products liability criminal act.
(5) the very design of the Net and the products designed for its navigation implicitly recognize not just the right of The Ping, but its absolute necessity.

"Without right" is what calls for international agreement on what constitutes a criminal trespass.

"Designed or adapted [specifically] [primarily] [particularly] for the purpose of committing ..." must be split up into (a) what constitutes criminal products liability for a product maker (products liability for design of an inherently dangerous product), and (b) what, likewise, constitutes unlawful adaptation (a use that is also a design -- as in an unlawful alteration of a product of potentially controlled distribution).

By its terms, the draft of the Treaty assumes that the individual countries will each sufficiently decide what is "without right", but, because of the very interconnectedness of the Net and the implicit connections permissions granted through the design of browser software, amongst other softwares, differing laws from nation to nation on this issue make no sense, as many of you have surmised. I don't know that the problems are exacerbated by the people in the Council's agendas, or that they are stupid; I think the draft of the Treaty's problems lie in the draft's simple short-sightedness fueled by technical ignorance. The ignorance part is easily remedied, but the shortsightedness may not be.

All these concepts must be agreed upon transnationally before they are of any use, and certainly before the results of a case with these concepts at issue can be examined and dissected in the genesis of an international legal construct designed to govern them. Without prior incorporation of an international agreement defining what makes a digital criminal trespass, & an inherently dangerous digital product, this draft of the Treaty is not only meaningless but creates further legal issue obscurity.

I suggest (to those of you who want to see legal clarity happen that doesn't outlaw legitimate and respected systems tools) that you

(1) contact both the IETF and the Council and strongly suggest they act in concert,
(2) contact your governmental representatives with the suggestion in (1), above,
(3) donate some time to the organization of your choice that speaks with a collective voice on the issues at hand.
To those of you who have asked questions specific to a jurisdiction that falls outside the one in which I am licensed (South Carolina), I must refer you to an attorney licensed in your jurisdiction. The rules governing practicing law require that I not practice outside my jurisdiction absent being associated in a particular matter by an attorney within your jurisdiction. If you need a referral, just let me know.

Hope this helps,
Marjorie

Marjorie Simmons, Esq.
PO Box 870
Taylors, SC 29687
864.609.0259
lawyer () usit net

~~~~~~~~~~
"I planted some bird seed. A bird came up. Now I don't know what to feed it."
--Steven Wright

Warning: Do not drink the battery acid. It doesn't taste good and will hurt you. Also do not bite the tyres, especially while the bike is moving. Our lawyers made us put these warnings in.
- An Australian motorcycle manual
~~~~~~~~~~