Security Incidents mailing list archives

RE: Who's liable?


From: "Bullock, Steve (ISS Helsingborg)" <SBullock () iss net>
Date: Sun, 14 Oct 2001 21:07:39 -0400

After spending 20 years in law enforcement I can say that it all boils down
to the 'reasonable man' test.

Simply put, if the company has taken all 'reasonable' steps to protect
against this sort of misuse, they are not liable.  Conversely put, if they
give their staff carte blanche access to do anything, without any logging or
checking they are up the proverbial creek without a paddle.

To use 'macdaddy's' example of the car thief using the car to commit a crime.
If the cars are in a locked garage, without the keys left in them, the
company would not be liable for any misuse of the vehicle.   On the flip
side, if you leave a car open with the keys in, then you are aiding/abetting
the car theft.

Hope that helps

-----Original Message-----
From: macdaddy () neo pittstate edu [mailto:macdaddy () neo pittstate edu]
Sent: 14 October 2001 09:19
To: Kelly Martin
Cc: incidents () securityfocus org
Subject: Re: Who's liable?


On Sat, 13 Oct 2001, Kelly Martin wrote:

On Sat, Oct 13, 2001 at 06:57:13PM -0400, Rob Keown wrote:

If the site from which the attack is launched is ignorant of any criminal
activity then there is no *criminal* recourse. 

That's not necessarily true.  Under federal law, if you are
deliberately ignorant of (that is, you take affirmative efforts to
avoid having knowledge of) some fact or condition, then you can be
held to have had "knowledge" of that fact or condition, and if that
leads to criminal liability, then so be it.

So let's say I'm uu.net or some other gigantic ISP and that the technology
is there for me to record every piece of email my users send (and it is
there). I don't record every piece of email because that would be far from
feasible.  The hardware costs alone would be a half million or more.  
Hundreds of gigabytes of email pass through us each day. How can we record
it all?  User X at one of my many smaller branch companies sends a piece
of email to someone saying they are planning on blowing up a building or
hijacking a plane.  Since I don't record every byte of email, is my
company responsible under federal law by deliberately choosing to not spend
an ungodly amount of money? No.

Also, in general, there are lots of things where you can be criminally
liable for things you didn't know about, if you were reckless with
respect to them.  The classic example is the act of throwing a rock
off a tall building.  You have no knowledge that this rock will hit
anyone (either in particular or generally), but you are reckless
towards the possibility that the rock will hit someone and are thus
criminally liable for the consequences if it does.

Bad example.  My act of throwing the rock, knowing that it *could* cause
harm made me liable.  This can be twisted into all sorts of forms. I'm a
car salesman and I sell a car to a person that gets drunk and hits someone
on the road, killing them.  As a car salesman I know it could happen.  Am
I still liable?  Is the person that sold that new car owner the alcohol
liable, knowing that the person could get drunk from it and go driving
(assuming the person was of age and that it wasn't sold in a state that
lets religion disallow sales on Sunday)?  I sell illegal drugs to someone
that misuses them and kills themselves.  Am I liable?  I blindly shoot a
gun into the distance.  I don't know where it will hit.  It hits someone.
Am I liable?  Your example can be twisted to play both sides of the field.

Should this change? I don't think there is any legal precedent for someone
who is not "aware" of criminal intent to be held culpable. 

I read a case in my criminal law class of a shop owner who was held
vicariously and criminally liable for the acts of a non-employee in
the shop without the shopowner's permission.  The law did not place
any requirement of culpability on the part of the shop owner (not even
negligence); liability was absolute.  However, the Supreme Court did
limit the scope of vicarious absolute liability offenses to strictly
financial penalties.  The Court has held that the Constitution
requires at least a threshold level of individual culpability for
liability for an offense which can lead to incarceration.

Interesting.  I'd love to hear the circumstances surrounding the incident.

IMO, it is Constitutionally permissible for a state to make it a
criminal offense for a person to operate a computer system in such a
manner that a substantial, avoidable risk exists that that computer
system may be used in the furtherance of illegal acts, especially if
the operator of the computer is or should have been aware of the
substantial risk.  Whether any existing law does so is another
question.

If that's the case then no company would buy computers, knowing that
somebody could break in after hours and use them to hack somebody else.
They locked the building doors.  They have authentication to login to
their workstations.  The culprits took the time to boot from a floppy and
do their business.  Maybe they brought a laptop to do the hacking and just
used the company's network and high speed internet access to launch the
attack.  I guess the company never should have considered buying
switches, routers, and internet access knowing that some hacker could
break in and use them to cause damage.  If I was that company I'd also
reconsider purchasing company cars too.  After all the storage garage that
they are in could be broken into.  Someone could hot wire the cars and
jimmy the gate to get them out.  I'd hate to be the CEO of the company if
one of those cars was a getaway vehicle for a bank robbery because now I'm
liable for having something someone wanted to steal and use in a bad way.

There are many sides to every argument.

Justin


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
