IP: proving guilt

[Dave Farber <farber () cis upenn edu>]

Date: Wed, 15 Dec 1999 09:27:09 -0500
From: Russ <Russ.Cooper () rc on ca>
Subject: Re: Melissa perpetrator faces five years in prison (RISKS-20.68)
IMO, there many risks that the case against Mr. Smith for Melissa may
bring to reality.
1. That a GUID may be accepted in court as a "signature" uniquely
identifying a particular human being. At best the GUID is circumstantial,
and it is far to easy to show GUIDs belonging to others (mistakenly or
intentionally) resident on your machine.
2. That it may be accepted as possible to prove the route which a particular
virus has traveled to get to the point where its deemed "in the wild", and
presumably therefore actionable, solely on the basis of computer evidence.
2a. What is the crime? Making the virus, or releasing it "in the wild"?
Surely making a virus is not a crime, so the test comes down to proving who
released it "in the wild". Since that action must be done with intent,
computer data alone, demonstrating that a particular file originated from a
particular disk, still does not prove intent. If I were to co-opt Peter's
machine and use it to send a virus to a Usenet list, should Peter be held
liable for the damages of the virus?
2b. How is it proven? Computer data is malleable, and while Word documents
may store revision information, and even information from RAM totally
unrelated to the original document, it is possible that all of that
information can be placed into another file either in addition to, or
replacing, the 2nd document's original information. As such, its again
circumstantial evidence of origin and even ownership.
It is quite easy to villainize virus writers and infectors in the same way
"two Arab men" were responsible for the Oklahoma bombing. An entire industry
is available for testimony as to the damage suffered by Corporate America
every day as a result of the actions of the few virus writers. The NIPC, and
therefore the FBI, are desperate to show they have the savvy to catch
Cyber-criminals and justify their stance and actions.
IOWs, there's a significant weight against Mr. Smith if we allow prosecution
testimony to go unchallenged for the vapor-thoughts it may well be. It must
be shown that such conclusions, based solely on computer data, can easily be
manufactured against anyone.
I have thought long and hard about how it may be possible to prove an
individual is guilty of a particular computer crime. A confession, today,
could be given simply to garner the publicity and reap the benefits after
the jail term is served (do you think any conference would not pay to have
Mr. Smith talk after he was released, if he could speak intelligibly?
... book deals ... guest spots ...) Criminals used to take the rap and not
talk in order to get the loot when they were released ...;-]
Without another human being present during each of the steps required to
release a virus into the wild with malicious or harmful intent, a conviction
on circumstantial computer evidence would lead to many serious problems,
IMO.
If the above evidence, assuming its present and the basis of the case
against Mr. Smith, is accepted in court and the jury finds its credible, it
will be far too easy to convict innocent individuals of computer crimes in
the future.
Smith may well be guilty, and he is not my focus here. We must ensure that
his conviction does not establish the wrong precedence's, lest we give the
"enemy" the ammunition to get each and every one of us convicted of
something, somewhere, based on the same quality of evidence.
I remind you that I, like most of you, have not seen the evidence against
Mr. Smith and this is based solely on the media reports about its content
... therefore, I may be totally off-base ... but the risk is real no matter.
Russ - NTBugtraq Editor