IP: Re: proving guilt

[Dave Farber <farber () cis upenn edu>]

> From: "Andrew Grosso" <Agrosso () worldnet att net>
> To: <farber () cis upenn edu>
> Subject: Re: proving guilt
> Date: Thu, 23 Dec 1999 08:42:11 -0500
>
> As a former federal prosecutor, I read Russ' comments with some interest.  I
> agree with his ultimate conclusions but differ with the logic he uses to get
> to them.
>
> Put simply, tracing a computer crime to one person, and proving that what he
> did is a crime, posses difficulties which are common to many other
> categories of crimes, both reactive and white collar.   For example, the
> very first jury trial I prosecuted concerned a bank robbery where none of
> the five witnesses could identify the perpetrator, and where I had no
> photograph or finger print evidence.  The proof consisted of a large number
> of indicators each of which pointed to the defendant.  Taken individually,
> none of them could prove the defendant did it; taken together, they
> demonstrated beyond a reasonable doubt that no one else could have committed
> the offense.
>
> A more serious problem is defining what constitutes a "computer crime," and
> what constitutes a serious computer crime worth prosecuting.  The court
> dockets are growing with examples of people, usually young ones, who pull
> pranks or otherwise explore or push the limits of computer technology, and
> are then charged with or investigated for the crime of the century.
> Examples which quickly come to mind are LaMachia, Neidorf, Kaspureff,
> Thomas, Zimmermann.  Activity which would barely merit a glance from a
> police officer becomes the subject of Department of Justice press releases
> and arrest warrants simply because a computer or the Internet is involved.
>
> Now, Congress is getting into the Act:  the No Electronic Theft Act, the
> amendments to the Computer Crime and Abuse Act, the Digital Millennium
> Copyright Act, the Economic Espionage Act . . . .  Each makes it easier for
> law enforcement to prosecute a crime on the Net, but does it a way which
> loosens the definition of what is a crime.  Freedoms and the exercise of
> individuality are no  less precious because they are enjoyed on the Internet
> than in a public park.  Chilling the exercise of intellectual freedom is not
> the way to add safety to the Internet, and creating felons out of curious
> high  school kids who explore the limits of computer security are not the
> wisest means of building the new world.
>
> I suggest that it is incumbent upon the computer community to insure that
> criminalized conduct be limited to conduct that needs to be criminalized,
> and that the state does not water down its definitions of felony crimes to
> anything that proscribes what is merely inconvenient, or is curiosity which
> has gotten out of control, as the unintended consequence of trying to make
> it easier for law enforcement to prove their cases.
>
> -----Original Message-----
> From: Dave Farber <farber () cis upenn edu>
> To: ip-sub-1 () majordomo pobox com <ip-sub-1 () majordomo pobox com>
> Date: Thursday, December 23, 1999 5:53 AM
> Subject: IP: proving guilt
>
>
> > Date: Wed, 15 Dec 1999 09:27:09 -0500
> > From: Russ <Russ.Cooper () rc on ca>
> > Subject: Re: Melissa perpetrator faces five years in prison (RISKS-20.68)
> > IMO, there many risks that the case against Mr. Smith for Melissa may
> > bring to reality.
> > 1. That a GUID may be accepted in court as a "signature" uniquely
> > identifying a particular human being. At best the GUID is circumstantial,
> > and it is far to easy to show GUIDs belonging to others (mistakenly or
> > intentionally) resident on your machine.
> > 2. That it may be accepted as possible to prove the route which a
> particular
> > virus has traveled to get to the point where its deemed "in the wild", and
> > presumably therefore actionable, solely on the basis of computer evidence.
> > 2a. What is the crime? Making the virus, or releasing it "in the wild"?
> > Surely making a virus is not a crime, so the test comes down to proving who
> > released it "in the wild". Since that action must be done with intent,
> > computer data alone, demonstrating that a particular file originated from a
> > particular disk, still does not prove intent. If I were to co-opt Peter's
> > machine and use it to send a virus to a Usenet list, should Peter be held
> > liable for the damages of the virus?
> > 2b. How is it proven? Computer data is malleable, and while Word documents
> > may store revision information, and even information from RAM totally
> > unrelated to the original document, it is possible that all of that
> > information can be placed into another file either in addition to, or
> > replacing, the 2nd document's original information. As such, its again
> > circumstantial evidence of origin and even ownership.
> > It is quite easy to villainize virus writers and infectors in the same way
> > "two Arab men" were responsible for the Oklahoma bombing. An entire
> industry
> > is available for testimony as to the damage suffered by Corporate America
> > every day as a result of the actions of the few virus writers. The NIPC,
> and
> > therefore the FBI, are desperate to show they have the savvy to catch
> > Cyber-criminals and justify their stance and actions.
> > IOWs, there's a significant weight against Mr. Smith if we allow
> prosecution
> > testimony to go unchallenged for the vapor-thoughts it may well be. It must
> > be shown that such conclusions, based solely on computer data, can easily
> be
> > manufactured against anyone.
> > I have thought long and hard about how it may be possible to prove an
> > individual is guilty of a particular computer crime. A confession, today,
> > could be given simply to garner the publicity and reap the benefits after
> > the jail term is served (do you think any conference would not pay to have
> > Mr. Smith talk after he was released, if he could speak intelligibly?
> > ... book deals ... guest spots ...) Criminals used to take the rap and not
> > talk in order to get the loot when they were released ...;-]
> > Without another human being present during each of the steps required to
> > release a virus into the wild with malicious or harmful intent, a
> conviction
> > on circumstantial computer evidence would lead to many serious problems,
> > IMO.
> > If the above evidence, assuming its present and the basis of the case
> > against Mr. Smith, is accepted in court and the jury finds its credible, it
> > will be far too easy to convict innocent individuals of computer crimes in
> > the future.
> > Smith may well be guilty, and he is not my focus here. We must ensure that
> > his conviction does not establish the wrong precedence's, lest we give the
> > "enemy" the ammunition to get each and every one of us convicted of
> > something, somewhere, based on the same quality of evidence.
> > I remind you that I, like most of you, have not seen the evidence against
> > Mr. Smith and this is based solely on the media reports about its content
> > ... therefore, I may be totally off-base ... but the risk is real no
> matter.
> > Russ - NTBugtraq Editor