IP: Re: proving guilt

[Dave Farber <farber@cis.upenn.edu>]

>From: "Andrew Grosso" <Agrosso@worldnet.att.net>
>To: <farber@cis.upenn.edu>
>Subject: Re: proving guilt
>Date: Thu, 23 Dec 1999 08:42:11 -0500
>
>As a former federal prosecutor, I read Russ' comments with some interest.  I
>agree with his ultimate conclusions but differ with the logic he uses to get
>to them.
>
>Put simply, tracing a computer crime to one person, and proving that what he
>did is a crime, posses difficulties which are common to many other
>categories of crimes, both reactive and white collar.   For example, the
>very first jury trial I prosecuted concerned a bank robbery where none of
>the five witnesses could identify the perpetrator, and where I had no
>photograph or finger print evidence.  The proof consisted of a large number
>of indicators each of which pointed to the defendant.  Taken individually,
>none of them could prove the defendant did it; taken together, they
>demonstrated beyond a reasonable doubt that no one else could have committed
>the offense.
>
>A more serious problem is defining what constitutes a "computer crime," and
>what constitutes a serious computer crime worth prosecuting.  The court
>dockets are growing with examples of people, usually young ones, who pull
>pranks or otherwise explore or push the limits of computer technology, and
>are then charged with or investigated for the crime of the century.
>Examples which quickly come to mind are LaMachia, Neidorf, Kaspureff,
>Thomas, Zimmermann.  Activity which would barely merit a glance from a
>police officer becomes the subject of Department of Justice press releases
>and arrest warrants simply because a computer or the Internet is involved.
>
>Now, Congress is getting into the Act:  the No Electronic Theft Act, the
>amendments to the Computer Crime and Abuse Act, the Digital Millennium
>Copyright Act, the Economic Espionage Act . . . .  Each makes it easier for
>law enforcement to prosecute a crime on the Net, but does it a way which
>loosens the definition of what is a crime.  Freedoms and the exercise of
>individuality are no  less precious because they are enjoyed on the Internet
>than in a public park.  Chilling the exercise of intellectual freedom is not
>the way to add safety to the Internet, and creating felons out of curious
>high  school kids who explore the limits of computer security are not the
>wisest means of building the new world.
>
>I suggest that it is incumbent upon the computer community to insure that
>criminalized conduct be limited to conduct that needs to be criminalized,
>and that the state does not water down its definitions of felony crimes to
>anything that proscribes what is merely inconvenient, or is curiosity which
>has gotten out of control, as the unintended consequence of trying to make
>it easier for law enforcement to prove their cases.
>
>-----Original Message-----
>From: Dave Farber <farber@cis.upenn.edu>
>To: ip-sub-1@majordomo.pobox.com <ip-sub-1@majordomo.pobox.com>
>Date: Thursday, December 23, 1999 5:53 AM
>Subject: IP: proving guilt
>
>
> >Date: Wed, 15 Dec 1999 09:27:09 -0500
> >From: Russ <Russ.Cooper@rc.on.ca>
> >Subject: Re: Melissa perpetrator faces five years in prison (RISKS-20.68)
> >IMO, there many risks that the case against Mr. Smith for Melissa may
> >bring to reality.
> >1. That a GUID may be accepted in court as a "signature" uniquely
> >identifying a particular human being. At best the GUID is circumstantial,
> >and it is far to easy to show GUIDs belonging to others (mistakenly or
> >intentionally) resident on your machine.
> >2. That it may be accepted as possible to prove the route which a
>particular
> >virus has traveled to get to the point where its deemed "in the wild", and
> >presumably therefore actionable, solely on the basis of computer evidence.
> >2a. What is the crime? Making the virus, or releasing it "in the wild"?
> >Surely making a virus is not a crime, so the test comes down to proving who
> >released it "in the wild". Since that action must be done with intent,
> >computer data alone, demonstrating that a particular file originated from a
> >particular disk, still does not prove intent. If I were to co-opt Peter's
> >machine and use it to send a virus to a Usenet list, should Peter be held
> >liable for the damages of the virus?
> >2b. How is it proven? Computer data is malleable, and while Word documents
> >may store revision information, and even information from RAM totally
> >unrelated to the original document, it is possible that all of that
> >information can be placed into another file either in addition to, or
> >replacing, the 2nd document's original information. As such, its again
> >circumstantial evidence of origin and even ownership.
> >It is quite easy to villainize virus writers and infectors in the same way
> >"two Arab men" were responsible for the Oklahoma bombing. An entire
>industry
> >is available for testimony as to the damage suffered by Corporate America
> >every day as a result of the actions of the few virus writers. The NIPC,
>and
> >therefore the FBI, are desperate to show they have the savvy to catch
> >Cyber-criminals and justify their stance and actions.
> >IOWs, there's a significant weight against Mr. Smith if we allow
>prosecution
> >testimony to go unchallenged for the vapor-thoughts it may well be. It must
> >be shown that such conclusions, based solely on computer data, can easily
>be
> >manufactured against anyone.
> >I have thought long and hard about how it may be possible to prove an
> >individual is guilty of a particular computer crime. A confession, today,
> >could be given simply to garner the publicity and reap the benefits after
> >the jail term is served (do you think any conference would not pay to have
> >Mr. Smith talk after he was released, if he could speak intelligibly?
> >... book deals ... guest spots ...) Criminals used to take the rap and not
> >talk in order to get the loot when they were released ...;-]
> >Without another human being present during each of the steps required to
> >release a virus into the wild with malicious or harmful intent, a
>conviction
> >on circumstantial computer evidence would lead to many serious problems,
> >IMO.
> >If the above evidence, assuming its present and the basis of the case
> >against Mr. Smith, is accepted in court and the jury finds its credible, it
> >will be far too easy to convict innocent individuals of computer crimes in
> >the future.
> >Smith may well be guilty, and he is not my focus here. We must ensure that
> >his conviction does not establish the wrong precedence's, lest we give the
> >"enemy" the ammunition to get each and every one of us convicted of
> >something, somewhere, based on the same quality of evidence.
> >I remind you that I, like most of you, have not seen the evidence against
> >Mr. Smith and this is based solely on the media reports about its content
> >... therefore, I may be totally off-base ... but the risk is real no
>matter.
> >Russ - NTBugtraq Editor
> >
> >
> >