Cyb3r Crim3

August 2006 - Posts
Aug 28

Trojan horses and SODDIs

A Trojan horse program is a type of malware, or malicious software. Like other malware, it installs itself surreptitiously on a computer; unlike other types of malware, a Trojan horse lets the person who disseminated it remotely control the computer(s) on which it installed itself. The person who controls the Trojan will have complete access to the data on the compromised computer and can copy it, delete it or put new data on the computer.

The last feature is what I want to talk about today. It's given rise to what is called the "Trojan horse defense." A friend and I wrote a law review article analyzing how prosecutors can rebut the defense. (Susan Brenner, Brian Carrier & Jef Henninger, The Trojan Horse Defense in Cybercrime Cases, 21 Santa Clara Computer and High Technology Law Journal 1 (2004)). The article focuses both on legal arguments and technical issues a prosecutor facing the defense can use to rebut it. It goes into a great deal of detail -- today, I want to talk generally about the Trojan horse defense (THD) and some of the issues it raises.

The THD became notorious in 2003, when Aaron Caffrey used it in the United Kingdom. Caffrey was charged, basically, with hacking into the Port of Houston computers and causing them to shut down. His defense attorney conceded the attack came from Caffrey's laptop computer, but claimed Caffrey was not responsible for the attack, that he had, in effect, been "framed" by other hackers who installed Trojan horse programs on his laptop and used them to attack the Port of Houston computers. In an effort to rebut this defense, the prosecution pointed out that no trace of Trojan horse programs had been found on the laptop; the defense countered by explaining that the Trojan horse programs had been "self-erasing" Trojans, so no trace would remain. The jury clearly bought the defense's argument, as it acquitted Caffrey.

This was not the first instance in which the THD had been used in the UK, but the Caffrey case received far more publicity than the earlier instance(s) in which the defense was raised. News stories pointed out that Caffrey's defense raised serious challenges for prosecutors. As one observer noted, the "case suggests that even if no evidence of a computer break-in is unearthed on a suspect's PC, they might still be able to successfully claim that they were not responsible for whatever their computer does, or what is found on its hard drive." And others pointed out that someone could establish the factual basis for such a defense by having Trojan horse programs on their computer.

As we note in the article, the THD is a new version of a very old defense: the SODDI defense (as it is known in the U.S.). SODDI stands for "some other dude did it." When a defendant raises a SODDI defense, he (or she) concedes that a crime was committed but blames someone else for its commission. The SODDI defense is usually not very successful in real-world prosecutions (the O.J. Simpson case is a major exception). When a defendant raises a SODDI defense in a prosecution for a traditional, real-world crime -- like, say, murder or rape -- he claims the crime was committed by an unknown someone else. Jurors tend to be skeptical of claims like this, especially if, as is usually the case, the prosecution is able to link the defendant to the crime by showing motive, opportunity and/or incriminating evidence that is in his possession or can be traced to him (DNA, fingerprints, etc.). Jurors are skeptical of claims like this because they understand how the real world works.

The SODDI defense has been much more successful in cybercrime cases because they involve a context which most jurors don't really understand, or understand only enough to buy defense claims like Caffrey's contention about being framed by self-erasing Trojan horse programs.

(I'm not a technically trained person, so I cannot opine on the likelihood of self-erasing Trojans. I know people who are technically trained who do not believe they exist. If they do not exist now, I assume they will at some point, so I don't see this as a particularly important issue, at least not for the prosecution.)

In cybercrime cases, the SODDI defense turns the tables on the prosecution: In a criminal case, the prosecution has the burden of proving all the elements of the crime beyond a reasonable doubt and the defense has the burden of proving an affirmative defense by a preponderance of the evidence.
  • The preponderance standard is much lower than the standard the prosecution must meet, but it ensures that the defense cannot present some purely frivolous theory to the jury.
  • Affirmative defenses concede that a crime has been committed but assert there is some reason why the defendant should not be held liable for it, such as that the defendant is insane or that he acted in self-defense.
To get a THD before the jury, the defense must therefore present credible evidence that would let a "reasonable juror" find that the defense had proven that the crime was virtually committed by Some Other Dude, using a Trojan horse. In the Caffrey case, this evidence came in the form of Aaron Caffrey's testimony to the jury; Caffrey, who admitted he was a hacker, acted as his own expert witness, which was particularly important given that no Trojan horse programs were found on his computer.

If a Trojan horse program is found on a defendant's computer, that would provide the factual basis for getting the defense to the jury . . . that along with testimony which establishes what a Trojan horse program is and what it does. Once the defense does this, the ball is now in the prosecution's court: The prosecution must rebut the defense, which means it must prove beyond a reasonable doubt that it was the defendant -- not Some Other Dude Using a Trojan Horse -- who committed the crime(s) charged. This is where the difficulty arises.

The prosecution now is obligated to prove a negative: that it was not Some Other Dude Using a Trojan Horse program who hacked the Port of Houston, collected child pornography or committed some other cybercrime. Proving a negative can be difficult, especially in this context.

As opposed to instances in which a defendant raises a SODDI defense in a real-world criminal case, the prosecution cannot rely on the jury's ability to use their common sense to assess the merits of and then reject the defense as implausible because the defense is grounded in what is still, for many, a distinctly "uncommon" context: the virtual environment of computers, hard drives and cyberspace. Some jurors may know nothing about technology, which really gives them no conceptual framework to use in judging the merits of a THD. This, I think, makes them something of a wild card; their decision to go with the prosecution or the defense may be made arbitrarily, a juror's equivalent of flipping a coin.

Other jurors may know a little about technology, enough to know what viruses are and to have a general idea of what they can do. As far as the prosecution is concerned, a little knowledge may be a dangerous thing: These jurors may understand enough about technology to be willing to believe that Trojan horses (and other types of malware) can do things they may not be able to do at all, or may not have been able to do given the facts in the case before them.

(I'm not sure where I come out on jurors who know a lot about technology. They might be able to analyze and reject the factual foundation of a shaky/untenable THD or they might over-analyze the evidence presented and so buy into the defense. I guess one reason I am not sure where I come out on these jurors is that I think they are likely to be very scarce in the jury pool.)

Assuming, as I think is reasonable, that the jury is made up of people with little or no knowledge of technology, how does the prosecution rebut the defense's presentation of a THD? It seems that the prosecution will have to dissect the technical basis of the defense to do so; the Caffrey prosecution showed that no Trojan horses were on Caffrey's laptop, and asked the jury to infer from this that it was Caffrey, not a Trojan horse program being used by someone else, who shut down the computers at the Port of Houston.

But if Trojan horses are found on the suspect's computer, the prosecution will have to get into the specifics of technology -- its capabilities and limitations -- to rebut the THD. This, I think, creates real difficulties for prosecutors, because it requires that they be able to explain abstruse, technical concepts and processes to a lay jury in a way laypeople can understand and can use that understanding to conduct a critical assessment of the THD presented to them. That can be a very difficult process; it will require, I think, not only expert witnesses, but the skillful use of graphics -- animations, diagrams, maybe physical exhibits -- that can really let jurors grasp what would have had to occur for the THD to be valid and why that did not occur (establishing, by inference, that the THD defense is invalid). Doing all that can be a huge undertaking for the average prosecutor/prosecutor's office, as it requires time, expertise and the money to pay for the creation of the necessary demonstrative evidence (animations, diagrams, etc.).

For now, I suspect the defense enjoys the advantage with regard to the THD, which is why I am surprised that we have not seen it used more in this country (it still seems to be used, often successfully, in the United Kingdom).

The only American case I know of in which it has been used successfully is an Alabama state tax fraud/tax evasion prosecution against Eugene Pitts, a Hoover, Alabama accountant. Pitts was accused of underreporting income on his tax returns for 1997, 1998 and 1999. He admitted there were errors on his returns for those years, but blamed the errors on a computer virus. Although prosecutors pointed out that the alleged virus did not affect the client tax returns Pitts prepared on the same computer, the jury acquitted him of all charges after deliberating for 3 hours . . . another "Caffrey verdict."

I assume the infrequency with which a THD has been used in this country has something to do with the defense bar's unfamiliarity with technology. Other than that, I cannot imagine why it does not show up more often, especially given the frequency with which the real-world variant of the SODDI defense is used.

Everything I have said in this post has been directed at the prosecution's burden and ability to rebut a THD defense. Everything I have said so far therefore assumes the invocation of the defense is frivolous, as it was, IMHO, in the Caffrey and Pitts cases. And I think that is likely to be true in many (most?) of the cases in which a THD is used.

It will not, however, be true in every case. As people knowledgeable about computer technology will tell you, a Trojan horse program could easily be used to frame someone for a crime. While it seems exceedingly unlikely ("incredible") that a Trojan horse program could put 15,000 images of child pornography sorted into folders and sub-folders on someone's hard drive without their knowing it, a Trojan horse could be used to frame someone for fraud, embezzlement or other crimes, even murder.

Think about it:  Do you know everything that is on your hard drive . . . every file folder, every file? I can't imagine that you do, given the amount of data most of us acquire. And how many of us ever check to see what, exactly, is on our hard drive? Maybe other people do; I don't (and I hope I'm not inviting someone to frame me by admitting that . . . ).

The possibility makes me think of the old TV series, The Fugitive. In the TV series (and in the movie), Dr. Richard Kimble is adventitiously framed by the one-armed man who kills Kimble's wife. Kimble's SODDI defense (asserting that the mysterious one-armed man, whom only he saw, killed his wife) fails, and he is convicted of the crime. The same thing could be done, more calculatedly and with far less risk to the framer, by using a Trojan horse program.

Imagine a twenty-first century version of The Fugitive: Kimble's wife becomes ill so he takes her to the hospital, where she dies; the autopsy shows she died of ricin poisoning. As in the series, Kimble and his wife had been fighting; the evidence of marital discord encourages the police to take him seriously as a suspect in her death. Police obtain a search warrant, seize the computer in their home and search it. On its hard drive, they find evidence (downloaded data, evidence of Internet searches) that Kimble researched the toxicity of ricin poisoning and the processes used to extract ricin from castor beans. (They might also find ricin in the house somewhere, maybe in a place Kimble uses.) This would be enough to charge him with his wife's death (absent other contravening facts) and probably enough to convict him (absent a compelling defense).

In this scenario, Kimble could try asserting a THD to disclaim responsibility for the research into ricin poisoning, but the THD would not be as effective here as it could be in a "pure" cybercrime case. Here, a Trojan horse program is being used, in part, to frame someone for a real-world crime, murder. The potential for persuading the jury (correctly, in this instance) that someone used a Trojan horse program to put the ricin data on the computer as part of a larger plot to frame Kimble for his wife's death would be undermined by that fact because the jurors would be likely to concentrate on the real-world aspects of the crime (death, fighting, ricin, opportunity, etc.) and use their common sense (no one said it's infallible) to conclude that he did it.

I could go on, but I hope I've made my point. The Trojan horse defense is a two-edged sword: It can be used by guilty parties seeking to avoid being held liable for what they have done; but it can also be used to frame


Aug 23

Encrypted Hard Drives and the Constitution

I mentioned, in a comment on my last post, that I did a presentation for a group a few months ago about Customs Officers’ ability to search the hard drives of laptops being carried by someone entering the country or about to leave the country.

In my last post I talked about how the border search exception lets (apparently, anyway – so far every federal court to address the issue has upheld the application of the exception in this context) the officers do this, and why.  After I did my presentation on that issue to the group, one of the people in the audience came up to me, quite agitated.  He said he handles computer security (in some capacity, I didn’t quite get the context) for a company, the executives of which often travel into and out of the country carrying laptops.  He said the laptop hard drives have proprietary information on them, and are therefore encrypted.  He was concerned about a Customs Officer’s wanting to see the files on the laptop.

At first, I am afraid I did not take the question that seriously – I told him (which I think is true) that the executives probably are not likely to have their laptops searched (but that was before the recent UK airline bombing plot, so who knows now).  That was a bad answer because it, of course, leaves open the possibility that they might have the laptop hard drives searched.  And he, very reasonably, was not happy with that answer, so he pressed for a better one.  He made it clear that the concept of giving the officer the encryption key was simply not an option because of the very sensitive nature of the information on the laptops.  So we chatted about all this for a bit, and I finally told him his company should probably come up with a procedure for this scenario, decide how they would handle it if it arose.

Let’s take the scenario he presented and parse out the options and the applicable law.  The Customs Officers have a Fourth Amendment right to search “containers” (which, as I said before, includes a hard drive) when someone is entering or about to leave the country.  I’ve run this scenario by prosecutors and based on their reaction and how I analyze the law, it looks to me like the scenario can have three basic resolutions: 
  1. The laptop owner gives the Customs Officer the encryption key and the officer searches the laptop’s hard drive for contraband (data within the scope of a border search);
  2. the laptop owner refuses to give the Customs Officer the encryption key, says he/she has decided not to travel that day and walks away with the laptop (the prosecutors I’ve discussed this with say it would work, so we’ll assume it will, at least for now); and
  3. the laptop owner refuses to give the Customs Officer the encryption key and insists on traveling with it, citing some constitutional rule.
The first two options are self-resolving, so let’s focus on the third one.  The problem we have here is that the Fourth Amendment really does not apply to the act of refusing to hand over the encryption key.  

(Ironically, it would apply if the laptop owner gave up the encryption key, because this would be consenting either to the “seizure” of the key or to letting the agent “search” it.  Or it could be considered a waiver of the Fifth Amendment issue we’re going to get to in just a moment.)

See, the Fourth Amendment only applies when government agents (like the Customs Officer) DO something . . . like taking your laptop away from you or breaking down your front door to go in and seize it or turning it on and looking through the unencrypted files against your objection.  The Fourth Amendment does not apply when, as is the case here, you refuse to do something the government wants you to do and they try to make you do it.

The Fifth Amendment applies, in a limited way, if and when the government wants you to do a specific thing:  give “testimony” that “incriminates” you.  There is a major difference between the Fifth Amendment and Miranda, which gives you a right to silence and to counsel; the Fifth Amendment, which is supposedly the foundation of Miranda, gives you neither of those things.  To qualify for Miranda, you have to be in “custody,” i.e., the police have to have restrained your freedom of movement so you cannot just walk away. Since we’re assuming you can walk away, Miranda won’t apply; the Fifth Amendment is the only option.

The Fifth Amendment only applies, though, if you are “compelled” to give testimony.  Being “compelled” is synonymous with being subpoenaed by a court or a grand jury and being ordered to testify; if you won’t, you, a la Judith Miller in Plamegate, will be locked up until you do. That’s being “compelled.”

And that brings us to the first problem with trying to use the Fifth Amendment to refuse to give up the encryption key but still travel.  It doesn’t seem that you can show you’re being “compelled” to do anything – if you can walk away (as in option #2), then you are not being compelled and the Fifth Amendment is off the table.  And there probably are no other constitutional provisions that might apply.

Just for the sake of argument, let’s change things a bit:  The laptop belongs to John Doe.  He refuses to provide the encryption key when the Customs Officers ask for it and starts to walk away.  They say he can go but tell him they’re keeping the laptop because they have probable cause to believe there’s contraband (child porn, say) in it because they have been “tipped” to that by a confidential informant.  That should let them hold onto it under another Fourth Amendment exception (exigent circumstances – holding onto it to prevent Doe from destroying the evidence on it) while they get a warrant to search it.

They get the warrant, but find they cannot search the files because the hard drive is encrypted.  They call Doe and ask for the key and he says he won’t provide it.  They can’t make him do this, so they go to a federal prosecutor who gets a grand jury to subpoena Doe. He appears before the grand jury, is asked for the encryption key, invokes his Fifth Amendment privilege and refuses to provide it.

Can he get away with that?  Or will a judge find he cannot claim the Fifth Amendment privilege and lock him up until he gives up the key?

Good question, one that is not resolved.

To claim the Fifth, Doe has to be compelled (being threatened with being locked up works) to give “testimony” that “incriminates” him.  Incriminates means the evidence can be used to convict him of a crime; you can’t claim the Fifth because evidence would embarrass you or hurt your business or implicate someone else in a crime.  It has to implicate you in a crime.  So, for purposes of analysis, we’ll say Doe can show that the answer would incriminate him.

Is giving up an encryption key “testimony?”  You might think it is, but it’s not that easy.

The Supreme Court has held that “testimony” is a communication; it does not encompass physical evidence such as blood, hair or even handwriting.  You cannot take the Fifth Amendment to refuse to provide samples of your handwriting because the Supreme Court has held that you’re just providing samples of physical evidence – how you shape letters, how much force you exert, etc.  (You can’t be put under oath and compelled to write answers to questions asked you because the answers would be communications, or testimony.)

In 1988, in Doe v. United States, 487 U.S. 201, the Supreme Court held that someone cannot take the Fifth and refuse to sign a “compelled consent” because signing the consent form does not constitute “testimony.”  The compelled consents (an oxymoron?) were (and are, I assume) used to get into “secret” bank accounts in places like the Cayman Islands.  The person (Doe in this case) was subpoenaed by a grand jury and told to sign a form that gave blanket consent to the bearer (FBI agents) to gain access to any and all bank accounts in his name.  A number of people claimed they should not have to do this, that this was “testifying” against themselves (and could lead to the discovery of incriminating evidence).  The Supreme Court said it was not testimony, it was just physical evidence – the same rationale as the Court applies to handwriting.

In the Doe case, the Court noted, in effect, that someone (i) cannot invoke the Fifth Amendment and refuse to hand over the key to a “strongbox” or a safe deposit box but (ii) may be able to take the Fifth and refuse to “reveal the combination to his wall safe – by word or deed.”  It depends on whether you are simply handing over physical evidence (like blood or your handwriting) or whether you are “being forced to express the contents of your mind” by communicating.

So, basically, whether one can use the Fifth Amendment privilege against self-incrimination as the basis for refusing to give up an encryption key depends on whether doing that is more analogous to handing over a key to a safe deposit box or to giving up the combination to a wall safe.  (I think the Court was assuming the person had memorized the combination, btw.)

(Oh, and Miranda?  Pretty much the same analysis, in that it only applies to “testimony,” to communications.  The issue here, as I noted earlier, is “custody.”  If the agents took Doe into custody and would not let him leave, then they would have to give him the Miranda warnings and honor his invocation of the right to silence or counsel if he did invoke either.)





Aug 20

TSA Copying Hard Drives? 4th Amendment Issues?

I'm hearing the TSA is copying the hard drives from laptops (some, I assume, not all) that are taken through airport screening. 

I'm hearing they're using a pretty simple process, to expedite the copying (which, if true, dealt with my initial disbelief that this is happening -- the problem of how much time it would take to do a true mirror image of many/some of the laptops people bring with them to their flights).  What I'm hearing comes from people I think are credible sources, so I'm going to assume it's true, at least for now.

That brings us to the issue which I have been asked about, namely, how can they do this?  Isn't this a violation of the constitution?  Don't we have a right to privacy in the contents of our laptop data?

Briefly, the answer to the last question is "yes," and the answer to the second question is, I'm afraid, "no."  And that brings us to the first question:  How can they do this?

The only constitutional provision that would be implicated is the Fourth Amendment, which protects us from "unreasonable searches and seizures."  "Reasonable searches and seizures" are ok.  Searches are "reasonable" if they are conducted pursuant to a search warrant OR if they fall within an exception to the warrant requirement. 

The TSA agents definitely do not have a search warrant.  They must, therefore, be relying on one of two exceptions to the Fourth Amendment's warrant requirement.

One possibility is the border search exception.  The border search exception is one of the oldest 4th Amendment exceptions.  It lets officers/agents search you, your bags, all that without a warrant AND without probable cause or reasonable suspicion (as you can see from the opinion quoted below).  The premise is that governments have the right to control what comes into/out of their border.  We are probably all familiar with this in the context of customs searches of luggage when someone comes into (or goes out of -- the exception applies both ways) the United States.

I started noting federal court decisions on the applicability of the border search exception to laptops a few years ago.  I suspect the issue had never come up until then.  The early (2-3 years ago) arguments on this tried to say something courts have found credible in other contexts:  That a laptop is a "container," like luggage, but it is a much more complex container than luggage, can contain so much information it should be treated differently . . . basically as a container+.  That argument has worked elsewhere but has failed miserably in the border search context.  Courts have done what the 9th Circuit does in the case quoted below, said a laptop is a container like any other container and can be searched by customs agents as such.

I can't find law on TSA searches, but I suspect that the same basic rationale is being applied here OR that these searches are based on another exception, the administrative search exception, which supports DUI checkpoints and airport screening generally.  The "administrative search" exception (which some think is about to swallow the Fourth Amendment) lets the government conduct searches and/or seizures without a search warrant when it is acting for a purpose other than the enforcement of criminal law.

So DUI checkpoints are (the Supreme Court has said) NOT about catching people who are driving drunk just so they can be prosecuted; the checkpoints are, instead, about ensuring safety on our highways by discouraging drunk driving. The same thing holds for airport screening:  When we go through the metal detectors and have our luggage screened it's not because the agents are trying to gather evidence to be used to convict us -- each of us -- of a crime.  It is, instead, for a different, administrative purpose -- air travel. 

Now, I wonder how and why checking the contents of someone's hard drive contributes to that administrative function.  If and when this comes up in court, it seems to me that the person whose laptop hard drive was searched can argue that the search was unreasonable in scope, i.e., that copying and searching the data on someone's hard drive is not sufficiently related to maintaining airport security to bring it within the scope of the administrative search exception.

One more point and then I'll quit:  Copying someone's hard drive is, I think, a "seizure" not a "search."  Searches violate privacy, while seizures violate possessory interests.  Since they don't actually "read" the files when they make the copy, there is no compromise of privacy, no "search."  I'd say, though, that there is definitely an interference with possessory interests because (a) the laptop is taken away and "held" while the copy is made and (b) the government "takes" the copy, which means you no longer have exclusive possession and control of the data on the hard drive.

Ninth Circuit border search exception case:

First, we address whether the forensic analysis of Romm's laptop falls under the border search exception to the warrant requirement. We review the legality of a border search de novo. United States v. Okafor, 285 F.3d 842, 845 (9th Cir.2002). Under the border search exception, the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant. See United States v. Montoya de Hernandez, 473 U.S. 531, 538, 105 S.Ct. 3304, 87 L.Ed.2d 381 (1985).

For Fourth Amendment purposes, an international airport terminal is the "functional equivalent" of a border. See Okafor, 285 F.3d at 845 (citing Almeida-Sanchez v. United States, 413 U.S. 266, 272-73, 93 S.Ct. 2535, 37 L.Ed.2d 596 (1973)). Thus, passengers deplaning from an international flight are subject to routine border searches. . . .

We assume for the sake of argument that a person who, like Romm, is detained abroad has no opportunity to obtain foreign contraband. Even so, the border search doctrine is not limited to those cases where the searching officers have reason to suspect the entrant may be carrying foreign contraband. Instead, " 'searches made at the border ... are reasonable simply by virtue of the fact that they occur at the border.' " United States v. Flores-Montano, 541 U.S. 149, 152-53, 124 S.Ct. 1582, 158 L.Ed.2d 311 (2004) (quoting United States v. Ramsey, 431 U.S. 606, 616, 97 S.Ct. 1972, 52 L.Ed.2d 617 (1977)). Thus, the routine border search of Romm's laptop was reasonable, regardless whether Romm obtained foreign contraband in Canada or was under "official restraint."

United States v. Romm, --- F.3d ----, 2006 WL 2042827 (Ninth Circuit Court of Appeals, July 24, 2006).



Aug 18

NSA Surveillance Held Unconstitutional

As everyone probably knows by now, Anna Diggs Taylor, a federal district judge in Detroit has held that the NSA surveillance program is unconstitutional and therefore unenforceable.  (ACLU v. NSA, U.S. District Court – Eastern District of Michigan).  The implementation of the decision has been stayed, to give the Department of Justice time to appeal the ruling.  (I hope it’s an expedited appeal.)

The judge held that the program violates the First Amendment, as well as the Fourth Amendment (and is illegal for other reasons, as well, including the separation of powers doctrine).  I don’t even want to try to summarize the entire decision here, as you can read it online if you are so inclined.

Instead, I want to comment briefly on her Fourth Amendment analysis . . . which was also brief.  After tracing the history and purpose of the Fourth Amendment – which is to preserve privacy against government intrusions, especially in our homes and other important enclaves -- she concluded that the NSA wiretapping program has “obviously” been implemented “in violation of the Fourth Amendment.”  At the end of her opinion, she explains that none of the justifications the Administration has offered for the current surveillance program – e.g., that the threat of terrorism makes it impracticable to apply for and get wiretapping warrants – have any merit.  As she said, the government’s argument as to “the need for speed and agility is . . . weightless.”

She also found that the program has been implemented in violation of the FISA (Foreign Intelligence Surveillance Act) statutes, which impose special requirements when federal agents are investigating terrorism and related activities (versus plain old “crime”).  And she found that it violates Title III, a set of statutes which Congress adopted in 1968 to implement the Katz decision, the one I mentioned in an earlier post; Katz is important in this context because in Katz the Supreme Court held that wiretapping the content of phone conversations is a “search” under the Fourth Amendment, and so cannot constitutionally be done unless the government gets a search warrant beforehand.

(Now, in another set of decisions the Supreme Court has held, incorrectly, in my view, that "our" Fourth Amendment does not apply to extraterritorial searches directed at non-U.S. citizens.  The basis of those decisions is a principle that goes way back into common law, to a time when there were no telephones, no Internet, no wireless communication, none of that.  This principle has been cited, on occasion, to justify NSA surveillance activities on the theory that the surveillance is only directed at non-U.S. citizens located outside the territorial boundaries of the U.S.  As I said, I think that is an arbitrary and unworkable distinction in the modern world.  It also tends to make us look arrogant -- "it's our Fourth Amendment, not yours, so we can do whatever we want if you're not one of us."  But even if you buy the principle, it becomes very complicated to apply in a world of seamless electronic communication -- what if I, say, call someone in Qatar?  Does the Fourth Amendment apply because I am a U.S. citizen calling from here, or does it not apply because I am reaching out to someone outside the U.S.?  There are many other problems with this principle, but you probably get the idea.  It really doesn't come up in this case because the suit was brought on behalf of people in the U.S., but it is another issue that will, I think, have to be addressed at some point.)

I think Judge Taylor’s opinion is very well-reasoned and reaches the correct result.  No one can argue against the need to prevent terrorism, but the government cannot use the threat of terrorism to bypass constitutional procedures that were created to guarantee us certain fundamental rights.  If we allow that, we effectively surrender those rights. 


Aug 14

Cybercrime treaty: criticisms

As I noted last time, it took the U.S. a surprisingly long time (almost five years) to ratify the Convention on Cybercrime given (a) that we helped write it and very much lobbied for its adoption and (b) that because we helped write it, we do not need to adopt any new legislation to implement the treaty.  The delay was due to concerns that have been expressed by EFF, EPIC and the ACLU, among others.

Basically, these concerns center on three issues, each of which I am going to address, briefly, in this post.  I’m going to address them in the order they crop up in the Convention.

The first issue is the “misuse of devices” issue.  Article 5 of the Convention requires countries that sign and ratify it to criminalize “the production, sale, procurement for use, import, distribution or otherwise making available of” either (i) “a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with” Articles 2-5 of the Convention or (ii) “a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed.”  A separate provision makes the possession of such items a crime.  Articles 2-5 require parties to criminalize, basically, unauthorized access and unauthorized access with damage to a system or the data it contains.  All of the provisions of Article 5 require that the item be possessed, imported, distributed, etc., with the intent that it be used in the commission of one of these crimes.

Those who are concerned about this argue that the provision sweeps too broadly, that it could be used to prosecute researchers or simply the average citizen who happens to be in possession of an item encompassed by Article 5.  The drafters of the Convention and the U.S. Department of Justice respond that these “innocents” do not need to be concerned because the provision requires not simply possession/distribution/etc. but also that the person have engaged in this conduct with the intent to facilitate the commission of a crime.  I think that is a very good point.  My concern, there, would be that intent is often inferred in cases like this (which are essentially aiding and abetting cases), and inferences of intent can be expansive and sometimes problematic.

The second issue, which I will only summarize because it would take a LONG time to go through all of its aspects, is that the provisions of the Convention which provide for cooperation among law enforcement officers of various countries (i) threaten privacy and (ii) sweep too broadly.  As to (i) I will only say that the Convention clearly reflects the current state of our Fourth Amendment law, which is good and not-so-good.  The basic Fourth Amendment requirements are fine in most respects but, I think, inadequate in others (especially when it comes to obtaining traffic data, i.e., non-content data involved in the transmission of email and other electronic communications).  

As to (ii), the concern lies with Article 14 which says, essentially, that the provisions establishing mechanisms for reciprocal law enforcement cooperation apply when police are investigating (a) crimes defined under the Convention; (b) “other criminal offences committed by means of a computer system;” and (c) “the collection of evidence in electronic form of a criminal offence.”  They therefore can apply to the investigation of ANY crime as long as a computer was involved in its commission.  On the one hand, I can see law enforcement’s position:  If police are investigating a crime and digital evidence is involved, why should it matter if the crime can be technically defined as a “cybercrime?”  Shouldn’t they be able to proceed anyway?  On the other hand, I can see the critics’ issue.  This is, after all, styled as a “cybercrime” convention, so it seems logical, at least, that it should be limited to cybercrimes, i.e., crimes in which the computer plays a central role in the commission of the offense.

Now to the third issue, which is probably the source of most criticism of the Convention.  The argument here is that the procedural provisions facilitating cooperation among law enforcement do not require “double criminality.”  As I noted in an earlier post, extradition treaties – treaties that let the U.S. hand Perpetrator X over to Brazil to be prosecuted for a crime committed in that country – require “double criminality,” i.e., require that the act have been a crime in both countries.  The premise is that to do otherwise would be unfair.  There has, for example, been a gentleman in Nebraska who has for years been putting up pro-Nazi websites.  It is a crime to create such a website in Germany, and over the years German authorities asked U.S. authorities to turn this guy over to them for prosecution. U.S. authorities properly refused to do so, because what he is doing is protected speech under our First Amendment.  We can’t turn him over to be prosecuted for what he is lawfully doing here.

Critics of the Convention argue that it does not have a “double criminality” provision that acts as a restraint on its law enforcement cooperation measures, and I would agree . . . no such provision is explicitly included in the Convention.  (It is in Article 24, which governs extradition.)  I do not think, though, that this is a major problem because Article 15 says that each party to the Convention must:

ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

As far as the U.S. is concerned, this imports our Bill of Rights, which guarantees due process which should, aside from anything else, prevent our law enforcement processes from being used to persecute dissidents in other countries.  There’s also the fact that if someone in the U.S. is being investigated by a country for being a political dissident, and U.S. authorities assist with the investigation, that person cannot be extradited from the U.S. (even under the Convention) because it requires double criminality for extradition.

There are other issues that arise under the Convention, and maybe I’ll post on them later.

Bottom line:  it’s far from perfect but it is, I believe, far from being as horrendous as some claim.  


Aug 11

Cybercrime treaty

As you may have heard, the U.S. Senate ratified the “Cybercrime treaty.”  The “Cybercrime treaty” is the Council of Europe’s Convention on Cybercrime.

The Council of Europe, which consists of 46 countries, was created in 1949 to, among other things, develop agreements that would standardize national laws dealing with various issues.

A number of years ago, the Council of Europe created a committee to develop a treaty that would do this for cybercrime law.  As the preamble to the Convention notes, it was developed because the Council of Europe (and our Department of Justice) determined that it was
necessary to deter action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as the misuse of such systems, networks and data by providing for the criminalisation of such conduct, as described in this Convention, and the adoption of powers sufficient for effectively combating such criminal offences, by facilitating their detection, investigation and prosecution at both the domestic and international levels and by providing arrangements for fast and reliable international co-operation. . . .
Cybercriminals can, and do, exploit gaps and inconsistencies in national laws to their advantage: If there is no law criminalizing, say, the dissemination of a computer virus, then the person responsible for a virus cannot be prosecuted in his home country and cannot be extradited to be prosecuted in other countries harmed by the virus. (It is a basic principle of international law that one cannot be handed over by Country X to Country Z for prosecution unless the conduct at issue was a crime both in Country X and Country Z; this is the principle of "double criminality".)

Other problems arise in the investigation of cybercrimes. Basically, under international law, Country X is not obliged to assist Country Z with the investigation of a crime committed in Country Z unless there is an agreement -- a mutual legal assistance treaty -- in effect between the two. (There are other methods by which Country Z can request assistance from Country X, but they are cumbersome and time-consuming, by which I mean they can take years.)

Cybercriminals can exploit the lack of a treaty between two countries: A cybercriminal can set up operations in Country Z and victimize citizens of Country X, knowing that the authorities in Country Z cannot assist police from Country X in their investigation of these cybercrimes.

In an effort to address this problem, the Council of Europe created a committee and assigned it the task of drafting a cybercrime treaty. After some years of work, the committee produced the Convention on Cybercrime.

The Convention is a lengthy document, the goal of which is to harmonize the national penal law (the law governing offenses) and procedural law (the law governing investigations) that deals with cybercrime. Countries that sign and ratify the Convention (a country must do both to be bound to implement the treaty) pledge to ensure that (i) their law criminalizes a baseline of cybercrime offenses, (ii) their law allows them to assist other parties to the Convention with the investigation of cybercrimes and to extradite cybercriminals in their custody and (iii) their law allows them to provide other mutual assistance to countries in the investigation and prosecution of cybercrime.

The Convention was opened for signature on November 23, 2001.  It was quickly signed by many countries.  As I write this, almost five years later, the Convention has been signed by 44 countries and ratified by 16 of those countries. (The grid currently up on the Convention site doesn’t show that the U.S. has ratified, yet.)

Why has it been ratified by so few countries?

Until this year, the Convention had not been ratified by any of the major European countries. It had been ratified by smaller countries, such as Albania and Croatia, but not by the major players in Europe, the countries one would expect to have been among the first to ratify the Convention. France and Denmark finally ratified the Convention this year, but Italy, Spain, Belgium, the United Kingdom and a number of other countries still have not ratified it.  (Russia still has not signed it.)

The Convention is open to non-European countries under certain conditions, one being that they were involved in its drafting. Four non-European countries -- the United States, Canada, Japan and South Africa -- signed the Convention under this condition. Only the U.S. has ratified it, and that just last week.

(I was at a meeting a couple of weeks ago, spoke to a knowledgeable person from Canada, and was told they are in the final stages of drafting the legislation they need to be able to implement the Convention -- more on that later.)

The delay in our ratifying was surprising because the U.S. Department of Justice was a prime mover in the creation and drafting of the Convention on Cybercrime. The US is a major target of cybercriminals, and therefore has good reason to want global cybercrime law to become a seamless web that facilitates the investigation and prosecution of cyber-perpetrators.

The problem, as I see it, with the Convention is that it is being ratified VERY slowly in Europe (for reasons I can’t understand) and is not available to non-European countries other than those listed above without the consent of all the European countries involved.  I see the second issue as a particular problem, since cybercrime can easily come from smaller, non-European countries (think Nigeria).  It would seem, then, that these are countries the major players (read, the most likely victims of cybercrime) would really want to recruit into this effort.

The other problem I see with regard to getting non-participant, non-European countries to sign and ratify the Convention is that the process of implementing it can be difficult for a country whose legislators have little or no experience with cybercrime law.  Take a look at the Convention and I think you’ll see what I mean.  It is – especially the procedural sections – a very complex document.  Drafting laws to implement its requirements can be a very time-consuming, difficult process for those who have not dealt with these issues before. 

The Convention also creates other issues that, I think, account for why it took the US so long to ratify it.  These issues go to the procedural provisions and concerns that they erode privacy and other civil rights.  I'll do a separate post on that in a day or three.

Aug 08

E-hijacking

According to a story in Fleet Owner (no, I don't normally read it -- someone called the story to my attention) last fall, 3.9 million banking records stored on computer backup tapes were allegedly hijacked, electronically . . . by persons who remain unknown.  The story says the tapes were being shipped, via UPS, from Citigroup in New York to Experian in Texas.  

It also says that the tapes went awry, that they were not lost but were mis-delivered to unknown persons.  The story says the mis-delivery was the result of someone’s altering the electronic manifest for the shipment:  “The manifest was reset from ‘secure’ to ‘standard’ while in transit, so it could be delivered without the required three signatures. . . Afterward the manifest was put back to ‘secure’ and three signatures were uploaded into the system to appear as if proper procedures had been followed.”

What the story seems to be saying is that someone figured out that the shipment could be hijacked electronically, instead of using muscle (the way they do on The Sopranos).  Now, another story appeared a couple of months later.  In this story, UPS denies that the hijacking occurred.  Instead, according to this story, UPS says that the packages broke open in transit and the contents were inadvertently thrown away.  I’m not sure I see that as a great improvement, from the viewpoint of a shipper, but, hey, whatever . . . .

Since the truth of the story seems to be in doubt, I’m going to do what we always do in law school:  use a hypothetical.  So let’s hypothetically assume that Bank X in Seattle uses FXPS, a shipping company, to send a shipment of computer tapes containing Bank X customers’ financial data to Credit Company Y in St. Louis.  Let’s also hypothetically assume that John Doe and Mary Roe decide they are going to hijack the shipment, but do so electronically.

How would Roe and Doe go about doing this?  The original Fleet Owner story says it would have taken “15 or 20 people” to hack the system involved in order to alter the electronic manifest.  Maybe.  If I were going to do something like this (hypothetically, of course) I’d try to compromise an insider or insiders – try to find some people who worked for FXPS in appropriate positions and bribe them (blackmail might work, too) to get them to alter the manifest and have the shipment delivered to me (I mean to Roe and Doe).

Either way, if this didn’t happen here I am sure it can and will happen at some point, to someone.  So let’s go with that concept and get back to my usual topic:  legal issues.

Assume Roe and Doe compromise an insider or three and have the shipment of Bank X customer financial data delivered to them, so they can use it for identity fraud, etc.  Now, obviously, if they commit identity fraud/theft they can be charged with that (I will do a post on the law in that area in a day or four).

What I really find interesting, though, is the question of whether Roe and Doe “stole” the data – whether they can be charged with “theft.”  Generically, “theft” (or “stealing”) is usually defined in terms of taking someone’s property from them without their consent.  A Kentucky statute, for example, says that “a person is guilty of theft by unlawful taking or disposition when he unlawfully . . . [t]akes or exercises control over movable property of another with intent to deprive him thereof”.  Kentucky Revised Statutes § 514.030(1).

If you go with that traditional conception of “theft,” I don’t see how the e-hijacking qualifies as theft.  Technically, at least, Roe and Doe did not “take” the property – it was handed over to them by an FXPS representative who was authorized to have possession of the property and authorized to hand it over to the persons listed on the manifest.  If Doe and Roe were listed on the manifest, then it seems to me we have something other than classic theft.  (It’s not like, say, my taking your laptop from you or from your chair when you’ve stepped away; that’s clearly theft in the traditional sense because I took your property without your permission.)

What Roe and Doe did was to obtain property they’re not really entitled to have but to do it by a trick – to get the FXPS representative to hand it over knowingly and voluntarily by deception.  Centuries ago, English law had to deal with this issue, and it dealt with it by coming up with a new crime:  larceny by trick . . . or what we now call fraud.

The essence of fraud is deceiving someone so that they knowingly and voluntarily (even eagerly) hand their property over to the fraudster . . . thinking they will receive a benefit (the Brooklyn Bridge, in the classic old fraud scam) for doing so.  Conceptually, fraud is a type of theft because the trickster – the fraudster – is getting property to which he or she is really not entitled.  The victim hands the property over voluntarily, but the victim would not do this if he were not deceived (if he knew I really do not own the Brooklyn Bridge, to continue our use of the classic old fraud scam).

So, if and when this e-hijacking happens, I wonder if the appropriate charge would be theft or fraud.

Maybe it doesn’t matter.

(Maybe it does – if a charge doesn’t fit the facts, a defendant can file a motion to dismiss the charge and, if the motion is well-founded the court will throw out the charges.  The prosecution, though, could still re-charge as long as the statute of limitations had not run out.)


Aug 06

Computer car theft

You may have heard about this.  Several stories appeared earlier this summer about thieves using laptops to steal cars equipped with keyless entry and ignition systems.  

According to the stories, David Beckham, the British soccer star, has had two BMW X5’s stolen from him this year.  In each case, the thieves used the laptop technique to take the cars.  The second theft apparently occurred while Beckham and his sons were eating at a restaurant in Madrid.

This is a good example of how beneficial technology can be compromised for criminal purposes.  As one reporter explained, “decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car. . . . The owner of the code is now the true owner of the car.”  I’ve read that thieves can also disable tracking systems – GPS systems – that are intended to make it easier to find stolen vehicles.

As far as I know, this is only happening in Europe, where it is becoming more common.  It probably won’t take long, though, for it to migrate here to the U.S.  The process of compromising the vehicle’s entry and ignition systems apparently takes about 20 minutes, and I gather the thieves need to have the vehicle parked in a relatively out of the way place . . . since people might be suspicious if they walked by and saw a laptop hooked up to a parked car.

Does this kind of theft raise any new legal issues?  

I really don’t think it does, at least not in terms of the theft of the vehicle.  All the thieves are doing, after all, is stealing a car, and car theft has been criminalized in this country and abroad for many, many years.  I think our existing car theft statutes would easily encompass this kind of activity.  Take Alaska’s car theft statute, for example, Alaska Statutes section 11.46.360(a).  It makes it a crime (a felony) if “having no right to do so . . . [a] person drives, tows away, or takes the car, truck, motorcycle, motor home, bus, aircraft, or watercraft of another”.  Most car theft statutes will be structured similarly.  The essence of the crime lies in taking a vehicle that belongs to someone else; the method one uses to accomplish that is irrelevant.  So it really doesn’t matter whether the thief uses a Slim Jim or a laptop.

It seems to me, though, that a prosecutor could also add a “hacking” charge.  As I explained in an earlier post, in terms of criminal law “hacking” consists of gaining access to a computer system without being authorized to do so.  As I also noted in response to a comment on that post, we have aggravated hacking (or cracking) statutes that make it a more serious crime to hack a system and cause “damage” by, say, copying or destroying data.

It looks to me like the laptop car thief “hacks” the car’s computer system.  As I explained in that earlier post, our law doesn’t do a particularly good job of defining “access” in the context of “hacking,” but I think a prosecutor could make a good argument that a laptop car thief does gain “access” to the car’s computer system.  As I noted earlier, one of the phrases used to define “access” is “communicate with,” as in “communicating with” a computer system.  Another phrase used for this purpose is “make use of,” again as in “making use of” a computer system.

If you buy that analysis, then it seems laptop car thieves can be charged both with car theft and with hacking the car’s computer system.  Now, they might argue that hacking the car’s computer system was merely part of the process of stealing the vehicle, so they should not be charged with both crimes.  I suspect that argument would not work.  One of the defining traits of modern American criminal law (anyway) is that prosecutors tend to carve a course of conduct up into multiple offenses, a technique courts generally support.  The premise – in this instance – would be that the thief really did commit two distinct and severable crimes:  (i) hacked the car’s computer system; and (ii) stole the car.  A prosecutor who wanted to charge such a thief with both crimes could point out that he could have stopped with (i) but, instead, chose to proceed with the “second” crime, the theft.

Legal issues aside, this is another example of how technology we adopt to make our lives easier can have unforeseen, unfortunate consequences.  

Aug 04

Taxonomy: C3 -- cybercrime, cyberterrorism and cyberwarfare

(This is going to be a very long post, I'm afraid.)

Today, I want to talk not about cybercrime or cyberterrorism as such, but about the three categories of online malefaction: cybercrime, cyberterrorism and cyberwarfare.

More specifically, I want to focus on the clear and not-so-clear distinctions between the categories.

Let's begin with some basic definitions:
  • Cybercrime is using computer technology to commit unlawful acts, or crimes. As I explained in an earlier post, the activity we refer to as cybercrime often consists of nothing more than using a computer to commit a crime that is probably as old, or almost as old, as humanity. So, if someone uses a computer and the Internet to siphon funds from a bank account belonging to someone else, it is simply theft (taking property from someone else without their consent) as far as the law is concerned. There are, however, good reasons to consider the perpetrator's use of computer technology in the commission of this and other technological crimes; aside from anything else, it lets the perpetrator commit the crime remotely (the perpetrator is in, say, Brazil, the bank account is in the United States), which can make it difficult for law enforcement to "solve" the crime. Also, the use of computer technology can increase the scale on which crime is committed; so, an online fraudster using computer technology can defraud many more people in a given space of time than she would be able to do if she had to deal with each of them face-to-face. Cybercrime, like all crime, is committed by civilians whose motives are purely their own. (There is an exception to this, which I will note below.)
  • Cyberterrorism consists of using computer technology to engage in terrorism. Terrorism consists of acts that are committed for political, versus economic, motives. Much of crime is committed for economic reasons, as in the examples I gave above. Terrorism is committed to further certain political goals. It is usually intended to demoralize a civilian population (which differentiates it from warfare, which is not supposed to target civilians), and usually accomplishes that, in the real world, by destroying property and injuring or killing as many civilians as possible. The 911 attacks on the World Trade Center are a perfect example of real-world terrorism; they were intended to destroy a premier symbol of capitalism and, in so doing, undermine the morale and confidence of U.S. citizens. As I explained in an earlier post, we have not, as yet, seen cyberterrorism, but I am confident we will. I do not think, as I said in my earlier post, that cyberterrorism is an effective way to destroy property and human life on the scale and with the shocking simultaneity one can achieve by using bombs, airplanes and similar real-world methods. I do think, though, that computer technology can be used to erode citizen confidence in the security and stability of the internal systems upon which they rely. As I noted in my earlier post, one way to do this would be to launch sequenced, synchronized attacks shutting down ATM systems and other financial mechanisms in carefully selected cities around the United States. As the attacks progressed from city to city, it would become increasingly apparent that they were not random, were not the product of software bugs, were not otherwise explainable but were, instead, the product of terrorist activity. Attacks such as these would not inflict the sheer horror of the 911 attacks, but they could further terrorist goals by creating a climate of insecurity and anger at the government, something analogous to what we saw with the Katrina fiasco.
Like terrorism, cyberterrorism is carried out by individuals who are part of a group that is held together by a commitment to a specific political ethos.
  • Cyberwarfare is using computer technology to wage war. The distinguishing characteristic of war is that it is a struggle between nation-states; it is, like all human activity, physically carried out by individuals, but those individuals are acting for a particular nation-state. Like terrorism, warfare tends to result in the destruction of property (often on a massive scale) and in the injury and deaths of individuals (often many, many individuals). Unlike terrorism, war is supposed to be limited to clashes between the aggregations of individuals (armies) who respectively act for the warring nation-states. Injuring and killing civilians (those who are not serving in one of the combatant nation-states' armies) occurs, but it, like most property damage/destruction, is supposed to be a collateral event. The primary focus of war in general and of particular wars in specific is to "triumph" over the adversarial nation-state(s) (whatever that means in a given context). Inflicting injury/death on civilians and destroying property is not the primary focus of warfare. Cyberwarfare (also known as "information warfare") is a logical consequence of migrating much of human activity into cyberspace. Several years ago, the Department of Defense defined cyberwarfare as "actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer-based networks while defending one's own" computer systems, information, etc. More simply, cyberwarfare consists of using cyberspace to achieve the same general ends nation-states pursue via the use of conventional military force; that is, the use of cyberspace to achieve certain advantages over a competing nation-state or to prevent a competing nation-state from achieving advantages over another state. As I write this, it is clear that many nation-states are already engaging in cyberwarfare, though on what I think is a relatively small scale.
Some countries are training/have already trained "hacker warriors" and are using them to mount attacks on other countries, many of which are developing their own cyberwarfare capabilities. From what I can tell, most of the attacks so far resemble skirmishes rather than full-scale "cyber-battles" (whatever a full-scale cyber-battle would look like . . . . )
That's a pretty concise explanation of what each category comprises and of how each category differs from the others. That, however, is not my primary concern in writing this post. What I really want to focus on is how the use of cyber-techniques to implement any or all of these three types of real-world activity can, for lack of a better word, challenge a government's ability to respond to online-based crime, terrorism and/or warfare.

In the real-world, we know who deals with what:
  • Law enforcement officers (in the U.S. local police, state police and, sometimes, federal agents) deal with crime.
  • Law enforcement officers plus, perhaps, specialized law enforcement officers (the FBI in the U.S., specialized police units in other countries) deal with terrorism. Usually, you tend to see a mix of "regular" and "specialized" police responding to terrorism because the local police are likely to be the first responders to a terrorist incident . . . as we saw with the 911 attacks on the World Trade Center. There, the NY police and fire departments were the first to deal with the attacks, though the FBI and related federal agencies quickly became involved, as well.
  • The military deals exclusively with warfare.
That's a tidy division of responsibility, one that has been with us for at least a century and a half. It assumes, of course, that we can tell the difference between (i) crime, (ii) terrorism and (iii) war.
  • It's generally not difficult to do that when we are dealing with real-world activity: Crime is pretty easy to spot, especially since much of it tends to be one-on-one crime, e.g., one person robs another, one person kills another, etc. And crime falls into identifiable categories: theft, robbery, rape, murder, fraud, arson, etc.
  • Real-world terrorism is generally easy to spot, even though it involves activity that can also fall within the definition of crime, i.e., harming/killing people and destroying property. Real-world terrorism is usually easy to distinguish from crime because (i) it is irrational (in the sense that it has no obvious rational motive, such as financial gain) and (ii) the scale on which it is committed vastly exceeds what one usually encounters with crime.
  • Take the attacks on the World Trade Center, for example: They are irrational in the sense that they produced no financial gains (unlike, say, bombing part of one of the WTC towers and using that as cover to rob a bank or a jewelry store). Much of crime, as I have said before, is committed for financial gain.
  • There are, however, crimes that are not committed for financial gain; in any city in the U.S. (or elsewhere) one can read daily about murders that were committed for no rational reason, for no purpose relating to financial gain or the achievement of other rational ends (like ridding oneself of an unwanted spouse). But those crimes tend to be limited in scale, and tend to involve people who know each other. Husbands kill wives, wives kill husbands, employees "go postal" and kill people in their workplace. In crimes such as these, there is a link, a factual nexus between the perpetrator and the victims. They also tend to be limited in scale: The perpetrator kills only the person he or she knows and is angry with.
  • In real-world terrorism, the activity is not rational -- why would anyone fly a plane into the World Trade Center? There is no ostensibly rational motive; the motivations of the Al Qaeda members who actually did that are, of course, quite rational if one accepts the ideological premises from which they operate. To the uninitiated, however, the conduct seems irrational. So, there is a clue that we are dealing with terrorism . . . just as the apparent irrationality of the conduct is clear when a suicide bomber blows up himself/herself and whoever happens to be in the area. Scale is the second differentiating factor, another clue that we are dealing with terrorism in the real-world: There is no clear link between the act and the victims; the suicide bomber blows up some random number of people, none of whom he/she knows, none of whom he/she has any personal grudge against.
  • I could go on, but I think (hope) my point is clear -- it is relatively easy to identify terrorism in the real-world.
  • Finally, it is very easy to identify warfare in the real-world. When the Japanese bombed Pearl Harbor or when the U.S. began bombing in Iraq in 2003, no one who heard about/witnessed the attacks could have the slightest doubt that this was warfare . . . not crime, not terrorism. Both were conducted by specialized cadres of individuals associated with the attacking nation-state, all of whom wore distinctive attire and distinctive insignia.
Now, think about how these activities manifest themselves in the cyber-world. It will, in some instances, be relatively easy to identify the type of activity at issue. This is true, generally, for cybercrime: Most of the emails sent out to implement 419 and other fraud scams, for example, are the result of activity by cybercriminals (or aspiring cybercriminals). Like fraudsters in the real-world, they are trying to enrich themselves by convincing deluded victims to send them money or transfer other property to them.

Even here, though, the categorization does not always hold: Al Qaeda and other terrorist groups have been known to use online fraud (especially credit card fraud) as a way to raise money for their terrorist activity. If terrorists are engaging in what would otherwise be cybercrime, is the activity still cybercrime or does it become cyberterrorism? I'd say it's still cybercrime because while it is being perpetrated by those who style themselves as terrorists, it is, at bottom, still just fraud.

I want, though, to focus on the problem I noted above: the challenge of initially identifying what type of cyberactivity is at issue and ensuring that the proper agencies/personnel respond to it.

Imagine, say, that a series of sequenced attacks occur on financial systems scattered around the U.S. We will simplify the example by assuming that each of the attacks takes the same form. (It would, of course, be relatively easy to structure the attacks so they differ in varying degrees.)

So, keeping things simple, let us assume that all/many/most ATMs are taken off line (i) in Des Moines on April 1; (ii) in Portland on April 2; (iii) in Reno on April 3; (iv) in Cincinnati on April 5; (v) in Nashville on April 6; (vi) in Miami on April 7; and so on. The scenario might involve keeping the ATMs offline or it might involve shutting them down, bringing them back up and then shutting them down again (which I think might be more effective). This basic pattern could be coupled with other attacks on banking systems . . . online banking might be shut down, data might be scrambled, etc. etc.

Take that basic scenario: Who would respond (initially -- we'll get to escalating responses in a minute)? The local police would respond. It would presumably be regarded as a cybercrime -- maybe the stereotypical teenage hacker shutting down the system for fun, maybe a prelude to an extortion effort by professional hackers.

Assume, now, that the attack is not a cybercrime, that it is being perpetrated by those "hacker warriors" I mentioned earlier -- cyberwarriors trained and recruited by a nation-state, one that is hostile to the U.S. and that is using cyberspace in an effort to gain certain tactical advantages. Here, the tactical advantage might be an initial step toward destabilizing the financial system in the U.S.

How long would it take for us to realize we were under such an attack? How long would it take for us to realize that this was cyberwarfare, not cybercrime? How would that realization come to pass . . . if at all?

For that realization to occur, someone, somehow would have to be able to see the big picture, would have to know that these attacks were occurring, would have to see the sequencing in the attacks, would have to know about the similarity in the attacks. How would that come to pass?

What if the local police in each of the cities in which an attack occurred simply believed it was a cybercrime? What if the local police, assisted, maybe, by the state police, sought to deal with it on their own? I think this is the most likely scenario, at least for a considerable period of time.

I hope, but doubt, that we have procedures, personnel, and data-gathering processes in place that allow us to track incidents such as these at a global level . . . that, in other words, let us (one or more of us, official one or more of us, somewhere) grasp what is occurring on a larger scale.

Otherwise, we could become the target of cyberwarfare and not even know it. In the 1970s there was, I think, a slogan -- something like "What if they gave a war and no one came?" Maybe the slogan for the 21st century should be something like "What if they started a war and we didn't know?"


Aug 03

Terminology: cybercrime

Since I write about cybercrime, it seems appropriate to define what it is, as a generic term.

I checked an online dictionary and found that it defines “cybercrime” as “a crime committed on a computer network”.  I think that’s a good definition, as far as it goes.

The problem I have with this definition is that, as an American lawyer, I have to be able to fit the concept of “cybercrime” into the specific legal framework we use in the United States . . . and into the more general legal framework that ties together legal systems around the world.

And that leads me to ask several questions:  What, precisely, is “cybercrime?”  Is “cybercrime” different from plain old “crime?” If so, how?  If not, if “cybercrime” is really just a boutique version of “crime,” then why do we need a new term for it?  

Let’s start by trying to parse out what “cybercrime” is and what it is not.  The perfectly logical definition quoted above says “cybercrime” is “a crime” that is committed on a computer network.  I’d revise that a bit . . . for a couple of reasons.

One is that this definition assumes that every “cybercrime” constitutes nothing more than the commission of a traditional “crime,” albeit by different means (by using a computer network).  As I’ve argued elsewhere, that is true for much of the cybercrime we have seen so far.  For example, online fraud such as the 419 scam is nothing new, as far as law is concerned; it’s simply “old wine in new bottles,” old crime in a slightly new guise. Until the twentieth century, people had only two ways of defrauding others:  They could do it face to face by, say, offering to sell someone the Brooklyn Bridge for a very good price; or they could do the same thing by using snail mail. The proliferation of telephones in the twentieth century made it possible for scam artists to use the telephone to sell the Bridge, again at a very good price. And now we see twenty-first century versions of the same thing migrating online.  

As I’ve explained elsewhere, the same thing is happening with other traditional crimes, such as theft, extortion, harassment, vandalism and trespassing.  So far, it seems that a few traditional crimes -- like rape and bigamy -- probably will not migrate online because the commission of these particular crimes requires physical activity that cannot occur online, at least not unless and until we revise our definitions of these crimes.  

The same cannot be said of homicide:  While we have no documented instances in which computer technology was used to take human life, this is certainly conceivable, and will no doubt occur.  Those who speculate on such things have postulated instances in which, say, someone hacks into the database of a hospital and kills people by altering the dosage of their medication. The killer would probably find this a particularly clever way to commit murder, since the crime might never be discovered.  The deaths might be erroneously put down to negligence on the part of hospital staff; and even if they were discovered, it might be very difficult to determine which of the victims was the intended target of the unknown killer.  

But I digress.  My point is that while most of the cybercrime we have seen to date is simply the commission of traditional crimes by new means, this is not true of all cybercrime.  As I explain elsewhere, we clearly have one completely new cybercrime:  a distributed denial of service (DDoS) attack.  A DDoS attack overloads computer servers and effectively shuts down a website.  In February of 2000, someone launched DDoS attacks that effectively shut down Amazon.com and eBay, among other sites.

DDoS attacks are increasingly used for extortion; someone launches an attack on a website, then stops the attack and explains to the owner of the website that attacks will continue unless and until the owner pays a sum for “protection” against such attacks.  This simply represents the commission of an old crime (extortion) by new means.  It is a tactic the Mafia was using over half a century ago, though they relied on arson instead of DDoS attacks.

But a “pure” DDoS attack such as the 2000 attacks on Amazon.com and eBay is not a traditional crime.  It’s not theft, or fraud, or extortion or vandalism or burglary or any crime that was within a pre-twentieth century prosecutor’s repertoire.  It is an example of a new type of crime, a “pure” cybercrime.  As such, it requires that we create new law, which makes it a crime to launch such an attack.  Otherwise, there is no crime, which is currently the situation in Britain; the UK’s 1990 Computer Misuse Act outlawed hacking and other online variants of traditional crime, but did not address DDoS attacks.  

So, one reason I find the definition above unsatisfactory is that it does not encompass the proposition that cybercrime can consist of committing “new” crimes – crimes we have not seen before, and that we may not have outlawed yet – as well as “old” crimes.  

The other reason I take issue with the definition I quoted above is that it links the commission of cybercrime with the use of a “computer network.”  This is usually true; in fact, the use of computer networks is probably the default model of cybercrime.  But it is also possible that computer technology, but not network technology, can be used for illegal purposes.  A non-networked computer can, for example, be used to counterfeit currency or to forge documents.  In either instance, a computer, but not a computer network, is being used to commit an “old” crime.  



Aug 03

Crime: Basic principles


This is a short post doing for “crime” what I am going to do for “cybercrime” in a minute, that is, defining terms.

Criminal law differs from civil law in two very important respects:  One is that a criminal case is brought by the sovereign (the state or federal government in the US), while a civil case is brought by a private party.  This is relevant for several reasons, one of which is that the victim, the person actually “injured” by the crime, has no control over the case, over the prosecution.  The sovereign can, and will, prosecute even if the victim does not want the prosecution to proceed.  The victim basically functions as a source of evidence, a witness.  (In a civil case, of course, the plaintiff controls the litigation, decides whether to sue, decides whether to settle, etc.)

The other difference lies in the sanction imposed.  A defendant who loses a civil suit can be forced to pay money (damages) or to do certain things or stop doing certain things (injunction).  The purpose of civil sanctions is to make the plaintiff whole by paying him or her money or having the defendant do/stop doing something that is injuring the plaintiff or his interests.  Defendants who are convicted in criminal cases are “punished” by the sovereign.  Punishment is not about making the victim whole (victims can sue those who commit crimes in an effort to obtain damages, as in the O.J. Simpson civil case).  Punishment is about controlling behavior; basically, punishment is intended to create a disincentive for (i) the person convicted from committing further crimes and (ii) others to follow his example by committing the same or similar crimes.  In the U.S., and in most countries, we punish people primarily by locking them up and/or by fining them.  (Unlike civil damages, fines don’t go to the victim, they go to the sovereign.)  In the U.S. we also execute people, though that is reserved for homicide; the Supreme Court said several decades ago that capital punishment is so severe it has to be limited to this most serious of crimes.  (I know, treason and espionage can qualify, too, but I’m really talking about basic criminal law here.)

In U.S. law, the legal concept of a “crime” has four generic elements:  (i) conduct (an act or, in a very limited class of cases, a failure to act); (ii) mental state (mens rea – basically that one acted purposely/intentionally, knowingly/willfully, recklessly or negligently); (iii) causation (by firing a gun I caused the death of John Doe); and (iv) harm (John Doe is dead).  These are the elements of what we call a substantive (or completed) crime, one in which “harm” is actually inflicted.  We also have a class of inchoate (or incomplete) crimes, the most important of which are attempt and conspiracy.  Law decided a long time ago that we needed to let the police interrupt someone whom they knew was going to commit a crime before they actually did it.  So, to use my earlier hypothetical, the police know I am plotting to kill John Doe (I’ve told people that, I’ve bought a rifle and I’ve researched his movements); they can stop me before I do so and charge me with attempted murder.  Attempt has the first two elements I outlined above (conduct and mental state) but not the last two.  

Conspiracy encompasses plotting to commit a crime or crimes; sometimes, of course, people who have already committed crimes are charged both with the crimes and with conspiracy.  That’s because conspiracy is both intended to let police interrupt someone who is planning, with others, to commit a crime (in my hypothetical, I plot with Mary Doe to do away with her husband, John) and to let the law punish people who collaborate in the commission of crimes.  This latter rationale is much more important in modern law than the first one; this is the “group danger” theory.  Law assumes that it is important to be able to use conspiracy charges to impose additional sanctions on people who collaborate to commit crimes, because a group of people can cause more “harm” than can a single person.  (I just read an article about how shoplifting is becoming a type of organized crime; organized groups of shoplifters can steal more stuff more effectively than can single shoplifters.)

These and other concepts have been imported into the law of cybercrime.  So, for example, to go back to what I said about “access,” it is at least arguable that someone who is port scanning could be charged with attempting to gain access to the system being scanned.  At least, I have found that this possibility generates a lot of discussion when I address it at conferences and other meetings.


Aug 01

Car Snitching

Last spring, Ralph Gomez, who is apparently from St. Augustine, Florida, bought a new Cadillac Escalade.  He took his girlfriend for a ride in his new car, to show it off.

Being a Cadillac, the car was equipped with the OnStar system which, among other things, lets the owner of the car use a cellular connection to contact an OnStar service representative to get directions or to obtain assistance in an emergency.  (OnStar is, of course, a version of "the System" we talked about in "Cartapping.")

I can’t determine, from the news stories I’ve read about this case, precisely how this happened, but Gomez somehow opened a cellular connection with OnStar.  An OnStar representative responded, but the volume on the connection in the car was set so low Gomez could not hear the representative when he/she tried to find out if anything was wrong.  (I suspect Gomez had been pushing buttons, exploring the new car and its OnStar system, and probably didn’t realize what he’d done.)

After repeatedly trying to get a response from Gomez, the representative followed procedure and contacted local police.  When officers stopped Gomez’ car, they quickly determined that there was no emergency, no problem . . . except for the cocaine clearly visible on the car’s console.

They seized the roughly 4 ounces of crack cocaine they found, plus the Cadillac and the $1,900 Gomez had in his pocket.  He was charged with possession of drug paraphernalia and with possessing an illegal narcotic within 1,000 feet of a church.  When the news stories came out, he was being held in the St. Johns County Jail on $15,000 bond.

This episode doesn’t raise any novel legal issues, but it’s a good object lesson in how the technology that increasingly surrounds us can be a double-edged sword.  Fifty years ago, people went to their cars to discuss private matters safely.  Now our cars turn us in to the police.
