From: Julian Assange <proff@suburbia.net>
Date: Thu, 7 Mar 1996 02:03:28 +0800
To: cypherpunks@toad.com
Subject: Legal Aspects of Computer Crime (LACC)
Message-ID: <199603041324.XAA25903@suburbia.net>
MIME-Version: 1.0
Content-Type: text/plain



            _                                _____         _____
           | |               /\             / ____|       / ____|
           | |              /  \           | |           | |
           | |             / /\ \          | |           | |
           | |____        / ____ \         | |____       | |____
           |______|      /_/    \_\         \_____|       \_____|
         
           Legal         Aspects     of    Computer      Crime
                  
            "echo subscribe lacc|mail lacc-request@suburbia.net"


WHEN YOU HAVE SUBSCRIBED
------------------------

    Send in a brief synopsis of who you are and why you are interested
    in Computer Crime as your first message to the list (this helps
    to stimulate discussion and debate as well as provide a sense
    of the LACC community). As a [small] example:

      "Hello, My name is Jane Reynor. I am an articled clerk at the
       Director of Public Prosecutions. I have been assigned as an
       assistant legal researcher to the prosecution of a bank officer
       involved in fraudulent EDI transactions. My interest in computer
       crime stems not just from the case we are working on, but also
       from an otherwise unrelated passion for computer networking that
       I suffered under during my period as undergraduate."

REASONS FOR INCEPTION
---------------------

    The growing infusion of computers and computing devices into society
    created a legislative and common law vacuum in the 1980's. State
    prosecutors attempted to apply traditional property protection and
    deception laws to new technological crimes. By and large they were
    successful in this endeavor. There were however a very few but well
    publicized failed cases against computer "hackers" (notably R vs
    Gold - UK House of Lords and the E911 case). To the informed, these
    cases demonstrated not so much a legislation vacuum, but prosecution
    incompetence in choosing which statute to lay charges under and
    mis-management by prosecuting cases where the real offence of the
    defendant was merely the embarrassment of the powerful.

    In an atmosphere of increased government reliance on computer
    databases and public fear and hostility towards computerization of
    the workplace, legislatures rushed to criminalise certain types of
    computer use.  Instead of expanding the scope of existing
    legislation to more fully encompass the use of computers by
    criminals, changing phrases such as "utter or write" to "utter,
    write or transmit" (the former being the prosecutions undoing in the
    well publicized Gold case) as had been done with the computerization
    of copyright law, an entirely new class of criminal conduct was was
    introduced. The computer had been seen not just as another tool that
    criminals might use in committing a crime but something altogether
    foreign and removed from the rest of society and established Law.
    The result was a series of naively drafted, overly broad and
    under-defined statutes which criminalised nearly all aspects of
    computer use under certain conditions.

    In the early 1990's a fundamental and evolving shift in computer
    usage started to occur. Now, it is rare to see a white collar worker
    in the work-place without the possession of a computer. In western
    countries such as Australia, over one third of households have
    computer systems. The computer is no longer the "altogether foreign
    and removed from the rest of society" device it once was. It has
    come out of the domain of the technical specialist and into the main
    stream.

    Even our notoriously slow moving legal profession is adopting it as
    an essential tool. But there is another change. A qualitative one
    important to our discussion.

    When you link hundreds of thousands of computers together and thus
    the people that use them together you find something remarkable
    occurs.  An event that you could never have predicted by merely
    summing the discrete components involved. A unique virtual society
    forms. Despite being designed with computer networking in mind,
    computer crime legislation copes very poorly with non homogeneous
    authorization [i.e partial authorization].

    Societies are based around a common knowledge of history, beliefs,
    and current events. Each member of a society can be pinpointed as
    belonging to the society in question by the ideas, beliefs and
    knowledge held in common with other societal members. Any new member
    to a society learns this knowledge only because it is passed onto
    them; directly by other members or indirectly via its media, works of
    literature, music and art.

    Successful large scale computer networks like the Internet form for
    one reason and one reason only; information sharing. When a critical
    mass of diversity, interests, user population and information
    exchange is reached, a situation develops that mirrors in all
    important aspects a vibrant and evolving society. Citizens of the
    Internet have a nearly equal sized voice with which to convey their
    thoughts to other members and can do so quickly and without unwanted
    distortion. This is a remarkably democratic process compared to the
    very real _self_ censorship and top heavy direction that is so
    manifest in traditional broadcast and publishing industries.

    But unlike the physical societies that have here-to been the norm,
    the electronic network society is remarkably non-isolationist. It
    continues to draw from, mesh and feed its beliefs into the
    traditional societies it was populated out of. This coupling process
    between computer network and traditional societies will continue
    (at least for English speaking countries -- the cultural barriers
    imposed by primary language differences are non-trivial) until a
    stage is reached where the boundary between the two is blurred and
    intangible.

    Most citizens will then fall under the rule of appallingly drafted
    computer crimes legislation every day of their lives. In the vast
    majority of such legislation directed to address computer crime
    everything which can be performed on a computer unless "authorized"
    is defined as illegal. One might think that an individual could
    authorize themselves to do anything they wished with their own
    computer [not so, as France and Russia and the USA have demonstrated
    with anti-cryptography and other information processing and content
    laws] given their ownership of it.

    But how does the Law define this "ownership"? Does ownership of the
    "chattel" (CPU, memory, disks and other hardware) imply ownership of
    the information created on it?  What about employees with "partial
    authorization" [examine disturbing outcome of Intel employee
    R.Swartz vs the State of Oregon 1995]? If the user of the computer
    system isn't the chattel owner, but has been given full control over
    it does this imply they are authorized for all interaction with the
    data stored on it?  Is there such thing as implicit authorization?
    Can an operating system grant authorization (implicit or otherwise)
    as an authorized agent of the owner/operator? If not, is sending
    electronic mail to someone who doesn't want their computer system to
    receive it "unauthorized insertion of data"?

    In a networked topology a typical computer user may use or otherwise
    interact with hundreds or even thousands of other peoples computers
    in any given day. What is then the analogous "authorization
    topology"?  In Law it has previously been the case that which was
    not expressly forbidden was generally permitted.  Currently the
    digital equivalent of moving a chair [modification of trivial data]
    in someone else's office is illegal and carries with it in most
    countries a 5 to 10 year prison term. It is a sad reflection on the
    legislature of the day that the computer _medium_ was criminalised
    rather than the intent or damage caused to the victim.

    It is unlikely that law reform will occur until current political
    concern over computer networks such as the Internet is moderated. If
    anything the push so far from political drafters has being to once
    again introduce brand new medium criminalising legislation rather
    than revitalizing the existing codes. This unfortunate "labeled
    arrow" approach will continue as long as there exists an ill
    informed and technologically ignorant legislature that finds itself
    pliant to the whims of sensationalist media and honed to their
    dubious targets. Strong ideals do not equal strong policy.

    So ill defined and over broad are the terms used in most computer
    crime legislation that typically the pressing of a button on a
    silicon wrist watch without permission can be construed as
    "insertion of data into a computer without authority" an offense
    which carries 10 years penalty in countries such as Australia. The
    farse inherent is blatant. Surely the process going on within the
    wrist watch is utterly irrelevant. Victemless crimes should be
    avoided if at all possible. If interfering with the watch caused
    damage, even if that damage was to the intellectual property in the
    watch then the crime is one of Criminal Damage [or one of the other
    broad ranging damage statutes, depending on jurisdiction]. If
    changing the internal state of the watch led to fraud or theft, then
    the crime should be one of fraud or theft (possibly by deception).
    If pressing the button changed, for instance, the time of the watch
    and this lead to a death, then the crime should be that of
    manslaughter or murder. Actions that do not damage (or other wise
    attempt to negatively effect) the life of human beings directly, or
    indirectly by damage or loss of property or fundamental societal
    ideals (such as the right to privacy, freedom of association, speech
    & movement) should not be crimes. Actions that annoy but do not
    damage should also not be crimes, and traditionally are not. Crimes
    and the criminal process are serious. Annoyances by definition are
    not.

    In most Commonwealth countries physical trespass [despite the
    general view] is not a crime and with good reason. The Criminal law
    system wasn't intended to be the citizen's lacky and enforcer of
    personal whim, but rather to protect persons from genuine harm and
    preserve social order and the sovereign. Someone trespassing on your
    lands may annoy you. It may contradict your authorization. But it
    [typically] only becomes illegal when you ask the trespasser to
    leave and they refuse, or if their trespassing was directly
    associated with the commission or attempted commission of an offence.

    It is with this lack of appropriate legislation, precedents and
    judicial guidance that judiciary, practitioners, prosecutors, law
    enforcement personnel, defendants and drafters of future codes &
    policy have to struggle to find resolution.

    This list has been created in an attempt to mitigate the lack of
    tangible resources people involved with computer crime have at their
    disposal. It is hoped that by bringing together knowledgeable legal
    professionals together with para-legal personnel and informed lay
    persons that information and resources relevant to the difficult
    task of analyzing, presenting in court, formulating departmental or
    company policy or otherwise dealing with computer crime law and
    computer crimes may be shared and intelligent discussion and law
    reform stimulated.

    nb. this list it is also an appropriate forum to discuss computerized
        legal, law enforcement and criminology databases, such as Netmap,
	Watson, PROMIS, Lexis, APAIS, CRIM-L, et cetera.

GUIDELINES
----------

In order to keep the semantic content high on this list, please consult
the following before posting:


DO POST 			 	DON'T POST
-------					----------

Un/reported decisions.			Personal insults.
Commentaries on cases.			Signatures >4 lines.
Reviews on relevant books.		Quoted replies with more than 30%
Relevant journal articles.		quoted from the original.
Information about proposed legislation. Short questions, or questions which
Full text of CC legislation.            otherwise do not convey useful
Judicially defined terms.		information in their own right.
Articles on new arrests or		Gossip about the moderator.
cases.					Articles about computer (in)security,
Detailed questions.			they should be sent to:
Intelligent commentary.			"best-of-security@suburbia.net"
Personal experiences with computer	"breaking into a computer is the same
crime.                                   as...."
Well thought out analogies.		Petitions (if you think they are
Relevant transcripts.                   exceptionally relevant, send them to
Defense or prosecution strategy.	the moderator, who may post them).
Relevant papers, thesis. 		Chain letters.
Conference announcements and details.	Advertising material.
Locations of legal resources.		Ethical considerations that are only
Computer forensics information.		"opinion".
Trial/court dates, verdicts etc.	Content free news reports or
Reviews of legal software.		articles. 
Pointers to any of the above.		Abusive, antagonistic or otherwise,
Cross post relevant information from    non information rich or non
other lists or news groups.		constructive material.
Relevant affidavits, court documents.	Quotes from Dan Quayle.

SUBSCRIBING
-----------

Send mail to: 

	lacc-request@suburbia.net

with the body of:

	subscribe lacc

UN-SUBSCRIBING
-------------

Send mail to:

	lacc-request@suburbia.net

with the body of:

	unsubscribe lacc

POSTING
-------

To send a message to the list, address it to:

	lacc@suburbia.net

REPLYING
--------

If you are replying to a message already on the LACC list using your
mail programs reply facility you will almost certainly have to change
the reply address to lacc@suburbia.net. This is because the LACC mailing
list program is configured to have return replies sent no "nobody" in
order to avoid receiving the replies of "vacation" programs which
automatically send email saying "I've gone to the moon for two weeks to
hunt rare bits".

ARCHIVES
--------

Monthly back issues of lacc since January 96 are available from:

	ftp://suburbia.net/pub/mailinglists/lacc

Unfortunately the the 1995 archive was lost in a disk crash. If anyone still
has a copy, then please contact the moderator.

--
"I mean, after all;  you have to consider we're only made out of dust.  That's
 admittedly not  much  to  go  on  and  we  shouldn't  forget  that.  But even
 considering, I mean it's sort of a bad beginning, we're not doing too bad. So
 I personally have faith that even in this lousy situation we're faced with we
 can make it. You get me?" - Leo Burlero/PKD
+---------------------+--------------------+----------------------------------+
|Julian Assange RSO   | PO Box 2031 BARKER | Secret Analytic Guy Union        |
|proff@suburbia.net   | VIC 3122 AUSTRALIA | finger for PGP key hash ID =     |
|proff@gnu.ai.mit.edu | FAX +61-3-98199066 | 0619737CCC143F6DEA73E27378933690 |
+---------------------+--------------------+----------------------------------+