Mailing List Archive


Re: tlug: telnet: different question + others



Of course I'll defer to Frank's expertise on the legal aspects, but I
want to raise a couple of points.

I'm not going to comment on the ethical aspects at this point, except
to say that as general principles,

(1) I don't hold the ignorant _ethically_ culpable, whatever the law
    might say, except to take reasonable effort to understand security
    implications, and to avoid taking actions in ignorance, and

(2) the "respondents" (as Frank puts it, ironically the word used for
    the accused in civil procedures, I believe ;-) since they are
    implicitly acting as experts, bear proportionately more
    responsibility to be informed about security risks, and to pass on
    that information, and generic warnings about acting in ignorance.

>>>>> "FB" == Frank Bennett <bennett@example.com> writes:

    FB> A lawyer would say that no crime is committed in Scenarios 1
    FB> or 2, but that one (and, under federal law, at least, probably
    FB> only one) has potentially been committed in Scenario 3:

OK, so far.  No blood, no foul.  Although there evidently have been
convictions for "theft of electricity" as a way of getting around the
"no economic damages".  (I can't find the cite offhand though, but I'm
pretty sure it was in reference to a hacking case in Europe.)

    FB> In other words, analogies to the practice "back in our day"
    FB> are regarded as correct practice, and the special risks to
    FB> third parties inherent in the online medium, even if they
    FB> materialize as in Scenario 3, are not to be taken into account
    FB> in fixing criminal responsibility for a given act, unless a
    FB> specific statutory provision (such as USC 1030) applies.

I find it hard to believe that there is no appropriate analogy.  If I
borrow your dwelling while you are out of town, and make it a habit of
placing a duplicate key under the doormat for my own convenience, and
a burglar should be aware of my practice ....

Now, that may not be a "crime."  I realize that I should be more
careful about use of the word "crime".  I did not mean to limit the
issue to the criminal code qua criminal code, but to include civil
liability (for damages) as well.[1]  Is it true that I would bear no
liability for such intentional self-interested negligence?  Liability
for damages would surely weigh heavily on an individual.

Cheswick and Bellovin mention a rather larger set of laws than your
singleton, {18 USC 1030}.[2]  In particular, California Penal Code
502(c)(7) allowed (as of the writing of the book in 1994) someone who
"knowingly and without permission accesses or causes to be accessed
any computer, computer system, or computer network" to be convicted;
no damages required.  A judge might laugh this out of court (given
that Our Hero has been granted interactive login privileges), but this
looks to me to fit the situation of Our Hero tolerably closely, since
the access in question would surely be forbidden if permission were
requested, and the student obviously knows that.

Furthermore, discussion in that book of harboring hazardous beasts
(ie, students who weaken the security of University networks) and
reasonable prudence (University network security policy) suggests that
the university may very well be liable for damages in Case 3 under
tort law.  This would constitute strong incentive for the University
to have a strict policy, and to throw the hard drive at violators.
Maybe no (strictly defined) crime would be involved, but Our Hero
might not see much difference in the weight of punishment.

As Frank is aware, our respective Universities certainly have such
issues very much on their collective minds.  So far my own University
shows little evidence of drawing the conclusion that it should beat
hard on errant students and staff; rather, most ink is devoted to
coverup and spin control.  :-)

Footnotes: 
[1]  I did completely misunderstand the definition of aiding and
abetting, however.  I just plain got that wrong.

[2]  Frank: Remind me to send you the list, annotated with putative
applicability.

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +81 (298) 53-5091
_________________  _________________  _________________  _________________
What are those straight lines for?  "XEmacs rules."