Mailing List Archive


Re: tlug: telnet: different question + others



On Tue, May 30, 2000 at 09:10:59PM +0900, Stephen J. Turnbull wrote:

> (2) the "respondents" (as Frank puts it, ironically the word used for
>     the accused in civil procedures, I believe ;-) since they are
>     implicitly acting as experts, bear proportionately more
>     responsibility to be informed about security risks, and to pass on
>     that information, and generic warnings about acting in ignorance.

If this is not in the TLUG welcome message or FAQ, it might be added.
It's a good point.

The irony works even better, by the way; the "respondent" is a party who
won the case in the first trial, and is being dragged into court on
appeal.  ("Accused" is used for criminal, not civil defendants.)

> OK, so far.  No blood, no foul.  Although there evidently have been
> convictions for "theft of electricity" as a way of getting around the
> "no economic damages".  (I can't find the cite offhand though, but I'm
> pretty sure it was in reference to a hacking case in Europe.)

If you come across it, let me know.

>     FB> In other words, analogies to the practice "back in our day"
>     FB> are regarded as correct practice, and the special risks to
>     FB> third parties inherent in the online medium, even if they
>     FB> materialize as in Scenario 3, are not to be taken into account
>     FB> in fixing criminal responsibility for a given act, unless a
>     FB> specific statutory provision (such as USC 1030) applies.
> 
> I find it hard to believe that there is no appropriate analogy.  If I
> borrow your dwelling while you are out of town, and make it a habit of
> placing a duplicate key under the doormat for my own convenience, and
> a burglar should be aware of my practice ....

Or you make a habit of hiding the key to the front door of the office
building where you work in the parking lot bushes.  That's carelessness,
negligence.  Negligence is not a strong enough intention to get you
convicted of a crime, even if it materializes.  If your negligence is
really severe (you know the risk is significant but you consciously
choose to ignore it) that's recklessness, and that can sometimes lead to
criminal liability.

The typical recklessness offense is manslaughter:  someone is playing with
a gun, it goes off, a man is killed; someone drives a car while drunk,
they hit someone and they are killed.  In existing recklessness offenses,
the action directly proceeds from the offender; there is no intervening
actor.  If there were, you need some greater foundation than recklessness
-- either specific intent (then it becomes conspiracy or aiding and
abetting) or a special relationship (a parent's special responsibility for
acts of their children).

This does not mean that the Virtual Hero of our immediate story has
nothing to worry about.  Consider Hitchcock's "Strangers on a Train"
scenario.  Two men meet for the first time on a train.  One is trying to
get out of a difficult marriage.  The other is waiting to inherit a large
estate from his father. The latter proposes that they swap murders to make
detection by the police more difficult.  The former humors him and thinks
nothing more of it.  But then his wife is murdered ... 

Hitchcock's protagonist is not guilty of a crime (although, ironically, he
is guilty of breaking a promise when he refuses to murder his
counterpart's father).  He is innocent.  But as a professional tennis
player, he is sensitive about his reputation, and the nutter he met on the
train is ready to swear in court that they "had it all worked out".

> Is it true that I would bear no [civil]
> liability for such intentional self-interested negligence?  Liability
> for damages would surely weigh heavily on an individual.

It's straight negligence.  Same as if I drove my car at 100km/hour
down the street in front of my house.  The driving is intentional, but I
am negligent about the risk that my behavior creates for third parties.
Whether it will support liability in this case is a judgement call.
Practically speaking, there is a Catch 22 in the mix; if suit is filed
against Our Hero, he or she will be tossed unceremoniously out of school.
With diminished job prospects, he or she becomes a less attractive
defendant.

> Cheswick and Bellovin mention a rather larger set of laws than your
> singleton, {18 USC 1030}.[2]  In particular, California Penal Code
> 502(c)(7) allowed (as of the writing of the book in 1994) someone who
> "knowingly and without permission accesses or causes to be accessed
> any computer, computer system, or computer network" to be convicted;
> no damages required.

Lawyers always leave the back door open -- what I said was limited to
Federal law :-)  But that's a useful reference, and it would be bad news
for Our Hero.  I still think that a judge would toss the case out as de
minimis, though.

> Furthermore, discussion in that book of harboring hazardous beasts
> (ie, students who weaken the security of University networks) and
> reasonable prudence (University network security policy) suggests that
> the university may very well be liable for damages in Case 3 under
> tort law.

Yep.  Looks like the argument that the SA should tighten security is not
"absolute bullshit" after all.  (Steve: I know that in context you meant
that the student's responsibility cannot be ignored -- but I couldn't
resist :-)

> This would constitute strong incentive for the University
> to have a strict policy, and to throw the hard drive at violators.
> Maybe no (strictly defined) crime would be involved, but Our Hero
> might not see much difference in the weight of punishment.

The real downside, I think, is that little breaches like this push toward
ever more restrictive network architectures, and that is bad for
education, communication, and freedom.

Cheers,
Frank Bennett
--------------------------------------------------------------------
Next Nomikai Meeting: June 16 (Fri), 19:00   Tengu TokyoEkiMae
Next Technical Meeting: July 8 (Sat) 13:30   Topic: TBA
--------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan

