Digg this story   Add to del.icio.us  
Every Man a Cyber Crook
Mark Rasch, 2002-01-07

Federal anti-hacking law permits cybercrime victims to sue their attackers. So why is that software companies, webmasters and computer makers are the ones being hauled into court?

Shortly after it enacted the federal computer crime law, Congress amended it to allow victims to sue their attackers in federal court for damages. It is now proving to be a costly mistake.

It seemed like a good idea at the time. Federal prosecutors have limited time and resources, and don't have the ability to prosecute every hacker. Civil litigants are often most directly affected by the actions of hackers, and providing for civil remedies allows those who suffer economic loss to be compensated.

But in practice, private litigants have rarely used the civil provisions to pursue computer hackers, who, after all, usually don't have very deep pockets. Instead, unfettered by the Department of Justice's interpretation of federal law, litigants have used the computer crime laws to go after computer hardware manufacturers for product liability, Internet companies for software design, spammers and protesters for commercial and other protected First Amendment speech, and website operators for the installation and tracking of computer cookies.

These unintended uses of the computer crime statute, and the court's permitting the suits to proceed in many cases, creates a genuine risk that ordinary business activity and protected speech will be deemed to rise to the level of a computer crime, subject to federal prosecution.

Spam Yourself to Jail
Spam -- that is, unsolicited commercial email -- is annoying and can be costly in terms of time, money, and system resources. In some instances it can result in a civil fine for each piece of email. Recently, a number of civil litigants have used the federal computer crime statute to go after those who sent spam.

A spammer who bypassed AOL's spam filters in violation of the company's Terms of Service was determined to have violated federal criminal law by an Iowa federal court in August.

And in December, the computer crime law was used to slam a former Intel employee who obtained a list of Intel employee's email addresses and spammed up to 29,000 of them.

The former employee offered to remove any individuals that requested to be removed from his mailing list, but refused Intel's requests that he cease sending emails entirely. Intel sued, alleging that the spam cost Intel valuable computer and personnel resources, and therefore constituted an unauthorized "trespass to chattels" in cyberspace. The damages, Intel alleged, was the collective cost of Intel employees' time while reading the unsolicited mail messages. The California appellate court agreed, and enjoined the former employee from sending any such emails.

These cases are disturbing. Spamming shouldn't be encouraged, and it does cost ISPs money. Remember however that the cases invoke the federal computer crime statute, meaning that prosecutors could use the same statutes to stifle unpopular speech, government criticism, or other expression protected by the Constitution simply because it employs the mechanism of mass electronic mailing.

In contrast, laws that target spam specifically, in Washington State and elsewhere, carefully balance commercial speech against the cost to the recipient. The criminal statute contains no such balance, and the courts in these cases imposed none.

America Online and In Prison?
AOL was on the receiving end of several lawsuits alleging criminal violations of the computer crime statute for the configuration of its software. In April, a class of plaintiffs alleged that when they installed version 5.0 of the AOL software, it changed the host systems' configurations and settings to interfere with non-AOL communications and software services. The plaintiffs alleged that AOL knowingly caused the transmission of a program which "intentionally causes damage without authorization to a protected computer" or "intentionally accesses a protected computer without authorization, and as a result of such conduct causes damage."

While rejecting the claim on the grounds that there was no allegation of an aggregate of $5,000 damages, the court found that AOL's installation of software features was likely performed without authorization or in excess of authorization, and therefore could violate federal criminal law.

A similar suit in federal court in Florida in August determined that AOL software may violate the criminal code by installing itself and failing to disclose that it might cause long distance telephone charges to subscribers.

In July, a lawsuit in a federal court in New York alleged that Netscape's SmartDownload feature similarly violated federal criminal law by installing software onto a host computer without authorization. The court refused to enforce Netscape's mandatory arbitration provisions on its website, and permitted the suit to go forward.

Later that month a federal court in Minnesota considered a suit against Sony for alleged product defects in its floppy disk drives that, under rare circumstances, might causes information to be overwritten and lost. While the court concluded that no actionable damages occurred, the court said it "was persuaded by the Plaintiffs that Sony's actions could, theoretically, be actionable" under the federal computer crime statute as it then existed.

Amendments to the law in November made it clear that the computer crime statute was never intended to act as a product liability assurance statute, and would make such suits against hardware manufacturers more difficult.

But together, these cases should be a wake up call for Web designers, ISPs and software companies. JavaScript, Active X controls, automatic updates and other software features may frequently be downloaded to a user's computer -- in many cases without the user's informed knowledge or consent. Such coding may affect the operation of the computer, and may even affect functionality or access to data. If damage occurs, not only may the software designer or user be liable for civil damages, but under the precedents established, they may run the risk of incarceration.

Give Cookies -- Go To Jail?
A number of cases this year have alleged that giving or tracking cookies not only violated acceptable trade practices and privacy regulations, but constituted criminal violations of the federal statute. Lawsuits against Toys R Us in October alleged that the use of JavaScript cookies to obtain information about customers violated the criminal code because the cookies "accessed" the users' computers without their authorization, and obtained information in the personal computer systems without authorization. The court rejected this interpretation because the plaintiff had neither plead nor proven that that unauthorized access caused economic loss. A similar federal lawsuit against another company in September in Washington State had the same result.

The courts in both cases tacitly accepted the principle that cookies constitute an unauthorized access to a computer, and may defraud the owner of valuable privacy information.

It is important to note that the reason for the dismissal was because aggregation of damages wasn't allowed. In November of this year, as part of the anti-terrorism legislation, Congress amended the federal computer crime statute to permit the aggregation of damages. Thus, in the future, such "cookie" suits -- and criminal prosecutions -- may go forward.

Webpage Screen Scraping and Crime
Finally, in mid-December a federal court in Boston found that the practice of screen scraping violated the fraud provisions of the computer crime statute.

Former employees of a travel agency focusing on high school students formed a new company, and sought to obtain the former employer's proprietary pricing information. It was their hope that they could undercut the former employer's prices and thereby obtain a competitive advantage.

Of course the prices charged were available on the former employer's Web pages. The defendants, using their inside knowledge of the plaintiff's "tour codes," designed a Web robot that would repeatedly access the web page and request pricing information for different classes of tours.

The court found that by using proprietary tour code data in violation of a non-disclosure agreement, the defendants exceeded authorized access to the data on the Web site, even though it would have been possible to discover the codes "through repeated searching and deciphering of the URLs." The court found that the use of the website in this manner was unauthorized, and therefore a criminal violation.

A Litigious Legacy
When Congress added the civil damages provision to the Computer Fraud and Abuse Act a few years ago, they certainly didn't know that these provisions would be used against pornographers, spammers, screen scrapers, computer manufacturers, and ISPs.

In fact, as is often the case when Congress permits private litigants to dictate the scope and meaning of a criminal statute, the results of the litigation has not always pleased the Department of Justice or Congress, and has recently forced Congress to amend the statute to clarify its meaning and intent.

Nevertheless, these civil litigants are helping to define the scope of what it means to be a computer criminal. In the future, we can expect the Department of Justice to pick up the baton, and use the precedents established by civil litigants against some unlikely "computer criminals."

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us  
Comments Mode:
Calm down... 2002-01-07
Bii Reilly (1 replies)
Calm down... 2002-01-22
Grim Rebuke (1 replies)
Calm down... 2002-01-23
Every Man a Cyber Crook 2002-01-07
Every Cyber Pain a Cyber Crook 2002-01-07
Anon (1 replies)
Every Cyber Pain a Cyber Crook 2002-01-08
Every Man a Cyber Crook 2002-01-08
Iets-sue (2 replies)
Every Man a Cyber Crook 2002-01-08
SteveB (1 replies)
Every Man a Cyber Crook 2002-01-08
Anonymous (1 replies)
CFAA 2002-01-12
Bill Reilly
Every Man a Cyber Crook 2002-01-12
It's not about the deep pockets!! 2002-01-09
Every Man a Cyber Crook 2002-01-12
Every Man a Cyber Crook 2002-01-15
Yet another columnist sans clue 2002-01-17
Anonymous (1 replies)
Yet another columnist sans clue 2002-01-24
Three cheers for this new law! 2002-01-23


Privacy Statement
Copyright 2010, SecurityFocus