home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
cud
/
cud505a.txt
< prev
next >
Wrap
Text File
|
1995-01-03
|
10KB
|
188 lines
Date: 22 Dec 92 15:31:52 EST
From: Ken Citarella <70700.3504@COMPUSERVE.COM>
Subject: File 1--Balancing Computer Crime Statutes and Freedom
Computer Crime, Computer Security and Human Values
- The Prosecutor's Perspective -
Kenneth C. Citarella
Assistant District Attorney, Westchester County
copyright 1991
I am a prosecutor. I specialize in white collar crime, and
more particularly in computer crime and telecommunication fraud.
My professional interest regarding computer crime, computer
security, and the human values involved with them comes from that
perspective. I study motive, intent, criminal demographics,
software security and other topics to help me identify,
investigate, and prosecute a criminal.
A crime is an act prohibited by law. Criminal statutes define
acts deemed so inimical to the public that they warrant the
application of the police power of the state. Computer crimes only
exist because the legislature has determined that computers and
what they contain are important enough, like your house, money and
life, that certain acts directed against them merit the application
of that power.
A curious distinction arises with regard to computers,
however. Your house can be burglarized even if you leave the door
open. If you drop your money on the street, a finder who keeps it
may still be a thief. The foolish trust you place in an investment
swindler does not absolve him of guilt for his larceny. Yet much
of the discussion on what constitutes computer crime, and even the
computer crime statutes of many states, place a responsibility on
the computer owner to secure the system. Indeed, in New York
State, unless an unauthorized user is clearly put on notice that he
is not wanted in the system, the penetrated system falls outside
the protection of several of the computer crime statutes. The
intrusion, no matter how unwanted by the system owner, has actually
been legitimized by the legislature. Since I participated in the
writing of the New York computer crime statutes, I can attest to
the desire of legislative counsel to force the computer owner to
declare his system off limits. So the societal debate over how
much protection to afford computers has very practical consequences
in the criminal arena.
Commentators frequently address with much anguish whether
computer intruders are truly to be blamed for breaking into a
computer system. They treat such people as a new phenomenon for
whom new rules must be established. ("Hacking" and "hackers" are
terms that have become so romanticized and distorted from their
original context, that I refuse to use them; they simply do not
describe the behavior which is of interest.) I suggest, to the
contrary, that examining the victim impact of computer intrusions
provides a more meaningful analysis.
Consider some examples of the facts typically presented to
law enforcement. A computer intruder penetrates the system of a
telecommunications carrier and accesses valid customer access
codes. She distributes these codes to a bulletin board host who
posts them for the use of his readership. Within 48 hours, the
numbers are being used throughout the United States. The carrier
experiences $50,000.00 in fraudulent calls before the next billing
cycle alerts the customers to the misuse of their numbers. Or,
they could be credit card numbers taken from a bank and used for
hundreds of thousands of dollars of larcenous purchases. Or, it
could be experimental software stolen from a developer who now
faces ruin.
Stories like these have something in common with all criminal
activity, computer based or not. The criminal obtains that which
is not his, violating one of the lessons we all should have learned
in childhood. The computer intruder ignores that lesson and
substitutes a separate moral imperative: I can, therefore, I may;
or, might makes right. The arguments about exposing system
weaknesses, or encouraging the development of youthful computer
experts, amount to little more than endorsing these behavioral
norms. These norms, of course, we reject in all other aspects of
society. The majority may not suppress the minority just because
they have the numbers to do so. The mob cannot operate a
protection racket just because it has the muscle to do so. The
healthy young man may not remove an infirm one from a train seat
just because he can. Instead, we have laws against discrimination,
police to fight organized crime, and seats reserved for the
handicapped.
I suspect that part of our reluctance to classify many
computer intrusions as crimes arises from a reluctance to recognize
that some of our bright youths are engaging in behavior which in a
non-computer environment we would unhesitatingly punish as
criminal. The fact they are almost uniformly the white, middle
class, and articulate offspring of white middle class parents makes
us less ready to see them as criminals. Although there are
questions to be resolved about computer crime, we are sadly
mistaken to focus on what may be different about computer crime, to
the exclusion of what it has in common with all other criminal
conduct. Refer back to the simple scenarios outlined above. The
computer intruder may have all the attributes some commentators
find so endearing: curiosity, skill, determination, etc. The
victims have only financial losses, an enormous diversion of
resources to identify and resolve the misdeeds, and a lasting sense
of having been violated. They are just like the victims of any
other crime.
Of course, there are computer intruders who take nothing from
a penetrated system. They break security, peruse a system, perhaps
leaving a mystery for the sysop to puzzle over. Would any computer
intruder be as pleased to have a physical intruder enter his or her
house, and rearrange their belongings as he toured the residence?
The distinctions on the intruders' part are basically physical
ones: location, movement, physical contact, manner of penetration,
for example. The victims' perspectives are more similar: privacy
and security violated, unrest regarding future intrusions, and a
feeling of outrage. Just as a person can assume the law protects
his physical possession of a computer, whether he secures it or
not, why can he not assume the same for its contents?
What after all is the intent of the intruder in each
situation? To be where he should not be and alter the property
that is there without the approval of its owner. Each case
disregards approved behavior and flaunts the power to do so.
Of course, computer intrusions have many levels of
seriousness, just as other crimes do. A simple trespass onto
property is not a burglary; an unauthorized access is not software
vandalism. The consequences must fit the act. Prosecutors and
police must exercise the same discretion and common sense with
computer intruders they do regarding conventional criminals. No
reasonable law enforcement official contends that every computer
intrusion must be punished as a criminal act. Youth officers and
family courts commonly address the same behavior in juveniles that
other agencies address in adults. Sometimes a youth is warned, or
his parents are advised about his behavior, and that is the best
response. But to insist that some computer intrusions are to be
legitimized, assumes that law enforcement lacks the common sense
and discretion to sort out prosecutable incidents from those best
handled less formally. If we choose not to trust the discretion
and experience in our law enforcement authorities regarding
computer crime, then how can we trust these same people to decide
what drug trafficker to deal with to get someone worse, or to
decide which child has been abused and which was properly
disciplined. The point is that law enforcement makes far more
critical decisions outside of the context of computer crime than
within. The people involved are trained and have the experience to
make those decisions. Yet much of the debate over computer crime
assumes just the opposite.
In my personal experience, prosecutorial discretion has worked
just as well in computer crimes as it has regarding other criminal
behavior. Some complaints result in a prosecution; some are
investigated and no charges filed; some are not even entertained.
Lastly, I should point out that frequently computer intruders
are also involved in a variety of other crimes. Typically, credit
card fraud and software piracy are in their repertoire. And, let
us not forget that the telecommunication charges for all their long
distance calls are being borne by the carrier or the corporate PBX
they have compromised. With telecommunication fraud exceeding a
billion dollars a year, the societal cost of tolerating these
intruders is too large to be blindly accepted.
If the challenge of penetrating a system you do not belong on
is an essential way of developing computer skills, as some people
contend, then let computer curricula include such tests on systems
specifically designed for that. Surgeons develop their skills on
cadavers, not the unsuspecting. Pilots use simulators. Why should
computer specialists practice on someone else's property at someone
else's expense?
There are privacy and Fourth Amendment issues involved in
computer crime. But they are the same issues involved in any other
criminal investigation. The public debate is needed and cases must
go to court as has always been the case with constitutional aspects
of criminal law. Whenever law enforcement follows criminal
activity into a new arena, problems arise. It is as true with
computer crime as it was with rape and child abuse cases. The
answers lie in understanding the common forest of all criminal
behavior not in staring at the trees of computer crime.
(Adapted from a paper presented at the National Conference on
Computing and Values, Southern Connecticut State University, August
14, 1991)
Downloaded From P-80 International Information Systems 304-744-2253