Beryl Howell and Alan Davidson
Beryl Howell, formerly counsel to the Senate Judiciary Committee, is up talking about real-world problems caused by crimes on digital networks. Moral for all three stories: specific laws directed to specific problems are very important. So we need to keep updating these laws to fix mistakes and keep up with changes in technology.
First — leak of many staffers' memos. Two Republican staffers had taken thousands of documents and zipped them up with passwords. Taken from common server. No staffers were supposed to look at other staffers' memos, but permissions were set incorrectly and the files were wide open. Appalling breach of custom. Was a crime committed under the CFAA? Or just an immoral action? What does “authorized access” mean?
“Authorized access” was intended to be a case-by-case inquiry. [note that civil liability requires damage as well, so a higher standard than the criminal part.] Seems to be “you know it when you see it.”
Second case: FBI agents arrive at a suburban house, say computer being used to distribute child porn. Teenager there had downloaded Kazaa, downloaded files that contained child porn, then had become a supernode, being used as a pointer. Teenager had enough files for a felony. Had he been emailing images to his friends? going to specific sites and downloading them beyond Kazaa? Son said he wasn't aware of anything. Child porn is strict liability; hard to do forensic exams because examiners don't want to be in possession of it either. Happy ending: prosecutor declined to prosecute. But signals that technology can take you over a line. Is the user at fault, or the technology?
Third case: Company target of embarrassing emails with sexually explicit attachments (sexually explicit patents) sent on their behalf; clients took business elsewhere. Company seemed incapable of stopping it. Insecure wifi points and student internet accounts used to send these messages; couldn't track spoofer down. Howell's company did an investigation. Complaining emails about these attachments were also spoofed (from “wounded grizzly”). Started talking to wounded grizzly; got an extortion demand for 17million. Suspect surveilled; able to pinpoint him as spoofer. Arrested him two weeks ago; found ricin and guns in his house. Threats you think you're aware of are just the tip of the iceberg.
So we have a problem: limits of CFAA. Couldn't go after “wounded grizzly” because act unclear; stymied legitimate self-help efforts.
Alan Davidson from CDT is up. Why does criminal law only seem to expand? Does it ever go the other direction? “how many laws have you broken today?” There's a disconnect between social norms and the laws we have on the books. Why can't we allow rulesets to evolve — and why can't we have different views about what's wrong online v. what's wrong offline? A lot of policy FUD here. Will rote application of offline law lead to unintended consequences.
Three quick examples: the case of the nation of felons. How do we think about criminal copyright? Has changed dramatically in the last ten years? We've have criminal copyright for a long time on the books. Was a misdemeanor for a long time. With 1997 NET act, we got rid of “commercial profit” requirement; instead said if you distribute works of greater than X value over Y days, you're guilty.
And in 1998, DMCA creates new crimes for circumvention and removal of information.
So we're responding to a felt need to protect material, but what's wrong with this picture? Millions of people regularly violate this law. And this is likely to get worse. Expectations offline (first sale, fair use) drive us to use works online. Technology that precludes these kinds of uses will be counter-intuitive for a lot of people. Seems odd from morality perspective — “criminal” activities may not be felt as wrong. And from deterrence/utilitarian perspective; these laws aren't having a large effect. What does it mean for the rule of law if millions of people routinely ignore it?
Two approaches: House Judiciary committee; maybe problem is that it's too hard to bring these cases (so eliminate wilfulness, make a single copy made a available on a P2P network trigger wilfulness). Second, give govt civil enforcement powers here. This seems to resonate with online social norm. A speeding ticket and not a felony. We may be overreaching in our expansion of criminal law.
Second: case of culpable carrier. Creating criminal liability for ISPs. Challenge in Pappert case: DA can get ex parte order from judge based on showing that child porn is there; gets order saying “you must block material from this source.” Make sure they can't see this web site. Couple things wrong with that. ISPs block bluntly — by blocking IP address. This blocks all other things hosted there. We discovered over a million blocked based on 500 blocking orders coming out of PA. Well-intentioned law leads to incredible overbreadth. Trend is to look to ISPs to hold liable. Begins to jeopardize end-to-end model.
Third case: case of the aborted Koogle family vacation to France. Tim Koogle subject of criminal action in France based on larger Yahoo! case. So he can't go there. This was ultimately resolved just last year when charge dismissed [is that true?], but leaves open question about how to deal with criminal laws. US govt will certainly do this (eg, Elcomsoft). Calls into question relationship between individuals and govt.
In DC, legislators only expand laws — don't contract them.
Five modest suggestions:
1. go slow re cybercrimes
2. revise defs of crimes and access
3. prefer civil enforcement (things less harmful in the online context)
4. issues of international prosecution
5. tie to social norms more carefully
this was the best presentation on this panel. Very substantive and thoughtful — great job, Alan.
Comments
One Response to “Beryl Howell and Alan Davidson”
Got something to say?
Dear Susan,
Actually, French courts did not dismiss T. Koogle in the Yahoo! case. There will be hearings next October in Paris.
I copy below the information I posted on the CyberProfs list:
De: MANARA Cedric
Date: mer. 17/03/2004 15:09
¿: CyberProfs
Objet: The Yahoo! saga (new episode)
Yahoo's CEO may be sued before a French court, because the firm did not comply to the famous Nov. 20, 2000 order.
The Paris Court of appeal has confirmed today what the court of first instance already ruled: French courts have jurisdiction in such a case.
The court applied the French Criminal Code article L. 113-2:
“French Criminal law is applicable to all offences committed on the territory of the French Republic. An offence is deemed to have been committed on the territory of the French Republic where one of its constituent elements was committed on that territory”
(to read this text in its official translation in English, see http://www.legifrance.gouv.fr/html/codes_traduits/code_penal_textan.htm).
Criminal charges have been filed against Tim Koogle, CEO of Yahoo! Inc., for “justifying war crimes, crimes against humanity, or crimes of collaborating with the enemy” and “for having deliberately maintained auctions of Nazi objects.”
Coverage at http://www.juriscom.net/actu/visu.php?ID=477 (in French, with links to the previous judicial decisions). The judgment will soon be posted at http://www.juriscom.net