Personal tools

karnow.html

Crime in the Digital Network

Recombinant Culture: Crime In The Digital Network

Curtis E.A. Karnow
Landels, Ripley & Diamond

Defcon II
Las Vegas
July 1994

Copyright (c) 1994 Curtis Karnow


"Technically, I didn't commit a crime. All I did was destroy data. I didn't steal anything." 1

"A floating world of liquid media where the body is daily downloaded into the floating world of the net, where data is the real, and where high technology can finally fulfill its destiny of an out-of-body experience. ... In recombinant culture, the electronically mediated body comes alive as our android other. ..." 2

"Reality has left the physical world and moved into the virtual one." 3


I Introduction


The signal shift in the development of the digital culture is the loss of physical laws as the conclusive arbiter of action.

Physical and natural laws have generally governed what was possible, and so provided limits to everything from politics to property. Hence the notion of a "reality check." This grounding in physical reality provided a certain minimum commonality among human experiences, providing the basis for shared assumptions. As an intractable limit, the test of physical reality sorted out the real from the dream, valid from the invalid, true from the false, the effective from the futile, and even the good from the bad.

Correspondingly, the legal system has always been a system of ascertainable limits, with physical "property" as it is central core and metaphor. When intangible things of value became valuable, the system bred "intellectual property" to cover these intangibles. The legal system rapidly extended its reach to all manner of vap'rous, indiscernible stuffs: we own, and can steal, and can sue over: invisible trade secrets, accounts receivable, expectations of profit, and patented ideas. By and large these intangibles, and all the intangible personal rights protected by constitutions and law, all plainly do find tangible expression or location. The patent is written out on paper, the right of privacy inheres in our physical selves. The intangible stuff is actually parcelled out on a per capita basis, and documents are kept which certify the individual owners and in so doing mark out the boundaries, the borders, among these incorporeal things. That's why we can reasonably call the stuff "intellectual property."

But we are leaving the physical world behind, and with it the touchstone of physical and natural laws, together with the notion of irreducible limits. Increasingly, the things we deal with are located in a digitized networked space. 4 This is marked by the remarkable increase in computing power available to the average user 5 and growth of the networks. 6 The social work of the culture increasingly is mediated by the computer. Too, the productivity of the culture -- the making of valuable things -- is done on computers, and those valuable things are often bit- composites stored on those machines.

The stuff in computers is information. Some people want to use information in ways that horrifies others. Disputants call on the legal system to settle the matter, and some people get indicted. The law has to provide answers, but there is no consensus on what the rules are: the technology is growing too fast, and there is too much myth and ignorance. Instead of social consensus, the federal and state governments have passed laws, hundreds of them, criminalizing so-called "unauthorized access" and data transmission. Other groups, too have called for laws, regulations, bills of rights, cyberspace constitutions, and so on, to regulate the electronic arena.

These efforts are futile.


II Understanding Information


There is a deep confusion on the value of data and information.

Those who value it most treat it with no honor. They may take a perverse pride in its mutation, in its endless potential, in its infinite mutability. The apostles of the information age tell us that data is free, 7 that the wineskins have burst, 8 that information belongs to us all. Of course, information that is as ubiquitous as air, cheap as sand, is barely property at all. These same people believe profoundly in the value of privacy, and are the vanguard of those combating the Government's efforts to control the keys to private encryption. They oppose the Clipper chip, U.S. government monopolies on encryption devices, corporate control over personal and credit information, and other threats to the individual's power to exercise total domain over the data that he creates. They see -- correctly, I think -- that control over and access to information, on the one hand, and control over the citizenry, on the other hand, are actually inseparable.

On the other side, those charged with the enforcement of the law know well that our movement to an information society is transforming notions of property. They think that if digital property cannot be protected, then property as such will be eviscerated, and with it one of the central foundations of the legal system. It's true; tampering with data can cost millions of dollars; some information is private and shouldn't be released; some data storage areas, and entire systems, should be off limits to unauthorized personnel. The digital world, despite its increasing size and universality -- or indeed as a result-- does not stop at the keyboard and electron tube: it reaches out into the physical world and operates subway systems, nuclear power plants, passenger aircraft and the economies of the developed countries. Precisely because much of what we call physical reality is controlled by computers, we care very much about what happens to specific data. Criminal law must handle the real world consequences of these electronic events.

But most judges, juries and prosecutors don't understand the technology. It's difficult to spend time and money on investigations of system break-ins, it's hard to ask for jail time when the only harm was a temporary slow-down of a network, and it's troublesome to try a case when the perpetrator simply looked around a few files, and left a little electronic graffiti. Why lock someone up for peaking over the digital fence? Who's been hurt? What's the loss in value of picked-over data? When the criminal justice system is wholly overwhelmed by traditional crimes of violence, murder, drugs and the rest then electronic crime takes a back seat. It is too difficult to understand and too complicated to spend time on. 9

There is a deep ambivalence over the value of information.


III Parceling out Information as Property


The law and the culture it symbolizes may not comprehend the nature of data and information, but the law does know what property is. For this reason recent developments in computer law 10 consist by and large, of (i) developing the definition of "property" in the digitized world, 11 and (ii) the adumbration of proscribed actions done with that newly broadened definition. Laws address the interception of data, accessing data and systems, tampering with and altering data, obtaining data of value, frustrating authorized users from accessing data, and viewing other's use of data, including keystroke monitoring. 12 Computer crime laws first appropriate the entire digital world, claiming the right to control the movement of every electron and fiber cable photon; then these laws carve out the boundaries of criminal behavior through the notion of "unauthorized access." Beautiful borders circumscribe each grouping of data; criminal behavior is the breach of the border.

The coverage of these laws can be stunningly broad: every computer and every attached devise and all communication facilities "related to or operating in conjunction with" the system can be protected under federal law (18 USC sect. 1030(e)), and in Pennsylvania it can be a crime to interrupt the "normal functioning" of a system or organization, whatever that means. 13

For example, federal law focusses directly on the unauthorized access of a computing system, and refines that by also making it a crime to exceed one's authorized access to secure, for example, financial information. 18 USC sect. 1030. A ten year jail term can be imposed for preventing others from their authorized use of a system. 18 USC sect. 1030(a)(5). It is a federal felony to have an unauthorized access to a system for the purpose of any copying or taking or disclosing or possession of anything of value. Id. Any access which exceeds one's authority and which thusly secures or alters any information, or which prevents an authorized user from having access, is a federal crime. 18 USC sect. 2701.

Thus computer crime laws follow the general legal presumptions of discrete, separable areas surrounding and defining each legally cognizable entity: homes and property around individuals protected by trespass laws; a web of trade secrets and confidentiality around corporations; and privacy interests marking them all off from each other. These are the traditional rules of consanguity, and the digital universe has been subject to the same colonization. Every user's access is protected from everyone else's. Every digital interference, from destroying another's data to degrading the computer system, 14 can be a crime.

Law defines the borders, and so the very existence and shape, of legal entities. When the breaches are mild, use the civil law and sue; when the breaches are considered severe, enter the criminal law.


IV Faulty Transition to The New Network


Run, run, run as fast as you can
You can't catch me -
I'm the Gingerbread Man.

These efforts, are, like much of the law's attempts to play catch up with technology, too little, and too late. The legal system, inherently conservative, is perpetually a decade behind the technology 15 and so the governing law can rarely be directly invoked. As I note below, though, the price for this divergence is paid by technology as it finds itself shackled by unfit law.

There are two central reasons for the law's difficulty in treating electronic material as property. First, data is infinitely mutable and so untraceable; second is the nature of the network.

1. Infinitely Mutable Data

The character of this chaos is set by the technology's apparent disregard for the laws of physics, its chameleon skin and infinite capability for morphing. The outstanding fact of data, and of the algorithms that operate on them, is the property of recombinancy. Originals are in no way distinguishable from copies; the very notion of an "original" is empty. The same data can be manifested as sound, text and image, and thus each as an algorithmic equivalence that defeats conventional notions of copying and reference. Every transformation is of an equivalent validity. Transmogrification is now banal. Continuity, accuracy, and truth are a function, thus, of the algorithm; these becomes a purely mathematical concept. The integrity of the data substrate is wholly divorced from the infinite colors and shapes and forms of its manifestations and appearance.

You -- You cannot tell where the data came from, what the data is, who made it, when it was made, or if it mutated, or was stripped of identifying information such as trademark or copyright claims. Only the computer knows, and its memory is volatile. It has permanent amnesia.

2. Digital Networks

The truth is that we do not use separable computers, that we no longer access separable information and data. We do not really have discrete data in separate banks of RAM, or a discrete CPU in every garage. The slow, painful efforts of the legal system to accommodate the computer are mooted by the advent of the network.

Law-makers see communications devices and other connections simply as appendages to the key individual computer and data vaults. The image is of a network as simply the medium by which the data travels and by which criminals access property. The image here is of streets connecting homes, the medium of air between communicating humans, empty space between the stars.

But that image is false.

For the network reveals that there are no borders, and never will be. The ultimate networked machine is wholly wired, operating across time and space at the speed of light, connecting every user to every database. This is a sort of single parallel processing multi-threaded machine, and it isn't far from reality. The fact of interconnectedness is as critical to the nature of the computing as the connected nodes themselves. Just as electricity itself has no meaning absent the conducting wires, so too the evolving computing environment is essentially a connected unitary whole. 16

This essential fusion produces a deep quandary for the new computer crime codes. There are problems with the obscenity law of Tennessee affecting BBS operators in Arkansas and California; there are problems with the US trying to restrict the so-called "export" of encryption software across the physical U.S. borders while billion transfers of the same software across the 50 states are legal. There are issues with applying classic telephone wiretap law to the interception of email within a company. It is not clear if an "unauthorized access" has occurred when an authorized user inadvertently introduces into a system a viruses written by someone without access. It is not possible to determine if a repair technician with approved "supervisor" access to a network can legally look at data. We don't really know if privacy rights protect files on local hard drives and whether different rules apply to hard drives across the state or national borders. We know the U.S. government can't insist on the right to record keystrokes at my stand-alone PC, but the FBI wants the power to record and read keystrokes if sent by wire. 17

This is utter confusion. There are different laws with different results regulating a single activity. Federal and state law conflict on privacy rights and criminal conduct; we have conflicts between the laws of two or more states, all of which simultaneously apply to the same networked environment.

To catch up with technology, states have extended the definition of "property" to electronic impulses:18 but in the electroverse of infinitely mutable replicant data, that net sweeps far too wide. Under this brave new regime, theft can include logging onto the wrong partition, a felony erupts when an unwanted comment appears on a start-up screen, 19 and you could get jail time for playing the networkable multiplayer games DOOM or Falcon on your employer's network. 20 Think of it this way: DOOM is a sort of Trojan horse, a virus pretending to be a game.

Indeed, there are a host of unexpected behaviors we've seen explode from the products of commercial vendors that could qualify as felonies under the new laws. For example: so-called "compression" software that slows down a system, operating systems that trash files, telecommunication devices that loose mail, or any iota thereof. As some of you know, there's a bug -- I mean a feature --in the Windows tool OLE 2.0 which allows one to send a hidden program inside a document, defeating many routine security techniques. 21 Sounds like unauthorized access to me.

But criminal unauthorized access? Crooks, surely, must "intend" to do evil before they are locked away. A noted programmer describes how to make a simple modification to a C compiler which will be undetectable and cause a miscompilation under set circumstances. "If this were not deliberate, it would be called a compiler 'bug.' Since it is deliberate, it should be called a Trojan horse." 22 But the "deliberate-mistake" dichotomy is not quite how the criminal law operates. "Reckless disregard" of the consequences, knowing enough so that one ought to know the consequences, is usually enough for a conviction. As one my favorite jury instructions notes, we are all presumed to know and intend the ordinary consequences of our actions-- and that can be a lot of consequences. Presumably someone at Microsoft knew of the OLE bug; presumably Borland knew when it released C++ 4.0 that it generated a rounding error. 23 Both these bugs, of course, in effect destroy data; arguably, Microsoft and Borland "intended" that destruction. And the "deliberate-mistake" dichotomy does not correlate with the risk posed by viruses, either: some like the Macintosh Scores virus (and perhaps, too, the famous internet worm) probably was released unintentionally into the general population 24. In both cases, though, many prosecutors would indict and secure a conviction under the new computer crime statutes.

Is that too bizarre? A prosecution for a bug that eats data or that provides an entry point for data modification? Not bizarre at all. Decisions to indict are essentially unreviewable, and often made by prosecutors with a weak grip on the technology. And the same the same can be said for the juries that decide on guilt.


V Interlude: State of The Net


Let us pause to probe deeper into the nature of networked computing. There are two central aspects that bear scrutiny. Those aspects are: (i) agents and related objects, what I term self-directed code, and (ii) the world-wide electronic environment in which those agents operate: webbed databases.

Let me briefly describe these.

Self directed code means those programs that can be let loose to find their way and report back with some sort of result. These exists in rudimentary form now, in everything from Borland's and Microsoft's spreadsheets to General Magic's draft telecommunication programs. These "agent" objects combine code and data, are independent, sensitive to their context, and therefore do not need complete instructions from the human operator: in that sense, these agents are self directing: they don't need direct human supervision. The point is to embody some amount of artificial intelligence and thus be able to execute some unpredicted computer tasks. 25

The second salient aspect here is the development of worldwide hyperlinked databases, utterly transparent to the user. 26 Already, users of the internet's worldwide web are familiar with the invisible shifting of data sources. True global networking is the ultimate, realizable, ambition. 27 Every network now accepts and operates with the notion of a logical drive, as opposed to the physical drive resident in determined physical space. The simple notion of logical drive, logical space as oppose to physical space, makes it plain that a network "exists" everywhere that any user can access. Noting the physical location of our data is utterly pointless. 28

Imagine, now: self-directing code in a worldwide habitat of hyperlinked data. 29 That is our model network.

This electroverse is a concatenation of endlessly looping data and symbols that do nothing ultimately but refer to themselves and to combinations of themselves. Here, the physical and natural worlds are leveled, electrocuted, no more than a series of signs and symbols.

This is the nebulotic data soup. It is an unrestrained, frenzied hyperbole of text, sound and graphics, each moment a cut and paste morphed version of others, an endless processing and transmission of the bitstream. Memory is a looping self- replicating tape: there is no past, or an infinity of pasts.

Here we have the infinite geography of the electronic cosmos operating at lightspeed: communication so fast and transparent that the elements, the actors, the agents of communication are swept up into the transmission stream and loose all identity but for their existence as transmission agents, each a repeating station, each no more than input and output; each one a copper wire linked into other wires, until we have a single endlessly looping strand, truly e pluribus unum. The electroverse is zero culture, inhabited by android shadow-selves who fear no law, abide no punishment, and feel no guilt.

It is in this digital soup, this is a hyper-relational environment, that we see the death of the barrier. We have no cells, we have no inside and outside, we have no public world and we have no private world. What we do have is the network and the death of dichotomy. This is fatal for the legal system, which depends for its very life on the existence of barriers- after all, that's what the law does: it utters the line between this and that, and punishes the transgressor.

But our android shadows cannot be punished.


VI Crime In A Phantasmagorical Terrain


There are probably no secure systems on the Intenet. 30

What does this pose, this universe of warpspeed propagation of data and signs, this self-metastasis, this cancer of replicating code out of control? The problem is one of extreme difficulty and consequence, because while the law evaporates as the network is perfected, the need for law grows as the network expands to control the infrastructure of the real world. 31 The essential connectivity of the network generates at once its extraordinary power, its volatile reactivity, and so its striking vulnerability.

This, then, is the nub of the problem. As I have noted, the solution to date has been to pass more and more laws, more regulations, calls for new constitutions of cyberspace, to invoke new rights, new privileges; to heap laws on laws. The confusions regarding data and information that I described earlier have been addressed in just this way by all sectors of the political spectrum: The FBI wants more laws, 32 liberal Harvard law school professor Lawrence Tribe wants more laws, 33 the National Security Agency wants regulation of encryption, employers want rules on employee privacy rights, online services such as GEnie and Prodigy regulate "inappropriate" and "offensive" speech, 34 Congress is considering new copyright law to make it perfectly clear that electronic copying is copying. 35 This is the all- American way: more legislation. Don't let anything escape; take no prisoners.

This impetus is fueled by the cynical acceptance by the government -- the legislatures and law enforcement -- that electronic reality really does exist as a sort of parallel universe. They have come to buy the proposition that virtual reality -- what I have termed tongue-in-cheek the electroverse -- has an existence independent, legally speaking, of the day to day reality governed by traditional law. Denizens of that place call it cyberspace, a high frontier, a new territory precisely like the Moon or some other undiscovered country.

The law-makers have endorsed that schizophrenia pressed by the electro-cognoscenti, and they have endorsed it out of fear, ignorance and misunderstanding. How else to react to the omniscient, omnipotent power of cyberspace? Well, take its unruly tenants at their word [they seem to know what they are talking about], and treat cyberspace as a competing reality: regulate it, and break it up into chunks called property.

But alternative universes provide a very bad model: Neither law nor technology benefits. The law founders and sinks in the clear blue fungible sea of the network. And the electronic community is on the verge of being legislated to death, ruled out of fear and loathing, chained by broad and detailed laws that can make anything -- the movement of an electron-- illegal.

The notion of cyberlaw -- legal rules peculiar to the electronic communications context -- makes no more sense than printlaw, newspaperlaw, movie law, T.V-law, shopping center law, videogame law or, indeed, washing-machine law. The network is not, in fact, a place like the Moon. It is a tool, a machine, like a tractor or a pen or velcro, an extension of the physical, moral human being who in turn is subject to the mundane legal system. We can have no law of place or property here, and so new computer crime law's heavy regulation of data and "authorized access" is quite wrong-headed. Computer crime is not really about "unauthorized access," 36 the actions of self-directed code in the network are not "intended" in any sense recognized by the criminal law, it can be impossible to tell if anyone "owns" any given chunk of infinitely mutable data.

The battle of the metaphor always erupts in the face of new and powerful technologies. Our imagination is fired, but our stability is threatened; and we always seek precedent for understanding. So we use the property analogy; the metaphor of invaded homes and goods when systems are attacked, the allusion to space and universes. But this is a category mistake. Computer mediated "space" is no more space than DNA is a person, no more than digital signals are a picture or a novel. Bits and bytes are not the equivalent to their manifestations; the genotype is not the phenotype.

The criminal law has no business here. For the network has no borders, and the autonomous space of hyperperfect illusion and flawlessly recombinant culture is too slippery for any statute.

But, should then the wiley hacker deploy with impunity? Shall we let a thousand viruses bloom? What is the reasonable role of the law in view of the fact that networked computers operate our transportation, banking, powerplants, military and other key infrastructures? 37

Control -- the control we need -- is not finally a legal problem at all. It is a social, moral, and technological problem. The law simply will not save us from the next full stealth polymorphic virus; but widely accepted social norms and technological shields might. Back up the data, use firewalls to insulate machines and data, use smart cards and arbitrary, changing passwords; employ private cancelbots; use real encryption for authentication and privacy. Never make the mistake of believing that a computerized system is necessarily an improvement; and think about not using computers, at all, for certain very high-risk tasks. 38

When real people suffer real injury, measured as real financial loss, then indict and convict those who really and demonstrably intended that harm. That's the purview of the criminal code. If a jury of ordinary people, using ordinary laws on fraud and theft, wouldn't convict, then leave it alone. Put the armed criminals in a cells, and leave the android shadows to their electric dreams. There are grey areas, to be sure, but there should be grey areas, governed slowly by developing manners and custom, not crushed out by an omnipresent criminal code.


Bibliography


Jean Baudrillard, The Transparency of Evil (London & New York: 1990)

John Perry Barlow, "The Economy of Ideas," 2.03 Wired 84 (March 1994)

Lance J. Hoffman (ed.), Rogue Programs: Viruses, Worms, And Trojan Horses (New York: 1990)

Curtis Karnow, "Data Morphing: Ownership, Copyright & Creation," 27 Leonardo 117 (No.2 1994)

Arthur Kroker, Spasm (introduction by Bruce Sterling, music by Steve Gibson)(1993)(CD, book)

Mark Ludwig, The Little Black Book Of Computer Viruses (Tucson: 1991)


About the Author


Curtis Karnow is a former federal prosecutor, and now a partner at the San Francisco law firm of Landels, Ripley & Diamond. His practice emphasizes litigation, computer law and intellectual property. He has advised publishers and developers in the software and multimedia industries, those involved in the software encryption and other advanced computer technologies, and has represented a major telecommunications provider in telephone toll fraud matters. Mr. Karnow has spoken and written widely on computer law, including articles in Wired and Leonardo, chaired panels at various Meckler Virtual Reality conferences in the U.S. and abroad, and was a speaker at this Spring's "Computers, Freedom and Privacy '94" conference in Chicago. He can be reached via internet:


Footnotes


1 Martin Sprouse (ed.), Sabotage in The American Workplace: Anecdotes of Dissatisfaction, Mischief and Revenge (1992)(Bank of America employee planted a logic bomb in the computer system).

2 Arthur Kroker, Spasm 36 (New York, 1993).

3 Benjamin Woolley, Virtual Worlds 235 (Cambridge, 1992).

4 S. Zuboff, In The Age Of The Smart Machine (New York, 1988); Benjamin Woolley, Virtual Worlds 133-134 (Cambridge, 1992).

5 We see about 50-70% more computing power per year, and memory density doubles every 12-18 months. Since 1978, desktop transistor density has gone up 100 times, and raw computing power over 500 times:

80x86 Performance- Max MIPS Transistor
density
June '78 .75 29,000
1982 2.66 134,000
April '89 70 1,200,000
March '93 112 3,100,000
March '94 166 3,300,000
"80x86 Evolution" 19 Byte 88 (June 1994).

6 Note the size and growth of the internet: 21,000 connected networks, 60 countries, 15 million users; 2 million computers, with a rate of monthly growth of 7 to 10%. See also "Special Report: Distributed Computing," 19 Byte 125 (June 1994).

7 Lauren Wiener, Digital Woes (1993).

8 John Perry Barlow, "The Economy of Ideas," 2.03 Wired 84 (March 1994).

9 Michael Gemignani, "Viruses And Criminal Law," reprinted in Lance Hoffman (ed.), Rogue Programs: Viruses, Worms and Trojan Horses 99 (New York 1990).

10 Every state but Vermont has some form of computer-specific criminal statute. Note, "Computer-Related Crimes," 30 American Criminal Law Review 495, 513n.144 (1993). See generally, Anne Branscombe, "Rogue Computer Programs And Computer Rogues," Rogue Programs at 59.

11 For example, Massachusetts found it necessary to pass a law stating that "property" includes "electronically processed or stored data, either tangible or intangible, [and] data while in transit..." Mass. Gen. Law Ch. 266, sect. 30(2)(1992). In its efforts to combat computer crime, Missouri [like many other states] now defines property to include "information," any electronic data, and indeed any intangible item of value. Missouri Stats. sect. 569.093 (10). Kansas defines property similarly for the same purpose. Kan. Crim. Code sect. 21-3755 (i)(h). California makes it a crime to, without permission, use or copy computer data, or to access that data, or to prevent others from accessing it. Cal. Penal Code sect. 502(c)(2), (4), (5) and (7). New York's law, typically, also focuses on unauthorized access to and tampering of computer data. N.Y. Penal Law sect.sect. 156.10; 156.20.

12 18 U.S.C. sect. 2510; [Federal] Computer Fraud And Abuse Act. "Currently 26 million employees are monitored at work, and this number should increase as computers become more widely used and the cost of monitoring systems deceases. If employers monitor the number of keystrokes we make a minute to assess our productivity, or read our electronic mail, what will they be allowed to do in the future as the human-machine interface becomes even more personal?" Clifford Pickover, Introduction, Visions of the Future: Art, Technology, and Computing in the 21st Century (2d ed.).

13 Pa. Cons. Stats. tit. 18 sect. 3933.

14 Del. Code Ann. tit. 11 sect. 934. Many states proscribe denying or interrupting computer services to authorized users. E.g. Pa. Cons. Stat. tit. 18 sect. 3933 (a)(1); Cal. Penal Code sect. 502 (c)(5).

15 An appellate opinion read today took four years to get through the trial system, and about another year and a half in the court of appeal. Of course, the technology had been out on the consumer market before the case was initially filed, and so was a few years old then. The court of appeal decided the meaning and effect of a statute that dated back to the filing of the case, some six or seven years ago, and which had actually been passed a year or so before that, in response to the technology of the day. Now one knows what a nine year old statute means. (The statute has since been amended.) Examples of problems caused by technology outstripping the law are discussed in Curtis Karnow, "The Uneasy Treaty Of Technology & Law," AI Special Issue, Virtual Reality (Premier Issue, 1994).

16 "[C]yberspace.... [is] the place where our lives and fates are increasingly determined... . The power of this realm comes from its connectedness. It is a continuum, not a series of discreet systems that act independently of each other. Blips are not isolated events." Benjamin Woolley, Virtual Worlds 133 (Cambridge, 1992).

17 Which is why fibre optic cable and its bland transmission of a thousand pulses of light makes some people in the government ill. [Optical fibre is not what George Bush meant when he referred to a thousand points of light.]

18 See, i.e., Montana Code sect. 4-5-2-310 (covering any input to or any output from any computer or network).

19 Conn. Gen. Stat. sect. 53a-251 (e); Del. Code Ann. tit. 11 sect. 935. See also, Branscombe "Rogue Computer Programs" supra at 68.

20 Prosecutors have almost unlimited discretion to indict anyone they want. They will go ahead and do just that when the statute says that theft of property is a crime, and then defines property as electronic cycles; or if the law criminalizes any unauthorized use of system; or makes it a crime to "degrade" a system: that's exactly what DOOM will do. The program uses broadcast messages, up to 100 per second, across the network, which degrades the system and can even crash it. See "Games Storm LANs," 5 Infosecurity News 8 (July/August 1994). Multi user dungeons (MUDs), too, have been banned from universities and entire continents (Australia) because of their degrading impact on systems resources. Kevin Kelly et al., "The Dragon Ate My Homework," 1.3 Wired 69, 73 (July/August 1993).

21 The problem is one that could affect distributed objects generally. In the case of OLE 2.0, the embedded item appears to be data; but when activated (for an edit, for example) causes the current program to yield control, including its menu bar, to the parent program that created the data; that parent program could be anywhere on a network, an unknown quantity to the present user. See i.e., Peter Coffee, "Distributed objects form info highway hazards," PC Week 80 (April 18, 1994). As a related concern, it is practically impossible to keep track of the copyright issues governing objects shared among applications, or swapped in from remote sites. See William Brandel, "Objects Spur User's Licensing Concerns," 28 Computerworld 1 (July 4, 1994).

22 Ken Thompson, "Reflections on Trusting Trust," Rogue Programs at 121, 125.

23 Peter Coffee, "Close enough isn't good enough in computer math," PC Week (February 14, 1994).

24 Suzanne Stefanac, "Mad Macs," Rogue Programs, supra at 180, 189.

25 See generally, special issue, "Intelligent Agents," 37 Communications of the ACM (July 1994).

26 Today, nearly three-quarters of Fortune 100 companies spread their data across multiple databases. The number is expected to rise from today 72% to 86% by 1996. "Fractured Data Reported," 5 Infosecurity News 9 (July/August 1994).

27 For a list of products devoted to global networking, see "The Best of Interop+Networld," Byte 36 (July 1994).

28 Operating systems now all incorporate this sort of transparency: that's part and parcel of the "networkable" approach to such systems. For a peek just a little way into the future, see Steve Polilli, et al., "IBM will launch revamped E- mail strategy in fall," 16 InfoWorld 1, 75 (July 4, 1994)(Distributed Computing Environment due in 1995, including virtual directory trees for enterprise-wide net, email with agents). Microsoft's Chicago (Windows 4.0) operating system -- which unlike Windows 3.1, is a true operating system including a replacement for DOS -- introduces "applications built around networks and a built-in capacity to share information. E-mail, for example will be accessible from the tool bar." David Coursey, "The Death of The Single User," PC World 53 (June 1994). Finally, for an example of a patent describing data displays independent of the physical hardware, see "Multiple Virtual Screens on an 'X-Window' Terminal," U.S. Patent No. 5,289,574 (issued February 23, 1994 [Hewlett Packard, assignee]).

29 "The seamless nature of object systems will radically alter the way we think about where our data is. Data will be encapsulated in objects that will in some cases be able to roam to where they are most needed. We are in the habit of thinking that a document is simply stored on a particular hard disk. Distributed object systems will ask us to surrender that comfortable certainty in exchange for the power and flexibility of location-transparent storage." Peter Wayner, "Objects on the March," BYTE 139 (January 1994).

30 Peter Neumann, SRI International, quoted in Peter H. Lewis, "Hackers on internet pose security risks," The New York Times, p.C19 (July 21, 1994).

31 The self-contained replicant synthesis of networked data actually resides in the physical world; it incorporates real human beings who live and eat and die. The truth is that the digital world truly affects and is affected by the physical world: it operates nuclear power plants, subways systems and passenger aircraft. "[A] blip in the money markets can raise bank lending rates, a blip in a multinational's productivity can close factories and throw economies into depression, a blip in the TV ratings can wipe out an entire genre of programming, a blip in an early warning system can release a missile." Benjamin Woolley, Virtual Worlds (Cambridge, 1992) at 133.

32 See i.e the new Telephony bill introduced by the Government last year which would ensure the ability to conduct court approved wire taps, and so on.

33 Tribe proposed a new electronic bill of rights in his keynote address to the first Computer, Freedom & Privacy conference (CFP).

34 See i.e., Peter H. Lewis, "Censors Become A Force On Cyberspace Frontier," The New York Times p.1. col.1 (June 29, 1994)(forums shut down because subject matter might be inappropriate for, i.e., young girls; messages with religious, ethnic and other references deleted; users warned of possible termination, etc.).

35 Congress will be asked to consider a series of amendments to the Copyright Act which among things would state that an electronic transmission is a "publication" of a protected work, that copyright holders have electronic distribution rights to their works, and so on. See "Intellectual Property Working Group Draft Report," released July 7, 1994. Telnet iitf.doc.gov (gopher login) /speech testimony & documents.

36 Ironically, and most importantly, nearly 80% of "computer criminals" are actually "insiders with verified system access." Nina Stewart, Deputy Assistant Secretary of Defense, Counterintelligence & Security in 4 InfoSecurity News 32 (May/June 1994). The FBI has reported that in 80% of its computer crime investigations, the internet was used to gain illegal access to systems. Gary Anthes, "Internet panel finds reusable passwords a threat," ComputerWorld 28 (March 28, 1994). But unless Ms. Stewart's figures are wrong, the FBI's estimates are more a function of the FBI's interests than a reflection of the real world.

37 "Today, with almost every detail of modern life controlled or influenced by computers nd communications-driven systems, our infrastructure has an exposed underbelly: software." Peter Black, "Soft Kill," 1.3 Wired 49-50 (July/August 1993).

38 A number of writers, including this author at the last DEFCON conference, have suggested dispensing with computers for certain tasks. Bev Littlewood et al., "The Risk of Software," 267 Scientific American 62 (November 1992); Lauren Wiener, Digital Woes (1993); Curtis Karnow, "Legal Implications of Complex Virtual Reality Systems," DEFCON 1 (July 1993). See generally, RISKS usenet forum moderated by Peter Neumann, FTP CRVAX.SRI.COM and go to the appropriate directory with "CD RISKS:". [usenet news: comp.risks]



Return to CPSR Computer Crime Page.


Return to the CPSR home page.


Send mail to webmaster.

Archived CPSR Information
Created before October 2004
Announcements

Sign up for CPSR announcements emails

Chapters

International Chapters -

> Canada
> Japan
> Peru
> Spain
          more...

USA Chapters -

> Chicago, IL
> Pittsburgh, PA
> San Francisco Bay Area
> Seattle, WA
more...
Why did you join CPSR?

The need for CPSR's activities has never been greater.