Wednesday, May 28, 2008

You could be a felon if you've done any of the following

  • Signed up for an online account and provided fictitious information
  • Uttered profane statements to someone over email/IM/blog
  • Sent someone a link pointing to racy content
  • Used someone else’s WiFi without permission
  • Visited a website for personal reasons while at work

If so, you could be charged with a felony for having broken the U.S. Federal Computer Fraud and Abuse Act (18 U.S.C. 1030) – the very same law that Kevin Mitnick, the famous computer hacker formerly on the FBI's most wanted list, was convicted under. Crazy, right? Ridiculous even? I agree, but not according to the U.S. Attorney for the Central District of California. Let me explain, as this goes back to a rather tragic case that occurred about a year and a half ago on MySpace.

“On October 16, 2006, 13-year-old Megan Meier fled from her family's computer, distraught over the cutting comments of her supposed "friends" on MySpace. Twenty minutes later, the troubled teen was dead; she had hung herself in her closet.” … “The twist that Lori Drew, a 47-year-old neighbor and mother of a former friend of Megan's, had allegedly created the fake persona of a 16-year-old boy to befriend and later torment the girl brought outrage. Yet, state investigators could not find a law under which Drew could be charged.”

But now they’ve found a way, and if it stands it could seriously negatively affect the rest of us. All of us. Everyone online is turned into a potential felon HACKER. They’re trying to stretch the definition of “unauthorized access” to include violating Terms of Service. I skimmed the ToSs posted by Google, Yahoo, Microsoft, MySpace, Facebook, AT&T, etc., and the above items are just a small sampling of what few of us have read about the services we use online. In fact, probably no one could even get online without agreeing to these ToSs and the many others like them.

I don’t know what to say here. This better not stand up, and one would hope it's dismissed quickly. Otherwise we all could be in big trouble if legal precedent is set.

10 comments:

Anonymous said...

This only really applies to that one lady who caused that poor, innocent teenager to commit MySpace-suicide.

And Adrian Lamo.

And Kevin Mitnick.

And anybody else that the someone "doing the fed dance" decides that they stand to make more money or power by causing an otherwise nonpunishable offense to be pursued in criminal (instead of civil) court when the person is "obviously guilty, at the very least by association to something that probably should be a crime".

The chance of anyone who actually does any real damage via computer crime going to prison approaches zero faster and harsher during these quiet times. For example, people with JS-SQLi or Dowd-Flash web-worms.

This is more about the social psychology of risk than anything else. See Schneier on the "How to Sell Security"
http://www.schneier.com/blog/archives/2008/05/how_to_sell_sec.html

This lady has about a 10% chance to win a federal case before she goes to prison and can try for another 10% again in 5-10. Also see: Kevin Mitnick.

If we're even 50% right about her actions being criminal, then that's good enough to make her wait in prison until we figure this out.

It's better to imprison 1 major Internet kingpin out of 33, than to let 32 out of 33 off-the-hook.

Dan Weber said...

Lawyer Orin Kerr has done some papers on just how broad "cybercrime" is. In theory, connecting to IBM's website without following their TOS 100% could leave you vulnerable.

I think it's the first article on this page: http://papers.ssrn.com/sol3/cf_dev/AbsByAuth.cfm?per_id=328150

Security Retentive said...

Ok, I'll pimp my own blog post on this subject generally since I'm that kind of guy.

http://securityretentive.blogspot.com/2008/01/mark-rasch-puts-me-to-shame.html

The real information though can be found in Mark Rasch's original piece on securityfocus, which I link to, but I'll include here so you don't have to give me traffic.

http://www.securityfocus.com/columnists/463

Rafal said...

Thanks Jeremiah - yet another case where the government's inability to cope with technology advancements and "cybercrime" creates a situation where a misunderstood system is thrown into a "we need to fix the web with 1920's law!" tizzy. As long as we have government officials and Congressmen/women who believe the "Internet" is a series of tubes we're screwed.

Oh, and the obligatory link to Bruce's site is just... *gah*

Cyberlocksmith said...

I agree Jeremiah that this is troubling in so many ways.

That said, I am conflicted over the issue. If it can be proven that the intent of the accused was to influence the teen into committing suicide then punishment may be warranted. In the end, the teen *allowed* herself to be influenced by the MySpace posts which saddens me. Given more details about the case, I *may* be inclined to offer the prosecutor whatever 'juice' s/he needed to do their job.

On the other hand, from a purely defensive and perhaps paranoid infosec perspective, I also fear the repercussions of this. When an online form asks for my phone number in order to d/l a white paper or something, will I be breaking the law if I enter an invalid number?

On balance, I agree with you that this *could* be a dangerous precedent but I am not sure there are any easy answers here.

Anonymous said...

Geez, worry much?

I think this is actually a positive example of creative prosecution. Why don't we let the courts decide if 18 USC 1030 applies to the Drew case? If not, we should urge our lawmakers to revamp or replace 1030, which is over two decades old.

The fact is, prosecutors don't set precedent. Courts do. Let it play out.

Anonymous said...

I don't think there is such a thing as a "positive example of creative prosecution."

Laws should be understandable and easily followed. We shouldn't have to worry about some prosecutor getting creative on us.

Jeremiah Grossman said...

@Cyberlocksmith, If I have my facts straight, I don't think Lori Drew is accused of having intentionally tried to get the teen to commit suicide.

@Anonymous1, you know this is a security blog, right? I mean, we're paid to be paranoid here. And perhaps I'm not up to speed on how the law works, but they are rarely changed, more often precedent drives the current interpretation.

Arshan Dabirsiaghi said...

This is so scary - I think everyone should keep a close eye on it. For anyone that thinks this is alarmist, you're just retarded. Gary McGraw talked about the legal uselessness of EULAs at OWASP Belgium regarding WoW hackers, but maybe TOS is different.

I also think that some of the top people in our space should volunteer their services as expert witnesses pro-bono.

Anonymous said...

Jeremiah, you're right that precedent (i.e. "case law") drives interpretation in absence of - and sometimes in presence of - good statutory law. All I'm saying is that the power of case law rests with the courts and not with the prosecutors. And we're talking about the Ninth Circuit here, so I wouldn't worry about it yet.