Date:    Mon, 4 May 1992 8:50:01 GMT
From:    NEELY_MP@DARWIN.NTU.EDU.AU(Mark P. Neely, Northern Territory
Subject: File 2--BloomBecker's 5 points for crime policy

In response to: CuD 4.14 BloomBecker's Legal Guidelines at CV&SC Conference

BloomBecker's 5 points for a nationwide set of legal guidelines for
computer crime are fundamentally flawed!

> 1. The creation of a $200 crime law deductible. Damages incurred below
>    that figure would not be the subject of criminal action.

"Damages" would presumably include the $$$ spent in wages for someone
to inspect the system for maliciously inserted code. It would not be
hard at all to run up a wages bill in excess of $200 in doing so.
Ergo, _all_ computer intrusions would be the subject of criminal
action.

One alternative is to set a realistically higher damages threshold for
criminal proceedings, and allow the "victim" to seek a civil remedy
against the alleged intruder.

> 2. The creation of a civil course of action for inadequate computer
>    security

This sounds, at first sight, quite fair. For instance, here in Darwin
Australia, I can be given a ticket for failing to lock my car doors!
This measure was introduced in an effort to raise public awareness of
escalating car thefts, and to promote public responsibility for
prevention (which is always better than any cure :)

But it is difficult to see how such a measure can be justly applied to
computer security. My primary problem is the phrase "inadequate
computer security".  Locking my car door takes a bit of forethought
and a second or two upon my exiting the vehicle. "Locking" a computer
system would require considerable administration time and money.

I would also assume that the "inadequacy" of the security is to be
measured in light of the data/system to be protected? Is the civil
penalty to be applied to government and quasi-government systems?

Are personal computer operators/ BBS SysOps to be made subject to such
a requirement?

> 3. The making of reckless computing a felony. "Reckless computing" is
>    classified as anything which could potentially cause damage.

Weird... Ctrl-C'ing at the right time could "potentially cause damage"
by crashing the host machine. Causing a conflict of 2 TSR's at your
end (thereby causing your machine to lock up) necessitating a reboot
(and hence dropping the connection) could "potentially cause damage"
to the host system.

Sorry..."reckless" as opposed to "intentional" conduct should NOT be
the subject of criminal actions unless there is good grounds for doing
so.

Recklessness in, for example, the area of driving a motor vehicle may
justifiably be the subject of legal sanctions - but only because of
the danger to life that it causes. I don't think there is an analogous
justification in the area of computer misuse!

> 4. The making a careless computing a misdemeanor.

How do you distinguish "careless" and "reckless"? Does not "careless"
computing have "the potential to cause damage"?

> 5. The enactment of greater protection against unreasonable search and
>    seizure.

Now that is something I would support.

Downloaded From P-80 International Information Systems 304-744-2253