Date: 22 Dec 92 15:31:52 EST
From: Ken Citarella <70700.3504@COMPUSERVE.COM>
Subject: File 1--Balancing Computer Crime Statutes and Freedom

Computer Crime, Computer Security and Human Values
- The Prosecutor's Perspective -

Kenneth C. Citarella
Assistant District Attorney, Westchester County
copyright 1991

I am a prosecutor. I specialize in white collar crime, and more particularly in computer crime and telecommunication fraud. My professional interest regarding computer crime, computer security, and the human values involved with them comes from that perspective. I study motive, intent, criminal demographics, software security and other topics to help me identify, investigate, and prosecute a criminal.

A crime is an act prohibited by law. Criminal statutes define acts deemed so inimical to the public that they warrant the application of the police power of the state. Computer crimes only exist because the legislature has determined that computers and what they contain are important enough, like your house, money and life, that certain acts directed against them merit the application of that power.

A curious distinction arises with regard to computers, however. Your house can be burglarized even if you leave the door open. If you drop your money on the street, a finder who keeps it may still be a thief. The foolish trust you place in an investment swindler does not absolve him of guilt for his larceny. Yet much of the discussion on what constitutes computer crime, and even the computer crime statutes of many states, place a responsibility on the computer owner to secure the system. Indeed, in New York State, unless an unauthorized user is clearly put on notice that he is not wanted in the system, the penetrated system falls outside the protection of several of the computer crime statutes. The intrusion, no matter how unwanted by the system owner, has actually been legitimized by the legislature.
Since I participated in the writing of the New York computer crime statutes, I can attest to the desire of legislative counsel to force the computer owner to declare his system off limits. So the societal debate over how much protection to afford computers has very practical consequences in the criminal arena.

Commentators frequently address with much anguish whether computer intruders are truly to be blamed for breaking into a computer system. They treat such people as a new phenomenon for whom new rules must be established. ("Hacking" and "hackers" are terms that have become so romanticized and distorted from their original context, that I refuse to use them; they simply do not describe the behavior which is of interest.) I suggest, to the contrary, that examining the victim impact of computer intrusions provides a more meaningful analysis.

Consider some examples of the facts typically presented to law enforcement. A computer intruder penetrates the system of a telecommunications carrier and accesses valid customer access codes. She distributes these codes to a bulletin board host who posts them for the use of his readership. Within 48 hours, the numbers are being used throughout the United States. The carrier experiences $50,000.00 in fraudulent calls before the next billing cycle alerts the customers to the misuse of their numbers. Or, they could be credit card numbers taken from a bank and used for hundreds of thousands of dollars of larcenous purchases. Or, it could be experimental software stolen from a developer who now faces ruin.

Stories like these have something in common with all criminal activity, computer based or not. The criminal obtains that which is not his, violating one of the lessons we all should have learned in childhood. The computer intruder ignores that lesson and substitutes a separate moral imperative: I can, therefore, I may; or, might makes right.
The arguments about exposing system weaknesses, or encouraging the development of youthful computer experts, amount to little more than endorsing these behavioral norms. These norms, of course, we reject in all other aspects of society. The majority may not suppress the minority just because they have the numbers to do so. The mob cannot operate a protection racket just because it has the muscle to do so. The healthy young man may not remove an infirm one from a train seat just because he can. Instead, we have laws against discrimination, police to fight organized crime, and seats reserved for the handicapped.

I suspect that part of our reluctance to classify many computer intrusions as crimes arises from a reluctance to recognize that some of our bright youths are engaging in behavior which in a non-computer environment we would unhesitatingly punish as criminal. The fact they are almost uniformly the white, middle class, and articulate offspring of white middle class parents makes us less ready to see them as criminals.

Although there are questions to be resolved about computer crime, we are sadly mistaken to focus on what may be different about computer crime, to the exclusion of what it has in common with all other criminal conduct. Refer back to the simple scenarios outlined above. The computer intruder may have all the attributes some commentators find so endearing: curiosity, skill, determination, etc. The victims have only financial losses, an enormous diversion of resources to identify and resolve the misdeeds, and a lasting sense of having been violated. They are just like the victims of any other crime.

Of course, there are computer intruders who take nothing from a penetrated system. They break security, peruse a system, perhaps leaving a mystery for the sysop to puzzle over. Would any computer intruder be as pleased to have a physical intruder enter his or her house, and rearrange their belongings as he toured the residence?
The distinctions on the intruders' part are basically physical ones: location, movement, physical contact, manner of penetration, for example. The victims' perspectives are more similar: privacy and security violated, unrest regarding future intrusions, and a feeling of outrage. Just as a person can assume the law protects his physical possession of a computer, whether he secures it or not, why can he not assume the same for its contents? What after all is the intent of the intruder in each situation? To be where he should not be and alter the property that is there without the approval of its owner. Each case disregards approved behavior and flaunts the power to do so.

Of course, computer intrusions have many levels of seriousness, just as other crimes do. A simple trespass onto property is not a burglary; an unauthorized access is not software vandalism. The consequences must fit the act. Prosecutors and police must exercise the same discretion and common sense with computer intruders they do regarding conventional criminals. No reasonable law enforcement official contends that every computer intrusion must be punished as a criminal act. Youth officers and family courts commonly address the same behavior in juveniles that other agencies address in adults. Sometimes a youth is warned, or his parents are advised about his behavior, and that is the best response.

But to insist that some computer intrusions are to be legitimized assumes that law enforcement lacks the common sense and discretion to sort out prosecutable incidents from those best handled less formally. If we choose not to trust the discretion and experience in our law enforcement authorities regarding computer crime, then how can we trust these same people to decide what drug trafficker to deal with to get someone worse, or to decide which child has been abused and which was properly disciplined?
The point is that law enforcement makes far more critical decisions outside of the context of computer crime than within. The people involved are trained and have the experience to make those decisions. Yet much of the debate over computer crime assumes just the opposite. In my personal experience, prosecutorial discretion has worked just as well in computer crimes as it has regarding other criminal behavior. Some complaints result in a prosecution; some are investigated and no charges filed; some are not even entertained.

Lastly, I should point out that frequently computer intruders are also involved in a variety of other crimes. Typically, credit card fraud and software piracy are in their repertoire. And, let us not forget that the telecommunication charges for all their long distance calls are being borne by the carrier or the corporate PBX they have compromised. With telecommunication fraud exceeding a billion dollars a year, the societal cost of tolerating these intruders is too large to be blindly accepted.

If the challenge of penetrating a system you do not belong on is an essential way of developing computer skills, as some people contend, then let computer curricula include such tests on systems specifically designed for that. Surgeons develop their skills on cadavers, not the unsuspecting. Pilots use simulators. Why should computer specialists practice on someone else's property at someone else's expense?

There are privacy and Fourth Amendment issues involved in computer crime. But they are the same issues involved in any other criminal investigation. The public debate is needed and cases must go to court as has always been the case with constitutional aspects of criminal law. Whenever law enforcement follows criminal activity into a new arena, problems arise. It is as true with computer crime as it was with rape and child abuse cases.
The answers lie in understanding the common forest of all criminal behavior, not in staring at the trees of computer crime.

(Adapted from a paper presented at the National Conference on Computing and Values, Southern Connecticut State University, August 14, 1991)