
Nmap Announce mailing list archives

RE: Draft Convention on Cybercrime
From: Marjorie Simmons <lawyer () usit net>
Date: Mon, 5 Jun 2000 16:09:49 -0400


Many of you have written to me with various questions and 
comments on this thread, ranging from "but what can I do to 
help?" and "why is this a problem?", to "is such and so an act 
that would fall under the criminal provisions of xyz law?" 
I reply here to your questions collectively in the interest of 
bandwidth conservation and apologize in advance to List 
members who are not interested in this thread.

Tying the intent of tool design to the intent of a distribution 
and to the intent of a given use (as outlined in the draft of the 
Treaty) is problematic because categorizing and tying together 
design, distribution and use intent is defining what makes an 
action criminal by focusing on a result rather than a process, 
and thereby attempts to make bananas by crossing apples with 
oranges. It's trying to make laws to govern acts that have yet 
to be _either_ defined or agreed upon as criminal acts, instead 
of first defining and agreeing on what makes a digital 
electronic product and its use criminal.  It simply puts the cart 
before the horse.

As to the product designer:
The laws of product liability govern whether the maker of 
a product gets held accountable for making an inherently 
dangerous product, and in the US a products liability action 
is a civil action, (absent fraud and prior restraint), not a criminal 
action. Almost always it is fraud in a products liability action 
that gives rise to criminal liability, because fraud shows 
wrongful act intent, and intent is key in a products liability 
criminal action.

As to the product user:
Unauthorized access of a system, i.e. "without right" is 
essentially a trespass.  Trespass is generally a tort, not a 
crime, absent some further regulation coupled with notice. 
Criminal trespass, as unauthorized access in the face of 
regulation and notice, is intentional access in the face of 
notice, and is usually, in practice, coupled with some other 
wrongdoing, e.g., property destruction.  The laws governing 
what constitutes a criminal trespass in a non-electronic venue 
vary from country to country, and indeed, from state to state 
in the US.  I've observed that in most jurisdictions the courts 
don't even know what questions to start with in a case of 
digital trespass, let alone which existing laws might be 
molded to the issues at hand. However, that is thankfully 
starting to change.

As to the applicability of existing laws:
Many of the US states have enacted laws governing what 
constitutes a digital criminal trespass, but there is no 
elucidation, that I am aware of, in any US state statute or 
case law of how and why pinging or scanning ports might 
constitute such a trespass.  (Flame on if I missed one.)  The 
federal Digital Millennium Copyright Act (DMCA) prohibits 
manufacturing, distributing, and offering to the public the 
tools or services to perform copyright circumvention or 
"hacking" of a copyrighted item.  This statute could 
conceivably be interpreted to prohibit pinging and port 
scanning of someone else's system where the ports so 
scanned are protected by a firewall or hw/sw design whose 
copyright owner's claim in that design is colorable. To my 
knowledge this claim-type has never been brought (yet), 
but it wouldn't surprise me to see it used by a creative 
lawyer.

Some examples of products & trespass claims:

Let's say that I design a product which injures foreseeably 
as it is inherently dangerous, e.g., fireworks, and I put the 
product into the stream of commerce without warnings 
or controls.  You are injured by your use of the fireworks. 
Now you sue me in a court in the US.  You plead inherently 
dangerous product, no warnings, and no controls, and as you 
inadvertently shot the fireworks into your neighbor's house, 
your neighbor has sued you for trespass: result = strict liability 
on my part and I lose unless I can show your knowledge and 
negligence somehow offsets the dangerousness of the product. 
I am not liable to you, however, for your trespass of bottle 
rockets flying into your neighbor's kitchen. 

Let's say I make another product that injures because it is put to 
use in a fashion I didn't intend and in fact warned against when 
I put it into the stream of commerce, e.g., a pharmaceutical 
that is intended to treat a specific condition and has controlled 
availability. In suing me you plead foreseeable recreational drug 
use:  result = no liability on my part because (1) design intent 
did not encompass the ultimate use in this case, (2)  I warned, 
and (3)  I controlled the product's entry into the market in order 
to guard against use by unintended parties and use in a fashion 
unintended.  If your child dies from OD'ing on your prescription, 
that is, unfortunately, your problem, in this case.

Now let's take a new product: nmap.  It (1) is not inherently 
dangerous, (2) has a legitimate use that will belie any 
identification as what should be considered contraband (unless 
you're in China), and (3) it is foreseeable that some might use 
it in the furtherance of committing a criminal act (a criminal 
trespass.)  Now assume a cracker uses it to scope out a system 
as a prelude to entering (without right) and destroying property. 
The crack includes placing some vbs to find and delete some 
specific files.  In such a case, both nmap and vbs are tools used 
"in furtherance of" the criminal act, they are not the criminal act 
itself.  No products liability for the maker (or for the distributor 
of the products, absent governmental distribution controls), and 
for both products, their use as tools in furtherance of a criminal 
act is but evidentiary in value.  The fact that both products 
could foreseeably be used in furtherance of an illegal act is 
inconsequential, given that neither is designed to be so used, 
and notwithstanding the fact that neither M$oft nor Fyodor have, 
prior to releasing the products into the stream of commerce, 
warned anyone as to the products' potential for unlawful use.

Here then are the biggest problems with the draft of the Treaty: 

(1) there is no internationally accepted definition of nor 
     agreement upon what constitutes an act of criminal 
     trespass in a traditional, non-electronic form, let alone 
     in a digital venue; 
(2) there is no internationally accepted definition or legal 
     treatment of a case of criminal electronic products 
     liability;  
(3) there is rampant ignorance on the part of lawmakers as 
     to how a computer system trespass might happen at all 
     and as to why a computer-oriented product's maker 
     might be criminally liable in a products liability action; 
     and 
(4) there is, further, no authority (other than perhaps the 
     IETF with a lot of help by some tech-savvy lawyers 
     from a lot of different countries) that could define, to 
     the satisfaction of a multinational political base in a 
     one-size-fits-all fashion, either a digital trespass or a 
     digital products liability criminal act.  
(5) the very design of the Net and the products designed 
     for its navigation implicitly recognize not just the 
     right of The Ping, but its absolute necessity.

"Without right" is what calls for international agreement on 
what constitutes a criminal trespass.  

"Designed or adapted [specifically] [primarily] [particularly] for 
the purpose of committing ..."  must be split up into 
 (a) what constitutes criminal products liability for a product 
      maker, (products liability for design of an inherently 
      dangerous product) and 
 (b) what, likewise, constitutes unlawful adaptation (a use that 
      is also a design -- as in an unlawful alteration of a product
      of potentially controlled distribution)

By its terms, the draft of the Treaty assumes that the individual 
countries will each sufficiently decide what is "without right", 
but, because of the very interconnectedness of the Net and the 
implicit connections permissions granted through the design of 
browser software, amongst other softwares, differing laws from 
nation to nation on this issue make no sense, as many of you 
have surmised.  I don't know that the problems are exacerbated 
by the people in the Council's agendas, or that they are stupid; 
I think the draft of the Treaty's problems lie in the draft's simple 
short-sightedness fueled by technical ignorance.  The ignorance 
part is easily remedied, but the shortsightedness may not be. 

All these concepts must be agreed upon transnationally before 
they are of any use, and certainly before the results of a case 
with these concepts at issue can be examined and dissected 
in the genesis of an international legal construct designed to 
govern them.  Without prior incorporation of an international 
agreement defining what makes a digital criminal trespass, & 
an inherently dangerous digital product, this draft of the Treaty 
is not only meaningless but creates further legal issue obscurity.  

I suggest, (to those of you who want to see legal clarity happen 
that doesn't outlaw legitimate and respected systems tools),
that you 
(1) contact both the IETF and the Council and strongly suggest 
     they act in concert, 
(2) contact your governmental representatives with the 
     suggestion in (1), above
(3) donate some time to the organization of your choice that 
     speaks with a collective voice on the issues at hand.

To those of you who have asked questions specific to a 
jurisdiction that falls outside the one in which I am licensed, 
(South Carolina), I must refer you to an attorney licensed in 
your jurisdiction.  The rules governing practicing law require 
that I not practice outside my jurisdiction absent being associated 
in a particular matter by an attorney within your jurisdiction. 
If you need a referral, just let me know.

Hope this helps,

Marjorie

Marjorie Simmons, Esq.
PO Box 870
Taylors, SC 29687
864.609.0259
lawyer () usit net
~~~~~~~~~~
  "I planted some bird seed.  A bird came up.  
   Now I don't know what to feed it."
     --Steven Wright

   Warning: Do not drink the battery acid. 
   It doesn't taste good and will hurt you. 
   Also do not bite the tyres, especially 
   while the bike is moving. 
   Our lawyers made us put these warnings in. 
            - An Australian motorcycle manual
~~~~~~~~~~


