mailing list archives
RE: Draft Convention on Cybercrime
From: Marjorie Simmons <lawyer () usit net>
Date: Mon, 5 Jun 2000 16:09:49 -0400
Many of you have written to me with various questions and
comments on this thread, ranging from "but what can I do to
help?" and "why is this a problem?", to "is such and so an act
that would fall under the criminal provisions of xyz law?"
I reply here to your questions collectively in the interest of
bandwidth conservation and apologize in advance to List
members who are not interested in this thread.
Tying the intent of tool design to the intent of a distribution
and to the intent of a given use (as outlined in the draft of the
Treaty) is problematic because categorizing and tying together
design, distribution and use intent is defining what makes a
action criminal by focusing on a result rather than a process,
and thereby attempts to make bananas by crossing apples with
oranges. Its trying to makes laws to govern acts that have yet
to be _either_ defined or agreed upon as criminal acts, instead
of first defining and agreeing on what makes a digital
electronic product and its use criminal. It simply puts the cart
before the horse.
As to the product designer:
The laws of product liability govern whether the maker of
a product gets held accountable for making an inherently
dangerous product, and in the US a products liability action
is a civil action, (absent fraud and prior restraint), not a criminal
action. Almost always it is fraud in a products liability action
that gives rise to criminal liability, because fraud shows
wrongful act intent, and intent is key in a products liability
As to the product user:
Unauthorized access of a system, i.e. "without right" is
essentially a trespass. Trespass is generally a tort, not a
crime, absent some further regulation coupled with notice.
Criminal trespass, as unauthorized access in the face of
regulation and notice, is intentional access in the face of
notice, and is usually, in practice, coupled with some other
wrongdoing, e.g., property destruction. The laws governing
what constitutes a criminal trespass in a non-electronic venue
vary from country to country, and indeed, from state to state
in the US. I've observed that in most jurisdictions the courts
don't even know what questions to start with in a case of
digital trespass, let alone which existing laws might be
molded to the issues at hand. However, that is thankfully
starting to change.
As to the applicability of existing laws:
Many of the US states have enacted laws governing what
constitutes a digital criminal trespass, but there is no
elucidation, that I am aware of, in any US state statute or
case law of how and why pinging or scanning ports might
constitute such a trespass. (Flame on if I missed one.) The
federal Digital Millennium Copyright Act (DMCA) prohibits
manufacturing, distributing, and offering to the public the
tools or services to perform copyright circumvention or
"hacking" of a copyrighted item. This statute could
conceivably be interpreted to prohibit pinging and port
scanning of someone else's system where the ports so
scanned are protected by a firewall or hw/sw design whose
copyright owner's claim in that design is colorable. To my
knowledge this claim-type has never been brought (yet),
but it wouldn't surprise me to see it used by a creative
Some examples of products & trespass claims:
Let's say, that I design a product which injures foreseeably
as it is inherently dangerous, e.g., fireworks, and I put the
product into the stream of commerce without warnings
or controls. You are injured by your use of the fireworks.
Now you sue me in a court in the US. You plead inherently
dangerous product, no warnings, and no controls, and as you
inadvertently shot the fireworks into your neighbor's house,
your neighbor has sued you for trespass: result = strict liability
on my part and I lose unless I can show your knowledge and
negligence somehow offsets the dangerousness of the product.
I am not liable to you, however, for your trespass of bottle
rockets flying into your neighbor's kitchen.
Let's say I make another product that injures because it is put to
use in a fashion I didn't intend and in fact warned against when
I put it into the stream of commerce, e.g., a pharmaceutical
that is intended to treat a specific condition and has controlled
availability. In suing me you plead foreseeable recreational drug
use: result = no liability on my part because (1) design intent
did not encompass the ultimate use in this case, (2) I warned,
and (3) I controlled the product's entry into the market in order
to guard against use by unintended parties and use in a fashion
unintended. If your child dies for OD'ing on your prescription,
that is, unfortunately, your problem, in this case.
Now lets take a new product: nmap. It (1) is not inherently
dangerous, (2) has a legitimate use that will belie any
identification as what should be considered contraband (unless
you're in China), and (3) it is foreseeable that some might use
it in the furtherance of committing a criminal act (a criminal
trespass.) Now assume a cracker uses it to scope out a system
as a prelude to entering (without right) and destroying property.
The crack includes placing some vbs to find and delete some
specific files. In such a case, both nmap and vbs are tools used
"in furtherance of" the criminal act, they are not the criminal act
itself. No products liability for the maker (or for the distributor
of the products, absent governmental distribution controls), and
for both products, their use as tools in furtherance of a criminal
act is but evidentiary in value. The fact that both products
could foreseeably be used in furtherance of an illegal act is
inconsequential, given that neither is designed to be so used,
and notwithstanding the fact that neither M$oft nor Fyodor have,
prior to releasing the products into the stream of commerce,
warned anyone as to the products' potential for unlawful use.
Here then are the biggest problems with the draft of the Treaty:
(1) there is no internationally accepted definition of nor
agreement upon what constitutes an act of criminal
trespass in a traditional, non-electronic form, let alone
in a digital venue;
(2) there is no internationally accepted definition or legal
treatment of a case of criminal electronic products
(3) there is rampant ignorance on the part of lawmakers as
to how a computer system trespass might happen at all
and as to why a computer-oriented product's maker
might be criminally liable in a products liability action;
(4) there is, further, no authority (other than perhaps the
IETF with a lot of help by some tech-savvy lawyers
from a lot of different countries) that could define, to
the satisfaction of a multinational political base in a
one-size-fits-all fashion, either a digital trespass or a
digital products liability criminal act.
(5) the very design of the Net and the products designed
for its navigation implicitly recognize not just the
right of The Ping, but its absolute necessity.
"Without right" is what calls for international agreement on
what constitutes a criminal trespass.
"Designed or adapted [specifically] [primarily] [particularly] for
the purpose of committing ..." must be split up into
(a) what constitutes criminal products liability for a product
maker, (products liability for design of an inherently
dangerous product) and
(b) what, likewise, constitutes unlawful adaptation (a use that
is also a design -- as in an unlawful alteration of a product
of potentially controlled distribution)
By its terms, the draft of the Treaty assumes that the individual
countries will each sufficiently decide what is "without right",
but, because of the very interconnectedness of the Net and the
implicit connections permissions granted through the design of
browser software, amongst other softwares, differing laws from
nation to nation on this issue make no sense, as many of you
have surmised. I don't know that the problems are exacerbated
by the people in the Council's agendas, or that they are stupid,
I think the draft of the Treaty's problems lie in the draft's simple
short-sightedness fueled by technical ignorance. The ignorance
part is easily remedied, but the shortsightedness may not be.
All these concepts must be agreed upon transnationally before
they are of any use, and certainly before the results of a case
with these concepts at issue can be examined and dissected
in the genesis of an international legal construct designed to
govern them. Without prior incorporation of an international
agreement defining what makes a digital criminal trespass, &
an inherently dangerous digital product, this draft of the Treaty
is not only meaningless but creates further legal issue obscurity.
I suggest, (to those of you who want to see legal clarity happen
that doesn't outlaw legitimate and respected systems tools),
(1) contact both the IETF and the Council and strongly suggest
they act in concert,
(2) contact your governmental representatives with the
suggestion in (1), above
(3) donate some time to the organization of your choice that
speaks with a collective voice on the issues at hand.
To those of you who have asked questions specific to a
jurisdiction that falls outside the one in which I am licensed,
(South Carolina), I must refer you to an attorney licensed in
your jurisdiction. The rules governing practicing law require
that I not practice outside my jurisdiction absent being associated
in a particular matter by an attorney within your jurisdiction.
If you need a referral, just let me know.
Hope this helps,
Marjorie Simmons, Esq.
PO Box 870
Taylors, SC 29687
lawyer () usit net
"I planted some bird seed. A bird came up.
Now I don't know what to feed it."
Warning: Do not drink the battery acid.
It doesn't taste good and will hurt you.
Also do not bite the tyres, especially
while the bike is moving.
Our lawyers made us put these warnings in.
- An Australian motorcycle manual
- Re: Draft Convention on Cybercrime, (continued)