Will the Real Criminal Please Stand Up?

Computer crimes present a monumental challenge to legal systems

worldwide. Charged with administering justice, the courts generally do

not understand the complicated technical evidence required to

conclusively prove guilt in a computer crime. Meanwhile, law

enforcement agencies advocate stiffer penalties and prosecutors employ

hacker stereotyping rather than hard evidence to sway juries.

Recently, the UK approved legislation equating computer crimes with

terrorism

(http://www.cnn.com/2001/TECH/internet/02/20/hackers.terrorists.idg/inde

x.html). Hence forth, electronic vandals are on the same level as

people who consciously murder children in the name of a "cause". A

pretty harsh characterization, but one that makes it all the more

critical that we ensure justice is properly served. Sadly, the legal

system remains incapable of understanding technical evidence. My recent

involvement in a trial of an accused computer criminal made this point

quite clear.

Try explaining computer science to your grandmother sometime? She will

seem easy compared to a court. Reading through the trial's transcripts,

I noticed some confusion concerning the legality of portscanning. The

transcripts showed someone stating that it, "...can be done

legitimately and not legitimately." If you remember nothing else, then

remember this: A portscan is not an attack! A portscan equates to

walking down the street and checking for open doors and windows. Sure,

it can indicate that someone is "casing the joint", but a portscan in

and of itself is harmless. The prosecution made much ado about the

defendant possessing portscanning tools and using them in the past

(gasp!). Now remember, portscanning is not a crime; however, it was

used to establish the defendant's state-of-mind, intent, and ability to

attack computers. Factors such as this take center stage when the

prosecution relies largely on circumstantial evidence.

Evidence is defined as direct proof of a fact or circumstantial -- an

inference made by the jury based on experience and logic. Jurors are

asked to used their common sense in evaluating a case. A recent Florida

case saw a teacher file Federal wiretapping charges against a student

for taping a lecture without the teacher's express consent

(http://www.cnn.com/2001/LAW/02/28/recording.charge.01.ap/index.html).

Fortunately, the prosecutor's common sense and experience kept this

ridiculous case from trial. Well, most juries *have* no experience in

computer forensics, so how can they fairly evaluate circumstantial

evidence?

The average person's computer science knowledge likens to an 18th

century farmer's physics knowledge. For most people, science is

indistinguishable from magic (a prime reason the Inquisition persecuted

so many scientists). My case involved over 100 pages of testimony

describing how the intruder ftp'd in from a trusted machine, brought

over a sniffer package, failed to compile it, and then removed a

critical database file. No direct evidence showing the attacker's

identity, just an account of the events. I watched two days of

irrelevant testimony describing simple commands that anyone could have

run. The jury and the court seemed clueless when the witness spoke, but

it sure sounded technical. I found it tedious and I *did* understand

him.

The technical evidence, mind-numbingly boring and meaningless to the

jury, did not conclusively prove the attacker's identity, so the

prosecution turned to circumstantial evidence. Labeling the defendant

a "hacker" certainly helped convince the jury of the defendant's guilt.

What are average people's real-life experiences with hackers? The

media? Movies? Using images in a courtroom may make the prosecutor's

life easier, but it's a dangerous practice. Take Robert Hanssen, the

FBI agent accused of being a Russian spy, for example. Judging by

appearances, which everyone did for the past 25 years, he seemed to be

model citizen. Hell, even his wife had no idea

(http://www.cnn.com/2001/US/03/01/spy.wife)!

Obviously, determining guilt for a crime must hinge on the technical

facts that are presented, not "hacker" labels. Interpreting facts so

the juries and courts will understand presents the real difficulty,

though. Having an online handle is not a crime. Studying methods of

defeating computer systems' security is not a crime. Running a Web site

about hacking is not a crime. Breaking into a system without

authorization *is* a crime. Stealing or destroying data that belongs to

someone else *is* a crime. And abusing a position of authority and

trust is a *very* serious crime.

As the legal system begins understanding computer crime (but it has a

very long way to go), labeling hackers as terrorists is unreasonable

and a further burden to the system. In fact, this legislation could

backfire when a jury is unwilling to convict a defendant to hard time

when they don't think he deserves it. The alternative would be to let

them go free, which is also wrong. When a crime is committed,

appropriate justice must be served. Labeling computer crime as

terrorism just sanitizes terrorism.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies