(PYS) Microsoft actively maintains a software
package called Computer Online Forensic Evidence Extractor
(COFEE), a set of utilities designed to help law enforcement
gather forensic data from suspects’ computers. Hackers
responded by releasing DECAF, a program designed to interfere
with the operation of COFEE on a given machine. This is an
example of the technological “arms race” between private
citizens and the government. Should tools like DECAF, designed
specifically to thwart law enforcement, be illegal? Why or why
not?
• The party launching the attack?
• The party who wrote the code that enabled the attack?
• The hosting site containing the files loaded onto the zombie machines?
• The owners of the zombies?
Do the owners of the
zombies have a cause of action against the other parties? What
are their damages (assuming that the zombie only runs the DDoS
code when the CPU is idle, and there is no per-minute charge for
Internet connection)? Should it matter whether they also allow
their machine to be a zombie for benign purposes (e.g., SETI
analysis)?
(LJ) While it seems likely the
crimes will continue either way, perhaps the more benevolent
versions of the activities can be distinguished to help people
understand the limitations and ethical challenges presented by
virtual activity? How might we develop legal rules that
distinguish CPU thieves from would-be SETI efforts? How
might we protect slashdotters from the DDoS stigma and
consequences?
(DF) Suppose someone posts negative "information" about a
company after selling the stock short. Under what circumstances
does this count as illegal stock manipulation? Does the
information have to be false? Consider a recent mini-flap
in the world of electric cars.
(KW) Crimes such as
drug trafficking rely on the anonymity of cash to complete their
transactions, and crimes such as muggings and burglaries are motivated
by cash. If the world eventually moves to a cashless
society (perhaps primarily ecash), will it curb these types of
crimes, or are they adaptable, making it harder for law
enforcement to track and make arrests?
(KW) The Computer Fraud and Abuse Act provides criminal and
civil penalties against persons who wrongfully access
computers. However, in order to successfully bring a
civil claim, a loss of at least $5000 must be met, but the loss
must be a cost (e.g. the cost to conduct computer forensics) and
not stolen intellectual property. Should there be a way to
quantify items such as PII (personally identifiable information)
so that a victim may add it to their total loss, or is the
current law a fair assessment of compensation?