Note: This set of lecture notes, for a course I taught at Santa Clara University Law School in the fall of 1995, is incomplete. It is missing some pages that I did not have time to get into satisfactory form, and some of the material is still a little rough.

 

David Friedman

 

Lecture Notes: Computers, Crime and Privacy

I. Class Mechanics: Seminar

II. Three topics:

III. Privacy and encryption: The need

IV. Encryption: The technology (Detailed information is in the FAQ from rsa.com. Some excerpts are on p. 33 of BBB. The following is my simplified version.)

V. The Supporting Technology: power, bandwidth, Virtual Reality

VI. Implications of strong privacy

8/23/95

 

I. Can strong privacy be stopped, and if so how?

I. About encryption:

II. Key distribution and management problems.

III. Public key as a solution to both problems.

III. A Digital Signature serves three functions--identify sender, prove sender, untampered text.

IV. As computers get faster, they can encrypt faster, decrypt faster, and break encryption faster.

8/30/95

 

I. Non-cryptographic attacks: Consider a simple password cracking problem. You are a hacker who has dialed into a computer and is trying to get privileges on it--which requires giving it a password it recognizes as associated with a legitimate user.
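Seen from the system's side, the guessing problem above is bounded by two things: how expensive each guess is, and how many guesses the login prompt will accept. The following is an added illustration, not from the notes or from any real system: a small password store that keeps salted, deliberately slow hashes (so an offline attacker cannot check guesses cheaply) and locks an account after a few failures (so an online attacker at a dial-in prompt gets only a handful of tries per window). The usernames, passwords, iteration count and lockout parameters are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative parameter, not from the notes: work factor of the password hash.
PBKDF2_ITERATIONS = 100_000


class PasswordStore:
    """Stores salted, slow password hashes and throttles repeated failures.

    Two separate mitigations against the guessing attack described above:
      * PBKDF2 with a per-user random salt makes each offline guess expensive
        and prevents one precomputed table from covering all users;
      * a failure counter with a lockout window bounds online guessing
        against a live login prompt to a few tries per window.
    """

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> (failure count, window start time)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock   # injectable so the lockout can be exercised deterministically

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        count, since = self._failures.get(username, (0, now))
        if count >= self.max_failures:
            if now - since < self.lockout_seconds:
                return "locked"          # refused even if this guess happens to be right
            count, since = 0, now        # lockout window has expired: start a fresh one
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs as much time as a wrong password
            # (otherwise response time would reveal which usernames exist).
            self._hash(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(self._hash(password, salt), stored)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = (count + 1, since)
        return "denied"


def demo() -> dict:
    """Walk through a short guessing session against a constructed account."""
    fake_time = [0.0]
    store = PasswordStore(max_failures=3, lockout_seconds=300, clock=lambda: fake_time[0])
    store.add_user("alice", "correct horse battery staple")      # constructed sample account
    guesses = [store.authenticate("alice", g) for g in ("password", "123456", "letmein")]
    locked = store.authenticate("alice", "correct horse battery staple")  # right, but too late
    fake_time[0] += 301                                           # wait out the lockout window
    after = store.authenticate("alice", "correct horse battery staple")
    unknown = store.authenticate("bob", "anything")
    return {"guesses": guesses, "locked": locked, "after_lockout": after, "unknown_user": unknown}


if __name__ == "__main__":
    print(demo())
```

The lockout deliberately refuses even the correct password once the window is open; a real deployment would also log the failures so that a burst of "denied" results across many accounts stands out as a guessing campaign rather than a forgetful user.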

II. Why does the government care about cryptography?

III. The question of standards:

I. Review:

II. On to Clipper

 

9/11/95

 

I. Odds and Ends

The proposed section 1201 would provide:

 

No person shall import, manufacture or distribute any device, product, or component incorporated into a device or product, or offer or perform any service, the primary purpose or effect of which is to avoid, bypass, remove, deactivate, or otherwise circumvent, without the authority of the copyright owner or the law, any process, treatment, mechanism or system which prevents or inhibits the violation of any of the exclusive rights of the copyright owner under section 106.

II. How important is wiretapping? Freeh's statement

9/13/95

 

I. Non-clipper escrow solutions:

II. Function of Clipper

III. Hardware v Software encryption--can we do the equivalent of Clipper in software?

IV. Digital Telephony bill

V. Cost/benefit calculations:

9/18/95

I. Readings from Chapter 6 of BBB

 

I. Verisign is a new firm, marketing its product as a way of facilitating the use of digital signatures rather than an encryption approach. Nonetheless, it may be very important for the spread of strong privacy. Information can be found at: http://www.verisign.com/faqs/id_faq.html and, in much briefer form, below.

 

II. How does a digital signature work?

II. So far we have assumed the recipient already has the sender's public key. We now drop that assumption. The sender can, of course, send the recipient his public key--but how can he prove that public key XYZ really belongs to person P? Until he does so, he cannot provide a digital signature--and without a digital signature, he cannot prove that the message is really being sent by him.
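To make the key-binding problem concrete: the recipient can check a signature with key XYZ, but that tells him only that whoever holds the matching private key signed the message, not that the holder is P. What a certificate authority adds is a second signature, made with a key the recipient already trusts, over the statement "this public key belongs to P". The following is an added illustration, not from the notes and not Verisign's or anyone's actual product: a toy textbook-RSA signature (tiny primes, no padding, insecure and for illustration only) plus a certificate issued by an assumed authority, showing the three checks the recipient makes--untampered text, right signer, and a key binding vouched for by the authority. The names "P", the impostor and the prime seeds are constructed sample values.

```python
import hashlib


def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine at the toy sizes used here)."""
    while True:
        if n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1)):
            return n
        n += 1


def make_keypair(seed_p: int, seed_q: int, e: int = 65537):
    """Textbook RSA key pair from two small primes.
    Toy sizes, no padding: insecure, for illustration only."""
    p = _next_prime(seed_p)
    q = _next_prime(max(seed_q, p + 1))      # ensure q != p
    while True:
        phi = (p - 1) * (q - 1)
        try:
            d = pow(e, -1, phi)               # private exponent (Python 3.8+)
            break
        except ValueError:                    # e shares a factor with phi: take the next q
            q = _next_prime(q + 1)
    return (p * q, e), (p * q, d)             # (public key, private key)


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def issue_certificate(ca_private, name: str, subject_public) -> dict:
    """The authority signs the binding 'name -> public key'."""
    n, e = subject_public
    return {"name": name, "key": subject_public,
            "ca_sig": sign(ca_private, f"{name}|{n}|{e}".encode())}


def key_belongs_to(ca_public, cert: dict, expected_name: str) -> bool:
    """Recipient's check: does a key he already trusts vouch for this binding?"""
    n, e = cert["key"]
    body = f"{cert['name']}|{n}|{e}".encode()
    return cert["name"] == expected_name and verify(ca_public, body, cert["ca_sig"])


def demo() -> dict:
    ca_pub, ca_priv = make_keypair(1_000_000, 1_000_030)   # the trusted authority (assumed)
    p_pub, p_priv = make_keypair(100_000, 1_299_700)       # person P
    m_pub, m_priv = make_keypair(200_000, 300_000)         # an impostor claiming to be P
    cert = issue_certificate(ca_priv, "P", p_pub)
    forged = issue_certificate(m_priv, "P", m_pub)         # self-issued, not signed by the CA
    msg = b"constructed sample message from P"
    sig = sign(p_priv, msg)
    return {
        "genuine": key_belongs_to(ca_pub, cert, "P") and verify(cert["key"], msg, sig),
        "tampered_text": verify(cert["key"], msg + b"!", sig),
        "wrong_signer": verify(cert["key"], msg, sign(m_priv, msg)),
        "forged_certificate": key_belongs_to(ca_pub, forged, "P"),
    }


if __name__ == "__main__":
    print(demo())
```

The forged certificate fails not because anything in it is malformed but because the recipient checks it against the authority's key rather than the key inside the certificate; that is the whole of what the authority contributes, and it only helps if the recipient got the authority's key by some channel he already trusts.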

III. What Verisign is doing:

IV. Who are they?

V. Details:

VI. Is a digital signature legally valid? We don't know yet.

VII. Verisign can be viewed as a Trojan Horse for Public Key Encryption!

0: Guest Lecturer--Silicon Valley's Computer Cop. Some bits.

I. Review Digisign

II. The new hole in Netscape Security?

III. Economic espionage problem?

IV. DSS--was the trap door intentional?

 

V. Is ITAR constitutional?

I. Lund v Commonwealth of Virginia 232 S.E. 2d 745 (Va. 1977); SC of VA

II. United States v. Seidlitz 589 F.2d 152 (4th Cir. 1978)

III. United States v Jones 553 F. 2d 351 (4th Cir. 1977)

IV. The People of New York v. Robert Versaggi

I. If someone wants to do a paper on the pretensions of the Attorney General of Minnesota to rule the internet, some interesting questions might be:

II. The Hacker Crackdown: The sociology of computer crime

III. U.S. v. Robert Riggs (and Craig Neidorf)

IV. Unix source code cases. 1990.

VI. Review: Issues raised by the criminal cases.

VII. Steve Jackson case:

2. When is that legal?

VIII. "Sending a Message"

IV. Sociology issue: "Those Kids aren't Criminals"

V. Odds and Ends:

"However, the problem is becoming moot, as Cancelmoose(tm) (moose@cm.org) has devised a new mechanism, called NoCeM, that will let you set your system to respond however you'd like to PGP-signed requests from people you authorize, where responses include things like not showing you the postings and showing you only the postings that are named in the requests. So you can get a lot more control over spam without having to open your system up to forgeable cancels."

 

According to Restatement (2d) of Torts sec. 623A,

"One who publishes a false statement harmful to the interests of another is subject to liability for pecuniary loss resulting to the other if

(a) he intends for publication of the statement to result in harm to interests of the other having a pecuniary value, or either recognizes or should recognize that it is likely to do so, and

(b) he knows that the statement is false or acts in reckless disregard of its truth or falsity."

 

 

I: The old nightmare: Computers as the end of privacy.

    II. Public Fork:

    IV. Private fork: Thompson v San Antonio Retail Merchants Association

    V. Fair Credit reporting act.

    A. § 609 Disclosures

    1. Credit agency must provide subject with all nonmedical information it has on him,

    2. Provide him the sources except for investigative consumer reports, and

    3. Tell him who the recipients of the information are.

    4. The act immunizes credit bureaus against defamation suits and the like, except for violating specific provisions or acting with malice.

    B. § 611 Procedure for disputing and recording disputes, and correction.

    C. § 613 Public Record Information for employment

     

    1. Information goes to court or grand jury, or anyone the subject wants it to go to, or to anyone with a legitimate business purpose in connection with a transaction involving that subject.

    2. Legal rules on when information becomes obsolete.

    a. Why? Bankruptcy 10 yrs.

    b. Only applies to small transactions.

     

    III. Obscenity on-line

    A. Obscenity vs Indecency

    1. Obscene--It is constitutional to forbid people in general from reading it. A work is obscene if:

    a. The average person, defined by community standards, would find that the work as a whole appeals to the prurient interest, and

    b. The work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law, and

    c. The work, taken as a whole, lacks serious literary, artistic, political or scientific value. Not defined by local community standards.

    2. Indecent--may be kept from children, but not from adults (except to the extent that keeping it from adults is an unavoidable consequence of keeping it from children).

    3. Sable Communications v FCC:

    a. The invention of Dial-a-porn resulted in a series of acts, regulations, suits on how much the providers could be constrained in order to protect children.

    b. 1988 act--total ban on both obscene and indecent, no FCC regulations to limit serving children required.

    c. The court held that banning obscene speech is constitutional, even though the standard of obscenity will vary from place to place. The burden is on the provider to tailor its product accordingly.

    d. Indecent speech is protected by the 1st amendment, so the law must restrict it more narrowly to only protect children. That part of the 1988 act is unconstitutional.

    e. FCC v Pacifica--banned dirty words only by time of day. And broadcasting "can intrude on privacy without prior warning as to program content, uniquely accessible to children, even those too young to read." "Captive audience, ... unwilling listeners." So the case for regulating radio is stronger than for regulating telephone conversations.

    f. Alternatives suggested by the FCC: require credit card, an access code obtained by providing proof of age, or a scrambler only sold to adults.

    g. Dissent (Brennan, Marshall, Stevens) holds that imposing criminal penalties for distributing obscene material to consenting adults is constitutionally intolerable, because of the vagueness of the definition of obscene, hence chilling effect.

    B. How does this apply to networks?

    1. The act applies to anyone who: "Makes obscene communication by means of telephone for commercial purpose" or "permits any telephone facility under such person's control to be used for ..." That might apply to Compuserve EMail and other forms of electronic communication to people using modems over telephone lines. Even if the EMail or posting is not made for commercial purposes, you could argue that its transmission (by Compuserve, or a commercial net access provider) is.

    2. A future act directed at networks would raise constitutional issues similar to those in Sable. Obscene could be prohibited but indecent could probably not be if less extreme alternatives were available. The difficulty of dealing with a multitude of community standards would not prevent such an act.

    3. Currently, alt.talk.sex is not under the act because it is not commercial. But access providers arguably are!

    C. Technical issue--possible control and associated liability.

    1. Posters must identify themselves via digital signature. Require the poster of indecent or obscene material to restrict his post to "World minus K12," or "World minus Prudes."

    2. Posting machine--require users to label posts as "adult only," "PG," ... ?

    3. Receiving machine--require it to provide its community standards in a way that makes it possible for posters to include it out if their posts would offend its community.

    4. Who defines the code--courts? Internet standards committee?

    5. What about an owned information utility such as Compuserve or AOL? Must they require age evidence for customers?

     

    492 U.S. 115, 109 S.Ct. 2829

     

    FCC proposed regs: credit card, ID gotten through the mail, time of day (set aside by court of appeals as too narrow and too broad).

     

    Set aside for failure to consider customer premises blocking.

     

    Proposed third alternative of scrambling, unscrambler only for adults.

     

    2nd ct of appeals upheld this stuff, but invalidated the statute wrt non-obscene.

     

    statute amended to ban all dial-a-porn, adults and children.

     

    Obscene part upheld. Justice BRENNAN, with whom Justice MARSHALL and Justice STEVENS dissent.

     

    Indecent part not narrowly enough tailored

     

     

    Mark Twain Bank and Chaum's digicash are now offering Chaumian digital cash. So one more of the requirements for strong privacy is in place.

     

    U.S. v Thomas

     

    I. Why it matters:

    Interactive Services Association: Not just obscenity: defamation, franchise, real estate laws, ...

     

    II. Tangibility, means of transmission:

    Does the law apply only to tangible objects? U.S. v. Carlin is the only case to interpret this--a phone sex case under USC 1465. "Facility or means of interstate commerce" != "any means of communication," as the judge instructed the jury. Congress could have added computer and phone terms to the statute; it did so for child porn, but did not do so here when the statute was revised. The AG had given the opinion that 1465 did not cover phone transmission. Not "by private conveyance" (the section the government chose to rely on).

     

    [prosecution denies tangible, claims Carlin was wrong]

     

    III. Who transported it?

    Transfer initiated by customer.

    like Buying book and bringing it home. They paid for the call. Civil analog.

     

    IV. What is the relevant community?

     

    CA? Local police had seized, looked at, released. Not child porn.

     

    Computer community. World? Customers of that BBS?

    "the States have a legitimate interest in prohibiting dissemination or exhibition of obscene material when the mode of dissemination carries with it a significant danger of offending the sensibilities of unwilling recipients or of exposure to juveniles." Miller v CA 1973.

     

    Community is users. So no need for laws--if violated, users go elsewhere.

     

    EFF argues that ... No impact on the local community. Like reading a book. Can screen out children. Much better filtering.

     

    Miller court said community standard rule might result in "some possible incidental effect on the flow of [otherwise protected] materials across state lines," acceptable because only "incidental." This is more than incidental. So District court should have weighed chilling effect against Tennessee interest--case of first impression.

     

    V. Could they guard against?

    1. Descriptions free and obscene. (but not themselves appealing to prurient ...)

    2. Thomas had to call inspector in Tennessee to acknowledge receipt of membership application. But did not know thereafter where inspector was calling from!

    3. Inspector claims that Thomas knew he was sending them child porn; Mr. Thomas denied it.

    4. No harder than Sable, but ...

    5. Precedent for the Internet?

     

    VI. Reasons for special laws:

    This is an especially good first amendment medium--low entry barriers, interactive, ... Open to unpopular speakers--easily chilled.

     

    Could use electronic community, or could prosecute the buyer, who affirmatively acts to bring material into his community.

     

    Or balancing test according to how much is obscene where, and how easy to bar from particular places.

     

    ACLU: stream of 1s and 0s en route, only became obscenity in the receiver's house. Expand Stanley v Georgia.

    EMail on Thomas' network.

     

     

    Scanned pictures.

    Transport for purpose of sale or distribution? After sale.

    Child porn frame: mailed magazines to Mr. Thomas, watched Mrs. pick up the envelope, followed her home, executed search warrant. Acquittal on child porn charges.

    Jury was shown or told about lots of stuff not included in the charges. inflammatory.

    Acceptance of responsibility.

    Also mailed videotapes.

    Misleading advertising.

    Should they have used the Sable statute?

    Will this become irrelevant with internet from Netherlands?

    I. Review of U.S. v Thomas and related stuff.

    II. Odds and ends.

     

    III. Computer Crime:

    A. Jerry Schneider and Pacific Tel. Get into order system. Stole/ordered equipment. 40 days in jail. Computer security consultant.

    B. Stanley Mark Rifkin. Working on backup system for a bank wire room.

    How we would do it:

    A. Subvert company, sell short.

    B. Time bomb customers, blackmail company.

    C. Are we too late?

     

    0: New stuff:

    I. Review:

    II. Low tech computer crime:

    III. Another extortion--all tapes and backups and backups of ... Caught on payoff.

     

    IV. Stealing services from ex-employer. Thought it was all right--they would have ...

    V. Leslie Lynn Doucette. Hacker service industry.

    VI. Market in Computer Crime?

    VII. Check Kiting story.

    VIII. Card counting? Not illegal. $10,000 materials, $390,000 labor.

    Four teams, eleven people. In 22 days made $130,000. Two systems captured, FBI reported just a computer. No indictments.

     

    VIII. How much computer crime? Total of 1000 1958-1981 tabulated. Flat about 1973.

    Financial>Govt>Student

     

    VIII. Suppose you discover a hole ... Responsible you.

    IX. Protecting one program from another.

    I. Bank slip story.

     

    II. How to predict the future:

    III. What is already in place: How is the (computer) world different from 15-20 years ago (and most of our crime experience)?

    IV. Implications for computer crime:

    V. Next step: Crime in a world of strong privacy.

     

    I. More suggestions on crimes in the new world?

    II. How do you prevent these?

    I. Old technology:

    II. Current technology: Crime based on what is here now.

    II. Farther future: Strong Privacy

    I. FBI wiretap proposal:

    II. Clipper II .

    III. Default rule for your info: Avrahami claims it requires express consent.

     

    IV. S. 1360: Medical Records Privacy Act

    V. Net censorship opposed by CATO, ACLU, Brookings

     

    VI. Monitoring vs spoofing: Netscape vs public key phone book.

     

    VII. Drop-in encryption?

    VIII. Rumour boards vs credible boards?

     

    IX. Should blackmail be illegal?

    Two recent cases

     

    I. Cornell: http://joc.mit.edu/~joc/

    II. Caltech case: Mercury.

    I. Would digital signatures have solved this problem?

    II. Does Jianjing have adequate motive?

    III. Lessons of the case for us:

     

    Course Summary:

     

    I. Computer Crime.

    II. Privacy

    IV. Random number issue--how to choose a password.

    V. Digital time stamping idea.

     

    VI. Cornell--what makes it private/public?

     

     

    Preliminary Syllabus: Computers, Crime and Privacy

     

    Hoffman, Lance, ed. Building in Big Brother (BBB); 1[3] means Ch. 1, part 3

    Bruce Sterling The Hacker Crackdown

     

    Week BBB Other

     

    Encryption and the Future of Privacy

    8/28 1[1-4] D. Friedman, "A World of Strong Privacy" (forthcoming in Philosophy and Public Policy)

     

    The Clipper Chip Proposal

    9/4 2[1,5, 8], 3

     

    Which Future? The Controversy

    9/11 4,5

    9/18 6,7

    Crime and Law Enforcement: The Past

    9/25 Lund v Commonwealth of Virginia 232 S.E. 2d 745 (Va. 1977);

    United States v. Seidlitz 589 F.2d 152 (4th Cir. 1978)

    United States v Jones 553 F. 2d 351 (1977)

    The People of New York v. Robert Versaggi 518 N.Y. S. 2d 553 (1987)

     

    10/2 The Hacker Crackdown: Parts 1 and 2

    U. S. v. Neidorff

     

    10/11 The Hacker Crackdown: Parts 3 and 4

    Steve Jackson Games v U.S. Secret Service and ...

     

    The Old Privacy Issues

    10/16 Fair Credit Reporting Act and cases.

    Merriken v. Cressman;

    Electronic Communications Privacy Act

     

    Obscenity On-Line*

    10/16

    Computer Crime and Law Enforcement: Today*

    10/23

    Computer Crime and Law Enforcement: Tomorrow*

     

    10/30

    Strong Privacy Reconsidered

    11/6

    [Student Presentations from here on]

    11/13

     

     

    *: May be student presentations

     

    Readings will be available on line, on disk (library reserve), and in some cases as hardcopy.

    Office hours: M/W 2:20-4:00, Room 204, Phone # 5732, EMail dfriedman@scuacc.scu.edu, ddfr@best.com.

     

    Paper Ideas

     

    Computer Crime in the 1990s: What it is

     

    Computer Crime in the Twenty-first Century: What it will be

     

    How Can and Should On-line Obscenity be Regulated?

     

    On-Line Obscenity: Whose Community Standards?

     

    Problems of Privacy: Anonymous Letters + VR =?

     

    Obscenity and Harassment: Can Private Solutions Work?

     

    Does Cyberspace Need Its Own Laws?

     

    Norms of the Net: How are They Enforced, Do They Work?

     

    Shareware: An Experiment in Unprotected Intellectual Property

     

    Cyberpunk: Does SF Get the Legal Issues Right? (True Names, Snowcrash, Trouble and Her Friends, ...)

     

    Privacy and Computer Crime in a World of Many Nations

     

    The Church of Scientology vs anon.penet.fi

     

    Can Strong Privacy be Stopped? At What Cost?

     

    The Legal System in a World of Strong Privacy

     

     

     

    A Few Places to Look for Stuff

     

    Electronic Frontier Foundation (EFF.com, Web page)

    Cypherpunks

    RSA.com

    www.digicash.com

    ...

     

