Lecture Notes: Computers, Crime and Privacy 1996

[While I do not intend to follow the same structure in 1997, I will be covering much of the same material]

I. Class Mechanics: Seminar

II. Three topics:


III. Privacy and encryption: The need

IV. Encryption: The technology (Detailed information is in the FAQ from rsa.com. Some excerpts are on p. 33 of BBB. The following is my simplified version.)


V. The Supporting Technology: power, bandwidth, Virtual Reality


VI. Implications of strong privacy



I. Can strong privacy be stopped, and if so how?


I. About encryption:


II. Key distribution and management problems.


III. Public key as a solution to both problems.


III. A Digital Signature serves three functions--identify sender, prove sender, untampered text.


IV. As computers get faster, they can encrypt faster, decrypt faster, and break encryption faster.




I. Non-cryptographic attacks: Consider a simple password cracking problem. You are a hacker who has dialed into a computer and is trying to get privileges on it--which requires giving it a password it recognizes as associated with a legitimate user.


II. Why does the government care about cryptography?


III. The question of standards:


I. Review:

II. On to Clipper




I. Odds and Ends


The proposed section 1201 would provide:

No person shall import, manufacture or distribute any device, product, or component incorporated into a device or product, or offer or perform any service, the primary purpose or effect of which is to avoid, bypass, remove, deactivate, or otherwise circumvent, without the authority of the copyright owner or the law, any process, treatment, mechanism or system which prevents or inhibits the violation of any of the exclusive rights of the copyright owner under section 106.


II. How important is wiretapping? Freeh's statement




I. Non-clipper escrow solutions:

II. Function of Clipper


III. Hardware v Software encryption--can we do the equivalent of Clipper in software?


IV. Digital Telephony bill


V. Cost/benefit calculations:




I. Readings from Chapter 6 of BBB


I. Verisign is a new firm, marketing its product as a way of facilitating the use of digital signatures rather than an encryption approach. Nonetheless, it may be very important for the spread of strong privacy. Information can be found at: http://www.verisign.com/faqs/id_faq.html and, in much briefer form, below.


II. How does a digital signature work?


II. So far we have assumed the recipient already has the sender's public key. We now drop that assumption. The sender can, of course, send the recipient his public key--but how can he prove that public key XYZ really belongs to person P? Until he does so, he cannot provide a digital signature--and without a digital signature, he cannot prove that the message is really being sent by him.


III. What Verisign is doing:


IV. Who are they?


V. Details:


VI. Is a digital signature legally valid? We don't know yet.


VII. Verisign can be viewed as a Trojan Horse for Public Key Encryption!

0: Guest Lecturer--Silicon Valley's Computer Cop. Some bits.

I. Review Digisign


II. The new hole in Netscape Security?


III. Economic espionage problem?


IV. DSS--was the trap door intentional?


V. Is ITAR constitutional?


I. Lund v Commonwealth of Virginia 232 S.E. 2d 745 (Va. 1977); SC of VA


II. United States v. Seidlitz 589 F.2d 152 (4th Cir. 1978)


III. United States v Jones 553 F. 2d 351 (4th Cir. 1977)


IV. The People of New York v. Robert Versaggi


I. If someone wants to do a paper on the pretensions of the Attorney General of Minnesota to rule the internet, some interesting questions might be:


II. The Hacker Crackdown: The sociology of computer crime


III. U.S. v. Robert Riggs (and Craig Neidorf)


IV. Unix source code cases. 1990.


VI. Review: Issues raised by the criminal cases.


VII. Steve Jackson case:


VIII. "Sending a Message"


IV. Sociology issue: "Those Kids aren't Criminals"


V. Odds and Ends:


According to Restatement (2d) of Torts sec. 623A,


"One who publishes a false statement harmful to the interests of another is subject to liability for pecuniary loss resulting to the other if


(a) he intends for publication of the statement to result in harm to interests of the other having a pecuniary value, or either recognizes or should recognize that it is likely to do so, and


(b) he knows that the statement is false or acts in reckless disregard of its truth or falsity."



I: The old nightmare: Computers as the end of privacy.


II. Public Fork:

III. Rogan v City of Los Angeles

IV. Private fork: Thompson v San Antonio Retail Merchants Association

V. Fair Credit reporting act.


III. Obscenity on-line


I. Why it matters: Interactive Services Association: Not just obscenity. Defamation, franchise, real estate laws, ...


II. Tangibility, means of transmission:

Does law apply only to tangible objects: U.S. v. Carlin only case to interpret. Phone sex case under. USC 1465 "facility or means of interstate commerce." != "any means of communication?" as judge instructed jury. Congress could have added computer, phone terms to statute, did for child porn, did not here when revised. AG had given the opinion that 1465 did not cover phone transmission. Not "by private conveyance" (section the govt chose to rely on).

[prosecution denies tangible, claims Carlin was wrong]


III. Who transported it? Transfer initiated by customer. Like buying a book and bringing it home. They paid for the call. Civil analog.


IV. What is the relevant community?

CA? Local police had seized, looked at, released. Not child porn.


Computer community. World? Customers of that BBS?

"the States have a legitimate interest in prohibiting dissemination or exhibition of obscene material when the mode of dissemination carries with it a significant danger of offending the sensibilities of unwilling recipients or of exposure to juveniles." Miller v CA 1973.

Community is users. So no need for laws--if violated, users go elsewhere.

EFF argues that ... No impact on the local community. Like reading a book. Can screen out children. Much better filtering.

Miller court said community standard rule might result in "some possible incidental effect on the flow of [otherwise protected] materials across state lines," acceptable because only "incidental." This is more than incidental. So District court should have weighed chilling effect against Tennessee interest--case of first impression.


V. Could they guard against?


VI. Reasons for special laws:

This is an especially good first amendment medium--low entry barriers, interactive, ... Open to unpopular speakers--easily chilled.

Could use electronic community, or could prosecute the buyer, who affirmatively acts to bring material into his community.

Or balancing test according to how much is obscene where, and how easy to bar from particular places.

ACLU: stream of 1s and 0s en route, only became obscenity in the receiver's house. Expand Stanley v Georgia.

EMail on Thomas' network.

Scanned pictures.

Transport for purpose of sale or distribution? After sale.

Child porn frame: mailed magazines to Mr. Thomas, watched Mrs. pick up the envelope, followed her home, executed search warrant. Acquittal on child porn charges.

Jury was shown or told about lots of stuff not included in the charges. Inflammatory.

Acceptance of responsibility.

Also mailed videotapes.

Misleading advertising.

Should they have used the Sable statute?

Will this become irrelevant with internet from Netherlands?


I. Review of U.S. v Thomas and related stuff.

II. Odds and ends.

III. Computer Crime:

0: New stuff:

I. Review:

II. Low tech computer crime:


III. Another extortion--all tapes and backups and backups of ... Caught on payoff.


IV. Stealing services from ex-employer. Thought it was all right--they would have ...

V. Leslie Lynn Doucette. Hacker service industry.

VI. Market in Computer Crime?

VII. Check Kiting story.


VIII. Card counting? Not illegal. $10,000 materials, $390,000 labor.

Four teams, eleven people. In 22 days made $130,000. Two systems captured, FBI reported just a computer. No indictments.


VIII. How much computer crime? Total of 1000 tabulated, 1958-1981. Flat about 1973. Financial > Govt > Student


VIII. Suppose you discover a hole in someone's security... Responsible you.

IX. Protecting one program from another.


I. Bank slip story.


II. How to predict the future:


III. What is already in place: How is the (computer) world different from 15-20 years ago (and most of our crime experience)?


IV. Implications for computer crime:


V. Next step: Crime in a world of strong privacy.


I. More suggestions on crimes in the new world?


II. How do you prevent these?


I. Old technology:


II. Current technology: Crime based on what is here now.


II. Farther future: Strong Privacy


I. FBI wiretap proposal:


II. Clipper II.


III. Default rule for your info: Avrahami claims it requires express consent.


IV. S. 1360: Medical Records Privacy Act


V. Net censorship opposed by CATO, ACLU, Brookings


VI. Monitoring vs spoofing: Netscape vs public key phone book.


VII. Drop-in encryption?

VIII. Rumour boards vs credible boards?


IX. Should blackmail be illegal?


Two recent academic cases


I. Cornell: http://joc.mit.edu/~joc/


II. Caltech case: Mercury.


I. Would digital signatures have solved this problem?

II. Does Jianjing have adequate motive?


III. Lessons of the case for us:


Course Summary:


I. Computer Crime.


II. Privacy


IV. Random number issue--how to choose a password.

V. Digital time stamping idea.

VI. Cornell--what makes it private/public?
