QUESTION

Week 5 Cyber security  

Prompts/Questions (please answer these):

US v. Swartz, at pp. 10-11, and notes and questions 1-6 (pp. 11-14):

Should Aaron Swartz’s conduct and Charles Even’s conduct be a crime? (and if not a crime, should either or both nonetheless be subject to money damages as a matter of private//civil law in a lawsuit brought by the victims?) (or both a crime and civil damages?) What about the “hacker ethic” at pp. 12-14, notes 3-5?

See attachement:

Source used . The “Casebook”: ORIN KERR, COMPUTER CRIME LAW, West (fourth edition, 2018) ISBN: ISBN-13: 978-1-634-59899-6. (there is an e-book version available)

1. US v. Swartz, at pp. 10-11, and notes and questions 1-6 (pp. 11-14):

Should Aaron Swartz’s conduct and Charles Even’s conduct be a crime? (and if not a crime, should either or both nonetheless be subject to money damages as a matter of private//civil law in a lawsuit brought by the victims?) (or both a crime and civil damages?) What about the “hacker ethic” at pp. 12-14, notes 3-5?

Computer misuse crimes are offenses involving interference with the proper functioning of computers. Every computer is programmed to perform a particular set of functions for a particular set of users. Interfering with those functions can be a culpable act that causes significant harm. Computer misuse can occur in two distinct ways. First, a user might exceed his privileges on a computer. For example, a person might hack into a remote network and view confidential files he is not supposed to see. Second, a person might deny others their privileges to use a computer. For example, a person might launch a denial-of-service attack that incapacitates a target network. Legitimate users will try to use the network but find that they cannot. These two types of computer misuse are distinct, but represent two sides of the same coin. In the first, the user exceeds his own privileges; in the second, the user denies privileges to others. This chapter explores the law of computer misuse. It begins with a policy question: Should computer misuse be a crime, and if so, when? The materials then consider whether traditional criminal laws can address computer misuse, or whether new statutes are needed. The remaining parts of the chapter study the three most common types of computer misuse statutes: unauthorized access statutes, computer fraud statutes, and computer damage statutes. A.WHY PUNISH COMPUTER MISUSE? Every first-year law student learns that there are two major reasons why wrongful acts are punished. The first reason is utilitarian. Utilitarians believe that punishment should be imposed because it can decrease the amount of crime in the future. For example, criminal punishment can deter harmful conduct: the prospect of punishment can encourage a person not to commit a criminal act. Punishment also can prevent crime by incapacitating or rehabilitating a defendant. See generally Herbert L. Packer, The Limits of the Criminal Sanction 39–61 (1968). The second goal of criminal punishment is retribution. Retributivists believe that punishment should be imposed to ensure that individuals receive their just deserts. Some retributivists believe that punishment 10 reflects society’s revenge against the wrongdoer; from this perspective, punishment is an “eye for an eye.” Others contend that punishment restores the moral order by denying the wrongdoer’s claim to superiority. The common theme of retributive approaches to punishment is that they look back at the wrongfulness of the defendant’s act rather than look forward at the effect punishment will have on future criminal activity. Do these theories justify punishment for computer misuse? Consider the following problem. United States v. Swartz In 2011 and 2012, the United States Department of Justice prosecuted an Internet activist named Aaron Swartz for alleged computer-related crimes. Tragically, Swartz committed suicide before his case went to trial. As a result, no legal decision was handed down. But consider the alleged facts of the government’s case against Swartz, and ask whether you think Swartz should have been prosecuted if the facts are true—and if so, what punishment would have been appropriate. JSTOR, short for Journal Storage, sells universities, libraries, and publishers online access to a database of over 1,000 academic journals. JSTOR charges as much as $50,000 a year for an annual university subscription fee, at least parts of which go to pay copyright fees to the owners of the articles in the databases. A username and password is ordinarily needed to access the JSTOR website. However, access can be had without a username and password from a computer network owned by a university that has purchased a subscription. Users that visit JSTOR must agree to use JSTOR in a particular way. They generally can download only one article at a time, and the JSTOR software is configured to block efforts to download large numbers of articles. Aaron Swartz objected to the idea that scientific knowledge in academic papers available through JSTOR was not available to the public for free. In a writing he titled the Guerilla Open Access Manifesto, Swartz argued that there was an obligation to make academic papers available to all. He wrote: “There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture. We need to take information, wherever it is stored, make our copies and share them with the world.” Swartz devised a plan to copy JSTOR’s entire database and then make it publicly available via filesharing networks. Although Swartz had legitimate access to JSTOR at Harvard University, where he was a fellow at an academic center on ethics, he decided to access JSTOR from the Massachusetts Institute of Technology (MIT). Swartz did not have an account or a formal relationship with MIT, but MIT is known for having relatively open account practices. Swartz purchased a laptop and went into a building at MIT. He used the MIT wireless network to create a guest account on MIT’s network. Swartz then accessed JSTOR and executed a program called “keepgrabbing” that 11 circumvented JSTOR’s limits on how many articles a person could download. Using the “keepgrabbing” program, Swartz began to download a massive number of articles. MIT and JSTOR eventually realized what was happening, and they blocked Swartz’s computer from being able to access the MIT network by banning the IP address that he was using on MIT’s network. To circumvent the IP address ban, Swartz changed his IP address and continued to download the articles in bulk. JSTOR then blocked Swartz’s new IP address. To stop Swartz from just changing IP addresses and continuing to copy more articles, JSTOR next blocked a range of IP addresses from MIT and contacted MIT for more help. MIT responded by canceling the new account and blocking Swartz’ computer from accessing the MIT address by banning his media access control (MAC) address, a unique identifier associated with his laptop. Swartz next bought a new laptop, and he also used a program that faked a new MAC address on his old laptop to circumvent MIT’s ban. Using the two laptops and the program designed to circumvent JSTOR’s limits on downloading articles, Swartz started to download a significant chunk of JSTOR’s database. A day or two later, JSTOR responded by blocking all of MIT’s access for a few days. Swartz’s next strategy was to connect directly to MIT’s network. Swartz entered a basement closet in a building at MIT that contained a server. Swartz connected his computer directly to the server and hid his computer under a box so no one would see it. The closet was normally locked and Swartz did not have the key, although the lock to the door apparently was broken and the door could be pushed open without the key. Over several weeks, Swartz succeeded in downloading a major portion of JSTOR’s database. Investigators were on to Swartz at this point, however. Investigators installed a video camera in the closet to catch Swartz when he accessed the closet to swap out storage devices or retrieve his computer. Swartz was caught on camera, and he even seems to have realized that he was being watched: At one point he was filmed entering the closet using his bicycle helmet as a mask over his face to avoid being identified. Swartz was spotted on MIT’s campus soon after by the police. He tried to run away, but he was chased and caught. Criminal charges followed.

Notes and Questions

1.Should Aaron Swartz’s alleged conduct be a crime? If the conduct should be a crime, what punishment is appropriate? If you think Swartz should receive a lesser punishment because he was caught before his plan was completed, what punishment would be appropriate if Swartz had completed his alleged plan and released the entire JSTOR database to the public?

2.In 2015, a judge sentenced Charles Evens to 25 months in federal prison for an e-mail hacking scheme. Evens hacked into the personal e-mail accounts of hundreds of young women looking for nude pictures they had taken of themselves. When he found such pictures, Evens would sell them to a website that posted them for public viewing. See Matt Hamilton, Judge Sentences ‘Revenge Porn’ Hacker To 2 Years In Federal Prison, Los Angeles Times, November 16, 2015. In your view, is a 25-month sentence appropriate for this crime? What is the appropriate punishment for a single act of hacking into an e-mail account? How about hacking into hundreds of e-mail accounts? And how much should the punishment depend on what Evens was looking for when he hacked into the accounts and what he did with the personal information he collected?

3.The Hacker Ethic. In the early days of computers in the late 1950s and early 1960s, a culture developed among some users that encouraged creative experimentation. In his book Hackers, Steven Levy focuses on the members of a student club at the Massachusetts Institute of Technology called the Tech Model Railroad Club. Members spent a great deal of time working on an early computer called the TX-0, and developed a number of principles that later coalesced into the “Hacker Ethic.” The Hacker Ethic reflects an open and free approach to using and exploring computers. One principle is that “access to computers—and anything which might teach you something about the way the world works—should be unlimited and total.” Another related principle teaches that “all information should be free.” The basic idea is that any computer user should have a right to tinker with and improve any computer, and that rules governing access should not be followed. See Steven Levy, Hackers 24–28 (1984). The term “hackers” was originally used in this sense to refer to skilled and enthusiastic computer programmers with a deep understanding of how computers work. Over time, however, the term has become synonymous with those who commit acts of unauthorized access to computers. See Pekka Himanen, The Hacker Ethic, at vii–ix (2001). Does the hacker ethic help answer when computer misuse should be criminalized? Consider the argument that misuse consistent with the hacker ethic can help improve security. Hackers can identify security flaws and create patches, or inform others that the flaws exist. In addition, a teenager who becomes skilled at exploiting today’s computers may become tomorrow’s computer security professional tasked with protecting important networks. If hackers need to explore computers to improve them, should the law ensure that such exploration is possible? Is the notion that hacking is a form of “misuse” itself misguided? Alternatively, is the hacker ethic a juvenile mythology that simply attempts to excuse harmful activity? Consider the teaching that “information should be free.” Do you think that a person’s private medical records should be free? Can the hacker ethic coexist with widely-held beliefs in the value of privacy?

4.Responsibility for the consequences of poor computer security. Every computer network is run by a system administrator who is tasked with keeping 13 the network operating smoothly, responding to problems, setting up new accounts, and performing other routine network maintenance tasks. System administrators are usually the first to notice and respond to network intrusions. Consider this imaginary (but representative) exchange of views between a hacker and a system administrator: Hacker: System administrators should blame themselves if their networks are vulnerable. Many system administrators pay little or no attention to security, and their negligence is the true cause of most of the financial losses that result from so-called “computer crime.” Hackers raise the level of network security by testing networks, offering solutions to existing vulnerabilities, and making sure that security remains a priority. Taking steps to understand a network shouldn’t be a crime. Instead, it should be recognized as a public service. System Administrator: Your argument blames the victim for being victimized. We don’t blame homeowners when their houses are burglarized just because they left weak locks on their front doors; instead, we blame the burglars. Also, it’s hard to see why we should thank hackers for forcing us to spend money on network security, given that it is the hackers themselves we are trying to keep out. Here’s an analogy: people who live in high-crime neighborhoods may have several locks on their doors and steel bars on their windows, but they don’t thank the local burglars for encouraging them to raise the level of security in their homes. All hacking without the target’s consent should be criminalized. Hacker: You’re missing the point. Unlike homes, computers are inherently open. Any computer attached to the Internet can be accessed by millions of people around the world at any moment. The question is not whether a computer will be compromised, but rather when and how. In this environment, network operators should be responsible for network security, and should recognize that hackers play a vital role in helping system administrators secure their networks against the real criminals. System Administrator: No, you’re the one who is missing the point. This is my network, and you don’t have a right to break in to it. If you want to help me by exposing my network’s vulnerabilities, you can just ask me for permission. If I think you can help me, I will let you try to hack in. But that’s for me to decide, not you. Hacker: You are mired in the old way of thinking. Computers are different, and the law needs to recognize that. Who has the stronger argument? If you think the hacker’s argument is stronger, does it follow that “state and federal governments should immediately decriminalize all forms of non-malicious hacking?” Michael Lee, et. al., Comment, Electronic Commerce, Hackers, and the Search for 14 Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L.J. 839, 882 (1999). If so, how would you articulate the difference between malicious hacking and non-malicious hacking?

5.Culpability and intent to profit. Some hackers abide by the hacker ethic, and hack for the intellectual excitement or the thrill. Others hack for profit. Some attempt to hack into e-commerce sites to collect credit card numbers that can be sold later in anonymous Internet chat rooms. Others gain unauthorized access to distribute spam anonymously for a fee, or to look for an advantage over business competitors. Organized crime groups are actively involved in computer hacking. Organized crime elements hire hackers both to steal credit card numbers and to break into victim sites and demand expensive “consulting fees” in exchange for not doing significant damage. Others are hired to break into computers and find trade secrets that can be sold to competitors or outsiders. Does computer misuse deserve greater punishment when undertaken for profit? On one hand, perhaps computer misuse combined with a profit motive is likely to be more harmful because intent to profit generally suggests a lack of concern for other possible harms or the likelihood the conduct will be repeated. On the other hand, some of the harms caused by computer misuse are unintentional byproducts of otherwise intentional activity. The harm may have no direct link to the intent to profit. For example, imagine a person hacks into a computer for profit, and accidentally causes a great deal of damage to the server. Is that hacking really more culpable by virtue of the intent to profit?

6.Alternative of civil remedies? Civil damages can provide an alternative to criminal punishment when conduct is not particularly culpable and can be deterred through payment of money damages. This raises two issues. First, at what point does computer misuse become sufficiently culpable that some kind of criminal punishment is more appropriate than a civil judgment? And second, how effective is the threat of a civil suit if it is easy to escape detection and many people lack the ability to pay damages?

Source used . The “Casebook”: Orin Kerr, Computer Crime Law, West (fourth edition, 2018) ISBN: ISBN-13: 978-1-634-59899-6. (there is an e-book version available

Related Samples