
The Computer Owner - Guilty or Not Guilty?

Von-at-Infosec_Writers asks: "It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime could become much more difficult especially since, as a recent CNN.com article stated, a hacker's legal defense can be: it wasn't me but my hijacked computer that committed the crime. 'In some cases, I do suspect there are people whose computer is taken over by third parties. It's also a clever defense to exculpate your client,' says Michael Allison of the Internet Crimes Group. What are possibilities to overcome this problem; to prove that the computer owner, without a doubt, is in fact responsible or not responsible for the crime?" As computers become more and more prevalent in our infrastructure, the consequences for computer crime become that much more serious. How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment, and what are ways we can best determine their involvement, or lack of it, in said crimes?
  • by RobertB-DC ( 622190 ) * on Thursday November 13, 2003 @06:21PM (#7468929) Homepage Journal
    [...] their attorneys successfully argued that trojan programs found on their computers were to blame.
    In all three cases, no one has suggested that the verdicts were anything other than correct.


    I think it's going to be pretty easy to tell, within the law, whether the computer owner knew that a hack attack or illegal download was occurring on his/her computer. Most of the time, the court's answer will be "no".

    If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

    * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

    * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

    While the defense attorney needs only argue that his client is just an average Joe(anne), and wouldn't know what a Trojan [trojancondoms.com] was if he/she bought one at the drugstore. The defense attorney should be facing a receptive audience. Remember, in the US at least, he'll be facing a jury of 12 average citizens who know as little about how computers work as I do about brain surgery.

    Or perhaps less. At least I know which box my brain is in.
  • by dtolton ( 162216 ) * on Thursday November 13, 2003 @06:23PM (#7468944) Homepage
    Unfortunately, I think the "I didn't do it, my computer did"
    defense will be all too common. How can you hold people
    responsible for holes in their system while Microsoft produces
    software with numerous holes in it, but is not held responsible?

    An interesting analogy is gun crimes. If someone owns a gun,
    and it is proven conclusively that the gun committed a crime,
    but it cannot be proven conclusively that the owner of the gun
    is the one who pulled the trigger (opportunity), then it is
    difficult to establish a case.

    I think a similar idea will work itself out with computer
    crime. The fact that your computer did something isn't enough,
    you have to be a willing participant in the incident.

    Perhaps there should be laws to punish people who leave
    unpatched, unprotected computers sitting on the internet. There
    are laws that punish irresponsible gun owners, should we also
    punish negligent computer owners? What about negligent
    programmers?

    As an aside, in the last court case I was involved in, e-mail
    was admissible in court. The only thing I had to do was produce
    some e-mail correspondence between myself and the other party.
    The lawyers and the judges all accepted them without a word.
    While the e-mails were in fact real, and the transmission could
    be verified by ISP records, the simple fact that the opposing
    counsel didn't so much as raise an eyebrow shows me just how
    ignorant the legal system still is when it comes to technology.
    This happened less than a year ago.
  • well (Score:4, Insightful)

    by JeanBaptiste ( 537955 ) on Thursday November 13, 2003 @06:24PM (#7468957)
    in the US, if your car is going down the freeway and your brakes fail because you didn't do routine maintenance, you end up crashing and killing someone, you are at fault.

    on the other hand, if someone cuts your brake lines, you crash and kill someone, you are not at fault.

    I would think that viruses and trojans and worms and such would fall more under the 'someone cuts your brake lines' category.
  • by h2oliu ( 38090 ) on Thursday November 13, 2003 @06:25PM (#7468969)
    IANAL, but: To put a rather brutal, but analogous comparison in place. If someone breaks into your house, steals a gun, and then shoots someone on the street, the owner of the house would not be guilty of murder. They may be guilty of negligent storage of a firearm, but not much else.

    And since there currently is no crime for keeping a computer unsecured on the internet, I doubt there is much that can be done.
  • by QueenOfSwords ( 179856 ) on Thursday November 13, 2003 @06:26PM (#7468980) Homepage
    Problem is, of course, that if you're a CS student who has been a bit lax about security, you're probably screwed. People don't understand computers, so your jury won't understand that anybody who is studying computers or has *specific* knowledge isn't a super-1337 hax0r who is probably guilty.
  • Responsibility (Score:1, Insightful)

    by Frambooz ( 555784 ) on Thursday November 13, 2003 @06:26PM (#7468988) Homepage
    How much responsibility does the owner of an Internet-connected computer have for crimes committed using their equipment...?

    I don't know. How responsible are you for a drive-by shooting, done with your stolen car?

  • Same as in a car! (Score:4, Insightful)

    by scovetta ( 632629 ) on Thursday November 13, 2003 @06:27PM (#7469005) Homepage
    If you're driving a car, and the car malfunctions and you hit and kill someone, you shouldn't be held responsible. If you say the car was broken and it wasn't, then it's fraud and you get charged with vehicular manslaughter or whatever.

    If your computer was hijacked and you did nothing to prevent it, it's YOUR fault. If you ran antivirus/firewall/whatever, then it's the fault of the hacker, and you shouldn't be held responsible.

    Of course, we need a good definition of a "good faith attempt at computer security", but that's a grey legal line. Personally, I think that if a patch has been available for more than, say, 2 months, and you aren't patched, it's your damn fault. If you installed a program explicitly, then it's your fault (even if it was spyware)-- the analogy, if you get super-duper-hood-attachments for your car and they fly off and impale someone, it's your fault.

    Of course, that sucks, but it's the only way I can see to segment culpability for crimes in this case.
  • Re:well (Score:3, Insightful)

    by j0keralpha ( 713423 ) * on Thursday November 13, 2003 @06:28PM (#7469025)
    Reasonable Mitigation. There is very little you can do to prevent someone from cutting your brakelines. A lot of Computer Zombification stems from users not proactively patching AV and OS (let's not even talk about applications). Slammer (yes I know this was a server-worm) and Blaster are excellent examples. The world at large had 6 months and 1.5 months respectively to prevent the nightmare from happening, but nobody takes responsibility for (to extend your car analogy) Changing the oil and other basic maintenance on their computers. If a user's computer causes x amount in damages and they had a reasonable ability to patch the problem and mitigate it, then they should be held responsible. This obviously doesn't apply for 0-day takeovers. The problem then lies in showing HOW the computer was compromised, and the question is: 'Is the burden of proof upon the user to show they are not at fault, or the attack victim to show that they are?'
  • by happyfrogcow ( 708359 ) on Thursday November 13, 2003 @06:29PM (#7469029)
    would not there be logs of some sort to PROVE his computer had been Hijacked by a third party?

    if a computer is compromised, never believe the logs.
  • by gooberguy ( 453295 ) <gooberguy@gmail.com> on Thursday November 13, 2003 @06:30PM (#7469042)
    Should we fine and arrest people who keep vulnerable systems on the web? I think not. If your computer gets infected with a virus or worm, no one dies. Sure, damages may be done, but no amount of commercial loss compares with murder. Also, your idea would kill the Internet. The Internet is about freedom. Overall, it is the least regulated, most anonymous medium accessible to Joe Sixpack. If people fear getting arrested for merely being online, they will find something else to do.
  • Hmmm (Score:2, Insightful)

    by ActionPlant ( 721843 ) on Thursday November 13, 2003 @06:30PM (#7469047) Homepage
    How DO you prove whether or not a person had the capability to do the hack? Character witness comes into huge play here, and I have a feeling that as this defense becomes more and more difficult to prosecute in criminal course, we'll see cases popping up where civil suits are being filed against people. In a criminal case you are innocent until proven guilty, while if a civil suit were filed for damages from a specific person's computer, all that has to be proven is that they are the most likely person to have committed the infraction.

    I'm waiting for a case to set precedent in this realm. What happens when grandma is on the hook for $250,000 in damages because she was judged for "willful neglect" in not actively taking responsibility to ensure that her computer was adequately protected against trojans? I feel it's only a matter of time before someone proposes that owning a computer carries the same ramifications and responsibilities as owning a gun.

    I hope such a thing never actually holds up, but I still fully expect to see it proposed.

    Damon,
  • by kaan ( 88626 ) on Thursday November 13, 2003 @06:36PM (#7469113)
    Look at the rest of society, outside of the context of computing.

    If I have a knife and I leave it on a table, and a neighborhood kid comes over and stabs himself in the head, I'll probably get sued (and lose) even though I didn't do the stabbing.

    If I leave the keys to my car and somebody steals it, drives all over town and runs over a group of teenagers, I'll probably get sued as being somewhat responsible because I provided the car (indirectly).

    If I'm a parent with a house full of handguns, and my child finds one and blows his sister's head off, I'll probably end up in jail even though I didn't pull the trigger.

    I can't think of too many examples where our society wouldn't sue the hell out of anyone, even if you're just a by-stander, when something goes wrong. Whether or not that's "right" or "the way things should be", it certainly is. So why should it be any different if my computer is used to do something malicious or damaging? I say stick with the established precedent and blame the computer owner, even if he had nothing to do with the crime. It might not be fair, but at least it would be consistent. We don't live in a society of fairness anyway, we live in a society of blame and accusation.
  • by Megor1 ( 621918 ) on Thursday November 13, 2003 @06:39PM (#7469162) Homepage

    If a remote-control Trojan is on the PC, then the prosecution would have to prove that:

    * The computer's owner is 133t enough to hack into a remote system, but clueless enough to allow a Trojan free rein on his own.

    * Or, the computer's owner in fact installed the Trojan program on his PC for the explicit purpose of throwing off investigators.

    Really you tell me how to detect a kernel level trojan on a Windows box besides running your own separate intrusion detection system that knows what way the trojan works. (So if it's an unknown one you ain't gonna find it). And if the person removes the trojan and overwrites itself you ain't gonna find any evidence of it.

  • by sporty ( 27564 ) on Thursday November 13, 2003 @06:39PM (#7469163) Homepage
    What if the trojan hacks someone's computer and then makes itself scarce, ala a rootkit?

  • by southpolesammy ( 150094 ) on Thursday November 13, 2003 @06:42PM (#7469194) Journal
    If I leave my car unlocked with the keys in the ignition, and someone steals my car, packs it full of C4, and blows up a building with it, hopefully, my alibi is good enough to show that I wasn't the one that perpetrated such a heinous act.

    The problem with computer crime is that the alibi part of the equation is harder for the computer owner to prove. He may very well have been actively using the computer in question that hacked the Bank of North Elbonia at the time of the crime, but that doesn't mean he did it. In spite of that, proving that he wasn't the perp is difficult. Most other alibis work because of physical bias placing the individual in some other place than the crime in question. This is harder to prove in a virtual setting.
  • by Michael Crutcher ( 631990 ) on Thursday November 13, 2003 @06:42PM (#7469195)
    .. just walks up to an apartment complex with a wireless card and initiates their hack from there. Toss the wireless card (bought in cash) or spoof the MAC address (entirely possible) and poof, it's not going to be traced. This is a sticky problem because only the dumbest crackers (script kiddies) aren't going to take these extremely simple precautions to avoid being caught.

    As long as wireless networks remain as insecure as they are right now it's going to be cracker paradise. I don't see an easy solution to the problem, it almost seems like if a hack can be traced back to your computer you almost certainly didn't commit the crime (unless you're a complete asshat).

  • by isomeme ( 177414 ) <cdberry@gmail.com> on Thursday November 13, 2003 @06:55PM (#7469331) Journal
    Might it be best to make computer owners responsible for all harm caused by their computers, no excuses allowed? People would become much more security conscious. Insurers could include computer liability insurance with home or business coverage, with "good driver"-like discounts if you can show you use proper safeguards.

    It's a harsh position, I know, but it seems like it might work.
  • I think the gun and car analogies are a bit too much here. In these analogies, the tool of the crime is obviously taken away from the owner, so it's relatively easy to compare the time of the crime to the alibis and figure out who did it.

    I think a better analogy is that of possession of stolen goods. I can buy a used bike, for example, in good faith from a garage sale, use it for months, then one day the police stop me and tell me that bike was stolen. How can I prove that I didn't steal it myself? How can the police prove that I am the thief and I'm lying about the garage sale? Same goes for counterfeit money.

    In this analogy, one continues to perform a crime (possession of stolen goods) cluelessly, just like in the case of a trojaned computer. How does the law handle possession of stolen goods? The same procedure should apply to trojaned computers.
  • The issues (Score:3, Insightful)

    by skinfitz ( 564041 ) on Thursday November 13, 2003 @07:08PM (#7469450) Journal
    Unless you have failsafe tamper proof user interfaces that use biometrics to constantly authenticate the user (i.e. fingerprint and body temperature signature recognising keyboards and mice) along with RFID readers to detect the proximity of the user to the machine (based on the RFID chips implanted in the user's body, naturally) along with digitally signing the network traffic generated by the user of the machine with the biometric data of that user in a way that it could not be tampered with, along with video cameras constantly filming what the user is doing, then the trojan case will always be available...
  • by pyros ( 61399 ) on Thursday November 13, 2003 @07:26PM (#7469618) Journal
    A hacking attempt should have a well documented time, and if the defendant can show they were doing something else at the time they should get a not guilty verdict easily.

    That's right, because there is no such thing as batch jobs and scheduled tasks. Any "expert" witness the prosecution calls upon to talk about such things must be getting bribed to do so.

  • by mveloso ( 325617 ) on Thursday November 13, 2003 @07:39PM (#7469722)
    It's already easy for this to happen. Think about your workplace - the IT guys (you guys, mostly) can put whatever the hell you want on someone's box, and they'd have no idea.

    For example:

    Staffer: "Hey, I have no idea where that child pr0n came from!"

    Manager: "Look, don't make this harder than it has to be. Just pack up your stuff and we won't tell your wife or the paper."

    Staffer: "But I never saw that before!"

    Manager: "That's what they all say."

    With a careful admin, even browser history and caches can be faked. And there's not a thing that the poor staffer could do about it.
  • by darnok ( 650458 ) on Thursday November 13, 2003 @07:44PM (#7469771)
    > Should we fine and arrest people who keep
    > vulnerable systems on the web? I think not.

    I think that day is coming.

    I think we're at a point of time in computer ownership that was probably a lot like the early days of car ownership.

    I'd be fairly certain that there were hardly any rules for the first few years that cars were on the roads, since there wasn't sufficient public perception that lots of rules were required. It was only after enough people got run over, enough cars run off the road, enough general havoc was wreaked that rules against this behaviour were drawn up.

    I can even remember the days before seatbelts were compulsory in cars, and when you could drink as much as you liked then drive home. These rules only came in in the last 20-30 years, yet it's almost impossible today to imagine that they didn't exist all along.

    As more and more home computers get hijacked and used for "bad things", legislation will start to come in making people responsible for what goes on on their own PCs. Maybe it won't be directed at end users - maybe the responsibility will be put on ISPs, or on the owners of routers that filter traffic into and out of legal jurisdictions - but it *will* be enforced regardless of whether the laws are credible or not.

    If not, what will we be left with? - a mass of rogue PCs capable of bringing down major companies and financial and legal systems. No responsible government is going to allow this to happen.

    You may or may not like it (personally I've got mixed feelings about it), but it will happen.
  • by NanoGator ( 522640 ) on Thursday November 13, 2003 @07:48PM (#7469797) Homepage Journal
    "Perhaps there should be laws to punish people who leave unpatched, unprotected computers sitting on the internet. There are laws that punish irresponsible gun owners, should we also punish negligent computer owners? What about negligent
    programmers?"


    Not a fan of either. A significant chunk of vulnerable machines out there are owned by people who don't have a strong enough interest in computers to know they should be patching. Making sure your computer is secure is not as simple as putting a lock on your gun. On top of that, it's not a life or death situation. You'd be asking too much of the casual computer user.

    What about negligent programmers? Nope. There's a can of worms you don't want to open. First off, whether or not somebody built something exploitable, the guilty party is still the one who exploits it. Secondly, how do you judge how negligent a programmer is? His job is to write a program that performs a task. There are a lot of security issues out there that the average programmer is not even going to consider. Who would want to contribute to the Open Source Community if one little human mistake made on their part could make them liable because of some script kiddie?

    There's one more fundamental problem here that needs to be considered. Computers fail. Power surges happen. Parts wear out. Shit happens. Nobody in their right mind would put somebody's life into the hands of a computer without considering the possibility that the system won't behave as needed. If a virus or worm put somebody's life in danger because a computer wasn't doing what it should be, then where's the punishment for the dude who didn't make the system fail safely?

    If you want laws passed that'll help security, try stiffer punishments for the jackasses that create these self-propagating headaches. Not only does the right person get punished, but it also creates incentive for those maintaining these machines to make sure that hacking attempts are traceable.
  • by IdleTime ( 561841 ) on Thursday November 13, 2003 @07:58PM (#7469865) Journal
    Disclaimer: IAASL (I Am A Slashdot Lawyer)!

    The only one that should be prosecuted is the creator of the software that allowed the PC to be taken over. Average Joe has no clue about securing an unsafe PC. They buy the box at BestBuy and hook it up when they come home, just like it was your average DVD player.

    Analogy: If your car, parked with the brakes on, suddenly late one night decides to start rolling due to a bug in the brake system and rolls over a kid who gets killed, you the owner, will not be prosecuted if investigation shows the brakes were on. They might go after the producer of the car in this case. Same for a PC.
  • by techno-vampire ( 666512 ) on Thursday November 13, 2003 @08:43PM (#7470174) Homepage
    "Jane is a techie, if her computer was infected she must have done it herself?"

    I worked for several years as a support tech for an ISP. When Melissa came around, most of the techs were running around like chickens with their heads cut off, while I laughed. Same thing with the Love Bug. Why? Because unlike everybody else, I used Eudora for email, not Outlook. It doesn't have the well-known security holes, so it's safe from the trojans aimed at Outlook. (OK; that's not the only reason, or the main reason I use it. But it was what kept me safe.)

    The point here is, that techs are just as likely to follow the path of least effort as anybody else, and either use vulnerable software or not bother to secure what they have. Not only that, but just working as a tech doesn't mean you actually know what you're doing; I could tell numerous horror stories about techs using Reply All to ask a question about a message sent to a number of people, using "fixes" known to cause the issue to get worse, and otherwise proving that having a job as a tech doesn't make you one.

    No, just proving the defendant worked in a tech field or as a tech or was studying CS isn't going to be enough, at least if the defense lawyer is any good. You're going to have to prove that he or she knew enough to have installed the trojan, had access to it and had a reason to do so. Just like with any other crime, Motive Means and Opportunity have to be demonstrated.

  • by ghost-hacked ( 711417 ) on Thursday November 13, 2003 @08:44PM (#7470180)
    I believe computer owners who have systems connected to the internet should be held accountable even if their PC was hijacked, unless they can prove having taken reasonable steps to protect their computer, like antivirus software, a firewall, being a well-educated computer user. Something I don't think many people understand or would agree with is that owning a computer that is connected to the internet has a certain responsibility with it. Like owning a car or a gun, it carries great responsibility; I'm not equating the two. Ignorant computer users, who knowingly or unknowingly contribute to virus propagation, should be held accountable for it. Just like if you don't keep your car well maintained, and it causes an accident, you will be held accountable, because of your negligence. It is very easy to protect your computer from viruses and other unwanted programs, as I'm sure most /. readers will agree; the problem is the general public, and average computer users don't know how easy it is. You have to have a license to do everything in the US, except own a computer and have a kid; maybe it's time to start on those too. Less morons, and less morons using computers.
  • by Dr Damage I ( 692789 ) on Thursday November 13, 2003 @08:55PM (#7470255) Journal
    Of course, is it really right to hold someone liable for damages that result in an intrinsically harmless slip-up? Say I forget to patch SSH or Apache and someone launches an attack from my box. Should I be held liable? If so, why? Because I should know better? That may be true, but I can always argue that I'd intended to patch but just hadn't found the time to do so, and someone by chance, found my box.

    The issue I have here, is that frequently the offender is using an unprotected computer to exploit a hole in the security of the target computer. Is it really fair to assess damages against someone in favor of a victim who was equally negligent?

  • by gooberguy ( 453295 ) <gooberguy@gmail.com> on Thursday November 13, 2003 @09:36PM (#7470528)
    If someone died, it would be the fault of the virus writer. You are saying something similar to this: If people leave their doors unlocked and get robbed, it's their own fault. Sounds a little funny now that your logic has been applied to a real world situation. The last time I got robbed, the police didn't blame me, they blamed the robber, and rightfully so. Just because someone is stupid and doesn't patch their systems doesn't mean they are at fault if they get hacked. I'm not saying people should stop patching, not at all, but they shouldn't be blamed just because they are asking to be hacked. Whoever writes the virus is responsible.
  • by fireteller2 ( 712795 ) * on Thursday November 13, 2003 @09:52PM (#7470609) Homepage
    I have to say that I disagree with most of the highly moderated posts here so far.

    A legal precedent for this type of defense is already set. This type of case should not be considered differently from other crimes.

    If my car is stolen and later used in a bank robbery I am not culpable in any way. I was not an accomplice before, during or after the fact, I did not commit the crime. In fact, I am one of the victims. My lack of culpability remains intact whether I am aware of my car being stolen or not, and whether I report it stolen or not.

    In all such cases regardless of the items used to commit the crime or how they were obtained the burden of proof lies with the prosecution to demonstrate that it was in fact the defendant who was in control of the items at the time, and therefore the guilty party.

    The only complicating factor in computer cases is that the computer may be in the virtual control of one person while in the physical control of another. This has the net effect of slightly shifting the burden of proof towards the defendant; his control of the computer is implied. This is, in my opinion, unfortunate and I hope that future cases will set precedent that shifts the burden back to the prosecution.

    In a truly free country the legal system must expend most of its effort keeping innocent people free, not punishing the guilty.

    Naturally, a different set of guidelines exist for civil cases.
  • by kscguru ( 551278 ) on Thursday November 13, 2003 @11:18PM (#7471078)
    So we ought to round up the authors of SSH and stick them in jail? After all, an unpatched SSH install is a wide-open door for invasion, and I'll bet good money that most of the invader's connections would come in over SSH!

    While it would be great to prosecute only the people that deliberately exploit holes in programming, your idea would do more harm than good. (Much like the DMCA...). If I write code to work around a known Windows API bug that exploits a not-quite-normal workaround, am I hacking Windows?

  • by Anonymous Coward on Friday November 14, 2003 @02:51AM (#7472178)
    Well put, particularly the last comment. Lately we have seen a few cases of spammers being made examples of which raises mixed feelings. We welcome the laws and their effectiveness, but the punishments handed out seem arbitrary and unusually harsh.

    If someone deliberately, with intent, hacks a critical system and evidence (logs) show clearly a course of malicious actions ultimately causing loss of life or livelihood then yes, send 'em down! You should be culpable of the actual crime. It is a murder investigation in the first place, and only incidentally a computer related crime. Come to think of it, what _isn't_ in some way computer related these days?

    If on the other hand you deface a website the worst you should face is a $200 fine to cover the webmasters time to clean up your mess.

    And - if like many of us who have stumbled across an open port, wandered in and gone
    #wall 'Hey - party? You left the door open'
    that should not even be an offence.

    If I spot an open box these days I'm more inclined to just walk on by and leave them to the script kiddies. So much for well meaning social conscience in 2003.
