Data Security

Chapter 3.4 Data Security

"You may have heard that 'knowledge is power,' or that information, the raw material of knowledge, is power. But the truth is that only some information is power: reliable information" (Harris, R.).

Definition and History

The issues relating to data security (which will include encryption, anonymity and privacy, fraud, intellectual property, and "computer hacking") are considered critical issues of the Internet for at least three reasons. Firstly, as will be further elaborated, the capacity for encryption and data reproduction has reached extraordinary new levels with the equivalent development of computing and communication technologies. Secondly, notions of privacy and civil society, essential principles in advanced modernity, have not yet dealt with these matters in light of the new technologies. Finally, advanced social systems are heavily dependent on the procedural and quantitative accuracy of capacity and directions of system media. As a counter to the procedural and quantitative accuracy of the technology, the same technology allows hitherto unforeseen degrees of falsification. Just as previous subchapters challenged counterfactual claims of universal accessibility and freedom of discourse, this subchapter challenges the counterfactual claim of secure and reliable communication. The general level of insecurity and unreliability of computer-mediated communication further adds to the degree that the Internet is distant from the counterfactual ideal speech situation.

In terms of narrative, dealing with the issues related to data security follows linearly from the preceding subchapters. It is ontologically a priori that before any matters relating to content are discussed, the question concerning access is considered first. Subsequent to this, and under the assumption that individuals learn speech and writing prior to connectivity (although this will not necessarily be the case in the current and subsequent generations), the question concerning freedom of expression and its limits is discussed. With only a modest temporal distance, this third subchapter discusses information primarily from the perspective after content has been generated - that the message has been sent according to intention and received with security. This is consistent with the general social theory of the communicative rights; the right to secure and truthful information, by which an individual or institution may come to an informed and rational decision.

These matters are not just a concern unique to late modernity. Equivalent examples can be found throughout the history, and even prehistory, of human society. The purpose of this subsection is to illustrate, through analytical definition, historical and modern examples, the development of data security. Following these definitions and examples, contemporary case studies from computer-mediated communications are examined across the themes of encryption, privacy and anonymity, fraud, intellectual property and computer hacking whereby the scale of the issue and the depth of conflicts between the technology and institutional limits and interests is critical. In general, the issue may be described as follows: in the environment of contemporary computer-mediated communication the capacity for encryption, privacy and anonymity has reached hitherto unforeseen levels which are beyond the technological and legal capacity of institutional authorities to control. This provides individuals with new levels of responsibility and also the capacity for deception.

The phrase 'data security' can be taken in its parts. 'Data', which derives from the Latin datum, 'something given', from the neuter past participle of dare, to give, refers to pure facts. 'Security', deriving from the Latin (se-, without, and cura, care), is explicitly tied with the notion of freedom, meaning freedom from risk, danger, doubt or anxiety. As usual, these elaborative meanings provide social theoretical grounding and directions for counterfactual ideals - in this instance the comparison in this subchapter is the ideal of giving and receiving data with the freedom of being 'without care'. The case studies themselves will refer to related terms of fraud, anonymity and privacy, encryption, and intellectual property. By 'fraud', direct from the Latin fraus, what is meant is deception in general and in particular, deception for systematic gain. By 'encryption' what is meant is the act to generate cryptography, deriving from the Latin 'crypta' and the Hellenic 'krupte' meaning to hide. By 'anonymity', what is meant is the ability for authorship to remain undisclosed by technology and law, from the Hellenic 'anonumos', an-, without, onuma, name, an extreme version of 'privacy', the quality of seclusion, from the Latin privatus, not in public life. By 'intellectual property', what is meant is copyright, trademarks, trade secrets and other legal claims to information, which derived from the Latin intellectus, to understand, which is a combination of inter (between) and legere, to gather and choose. This is combined with 'property', a possession, from the Latin proprius, 'one's own'.

Whilst matters of data security are primarily a concern of literate societies there are instances of the concern in preliterate social groupings. It is self-evident, for example, that acts of fraud do not necessitate written correspondence, and there is the widespread use of fraud in mythology. The use of elaborate metaphor in mythology is also a type of "encryption" and there have been some attempts to provide mathematical and periodic examinations of such narratives, although such studies to date are far from providing the predictive certainty that one gains from pure reason. Finally, there is certainly a degree of professional intellectual property in pre-state societies and most especially in those professions that would ultimately become the keepers and producers of symbolic power - the shamans, witch-doctors, sorcerers and so forth. Evidence likewise exists of some individuals who challenge the rights to such professional intellectual property and engage in "software piracy".

[cf., Claude Levi-Strauss, The Raw and the Cooked; Claude Levi-Strauss, Structural Anthropology]

With the institutional formation of private property and state administration the practice and purpose of data security was orientated towards these new organising principles. Written records themselves, a skill belonging to a specific class for state purposes, may be cited as an example of data security. According to Kahn:

"It must be that as soon as a culture has reached a certain level, probably measured largely by its literacy, cryptography appears spontaneously -- as its parents, language and writing, probably also did. The multiple human needs and desires that demand privacy among two or more people in the midst of social life must inevitably lead to cryptology wherever men thrive and wherever they write. Cultural diffusion seems a less likely explanation for its occurrence in so many areas, many of them distant and isolated." (Kahn, p84)

The first recorded example of written encryption dates back to c1900 BCE with an Egyptian scribe using non-standard hieroglyphs. The first example of encoded production secrets dates from c1500 BCE with a Mesopotamian tablet using enciphered instructions for pottery glazes. Further, Hebrew scribes writing the biblical book of Jeremiah used a reverse alphabet substitution cipher. (Kahn pp71-77) The Spartan Hellenics were the first to use cryptography for a military use through the skytale circa 500 BCE, using transformative decoding of papyrus message coils. Julius Caesar used simple substitution methods and transliteration of Greek to Latin in government communications. (Kahn pp82-83) Ancient Hellenic society participated vigorously in the buying and selling of information, with significant debate over individual versus collective production and resultant debate over the concept of intellectual property (Betting pp134, Kamber pp428-429).

In traditional societies, encryption was often used for heretical or magical texts, which are often directly correlated with a culture's alphabet. The old Nordic Runic associations with magic are well known, as are the Judaic Kabbalah. Even in nominally non-literate societies, such as the Celts, the complex mathematical art often contained encrypted magical association. In 855 Abu Bakr Ahmad ben `Ali ben Wahshiyya an-Nabati published several cipher alphabets which were traditionally used for magic. Between 1473-1490, a manuscript by Arnaldus de Bruxella used five lines of cipher to conceal the crucial part of the operation of making a philosopher's stone. Encryption was recommended as a skill (yoga) to be learnt in the Kama Sutra. At the request of Clement VII, Gabriele di Lavinde compiled a combination of alphabet substitution and code - the first recorded example of a nomenclator. (Kahn p107) This class of code remained in use among diplomats in Europe for the subsequent four hundred and fifty years - despite the existence of stronger ciphers. Taj ad-Din `Ali ibn ad-Duraihim ben Muhammad ath-Tha`alibi al-Mausili (1312-161) has been credited with producing the first cipher with transposition and multiple substitutions as well as research into cryptanalysis, including tables of letter frequencies and sets of letters which cannot occur together in one word.

In the premodern period information security evidently has two major uses, metaphysical and military, and the purpose of cryptography was for the security of their institutional forms, church and state. Without corroborating evidence, breaches of information security were most probably from competing institutions. The basic methods of cryptography were introduced in this period, although technological limitations restricted the complexity that could be achieved. Differences in modern and pre-modern cryptography issues can be allocated according to the reasons for the cryptographic activities, the content of cryptograms and the technology by which they are introduced. In terms of rational orientation, modern cryptography has an individualistic or voluntary co-operative basis in addition to an expansion of state security use. With the disestablishment of institutional religious power, the use of cryptography in church communications has collapsed. In terms of content, the information is secular and scientific, and in terms of technology an industrial process must be included.

In modern societies however, whilst most cryptography is still carried out by the state, internally generated commercial competitors become prevalent. Early modernity witnessed the introduction of the steganographic cipher, the use of a passphrase as the key for a repeated polyalphabetic cipher (1553) and soon afterward the digraphic cipher (1563). Most importantly however, in 1585 Blaise de Vigenère introduced the first authentic plaintext and ciphertext autokey systems (in which previous plaintext or ciphertext letters are used for the current letter's key): both of these were forgotten and re-invented late in the 19th century. The autokey idea survives today in the DES CBC and CFB modes. (Kahn pp.146-147) The following two centuries saw the introduction of the biliteral cipher by Sir Francis Bacon in 1621, and in the 1790s Thomas Jefferson, possibly aided by Dr. Robert Patterson, invented a wheel cipher that reappeared in several forms and was used by the US Navy in the second world war. (Kahn, p192)
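The two autokey variants described above can be compared directly. The following Python sketch is an added example, not part of the original chapter; the function names, the primers and the sample messages are constructed for illustration. It also shows why ciphertext feedback is the variant that resembles CBC and CFB chaining: a single damaged ciphertext letter spoils only a bounded part of the recovered message, whereas with plaintext feedback the damage keeps propagating.

```python
# Added illustration (not from the chapter): Vigenere-style autokey ciphers
# over the letters A-Z. All names and sample messages are constructed.
A = ord("A")
SAMPLE = "ATTACKATDAWNATTACKATDUSK"  # constructed 24-letter message


def _shift(ch, key_ch, sign):
    """Shift one letter by a key letter; sign=+1 enciphers, sign=-1 deciphers."""
    return chr((ord(ch) - A + sign * (ord(key_ch) - A)) % 26 + A)


def _check(text, primer, mode):
    if mode not in ("plaintext", "ciphertext"):
        raise ValueError("mode must be 'plaintext' or 'ciphertext'")
    if not primer or not all("A" <= c <= "Z" for c in text + primer):
        raise ValueError("primer must be non-empty; use letters A-Z only")


def encrypt(plaintext, primer, mode):
    """Autokey encryption.

    The key stream starts with the short secret primer and is then extended
    with the message itself (mode='plaintext') or with the ciphertext
    produced so far (mode='ciphertext').
    """
    _check(plaintext, primer, mode)
    key = list(primer)
    out = []
    for i, p in enumerate(plaintext):
        c = _shift(p, key[i], +1)
        out.append(c)
        key.append(p if mode == "plaintext" else c)
    return "".join(out)


def decrypt(ciphertext, primer, mode):
    """Inverse of encrypt(); the receiver rebuilds the key stream as it goes."""
    _check(ciphertext, primer, mode)
    key = list(primer)
    out = []
    for i, c in enumerate(ciphertext):
        p = _shift(c, key[i], -1)
        out.append(p)
        key.append(p if mode == "plaintext" else c)
    return "".join(out)


def damaged_positions(plaintext, primer, mode, flip_at):
    """Corrupt one ciphertext letter in transit and report which plaintext
    positions the receiver recovers incorrectly."""
    ct = encrypt(plaintext, primer, mode)
    bad = ct[:flip_at] + _shift(ct[flip_at], "B", +1) + ct[flip_at + 1:]
    recovered = decrypt(bad, primer, mode)
    return [i for i, (a, b) in enumerate(zip(plaintext, recovered)) if a != b]


if __name__ == "__main__":
    for mode in ("plaintext", "ciphertext"):
        ct = encrypt(SAMPLE, "KEY", mode)
        print(mode, "autokey:", ct, "->", decrypt(ct, "KEY", mode))
        # One transmission error at index 2, primer length 3:
        print("  positions damaged:", damaged_positions(SAMPLE, "KEY", mode, 2))
```

With ciphertext feedback the error touches the damaged letter and the one letter keyed by it; with plaintext feedback every later letter on the same key chain is lost, which is the practical weakness of that variant on a noisy channel.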

Similarly, modern society also saw a qualitative change in the nature of intellectual property. Whereas traditional society developed the idea of the individual author, production of such works was still primarily seen as originating from the collective and therefore for collective use. Intellectual property was promoted particularly by authors (Milton, Wordsworth, Dickens). Recognition of intellectual property first occurred in legislation with the British Statute of Anne from 1710. Significant debate however immediately arose over the concept that once ideas were published in the public sphere, they were no longer private property, and whether there was a common law right to intellectual property. Immanuel Kant drew attention to the problem in the corporeal and ideal forms:

"The author and the owner of the copy may both say about it with the same right: it is my book! but in a different sense. The first regards the book as writing or speech; the second only as the mute instrument that delivers the speech to him or the public, i.e. as a copy. This right of the author is however no right to the thing, namely the copy (since the owner may burn it before the author's eyes), but an innate right in his own person, that is to prevent another from delivering it to the public without his consent, which consent can by no means be presumed, because he has already given it exclusively to another."

[Many studies date this legislation as 1709. See however, John Feather, The Book Trade in Politics: The Making of the Copyright Act of 1710, "Publishing History", 19(8), 1980, p. 39 (note 3).] [Donaldson v. Beckett. Proceedings in the Lords on the Question of Literary Property, February 4 through February 22, 1774, in "The History of Copyright: A Critical Overview With Source Texts in Five Languages" by Karl-Erik Tallmo, to be published by Nisus Publishing.] [Immanuel Kant, Von der Unrechtmäßigkeit des Büchernachdrucks, 1785. Michael Synergy expresses the same view in Mondo 2000: EDIT]

By the end of the nineteenth century a bilateral copyright agreement was established between the United Kingdom and the United States. This provided the foundation for the Berne Convention for the Protection of Literary and Artistic Works and the International Copyright Act (UK) in 1886. With the formation of the United Nations, the Universal Copyright Convention, administered by the United Nations Educational, Scientific and Cultural Organization, superseded the Berne Convention in 1952, and was revised in 1971.

Also in the nineteenth century there was a flurry of development in the world of cryptography, particularly following the introduction of electric telegraphy. Most dramatic, however, was the publication in 1861 of a book by Friedrich W. Kasiski which provided the first general solution of a polyalphabetic cipher with a repeating passphrase, thus ending several hundred years of security for this means of encryption. This was unfortunate for the Confederacy in the United States civil war, who still continued to use such a method of encryption, whereas the Union forces substituted select words followed by columnar transposition (Kahn, p207-215). The first significant advance for the twentieth century occurred in 1917 when AT&T worker, Gilbert S. Vernam, invented a polyalphabetic cipher machine with a random key that never repeats - an apparently totally secure cipher. It was offered to the US government for the first world war, but rejected and was put onto the commercial market in 1920 (Kahn, p401). The inter-war years saw a number of cryptographic machines patented and commercial development in Europe and the United States. Part of the civilian interest in cryptography was undoubtedly due to the influence of organised crime in the United States in this period.

The second world war witnessed the introduction of computer mediated cryptography. Of particular note was the Enigma machine, which although not a commercial success, was taken up and used as the prime cryptographic device of Nazi Germany. The Polish mathematician, Marian Rejewski, originally broke the code with follow-ups by Alan Turing, Gordon Welchman and others at Bletchley Park, England. A team headed by William Friedman broke imperial Japan's equivalent, the Purple machine. However, it was the period following the second world war that proved to be a turning point for cryptanalysis and computing. The importance of encryption to the origins of modern computer technologies is not to be underestimated. However, more relevant to this section was the change of the application of encryption. Along with other aspects of delegitimation, the right to establish and break codes was prior to contemporary times considered the role of the State. In the late 1960s however, IBM established a cryptography research group led by Dr. Horst Feistel and developed a commercial encryption system named "Lucifer". This initiated substantial debate of whether the private sector had the right or need for cryptography.

Following IBM's lead, other companies also began developing encryption systems, leading to the need for a common encryption standard. In 1973 the National Bureau of Standards introduced the Data Encryption Standard (DES) which was authorised for use in 1976 for all "unclassified" government communication and became the standard for banks and automatic teller machines. As an alternative to DES, Diffie and Hellman published "New Directions in Cryptography" (Diffie and Hellman, 1976), introducing the idea of public key cryptography. Shortly afterwards Ron Rivest, Adi Shamir and Leonard Adleman introduced RSA, a public key encryption system, a form of encryption so strong that the U.S. National Security Agency attempted to block publication of their work. In 1986 Paul Zimmerman developed a public key encryption system that would work on personal computers. His system, PGP or Pretty Good Privacy, was a 128 bit public key encryption system that led to intense debate and legal action when it became available, as the US government determined it as an armament and in violation of U.S. export law. PGP later included Xuejia Lai and James Massey's "A Proposal for a New Block Encryption Standard", a proposed International Data Encryption Algorithm (IDEA).

The late sixties and early seventies also witnessed the introduction of what is known as "phreaking" (phone hacking) in the virtual community lexicon and software piracy. In 1972, John Draper, upon recommendation from a blind youth named Denny, made a free long-distance telephone call using the line-open tone via a toy whistle that he found in a "Cap'n Crunch" cereal box. Draper adopted the name "Cap'n Crunch" and was arrested repeatedly for phone tampering throughout the 1970s. At the same time the remaining members of the Youth International Party started YIPL/TAP (Youth International Party Line/Technical Assistance Program) magazine to help phone hackers make free long-distance calls. Also during the seventies the Homebrew Computer Club made "blue boxes" designed to circumvent tone security on the 'phone system. Members such as "Berkeley Blue" (Steve Jobs) and "Oak Toebark" (Steve Wozniak) later founded Apple Computers.

Despite these changes in the science of encryption and security procedures most computers and administrative systems in the 1980s remained comparatively ineffectual. The mass introduction of the personal computer gave rise to the modern hacker, first witnessed in 1982 by the "414" group (named after their area code). This group successfully broke into sixty computer systems over nine days, including the Los Alamos National Laboratory, until they were caught by the FBI. Other major hacker groups which hailed from the 1980s include the Chaos Computer Club in Germany and the Legion of Doom in the United States. The former group featured prominently in Stoll's much-cited book "The Cuckoo's Egg", where a member, Pengo, worked with the Soviet Union's KGB to obtain United States military secrets. More recently (1997) members of the CCC wrote an ActiveX control which adds a transaction to the accounting software Quicken, allowing remote unauthorised transfer of funds. (http://www.tbtf.com/resource/felix.html) In comparison, the United States based Legion of Doom were heavily targeted in the 'Operation Sundevil' hacker crackdown. Whilst the group has disbanded, some former members have formed the security company ComSec.

In 1990 the United States Secret Service carried out an extensive series of raids against hacker groups and individuals in the United States entitled 'Operation Sundevil'. This followed the AT&T long distance telephone system crash (nothing to do with hackers, except in the superstitious minds of many) and the great Internet crash of 1988. This crash, the result of a worm program written by Robert Morris Jnr, exploited the finger daemon fingerd and the sendmail program. It resulted in some six thousand computers crashing. One individual hacker, Kevin Mitnick, is also worthy of special note. Mitnick has twenty-five counts of alleged computer and other fraud charges against him and has at one point been described by the U.S. government as a fugitive. Mitnick, sentenced for forty-six months in 1999, had been in custody since February 1995 with proposed restrictions prohibiting him from using any computer hardware, software or wireless telecommunications. These draconian measures have been applied to a person who never hacked for monetary profit, with malicious intent, or to destroy property.

[http://www.kevinmitnick.com/news.html]

Electronic and computer technologies have increasingly raised the capacity of breaches of intellectual property whilst legal and systematic mechanisms have responded with increasingly strong legislation and institutional norms. As the marginal cost to reproduce intellectual property per unit decreases, stronger attempts are made to monopolize the content of such property, which in capitalism also includes increased commodification, which is contrary to the technological inclination. As advanced economies have transformed from their agricultural, industrial and now informational base, the conceptual range of intellectual property has expanded dramatically in advanced industrial societies. Copyright law in the United States for example, began with literary composition, and expanded to include photographs (1884), musical recordings (1971), and most recently, architectural design. Likewise patents have expanded from Industrial Design (1852), to include flora (Plant Patent Act, 1830), Surgical Procedures (1950s) and Software (1981). Intellectual property lawyers have even argued that athletic maneuvers should be patented.

[William W. Fisher III, The Growth of Intellectual Property: A History of the Ownership of Ideas in the United States, forthcoming in Eigentumskulturen im Vergleich (Vandenhoeck & Ruprecht, 1999)]

The right to anonymity and individual privacy is a political feature peculiar to democratic systems and in particular the Ancient Hellenic ideal of the isonomy - where private and equal citizens meet to discuss matters of public interest. Outside of a democracy it is difficult to find a political system whereby the individual right to privacy is as strongly respected in social and legal relations. Furthermore, the industrial process and increasing demarcation between social systems and cultural lifeworlds, between home and work, between gemeinschaft and gesellschaft, increases the potential of individual privacy - along with surveillance on a larger, depersonalized mass scale.

In the United States, where privacy and anonymity received their strongest endorsement, legal rights are embodied in the Constitution's First Amendment ("no law ... abridging the freedom of speech, or of the press...") which provides the right to anonymity, the Fourth Amendment ("... right of persons to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures...") which provides some protection of location, and the Fifth Amendment ("No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment of indictment of Grand Jury...") which provides the right to silence, and in Statutory Law by Title III (1968) and the Electronic Communications Privacy Act (1986). The former statute protects individuals from wiretaps and electronic surveillance without a court order and the latter elaborates this to include more contemporary communications technologies.

[ A majority US Supreme Court decision, Talley v California (1960), confirmed the First Amendment right to anonymity. Talley, in breach of a county ordinance demanding disclosure, was arrested for distributing a handbill that was calling for a boycott of certain businesses in the area because the businesses did not hire minorities. Further, in NAACP v Alabama [EDIT year], the NAACP was provided the right to operate without giving the State of Alabama a membership list. It provided the right of anonymous association.

The US Patriot Act has amended the Electronic Communications Privacy Act to allow disclosure of individual credit card and bank account numbers, emergency disclosures from Internet Service Providers and nationwide search warrants. ]

The right to anonymous speech however does not legally ensure that speakers may remain anonymous. Anonymous defamation, untrue, damaging and malicious statements, or false identification that causes harm to a third party wrongly identified as the author are all forms of speech which do not receive legal protection. However, with the development of computer mediated communication and strong encryption, difficulties arise. The use of pseudonyms, pseudonymous remailers and public key encryption has created an environment where non-disclosure of identity or parallel identities is a cultural norm. Service providers have been subject to defamation proceedings on the basis of third party speech, some of which have transcended international boundaries such as the famous case between anon.penet.fi - a pseudonymous remailer system - and the Church of Scientology in 1995. Further, because in most jurisdictions civil subpoenas do not require probable cause to be issued (and in some there is no need for the subpoena to be filed), service providers have been required to reveal anonymous posters prior to any wrongdoing being shown.

A history of the related topics of encryption, data security, intellectual property and hacking indicates significant changes in the source of encryption and the source of breaches of encryption as well as changes in motivation. These changes correlate with the social formations of traditional society, modernity and advanced modernism or nascent postmodernity. Whereas data security initially was a subject which concerned military and religious purposes in traditional society, industrialisation and modernity saw an expansion of the military and diplomatic application and the introduction of commercial and criminal use. Since the introduction of computing however, commercial organisations have overtaken governmental as the prime users of data security and encryption methods and individuals likewise have become the prime users of techniques to overcome encryption.

This historical change in the institutional status and location of data security use, production and breaches raises new questions on the role of freedom of information and privacy in advanced modernity. For clearly, the battleground is between the right of institutions to intellectual privacy and property versus individuals who act with the dual motivations against such claims of institutional privacy and property and a motivation of technical elitism. Prior to making recommendations on how to deal with this seemingly incommensurable conflict of interest and conflict between the individual and the institution, several contemporary case studies with technical information will be provided in the following section. These examples are not necessarily strictly related to the Internet per se, but more with the general realm of computer mediated communications and information networks.

Contemporary Case Studies

Computer Fraud

According to a recent report from the U.S. National Center for Computer Crime, computer fraud makes up 44 percent of all computer crime. According to research from West Carolina University, eighty percent of U.S. businesses have been the victim of computer fraud with an estimated cost of some nine billion dollars. However, investigation by this inquiry suggests that in nearly all cases these examples are versions of traditional internal institutional fraud. There are few financially significant examples of where technologically mediated communication has actually led to fraud. Indeed, it was ten years after its promulgation that the U.S. Computer Fraud and Abuse Act (1986) successfully prosecuted an act involving an Internet service - a twenty-year old student whose Macintosh program bypassed AOL's billing service; strictly speaking this was not so much fraud, as rather classical hacking, that is exploiting poor programming by AOL.

[See George Washington University (Department of Forensic Science), Master of Arts, Computer Fraud Investigations, http://www.gwu.edu/~mastergw/programs/crime_commerce/ http://wcuvax1.wcu.edu/~acct625/elise/statistics.html See also: US E-commerce will lose $500 million, Computer Fraud and Security, Volume 2003, Issue 1, pp2-3, which claims losses over the Christmas period. Jason A. Duva, Online Hacker Pleads Guilty to Felony Computer Fraud, 1997 Intellectual Property & Technology Forum, 012301, Boston College Law School http://www.bc.edu/bc_org/avp/law/st_org/iptf/headlines/content/1997012301.html ]

At the beginning of this chapter it was suggested that one of the most dangerous forms of fraud in contemporary society arises because, alongside the sheer procedural and calculated exactness brought on by computer technology, there is also the possibility of enormous deception. Surprisingly, the investigation of this thesis found no greater example of such deception in the public arena than that carried out by the U.S. telecommunications company Bell South against the U.S. courts in an attempt to persecute hackers. These events are comprehensively documented in Sterling's "The Hacker Crackdown", which has been cited several times during this study. At the trial the Chicago Computer Fraud and Abuse Task Force claimed that the E911 document was worth $79,499, a figure supplied by the Bell South security personnel. This figure was substantially inflated, giving highly improbable costings for bureaucratic and technical overheads, even to the extent of claiming an entire computer system had been purchased to produce the single ten page document.

Far more commonly known to the contemporary Internet user, the Advance Fee Fraud or 419 Fraud (from the section of the Nigerian Criminal Code) requires the recipient to pay an advance fee or provide power of attorney to another party in order to access funds which are phrased as coming from either legitimate or illegal sources. According to some reports, 419 Fraud is one of the largest industries in Nigeria, although the fraud is hardly restricted to that nation alone. Originating in the early 1980s and being largely ignored by successive administrations in Nigeria, this is another example of fraud which has received enormous amplification by the introduction of computer mediated communication whilst not resulting from the technology itself. Faced with increasing international criticism and pressure, Nigeria has established a new anti-fraud unit, the Economic and Financial Crimes Commission, which has evidently had some success; according to a Reuters report, some thirty cases are before the courts and some $200 million in property has been confiscated. Those arrested included a member of parliament and those allegedly involved in a $180 million scam which brought down a Brazilian bank.

[Public Awareness Advisory Regarding "4-1-9" or "Advance Fee Fraud" Schemes, U.S. Secret Service, 2002. Available at: http://www.secretservice.gov/alert419.shtml

Economic and Financial Crimes Commission of Nigeria, http://www.efccnigeria.org/index.html. See interview with Alhaji Ribadu: "I Will Make Things Difficult for Fraudsters", June 2003. http://www.efccnigeria.org/chairman/intvtribune20030605.html Woman Leads Fight Against Nigerian Fraudsters, November 25, 2003 By Daniel Balint-Kurti http://efccnigeria.org/links/nl2003112501reuters.html ]

Whereas the Advance Fee Fraud is primarily conducted through electronic mail, the use of the world wide web and usenet or other distributed mailing lists is also common. One act of particular note involving a fraudulent webpage was the appearance of a press release which destroyed the stock value of the small technology company Emulex in August 2000, costing nearly $2.2 billion in market capitalization. The author of the release, Mark Jakob, earned more than $225,000 after the Internet Wire published the release and Bloomberg Business News reported it. In another Bloomberg related incident in 1999, a personal webpage was designed with the appearance of Bloomberg News, claiming that the minor U.S. technology company, Pairgain, was being taken over by an Israeli company, ECI Telecom, causing a leap of more than thirty percent in Pairgain's value. In a similar fashion in 2002, the SEC issued an order to Benjamin Snyder, a 17-year-old high school student who posted a fraudulent Bloomberg News article claiming that the Viragen International share price would multiply by several hundred percent on receiving approval from the FDA for an effective anthrax cure. Snyder had recently purchased shares in Viragen. According to the SEC, "Snyder's scheme failed to influence the market for Viragen stock".

[ Press Release Earns Day Trader 44 Months. (Company Business and Marketing) Newsbytes News Network, August 8, 2001, by Dick Kelsey. April 8, 1999, Fake Internet News Account Sends a Stock Price Soaring, by Edward Wyatt http://www.nytimes.com/library/tech/99/04/biztech/articles/08hoax.html SEC Sues Perpetrator of Bogus Bloomberg Story Posted on Internet Message Boards, SEC News Digest, Issue 2002-122, June 25, 2002 http://www.sec.gov/news/digest/06-25.txt ]

The most sophisticated instance of this "pump and dump" system of fraud carried out through Internet technologies was that by Charles O. Huttoe and twelve others who distributed, without disclosure, to friends and relatives some 42 million shares of Systems of Excellence Inc (SEXI) involving some 12 million USD. Huttoe issued numerous false press releases indicating non-existent sales and false revenue projections. Huttoe bribed SGA Goldstar to tout SEXI in the "Whisper Stocks" online newsletter, which operated from August 1993 to November 1996. During this period, the defendants touted without disclosure other companies in exchange for stock. Huttoe and Theodore R. Melcher, Jr., the author of the online newsletter, were sentenced to federal prison.

[ SECURITIES AND EXCHANGE COMMISSION Washington, D.C. LITIGATION RELEASE NO. 16632 / July 20, 2000 http://www.sec.gov/litigation/litreleases/lr16632.htm ]

Using a more complex combination of Internet technologies, including six million unsolicited emails, fraudulent websites and an online newsletter distributed over a ten month period, Francis A. Tribble and Sloane Fitzgerald, Inc. promoted two small companies (Eventemp and JT's Restaurants) which paid cash and securities to Tribble and Fitzgerald. Because they failed to disclose this information to investors, they were prosecuted and a $15,000 penalty was imposed on Tribble. As seems usual, neither Tribble nor Fitzgerald admitted or denied the claims of the SEC. The SEC investigation was initiated after their unsolicited email campaign led to the largest number of complaints being sent to the SEC's online complaint centre. The enforcement actions against Sloane and Fitzgerald were part of a national sweep which involved 44 individuals and companies, for breaches involving untruthfulness about the companies touted, deception about the independence of individuals from the companies and failure to disclose the degree of compensation from companies.

[ SECURITIES AND EXCHANGE COMMISSION Washington, D.C. S.E.C. v. Francis Tribble and Sloane Fitzgerald Civil Action No. 98-8699 (RVX ) (C.D. Cal. October 27, 1998). Litigation Release No. 15959/ October 27, 1998 SEC Fines Internet Stock Promoter Responsible for Massive Spam Campaign http://ftp.sec.gov/litigation/litreleases/lr15959.txt SEC Charges 44 Stock Promoters in First Internet Securities Fraud Sweep, Washington, D.C., October 28, 1998 http://ftp.sec.gov/news/headlines/netfraud.htm ]

As a key aspect of the Internet is its internationalization, it was only to be expected that in time a fraud of international proportions, that is, one where the perpetrators act in concert internationally, would occur. In April 2001 the International Chamber of Commerce shut down a banking fraud that sold fraudulent investments and securities to an estimated value of almost $4 billion USD. Spanning 29 websites and at least 10 individuals and companies in the United States and Switzerland, the cartel created websites that mimicked Bloomberg LP reporting and that of the Brussels-based Euroclear investment bank, including www.bloomberg.50megs.com and www.euroclear30.50megs.com. Monies were raised through advance fees and through false high-yield/low risk investment programmes. Less than a year later, in May 2003, a similar attempt at banking fraud occurred with false offers of Bank Guarantees. A US (Florida) company with an address in Switzerland gave the appearance of ties with major U.K. and European banks, offering bank guarantees with discounts of over forty percent, redeemable in one year. The company received an advance fee of 1 percent of the Guarantee's Face Value. The company was caught out as East European banks and traders questioned the ICC-CCB before purchase.

[ ICC Commercial Crime Services, CCS foils multi-billion dollar internet banking fraud, London, 11 April 2001 http://www.iccwbo.org/ccs/news_archives/2001/fraud.asp Authorities uncover Net banking scam, Story by Matt Berger, IDG News Service, http://www.computerworld.com/managementtopics/ebusiness/story/0,10801,59548,00.html Arrests made in online banking scam By John Geralds [18-04-2001] http://www.itweek.co.uk/News/1120620 ICC Internet warnings prevent financial instrument fraud ICC publications help increase awareness of fraudulent financial instruments. London, 26 May 2003 http://www.iccwbo.org/ccs/news_archives/2003/false_bank-guarantees.asp ]

Nevertheless, the main concern from a consumer's point of view, and one with a relatively low dollar cost in comparison to these securities frauds, is complaints over auctions. With an average of 1,000 complaints per week sent in the year 2000 to the U.S. government's Fraud Complaint Centre, complaints concerning online auctions made up 48.8% of all complaints, easily surpassing securities and commodities (16.9%) and credit-card complaints (4.8%). Almost twenty percent of complaints were of auction goods that were not delivered. According to the Federal Trade Commission, standard auction deceptions also occur online, including false escrow services, bid siphoning, shill bidding and bid shielding. Recently, consumers and victims of fraud have banded together to publicly "out" fraudulent sellers (including the US companies Electro Depot and Tech-Surplus, and with a consumer managed database at http://www.auctionblacklist.com/) and to co-ordinate with law enforcement officials.

[ Net fraud complaints are largely over auctions Story by Margret Johnston, IDG News Service, August 30, 2000, IDG http://www.computerworld.com/industrytopics/retail/story/0,10801,49250,00.html Internet Auctions: A Guide for Buyers and Sellers, April 2003 http://www.ftc.gov/bcp/conline/pubs/online/auctions.htm eBay Auction Fraud Spawns Vigilantism Trend By Ina Steiner AuctionBytes.com October 12, 2002 Auctionbytes-NewsFlash, Number 411 - October 12, 2002 - ISSN 1539-5065 ]

Most recently "phishing" - identity theft - has become popular as a means of fraud. Such fraud normally involves posing as a legitimate business (often a bank) and requesting a bank account number and password or, in some cases, credit card numbers and expiry dates from alleged purchases. An imaginative example was an email claiming to be from Westpac Internet banking, posing as a security email and requesting that users reactivate their banking details. The fraudsters were careful enough to use a deceptive header that made the email appear to come from westpac.com.au and a redirected link that appeared to direct to Westpac's online banking site, olb.westpac.com.au. Similar attempts have been made in the past using Citibank, Bank of America and First Union Bank. In each of these cases there was clear information that could alert a savvy Internet user to the nature of the fraud: in the Citibank case, the use of a hotmail address as the return header; in the Bank of America case, numerous spelling mistakes; and in the third case, the use of firstunion.com as the email address and website (both are managed through wachovia.com).

[ Westpac, "Important Security Information", 2004 http://www.westpac.com.au/internet/publish.nsf/Content/PBOB+Important+Security+Information Internet ScamBusters, by Audri and Jim Lanford, Issue #63 ("Snippets"), July 9, 2003, Copyright (c) Audri and Jim Lanford http://www.scambusters.org/Scambusters63.html ]
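The warning signs described above (a return address at a free-mail host, link text that names the bank while the link itself goes elsewhere, a sender domain the institution does not actually use) can be checked mechanically. The following is an added example, not part of the original chapter; the two messages, the `.example` and `.invalid` domains and the `known_domains` allow-list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: forged From header, free-mail reply address, and a link
# whose visible text names the bank while the href points somewhere else.
SAMPLE_PHISH = """\
From: "Example Bank Security" <security@bank.example>
Reply-To: accounts-desk@freemail.example
Subject: Reactivate your Internet banking details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please reactivate your details at
<a href="http://bank-example.login.invalid/olb">https://olb.bank.example/</a></p>
"""

# Constructed sample of an unremarkable message from the same institution.
SAMPLE_CLEAN = """\
From: "Example Bank" <service@bank.example>
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p><a href="https://olb.bank.example/statements">View your statement</a></p>
"""

# Two-label public suffixes known to this sketch (assumption: a deployment
# would consult the full Public Suffix List instead of this short set).
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "co.uk", "org.uk"}
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registered_domain(host):
    """Reduce a hostname to the domain that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Registered domain of an address header, or '' if absent/malformed."""
    _, addr = parseaddr(header_value or "")
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message, known_domains):
    """Return (indicator, detail) pairs; known_domains is the set of domains
    the impersonated organisation really sends from and links to."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = address_domain(msg["From"])
    # The From header is trivially forged, so a match here proves nothing;
    # only a mismatch is informative (the firstunion.com/wachovia.com case).
    if from_dom not in known_domains:
        findings.append(("sender-not-known-domain", from_dom))
    # Replies must reach the fraudster, so the reply path often gives the
    # game away (the hotmail return address in the Citibank case).
    for header in ("Reply-To", "Return-Path"):
        dom = address_domain(msg[header])
        if dom and dom != from_dom:
            findings.append(("reply-path-mismatch", f"{header}: {dom}"))
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html += part.get_payload(decode=True).decode(charset, "replace")
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = HOST_RE.search(text)
        # Visible text names one site, the link leads to another (Westpac case).
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(("link-text-mismatch", f"{shown.group(1)} -> {target}"))
        if target not in known_domains:
            findings.append(("link-to-unknown-domain", target))
    return findings
```

Spelling mistakes, the indicator in the Bank of America case, are left out because they cannot be judged from headers and links alone.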

Encryption, Anonymity and Privacy

Case studies and methodological research indicate that, in reference to the Internet, there is a systematic and technical association between encryption, anonymity and privacy. The following examples illustrate this association: starting with anonymous remailers and the Church of Scientology, they follow historical chronology through export restrictions on PGP and the proposed Clipper Chip, privacy violations via "cookies", organizational and workplace privacy, privacy concerns raised with Microsoft's Passport/.NET, and other incidences of corporate or state organized electronic surveillance, especially the development of the FBI's Carnivore surveillance system and the legal options made available in the USA-PATRIOT Act of the United States. As with the last subsection, the examples correlate with particular Internet services (beginning with usenet, moving towards electronic mail and webbrowsers, then into hardware and software and real-time services) yet are usually not only associated with Internet technologies but rather are amplified by the introduction of the new technologies.

Anonymous remailers have been a feature of usenet for many years. The major differentiation is between anonymous and pseudo-anonymous systems. In the latter, a trust relationship is established between the sender and the remailer. The sender provides a message with genuine details to the remailer, who alters those details so the sender can publish "pseudo-anonymously". Fully anonymous remailers come in two types. With the first (Type I or "cypherpunk"), one encrypts a message prior to sending it to the remailer, who then decrypts the message and sends it to the recipient. This protects the sender from monitoring between their computer and the remailer. Offering even greater security is Type II (or "mixmaster"), which uses multiple packets and RSA/DES encryption and is protected against denial-of-service attacks on the remailer (latency, reordering, universal size, distinguishability). Often the security conscious also chain remailers, sending a message to remailer A with instructions to send it to remailer B, then to C and then to D and then finally to the desired recipient. Programmes such as Premail, Mailcrypt (Unix), Private Idaho (Windows), and Chainmail (Macintosh) automate this process.

[ Mixmaster & Remailer Attacks, Lance Cottrell (undated; Mixmaster FAQ, 1996) http://www.obscura.com/~loki/remailer/remailer-essay.html ]
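The chaining described above (A, then B, C and D, then the recipient) works because the sender wraps the message in one sealed layer per remailer, so each hop can read only the address of the next. The following is an added sketch, not code from any remailer named in the text; the `seal`/`unseal` pair is a labelled stand-in for the public-key encryption real remailers use, and the remailer names, keys and addresses are constructed.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """SHA-256 in counter mode, used only as a stand-in cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Stand-in for 'encrypt to this remailer'. Assumption: a shared secret
    replaces the remailer's public key (the page names RSA/DES) so that the
    sketch runs with the standard library alone."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def unseal(key, blob):
    """Open one layer; fails if the layer was sealed for a different hop."""
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was not sealed for this remailer")
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def wrap_for_chain(message, recipient, route, keys):
    """Sender side: build the layers innermost first, so the last remailer's
    layer holds the real recipient and the first remailer's layer is outermost."""
    next_hop, payload = recipient, message
    for name in reversed(route):
        hop = next_hop.encode()
        # Layer format (constructed): 1-byte length, next-hop address, payload.
        payload = seal(keys[name], bytes([len(hop)]) + hop + payload)
        next_hop = name
    return payload


def remailer_peel(name, keys, blob):
    """Remailer side: remove one layer, learn only where to forward it."""
    layer = unseal(keys[name], blob)
    n = layer[0]
    return layer[1:1 + n].decode(), layer[1 + n:]


def send_through_chain(message, recipient, route, keys):
    """Simulate the whole route and record what each remailer learned."""
    blob = wrap_for_chain(message, recipient, route, keys)
    hop, seen = route[0], []
    while hop in keys:
        next_hop, blob = remailer_peel(hop, keys, blob)
        seen.append((hop, next_hop))
        hop = next_hop
    return hop, blob, seen


# Constructed route and per-remailer keys for the simulation.
ROUTE = ["A", "B", "C", "D"]
KEYS = {name: hashlib.sha256(b"constructed key for " + name.encode()).digest()
        for name in ROUTE}

if __name__ == "__main__":
    dest, delivered, seen = send_through_chain(
        b"constructed test posting", "reader@recipient.example", ROUTE, KEYS)
    for hop, next_hop in seen:
        print(f"remailer {hop} learns only: forward to {next_hop}")
    print(f"{dest} receives {delivered!r}")
```

Only the last remailer ever sees the recipient's address, and only the first sees where the message came from, which is why an order served on a single operator in the chain does not link sender to recipient.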

The explosion in anonymous remailer technology in the mid-1990s was much inspired by a legal conflict between the Church of Scientology (US) and Julf Helsingius, the host of the popular (700,000 members, 10,000 emails/day) pseudo-anonymous remailer anon.penet.fi. In February 1995, the Church of Scientology, through Interpol and the Finnish police, demanded that Helsingius provide the source for [email protected], which belonged to a Caltech alumni account, [email protected]. The Finnish police stated that lawyers representing the Church claimed that the user had stolen files from an internal Scientology computer in California. Caltech, however, refused to hand over the name of the person who used the account, although they did give it to the Los Angeles Police Department.

[ http://www.firstmonday.dk/issues/issue2/remailers/ By SAMEER PAREKH ]

A second attack on the remailer by the Church occurred in 1996, with Finnish police demanding that Helsingius give the originating accounts for two penet users. Whilst this order was being debated in the Court system, the British newspaper The Observer published an article falsely accusing Helsingius of facilitating the distribution of ninety percent of child pornography on the net (in reality anon.penet.fi did not allow the distribution of digital images). Helsingius closed down anon.penet.fi stating: "I will close the remailer for the time being because the legal issues concerning the Internet in Finland are yet undefined. The legal protection of the users needs to be clarified. At the moment the privacy of Internet messages is judicially unclear". The remailer has never re-opened.

[ Jim Lippard and Jeff Jacobsen Skeptic vol. 3, no. 3, 1995, pp. 35-41. http://www.skeptic.com/03.3.jl-jj-scientology.html CMC Magazine, September 1997, Sabine Helmers A Brief History of anon.penet.fi - The Legendary Anonymous Remailer http://www.december.com/cmc/mag/1997/sep/helmers.html ]

The conflict between PGP and the Clipper Chip actually dates back to 1976, when a cryptographer (Whitfield Diffie) and an electrical engineer (Martin Hellman) discovered the principles of public key cryptography. The following year, as mentioned in the introduction to this subchapter, Ron Rivest, Adi Shamir and Len Adleman developed the public key code and entitled their system RSA, partially patented to M.I.T. The National Security Agency deemed their discovery not fit for publication. M.I.T. and the authors decided to ignore the NSA and published in Scientific American, July 1977, and the system itself in Communications. By doing so the authors lost most of their non-US patent rights to the RSA algorithm. In most nations a patent must be obtained before publication, whereas in the United States it may be obtained up to one year after publication. Another major issue is the fact that the RSA algorithm was considered patentable in the first instance, an unusual practice by international standards. Under the circumstances, the three RSA writers built the PKP and RSADSI systems instead.

[ACM (Feb 1978, vol 21, no 2, pp 120-126)]

In 1991, the United States Senate introduced bill 266, which was aimed at forcing manufacturers of communications techniques to provide the U.S. government with a "backdoor" past any security measures. Proposed as "the Clipper chip", it was to be introduced in telephone systems, email and all other electronic communications and transmissions. As a government standard it would have been used alongside driver's license and social security numbers, etc. As the New York Times (17th April 1991) reported: "It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall insure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."

In response to the bill, in the same year Paul Zimmermann wrote the first version of PGP (Pretty Good Protection), an implementation of RSA encryption with a symmetric key cipher of his own design (later replaced with IDEA - the International Data Encryption Algorithm invented by Xuejia Lai and James Massey). Despite warnings in the original documentation that international distribution may be in breach of US law, the product somehow reached overseas distribution. PGP, due to its symmetric key design, can effectively bypass Clipper on technological grounds. Soon afterwards the holders of the RSA algorithm patent contacted Zimmermann claiming patent violation, to which Zimmermann replied, as stated in his distribution, that licensing of the algorithm was the responsibility of the user and that the software was for educational purposes only. At the same time, the US Customs Service investigated Zimmermann for having broken criminal export laws, on the grounds that strong encryption counts as "munitions". That investigation closed in January 1996.

Meanwhile, faced with growing opposition by civil libertarian groups, the initial version of the Clipper chip legislation (dubbed "Clipper I") was defeated in 1993. However in September 1995 a "Clipper II" proposal was introduced that would have raised the encryption level for export encryption from 40-bit to 64-bit if the item had a back door key, and sought industry comment, which was mainly negative. This led the government to undertake for the third time ("Clipper III") proposals to regulate encryption technology. In early 1996, a draft proposal, "Achieving Privacy, Commerce, Security and Public Safety in the Global Information Infrastructure", sought to establish a public key infrastructure for encryption that would use a government-sanctioned to virtually impose key-escrow. Such a system would allow global surveillance, would reduce U.S. private communications security when dealing internationally and would reduce the economic value of U.S. communications products. The proposal was again shelved, for the third time.

[ EFF "Legal Cases - PGP & Phil Zimmermann" Archive, last update January 1997 http://www.eff.org/Cases/PGP_Zimmermann/ Computer Professionals for Social Responsibility, Clipper Chip, October 1994, updated October 1998 http://www.cpsr.org/program/clipper/clipper.html ]

"Cookies", which originated in the webbrowser Netscape Navigator 1.0, are a common feature in webservers whereby server side connections (e.g., CGI scripts) store and retrieve information from the connecting client. For the most part cookies have been considered benign, if somewhat suspicious. In February 2000 the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission, claiming that the US company DoubleClick was unlawfully tracking the online activities of Internet users through cookies to create detailed personal profiles for marketing purposes - just prior to the filing of the complaint, DoubleClick and Abacus Direct, the US's largest catalog database firm, had merged. However, when a legal settlement was attempted in 2002, EPIC argued that the settlement was inadequate as DoubleClick was not making any changes to its practices. Following the EPIC complaint the Internet Engineering Task Force began consideration of a new cookie standard.

[ "The Internet and Privacy Legislation: Cookies for a Treat?" by Viktor Mayer-Schoenberger, West Virginia Journal of Law and Technology Electronic Privacy Information Center, Cookies, November 2002 http://www.epic.org/privacy/internet/cookies/ ]

Most organizations ensure a degree of security surveillance and, in workplaces, monitoring for purposes of productivity. With the introduction of Internet technologies not only are traditional forms of monitoring (e.g., 'phone and video-monitoring) enhanced, but there are new forms of monitoring of electronic mail and webbrowsing. To protect workers from unfair monitoring, or management decisions based on such monitoring, the International Labour Organization adopted a code of practice in 1996 which includes notification, minimised data collection, the principle that monitoring and data should only be used for employment relevant purposes, data security, accessibility and prohibition of polygraph testing. Contemporary legal theory in advanced nations supports the concept of reasonable expectations of privacy, and cases have been won where these expectations have been violated.

However, these expectations have not been as strongly enforced with Internet technologies, with particular debates in the United States over the definition of consent-waiving and service-provision, usually favouring the employer. According to Pivec and Brinkerhoff: "At this time, both statutory and common law appear to favor the business interests of employers over the privacy rights of employees" and from Ciocchetti: "The fact that the courts broadly interpret these three exceptions makes the ECPA's privacy protections illusory at best". This legal fact is doubly reinforced by the capacity of various programmes to monitor networks up to and including instant message services which, unlike electronic mail or webbrowsing, are normally not stored.

[ Cramer v. Consolidated Freightways http://www.ca9.uscourts.gov/ca9/newopinions.nsf/72AF8644401119A488256A6C0057DA99/$file/9855657.pdf?openelement (PDF), No. 98-55657, (9 Cir. 2001). Violation of Californian privacy laws by installation of audio and video surveillance in bathroom/toilets. Halford v. The United Kingdom http://hudoc.echr.coe.int/hudoc/ViewRoot.asp?Item=0&Action=Html&X=1121182248&Notice=0&Noticemode=&RelatedMode=0, 73/1996/692/884. International law protects the content of an employee's call from a workplace telephone. O'Connor v. Ortega http://laws.findlaw.com/us/480/709.html, 480 US 709 (1987). Reasonable expectations of privacy of filing cabinet and desk contents. K-Mart Corp. Store No. 7441 v. Trotti, 677 SW2d 632 (Tx Ct App 1984). Reasonable expectation of privacy violated by employer search of provided lockers. Protection of Workers' Personal Data, An ILO code of practice, 1997, ix+47 pp. ISBN 92-2-110329-3 http://www.law.duke.edu/journals/dltr/articles/2001dltr0026.html http://www.abanet.org/irr/hr/winter99_pivec.html Human Rights, Winter 1999, E-Mail in the Workplace: Limitations on Privacy, by Mary E. Pivec and Susan Brinkerhoff. Corey A. Ciocchetti, Monitoring Employee E-Mail: Efficient Workplaces vs. Employee Privacy, Duke Law and Technology Review, July 2001. Journal of Technology Law and Policy, Vol 5, Issue 1, University of Florida, 2000 http://grove.ufl.edu/%7Etechlaw/vol5/emailfinal.htm 2 Va. J.L. & Tech. 4 (Fall 1997) http://vjolt.student.virginia.edu Windows Nine-to-Five: Smyth v. Pillsbury and the Scope of an Employee's Right of Privacy in Employer Communications, by Rod Dixon http://vjolt.student.virginia.edu/graphics/vol2/vol2_art4.html Cite as: Amy Rogers, You Got Mail But Your Employer Does Too: Electronic Communication and Privacy in the 21st Century, 5.1 J. TECH. L. & POL'Y 1, http://grove.ufl.edu/~techlaw/vol5/emailfinal.htm (2000). ]

Microsoft's Passport was established as an identification and authentication system which provided data harvesting, so that other affiliated groups could receive information about the user that was submitted by the user upon application. There are an estimated 200,000,000 users of Passport (by Microsoft's estimate). Working with Passport, Microsoft's .NET centralized web service required authentication - raising the possibility that any sites designed on the .NET service would require personal disclosure. Passport and .NET were also designed to interoperate with Hailstorm, a proposed suite of services that Microsoft would provide from central services and that would include significant quantities of personal information. In addition, Microsoft has recently released Windows Product Activation (WPA), which acts as an anti-piracy device by scanning hardware setups and linking these with the license registration for the software. Through WPA and registration, users are matched to their personal computers, are required to register with Microsoft Passport and are unable to receive anonymous software support.

In response to these practices, some 15 organizations filed a complaint with the US Federal Trade Commission claiming that Microsoft was engaging in unfair and deceptive trade practices. In April 2002, Microsoft shelved Hailstorm and in May 2002, the European Commission began an inquiry into the .NET and Passport services. Although Gates described a proposed compliance by nine US state jurisdictions and D.C. over .NET and Passport as "impossible", as Microsoft sought to develop "the largest and most extensive database of profiles on the planet", Microsoft settled with the FTC in August 2002 with substantial changes to Passport and .NET, and in January 2003 with the European Union to comply with their 1995 Data Protection Directive.

[ Comment must be made that Microsoft is not alone in such practises. Sun Corporation, with the ironically named "Liberty Alliance" has initiated a similar project: http://www.wired.com/news/business/0,1367,53859,00.html Sun Shines Light on ID Alliance By Michelle Delio 10:10 AM Jul. 15, 2002 PT New York Times BUSINESS/FINANCIAL DESK | April 11, 2002, Thursday TECHNOLOGY; Microsoft Has Quietly Shelved Its Internet 'Persona' Service By JOHN MARKOFF (NYT) BUSINESS/FINANCIAL DESK | May 28, 2002, Tuesday INTERNATIONAL BUSINESS; Microsoft Faces European Commission Inquiry on Privacy Concerns (NYT) http://news.com.com/2100-1001-888110.html Gates says states' remedy "impossible" Last modified: April 22, 2002, 9:25 AM PDT By Joe Wilcox Staff Writer http://www.ftc.gov/opa/2002/08/microsoft.htm http://www.euractiv.com/cgi-bin/cgint.exe/3095017-426?targ=1&204&OIDN=1504575&-home=home Microsoft promises 'substantial' .NET changes ]

As can be expected, Internet technologies have also aided corporate and state surveillance techniques. Particular examples that may be noted in reference to this subchapter include the provisions in the USA-PATRIOT Act of October 2001 (drafted and voted within a mere five weeks), which particularly enhances the capacity of the U.S. government and its agencies to engage in digital surveillance, as there is no necessary provision of reasonable suspicion or probable cause that those surveyed are engaging in, or in communication with, terrorist activity, as was the case with the Foreign Surveillance and Intelligence Act of 1978. With electronic mail, agencies are only supposed to view the addresses of communication, but not necessarily the content unless a trace order is obtained. In practice this is extremely difficult, and more so in the case of webbrowsing, where the content is the web routing information. The USA-PATRIOT Act also enables those subject to computer hacking to engage in monitoring of others "under the color of law" and gives Internet Service Providers the "right" to engage in voluntary disclosure of user transmissions and content. Other provisions include the introduction of "sneak and peek" warrants, seemingly in violation of the Fourth Amendment, the execution of warrants in any jurisdiction and roving wiretaps.

[ From the acronym (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, USAPA), H.R. 3162. Ronald L. Plesser, James J. Halpert, Emilio W. Cividanes, USA Patriot Act For Internet And Communications Companies, Computer and Internet Lawyer (March, 2002) http://cyber.law.harvard.edu/privacy/Presser%20article--redacted.htm In July 2002 the European Union enacted a Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (PDF) that leaves each EU Member State free to adopt laws authorizing data retention. See: http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf ]

Although the USA-PATRIOT Act includes "sunset clauses", the clear and continuing direction of governmental powers, most particularly in the United States but also in other jurisdictions, is to utilize Internet technologies as a form of surveillance and political control. Along with the aforementioned attempts at key escrow with government backdoors in the form of the Clipper chip, the current situation stands on the shoulders of the Communications Assistance for Law Enforcement Act (CALEA), also known as the Digital Telephony bill, which required telephone companies to provide ease of wiretap access - and compensated said companies to the tune of 500 million USD. With CALEA in law and the infrastructure capability provided, the FBI developed Carnivore, a surveillance programme using the reasonably common technology of filtered "packet sniffing". In 1997, the FBI deployed a second version of the programme, Omnivore, which was able to capture email traffic over a targeted ISP, and finally in 1999, DragonWare, which enabled the reconstruction of email messages, file attachments and webpages. As with concerns over the Patriot Act, legal opinion is suspicious of the compliance of Carnivore et al. with the Fourth Amendment.

[ Geoffrey A. North, Carnivore In Cyberspace: Extending The Electronic Communications Privacy Act's Framework To Carnivore Surveillance, 28 Rutgers Computer & Tech. L.J. 155 Rutgers Computer and Technology Law Journal (2002) Privacy and the Internet: Welcome to the Orwellian World, 11 U. Fla. J.L. & Pub. Pol'y 79 (1999) for a more in depth explanation of the 4th Amendment and ECPA. ]

Whilst these concerns are more than legitimate and contingencies must be sought in relation to the right to privacy in the face of the new technologies, it is evident that any legislative orientation must not just orientate itself to the technology itself, but also to the collapse of qualitative data in the face of enormous quantitative capacity, that is, the oft-commented concerns of "sensory overload" common in cyberpunk literature. Specifically, this means the misuse of data collection and the use of incorrect data. For example, in the United States there is increasing evidence of police investigations of political protest organizations even where there is no suggestion of criminal activities. The Electronic Privacy Information Center has filed a suit on the belief that the US Departments of Justice and Treasury have purchased personal data from private companies, in particular through the company ChoicePoint, which it is believed has at least thirty five government contracts valued in the tens of millions of dollars. Not only are there examples of government agents misusing data (e.g., officials selling DEA database information to private investigators, FBI agents using confidential government information to manipulate stock prices and engage in extortion), but there are numerous instances of erroneous data - especially when subjective evaluations or structural correlations are used.

[ c.f. The Washington Post Editorial Spotlight on the Cops Wednesday, December 17, 2003; Page A42 http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A6540-2003Dec16&notFound=true New surveillance guidelines fuel debate in California Concerns raised on civil liberties By Bobby Caina Calvan, Globe Correspondent, 11/30/2003 The Boston Globe, http://www.boston.com/news/nation/articles/2003/11/30/new_surveillance_guidelines_fuel_debate_in_california?mode=PF NATIONAL DESK | November 23, 2003, Sunday F.B.I. SCRUTINIZES ANTIWAR RALLIES By ERIC LICHTBLAU (NYT) 1047 words Late Edition - Final , Section 1 , Page 1 , Column 3 http://www.law.com/jsp/statearchive.jsp?type=Article&oldid=ZZZLRJGTQWC E-Legal: Uncovering Alleged Government Purchases of Electronic Personal Data Eric J. Sinrod Special to law.com 01-21-2002 http://www.businessweek.com/bwdaily/dnflash/jan2002/nf20020124_0582.htm JANUARY 24, 2002 PRIVACY MATTERS By Jane Black Data Collectors Need Surveillance, Too BUSINESS/FINANCIAL DESK | May 23, 2002, Thursday Five, Including F.B.I. Agents, Are Named In a Conspiracy By ALEX BERENSON (NYT) 1146 words ]

Intellectual Property and Piracy

Software piracy is as old in the computer industry as software production, just as replication of publications is as old as publishing. The phenomenology of computer technology allows perfect replication without depreciating originals, something that no other industry has managed. According to major software producers, represented by the Business Software Alliance of the United States, worldwide losses to the software industry due to software piracy in 1997 reached $11.4 billion US dollars. Furthermore, they claim, piracy in the United States resulted in 130,000 lost jobs and $5.3 billion in lost wages. Such claims are obviously inflated as they do not take into account that users simply wouldn't buy the software in the first instance if rigorous software controls were possible, let alone desirable. From an historical point of view, software once was free - it was packaged as part of a computer hardware purchase - and has now become a commodity. From an economic point of view, software piracy may also be justifiable; the marginal price of a commodity should equate with the marginal cost of production.

It is not as if other information industries have not also been subject to the same clash of ideas and technologies. In 1988, Chesterman and Lipman claimed: "The tape recorder, the video cassette and the photocopier make it possible for almost anyone to duplicate anything at will. The computer, in its mass-produced form as the PC (personal computers) or micro, is used to copy software, and since it contains copyright material in its design, it can itself be 'pirated' or 'cloned'. The fifth machine is the telephone, which is certainly the oldest, and may yet be the most important of them all. This is because it allows anyone who owns a computer to gain access to the whole electronics communications system." [Chesterman, J., Lipman, A., The Electronic Pirates, Routledge, 1988, p16] But with the convergence of media formats, software piracy, in a myriad of forms, has taken up a new urgency. This subsection discusses software piracy of computer programmes (operating systems, utilities and applications), piracy of music (etc) with the specific and well publicised example of Napster, along with other file sharing programmes (e.g., NeoModus, iMesh, Audiogalaxy, Gnutella, Kazaa), Digital Rights Management, encryption techniques and "cracks".

Intelligent research on the subject of software piracy on an international level has been conducted by Steven Chew Jnr (who, at the time of writing, was an undergraduate). Chew differentiates between copyright violations (end-user piracy, reseller piracy, counterfeiting and trade-name infringement) and different versions of software (beta, shareware, freeware, public domain). Furthermore, sensitivity is shown to the negative effects of piracy (lack of manuals, technical support, upgrades). In comparing differential piracy rates from the Business Software Alliance, Chew rather wryly notes: "poorer countries, most notably in Southeast Asia, have had a difficult time gaining access and funding for this kind of technology. As a result, these countries have found alternative ways to access American software out of necessity". Chew also claims a cultural imperative, noting claims that copyright is an entirely "western" ideal, existing only to maintain a monopoly over the production and distribution of knowledge, and is deeply antithetical to "some of the most fundamental beliefs rooted in Communism and Confucianism". These twin claims (economy and culture) can be tested empirically; using the nation-states from subchapter 3.1, the following table compares GDP, Gini Index, Internet Providers, Internet Users per capita, computers per capita and traffic index to the incidence of software piracy (according to the BSA).

Nation, GDP per capita, Gini Index, Internet Providers, Internet Users (millions), Internet Users Per Capita, Computers Per Capita, Traffic Index, Piracy Incidence (percentage), Cost of Piracy (millions of USD)

U.S.A., $36300, 41, 7000, 165.75, 0.591, 0.574, 90, 35, 2876
Japan, $28000, 25, 73, 56, 0.441, 0.316, 68, 67, 2076
Germany, $26600, 30, 200, 32.1, 0.385, 0.332, 84, 50, 1875
France, $25700, 33, 62, 17, 0.284, 0.300, na, 57, 771
United Kingdom, $25300, 37, 400, 34.3, 0.574, 0.338, 82, 43, 543
Italy, $25200, 27, 93, 19.25, 0.334, 0.178, 82, 58, 404
Mexico, $9000, 52, 51, 3.5, 0.034, 0.06, 88, 78, 200
Russia, $8800, 40, 35, 18, 0.124, 0.043, 71, 94, 541
Brazil, $7400, 59, 500, 13.98, 0.079, 0.048, 71, 77, 551
Turkey, $7000, 42, 50, 2.5, 0.037, 0.037, na, 97, 159
Thailand, $6600, 41, 15, 1.2, 0.019, 0.024, na, 98, 174
China, $4600, 40, 3, 45.8, 0.036, 0.000, 52.5, 98, 527
Philippines, $4000, 46, 33, 4.5, 0.053, 0.017, na, 97, 44
Egypt, $3700, 29, 50, .6, 0.008, 0.11, 0.011, na, 85, 39
Indonesia, $3000, 32, 24, 4.4, 0.019, 0.010, 36, 99, 118
India, $2540, 38, 43, 7, 0.007, .004, 63, 82, 128
Pakistan, $2100, 31, 30, 1.2, 0.008, .004, na, 96, 8.5
Vietnam, $2100, 36, 5, .4, 0.005, .007, na, na
Bangladesh, $1750, 34, 10, .15, 0.001, .002, na, na
Nigeria, $840, 51, 11, .1, 0.001, .006, na, 85, 9

[ See: Steven Chew Jnr, Copycat: The Effects of Software Piracy on the Global Economy, Stanford University, 2004 http://www.stanford.edu/class/e297c/new/trade_environment/growing_pains/schew.htm ]

From the data provided above there is a strong negative correlation between GDP per capita and the incidence of software piracy (-0.90679), a moderate positive one with the Gini coefficient (0.217745), a negative one with the number of Internet Users per capita (-0.63769), strongly negative with Internet Users per capita (-0.90724) and computers per capita (-0.91766). In reference to the influence of Confucian and/or Communist ideals, a subjective assignment ranging from 1 to 5 according to recent historical influence was placed on the nations noted according to relative intensity; the correlation was only moderately positive (0.272554). However, these correlation coefficients also have to take into account trends and institutional behaviour. Evidence is presented by Chew (and the BSA) that not only is piracy expected in those nations where the incidence is high, there are only marginal attempts to stop counterfeit distributions. This is not, however, just for domestic consumption, but also for those from nations where counterfeiting is strongly curtailed.

The music recording industry, allegedly long-term sufferers of personal and corporate software piracy, faced a new and unique problem with the development of the Napster program. Napster company founder, the eighteen year-old former first year university student from Northeastern University Shawn Fanning, built the Napster program and began operations in June 1999. Napster was not responsible for copying or accumulating the recordings of musical artists. Rather, it connects those with Internet access to the network of people using Napster at any moment and simply helps people find the music they seek. Napster was always careful to state that it was about "sharing" recordings from a user-sponsored "library" and was enormously popular, attracting up to 3 million site visits per week. Nonetheless, by December 1999, the Recording Industry of America sued for copyright infringement, asking for $10,000 in damages for each time a recording was copied. In July 2000, Napster announced plans to ensure the protection of copyright holders, only to have a district judge order the service to disallow the distribution of copyrighted material two days later, and then to have a circuit court determine in another two days that it may continue operations. Two months later, Napster established a partnership with the German media company, Bertelsmann, to develop a membership based system and payments to artists.

[Indeed, with a peak of 50 million users Napster has been described as "the biggest copyright infringement in recorded history" (Tanenbaum, Computer Networks, p7)]

Nonetheless, in February 2001, the United States Federal Appeals Court ruled that Napster must stop trading in copyrighted material. Napster then successfully negotiated with the Recording Industry for the payment of a monthly fee to continue the service and a file filtering system to stop users from downloading specific files as specified by record company attorneys (with the legal burden on the attorneys). However, in July 2001, a district court judge issued an order that Napster's 99% success rate in the filtering service was insufficient and the service was shut down once more. In late September 2001, the service reopened after reaching a settlement with music publishers, which included a payment of 26 million USD and a percentage of its fee for service system that began in 2002. Today Napster claims to hold the world's largest collection of digital music (500,000 tracks), charging 99c per track and $9.95 USD for an LP.

[ David Spitz, "Contested Code(s): Toward a Social History of Napster", Masters Thesis, M.I.T., 2001? See also the paper: Sandra Marcus, "Napster and Peer-to-Peer Music Exchange", University of Tennessee at Knoxville, 2001: http://web.utk.edu/~smarcus/P2P.html www.napster.com, as of January 16 2004 ]

Napster's legal weakness was that it operated on a centralized database of file titles, even if the files themselves were decentralized. Later versions of file-sharing applications, such as those associated with Gnutella (e.g., BearShare, Morpheus), FastTrack (KaZaA) etc., do not have this weakness - they are entirely peer-to-peer in both their file and listing distribution. There is no single server to shut down and no organizational entity to earmark responsibility - the system bypasses the client-server model common in most networks and establishes a servent-servent system, with each machine operating as a miniature webserver. This would seem to suggest that file-sharing cannot be prevented as long as there is an Internet. Of course, in part this was always true. Electronic mail, file transfer protocol, nntp - all these are forms of file-sharing as well. It is definitional to a communications network technology, and in this case all files and all data on all computers are theoretically accessible.

A recent legal trajectory to curtail file sharing involves the development of digital content management as a technology and digital rights management in law. On the technical level, several companies (e.g., ContentGuard, InterTrust, Relatable) have developed encryption technologies to protect content. These of course suffer the same problems as all software encryption and protection does. Other Napster-like file sharing programs are providing content owners management rights over their material, such as AppleSoup (developed by former Napster staff) and MojoNation. On the legal front, the World Intellectual Property Organization Copyright Treaty establishes a new standard by calling for the prohibition of the development of decryption technologies, which was used against the sixteen-year-old Norwegian Jon Johansen, and two members of MoRE (Masters of Reverse Engineering). Their software title, DeCSS (from the DVD standard encryption, CSS, or Content Scrambling System) decrypted files from a DVD so that one could view DVDs that a person owned on their computer. In a similar manner, in June 2001, Russian programmer Dmitry Sklyarov was arrested for violating the U.S. Digital Millennium Copyright Act after he presented a paper and published a program that could overcome the encryption program for Adobe books: Sklyarov, a Russian citizen working for a Russian software company, was not engaged in distribution of the program on U.S. soil. Even academics have been targeted, with a team of researchers at Princeton University in 2001 threatened by the Recording Industry Artists of America (RIAA) over the proposed presentation of a paper concerning the Secure Digital Media Initiative (SDMI). In April 2001, a team of researchers headed by Princeton Professor Ed Felten announced that they could defeat a DRM system developed by the Secure Digital Media Initiative (SDMI).

[ Both these cases at the time of composition were ongoing. For details of the Jon Johansen case, see the Electronic Freedom Frontier file archive: "Free Jon Johansen", 2000-2003 http://www.eff.org/IP/Video/DeCSS_prosecutions/Johansen_DeCSS_case/ For details of the Dmitry Sklyarov case see the Electronic Freedom Frontier file: Frequently Asked Questions (and Answers) About the Dmitry Sklyarov & ElcomSoft Prosecution, 2002 http://www.eff.org/IP/DMCA/US_v_Elcomsoft/us_v_sklyarov_faq.html The Making of a Policy Gadfly Seeing crucial computer-science work threatened, a Princeton professor takes on Congress By ANDREA L. FOSTER From the issue dated November 29, 2002, The Chronicle of Higher Education http://chronicle.com/free/v49/i14/14a02701.htm Volume 49, Issue 14, Page A27 ]

According to the Electronic Privacy Information Center, Digital Rights Management technologies act as a strong assertion over content use by those who hold copyright. Technologies exist that restrict the use of digital files in terms of file access (number and length of views), alteration and saving or copying. They may be managed through the operating system, the application or through device hardware. Claims have been made that DRM technology and the legislation requiring copy protection infringe privacy, fair-use and open source development. With regards to privacy, many DRM systems prevent the anonymous consumption of content, requiring identification for use. Others do not provide for alternative operating systems, even those with substantial desktop market share such as Macintosh and Linux. Applications such as InTether cause the system to reboot or even engage in self-destruction if attempts are made to manipulate packaged files. A popular music CD released by Sony Music in 2002 was designed with a copy protection so it could not be played on personal computer CD drives - a form of copy protection that was soon circumvented by the use of nothing more complex than a felt-tipped pen.

[ Digital Rights Management and Privacy, EPIC, 2003 http://www.epic.org/privacy/drm/default.html Celine Dion disc could crash European PCs Evan Hansen, CNET News.com CNet April 05, 2002, 15:20 GMT http://news.zdnet.co.uk/internet/0,39020369,2107848,00.htm CD Crack: Magic Marker Indeed Reuters 11:35 AM May. 20, 2002 PT http://www.wired.com/news/technology/0,1282,52665,00.html ]

In recent developments in Digital Rights Management, US legislators introduced a bill that would permit copyright owners or their agents to engage in computer fraud in order to interrupt file trading. This was subsequent to a bill (Systems Standards and Certification Act) that would require hardware to embed government approved copy protection systems. In March 2002, this scope was expanded to the Consumer Broadband and Digital Protection Act, which would require manufacturers to embed copy protection in all devices that can receive digital media. In other words, the U.S. legislative strategy has returned to "Clipper Chip" like proposals, whereas in the United Kingdom, law enforcement officials are now targeting individuals. Meanwhile, increasing evidence shows file trading is extremely popular, evident by the popularity of "mp3" and "warez" as Internet search words. All indications suggest a more aggressive assertion of claimed copyrights through legislation and technology, and more frequent breaches of copyright by technology and economics. The conflict, under current norms, appears irresolvable.

[ See: Latest Major Action on HR 5211: 8/20/2002 Referred to House subcommittee. Status: Referred to the Subcommittee on Courts, the Internet, and Intellectual Property http://www.newscientist.com/news/news.jsp?id=ns99993037 Britain Steps Up Piracy Campaign Reuters 10:52 AM Jan. 14, 2004 PT Story location: http://www.wired.com/news/digiwood/0,1412,61914,00.html ]

Computer Hacking

"Those things are in the hands of any angry teenager with a $300 Linux machine" Paul Vixie, Internet Software Consortium

[ 'DDoS' Attacks Still Pose Threat to Internet By David McGuire washingtonpost.com Staff Writer Tuesday, November 4, 2003; 8:49 AM http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A61714-2003Nov4&notFound=true ]

"Computer hacking" is being used here in the context of threats through the writing and propagation of viruses and worms, denial of service attacks and network intrusions that alter content, including website takeovers. There is certainly no intention to suggest that this represents the milieu or a definition of computer hacking, which has already been thoroughly discussed in the second chapter on the matter of computer culture. This particular subchapter is dedicated to the critical issues surrounding data security and is exclusive in that regard. In a definitional sense, viruses and worms are programs that replicate themselves and often (although not always) have a trigger that releases a payload or execution. A virus attaches itself to an existing program or to the operating system, whereas a worm exists as an independent entity. In comparison, a denial of service attack is any attempt to prevent legitimate users from using a service through electronic "flooding", disrupting connections and disrupting specific systems. Network intrusions are achieved through exploiting vulnerabilities in critical programs as well as more mundane acts of "social engineering".

[ The term computer virus was first defined by Fred Cohen in 1983 and viruses were classified as "research" or "wild". Virus and Worm definition from Ball State University, University Computing Service, undated http://www.bsu.edu/ucs/article/0,1370,6313-1985-3303,00.html http://www.bsu.edu/ucs/article/0,1370,6313-1985-4488,00.html Denial of Service definition from "Denial of Service Attacks", CERT Coordination Centre, Carnegie Mellon University, http://www.cert.org/tech_tips/denial_of_service.html ]

The first "wild" viruses were reported in 1981 for the Apple II (Elk Cloner) and it wasn't until 1986 that one appeared for the IBM PC (Brain). Brain was written by brothers Amjad and Basit Farooq Alvi, who operated Brain Computer Software in Lahore, Pakistan, and developed proprietary software which was being pirated. To "protect" their software, the virus was created to infect any computer using an unregistered version of the program - and required users to call Brain Computer Services for help removing the virus. By 1989 there were fewer than 70 different viruses across the major personal computer hardware platforms (IBM PC, Atari ST, Amiga, Macintosh) and it wasn't until 1991 that one appeared that was network sensitive (GPI, for Novell Networks), by which time viruses had caught the attention of the mainstream press and the computer underground, with organizations such as Verband Deutscher Virenliebhaber (Association of German Virus Lovers) producing a virus construction kit (1991), and the commercial development of anti-virus software.

[The story of the Brain virus, according to its authors is available: Brain Computer Services, About Us, 2003 http://www.brain.net.pk/aboutus.htm ]

At the same time virus technologies significantly improved with combined characteristics including polymorphism (variable decryption routine code), armouring (against virus disassembly) and multipartite abilities (capable of infecting programmes and boot sectors). Massive disruptions predicted in the mass media from the Michelangelo virus in 1992 did not eventuate, although virus protection software sales did substantially increase. In 1995 antivirus software companies expressed concerns that with the mass introduction of MS-Windows-95 their products would be irrelevant - an unfounded fear with the sudden proliferation of macro-based viruses for the MS-Office environment. Macro viruses gained particular repute with the propagation of the Melissa virus (1999) and the ILoveYou virus (2000), which distributed themselves through MS-Outlook email clients, and in October 2000 use of the QAZ virus gained internal access to Microsoft. The prevalence of viruses has led firms belonging to the one-hundred and forty member UK IT Forum to claim losses of up to 122,000 GBP in employment productivity and related costs per virus attack.

[ Adleman, L. M. An abstract theory of computer viruses. In Advances in Cryptology - CRYPTO'88 (1988) Peter Denning. Computers Under Attack: Intruders, Worms, and Viruses. ACM Press, 1990 Threat Assessment of Malicious Code and Human Threats Lawrence E. Bassham & W. Timothy Polk National Institute of Standards and Technology Computer Security Division, 1994 http://csrc.nist.gov/publications/nistir/threats/threats.html http://www.cnn.com/2000/WORLD/europe/10/27/usa.microsoft/ Hackers attack Microsoft network October 27, 2000 Web posted at: 5:06 PM EDT (2106 GMT) Businesses count cost of viruses By Madeline Bennett [08-12-2003] www.vnunet.com/News/1151371, VNU Business Publications ]

In comparison, computer worms have a longer history of legitimate use - network worms were considered a promising line of research for management tasks at the Xerox Palo Alto Research Center in 1982. As a security threat, worms first made their appearance with the Christmas Tree Executable in 1987, which brought down both the world-wide IBM network and BITNET. In the following year, November 1988, Robert Morris' Internet Worm, with two sets of binaries (one for Sun UNIX and one for DEC UNIX) and utilizing TCP/IP protocols and operating system exploits, took out an estimated 6,000 of the existing 60,000 Internet hosts. The US General Accounting Office estimated the cost of the worm due to lost computer time and disinfection was somewhere between $100,000 and $1,000,000 (which is a clear statement of the inaccuracy of such evaluations). Less than two months later the Father Christmas worm was released on the worldwide DECnet, attacking VAX/VMS systems.

Following this, it was not until 2001 that a worm gained international attention with the sudden propagation of the Code Red worm, which attacked Microsoft IIS web servers. With an additional denial-of-service directed against the US government website (www.whitehouse.gov), systems that utilized US-English Windows NT/2000 would cause websites to display the message "Welcome to http://www.worm.com! Hacked by Chinese!", affecting close to 700,000 hosts. In January, 2003 the rapid SQL Slammer worm, affecting MS-SQL Server 2000 and MS-Desktop Engine 2000, spread worldwide in roughly ten minutes, brought down 5 of the 13 DNS root servers and impacted a range of systems including ATM (banking) (e.g., 13,000 Bank of America ATMs could not be used), air traffic control systems and emergency services. The worm itself did little direct damage, relying on speed of propagation to slow network services to a crawl. The same year also witnessed the rapid spread of the SoBig worm, which infected 1/17 emails at its height.

[ Eugene Spafford. The internet worm program: An analysis. Computer Communication Review, 19(1), January 1989. Ryan Permeh, Marc Maiffret, .ida "Code Red Worm", eEye Digital Security, 2001 http://www.eeye.com/html/Research/Advisories/AL20010717.html CERT Advisory CA-2003-04 MS-SQL Server Worm, Carnegie Mellon University, 2003 http://www.cert.org/advisories/CA-2003-04.html Schmidt, Charles and Tom Darby, "The What, Why and How of the 1988 Internet Worm," revised 8/98. http://www1.minn.net/~darbyt/worm/worm.html (April 6, 1999). MS-SQL Slammer/Sapphire Traffic Analysis Robert Beverly, MIT LCS, 2003 http://momo.lcs.mit.edu/slammer/ SoBig.F breaks virus speed records, August 22, 2003 http://www.cnn.com/2003/TECH/internet/08/21/sobig.virus/ and Sobig is biggest virus of all, August 21, 2003 http://news.bbc.co.uk/1/hi/technology/3169573.stm ]

The propagation and effects of worms and some viruses blur the edges between these programs and denial of service attacks. One significant differentiation that can be made is that whilst programs operate independently, denial of service attacks usually require the active participation of an agent, such as the use of syn and ping flood attacks by a hacker originating in Romania in 1997 which took out five Internet Relay Chat servers. The ping attack rapidly evolved to a technique called 'smurfing', which relays multiple ping packets, often with multiple forged sources, and which was still effective in 2000. A variation, called 'fraggle', relies on UDP echo packets. A further variation, distributed coordinated attacks, was noted as a weakness as early as 1996 and briefly weakened the services of Yahoo, buy.com, eBay, CNN and Amazon in February 2000.

This move from IRC denial of service to website providers was considered serious enough to be subject to a U.S. Senate Committee that month. The Electronic Disturbance Theater, supporting the Zapatistas, launched an attack on the Pentagon, the Frankfurt Stock Exchange, and the web site for Mexican President Ernesto Zedillo in September 1998 using a program developed by the group called FloodNet. The Pentagon engaged in a successful counter-offensive; however, the website for the Mexican President was overwhelmed by the 18,000 protestors who participated. A Brazilian government website was shut down in March, 2000 for several hours and in August French and international "hactivists" flooded the World Bank and the International Monetary Fund but with only minimal effect. More recently, a distributed denial of service attack struck the 13 DNS root servers, knocking out all but five in what was described as the "largest and most complex DDOS attack ever against the root server system". At the time of composition, DDOS attacks are still considered a serious threat to the root server system.

[ An exhaustive study of distributed denial of service attacks can be found at: http://www.ee.princeton.edu/~rblee/DDoS%20Survey%20Paper_v7final.doc Ruby B. Lee, Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures, Princeton University, 2002 and How to 0wn the Internet in Your Spare Time, by Stuart Staniford, Vern Paxson, and Nicholas Weaver Proceedings of the 11th USENIX Security Symposium (Security '02) http://www.icir.org/vern/papers/cdc-usenix-sec02/ A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms, by Jelena Mirkovic, Janice Martin and Peter Reiher, UCLA Computer Science Department, Technical report #020018, 2002 http://lasr.cs.ucla.edu/ddos/ucla_tech_report_020018.pdf Kristi Coale, Romanian Cracker Takes Down the Undernet, Wired Magazine, Jan 14, 1997 Smurfing Cripples ISPs http://www.wired.com/news/technology/0,1282,1446,00.html James Glave, Smurfing Cripples ISPs, Wired Magazine, Jan 7, 1998 http://www.wired.com/news/technology/0,1282,9506,00.html Craig A. Huegen, The Latest in Denial of Service Attacks: "Smurfing" - Description and Information to Minimize Effects, 2000 Dan Richman, Internet attack slows Web to a crawl, SeattlePI, Jan 18, 2000 http://seattlepi.nwsource.com/local/smrf18.shtml Fred Cohen, "A Note on Distributed Coordinated Attacks," Computers and Security, vol. 15, pp. 103-121, 1996. Ann Harrison, Cyberassaults hit Buy.com, eBay, CNN and Amazon, Computerworld, February 9, 2000. 
http://www.computerworld.com/news/2000/story/0,11280,43010,00.html See for example Senator Leahy's testimony: Statement of Senator Patrick Leahy, Ranking Member, Senate Committee on the Judiciary, Joint Senate-House Hearing On "Internet Denial of Service Attacks and the Federal Response" February 29, 2000 http://leahy.senate.gov/press/200002/000229b.html DoS Attack Shuts Down Brazilian Government Site By Steve Gold, Newsbytes March 18, 2000 http://www.computeruser.com/newstoday/00/03/18/news1.html Hacktivists Chat up the World Bank 'Pecked to Death by a Duck' by Sarah Ferguson October 18 - 24, 2000 http://www.villagevoice.com/issues/0042/ferguson.php RIAA Web site disabled by attack By Declan McCullagh CNET News.com July 30, 2002, 4:20 AM PT, http://zdnet.com.com/2100-1105-947101.html Attack On Internet Called Largest Ever By David McGuire and Brian Krebs washingtonpost.com Staff Writers Tuesday, October 22, 2002; 5:40 PM http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A828-2002Oct22&notFound=true ]

Temporary acquisition of websites is a form of computer hacking preferred among "hacktivists" who wish to make a public point. The first recorded website hack was in August, 1996 of the United States Department of Justice, evidently in protest of their attempts to regulate Internet content. This was quickly followed in December by hacks on the CIA's website, the US Air Force (twice) and NASA (twice), the UK Labour Party, and the government of Sweden. The following year witnessed various Indonesian government and other webservers hacked, with a follow-up attack the following year on 45 webservers, along with high profile hacks against the New York Times by Adrian Lamo and the "Free Kevin Mitnick" demand, along with the Liberal Party of Australia early in their re-election campaign.

Not to be outdone, the East Timorese top level domain, .tp, was hacked the following year, as was eBay, with the main page altered and with access to other content allowing auction prices to be changed, and fake advertisements to be posted. Later that year the FBI was hacked along with the U.S. Senate (twice) and Network Solutions. The year 2000 heralded several high profile website hacks including RSA Security, Apache, Nike and Western Union, the latter causing the loss of security on 15,700 credit cards. The RSA Security and Nike website hacks were particularly notable, as they were not just website takeovers, but domain redirections. It is even suggested that DNS hacking is the result of United States government restrictions on strong encryption, despite the recommendation of RFC 2137 of April 1997, which recommended the use of digital signatures to ensure that only authorised persons can update a DNS record. In 2002, the Federal Aviation Authority website was defaced and unpublished information downloaded; the hackers claim that they engaged in the act to expose the poor state of cybersecurity.

[ See "2600 | Saturday August 17, 1996 DOJ Hacked" http://www.2600.com/hackedphiles/doj/ Wayne B. Drash and Jim B. Morris, September 19, 1996 www.cnn.com/TECH/9609/19/cia.hacker/ Flashback Hack Archive | Who have they hacked now? fb.provocation.net/www.flashback.se/hack/1996/12/ Phrack, Volume 8, Issue 52, January 1998 http://www.phrack.org/phrack/52/P52-19 and Aug 03, 1998 Portuguese Hackers Attack Indonesia by Joao Beltrao http://www.digito.pt/tecnologia/noticias/tec321.html Computer hacker strikes election blow, Tuesday, September 1, 1998 http://news.bbc.co.uk/1/hi/world/asia-pacific/162668.stm New York Times Internal Network Hacked, Security Focus News, Kevin Poulsen, SecurityFocus Feb 26 2002 5:15PM http://www.securityfocus.com/news/340 Virtual country 'nuked' on Net Tuesday, January 26, 1999 Published at 15:01 GMT http://news.bbc.co.uk/1/hi/sci/tech/263169.stm By Internet Correspondent Chris Nuttall Hackers deface Senate Web site again June 11, 1999 Web posted at: 7:56 p.m. EDT (2356 GMT) http://www.cnn.com/TECH/computing/9906/11/senate.hackers.02/ NSI's Web site hacked Last modified: July 2, 1999, 1:15 AM PDT By Courtney Macavinta http://news.com.com/2100-1023_3-227998.html Western Union data heist: 'Human error' By Robert Lemos ZDNet News September 10, 2000, 5:00 PM PT http://zdnet.com.com/2100-11-523769.html?legacy=zdnn Whom to Sue for Nike.com Hack? Craig Bicknell 03:00 AM Jun. 29, 2000 PT http://www.wired.com/news/politics/0,1283,37286,00.html FAA hacked by patriots By Kevin Poulsen, SecurityFocus Online Posted: 26/04/2002 at 06:54 GMT http://www.theregister.co.uk/content/55/25029.html ]

Computer hackers have tended to have successful careers if and when they have been caught. Anecdotal evidence suggests that skilled hackers are often employed as security consultants. High profile evidence does suggest this: Ian Murphy ("Captain Zap"), who breached the AT&T computer system manipulating costing clock meters in the early 1980s, now runs a security consulting firm, IAM/Secure Data. Robert Morris, author of the aforementioned Internet worm, now teaches computer science at M.I.T. Kevin Mitnick is a security consultant and author; Kevin Poulsen is an editorial director at Security Focus. Nevertheless, these financial and employment gains are made after the fact and, in Mitnick's case, after imprisonment. It also stands in contrast to the imprisonment of many recent hackers (e.g., David Smith, author of the Melissa Virus, and "Mafiaboy", the Canadian teenager who brought down Amazon and Yahoo).

[ Slot Machine Justice for Melissa Author, Mark Rasch May 13 2002 http://www.securityfocus.com/columnists/81 Thursday, 13 September, 2001, 00:19 GMT 01:19 UK 'Mafiaboy' hacker jailed http://news.bbc.co.uk/1/hi/sci/tech/1541252.stm ]

Recommendations

Developing recommendations and justifications to the concerns relating to data security, which includes encryption, anonymity and privacy, fraud, intellectual property, and computer hacking, requires both analysis on the pragmatic levels and a synthesis that balances the rational domains in a coherent manner that takes into account contingencies within each value-sphere. Analysis betrays conflicting origins and interpretations. For example, on one hand the testing of technical and administrative security systems is actually beneficial to improving such systems. On the other, breach of such systems may lead to enormous damages. Moral interpretation of unauthorised security breaches is another example. Authors on the topic of computer hackers vary from those who describe the activities as criminal vandalism to the highly principled 'hacktivists' to technological aesthetes.

[ An early and oft-referenced example of variation in the motivational and sociological structures of computer hackers is found in: Gordon Meyer and Jim Thomas, The Baudy World of the Byte Bandit: A Postmodernist Interpretation of the Computer Underground, Northern Illinois University, 1990 and Gordon Meyer, The Social Organization of the Computer Underground, Masters' Thesis, Northern Illinois University, 1989 See also: Suler, J.R. and Phillips, W. (1998). The Bad Boys of Cyberspace: Deviant Behavior in Multimedia Chat Communities. CyberPsychology and Behavior, 1, 275-294 http://www.rider.edu/~suler/psycyber/badboys.html ]

If the moral and motivational concerns seem contradictory, the technological and legal imperatives conflate the situation. It is not unreasonable to suggest that the technological and systematic imperatives are operating in contrary directions, hence leading to extremely diverse recommendations, behaviour and legal enforcement. As with all recommendations within this critical issues chapter, the motivational orientation is towards the counter-factual ideals of individual empowerment and autonomy and informed social democracy utilising transparent and amplified scientific and systematic technologies. Taken from this perspective, the question concerning data security is in many ways simplified rather than made more complex. However, before providing a summary of recommendations that match an orientation towards these counter-factual ideals, it is important to review the pragmatic circumstances of data security through the Internet and computer mediated communication in light of the thematic examples just provided.

On a technical level, the capacity of information and communication technologies to replicate data without error is well understood. Obviously, in a technical sense, enforcement of intellectual property is an additional resource that is contrary to the telic inclination of the technology itself. Furthermore, and specific to the Internet, fraudulent identity portrayal is a technically trivial task. With the standard electronic mail communications protocol, SMTP, it is relatively easy to falsify the hostname of the computer connected to the mailserver (the HELO command), and the email address of the sender (the MAIL FROM command). A further data security issue is relaying, a legacy technology where electronic mail was indirectly sent via intermediary hosts. This may have been very important in the 1980s, when communications routes were uncertain; however, now it is almost certainly used by those who wish to conceal the source of their electronic mail and wish to deflect responses to relay sites. In other words, computer mediated communications and Internet protocols seem to be orientated towards providing a more "open" means of communication.

[See Request For Comment 821 and 822, www.faqs.org. It must be added that although the Received header on SMTP does log the source host IP address, additional Received headers can also be added to confuse tracking.]
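From the receiving side, the consequence of the point above is that only the Received line written by one's own mail server can be relied upon. The following Python sketch is an added example, not part of the original study: it assumes a `from HELO (rdns [ip]) by host` layout for Received lines, and the host names, addresses and the `assess` function are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic). Assumed Received layout:
#   from <HELO name> (<reverse DNS or "unknown"> [<peer IP>]) by <receiving host> ...
SAMPLE = (
    "Return-Path: <bounce@mail.example.net>\n"
    "Received: from mail.example.net (unknown [203.0.113.45])\n"
    "\tby mx.recipient.example with SMTP id A1; Mon, 01 Jan 2001 10:00:02 +0000\n"
    "Received: from trusted.bank.example (trusted.bank.example [192.0.2.10])\n"
    "\tby mail.example.net with SMTP id Z9; Mon, 01 Jan 2001 09:59:00 +0000\n"
    "From: \"Accounts\" <accounts@bank.example>\n"
    "To: user@recipient.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_hops(msg):
    """Return Received hops, newest first, as dicts (fields None if unparsable)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groupdict())
        else:
            hops.append({"helo": None, "rdns": None, "ip": None, "by": None})
    return hops


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def assess(raw, trusted_mx):
    """Separate what our own server observed from what the sender merely claimed.

    trusted_mx is the name our own mail server writes after 'by' (an assumption
    of this example). Only the peer IP on that line was observed first-hand.
    """
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    findings = []

    boundary = next((i for i, h in enumerate(hops) if h["by"] == trusted_mx), None)
    if boundary is None:
        findings.append(("no_trusted_hop", f"no Received line written by {trusted_mx}"))
        return {"peer_ip": None, "findings": findings}

    edge = hops[boundary]
    # The HELO name is whatever the client typed; compare it with the reverse
    # DNS our server recorded for the connecting address.
    if edge["rdns"].lower() != edge["helo"].lower():
        findings.append((
            "helo_unverified",
            f"HELO '{edge['helo']}' not confirmed by rDNS '{edge['rdns']}' for {edge['ip']}",
        ))

    # Every Received line below our own was supplied by the sending side and
    # may have been added to mislead tracing.
    for hop in hops[boundary + 1:]:
        findings.append((
            "unverifiable_hop",
            f"claimed hop from '{hop['helo']}' [{hop['ip']}] by '{hop['by']}'",
        ))

    # MAIL FROM (recorded as Return-Path) and the From header are both
    # sender-chosen; a mismatch is informational, agreement proves nothing.
    env, hdr = domain_of(msg.get("Return-Path")), domain_of(msg.get("From"))
    if env and hdr and env != hdr:
        findings.append((
            "envelope_header_mismatch",
            f"MAIL FROM domain '{env}' differs from From domain '{hdr}'",
        ))

    return {"peer_ip": edge["ip"], "findings": findings}


if __name__ == "__main__":
    report = assess(SAMPLE, "mx.recipient.example")
    print("observed peer:", report["peer_ip"])
    for kind, detail in report["findings"]:
        print(f"{kind}: {detail}")
```

The only value treated as evidence is the peer address logged by the named receiving server; the HELO name, the lower Received line and both sender addresses are reported as claims.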

In the legal and commercial sense, however, the opposite is the case. With claims that "information goods - from movies and music to software code and stock quotes - have supplanted industrial goods as the key drivers of world markets", an imperative has been raised to increase the relative privatization and control of information, to convert information into a saleable commodity and, in the time-honoured commercial practise of "rent-seeking", to derive income far greater than the marginal cost benefit to production or the satisfaction of needs. Needless to say, the contemporary distribution of power in legal and commercial reasoning is strongly orientated towards providing greater security of property for the holders of concentrated capital and further opportunities to increase their income, regardless of whether such legal and commercial norms are contrary to economic laws, individually disempowering, hurtful to democratic values and limiting technological benefits.

[See Information Rules: A Strategic Guide to the Network Economy Carl Shapiro and Hal R. Varian, "One of the great things about information is that you can sell it over and over again." This is amply illustrated in the recording business. In 1984 the classical music producer Erato issued a Sibelius recording in an olive drab cover that sold around 2,000 copies. Nine years later they issued three tracks from the same disk with a colorful cover and a catchy title, which sold more than 50,000 copies. The lesson: look in your archives for hidden gems!" p28, Information Rules ]

It is not surprising, therefore, that under the conventional mindset of formal political democracy, a capitalist economic system and information technology, particular assumptions are made. The theme of fraud is widely perceived as being a "terrible thing" but with few solutions beyond conventional law enforcement offered. Encryption is invariably debated within the confines of potential criminality versus principles of privacy or civil liberties. Intellectual property debates are usually about problematic implementations of "digital rights management" and technological imperatives rather than the just basis of information as a commodity in the first instance. The debate over computer hacking varies from extreme descriptions of vandalism to aesthetic and cultural appreciation. It is the interest of this study, however, to provide recommendations that are thematically contingent and match the counter factual ideals of personal freedom and social democracy in an information technology setting. This requires stepping outside of the conventional mindset structured by existing political economy.

The recommendations offered here may be described under three broad headings: Democratic Social Information, Secure Individual Freedom of Expression and Legalisation of Non-Malicious "Hacking". In part they are founded on the systematic proposition that natural persons are deserving of greater security than legal persons, and also on the phenomenological difference between individuals and social institutions, the former deserving of freedom and the latter requiring democratic control. They are founded also on the first principles that data sent reaches the expected destination, that data received is from the indicated service and that commercial exchange is founded on principles that the a priori conditions of economic activity are satisfied and that goods or services equal the marginal cost of their production. To the extent that these recommendations contradict existing commercial arrangements, a preliminary attempt is made for their incorporation. Finally, a principle of non-contradiction is involved insofar as the recommendations here are consistent with those already offered.

The first recommendation, secure individual expression, assigns particular rights, options and access to computer technologies that are not currently offered by legislative regimes and are not in the interest of legislative regimes that seek to control their population. These rights include the right to speak anonymously and to remain anonymous unless defamation or libel is shown, to utilize encryption and communication-security technologies according to their volition, to engage in communication with other private natural persons on whatever topic they so desire, to exchange whatever data they so desire and to accumulate data through whatever tools or programs they have at their disposal. It is further suggested that these rights are not only desired ideals, but also naturally and socially rational and pragmatic.

Immediate objections raised to such a proposition are within conventional structures. For example, in the top secret communications between William S. Sessions (the director of the NSA) and George J. Tenet (special assistant to the President) on the subject of the dangers posed by encryption technologies, at no stage are matters of personal liberty or social democracy even raised; the entire frame of reference is within "law enforcement, preservation of public safety ... [and] the maintenance of national security". These are value standards which apply to repressive and authoritarian regimes, not to libertarian and democratic ones. The final paragraph is a chilling endorsement of authoritarian surveillance: "Technical solutions, such as they are, will only work if they are incorporated into all encryption products. To ensure that this occurs, legislation mandating the use of Government approved encryption products or adherence to Government encryption criteria is required."

[ William S. Sessions (Director NSA), Encryption: The Threat, Applications, and Potential Solutions, Correspondence to George J. Tenet (Special Assistant to the President), February 19, 1993 Available at: http://www.epic.org/crypto/clipper/foia/crypto_threat_2_19_93.html ]

In a social theory sense, it is difficult to justify such claims even on the basis of systems functional sociology. What is proposed is not even a self-referential truth which truncates culturally derived moral values and principles (such as democracy and freedom) in favour of the existing legal framework interpreted with a value-free affirmation. Rather, the proposal was to extend the existing legal framework to include new means of restricting freedom, new means of state surveillance, new powers for the state-security apparatus. From the point of view of the security apparatus these new powers are only a logical extension of their subsystem interests - like all other non-democratic institutional bodies they are orientated first and foremost towards power and increasing power. If the Internet provides new opportunities for individual rights, it also provides new opportunities for surveillance. One could even suggest that the Clipper Chip was merely an ambit claim by such organizations, whose representatives were well aware that it was unacceptable to the public but were prepared to offer concessional legislation instead.

Arguments in favour of state-sanctioned key escrow systems often start with assumptions of the need for commercial confidentiality, with citizenship security coming a distant second. Stronger arguments in favour of domestic law enforcement and intelligence gathering suggest comparison to the principles already enunciated; as the NSA memorandum suggested: "These same advances threaten the capabilities of law enforcement and national security operations that intercept the communications of narcotraffickers, organized criminals, terrorists, espionage agents of foreign powers and SIGINT targets". Louis Freeh, director of the F.B.I., suggested that private encryption systems may eventually become illegal because strong encryption in the hands of private citizens may be used by drug traffickers, child pornographers and terrorists. What is weak in these arguments is that there is no differentiation between private citizens acting as natural persons and social organizations, nor of the distinct difference between the private distribution of information and the production of said information or its public distribution. To the extent necessary, the matters concerning the free exchange of information have already been discussed in the previous subchapter. Put simply, private individuals have the natural right to engage in information exchange regardless of the content.

[ The Case for Clipper (Clipper Chip offers escrowed encryption) by Dorothy E. Denning, MIT's Technology Review (07/1995) A. Michael Froomkin The Metaphor is the Key: Cryptography, The Clipper Chip and the Constitution http://www.law.miami.edu/~froomkin/articles/clipper1.htm and It Came From Planet Clipper: The Battle Over Cryptographic Key "Escrow" http://www.law.miami.edu/~froomkin/articles/planet_clipper.htm MEMORANDUM FOR MS. JOANN H. GRUBE, NSA REPRESENTATIVE/NSC PRD-27 EXPORT CONTROL WORKING GROUP SUBJECT: Comments on PRD-27/NSA Draft (U) http://www.totse.com/en/privacy/encryption/clipfoia.html Tim O'Connor, Privacy and Freedom Online (PGP, Politics and You) http://www.nyu.edu/its/security/privacy.html New York University, 1997 ]

Even if, however, existing powers accept the rationality of the argument that expressions are not acts and that the transaction of information between private individuals is not the same as public and social transactions, a case can still be made for the need for preventative surveillance. Given that predictive and preventative surveillance is the contemporary strategy of risk-based analysis for social control, despite the conflicts this has with principles of formal law, placing strong encryption in the hands of citizens which cannot be breached by law enforcement agents suggests both serious risk and the prospect of dramatic increases in criminal activity. Problems with this sort of reasoning have been examined in detail in Michel Foucault's studies, which note the elevation of criminology from social statistics (Adolphe Quetelet) to a natural science with the biological reification of "homo criminalis", a threat to the species more than just a breaker of laws.

[ Deflem, Mathieu. 1997. "Surveillance and Criminal Statistics: Historical Foundations of Governmentality." pp. 149-184 in Studies in Law, Politics and Society, Volume 17, edited by Austin Sarat and Susan Silbey. Greenwich, CT: JAI Press. http://www.cla.sc.edu/socy/faculty/deflem/ZCRIST.htm Cohen, Stanley (1985) Visions of Social Control. Cambridge: Polity Press. Michel Foucault ([1975a] 1977) Discipline and Punish: The Birth of the Prison, translated by A. Sheridan. New York: Pantheon. ]

Whilst few today would advocate a biological imperative to crime in the far reaching manner suggested by pre-Second World War statisticians, criminology remains a social statistical technology which inevitably presumes guilt before innocence on the basis of individuals being correlated to particular social categories. Such behaviour is by no means paranoid - governmental behaviour of the last century is certainly proof that widespread surveillance occurs far in excess of antisocial activity with discriminatory biases, and it seems inevitable that any institution that is provided the authority to engage in such surveillance will do so in a manner that is both disproportionate and discriminatory. Certainly the onus lies on such bodies to show that the loss of surveillance ability due to the widespread availability of strong encryption techniques, anonymous posting and so forth can be correlated with a disproportional increase in real crimes which could be prevented by government-sponsored encryption. Further, on a related point, it is also in the international interest of civic rights (not to mention that of U.S. software companies) that the current export restrictions on strong encryption be overturned; it belittles common sense to describe mathematical code as "munitions".

[ "Between 1953 and 1973, the CIA opened and photographed almost 250,000 first class letters within the U.S. from which it compiled a database of almost 1.5 million names." S. Rep. No. 755, 94th Cong., 2d Sess., pt. 2, at 4 (1976) [hereinafter Church Committee Report]. Church Committee Report, supra note 81, at 6 (noting that the FBI had 500,000 domestic intelligence files, many with more than one name included). quoted in A. Michael Froomkin op cit. ]

Whilst freedom and security of expression is recommended for private individuals, a thoroughly different application is recommended for social organizations, that is, democracy and disclosure. This difference is initially proposed on phenomenological grounds - an organization is not a natural person, it is a legal construct formed by an association of natural persons operating in the public sphere and with public resources. The debate on whether or not such organizations are financed by state, corporate or individual capital is largely irrelevant in this matter, as is whether their management structure is public ownership, private ownership or many of the variations within and between those broad categories. To provide social organizations the sort of anonymity and civil rights that is afforded to natural citizens is to reify the organization to a suprahuman level, beyond human agency. This is of course not true, as a group of individuals will always be in control of such bodies, forming a class with amplified rights in comparison to the natural person. The Russian revolutionary, Leon Trotsky, presents this scathing assessment of "business secrets" within democratic societies:

"The actual relationship existing between the exploiters and the democratic "controllers" is best characterized by the fact that the gentlemen "reformers" stop short in pious trepidation before the threshold of the trusts and their business "secrets." Here the principle of "non-interference" with business dominates. The accounts kept between the individual capitalist and society remain the secret of the capitalist: they are not the concern of society. The motivation offered for the principle of business "secrets" is ostensibly, as in the epoch of liberal capitalism, that of free "competition." In reality, the trusts keep no secrets from one another. The business secrets of the present epoch are part of a persistent plot of monopoly capitalism against the interests of society."

[Leon Trotsky, The Transitional Programme: The Death Agony of Capitalism and the Tasks of the Fourth International, Labor Publications, 1981 (FP: 1938) http://www.marxist.net/trotsky/programme/]

Like many Marxists, Trotsky was far more competent at deconstructing capitalism than reconstructing society in accordance with the vague models of socialism. In this particular quotation Trotsky draws attention not only to the prospects of corrupt business practises, but to the disconcerting issue that normal commercial practise may actually be contrary to economic principles. It is well established within economics as a science that all markets, from perfect competition to pure monopoly, require perfect information for maximum efficiency of resource allocation, that is, free, complete, instant, and universal information. Whilst computer mediated communication makes such "perfect information" more of a potential reality than in any other period in human history, commercial practises increasingly conflict with this economic science through the increased privatization of information, increased commodification of information and increased moves towards business secrecy. The confusion affects the practise of economists as well, who tend to fluctuate widely between analysis which assumes that the commodification and restriction of information is inefficient and, on the other hand, a view of research and development as incentives for future production, necessitating a degree of secrecy.

[ James Boyle, Shamans, Software, and Spleens: Law and the Construction of the Information Society, Harvard University Press, 1997. See also T. Buck, Comparative Industrial States, Macmillan, 1982, pp1-18 (Chapter 1: The Theoretical Yardsticks). Strategies and tactics to uncover business secrets have become a commodity in their own right. See for example: John Nolan, Confidential: uncover your competitors' top business secrets legally and quickly -- and protect your own. New York: HarperBusiness, c1999. ]

The privatization of information has been well documented, certainly more than what has been presented in this subchapter. There can be little doubt that the autonomous organizations within the international economic system are increasingly engaging in concentration and accumulation of "information capital", complemented by using their political and economic leverage over legislators to increasingly alter copyright and intellectual property law in their favour. A dramatic example is the 1995 U.S. government white paper on intellectual property rights, which advocated legislative change to extend copyright violation to include reading a document on a web browser even without saving the document to disk. Clearly, the introduction of the Internet as a communications technology has correlated with an intellectual property equivalent of the land-grabs of nineteenth century colonialism. Through the concept of private production and private ownership of information, the international economy has become biased in favour of those nation-states that have strongly developed intellectual property rights and against those that have weak intellectual property rights, with software piracy in its myriad forms representing attempts by developing nations to redress the imbalance and often reclaim their cultural or natural heritage that has been appropriated. Everywhere, from biotechnology to music to publishing, the tendency has been to strengthen privatized intellectual property rights and to diminish fair use and the public domain.

[ See for example, Lawrence Lessig, "The Future of Ideas: The Fate of the Commons in a Connected World", Vintage, 2002; Intellectual Property and the National Information Infrastructure: The Report of the Working Group on Intellectual Property Rights, 1995 http://www.uspto.gov/web/offices/com/doc/ipnii/ ]

Evidently, the proposed democratization and disclosure of information from social organizations is not just raised because democratization and disclosure are moral standards in their own right (which they are), but also with the real concern that economic efficiency and effectiveness is under dire threat from the relentless expansion of commercial institutional power. To date, proposals which satisfy both economic definitions of information (a free public good for the capacity to make efficient decisions and a private commodity to encourage research and development) and which match contemporary developments in technology are not strongly forthcoming. The problem may be succinctly described as follows: Information has economic value both in enhancing productivity and, in the reflexive form, enhancing efficiency. In the generation of information, costs are involved in gathering, processing, replicating, archiving and using information, even if current information technology has rapidly decreased some of those costs. With contemporary information technology, however, because the costs associated with initial production are vastly disproportionate to the costs associated with replication, the institutional imperative to secrecy and control is strengthened. This creates an unnecessary gap between real and potential information wealth which acts contrary to the technological capacity. Thus actual individual institutional wealth is increased and concentrated at the expense of potential general wealth.

[ The Changing R&D Information Economy in the Digital Age Report Prepared by Robert Ubell, Cendi, 1997 http://www.dtic.mil/cendi/publications/ubell-97-3.html ]

One serious attempt to bridge this problem has been offered by the Free Software Foundation and in particular by the famous UNIX programmer Richard Stallman. In recognizing the abuses and inefficiencies that arise from existing copyright law and patents, the Foundation advocates the alternative (an aesthetically unpleasing name) "copyleft" or the GNU Public License, the basic philosophy of which is "free as in freedom" - one can charge for information, or give it away; one can attach other goods or services with such a transaction, or not. But no individual under the general public license can prevent the recipient of information from reproducing the information or altering the information as they see fit, as long as the original author is appropriately referenced. The author asserts their moral rights against plagiarism, but makes no claim of economic ownership. This should not be seen as a reversal of Fichte's distinction between the physical object and ideas of a product and the "form" expressed by the author (which remains their exclusive property), but rather an evolution which further distinguishes between moral rights and systematic efficiency and the pragmatic social origin of all information. Put simply, copyright was an effective and appropriate means of systematic enforcement of authors' rights in the time of the nascent industrial age, the printing press and the philosophy of consciousness. Today, in the nascent information age, with computer mediated communication and linguistic philosophy, it is a hindrance, not a benefit. It must be replaced, in totality, by varying forms of public license based on the use of information rather than the sale of information.

[ Free Software, Free Society: Selected Essays of Richard M. Stallman by Richard M. Stallman, Lawrence Lessig (Introduction), Joshua Gay Free Software Foundation; (October 1, 2002) Free as in Freedom: Richard Stallman's Crusade for Free Software by Sam Williams O'Reilly & Associates; (March 2002) ]

The implied complement to the abolition of copyright and its replacement with a public license regime is public disclosure by public organizations. Obviously in some cases corporate encryption is justified - such as that used by the banking industry - but ultimately their key escrow must be held in the hands of public officials for public disclosure reasons. Another exception can include or professionals and their natural person clients. However, the hundreds of billions of dollars of nongovernmental research and development, including market research, conducted worldwide should be available to public scrutiny and use; it undoubtedly consists of substantial replication of the same research, a most inefficient manner of allocating resources. Keeping such knowledge in the hands of private organizations is a form of "rent-seeking" that is contrary to economic science, even if it is in individual commercial institutional interests. Finally, public disclosure would significantly weaken (real and imagined) connections between the corporate sector and "white collar" fraud and organized crime - this of course is reason enough for a number of organizations to oppose and fear public disclosure.

[ The United States alone conducts $130 billion USD in such research. Quoted in A. Michael Froomkin op cit. See Economics and Statistics Admin. & Bureau of the Census, U.S. Dep't of Commerce, Statistical Abstract of the United States 1993, at 596 [hereinafter 1993 U.S. Statistical Abstract]. This sum includes all research and development conducted outside the government, regardless of whether funded by industry or government. For evaluations of the problem see: Kip Schlegel, White-Collar Crime Reconsidered (Northeastern University Press, 1992) and Transnational Organized Crime: Summary of a Workshop (1999), National Academies Press, Peter Reuter and Carol Petrie, Editors; Committee on Law and Justice, National Research Council, 1999. Adamoli, Sabrina, et al. Organised Crime around the World. 1998. Bassiouni, M. Cherif, and Eduardo Vetere, eds. Organized Crime: A Compilation of U.N. Documents, 1975-1998. 1998. Richards, James R. Transnational Criminal Organizations, Cybercrime, and Money Laundering: A Handbook for Law Enforcement Officers, Auditors, and Financial Investigators. 1999 ]

Of course, if personal security and social democracy in the information economy are to become a reality then there must be some means of assurance of these features. Whilst legal mechanisms do have some validity and effectiveness, technical decentralization is a far more efficient means in a society permeated by computer mediated communication. This brings the subchapter to the third headline recommendation, the legalisation of some forms of computer hacking. It must be stated from the outset that this recommendation does not come from an aesthetic justification of the hacker subculture and the technological aesthetics, although these are a rich, dynamic and perceptive genre in their own right. Rather, the interest here is the moral principles and situational ethics as they apply to computer hacking and the legal regime that regulates them in light of the preceding discussion, which legitimates individual security, the end of copyright and public disclosure by social organizations. Steven Mizrach, for example, has already noted that among contemporary hackers such an ethic exists:

Among new hackers, a slightly different version of Levy's Ethic has crystallized. It's OK to copy commercial software - if you distribute it freely to people. Reselling it is wrong. It's OK to hack your way onto systems containing public information (and from the hacker's point of view, such things as "corporate secrets" are public, not private, property) but wrong to read people's private mail. It's OK to read data that one is not "authorized" to - but wrong to alter or destroy that data. It's OK to propagate nondestructive viruses as a prank, but wrong to unleash destructive ones. It's OK to "rip off" corporate voice mail systems and other services, but wrong to steal the credit card numbers and telephone codes of hapless individuals. Hackers that engage in such "dark side" activities are generally identified as "Dark side hackers," and they are often shunned by the rest of the community for giving them a bad name. Unfortunately, it is these "dark side" activities that often result in the passage of computer crime statutes, and thus the persecution of the good with the bad.

[THE ELECTRONIC DISCOURSE OF THE COMPUTER UNDERGROUND by Steve Mizrach, A Note in Methodology: Doing Ethnographies in Cyberspace http://www.fiu.edu/~mizrachs/cudisc.html]

It is self-evident, for example, from the preceding discussion that this study has come to the conclusion that breach of existing copyright laws, most software "piracy" and electronic intrusion of social institutions should not be subject to punitive legal action and, by the same token, acts that protect the individual, such as the use of strong encryption, are also legitimate. The general moral principle is "cause no harm"; the situational ethic includes the right to test security systems, including port scanning and other acts (even deceptive, social engineering in an institutional context) that allow unauthorized access that does not cause intentional or careless damage. A further elaboration of the ethic is that the hacker should report the security breach to the appropriate institutional personnel. The major advantages of incorporating such an ethical orientation within a legal system include improved security systems, the reintegration of the hacker community within the social system, and the democratisation of security systems. By the same token, those actions which damage computer resources and files or breach personal privacy are pathological, particularly in the context of enhanced democratic and access rights, and should remain subject to rehabilitative action.

[A United States District Court in Georgia has ruled that port scanning is legal, because it causes no damage to the target computers (http://pub.bna.com/eclr/00434.htm). Hacking 'legal' in Argentina, Tuesday, 16 April, 2002, 06:48 GMT 07:48 UK http://news.bbc.co.uk/1/hi/world/americas/1932191.stm; http://www.law.berkeley.edu/journals/btlj/articles/vol14/Lee/html/text.html ]

It is in the interest of systematic and institutional efficiency, of personal freedom and security, of a democratic and open society, that the propositions concerning data security have been made. Care has been taken to ensure that they do not contradict prior recommendations concerning universal access and freedom of expression. Once again, however, attention is drawn to the enormous distance between the counter-factual ideals of natural persons being able to communicate securely with one another and the access of information from social organizations, and the contemporary reality that is dominated by disparities resulting from the systematic influences of wealth and power. The trajectory of these influences should be easy enough to discern - less public scrutiny, further concentration of information capital, less development of knowledge for the public good, increased fraud and connections between social organizations and organized crime, marginal profits far exceeding marginal costs, institutional intrusion and surveillance of individual lives, economic colonialism and increasingly malicious computer viruses and worms. It is from these two options that the questions arising from an analysis of data security on the Internet lead to a consideration of integrating the Internet into society as a whole.

