http://writ.news.findlaw.com/ramasastry/20060724.html By ANITA RAMASASTRY July 24, 2006 In Dundee, Scotland, Abertay University recently made headlines with the announcement that it is offering a degree in computer hacking! For some, this is like teaching a class in safecracking or burglary. But others strenuously disagree. The degree program is meant to teach "ethical" hacking - to educate white-hat hackers. Indeed, its promotional literature states "it takes a thief to catch a thief." Put another way, in order to know how to combat the enemy, you need to know how the enemy operates. No wonder, then, that consulting firms and companies train their own computer professionals about hacking. The degree program nevertheless poses a significant risk: What if a black-hat hacker pretends to be a white-hat hacker, and signs up? The University has promised to work with the U.K. government to screen potential students to keep out black-hat hackers. But such screening will surely be imperfect. And some students may become black-hat hackers only after graduation. Still others may be tempted to commit some unauthorized or harmful hacking just for the fun of it. In this column, I will consider the legal status - and advisability - if such a program were to be created in the United States. Along the way, I'll consider the similar - and provocative - question of the liability of those who may write about or teach terrorist tactics. The First Amendment Protects Even Speech About How to Commit Crimes In the U.S., such a course would be First Amendment-protected. But there would be limits to such protection. And such limits, in era of the "war on terror," are likely to be aggressively enforced. As the U.S. government becomes increasingly concerned, for example, about people using the Internet to incite terrorism, there has been increased scrutiny of who might be liable for assisting others to commit terrorist acts. The First Amendment, for instance, does not prevent prosecution for aiding and abetting someone else's criminal acts. So suppose a professor knew a student was a black-hat hacker, and did not bar him or her from the class; conceivably, the professor could be prosecuted for aiding and abetting. But knowledge of a specific project for which the black-hat envisioned using the class information would probably be required. And at an extreme, if a hacking program could be shown to be a veritable school for crime, it might be shut down completely. The Paladin Case Illustrates the Limits of First Amendment Protection for Crime Manuals One key precedent that has caused publishers and journalists to worry is Rice v. Paladin. Paladin Press's first book was 150 Questions for a Guerrilla, by General Alberto Bayo, which discussed tactics of guerrilla warfare. Its current offerings include Advanced Lock Picking Secrets, How to Get in Anywhere Anytime and Drug Smuggling: The Forbidden Book. But its website does include a disclaimer: "WARNING: Paladin does not intend for any of the information contained in its books or videos to be used for illegal purposes." In 1983, Paladin published the title Hit Man: A Technical Manual for Independent Contractors, written under the pseudonym Rex Feral. It turned out that the book was indeed used as a manual - for three appalling murders. In 1992, Lawrence Horn plotted to murder his wife and son, an eight-year-old quadriplegic, in order to gain sole possession of a $2 million medical malpractice settlement for the boy's injuries. Horn retained the services of felon James Perry, who purchased a mail-order copy of Hit Man from Paladin Press. Reportedly, Perry read Hit Man closely and followed much of its advice, including specific tips on how to avoid being caught. The book contains advice, for example, about driving a rental car with a stolen out-of-state license plate tag, and killing without leaving blood on a hit man's own clothing. With the aid of the manual, Perry strangled Horn's son, and shot Horn's wife and the son's nurse. But he did not succeed in avoiding detection: Both Perry and Horn were subsequently convicted of these crimes. The three murder victims' relatives also filed a wrongful death action against Paladin Press. They contended that the publisher "aided and abetted Perry in the commission of his murders through its publication of Hit Man's killing instructions." Technically, there is typically no "aiding and abetting" liability in a civil case. But the complaint arguably stated a valid claim in tort law, by alleging a causal relationship between the publisher and the murders. And although a federal district court dismissed the case on First Amendment grounds, the U.S. Court of Appeals for the Fourth Circuit reinstated it. Part of the reason the case was allowed to go forward was a surprising stipulation (that is, a legally-binding written admission) by Paladin: It admitted that with the book, it had "intended to attract and assist criminals and would-be criminals who desire information and instructions on how to commit crimes,"; had "intended and had knowledge" that Hit Man actually "would be used, upon receipt, by criminals and would-be criminals to plan and execute the crime of murder for hire"; and had even assisted Perry in the perpetration of the very murders at issue. In 1999 - the same year the book was cited as having a role in a similar crime, committed by Robert Vaughn Jones -- Paladin Press's insurance company settled the case, rather than allowing it to go to trial. Paladin paid the plaintiffs several million dollars, agreed to destroy remaining copies of the book in its possession, and surrendered any rights it had to publish the book. Intent or Knowledge is a Key Factor In Third-Party Responsibility for Crimes and Torts Liability - or conviction - in such cases typically requires intent or knowledge of the ensuing criminal actions. Indeed, it would arguably offend the First Amendment if speakers or publishers could unwittingly cause crimes for which they then could be held responsible. In the civil context, in the Paladin case, the publishing company made crucial admissions, including that it intended the book to be read by criminals - rather than, say, everyday readers fantasizing about or curious about, a life of crime. Federal criminal law creates a general "aiding and abetting" offense for those who "provide knowing aid to persons committing federal crimes, with the intent to facilitate the crime." Importantly, the aider and abettor's state of mind must be "knowing" and "intent[ional]"; recklessness alone is not enough. The question is exactly when the First Amendment does, and does not, prohibit prosecution under the statute. In the U.S. v. Barnett case, the U.S. Court of Appeals for the Ninth Circuit concluded that a man selling mail-order instructions for making the drug PCP could be prosecuted if his printing of instructions was part of encouraging and counseling others in the commission of a crime. Somewhat similarly, "aiding and abetting" convictions have been upheld - despite strenuous First Amendment objections -- when defendants taught illegal techniques on avoiding tax liability to discrete groups of persons or audiences. In the tax-avoidance cases, the fact that the audience was composed of specific, known individuals was key. It remains unclear if an "aiding and abetting" offense ever can rest solely on the basis of general publication of instructions on how to commit a crime, or on sale to the public of a product that some purchaser is likely to use for unlawful ends. Special Rules for Terrorism: Broader "Aiding and Abetting" Liability Interestingly, the federal laws against aiding and abetting terrorism are a little broader - and, to my knowledge, have not been subject to First Amendment challenge. For example, under federal law, it is a crime to provide "material support or resources" to another person, "knowing or intending that they are to be used in preparation for, or in carrying out," various federal offenses relating to terrorism, or in preparation for, or in carrying out, the concealment from the commission of any such violation. The statute defines the term "material support or resources" to include, among other things, "training, expert advice or assistance. . ." It is also a crime for a person to provide "material support or resources" to a "known foreign terrorist organization". Such expert advice or training likely would not be covered by the First Amendment because, like the tax-avoidance courses noted above, it would be directed at a particular audience, with the speaker knowing the purpose to which it would be put, or knowing that the group receiving the assistance was a designated terrorist organization. A more difficult case would be, for instance, the general publication of the Al Qaeda Manual. This law - Section 323 of the Anti-Terrorism and Effective Death Penalty Act, which preceded 9/11 -- is broader in scope than the general aiding and abetting statute in two major ways: First, it applies even if the underlying offense is never committed. Second, its state of mind requirement is broader: The person providing the support or resources need not have the specific intent to facilitate the underlying offense, but only the knowledge that the resources provided "are to be used" to prepare for or commit a specified offense. Our Hypothetical Degree Program In Hacking: Why It Would Be Legal Putting the possibility of terrorism-related hacking aside, however, our hypothetical American degree program in hacking would generally be on strong First Amendment ground - unless unusual scenarios arose. Because white-hat hacking does exist, the program would generally be safer than "how to" crime-manual publishers like Paladin Press. Hacking isn't inherently a bad thing: For instance, the FBI could hack into a terrorist's web site to ferret out criminal plans. Still, instructors at such a program should tread carefully. Specific knowledge of a particular future instance of black-hat hacking - as well, surely, as the intent to aid it -- could lead to civil or even criminal liability. So students' suspicious questions ought not to be answered lightly, without some insight into why the student might be asking them. And from a policy - not just a legal - standpoint, such a program ought to periodically evaluate whether its influence on the world is good or bad: If, for instance, Scotland's Abertay University ends up with graduates on hacking's "Most Wanted" list, it may want to shut down whether or not Scottish law compels it to. -=- Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns. Copyright © 1994-2006 FindLaw _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jul 24 2006 - 23:31:29 PDT