[ISN] Is it Legal to Teach a Course on Computer Hacking?

From: InfoSec News (alerts@private)
Date: Mon Jul 24 2006 - 23:13:33 PDT


http://writ.news.findlaw.com/ramasastry/20060724.html

By ANITA RAMASASTRY 
July 24, 2006

In Dundee, Scotland, Abertay University recently made headlines with
the announcement that it is offering a degree in computer hacking! For
some, this is like teaching a class in safecracking or burglary. But
others strenuously disagree.

The degree program is meant to teach "ethical" hacking - to educate
white-hat hackers. Indeed, its promotional literature states "it takes
a thief to catch a thief." Put another way, in order to know how to
combat the enemy, you need to know how the enemy operates. No wonder,
then, that consulting firms and companies train their own computer
professionals about hacking.
 
The degree program nevertheless poses a significant risk: What if a
black-hat hacker pretends to be a white-hat hacker, and signs up? The
University has promised to work with the U.K. government to screen
potential students to keep out black-hat hackers. But such screening
will surely be imperfect. And some students may become black-hat
hackers only after graduation. Still others may be tempted to commit
some unauthorized or harmful hacking just for the fun of it.

In this column, I will consider the legal status - and advisability -
if such a program were to be created in the United States. Along the
way, I'll consider the similar - and provocative - question of the
liability of those who may write about or teach terrorist tactics.


The First Amendment Protects Even Speech About How to Commit Crimes

In the U.S., such a course would be First Amendment-protected. But
there would be limits to such protection. And such limits, in era of
the "war on terror," are likely to be aggressively enforced. As the
U.S. government becomes increasingly concerned, for example, about
people using the Internet to incite terrorism, there has been
increased scrutiny of who might be liable for assisting others to
commit terrorist acts.

The First Amendment, for instance, does not prevent prosecution for
aiding and abetting someone else's criminal acts. So suppose a
professor knew a student was a black-hat hacker, and did not bar him
or her from the class; conceivably, the professor could be prosecuted
for aiding and abetting. But knowledge of a specific project for which
the black-hat envisioned using the class information would probably be
required. And at an extreme, if a hacking program could be shown to be
a veritable school for crime, it might be shut down completely.


The Paladin Case Illustrates the Limits of First Amendment Protection
for Crime Manuals

One key precedent that has caused publishers and journalists to worry
is Rice v. Paladin. Paladin Press's first book was 150 Questions for a
Guerrilla, by General Alberto Bayo, which discussed tactics of
guerrilla warfare. Its current offerings include Advanced Lock Picking
Secrets, How to Get in Anywhere Anytime and Drug Smuggling: The
Forbidden Book. But its website does include a disclaimer: "WARNING:  
Paladin does not intend for any of the information contained in its
books or videos to be used for illegal purposes."

In 1983, Paladin published the title Hit Man: A Technical Manual for
Independent Contractors, written under the pseudonym Rex Feral. It
turned out that the book was indeed used as a manual - for three
appalling murders.

In 1992, Lawrence Horn plotted to murder his wife and son, an
eight-year-old quadriplegic, in order to gain sole possession of a $2
million medical malpractice settlement for the boy's injuries. Horn
retained the services of felon James Perry, who purchased a mail-order
copy of Hit Man from Paladin Press.

Reportedly, Perry read Hit Man closely and followed much of its
advice, including specific tips on how to avoid being caught. The book
contains advice, for example, about driving a rental car with a stolen
out-of-state license plate tag, and killing without leaving blood on a
hit man's own clothing. With the aid of the manual, Perry strangled
Horn's son, and shot Horn's wife and the son's nurse. But he did not
succeed in avoiding detection: Both Perry and Horn were subsequently
convicted of these crimes.

The three murder victims' relatives also filed a wrongful death action
against Paladin Press. They contended that the publisher "aided and
abetted Perry in the commission of his murders through its publication
of Hit Man's killing instructions." Technically, there is typically no
"aiding and abetting" liability in a civil case. But the complaint
arguably stated a valid claim in tort law, by alleging a causal
relationship between the publisher and the murders. And although a
federal district court dismissed the case on First Amendment grounds,
the U.S. Court of Appeals for the Fourth Circuit reinstated it.

Part of the reason the case was allowed to go forward was a surprising
stipulation (that is, a legally-binding written admission) by Paladin:  
It admitted that with the book, it had "intended to attract and assist
criminals and would-be criminals who desire information and
instructions on how to commit crimes,"; had "intended and had
knowledge" that Hit Man actually "would be used, upon receipt, by
criminals and would-be criminals to plan and execute the crime of
murder for hire"; and had even assisted Perry in the perpetration of
the very murders at issue.

In 1999 - the same year the book was cited as having a role in a
similar crime, committed by Robert Vaughn Jones -- Paladin Press's
insurance company settled the case, rather than allowing it to go to
trial. Paladin paid the plaintiffs several million dollars, agreed to
destroy remaining copies of the book in its possession, and
surrendered any rights it had to publish the book.


Intent or Knowledge is a Key Factor In Third-Party Responsibility for
Crimes and Torts

Liability - or conviction - in such cases typically requires intent or
knowledge of the ensuing criminal actions. Indeed, it would arguably
offend the First Amendment if speakers or publishers could unwittingly
cause crimes for which they then could be held responsible.

In the civil context, in the Paladin case, the publishing company made
crucial admissions, including that it intended the book to be read by
criminals - rather than, say, everyday readers fantasizing about or
curious about, a life of crime.

Federal criminal law creates a general "aiding and abetting" offense
for those who "provide knowing aid to persons committing federal
crimes, with the intent to facilitate the crime." Importantly, the
aider and abettor's state of mind must be "knowing" and
"intent[ional]"; recklessness alone is not enough. The question is
exactly when the First Amendment does, and does not, prohibit
prosecution under the statute.

In the U.S. v. Barnett case, the U.S. Court of Appeals for the Ninth
Circuit concluded that a man selling mail-order instructions for
making the drug PCP could be prosecuted if his printing of
instructions was part of encouraging and counseling others in the
commission of a crime.

Somewhat similarly, "aiding and abetting" convictions have been upheld
- despite strenuous First Amendment objections -- when defendants
taught illegal techniques on avoiding tax liability to discrete groups
of persons or audiences.

In the tax-avoidance cases, the fact that the audience was composed of
specific, known individuals was key. It remains unclear if an "aiding
and abetting" offense ever can rest solely on the basis of general
publication of instructions on how to commit a crime, or on sale to
the public of a product that some purchaser is likely to use for
unlawful ends.


Special Rules for Terrorism: Broader "Aiding and Abetting" Liability

Interestingly, the federal laws against aiding and abetting terrorism
are a little broader - and, to my knowledge, have not been subject to
First Amendment challenge.

For example, under federal law, it is a crime to provide "material
support or resources" to another person, "knowing or intending that
they are to be used in preparation for, or in carrying out," various
federal offenses relating to terrorism, or in preparation for, or in
carrying out, the concealment from the commission of any such
violation. The statute defines the term "material support or
resources" to include, among other things, "training, expert advice or
assistance. . ." It is also a crime for a person to provide "material
support or resources" to a "known foreign terrorist organization".

Such expert advice or training likely would not be covered by the
First Amendment because, like the tax-avoidance courses noted above,
it would be directed at a particular audience, with the speaker
knowing the purpose to which it would be put, or knowing that the
group receiving the assistance was a designated terrorist
organization. A more difficult case would be, for instance, the
general publication of the Al Qaeda Manual.

This law - Section 323 of the Anti-Terrorism and Effective Death
Penalty Act, which preceded 9/11 -- is broader in scope than the
general aiding and abetting statute in two major ways: First, it
applies even if the underlying offense is never committed. Second, its
state of mind requirement is broader: The person providing the support
or resources need not have the specific intent to facilitate the
underlying offense, but only the knowledge that the resources provided
"are to be used" to prepare for or commit a specified offense.


Our Hypothetical Degree Program In Hacking: Why It Would Be Legal

Putting the possibility of terrorism-related hacking aside, however,
our hypothetical American degree program in hacking would generally be
on strong First Amendment ground - unless unusual scenarios arose.

Because white-hat hacking does exist, the program would generally be
safer than "how to" crime-manual publishers like Paladin Press.  
Hacking isn't inherently a bad thing: For instance, the FBI could hack
into a terrorist's web site to ferret out criminal plans.

Still, instructors at such a program should tread carefully. Specific
knowledge of a particular future instance of black-hat hacking - as
well, surely, as the intent to aid it -- could lead to civil or even
criminal liability. So students' suspicious questions ought not to be
answered lightly, without some insight into why the student might be
asking them.

And from a policy - not just a legal - standpoint, such a program
ought to periodically evaluate whether its influence on the world is
good or bad: If, for instance, Scotland's Abertay University ends up
with graduates on hacking's "Most Wanted" list, it may want to shut
down whether or not Scottish law compels it to.

-=-

Anita Ramasastry is an Associate Professor of Law at the University of
Washington School of Law in Seattle and a Director of the Shidler
Center for Law, Commerce & Technology. She has previously written on
business law, cyberlaw, and other legal issues for this site, which
contains an archive of her columns.

Copyright © 1994-2006 FindLaw



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jul 24 2006 - 23:31:29 PDT