The key to both Mark's and Todd's conundra is intent. Criminal laws - which is what I think they are afraid of being punished by - require some kind of intent to possess or obtain the "bad stuff." (Once upon a time I was a criminal defense lawyer and I actually researched this issue in connection with potential HIPAA criminal charging issues for a book I wrote a couple years back.) As George Carlin put it, "ya gotta wanna." Sometimes recklessly not caring about predictable consequences might be enough, but there has to be some level of intent for there to be a crime. Spam is unsolicited (if it wasn't it wouldn't be spam); whatever bad stuff it contains is there because the *sender* intended it, not the receiver. The fact that the bad stuff got stored on your server and would even be recoverable after deletion doesn't change that result - though not even opening would make it even harder to argue that you intended to receive the bad stuff, since you never even found out that's what it was. The same goes for bad stuff that bad guys host on your server. You didn't put it there; you didn't want it there; you didn't even know it was there until you stumbled across it. So you didn't unwittingly commit a crime by someone else's act. However, this latter scenario does have more problems and risks than the email scenario. I believe that at some point we will develop principles for holding system owners liable for misuses of their systems which are caused by reasonably discoverable and avoidable security vulnerabilities. If you have reason to think you are being victimized in this way I think you ought to do something about it, or risk being a test case. As to what you do if you discover a bunch of bad stuff on your system, I'd say: (1) Figure out how the bad guy(s) got in and fix the hole, and either (2)(a) if you are lazy, strapped for time and resources, and it looks like a bunch of pirated boy toy singer mp3s (or some such), get rid of it and go on to the next thing, or (2)(b) if you're motivated, have time and resources, and it looks like evidence of a serious crime or national security problem, preserve it and see if you can identify the right law enforcement respondent. As an ordinary citizen you don't have a positive obligation to report finding evidence of a crime, but sometimes it's a really good idea. Reader Advisory Notice: Internet email is inherently insecure. Message content may be subject to alteration, and email addresses may incorrectly identify the sender. If you wish to confirm the content of this message and/or the identity of the sender please contact me at one of the phone numbers given below. Secure messaging is available upon request and recommended for confidential or other sensitive communications. John R. Christiansen Preston | Gates | Ellis LLP 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104 (Direct: 206.370.8118 (Cell: 206.628.9125 -----Original Message----- From: Mark Johnson [mailto:markbarb2@private] Sent: Friday, August 08, 2003 3:39 PM To: crime@private Subject: Re: CRIME What do you do with bad stuff? I would like to pose a similar hypothetical question to the group. Consider this scenario: Suppose you receive an unsolicited e-mail which has an attachment. Since you do not know what it is, you delete the mail without reading it. Unbeknownst to you, the email attachment was "Bad Stuff", as Todd put it. You are now the unwitting owner of felony material. The questions: Are you breaking the law? Should we open all our spam to protect ourselves ??!?!?!!! Thanks in advance, Mark _________________________________________________________________ Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail
This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 16:39:10 PDT