Three Minutes With Jennifer Granick, Computer Lawyer
Criminal defense attorney assesses antivirus laws, First Amendment rights of coding, and educating young hackers.
Kim Zetter, PCWorld.com
Thursday, November 16, 2000
Jennifer Granick, a San Francisco-based criminal defense attorney who since 1995 has handled computer-related cases (primarily regarding hacking), spoke to attendees this year at the hackers' and virus-writers' conference DefCon about legal issues surrounding their activities. She talked to PCWorld.com about the wisdom of having laws against writing or posting virus code.
PCWorld.com: Do you think posting of virus code should be illegal?
JG: It depends on the circumstances. I think if you post something with a warning that "if you use this, it's dangerous," then no. If you post something in the context that encourages or inspires people to use it--either wittingly or unwittingly--to do damage to somebody else, then maybe yes.
PCW: But isn't posting something with a warning just a wink-wink way of getting around the legality of it with a loophole?
JG: I don't think that virus researchers or computer security people would feel that way at all.
PCW: But if we're talking, for instance, about a virus exchange bulletin board or a known virus writing hangout where the posting of code is not for the purposes of research ...
JG: The person who develops ... and writes the tool is not necessarily responsible, either morally or legally, for what someone does with that tool. If I'm a person who makes hammers, just because someone goes and bludgeons someone with it later doesn't mean that I'm responsible because they misused it. The way you tell if I'm responsible is you look at the circumstances under which I conveyed that information or tool.
PCW: But the tool you want to use as an example has both a positive and a negative benefit. Unless they are antivirus researchers, which these virus writers cannot particularly call themselves ...
JG: Why not? You know, the good work on these issues is done by a lot of people. Often, valuable social causes or social interests are served by the free dissemination of information, even if that information can be used to hurt somebody. But even further than that, [virus code is] protected by the First Amendment. Unless I'm directly inciting somebody to illegal activity, that kind of speech ... [is] my First Amendment right.
PCW: How is posting malicious code a First Amendment right?
JG: I don't think that the code itself is necessarily malicious or not malicious. The United States government made the same argument about encryption technology and encryption code, which they said is a munition--like a gun or a bomb--and therefore can't be exported, so you can't post it in a place where foreign nationals can get [it]. [But] there have been court rulings [Bernstein vs. the United States in the 9th Circuit Court] that first of all said that code is speech and [that it] is protected by the First Amendment in the way that speech is, because of its inherently expressive nature.
PCW: Why do you think that viruses are getting so much attention?
JG: I think it's part of the hysteria over computer crimes.... [N]either Congress nor the public understands how this is actually going to harm computer security instead of furthering it. People are terrified of hackers, and that's a fear that has been promoted by our government and promoted by the media ... and promoted by the hackers themselves because it gives them a lot of notoriety and importance.
PCW: Do you think that there's entirely too much emphasis placed on this type of crime in comparison to other crimes?
JG: I think that there's a lot of hyperbole about how much hacking costs us every year. These damage estimates are really overinflated, and I think that in comparison to how dangerous some other activity is, we're way too concerned about it. I mean, even the government admits that there haven't been any cases of cyberterrorism or anything like that.
PCW: Isn't this a case where it's clear what the possible scenario could be and we should try to block that hole before it occurs?
JG: I don't think so. I don't think there's any comprehension on the part of the public or on the part of legislators about what it really takes to develop a secure infrastructure, and so they are legislating in an area that they have no idea about. And a lot of these [legislative] proposals hav e a chilling effect on the very people who we need to do research and report security flaws.
What companies need to do is ... to respond when there are security advisories. And when they're running outdated or vulnerable software and there's a patch provided, they need to install the patch.... Industry has not done a good job of policing itself even when the security information is out there.... We're not talking about magic here; we're talking about basic network hygiene. We won't have to put these people in jail and spend all this money prosecuting them if we don't leave our systems wide open.
PCW: Do you think that laws making this kind of activity illegal promote the activity more?
JG: No. I think it doesn't do much to deter the people who are truly criminal, because I can tell you from experience that criminals don't think they're going to get caught. And I think it does a lot to inhibit people who are legitimate security researchers, because they're afraid of transgressing the law.
PCW: Why do you speak at DefCon?
JG: These kids are ignorant about what the law is and about ethics and what's expected of them. And society at large is ignorant about these kids and ... what their value is to society and what their motivations are. So I like to go to DefCon and tell them: ... Here's what the law expects from you. Here's what you can and cannot do, and here's your rights and how to protect yourself because you are under fire. People just assume that you're bad, and that's not the case. Many of these people have later grown up to make extremely important and valuable contributions.
Jennifer Granick on ethics of computer hacker code.
Moderator: jasonb