Cautionary Tale

Lucy E. Lynch llynch at darkwing.uoregon.edu
Tue Jan 22 16:51:04 GMT 2002


FYI

Lucy E. Lynch 				Academic User Services
Computing Center			University of Oregon
llynch at darkwing.uoregon.edu		(541) 346-1774/Cell: 912-7998

---------- Forwarded message ----------
Date: Mon, 21 Jan 2002 23:08:56 +0200
From: Bretton Vine <bretton at deepsouth.co.za>
Reply-To: legal at internet.org.za
To: legal at internet.org.za
Subject: [IOZ.legal] The crime of distributed computing

http://www.theregister.co.uk/content/6/23477.html

By Ann Harrison

A college computer technician who offered his school's unused computer
processing power for an encryption research project will be tried next
month in Georgia for computer theft and trespassing charges that carry
a potential total of 120 years in jail.

The closely-watched case if one of the first in which state
prosecutors have lodged felony charges for allegedly downloading
third-party software without permission.

David McOwen was working as a PC specialist at the state-run DeKalb
Technical Institute in 1998, when he learned about a project by the
non-profit organization distributed.net that allowed computer users to
donate their unused processing power to test the RC5 encryption
algorithm. Noticing that many of the machines he maintained on the
seven DeKalb campuses sat idle for long periods, McOwen installed
distributed.net clients at several of those locations while performing
a Y2K upgrade on the machines in 1999.

According to McOwen, during the Christmas holidays in 1999 school
administrators noticed that unused machines were sending and receiving
the distributed.net data -- about the equivalent of one email a day.
The school sent McOwen a letter of suspension in January of 2000,
without specifying a grievance, and McOwen resigned shortly
afterwards, believing that he had put the incident behind him.

Instead, in June of 2001 McOwen was contacted by an investigator from
the Georgia Bureau of Investigation who informed him that he was the
subject of an 18-month computer crime investigation. In October,
prosecutors from the Georgia state attorney general's office charged
McOwen with eight violations of Georgia's tough computer crime law:
one count of computer theft, and seven counts of computer trespass --
one for each of the school offices where McOwen downloaded the
distributed.net client.

Each felony count carries a $50,000 fine and a 15-year possible prison
term, for a 120 year maximum possible sentence. The indictment also
calls for restitution equal to the amount of money paid to state
workers to uninstall the programs from 500 PCs.

As the case nears trial, it's raising eyebrows among some legal and
technology experts for the unusual application of an anti-hacking law
to actions taken by a network's legitimate administrator.

'This Is Not Hacking' "Our problem with this kind of statute is that
it is written in such broad terms that it can reach all sorts of
behavior that doesn't constitute computer fraud, but can give the
government prosecutorial discretion," says Lee Tien, a senior staff
attorney with the San Francisco-based Electronic Frontier Foundation,
who has followed McOwen's case.

"This is a hacking statute," says McOwen, "but obviously this is not
hacking." At an early stage in the proceedings, prosecutors claimed
that McOwen had cost the state of Georgia $415,000 in bandwidth
charges, based on a calculation that the distributed.net clients
consumed precisely 59 cents worth of bandwidth per second. The state
has since backed away from the $415,000 figure.

Today, much of the case rests on whether McOwen violated DeKalb's
policies by downloading the distributed.net client. Russ Willard, a
spokesman for Georgia Attorney General Thurbert Baker, contends that
McOwen deliberately ignored the college's written computer usage
guidelines, which were issued to him with his first user I.D. and
password. Willard says the policy forbade McOwen from downloading any
unauthorized third-party software onto the college's machines.

McOwen claims he had permission from college officials to download the
software, and his lawyer suggests that there were no written
guidelines forbidding such installations to begin with. "If there is a
policy I have not seen it," says attorney David Joyner, who says he
has received all the discovery evidence in the case. DeKalb college
president Paul Starnes and McOwen's supervisors from the college's IS
department would not comment on the case.

Even if there was such a policy presented to McOwen, those who work at
universities say they are often disregarded. "It think it's so common
on the academic community that nobody reads agreements like that,"
says David Farber, a professor of telecommunications at the University
of Pennsylvania and former chief technologist of the FCC. "It is part
and parcel of many academics and many students that inquisitiveness
motivates them to download third-party software. If you are going to
prosecute a person for that on those grounds, than you should
prosecute everybody on campus because everyone has done it."

Financial Motive Alleged

Willard says that McOwen was singled out for prosecution partly
because he had ignored his supervisor's warnings. "In this case, Mr.
McOwen was expressively prohibited by his superiors from downloading
these programs and was informed on many occasions by his supervisors
to stop downloading programs," said Willard. "They were aware that he
was doing it and he had gone in and cleaned it up on numerous
occasions." Joyner insists McOwen received no such warning.

Prosecutors also claim that McOwen had a financial motive for
volunteering the school's machines. McOwen was a top producer on
distributed.net for "Team AnandTech," a group sponsored by a hardware
forum site which is still the second ranking contributor to the RC5
research project. A $1,000 prize goes to the individual contributor
who recovers the RC5 encryption key.

"McOwen placed a program on computers, that in his estimation would
benefit him personally, including computers that has sensitive student
financial and identity information without authorization," says
Willard. "There is concern about the program itself compromising or
providing the basis to compromise sensitive personal or financial
information, there is the matter of Mr. McOwen's unauthorized
activities on this computer, and finally there is the point that there
was misappropriation of state property."

McOwen says the prize money wasn't a factor. "People do these projects
for the betterment of mankind," says McOwen. "You are not doing it for
the prize and possibility of money, you are doing it because it is the
right thing to do."

"I think the prosecutor's office needs some lessons in computer
science," says Farber. "If you want to make a point, there are much
better examples than this guy."

The case is set for trial on 28 January.

<snip - second header>

http://www.newsbytes.com/news/02/173751.html

By Steven Bonisteel, Newsbytes
DECATUR, GEORGIA, U.S.A.,
17 Jan 2002, 5:05 PM CST

A computer technician at Georgia-run college who found himself facing
criminal charges after installing software for a volunteer
distributed-computing effort will face probation instead of prison.

David McOwen, once a systems administrator at DeKalb Technical
College, faces a year of probation and a $2,100 fine for connecting a
number of DeKalb computers to Distributed.net so that the spare
computing cycles could assist in a communal code-breaking challenge.

But McOwen's supporters, including the Electronic Frontier Foundation
(EFF), said today that an agreement reached with state prosecutors was
far better than the worst-case scenario: years in prison and hundreds
of thousands of dollars in fines and restitution.

"David never should have been prosecuted in the first place, but we're
glad that the state decided to stop," said Lee Tien, a senior staff
attorney at the EFF. "He very likely could have won if the case had
gone to trial, but trials cost money and you never know what will
happen."

Tien said McOwen, who was to face a criminal trial later this month,
will also have to perform 80 hours of community service "unrelated to
computers or technology." However McOwen will not end up with a felony
or misdemeanor record under Georgia's First Offender Act.

The criminal charges stunned many participants in
distributed-computing efforts, who frequently are also denizens of
university or college computing departments.

In early January 2000, when the San Diego Supercomputer Center of the
University of California was issuing press releases about its
number-crunching prowess via Distributed.net in an RC5-64
code-breaking challenge, DeKalb was suspending McOwen for
participating in the same event.

A suspension wasn't all McOwen faced. This spring, long after he had
resigned from DeKalb in the wake of the suspension, McOwen learned
that he was being investigated by the state attorney general's office
as a result of his Distributed.net participation. This fall, he was
officially charged one count of computer theft and seven counts of
computer trespassing.

Tien in a prepared statement said that the dispute centered on a on
whether McOwen had fair notice that the distributed-computing software
was prohibited at DeKalb.

"From what I can tell, the state would have had a hard time proving
beyond a reasonable doubt that David knew he wasn't authorized to
install the software," Tien said. "I can't help but feel that this was
a face-saving deal for the state."

Originally, the state had calculated that McOwen had drained hundreds
of thousands of dollars worth of DeKalb computing time since
installing the software early in 1999, arriving at its figure by
calculating that the software sapped 59 cents worth of bandwidth each
second.

A pro-McOwen site is at http://www.freemcowen.com

===================< IOZ.legal >====================
  To unsubscribe, mail <majordomo at internet.org.za>
with "unsubscribe legal" in the body of your message
=====================================================




More information about the unisog mailing list