Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!lll-winken!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!hpfcdc!hpldola!hp-lsd!oldcolo!dave
From: dave@oldcolo.UUCP (Dave Hughes)
Newsgroups: comp.misc
Subject: Computer Virus Hearings
Keywords: virus, goddard, congress, leahy
Message-ID: <154@oldcolo.UUCP>
Date: 17 May 89 14:10:15 GMT
Distribution: usa
Organization: Old Colorado City Communications, Colorado Springs, CO
Lines: 396

May 16th, 1989

Senator Patrick Leahy
Senate Judicial Subcommittee on Technology and Law
815 Hart Office Building
Washington, DC, 20510

Honorable Chairman Leahy:

I listened late tonight (1 to 2 AM MST, May 16th, CSPAN) to the entire one hour testimony of Clifford Stoll and your questions and comments on the issue of computer viruses. And I noted your statement that the Hearing was only recessed so that people could comment officially on the topic for a period of two weeks. Thus I request that this letter be considered input to your Hearings on Computer Viruses.

I first want to commend you for the line of questioning and your closing remarks in which you expressed your view (in my words) that although we need to be able to deal with the problem of computer vandals that we must not be so afraid of the future that we curtail the flow of information - both scientific, business, and political - and the linking up of human genius to networks and each other.

I agree completely with your balanced view of the issue, with your stress on the need for continued access and free information flow.
This is important, not just for the flourishing of the 'geniuses' you refer to, and the unimpeded functioning of business and government, but also - and this is very important to the future of our society - for giving the general public - ordinary people - no matter where they are, from our smallest towns, farms and ranches to the largest cities, the greatest possible, and lowest cost access to public computer networks for purposes of employment or the pursuit of their own businesses, education and training, enjoyment of and contribution to culture, and better access to their own government and the political process.

If this nation is to avoid becoming a polarized society of the 'information rich and information poor' and 'computer strong and computer weak,' laws and administrative measures aimed at preventing computer crime must not intensify the natural tendencies for institutions to put their problems before the long term interests of the public at large, for which, presumably those institutions exist.

I agree generally with Clifford Stoll's testimony in which he accurately described the functioning and values of computer 'communities' at the rarified scientific level of research. But he really did not answer your question very well of "What would you do if you were in my place" for he seemed torn between wanting to trust the ethical standards of the computer community but having lost time away from his science because of a few irresponsible people, he was ready to admit there might be a need for new laws.

I would like to focus the thoughts of your committee more sharply on the way I believe the general problem of legally dealing with human behavior via computer networks needs to be approached.

I am neither one of the 'young geniuses' you refer to, nor a computer scientist per se, though I now enjoy an international reputation for my 10 years on hands-on-computer and modem work (4 hours a day) exploring, developing, ways at the very grass roots community and individual (not institutional) level ordinary people (not just exceptional professionals) can use computer (modem, fax, voice mail) communications to discuss and debate, online, public issues and engage in the political process, pursue both formal and informal education remotely, undertake successful small entrepreneurial enterprises, enjoy cultural experiences, and all made possible by the economics, convenience of modem communications.

I am a 60 year old retired military professional officer who has served in high policy, management and sensitive positions (to include Washington) so I am fully aware of the importance of dealing with the problems arising from this new medium. However, partly because I foresaw the broad and potentially beneficial impact of small digital devices linked together globally by advances in telecommunications I determined in 1977 to personally master and apply the revolutionary new 'individual' digital tools at the grass roots community level of our society rather than at the large business, scientific, or government level.

I did so on the grounds that if we learn how to make the Information Age work in middle America on main street, in small neighborhoods and schools, and for general local community purposes, not just advanced business, government, or scientific needs, or for computer elites, we will not have to fear for our future as a nation.
For our strong political traditions of individual responsibility, reliance as much on community ethics and peer actions as government imposed standards, freedom of speech and of assembly, and our willingness to 'risk' the aberrant behavior of some, so that the freedoms of many will not be impaired - all these have their direct counterpart in computer communications - which some have come to call, rather accurately 'virtual communities.'

I have operated four 'local' dial up systems in the Old Colorado City neighborhood (population 12,000) of Colorado Springs over the past 8 years, from one line free bulletin boards to multi-user unix subscription systems (which are networked and accessible precisely the same way Mr Stoll's computers are). My 'community level' systems have been dialed into over 125,000 times, by over 12,000 different individuals. I have also spent an average of 4 hours a day online for the past 7 years - both tending my own systems and accessing other national, and international systems.

In both my small business, educational and community volunteer computers, I am just as vulnerable to technical crime, vandalism, computer viruses as larger systems. I find I have been able (precisely because some societal problems are more easily dealt with at the local small scale community level than at the large, abstract, national level) to handle the aberrant behavior of the few without recourse to extreme measures or the calling on law enforcement.

I believe you must think very carefully and reflect in legislation the profound difference between treating 'information' on computer systems as (1) property (2) premises, or (3) speech before acting.

ELECTRONIC PROPERTY - it is obvious that some data on a computer system may be property which can be stolen, destroyed or damaged. Laws designed to prevent theft, destruction, or damage to computer information are indicated here.
But we understand pretty clearly in this society the concept of 'property' and applying our knowledge to computer 'property' is not difficult and the laws that are on the books and coming out seem balanced in this regard.

ELECTRONIC PREMISES - a computer can be regarded as a place, which if intentionally protected by passwords or other devices intended to keep out those not authorized, can be protected by extension of laws that are designed to prevent trespass, breaking and entering, or breach of privacy. (The Computer Privacy Act of 1976 does a pretty good job here).

ELECTRONIC SPEECH - the area that is very poorly understood by those who have not used modem 'communications' capabilities of computer systems is the activity of 'free speech' on computer systems. People become de facto members of 'virtual communities' - whether in associations of scientists such as Mr. Goddard an Astronomer with his colleagues on scientific computers, or groups of local individuals who have no other institutional relationships but dial into local free 'bulletin-boards' where they socialize, debate local political issues, bypass the media to share information, conduct business or pursue personal interests and hobbies. Their activity on these systems far more can be legally defined as the practice of 'free assembly' and 'public speech' than as dealing with data as 'property' or the computer as a 'premises.'

Freedom of Electronic Speech must be as jealously protected as non-electronic forms of speech are in society at large. And I urge your committee to think very carefully about the consequences of limiting such speech by laws aimed at curbing computer viruses.

A piece of 'data' (as technically defined) on a computer system can be any one of the three categories above.
What makes it one or the other is less its technical description in computer terms than its relationship to the individuals who put it there, the owner/operator of the system it resides on or moves through, and either the contractual or 'understood' rules for its uses and the behavior of those who deal with it.

When a dozen people dial into either a free and open local computer bulletin-board, or the 'computer conferencing' sections of a national, commercial, password-protected information service for the purpose of exchanging comments on a subject, they are engaged in a form of 'electronic assembly' and they are practicing 'electronic speech.' Speech and assembly forms, the freedom to pursue which MUST be forever protected by extension, if necessary, of appropriate Constitutional guarantees into this new medium. And this use of computer systems should not be confused with issues of 'property' or 'premise'.

When a person dials into a computer system and places 'information' there which by its prior ownership, his actions to identify it as such (such as a copyright notice) or by either the specifically spelled out by the system managers or 'understood' rules that whatever he places there is private or institutional 'intellectual property' then the laws pertaining to its protection may apply. But one must look at much more than just the 'data' to determine if it is property, or speech.

There is a burden on the users of systems, and the operators of systems, to make clear what the status of (1) access to the system and (2) ownership of the data thereon is if they expect to be protected at law. Various system operators make very different rules on such matters, and they should be free to do so. Compuserve, for example, chooses to bind its users to an agreement that specifies that anything posted in its computers by subscribers becomes the property of Compuserve, and its disposal must be dealt with accordingly.
I choose to state that anything posted on my dial up subscription system remains the property of those who post it there - with all the obligations and rights flowing from that. The difference is not the data, but the agreements made between system operators and their users before the users are given access.

Obviously - and the application of the Electronic Privacy Act of 1986 turns on this key criteria - the question of what legal responsibility must be borne for 'breaking and entering' a computer, or transmitting a virus through a system, or stealing of data from a computer has to do with whether the operators of systems take steps to prevent access to a system unless specific permission is granted - using in the form of an assigned (not self generated) password giving access. And that the potential user of a system knows that permission is required.

A system which permits uncontrolled access to its ports, or self-assigned passwords is not even covered under the Electronic Privacy Act. Nor need it be. Such computer systems are 'public' as far as privacy is concerned. Even if the system is privately owned.

What makes this matter more complex however, is that 'parts' of a computer system, or network may be open to the outside public, or closed. In my own case, so that no person in the community is denied access by reasons of cost, to our discussions about public issues, I permit one port (719-632-3391) of our 'Old Colorado City Electronic Cottage' to be free, with self-assigned access to the 'Roger's Electronic Bar' political debate section. Regular subscribers to my service use other ports (and phone numbers) have to be issued a password specifically by us before gaining access, and are responsible for security of their passwords. They also have e-mail, (and access to the global network which was affected by the virus in November), private file spaces, and other conferences which cannot be accessed by the public.
But they can go inside the 'Rogers Bar' section too, on the same computer. But when they do they understand that their remarks are not private, what they post there, unless they specifically designate it by copyright notice or other statement, is free to be copied and used by others, and the Electronic Privacy Act does not apply. Law enforcement agencies are as welcome to that section as anyone else. Thus inside one system the rules - and laws are different depending on rights of access.

If a person stole or guessed a password on my system, and then used it to propagate a virus throughout the Internet, by his acts of illegal entry into the system in the first place he could be prosecuted. He 'broke and entered.' If he already is a legitimate subscriber, and promulgated a virus through the system, whether or not he did anything illegal depends as much on whether he further breached security whose intentions are to prevent access, or whether he used a feature which he had no reason to believe was prohibited, and of course whether what he did caused damage to others on other systems.

Thus you must constantly struggle to craft any laws in terms that recognize that individual computers and networks are themselves multi-faceted and you cannot simply deal with a computer as one legal entity for these purposes.

I have found that when the focus shifts from the 'computer' and 'network' itself as physical entities and more deals with the 'computer communities' and behavior, intentions, prudent actions of the administrators and users to protect themselves, inform others of the status of access, data, users, and groups of users that it is far easier - by extension - to apply the laws and precedences of the past with respect to property, premises, and speech.

Another extremely important fact to keep in mind is that access to computers and information networks will have to be supplied by the same institutions which historically we have created to give people 'access' to knowledge - schools and libraries. Not everyone will own their own personal computers, modems, or even phones. But we can insure that all have access if schools, libraries and other public agencies (possibly even the Post Offices of the future) own computers and terminals and give the public free, or lowest possible shared cost access. Your laws must be sensitive to the different circumstances of this sector of 'public' computers and public access too.

I am extremely sensitive to the potential for 'Electronic Democracy' in making it at once easier, cheaper, and more effective for individuals to participate in the political process than currently. We have made great progress here in Colorado Springs in the serious practice of Electronic Democracy - and both private, and public dial up systems participate vigorously. Many of us want to see no law which suffocates that promising potential. For we have serious problems in America with the costs and complexities of public participation in the political process. Mass media has introduced as many problems as it has solved. These new personal tools can help, so long as the public Highways of the Mind are not turned into highly restrictive or closed routes.

My start point when thinking about freedoms and restrictive laws pertaining to computers is to realize that if we turned the clock back 200 years, Benjamin Franklin would have been the first owner of a microcomputer, probably an Apple, and would have been considered a hacker. Thomas Jefferson would have written the Declaration of Independence on a wordprocessor, probably a corporate IBM PC. But Thom Paine would have first published 'Common Sense' on a pirate bulletin board.
And I for one do not want the corporate or government Kings George to tread on my cursor. We must preserve Freedom of Electronic Speech.

I have a request to make. And a suggestion. In answer to your question of Clifford Stoll "What would you do if you were me."

One method of dealing with the growing problem of computer crimes and mischief, some of it not fully intended by its perpetrators, is the education of computer communications users to these issues. Clifford Stoll admitted he never really thought about the problem until he was affected by it. In my very extensive experience online (I calculate I have read over 13,000,000 words on hundreds of systems, and produced probably 1,000,000 words of my own online) I find that there is little knowledge of even the appropriate laws and regulations which apply.

A direct, simple, timely and cheap method for assisting in the progressive sensitization and education of computer network users is to put transcripts of applicable hearings and Federal debate over these issues out over the Network! And to make it far easier and cheaper for the computer-modem owning public to dial up central systems which contain the applicable laws and regulations that everyone is supposed to know!

Relying solely on mass media and press, or the Congressional Record to convey this information, is no longer necessary. And given the nature of the culture of computer networkers, it would be far more to the point to 'publish' electronically these laws, and make it cheap and easy for any modem-owning citizen to access them, and even hold online discussions about them in forums hosted by knowledgeable public officials.

I suggest that the Congress initiate by law and funding - perhaps through the Library of Congress - a dial-up network which carries the full text of all laws pertaining to computer crime and associated matters. Ideally the access should be free to the public.
Secondarily, however, a transcript of the hearings you are holding on the specific issue of Computer Viruses, could be put out over Usenet (Internet, Usenet, and academic Bitnet) for reading by the online population. I believe, for example, that the excellent and informative one-hour interchange between you and Clifford Stoll at the Monday, May 15th Hearing would be widely read on the network - which at least one half million persons on 14,000 computers use regularly.

Since the rate of 'information exchange' at your oral hearings was approximately 120 oral words per minute, about 7,200 words were uttered. In an online Ascii form that entire hour can be scanned at 1200 baud in 6 minutes, read carefully and completely in 15 minutes, and occupy less than 24k of file space on any computer. In terms of Usenet in which over 5 megabytes of information is generated daily, that is a drop in the bucket.

If your staff does not know how to do this, I would gladly volunteer to take a floppy disk with the transcript in ascii form and disseminate it over the network myself from my local system from Colorado Springs. It would take little effort and practically no cost.

But in any case I do request that your staff send me a floppy disk in msdos form, of a transcript of the hearing, and any amplifying comments, so that I may post it on my own local computer system for the free education and enlightenment of those thousands of local callers to local systems where such issues are discussed every day.

Many of us who use and administer public systems can do our part in this important task of education/sensitizing the online culture to the issues. We might as well use the networks where the problems are to disseminate the general societal solutions, as well as technical ones. The Federal government could be doing a lot more than it is now in using the new technologies to both publicize its deliberations, solicit public input, and disseminate its decisions.

When the computer-using public has had a chance by the means I have outlined above to learn about, discuss and debate, and take their own 'virtual community' actions to prevent and deal with computer crimes, and that method proves insufficient, then the time for new legislation may be at hand. But until they have had such a chance, informed by the valuable content of your hearings, I for one am reluctant to lead with new laws.

By the way, I am posting this letter to you on several networks, urging readers to consider airing their views to your committee before you terminate the hearings.

Thank you

David R Hughes
6 N 24th Street
Colorado Springs, Colorado 80904
719-636-2040 (voice)
719-632-3391 (modem)
--
Dave Hughes
Old Colorado City Communications
"It is better to light one screen than cursor the darkness"
hp-lsd!oldcolo!dave

Bill Robinson