8

Once a business decides it is worthwhile to pursue legal action against the attacker, what information and processes should be followed so that:

  • Integrity of the investigation is maintained
  • The undesired behaviour will cease
  • The damage is properly assessed
  • The value of the damages will be reimbursed

What types of cases succeed? What types of cases likely never see the light of day?

Is there a Law (or other) journal that covers these cases in any significant depth?

this.josh
makerofthings7
  • 3
    Note that this is a highly-localised question: relevant law in the US, EU and other areas all differ. –  Nov 23 '10 at 11:21
  • 1
    @Graham The US and EU examples you gave aren't 'highly' localised, and are relevant to a vast majority of users on this site. Newtown township Pennsylvania, would be highly localized ;) – makerofthings7 Nov 23 '10 at 13:32
  • @makerofthings7: there are many sovereign states in the EU, each with their own legislation. Such legislation varies over time. Therefore this question is localised in four dimensions. –  Nov 23 '10 at 13:45
  • 1
    Perhaps there is value in either sharing what is common among most, if not all, locations. It would also be of value to determine what applies to either the US or the UK, since that is relevant to a majority of this site's readership (please correct me if I'm wrong). – makerofthings7 Nov 23 '10 at 13:49
  • @makerofthings: I'd imagine US, UK and general EU legislation covers most of the readership. But as Graham Lee pointed out, the EU legislation is a very tricky question. However, I'm sure in most cases the difference isn't that big, though it exists. For example, here in Finland an attacker couldn't be prosecuted for "identity theft" because it doesn't exist in our legislation - however, they could instead be prosecuted for fraud, since they fooled the system they were attacking... – Ilari Kajaste Nov 25 '10 at 08:49
  • 1
    Nothing. Remember Kevin Mitnick and Bernie S.? – Nate Koppenhaver Aug 23 '11 at 23:39
  • @makerofthings7 So you expect one answer to include what is common in the laws of all the countries that make up the EU AND all the states that make up the US (remember you didn't identify if you were looking for a felony or a misdemeanor). So this "answer" is going to be less than a page in length and include; how the integrity of the investigation is maintained, how the damage is properly assessed, and how the value of the damages will be reimbursed. It will also include a list of what the perpetrator was charged with. What you have here is a **BOOK**! – Everett Aug 26 '12 at 12:58
  • Can I also point out this question is actually between 7 and 10 questions? If you don't have the legal ability to answer this yourself, how are you going to know who provided the right answer? – Everett Aug 26 '12 at 13:00

3 Answers

4

As I recall, cyberlaw is pretty up in the air as it is a newer issue. The biggest issue, at least in the US, is proving that it actually was that person behind the keyboard. IPs can be spoofed, pseudonyms are just that, pseudonyms, and intellectual property law is fairly unrefined as well. Also, the hacker needs to be an adult or have committed a crime on a large scale; this, of course, is up to court discretion. Additionally, one needs to consider: is the user of the script to blame, or the original developer? You can look at cases against Limewire and other P2P networks. I believe it really comes down to whether the business took all necessary precautions to prevent this, in addition to the attacker's intention. The RIAA has looked foolish in the past by trying to prosecute 12-year-olds on music theft.

Woot4Moo
  • +1 I'll keep the RIAA example in mind when I come across an overzealous client – makerofthings7 Nov 22 '10 at 21:15
  • On the other hand, FBI did prosecute a suspected trafficker in child porn, who claimed innocence blaming CSRF and the like (though I do not know what came of it). – AviD Nov 23 '10 at 00:27
  • This case finally jailed the attacker who hacked a neighbour's wireless access point to plant incriminating child porn etc: http://arstechnica.com/tech-policy/news/2011/07/wifi-hacking-neighbor-from-hell-gets-18-years-in-prison.ars – Rory Alsop Jul 16 '11 at 09:24
2

I don't know of any law journals on this matter, as I am not a lawyer, but it appears that this involves all the procedures related to evidence in a civil lawsuit.

The sorts of resources that would be applicable would depend on the venue.

For example, let us say that I file a civil lawsuit via Federal diversity jurisdiction. Then, 28 USC controls the details. Furthermore, the court's local procedures as well as the federal court procedures would have a significant impact on the evidence, in addition to existing laws and precedents.

In short, you should provide more details.

Zian Choy
1

It doesn't work that way.

The hackers don't have money, so you'll never get reimbursed for your damages.

Most hacking isn't repeated. That hacker will go away regardless, but that won't stop other hackers.

"Damage" is impossible to calculate. How much damage is lost reputation? HBGary had a nasty hack that damaged their reputation, but it also gave them a ton of publicity, so the hack may have instead helped them overall.

"Integrity of the investigation" rarely matters, because it's not that evidence that is used in trial. Instead, a lot of hackers are convicted of "conspiracy" or "intent" or "obstruction of justice" or some such nonsense. For example, the guy who stole Palin's e-mails was convicted of felony "obstruction of justice", because he deleted the evidence of the e-mail hack.

The evidence used to convict hackers usually comes from their hard drives, not yours. The police look for things like credit cards, other identity info, or child porn.

Robert David Graham
  • I think you'll find that in a high proportion of cases they do in fact have very large sums of money, as much 'hacking' is sponsored by organised crime and major governments. And the most serious attacks are repeated, because they make money. The methodologies and tools are sold to other attack groups to re-use. You are correct in saying that most money will never be reimbursed, but that is more the fault of failures in international law enforcement, anonymity on the web and international law, which is why you need to use 'conspiracy' or other charges which are easier to prove. – Rory Alsop Aug 24 '11 at 07:54