Cybercrime

Friday, 09 January 2009

Nigerian scams ... if you can't beat them, join them?

Yesterday The Age reported that two Queenslanders had been charged over recruiting people to a Nigerian scam which netted the fraudsters more than $4.3 million:

Police said the Sunshine Coast man, 48, and woman, 40, were initially victims of the operation, having been invited to take part in a bogus contract involving the Nigerian oil industry.

They began sending money to the scammers in September 2003.

Police allege they later invited others to become involved in the scheme.

It's believed 12 people sent more than $4.3 million overseas.

Read more here.  As I was reading this story I was reminded of an episode of This American Life where they recounted the extraordinary tale of how three Americans had a very different response to these sorts of scams - revenge:

Hanging In Chad.

Three guys who go by the names Professor So and So, Jojobean and YeaWhatever spend part of each day running elaborate cons on Internet scammers. They consider themselves enforcers of justice, even after they send a man 1400 miles from home, to the least safe place they can bait him: the border of Darfur. The three self-made enforcers tell Ira their story. For more on what they did, along with photos, maps and phone recordings, go here. (29 and 1/2 minutes)

Listen to the podcast here.

Wednesday, 04 June 2008

Section 230 immunity and the Roommates.com case

Larry Downes looks at the section 230 immunity and the Roommates.com case:

I write in this month’s CIO Insight about the 9th Circuit’s en banc decision in the Roommates.com case. This important decision tested the limits of immunity for information service providers (in this case, the operator of a website that allows users to post roommate-matching ads) under Section 230 of the 1996 Communications Act. At issue was whether Roommates.com could be sued under fair housing laws for asking users about their age, sex, sexual orientation, whether they have children and their preferences for these characteristics in a roommate. Eric Goldman has an excellent post on the case at his website: http://blog.ericgoldman.org/archives/2008/04/roommatescom_de_1.htm

Writing for the majority, Chief Judge Kozinski held that the service was not entitled to immunity (the merits are yet to be decided) because the site was a “developer” of the potentially-illegal content. In short, Kozinski distinguished free-form text boxes (immunity intact) from drop down menus that offered only limited choices. The drop down menus, the court held, are not immune, because they cross the line between hosting and assisting in the development of the content, and Section 230 applies only to the former.

I’m troubled, as many people are, by the decision and some of its dicta. In particular, Footnote 15 signals increasing judicial resistance to the Section 230 safe harbor. It also falls into the trap of judges assuming they know more about the information economy than they do:

“The dissent stresses the importance of the Internet to modern life and commerce, Dissent at 3476, and we, of course, agree: The Internet is no longer a fragile new means of communication that could easily be smothered in the cradle by overzealous enforcement of laws and regulations applicable to brick-and-mortar businesses. Rather, it has become a dominant—perhaps the preeminent—means through which commerce is conducted. And its vast reach into the lives of millions is exactly why we must be careful not to exceed the scope of the immunity provided by Congress and thus give online businesses an unfair advantage over their real-world counterparts, which must comply with laws of general applicability.”

Kozinski cites nothing to support these comments. But what does it even mean to say that the Internet has become “a dominant…means [can there be more than one dominant mean?] through which commerce is conducted”? Despite double-digit growth for over ten years, e-commerce still only accounts for well under 10% of retail activity. And I can’t even find a measurement for services revenue, which Roommates.com represents. Which is to say, as far as I can determine, “the Internet” is still a fragile new means of communication.

Read more here.

Tuesday, 27 May 2008

Australia considering cyber treaty

Australian IT reports that a proposed cyber treaty may mean new surveillance laws in Australia:

LAWS allowing police to rapidly secure evidence held on computers, and to obtain real-time access to network traffic, may be needed for Australia to join a global treaty aimed at fighting fraud and electronic crime.

Federal Attorney General's Department project director Steven Stroud said a review was being carried out to establish what legislative changes would be needed if the Australian government were to join the Council of Europe's Convention on Cybercrime.

"We're fundamentally well-placed to accede, given our cybercrime laws in the Crimes Act and the Customs Act," he said.

"But the convention requires specific actions and measures, so consideration is needed about what the obligations would be."

Mr Stroud said a number of pieces of legislation would need to be amended, "and some of these would be quite significant".

"The convention has provisions for data retention by carriers, and we don't have those laws in Australia," he said.

"There are also provisions for expedited collection of evidence held on computers, and we don't have those laws either.

"The Telecommunications Interception Act allows law enforcement to obtain material with a warrant, but there's no way police can just ring someone up and say they need something, can they have it.

"These are the kinds of issues we need to explore."

The convention, which provides a standard framework for investigating and prosecuting crimes involving computers across national borders, has already been adopted by more than 45 countries.

Read more here.

Friday, 23 May 2008

Be afraid, be very afraid

I was surprised to read that online crime (and associated paranoia) in Canada is so high, especially because these findings would be similar in most western countries:

Canadians are more likely to be victims of crime on the Internet than they are on the streets, suggests a new survey commissioned by the Canadian Association of Police Boards.

Cyber crime - things such as identity theft, computer viruses and online harassment - is very close to surpassing illicit drugs as the top crime category in North America.

The survey, completed last January by Deloitte LLP, found that nearly half of the 567 respondents had been victims of cyber crime, and 70 per cent said they did not report the crime.

Almost everyone surveyed - 95 per cent - thought they were being targeted by cyber criminals.

"If that doesn't scare you, I don't know what will scare you," said Calgary police Chief Rick Hanson during a news conference Wednesday.

"It's huge and it's getting worse," said Ian Wilms, chair of the Canadian Association of Police Boards. "You lock your door at night time, but people don't, when online, just take the 30 seconds to update the security patches on their computer."

Read more here (from canada.com).

Monday, 19 May 2008

Think twice before you sign up for an online service using a fake name or email address

Much has been made over the past few days of the decision to indict a Missouri mother on charges connected to the suicide of a 13-year-old MySpace user (see my post here). However, MSNBC approaches it from a different angle:

Think twice before you sign up for an online service using a fake name or e-mail address. You could be committing a federal crime.

Federal prosecutors turned to a novel interpretation of computer hacking law to indict a Missouri mother on charges connected to the suicide of a 13-year-old MySpace user.

Prosecutors alleged that by helping create a MySpace account in the name of someone who didn't exist, Lori Drew, 49, violated the News Corp.-owned site's terms of service and thus illegally accessed protected computers.

Legal experts warned Friday that such an interpretation could criminalize routine behavior on the Internet. After all, people regularly create accounts or post information under aliases for many legitimate reasons, including parody, spam avoidance and a desire to maintain their anonymity or privacy online or that of a child.

This new interpretation also gives a business contract the force of a law: Violations of a Web site's user agreement could now lead to criminal sanction, not just civil lawsuits or ejection from a site.

"I think the danger of applying a statute in this way is that it could have unintended consequences," said John Palfrey, a Harvard law professor who leads a MySpace-convened task force on Internet safety.

"An application of a general statute like this might result in chilling a great deal of online speech and other freedom."

Read it here.

Saturday, 17 May 2008

MySpace crimes

Two interesting pieces of news to note relating to people using MySpace for criminal purposes. The first is a ruling of the U.S. Court of Appeals for the Fifth Circuit in Doe v. MySpace Inc that predictably held that MySpace is immune under s 230 of the Communications Decency Act from a lawsuit over the alleged sexual assault of a teenage girl by a man she met on the site. As Howard Bashman amusingly notes at How Appealing, footnote one in the ruling helpfully explains that:

The term 'blog' is a portmanteau of 'Web log' and is a term referring to an online journal or diary.

The second is a post from Brett Trout at Blawg IT on the case of Missouri Mother Lori Drew who allegedly used MySpace to cause the suicide of her 16-year old neighbor Megan Meier.  This week a federal grand jury in Los Angeles indicted Drew on one count of conspiracy and three counts of unauthorized access of protected computers to intentionally inflict emotional distress upon Meier:

Los Angeles federal prosecutors allege that back in 2006, Drew created a MySpace page for a fictitious 16-year old boy named "Josh." Drew allegedly used the MySpace account to send numerous messages to Meier. After initially befriending Meier, "Josh" ended the relationship with a message indicating the world would be a better place without Meier. Meier killed herself that same day.

After state and federal prosecutors in Missouri refused to take any action against Drew, attorneys representing the Cyber and Intellectual Property Crimes Section of the U.S. Attorneys Office in MySpace’s hometown of Los Angeles brought the indictment against Drew. As reported by Wired, federal authorities have granted alleged co-conspirator, 19-year old Ashley Grills, immunity in return for her cooperation with the investigation. If convicted on all counts, Drew could be sentenced to up to 20 years in federal prison.

The laws being enforced against Drew were originally enacted to deter and punish computer hackers. It is important to note however, that despite any underlying legislative intent, there is nothing to prevent authorities from asserting these new laws against social networkers. Even though it is unlikely that even your most offensive social networking activities amount to what federal prosecutors allege took place in the Drew case, this case should sound as a warning call to all social networkers to double check how their actions might be perceived by others. Every social networker should double-check that none of their social networking activities might be construed as deceptive, fraudulent or harassing.

Most importantly, if you suspect your child may be the victim of a cyberbully, take action immediately. For more information on how to address cyberbullying, click here for my previous post on the subject. As the Drew case demonstrates, unchecked social networking can lead to much worse things than federal prison.

Read more here.  The Wall Street Journal Law Blog also comments on the legal merits of the case:

Was Lori Drew surprised to learn that she committed a federal crime when she signed on to a social networking site using a fictitious identity? We wondered that today while reading an indictment that charges Drew — a 49 year-old resident of Missouri who registered on MySpace as “Josh Evans,” a 16 year-old boy — with violating 18 U.S.C. Section §1030, a broad statute that criminalizes computer fraud.

The backstory: As detailed in this January New Yorker article and today’s indictment, Drew — under the guise of “Josh” — struck up a flirtatious online relationship with Megan Meier, a 13-year old MySpace member, that lasted for several weeks. According to the indictment, “Josh” told Megan she was “sexi” and made other sexually suggestive overtures. Then, “Josh” told Megan he was moving away and that the world would be a better place without her. After “Josh” broke off the relationship, Megan hanged herself in her bedroom.

Here, the theory of the case seems to be that when Drew registered on MySpace she agreed to certain terms of service that required her to, among other things, provide “truthful and accurate registration information” and “refrain from promoting information that” she knew was “false or misleading.” For violating the terms of service, the feds have charged her with conspiracy to access MySpace without authorization.

“A very sympathetic set of facts,” concedes Orin Kerr, a cyberlaw prof at George Washington. “But highly dubious; a weak legal argument.” Kerr, who says he’s considering making an offer to represent Drew, told the Law Blog that there are two problems with the legal theory. First, the statute requires a conspiracy to intentionally access the site without authorization, and there’s no evidence that Drew read or knew the terms of service. Second, it needs to be a conspiracy to obtain information, and this was not. “It was a conspiracy to harass,” said Kerr, “but that’s not what the statute is about.”

He added: “It’s a dangerous theory because terms of service are violated so often, and that means there’s a choice courts must face: maybe any violation of any terms of service is a federal crime; maybe no violations are a crime; or maybe some violations are a crime. If a court allows it, then it means that if the government is looking for a criminal charge against someone, they just need to show someone violated a term of service. Do I expect the Ninth Circuit Court of Appeals to allow it? No.”

Read more here.

Monday, 07 April 2008

Men are online fools

When the battle of the sexes moves online, Tom LaSusa explains that men are apparently more likely to be duped by internet fraud schemes:

They say girls develop much faster than boys. At the very least, they appear to be quicker on the uptake when it comes to avoiding getting duped on the Internet.

A study from the Internet Crime Complaint Center (IC3) suggests that men are far more likely to be duped by Internet fraud schemes than women. For every dollar that women lost to scammers, phishers, and other Net crooks in 2007, men lost a buck plus an extra 67 cents.

Last year, the IC3 -- a partnership among the FBI, the National White Collar Crime Center, and Bureau of Justice Assistance -- received nearly 220,000 complaints of Internet crime. Of the complainants, more than half (57.6%) were male and lived in one of the four most populated states: California, Florida, Texas, and New York.

...

Unfortunately -- and incredibly (in my opinion) -- lack of consumer awareness still plays a major part in why folks are duped.

It's hard to believe that after all these years, people could still believe an e-mail offering "a thousand blessings" -- and a tidy sum of cash -- if only they will help some poor rich family hide their millions in an American bank account!

Or what about an investment scam? Who gets a random e-mail from a stranger with a "sweet tip" on some mysterious stock -- and then dumps their money into it? Apparently New Yorkers, Texans, Floridians, and Californians. Go figure.

Me? I barely trust financial tips from people I know.

Read more here (from Information Week).

Saturday, 22 March 2008

This shouldn't be legal

I was disturbed to read this story, "FBI posts fake hyperlinks to snare child porn suspects", by CNET News.com's Declan McCullagh during the week:

The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.

A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who's using an open wireless connection--and whether anyone who clicks on a FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police.

...

The implications of the FBI's hyperlink-enticement technique are sweeping. Using the same logic and legal arguments, federal agents could send unsolicited e-mail messages to millions of Americans advertising illegal narcotics or child pornography--and raid people who click on the links embedded in the spam messages. The bureau could register the "unlawfulimages.com" domain name and prosecute intentional visitors. And so on.

Read more here.

Sunday, 17 February 2008

Three copyright strikes and you're out!

The Sydney Morning Herald reports that the Rudd Government is considering introducing a three-strikes policy against computer users who download songs illegally:

AS THE internet threatens to kill the established music industry, the Rudd Government is considering a three-strikes policy against computer users who download songs illegally.

The Government will examine new legislative proposals being unveiled in Britain this week to target people who download films and music illegally. Internet service providers (ISPs) there might be legally required to take action against users who access pirated material.

The music industry estimates 1 billion songs were traded illegally by Australians last year.

Under the three-strikes policy, a warning would be first issued to offenders who illegally share files using peer-to-peer technology to access music, TV shows and movies free of charge. The second strike would lead to the offender's internet access being suspended; the third would cancel the offender's internet access.

The policy would mirror legislation being introduced in Britain, which would require ISPs to police the activities of users.

Communications Minister Stephen Conroy said the Government was aware of the views put by the music industry for a code of conduct for ISPs to address file-sharing by subscribers.

"We will also examine any UK legislation on this issue [including any three-strikes policy] with particular interest," he said.

...

National Internet Industry Association chief executive Peter Corones said his members' reservations over the three-strikes and code of conduct proposals would be discussed with Mr Conroy this week.

He said present legislation provided severe penalties for dealing in pirate sound recordings that infringe on the rights of artists, composers, record companies and music publishers. Yet there was no action to date.

Penalties include injunctions, damages and costs, fines of up to $60,500 for individuals and up to $302,500 for corporations per infringement and up to five years' jail.

"Internet service providers are not the enforcers of copyright," Mr Corones said. They are "a mere conduit" for internet connectivity.

Any action by the Government is likely to displease young broadband users. Quantum Market Research YouthSCAN released the findings of a new study this month showing 63 per cent of young Australians felt there was no point in paying for music that was freely available.

It asked 600 Australians aged between 10 and 17 across NSW and Victoria in August and September about accessing music.

Consultant Nick Dawes said a no-pay attitude had developed among young people because they did not fear any retribution.

Their attitude is: "If we can get it for free, why not?"

Read more here.

Thursday, 14 February 2008

Why phishing works

Rachna Dhamija, J. D. Tygar and Marti Hearst from the Harvard School of Engineering and Applied Science have published an academic paper explaining "Why Phishing Works".  Here is the abstract:

To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. The authors first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. They then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. The study found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. It also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.

Download the paper here.

Tuesday, 22 January 2008

Teachers victims of cyberbullying

As this is a UK report, I wonder if this is commonplace in Australia too ...

SOARING numbers of British teachers are calling helplines for advice on how to cope after being "cyberbullied" on the internet by their pupils.

The Association of School and College Leaders said that it now receives a call every day from teachers who say they have become victims. The problem was unheard of just two years ago.

Pupils are scouring the internet looking for embarrassing photographs of them. They also use chatrooms and networking sites, such as Facebook or Bebo, to share incriminating material or make vicious accusations about their tutors.

Union leaders are urging their members to be cautious about content and ease of access to material they put on the internet. Many teachers have Facebook pages on which they share photographs of holidays or nights out with friends.

...

It emerged this week that students at the University of Bradford used Facebook to criticise a lecturer.

They created a page entitled “Annie Smith is S***”, Times Higher Education reported. The webpage listed grievances about the woman along with a number of abusive comments. Dr Smith said: “Lecturers are finding that there is a big change in the way that students behave. They are becoming more aggressive.”

Bob Carstairs, assistant general secretary of the ASCL, assists with a helpline. He said: “One of the most commonly reported problems is pupils being extremely rude about teachers on the internet. The advice we give heads is to ignore it and get on with your life, unless the material is sexual or violent.”

One head teacher contacted the helpline after his pupils created a page on Bebo that said he became aroused by beating children. Husband and wife teachers had allegations about their sex life placed on a website by pupils.

Another teacher contacted her union after a disgruntled former boyfriend put intimate footage of them on the internet, which she did not know had been filmed. She became aware of this when her pupils found it and told her. A spokeswoman for the Association of Teachers and Lecturers said: “It made things very awkward with her pupils.”

Read more here (from The Australian).  So, are there any "I hate Peter Black" websites or Facebook groups out there?

Wednesday, 16 January 2008

Cybersecurity menaces

Information Week analyses the top ten cybersecurity threats for 2008:

The SANS Institute on Monday released its take on the top 10 cybersecurity threats for 2008. Leading the list is a rise in the number of attacks on Web browsers, the proliferation of botnets, and sophisticated cyberespionage.

Twelve noted cybersecurity experts -- Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller -- helped compile the list. Released in conjunction with the SANS Security 2008 conference in New Orleans, the list represents a collective assessment of the online attack vectors most likely to cause damage in the year ahead.

Read more here.

Thursday, 10 January 2008

"Steal This Wi-Fi"

On Tuesday I blogged about the ethics of "stealing" WiFi (see here), so I was interested to read today that Bruce Schneier, of Wired's Security Matters blog, looks at whether you should leave your own Wi-Fi open, and says why not ... after all, you can steal his WiFi:

Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.

I'm told that uninvited strangers may sit in their cars in front of my house, and use my network to send spam, eavesdrop on my passwords, and upload and download everything from pirated movies to child pornography. As a result, I risk all sorts of bad things happening to me, from seeing my IP address blacklisted to having the police crash through my door.

While this is technically true, I don't think it's much of a risk. I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house. And yes, if someone did commit a crime using my network the police might visit, but what better defense is there than the fact that I have an open wireless network? If I enabled wireless security on my network and someone hacked it, I would have a far harder time proving my innocence.

...

Finally, critics say someone might steal bandwidth from me. Despite isolated court rulings that this is illegal, my feeling is that they're welcome to it. I really don't mind if neighbors use my wireless network when they need it, and I've heard several stories of people who have been rescued from connectivity emergencies by open wireless networks in the neighborhood.

Similarly, I appreciate an open network when I am otherwise without bandwidth. If someone were using my network to the point that it affected my own traffic or if some neighbor kid was dinking around, I might want to do something about it; but as long as we're all polite, why should this concern me? Pay it forward, I say.

Certainly this does concern ISPs. Running an open wireless network will often violate your terms of service. But despite the occasional cease-and-desist letter and providers getting pissy at people who exceed some secret bandwidth limit, this isn't a big risk either. The worst that will happen to you is that you'll have to find a new ISP.

A company called Fon has an interesting approach to this problem. Fon wireless access points have two wireless networks: a secure one for you, and an open one for everyone else. You can configure your open network in either "Bill" or "Linus" mode: In the former, people pay you to use your network, and you have to pay to use any other Fon wireless network. In Linus mode, anyone can use your network, and you can use any other Fon wireless network for free. It's a really clever idea.

Security is always a trade-off. I know people who rarely lock their front door, who drive in the rain (and, while using a cellphone) and who talk to strangers. In my opinion, securing my wireless network isn't worth it. And I appreciate everyone else who keeps an open wireless network, including all the coffee shops, bars and libraries I have visited in the past, the Dayton International Airport where I started writing this and the Four Points Sheraton where I finished. You all make the world a better place.

Read more here.

Tuesday, 08 January 2008

The ethics of "stealing" WiFi

Ars Technica has a thoughtful post on the ethics of "stealing" WiFi:

Amazingly, accessing an unsecured, wide-open WiFi network without permission is illegal in some places, and not just in the UK. An Illinois man was arrested and fined $250 in 2006 for using an open network without permission, while a Michigan man who parked his car in front of a café and snarfed its free WiFi was charged this past May with "Fraudulent access to computers, computer systems, and computer networks." On top of that, it's common to read stories about WiFi "stealing" in the mainstream media.

It's time to put an end to this silliness. Using an open WiFi network is no more "stealing" than is listening to the radio or watching TV using the old rabbit ears. If the WiFi waves come to you and can be accessed without hacking, there should be no question that such access is legal and morally OK. If your neighbor runs his sprinkler and accidentally waters your yard, do you owe him money? Have you done something wrong? Have you ripped off the water company? Of course not. So why is it that when it comes to WiFi, people start talking about theft?

Read more here.  I couldn't agree more.

Sunday, 23 December 2007

Cybercrime 2.0

The Washington Post pays tribute to those clever cyber-crooks:

The year 2007 may go down in the annals of Internet crime as the year when organized cyber criminals finally got serious about their marketing strategies -- crafting cyber schemes that were significantly more sophisticated and stealthy.

Security experts say criminals are increasingly trying to ensnare Internet users by lurking on familiar Web sites and using purloined data to craft scam e-mails that are more believable, and thus more likely to entice an unsuspecting user.

"The attackers are now following the same path that businesses have, in trying to advertise themselves in their own special way on the more popular Web sites," said Tom Liston, an incident handler at the Bethesda, Md.-based SANS Internet Storm Center and a senior security consultant with Intelguardians, a Washington-based Internet security consulting group. "They're doing exactly what every business tries to do, which is to find innovative ways to get themselves out in front of as many eyeballs as possible."

Read more here.

Saturday, 17 November 2007

The so-called crime of "wi-fi tapping"

The Times says most of us are criminals:

More than half of computer users have illegally logged on to someone else’s wi-fi connection yet only 11 people have been arrested for the crime, an investigation by The Times has found.

“Wi-fi tapping” or “piggybacking” has boomed in the past few years as hackers take advantage of unsecured computers to access the internet without paying for it.

Police regard it as a serious offence because intruders can download pornographic materials and illegal images without being caught. Only the legitimate holder of the wi-fi account is likely to be tracked down.

Officers are also worried that criminals can use unsecured wireless connections to steal personal details such as passwords and credit card numbers and use them to commit identity theft.

Read more here.  However, Techdirt maintains that there is nothing unethical about borrowing an open wireless connection:

For years, we've been pointing out that there's nothing unethical about borrowing an open wireless connection. Unfortunately, the stories on this subject just keep getting more hysterical. The latest example is a story from the UK that dubs the offense "wi-fi tapping" and reports that more than half of computer users have engaged in the practice, which it claims is illegal in the UK. Now, you might think that the fact that a majority of otherwise law-abiding Brits have engaged in piggybacking would be a reason to re-consider the law against it, but instead the story takes the opposite tack, sternly lecturing readers about the need to abstain from borrowing Internet access. Unfortunately, they never get around to explaining what's supposed to be wrong with it. They point out that people sometimes do illegal things with a borrowed wi-fi connection, but that's like saying you should never allow anyone to borrow your car because they might run someone over with it. And they insist that it's not a victimless crime because "A crime is perpetrated against the person who pays for the internet connection." But that's just circular logic. It's quite possible the owner of the network left it open on purpose, and in any event, if the piggybacker is just checking his email or engaging in light web surfing, the bandwidth being consumed is trivial. The "victim" is unlikely to even notice, and he certainly doesn't suffer any serious harm. Of course, there might be legitimate reasons, either security- or bandwidth-related, why someone would want to lock down his or her network. It's certainly worthwhile to educate users about the pros and cons of leaving your network open, and to provide them with directions for locking down their network if they wish to do so. But the police have much more important things to do than harassing people whose only crime is a compulsive need to check their email.

Read more here.

Thursday, 15 November 2007

Stealing online furniture

A Dutch teenager has been arrested "for stealing online furniture" in the game-world Habbo Hotel:

Dutch police have made their first arrest of an online thief -- a 17-year-old accused of stealing virtual furniture from rooms in the Habbo Hotel -- a popular teenager networking Web site.

An Amsterdam police spokeswoman confirmed a report that the teenager was accused of stealing 4,000 euros (2,833 pounds) worth of virtual furniture by hacking into the accounts of other users.

Read more here (from Yahoo! News).

Tuesday, 13 November 2007

Legal Threats Database

The Citizen Media Law Project, run by the Berkman Center for Internet & Society, has created a Legal Threats Database. Creative Economy describes the Database:

The Legal Threats Database is a catalog of the growing number of lawsuits, cease and desist letters, and other legal challenges faced by those engaging in online speech. This publicly accessible database aims to provide lawyers, citizen journalists, and mainstream media alike with a valuable resource for assessing the validity and possible outcomes of legal threats to online speech, based on actual cases and legal actions.

The database, the first such interactive compendium, contains legal threats from 35 states and 9 countries, and is growing daily. These threats range from copyright infringement lawsuits filed against bloggers to cease and desist letters claiming defamation sent to MySpace users. Visitors to the CMLP’s website can input new threat entries, comment on existing threats, and search the database in a number of ways, including by location, legal claim, publication medium, and content type.

Visit the Database here.  This is an excellent idea and if you are aware of or have received any "legal threats" I would encourage you to add them to the database.

Tuesday, 06 November 2007

Too harsh?

Techdirt asks: do grade-changing hackers deserve 20 years in jail?

Over the years, we've had numerous stories of kids caught changing their grades by hacking into school computer systems.  However, is it worth a $250,000 fine and 20 years in jail?  That's apparently what two men face after hacking into California State University's computer system and changing their grades. The guys have been charged with "unauthorized computer access, identity theft, conspiracy, and wire fraud." Obviously, these guys did a bad thing, but it's hard to see how the possible sentence matches with the crime. Of course, it seems unlikely that any judge would give them the maximum sentence, but even hearing that it's possible just for changing your grades seems ridiculous.

Read more here.  I can't help but agree that 20 years does seem ridiculously excessive ... I'd probably settle with the offending students receiving failing grades for the classes/units they hacked.

Sunday, 28 October 2007

US tops the list of spam-offending countries

ZDNet News covers this latest report into spam:

The U.S. remains the world's biggest spammer, according to security firm Sophos, which on Friday released its quarterly report on the world's top spam-offending countries--dubbed the "Dirty Dozen."

The U.S. came in well ahead of its rivals, according to the report, being responsible for 28.4 percent of all spam. South Korea was second (5.2 percent), followed by China (4.9 percent), Russia (4.4 percent) and Brazil (3.7 percent).

"It seems as though a major American spammer is arrested every other week at the moment but, despite these high-profile law-breakers being put away, the U.S. continues to relay far more spam than any other nation on the planet," Carole Theriault, senior security consultant at Sophos, said in a statement.

"This level of activity can't be attributed solely to the slick operations of a few cash-hungry criminals. The problem is there are thousands of spammers using many thousands of compromised zombie computers in the U.S.," Theriault said.

Read more here.

Monday, 25 June 2007

Copyright extradition

Kim Weatherall has a piece in Crikey today on the extradition and sentencing of Hew Griffiths, an Australian resident, who was extradited to face a US criminal court on charges of conspiracy to commit criminal copyright infringements, and criminal copyright infringement. He pleaded guilty, and last Friday he was sentenced to more than 4 years in jail.  Kim makes this warning:

We should be worried that such extraditions might become more common. If they do, Australians will have to consider, in their online activities, extradition to the US as a possible risk. So much for Australian sovereignty.

Read her full piece at Crikey here (also cross-posted on LawFont here).

Also at LawFont, Kim links to several other comments from Australian bloggers, including posts at The House of Commons and Club Troppo.

Saturday, 16 June 2007

Talk about skewed priorities

Ars Technica reports "with both a grin and a lonely tear ... the latest ridiculous claim from the copyright-trumps-all brigade":

NBC/Universal general counsel Rick Cotton suggests that society wastes entirely too much money policing crimes like burglary, fraud, and bank-robbing, when it should be doing something about piracy instead.

"Our law enforcement resources are seriously misaligned," Cotton said. "If you add up all the various kinds of property crimes in this country, everything from theft, to fraud, to burglary, bank-robbing, all of it, it costs the country $16 billion a year. But intellectual property crime runs to hundreds of billions [of dollars] a year." Cotton's comments come in Paul Stweeting's report on Hollywood's latest shenanigans on Capitol Hill.

There are two obvious rejoinders to such a ridiculous statement. The first is that "hundreds of billions of dollars a year" is a myth. The MPAA's own cherry-picked study from Smith Barney in 2005 put their annual loss at less than $6 billion, and while the music and software industries also like to publish trumped-up claims, the figures are nowhere near hundreds of billions of dollars each year.

The second objection, of course, is that the traditional crimes Cotton describes often involve the destruction of people's lives along with property. Burglaries can result in homicide, as can fraud (ask the preacher's wife), while bank robbery is without a doubt a dangerous game. Those crimes also typically involve real property. For better or for worse, real property should not be confused with intellectual property, which is not subject to the same rules of scarcity. Stopping a bank heist is, without a doubt, a far more important matter than stopping the bootlegging of Gigli or Spiderman 3.

Chances are you would prefer that the cops spend their efforts protecting people from rampant home burglaries than chasing down kids with pirated music on their iPods.

Read more here.

Monday, 07 May 2007

Should online defamation be criminalised?

Susan W Brenner asks whether online defamation should be criminalised:

Brenner, Susan W., "Should Online Defamation Be Criminalized?" Mississippi Law Journal, Vol. 76, 2007. Available at SSRN: http://ssrn.com/abstract=982418

Abstract: In 1961 the drafters of the Model Penal Code decided that defamation should not be criminalized, even though libel was a common law crime. They based their decision on two assumptions: One was that defamation does not inflict “harm” of a severity comparable to rape or murder; the other was that while defamation concededly inflicts a lesser “harm,” the likelihood of its being inflicted was too slight to justify the imposition of criminal sanctions. This article argues that our increasing use of cyberspace makes the second assumption increasingly problematic, and therefore requires that we revisit the need to criminalize online defamation.

(Hat tip: Law Blog Metrics.)

Saturday, 05 May 2007

Virtual rape

In a provocative column for Wired, Regina Lynn asks: is virtual rape a crime?

Unfortunately, rape in virtual spaces is not unheard of. And I'm not talking about the "consensual" rape built into some games (although if you're interested in that debate, GameGrene has a good conversation about it).

There is no question that forced online sexual activity -- whether through text, animation, malicious scripts or other means -- is real; and is a traumatic experience that can have a profound and unpleasant aftermath, shaking your faith in yourself, in the community, in the platform, even in sex itself.

Our laws say that an adult subjecting a teenager or child to sexual words, images or suggestions on the internet is preying on their mental and emotional state in a sexual way. Even if you never try to meet the minor in person, and even if you never touch them or expose your naked self to them, it is a crime to attempt to engage sexually with a minor.

If it is a criminal offense to sexually abuse a child on the internet, how can we say it is not possible to rape an adult online?

But I have a hard time calling it "rape," or believing it's a matter for the police. No matter how disturbed you are by a brutal sexual attack online, you cannot equate it to shivering in a hospital with an assailant's sweat or other excretions still damp on your body.

...

Rape is the ultimate perversion of sexual intimacy. Like sex, rape has mental and emotional elements that go beyond the body and the damage to the mind and spirit generally takes much longer to heal than the body.

But that doesn't make the psychological upheaval of virtual rape anywhere near the trauma of real rape. And I can't see us making virtual rape a matter for the real-life police.

It's a shitty thing to do to someone. But it's not a crime.

Read the whole column here.

Thursday, 08 February 2007

A teacher's worst nightmare

PC World's Steve Bass outlines the scenario:

Julie Amero, a substitute teacher in Norwich, Connecticut, has been convicted of impairing the morals of a child and risking injury to a minor by exposing as many as ten seventh-grade students to porn sites.

It's a short story: On October 19, 2004, Amero was a substitute teacher for a seventh-grade language class at Kelly Middle School. A few students were crowded around a PC; some were giggling. She investigated and saw the kids looking at a barrage of graphic, hard-core pornographic pop-ups.

The prosecution contended that she had used the computer to visit porn sites.

The defense said that wasn't true and argued that the machine was infested with spyware and malware, and that opening the browser caused the computer to go into an endless loop of pop-ups leading to porn sites.

Amero maintains her innocence. She refused offers of a plea bargain and now faces an astounding 40 years in prison (her sentencing is on March 2).

Simply incredible.  Read more, including detailed analysis of the case, here.