Hackers defense: The computer did it
SAN FRANCISCO, California (Reuters) -- Prosecutors looking to throw the book at accused computer hackers have come across a legal defense expected to become even more widespread in an era of hijacked PCs and laptops that threatens to blur the lines of personal responsibility: the computer did it.
In one case that was being watched as a bellwether by computer security experts, Aaron Caffrey, 19, was acquitted earlier this month in the United Kingdom on charges of hacking into the computer system of the Houston Pilots, an independent contractor for the Port of Houston, in September 2001.
Caffrey had been charged with breaking into the system and crippling the server that provides scheduling information for all ships entering the world's sixth-largest port.
Although authorities traced the hack back to Caffrey's computer, he said that someone must have remotely planted a program, called a "trojan," onto his computer that did the hacking and that could have been programmed to self-destruct.
In two other cases, British men were accused of downloading child pornography but their attorneys successfully argued that trojan programs found on their computers were to blame.
In all three cases, no one has suggested that the verdicts were anything other than correct.
Some legal and security experts say the trojan defense is a valid one because computer hijacking occurs all the time and savvy hackers can easily cover their tracks.
"I've seen cases where there is a similar defense and it could work or not work based on corroborating evidence" such as how technical the defendant is, said Jennifer Stisa Granick, clinical director of the Sanford Law Center for Internet and Society.
It is relatively easy to trace a hack back to a particular computer, but proving that a specific person committed the crime is much more difficult, she and others said.
Someone other than the computer owner could use the machine, either by gaining physical access or remotely installing trojan software that was slipped onto the computer via an e-mail sent to the computer owner or downloaded from a malicious Web site, they said.
"On the one hand, this is 100 percent correct that you can not make that jump from computer to keyboard to person," said Bruce Schneier, chief technology officer at Counterpane Internet Security based in Cupertino, California. "On the other hand, this defense could [be used] to acquit everybody.
"It makes prosecuting the guilty harder, but that's a good thing," he added.
Mark Rasch, former head of the U.S. Department of Justice computer crime unit, agreed.
"The more difficult problem is people could actually go to jail for something they didn't do" as a result of trojan programs, said Rasch, chief security counsel for computer security provider Solutionary. "If I want to do something illegal I want to do it on someone else's machine."
But Dave Morrell, a computer consultant for the Houston Pilots who worked with the FBI after the attack, said the defense also opened the door to hackers.
"It sets a precedent now in the judicial system where a hacker can just claim somebody took over his computer, the program vanished and he's free and clear," he said
Michael Allison, chief executive of computer forensics firm Internet Crimes Group in Princeton, New Jersey, said experts should have been able to prove if there had been a trojan on the computer in question.
The defense is likely to become more widespread especially given the increasing use of "spyware" programs that can be used by hackers to steal passwords and essentially eavesdrop on a computer user, experts said.
"The emergence of spyware will only enhance these claims," said Michael Geist, a law professor at the University of Ottawa Law School in Canada. "We're going to have to sort through the level of responsibility a person has for operating their own computer."
The trojan defense has not yet been put to the test in the United States.
Copyright 2003 Reuters. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.