I was going to post on the conviction of Terry Childs, the San Francisco network administrator who locked out all of the other network administrators and then quit his job. He refused to give up his username and password and was finally convicted of felony computer tampering. It’s a pretty interesting story. He claims that he did it to show the weaknesses in the city’s network security. Considering the city was locked out of its own system for 12 days, he may have made his point.
But overshadowing the story is the completely baseless fear-mongering by InfoWorld’s Paul Venezia. In discussing the conviction, he states:
“[S]houldn’t the letter of the law be applied to other “denial of service” problems caused by the city while they pursued this case? In particular, the person or persons who released hundreds passwords in public court filings in 2008 be tried for causing a denial of service for the city’s widespread VPN services? … You may argue that the release of those documents was a mistake, but people go to prison for mistakes all the time. Negligence is not a defense. … If so, there are suddenly thousands of IT workers all over the country that are now guilty of this crime in a vast number of ways. If the letter of the law is what convicted Terry Childs, then the law is simply wrong.”
Wow, this guy writes for a major Internet news site. It did take me five minutes to find, but I looked up the law that Childs was convicted under, California Penal Code Section 502. I won’t quote the whole section here, but “Knowingly accessed” or “Knowingly … used” are requirements for all of the violations. So, despite Mr. Venezia’s baseless assertions, negligence is a defense, thousands of IT workers are not suddenly felons, and the letter of the law is correct.
A person must have a “guilty mind” (mens rea) to be convicted of most crimes. The level of guilt is also important. Many states recognize four levels of mens rea: purposefully, knowingly, recklessly, negligently. Those are listed descending order. Therefore, if a law requires a “knowingly” level of mens rea, people who negligently commit the same action are not guilty of violating the law. You would think that the staff at InfoWorld would put in a little research effort before they start telling IT workers that they are possible felons.
What makes this worse is that Mr. Venezia has a much larger audience than I do AND he was linked by Slashdot.org. Literally millions of people will read his article and think that the law is criminalizing mistakes by IT administrators. Maybe I should start making baseless, fear-mongering accusations too. Stay tuned for tomorrow’s post where I will discuss how SQL queries violate the Patriot Act.