[ISN] When Gaming is a Gamble

[InfoSec News]

http://www.securityfocus.com/columnists/229

By Mark Rasch 
Mar 22 2004

As a computer security expert, you are hired by an offshore casino in
the Cayman Islands to develop a security and authentication
technology. Your client is a licensed Cayman casino that has been
operating for over 30 years, and wants to make a foray into online
gaming.

You perform a standard penetration test, a security assessment, an
architecture and code review, help establish the SSL and
authentication protocols, and help with firewall implementation and
monitoring -- you know: the full suite of security services. You test
the beta site and its configuration, and give your stamp of approval.

With check in hand, you return to America and days, weeks or months
later, the site goes active. A few weeks after that, you are visited
by an FBI agent with a federal grand jury subpoena seeking records
relating to your security work. Weeks after that, a knock on the door
announces the arrival of deputy U.S. Marshals with a warrant for your
arrest for violation of 18 U.S.C. 1084 and 18 U.S.C. 2.

Your computer security consulting may have earned yourself a one-way
ticket to the hoosegow.

U.S. law generally makes it a crime if you are "engaged in the
business of betting or wagering" and you "knowingly [use] a wire
communication facility for the transmission in interstate or foreign
commerce of bets or wagers or information assisting in the placing of
bets or wagers on any sporting events, or contest..." This statute, 18
USC 1084, is called the "wire act" and has been applied for more than
70 years to go after offshore bookies who seek to evade U.S. law by
locating overseas.

However, Internet gambling is legalized in Liechtenstein, Gibraltar,
Australia, New Zealand, Costa Rica, and a few Caribbean islands. So
the first question is whether Internet gaming by a company in a
country that permits it is a violation of U.S. law. The U.S. Justice
Department argues that it is -- and has the arrests and convictions
(well, guilty pleas) to prove it. The theory is that entities that are
in the business of betting or wagering (even where this is legal), who
use international communications facilities like the Internet, and in
some way "enter" or "affect" the United States or U.S. citizens, are
violating the Wire Act.

What does this mean to you, the security professional? You aren't in
the "business" of betting or wagering. You haven't taken any bets over
international wires.


Living Vicariously

A recent New York Times article reports that U.S. prosecutors are
beginning to use the federal aiding and abetting statute to
investigate and potentially prosecute those who, through perfectly
lawful activities, assist online gaming companies that flout U.S. law.  
This includes banks, broadcasters, ISPs and advertisers who help these
casinos get their message out. The same net could easily snare
information security professionals who, either deliberately or
inadvertently, assist the gamers in their activities.

This represents a potentially dangerous trend for information security
professionals. Security, by its nature, is intended to facilitate
concealment. It ensures that only those authorized to "enter" may do
so. If properly implemented, it can protect the confidentiality of
communications, prevent unwanted parties from accessing files, and
even arrange for files to "self destruct" when improperly accessed.

With this power comes some responsibility, and some duty to inquire
about the use of the technology. Clearly if a narco-trafficker in
Bogota or a member of Al Qaeda in Afghanistan seeks assistance in
concealing their activities, the moral as well as legal answer is a
resounding, "no." In fact, in the case of the terrorist (or a group
designated by the government as a terrorist organization), providing
"material support" is a criminal offense, even without the aiding and
abetting language.

But the U.S. government's assault on those who assist gamers presents
a much more difficult issue. It essentially imposes responsibility on
the security professional to inquire of his or her clients the reason
they are seeking confidentiality, integrity or availability, and to
make an independent judgment about whether these reasons may violate
the laws of any nation that may touch the networks -- all under
penalty of criminal prosecution.

Thus, a network administrator for Arthur Anderson who provides copies
of Norton utilities runs a risk (albeit a small one) of indictment
when the software is used to wipe files relating to Enron.

The criminal conspiracy statute, 18 U.S.C. 371, is known as "the
prosecutor's friend" because of its talent for incarcerating people
even tangentially connected to criminal activity. Yet even this
statute requires the government to show an agreement to commit a
crime. The aiding and abetting statute requires no such proof. It only
requires the government to show that, with knowledge (express or
implied) that a party intends to commit a crime, the defendant
provided material support for that person.

And the punishment for aiding and abetting is the same as for
committing the underlying crime.

Applying this rationale to Internet crimes and information security
professionals is a dangerous and inherently slippery slope. The
information security professional who sets up a secure website for
people to protest against Chinese occupation of Tibet runs the risk of
criminal and capital punishment in China. The man who sets up the
secure payment system for a Norwegian purveyor of dirty pictures may
be prosecuted in the United States for a vicarious violation of U.S.  
"indecency" laws.

A line must be drawn -- clearly. If a person with intent to facilitate
criminal activity deliberately does so, then it's fair game to
prosecute. But we should not impose on the security professional a
duty to know what the laws of the world are as applied to Internet
activities. Hell, even us lawyers can't keep track.
 
 
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the
Justice Department's computer crime unit, and now serves as Senior
Vice President and Chief Security Counsel at Solutionary Inc.