From: Paul Robertson (compuwar@gmail.com)
Date: Wed Jun 14 2006 - 15:04:08 EDT
On 6/9/06, Campbell Murray <campbell@encription.co.uk> wrote:
> Hi,
>
> I have been following this list closely and have taken some legal advice
> from colleagues within the UK Police forces and UK solicitors on this
> matter. The position seems to be quite clear.
This depends heavily upon the jurisdiction, laws being broken and
level of surity that a law is being broken...
>
> A) If you discover illegal activity you have an obligation to report this to
> the proper authorities immediately regardless of contractual obligation. In
> short your legal obligations supersede any contractual obligations you may
> have with a client or employer.
This is heavily jurisdictional, and again, may depend on civil vs.
criminal law- and level of surity. For instance, do you assume that
all musical content found on an mp3 server is illegal, and do you
report it? It's not as cut and dried as it would appear, especially
if you're not an investigating authority or acting on behalf of one.
Worse-yet, the wrong move may prejudice a case when there's a real bad
actor and a real victim if you're found to be acting as an agent of
law enforcement and don't follow the correct procedures.
>
> B) If you choose to report this to your client and let them deal with it you
> are again obliged to make sure that they DO report it.
>
> C) If an offence is not reported and it is later discovered you will find
> yourself liable for a charge of 'aiding and abetting' the original offence.
>
Again, this is situational. In any case, your motivation should be to
do the right thing because it's the right thing, not because you might
have downstream issues.
If you're wrong about the legality of something, and you do report it,
it's possible that you could open yourself up to civil liability
unless you've adaquately covered yourself in the contract. My
contracts generally allow me to err on the side of caution, for
instance on machine-level forensics work, I generally use phrasing to
cover things which in my opinion may be illegal, and giving me the
ability to report it to any relevant agency I deem appropriate.
I've had some long and involved discussions over what does and doesn't
constitute child pornography according to US statutes, as well as what
my legal reporting obligations are with my local U.S. Attny's office
and local FBI field office.
While I'm reasonably well informed, it's not my job to determine if a
particular image of a particular subject *is* child pornography, or if
it *might be* child pornography- I can't always reasonably know the
age of a potential victim from an image, and once the images get
questionable, my contracts allow me to call the appropriate
authorities and make a report. After that, they'll determine if
something is prosecutable (which is a higher standard than illegal)
and determine what I need to do next. If I'm wrong, and it's not
really child pornography (virtual, aged enhanced, doesn't meet the
standard, over age model,) my contracts cover me just as much as if it
meets the standard but isn't prosecutable or if it's going to be
prosecuted.
> The over riding theme that I have discovered is that regardless of any
> contracts you have with your employers or clients in this situation YOU have
> a responsibility to report the incident. If you do not you are committing
> an offence yourself.
You miss my point, which I admit wasn't as clear as it should have
been - I'm of the opinion that you have an obligation to cover this in
your contracts so that when the client hires you, they're aware of the
position, ethics and process you'll take. That doesn't supercede your
own legal obligations, but may protect you in borderline cases.
Paul
-- fora.compuwar.net ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com for details. ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:06 EDT