Trojan Horse Defence Valid

A jury in the Southwark Crown Court, London, has acquitted a teenager of various cyber crimes after his counsel successfully used the 'Trojan Horse' defense. Aaron Caffrey, aged 19, was charged with launching a denial of service (DoS) attack from his personal computer against a mainframe computer owned by the Port of Houston in Texas, United States, but claimed that the attack was not his doing but that of a rogue hacker who infiltrated his computer and used it as a base for the attack.

Caffrey was able to dodge criminal provisions in the Computer Misuse Act 1990, like the defendant in Schofield v R. In that case, a man accused of possessing 14 images of an illicit, pornographic nature was acquitted by claiming that the images were not downloaded onto his computer by him, but rather by an unknown malicious agent.

Outside court Mr Caffrey's barrister, Iain Ross, said his client was "delighted" he had been cleared but he had been left "very nervous and a little bit shaky". He went on: "He wishes to say that this ordeal has been a dark cloud hanging over him for the last two years. He had always insisted he was not guilty and that he was a victim of a criminal act rather than being a criminal himself."

Many have criticised the defense as allowing cyber criminals to evade conviction, but I don't think this argument applies to Caffrey's case. Prosecutors failed to establish motive and intent to commit a crime (vaguely citing 'revenge' against an online chat user who insulted his American girlfriend), and evidence raised by the defense seems to justify the jury's finding that it was not 'beyond reasonable doubt' that the attacks were knowingly committed by the defendant. The jury obviously found it compelling, deliberating for only 3 hours before returning with a not guilty verdict.

Of course, it seems somewhat suspicious that Aaron himself was the founder of a British hacker league called Allied Hax0r 31337, and that there was (miraculously) no evidence at all that his computer had been compromised, but evidently this was sufficient to satisfy reasonable doubt. There were no log files (granted, though, it was a Windows machine with many logging options disabled, and many Trojans do clean up after themselves), and Caffrey himself admitted no evidence of suspicious activity until he was arrested in January after authorities traced the attack to his home in Shaftesbury, Dorset.

The defense does seem to hold up to scrutiny, but needs to be tempered with common sense. Computer users do need to take some responsibility for how their property is used by others, but this shouldn't unfairly disadvantage those without the knowledge to protect themselves. Several times a week I get calls from clients or friends wondering why their computer is suddenly displaying popup advertisements everywhere or trying to dial a foreign phone number. When coupled with the realisation that a good black hat (cracker) can very easily manufacture activity logs utterly indistinguishable from the real thing, falsify configuration files, plant hacking scripts and files on a user's computer without their (direct) consent, and launch attacks remotely with a frightening amount of ease, there is a clear need for the Trojan Horse defense. These people simply don't have the knowledge to protect themselves against an increasingly hostile internet filled with spyware and viruses.

A side note:

Latin already had a word viri, but it was the nominative plural not of virus (slime, poison, or venom), but of vir (man), which as it turns out is also a 2nd declension noun. I do not believe that writers of English who write viri are intentionally speaking of men. And although there actually is a viri form for virus, it's the genitive singular, not the nominative plural.

[...] Those confused souls who write *virii are tacitly positing the existence of the non-word *virius, and declining it as though it were like filius... *Virii is still completely silly, so don't do that; otherwise, everyone will know you're just a blathering script kiddie.

But I digress.

To draw an analogy, if my car were to be stolen, I could not be held responsible for criminal or tortious acts committed by the thieves (consider, for example, the owner of the car used by the plaintiffs in Gala v Preston). Note, however, that this is not the situation in Caffrey's case. The defendant admitted to being a member of a cracker group and was clearly aware of the risks associated with computer security, so a more appropriate analogy may be that of leaving an automatic weapon unsecured. (Further, the defendant in this case was using Microsoft Windows, so it's more like the weapon was left unattended, loaded, and in a school playground.)

At any rate - as a matter of policy - it is no excuse for the owner of an object possessing actual knowledge of its inherent capability to cause serious harm to third parties, who has the required knowledge and skill to take measures to prevent this harm being caused, and where the measures of prevention are cheap and effective, to not take any steps to prevent unauthorised use. Of course, this is hardly a wrong for which criminal action is justified - if, indeed, Caffrey is telling the truth. The Port of Houston may, however, wish to bring a civil action in negligence against the defendant for failing to take reasonable care to prevent a foreseeable risk of harm. A civil suit seems the best way to deal with Caffrey's contumelious disregard for the safety of his fellow netizens without causing undue criminal ramifications.

Legal commentators are predicting "immense implications" for the use of this defense in future cybercriminal prosecutions, prompting some to call for a system of court-appointed expert witnesses to evaluate the plausibility of the defense by performing a detailed technical examination of the facts of the case at bar. Computer forensics will indeed be a growing area (and - ironically - an interesting career path for hackers-turned-security-experts), but courts need not baulk at the technical nature of the defense. In a vast majority of cases, careful analysis of the evidence by each party is sufficient to determine its applicability.