Smith, 30, of Aberdeen, N.J., was arrested last Thursday, following a national manhunt. He will be arraigned in Monmouth County Superior Court at 7 a.m. PDT Thursday. According to New Jersey Deputy Attorney General Christopher G. Bubb, Smith's arrest was made as a direct result of information provided by America Online Inc.
The online services company led investigators to a phone number and then the newsgroup where the macro virus was first posted. A controversial Microsoft document identification technology -- the Global Unique Identifier, or GUID -- also appears to have played at least a minor role in the Melissa manhunt.
David Sobel, general counsel for the Electronic Privacy Information Centre, said the virtual tracking of Smith gave an indication of how electronic identifiers such as Intel's ID chip could be used by law enforcement agencies -- and set a "potentially frightening" precedent. "Cases like this always occur in the context where people might agree with the outcome," Sobel said -- such as catching the person believed responsible for a damaging virus.
But, he asked, what if China used the same identifying technologies to track dissidents? "There are lots of human rights implications," he said. Gerry Jenkins -- a Chicago-based Internet lawyer with Goldberg, Kohn, Black, Rosenbloom and Moritz -- said Smith's arrest could be a case of hard cases making bad law.
While it's very important to demonstrate to virus writers that if they write damaging code they will be caught and punished, Jenkins said: "The problem is that there's no guarantee that companies won't do these kind of things for less lofty reasons. There's no guarantee that privacy policies won't change based on what is in their best interests at the time. "The process becomes legitimised -- you have created a precedent." Jenkins said AOL, which was roundly criticised last year for inadvertently releasing a user's identity to U.S. Navy investigators, had a policy to protect customers' privacy. "I think they made the decision that David Smith wasn't a person they wanted to protect," he said. Jennifer Granick, a San Francisco criminal defence lawyer who specialises in high-tech issues, said the Smith case "definitely" broke new ground.
"It's not new that AOL cooperates with law enforcement in investigations, but some of the elements of the investigation are new, such as the GUID," she said.
"A case like this points out to the average consumer how the software in their lives can be compromising to their privacy," she added. "That's a serious area of concern."
At least one online privacy expert, however, wasn't alarmed by the Smith case. David Sorkin, professor at Chicago's John Marshall Law School and associate director of the Centre for Information Technology and Privacy Law, said he didn't see the Smith case as a case study in online privacy. The use of tracking technology to apprehend a suspect was legitimate, Sorkin said, so long as investigators had probable cause and obtained the appropriate court orders.
Of greater concern to Sorkin is the fact that different jurisdictions even within the United States have different standards regarding electronic privacy. "The fact that they were able to, and did use, the identifier and Internet logs used by America Online demonstrates the extent to which peoples' movements on the Internet can be tracked -- and the potential dangers," Sorkin said.
EPIC's Sobel said he would follow Smith's case "very closely" -- especially if it goes to trial. "I think the case, generally, is going to give us an interesting glimpse into how individuals can be tracked on the Internet. The GUID is one of those, but so is the record-keeping procedures of ISPs like AOL," Sobel said. "It's one of the first case studies that we are going to have of the use of various devices to combat anonymity."
Take me to the Melissa Virus special.