This is one of eleven chapters contained in The Internet and Business: A Lawyer's Guide to the Emerging Legal Issues, published by the Computer Law Association. Copyright © 1996 by The Computer Law Association, Inc. All Rights Reserved. ISBN 1-885169-05-1. It is the on-line version of a short book that provides an overview of the key legal issues facing Internet users and providers. It is intended for attorneys who advise business clients about Internet use issues.
Chapter Eleven reviews the history of criminal prosecutions related to computers and on-line services, and describes the current state of the law relating to computer crime.
Cyberspace. The term conjures visions ranging from William Gibson's Neuromancer science fiction classic, to Ridley Scott's Blade Runner, to Sandra Bullock in The Net. It is touted as the new electronic marketplace -- offering wave after wave of opportunities and possibilities. It is true that the Internet offers tremendous opportunities for electronic commerce, sharing of information, performing research, and communicating quickly and effectively with others. However, along the information superhighway are information superhighwaymen. They do not shout the electronic equivalent of "stand and deliver." Rather, computer criminals, organized crime figures, drug cartels, international money launderers, hackers and "cyberpunks" are all roaming the Internet -- seeking money, information, or simply an opportunity to wreak havoc and destruction.
While computer technology permits business to work more efficiently, communicate more effectively, and become more productive, the computer, as a tool, permits those with less benevolent intention to evade the law. What's worse, with the advent of new information technologies, more information -- and more sensitive information -- is stored in a manner which makes it more accessible to more individuals -- not all of whom have purely wholesome motives. Computer hackers, acting on their own or for hire to others, are becoming increasingly sophisticated and knowledgeable, and therefore more difficult to detect and prosecute. The challenge of international cooperation and coordination of investigations, coupled with diverse, overlapping and sometimes contradictory computer crime laws, regulations and criminal procedures, makes enforcement of criminal statutes even more difficult -- especially when computer crime transcends national borders.
Much has been written about the phenomenon of "computer crime," but there is little agreement on its definition. Statistics on the scope of the problem vary widely. Clearly, the hacker who breaks into a computer and destroys files would, if guilty of any offense, be guilty of a "computer crime." But what about the bank employee who uses a computer to create a fictitious bank account into which she funnels embezzled bank funds? Or the telemarketing executive who uses a computer's word-processing and mail merge features to send out -- either by "snail mail" or by electronic mail -- fraudulent solicitations? Is an electronic chain letter fundamentally different than one sent out through the Postal Service?
Computers and computer bulletin boards have been used to facilitate child pornography and child abduction rings, software piracy, theft of cable services, theft of telephone services, computerized stalking, terrorist rings, narcotics dealing, as well as other forms of criminal activities including plain theft. As more white collar businesses become computerized, the process of collection of evidence -- through search warrants, subpoenas and other discovery devices -- even in the non-computer crime field, has increasingly required a detailed knowledge of the technology involved in the collection, storage and retrieval of information. Indeed, virtually every type of crime which can be committed can be facilitated through the use of computer or information technologies. In many cases, the use of the computers does not alter the fundamental character of the offense -- bribery remains the same even if accomplished through e-mail or electronic funds transfers, although the use of the computer may affect the degree of the offense.
Computers provide not only a quantitative change in the way people conduct business -- legitimate and illicit -- but they also represent a qualitative change. Take as an illustration the phenomenon of e-mail. Like regular mail, it provides a mechanism for sending a message from one person to another. It also provides a means for sending files -- documents or software programs -- across computer networks. However, e-mail can also be used to transmit newsletters -- like a publishing house. It can be used for instant communications, like a telephone. It may be used to transmit sound, photographs or video -- either in real-time, or in a store and forward mode. Unlike regular mail, e-mail may be stored remotely from the intended recipient, and may be accessible to many more people. Do users -- senders or recipients -- have the same expectations of privacy in e-mail as they do in physical mail? As in voice-mail? As in other documents? Are such electronic documents "records?" Such issues may depend upon the nature of the message, and the particular context in which it is sent or received.
Just as the character of information is altered by the use of computers, the legal paradigm also must change with the new technology. As with all changes in technology and society, the law -- and in particular, the federal law -- has struggled to keep up with advances in the way people do business. Computer crimes have analogues in traditional crimes like trespass, larceny, destruction of property, but these common law concepts are inadequate to proscribe the new, high technology crimes. Moreover, computer criminals are not of a discrete type. They range from the computer world equivalent of a juvenile delinquent, the hacker or cyberpunk, to the sophisticated white-collar embezzler attacking financial institution computers, and include cyberterrorists, extortionists, spies, petty thieves and joyriders. In addressing the problem of computer crime, laws must be expansive enough to deter unlawful activities, while narrow enough to recognize the many legitimate uses of computers and computer networks.
Nowhere is this dichotomy more evident than in the application of the criminal law to the expanding technologies of cyberspace. Computer crime has probably existed since the advent of computers -- much as "telephone crime" has existed since the advent of the telephone. Once again, the law attempts to follow technology -- often with unexpected or absurd results. In order for a method of attack -- on the Internet, or on any computer itself -- to be criminal the law must define it to be so. Especially in the area of criminal law -- where the government has the ability to deprive the individual not only of property in the form of fines, orders of restitution, and orders of forfeiture, but also has the ability to deprive the individual of liberty itself, and in limited circumstances of life -- the law must tread gingerly upon the rights of these individuals. As such, the criminal law has applied the so-called "rule of lenity" and imposed the burden of proof and persuasion on the prosecution. This means that, in order to impose a criminal sanction, the law must clearly and unambiguously define which activities are permitted and which are proscribed, and any doubts concerning the application of the law are to be resolved in favor of the accused. If the law is too ambiguous to be understood or to define the nature of the proscribed conduct, the entire statutory scheme may be struck down as "void for vagueness." In the western adversarial system, the government has the burden of proving, beyond a reasonable doubt, each of the required elements of the offense, including jurisdiction, venue, competence, and intent, as well as the actions which set forth the criminal offense.
This is especially true in the area of computer crime where Congress and state legislatures regulate based upon perceived problems with existing regulations, or to quell fears of conduct which may or may not be truly "criminal" in nature. Indeed, despite the media hype surrounding computer crime, there exists no generally accepted definition of such an offense. Perhaps the most workable definition is that proposed by Donn Parker of SRI International: that computer crime is a criminal offense for which the knowledge of computers is necessary for the successful commission of the offense. Such a definition distinguishes true computer crimes from computer related crimes in which computers are used as tools or targets of the criminal offense, but for which knowledge of the workings of a computer is not essential for the successful commission of the offense. Thus, a chain letter typed on a computer's word processing software and thereafter mailed to victims of a fraudulent solicitation is probably not a computer crime, despite the fact that knowledge of the word processing software facilitated the commission of the offense. A similar chain letter sent out over the Internet, and soliciting electronic funds transfers, comes closer to a true computer crime, especially if responses are electronically sorted or manipulated.
Notice, however, the tautological reasoning inherent in the definition of computer crime. It presupposes that the conduct is initially criminal, and that a computer is used in this conduct. As noted above, however, conduct is not inherently criminal -- it is defined as such. Once again, the law is required to place old wine in new bottles, and to look to traditional and common law concepts of crime to define proscribed activities.
This article will focus on the new breed of computer crimes -- those offenses whose character or venality is dependent upon the new technologies.
1. Problems for the Prosecutor
One of the unique features of computers is the fact that they provide the user with a degree of anonymity -- or, more accurately, pseudonymity -- which is unparalleled in the non-electronic environment. The network surfer can truly be any person he or she wishes to be, either by masquerading as another user, or by defining oneself as one sees fit.
This anonymity has significant criminal law consequences. Not only does it make the task of detecting computer crimes and the offenders more difficult, it complicates the various proof issues presented at a computer crime trial. For example, if a user named John Smith at Gigantic State University were found to have been responsible for the propagation of a computer virus, and a copy of the virus was located in a computer account at JSmith@gsu.edu, the electronic address for J. Smith at Gigantic State University, this would be circumstantial but not conclusive evidence that that J. Smith was the author or propagator of the computer virus. However, with the ability of other users to masquerade as J. Smith, and the concomitant ability to store files on his computer account, conclusive proof of the authorship of the computer virus is problematic.
The problem of anonymity is complicated by the fact that, in computer crime prosecutions, the integrity of computerized data is frequently in question. On the one hand, the government contends that the computerized information, and the computer system that contains it, which were the subject of attack by the criminal defendant, are vulnerable to alteration or destruction; on the other hand, the bulk of the evidence presented is frequently generated by the very same corrupted computer system.
2. Impact on User's Behavior
In addition, the anonymity afforded users of computer networks causes them to attempt offenses which they would never contemplate except in cyberspace. One reason for this is the lack of a coherent ethical structure in cyberspace. In the world outside cyberspace, there has been established, through years of experience and law, an ethical structure of acceptable and unacceptable behavior. Take the example of a hotel. A guest at a hotel knows that she may go into her own room so long as she continues to pay the bill, and is not such a nuisance as to make her vulnerable to expulsion. Similarly, public areas of the hotel -- such as the lobby, bar and restaurant, are generally available regardless of whether or not one is a guest of the hotel. Finally, the private areas of the hotel -- private offices, administrative offices, loading docks, kitchens and the like are generally inaccessible. We know these things without anyone pointing them out to us -- this knowledge comes from experience.
Cyberspace has no common ethical experience. A "guest" to a host computer may or may not perceive a difference between accessing certain files and not accessing others. The boundaries of acceptable behavior, or even ethical behavior, in cyberspace are not yet clearly defined. Nor does there exist a consensus on what types of information can and should be considered property on the network, and what constitutes theft or interference with this property. Indeed, there is no consensus on the propriety of password sharing, and it is frequently difficult to determine whether a user's use of a computer or computer system is authorized, and if so, by whom? While a consensus may exist among computer users that it is wrong to access and read the e-mail of another, real questions arise about whether the criminal law should be used to enforce this code of conduct.
Long before there were computers and computer crimes, there were criminal offenses. These offenses included the obvious malum in se offenses of murder, larceny, and burglary, and the malum prohibitum offenses related to intellectual property. As noted above, computer technologies were initially used to facilitate ordinary criminal offenses like embezzlement and theft. Early computers were dedicated mainframes -- and users were generally directly wired into the computers. Thus, early computer crime cases were characterized by authorized users manipulating computer programs to, for example, steal money from a bank or other employer.
Other typical early computer crimes included attacks on telephone systems and networks (so-called "phrack" attacks, from the merger of phone-phreaks and computer "hacks") or diversion of money through electronic funds transfers. Because early users of computers were highly centralized and not very interconnected, the opportunity for computer crime tended to be limited to misuse of systems by authorized users. The nature of early computer offenses likewise was limited by the talents of the users and the nature of the non-distributed computer systems.
Prior to the advent of particularized computer crime law, prosecutors and judges were forced to deal with computer miscreants by resorting to ordinary criminal law concepts of theft, destruction of property, trespass and criminal mischief. At that time, computers tended to be large, dedicated stand-alone machines, and access to these computers was generally restricted by limiting access to the physical terminals which were connected to the mainframe computer. As a result, virtually all computer crimes were committed by insiders or quasi-insiders. Legitimate computer users with authorized access to the computers, software developers, vendors and other authorized users were the primary perpetrators of these computer crimes, which generally involved employee thefts of data, information or other "property" on the computer. Other forms of computer misuse involved the willful destruction of the software, hardware or data in the computers, generally in retaliation for employee discharge or as a result of disputes over software license agreements.
As a result, early misuse of computers tended to be small, isolated incidents. The types of misconduct in which an employee might engage in the real world were paralleled in cyberspace. As an employee might look up another's employment file or other confidential information, or steal goods from an employer, or run a side business using the employer's resources, these activities could also be conducted in cyberspace.
Early computer crime prosecutors soon found problems in employing traditional common law concepts to the new electronic media. Consider the following scenario: A former employee of ABC company, a defense contractor, now works for XYZ company, a competitor. His former employer has never deleted his computer account, and he accesses that computer to obtain valuable competitive bid information which he uses for the benefit of his new employer. Has the employee committed a criminal offense (putting aside the criminal antitrust offenses)?
It is clear that the former employer's bid information is sensitive. It is not as clear that such sensitive information is protected by the law. Moreover, it is not even clear that what the former employee did constituted a criminal offense. Was the bid information "stolen?" Clearly it remained in the former employer's computer, and remained available for the former employer's use. Is the bid information "property" subject to "theft" at all? If so, what types of information are "property?" Must the information be "confidential" to be "property?" If the former employee accessed the computer and viewed the internal phone directory (which might be publicly available) would a "theft" prosecution be warranted? Must the employee know of the confidential -- and hence protected -- character of the information in order to be guilty of a criminal offense? These questions continue to challenge today's prosecutors.
Before the advent of particular computer crime legislation, the most common federal statutes used to prosecute computer criminals were the wire fraud statute, which proscribes the use of the interstate wire communication facilities in furtherance of any scheme or artifice to defraud, and the Interstate Transportation of Stolen Property ("ITSP") statute. Of the two, the more sweeping -- and therefore the most successful -- is the wire fraud statute. Indeed, many modern computer crime offenses are prosecuted under this statute. The statute is broad in scope, and simply requires proof of some type of scheme or artifice to defraud out of money or property, and the use of interstate or international wires in furtherance of such a scheme. Thus, for the "garden variety" of fraud offenses -- theft of money or other property for which a commercial value can be established, the wire fraud statute provides an adequate, if imperfect, basis for a criminal prosecution.
However, there are significant limitations to the reach of the wire fraud statute. Not all computer crimes -- such as simple trespass or destruction of computerized information -- would fall within the admittedly broad definition of a "scheme or artifice to defraud." Not all malevolent conduct is "fraudulent" in nature. While using the password of another may constitute a misrepresentation (or, for that matter, may not) it probably does not constitute a "scheme or artifice to defraud." In the early days of computer crime legislation, computer networks were in their nascent stage, and many attacks on computers occurred from hard-wired terminals, therefore defeating the jurisdictional requirement of interstate communications.
The application of common law concepts of fraud, theft and trespass was an ill fit to the new technology. For example, the federal embezzlement statute proscribes the "conversion" of federal property. But is "information" contained on a computer truly "property" subject to conversion? Is all information property, or only certain types of information? Must the defendant be aware that the information is protected in order to be criminally prosecuted? If so, how do you demonstrate such knowledge? Is information subject to greater protection in a computer than it would be in other circumstances -- for example, are whistleblowers subject to criminal prosecution for "conversion" of corporate information in the non-electronic environment? Who "owns" corporate or governmental information? Can information be "converted" when the information remains in the possession of the owner? Is the offensive conduct the "theft" of the information, or the later use of that information? What constitutes "use" of information?
Considering information itself as property subject to theft or conversion, while consistent with the axiom that "knowledge is power," represents a potentially dangerous precedent. The federal criminal law protects certain discrete types of information from disclosure or misuse, including national security information, grand jury information, bank secrecy and credit reporting information, probation and presentence reports, personnel and health records, tax records, and records protected from disclosure under the Privacy Act. Federal law also protects certain patent, trademark and copyright information, not from disclosure, but from infringing use. Under state law, various other types of information may be protected -- sometimes with potential criminal sanctions, sometimes with evidentiary sanctions, sometimes with purely civil or injunctive sanctions. These include criminal arrest reports, bank records, cable TV records, credit information, criminal justice information, employment records, insurance records (including health insurance), mailing lists, medical and treatment information, school records, social security numbers, tax records, and certain telephone records. Finally, in several jurisdictions, state law also protects the disclosure or use of trade secrets.
At least one case has adopted the view that 18 U.S.C. § 641 applies only to "corporeal or tangible property" and refused to extend that section to the theft of government services. However, this appears to now be the minority view. While current Department of Justice policy limits the use of the embezzlement statute in cases of theft of "information" in order to prevent the unwarranted prosecution of whistle blowers, this policy is not binding on the Department of Justice, and so-called "information crimes" may still be prosecuted.
In United States v. Girard, the Second Circuit held that the sale of information, gleaned from a computerized database, regarding the identity of DEA undercover agents was sufficient to support the conviction of a government employee for embezzlement under 18 U.S.C. § 641. Similarly, in United States v. Sampson, the court held that the unauthorized use of computer time constituted embezzlement of government property under 18 U.S.C. § 641.
Other difficulties arise in the prosecution of individuals for the "theft" of information. For example, the crime of "theft" or "larceny" would, at common law, require proof of "asportation" or the "taking away" of the property stolen.
In the instance of theft of computerized information, the "stolen" property remains precisely where it was, and the owner is not deprived of the actual use of the information. Similarly, concepts of trespass and breaking-in do not fit well into the electronic environment. There is no physical entry into the computer, and therefore no common-law trespass.
A few cases illustrate the problem of applying the wire fraud statute to computer crimes -- especially where the information "stolen" is intellectual property. These cases point out the different protections offered by the copyright laws and the criminal theft statutes. In United States v. Riggs, defendants Riggs and Neidorf, admitted computer hackers, devised what the District Court accepted to be a scheme to steal computer software and other property belonging to Bell South which was designed to regulate the phone company's enhanced 911 ("E911") emergency call system. Riggs accessed the Bell South computer using other people's passwords and downloaded a text file which described the E911 system. The District Court, in denying the motion to dismiss the wire fraud count, observed:
The government charges Riggs and Neidorf with scheming to defraud Bell South out of property -- the confidential information contained in the E911 text file. The indictment specifically alleges that the object of defendants' scheme was the E911 text file, which Bell South considered to be valuable, proprietary, information. The law is clear that such valuable, confidential information is "property," the deprivation of which can form the basis of a wire fraud charge under § 1343.
Despite the District Court's acceptance of the concept of intellectual property like computer software being subject to "theft" or "fraud" in Riggs, other courts have come to the opposite conclusion in applying both the wire fraud and ITSP statutes. In United States v. LaMacchia, the defendant, a 21-year-old student at the Massachusetts Institute of Technology, created an electronic bulletin board on the Internet which was accessible by anyone. He actively encouraged correspondents to upload copyrighted commercial software, and then he posted this software to another bulletin board for download by others. LaMacchia made no money from this endeavor, although presumably he -- like anyone else -- would have had access to the reposted software.
For his pains, LaMacchia was indicted for one count of conspiring with "persons unknown" to commit wire fraud. According to the indictment, the object of the fraud was to facilitate "on an international scale" the "illegal copying and distribution of copyrighted software" without payment of licensing fees and royalties to software manufacturers and vendors. Because LaMacchia's actions were not done for money or profit, the government was precluded from indicting him for criminal copyright violations.
The District Court, relying in large measure on the Supreme Court's holding in Dowling v. United States, took the unusual step of dismissing the wire fraud indictment prior to trial. In Dowling, the Supreme Court reversed a defendant's Interstate Transportation of Stolen Property conviction under 18 U.S.C. § 2314 for shipping pirated off-air Elvis Presley recordings across state lines without the permission of, and without paying royalties to, the holder of the copyright. The Dowling court found that, while a criminal copyright violation may have occurred in that case (because the transportation was for profit), no violation of the ITSP statute could be found, because the "property" which was transported across state lines -- the recordings themselves -- was not truly "stolen." The Supreme Court suggested that the recordings, while evidence of potential copyright violations, were not property "taken" by fraud. The Dowling Court reasoned that crimes involving copyright violations could be dealt with through a variety of means, chiefly civil, and that it was not clearly Congress' intention that the ITSP function as a criminalization of copyright infringement. The Supreme Court observed:
These cases and others prosecuted under § 2314 have always involved physical "goods, wares, [or] merchandise" that have themselves been "stolen, converted or taken by fraud." This basic element comports with the common-sense meaning of the statutory language: by requiring that the "goods, wares, [or] merchandise" be "the same" as those "stolen, converted or taken by fraud," the provision seems clearly to contemplate a physical identity between the items unlawfully obtained and those eventually transported, and hence some prior physical taking of the subject goods.
The court reasoned that any other application of the criminal law could lead to the criminal prosecution -- either as wire fraud or ITSP -- of individuals who publish articles or photographs which violate the rights of the copyright holder -- something not clearly contemplated by Congress in enacting the copyright or fraud laws.
The District Court in LaMacchia observed that dismissal of the fraud indictment was mandated by the Dowling holding because of the fundamental difference between copyrights and other "intellectual property," which were protected by one statutory scheme, and other types of tangible property, which were protected by another -- and more onerous -- statutory scheme. Finally, the LaMacchia court noted:
While the government's objective is a laudable one, particularly when the facts alleged in this case are considered, its interpretation of the wire fraud statute would serve to criminalize the conduct of not only persons like LaMacchia, but also the myriad of home computer users who succumb to the temptation to copy even a single software program for private use. It is not clear that making criminals of a large number of consumers of computer software is a result that even the software industry would consider desirable.
In United States v. Brown, the Tenth Circuit, also relying on Dowling, reversed the defendant's ITSP conviction for "stealing" source code created by his former employer. The defendant had downloaded a copy of the source code onto his home computer, which was discovered in a later search warrant executed on his home. In dismissing the indictment, the Tenth Circuit observed that "Dowling holds that § 2314 applies only to physical 'goods, wares or merchandise.' Purely intellectual property is not within this category. It can be represented physically, such as through writing on a page, but the underlying, intellectual property itself, remains intangible."
Thus, it appears that there is a legal dispute whether intellectual property -- software, trademark protected information, or other types of information -- is protected from "theft" by computer under the general fraud or theft statutes. Moreover, unlike other forms of "theft," in these cases, the owner of the property retains the "stolen" property, and there has been no true "asportation" or taking away of the property -- the traditional requirement for criminal prosecution at common law.
Finally, the ITSP statute -- and many state felony larceny statutes -- imposes a monetary jurisdictional requirement on the value of the property stolen. As the Riggs case demonstrated, the value of intellectual property is frequently difficult to determine. In Riggs, the government calculated the value of non-commercially available software at "millions of dollars," using Bell South's calculation of the costs of developing the software in man-years. It was later learned that the marketing department of Bell South was making copies of the software available to certain individuals for approximately $13. If the purloined software were sold, presumably the value of the software would be the thief's value -- or the price paid by the purchaser of the software. For commercially available software, the value could be the cost of purchasing the software at a retail outlet, but it is not clear that each copy of the software downloaded by others would count toward the aggregate value (although it presumably could be used to calculate the "loss" to the copyright holder). Loss of profits from the distribution of multiple copies of the same program is not necessarily the same as the value of the program distributed. A copyright holder may lose millions of dollars in potential sales from the "theft" of a single copy of its software.
Other federal and state cases point out the difficulty courts have had determining whether information itself is subject to theft or fraud. Some cases have held that computer software or computerized information is property subject to theft, fraud, or embezzlement.
In the vast majority of fraud or theft cases successfully prosecuted involving computers, however, the object of the fraud is not the computerized information itself. Indeed, the information or the computer is merely a means to obtain other property -- chiefly money. The defendant has used the computer -- or the information contained therein -- to steal money or other property either directly or indirectly from the victim. In such cases, courts have had no difficulty applying traditional mail or wire fraud statutes to these "computer related" crimes.
In addition to the wire fraud and ITSP statutes, the government, on at least one occasion, United States v. Horowitz, used the federal false statements statute, 18 U.S.C. § 1001 to prosecute an individual who, having left the employ of one government contractor and having gone to work for a competitor, accessed his former employer's computer to obtain confidential bid information to submit on behalf of his new employer. However, this prosecution was made possible more by virtue of what Horowitz did with the information he obtained than by the manner in which he obtained the information. The false statement was Horowitz' later denial to investigators of the unlawful use of proprietary information, not the use of the information itself.
Consider finally the following hypothetical. A computer hacker, through "social engineering" -- that is, the process of learning about how computers are used by individuals and organizations -- determines that your login name is your initials, and your password is your spouse's first name. Armed with this knowledge, the hacker logs in with your user id and password, and examines files on your computer. In the absence of a particular computer crime statute, has this individual committed a criminal offense?
Clearly, if the login is made for the purpose of some other scheme to defraud (that is to use the information so gleaned for fraudulent purposes) a wire fraud prosecution could be supported if the jurisdictional elements were established. But what if no such evidence may be established? Is the mere fact of logging in with your user id and password sufficient to create a "scheme to defraud" or some sort of "false personation?" Is the hacker truly making a false representation that he is an authorized user of the system, any more than an individual with a skeleton key is making a false representation that he is authorized to be in a building? The Gillies and Hamm ATM cases above suggest that such a prosecution might be supported under a particular "unlawful access" statute. But in the absence of such a statute, has a crime been committed? It is the lack of a clear answer to that question and others which led to the establishment of computer crime statutes.
Another offense which can be committed over computer networks like the Internet is the theft of computer or other services. The prosecution of members of the Legion of Doom for not only trespass into computers, but also for the unauthorized use of computer resources, provides an example of the way computer criminals may break into computers and simply use the services of the host computers. However, problems remain for such a prosecution. For example, individuals who use computers provided by their employers or others, and, in violation of company policy, play video or computer games, transmit or store "unauthorized" messages, or otherwise use the computer in a manner not explicitly authorized or sanctioned by the owner or provider of the computer resources may be violating corporate policy, but may not be committing the crime of theft of services. Should the criminal law be used to enforce internal corporate computer use policies? Should someone go to jail for playing a computer game on their computer at work? Are corporate and governmental computer use policies consistent with policies on the use of other corporate or governmental resources?
It is clear that computer time, in appropriate circumstances, constitutes a "thing of value." Computers and computer networks are expensive machines, and cost time and money to establish and maintain. However, the mere "use" of computer time does not always deprive the owner of the use of his computer. When an intruder is using the unused portion of a central processing unit, and does not, in any way, interfere with the normal operations of the computer, does this constitute a "theft" of services? While this is certainly a classic "theft of services" in the sense that the intruder obtained the services of the host computer without authorization, a defendant might successfully argue that no harm resulted from the theft, and that the owner of the system was, in fact, deprived of nothing of value.
Efforts to apply theft statutes to the theft of computer services have met with mixed success. For example, in Lund v. Commonwealth, the court refused to find an offense in the simple unauthorized use of a computer, and in State v. McGraw, the court likewise found that since the defendant did not deprive the owner (or another acquiring rights legitimately from the owner) of the ability to fully use the computer system, the behavior does not constitute theft of services. In In Re Commodore 128 Personal Computer, the Arizona Court of Appeals rejected the forfeiture of a defendant's computer under the state racketeering laws because the state computer crime statute did not provide for forfeiture, and the government had not established that the defendant had used the computer to make unauthorized access into the telephone company's computer.
Various states have statutes which criminally punish the theft or misappropriation of trade secrets. Proof of this offense would require the government to demonstrate that the information at issue was, in fact, a trade secret, and that there had been an agreement between the owner of the property and the defendant restricting rights to the information taken.
Obviously, where the offender is not an insider, or is unknown, a trade secret prosecution remains problematic. While the misuse of the trade secret, like the misuse for profit of copyrighted information, may constitute a criminal offense, the mere possession of such a trade secret, or its mere misappropriation, may not constitute a crime.
A recent case typifies the problem of the enforcement of trade secrets in cyberspace. In Religious Technology Center v. Netcom, et al., the District Court for the Northern District of California declined to continue an injunction preventing the further publication of the trade secrets of the Church of Scientology. One of the defendants in that case had obtained what the court concluded were secret internal documents of the Church, and had posted them on various Internet newsgroups. The defendant asserted that he had received at least some of these documents from various anonymous FTP sites -- publicly accessible Internet sites. The District Court concluded that:
Although the Internet is a new technology, it requires no great leap to conclude that because more than 25 million people could have accessed the newsgroup postings from which [the defendant] alleges he received the [trade secret] works, these works would lose their status as secrets. While the Internet has not reached the status where a temporary posting on a newsgroup is akin to publication in a major newspaper or on a television network, those with an interest in using the Church's trade secrets to compete with the Church are likely to look to the newsgroup. Thus, posting works to the Internet makes them "generally known" to the relevant people -- the potential "competitors" of the Church.
The Court is troubled by the notion that any Internet user, including those using "anonymous remailers" to protect their identity, can destroy valuable intellectual property rights by posting them over the Internet, especially given the fact that there is little opportunity to screen postings before they are made. Nonetheless, one of the Internet's virtues, that it gives even the poorest individuals the power to publish to millions of readers, can also be a detriment to the value of intellectual property rights. The anonymous (or judgment proof) defendant can permanently destroy valuable trade secrets, leaving no one to hold liable for the misappropriation. . . . Although [the defendant] cannot rely on his own improper posting to support the argument that the Church's documents are no longer secrets, evidence that another individual has put the alleged trade secrets into the public domain prevents [plaintiff] from further enforcing its trade secret rights in those materials.
Thus, it appears that if a trade secret is stolen and then posted to the Internet, the owner of the trade secret will be unable to later protect that secret.
Another common law offense is that of trespass. Trespass, and its analogue, burglary, require an intentional entry onto the property of another without the express or implied permission of the owner or user of the property to so enter. Burglary required proof of the additional elements that the entry be made by breaking and entering, into a building or a dwelling of another, sometimes at night, and with the intention of committing a crime therein.
What both of these offenses have in common is the concept of a physical entry onto the property of another. Thus, a defendant who breaks into the victim's office and either steals or photocopies the files of the victim, has at a minimum committed the offense of trespass, and may have committed the common law or statutory offense of burglary as well.
In cyberspace, these concepts simply do not exist. There is no physical entry onto the property of another. The offense of trespass has no analogue in the electronic environment. Moreover, it is technically possible to obtain computerized information without physical intrusion. Information may be gleaned -- as in the movie Sneakers -- by "shoulder surfing" information on a computer screen -- that is, viewing the computer screen and capturing the information displayed. Computer monitors emit electromagnetic radiation which may reveal the content of computerized transmissions or files, and which may be intercepted. Infrared or other forms of remote transmission, used today for cordless keyboards and connections between portable computers, may be intercepted without any physical intrusion. Thus, using common-law trespass statutes to prosecute high technology computer offenses is, at best, inadequate.
Another offense punishable in the real world is the destruction of property. Thus, if an offender equipped with a sledge hammer pummels a computer into an unrecognizable pile of bolts, chips, and wires, he clearly has committed the offense of destruction of property. If the same offender, equipped with a modem, deletes files from a computer system, all he or she has done is to change the polarity of a magnetic medium, which may or may not (applying the "rule of lenity" described above) constitute a destruction of property.
In order to understand how people commit computer crimes, it is important to understand first why they do so. Obviously, the motivation for computer related offenses is as varied as the motivation for any other type of crime, and may run the gamut from personal enrichment, avarice, revenge, thrill seeking, to truly psychopathic behavior. In general, virtually any type of offense which can be committed without a computer can be committed with the assistance of computers, including terrorism, espionage, obscenity, murder and arson. However, there are a few characteristics which make computer crimes unique among criminal offenses. For example, computer crimes may be committed remotely and across geographic boundaries. They may be committed in many jurisdictions at the same time. They may have effects years or decades after they are launched or planned. They may or may not violate "traditional" criminal laws like trespass or theft statutes. They are difficult or impossible to investigate, and even more difficult to prosecute. Investigators, prosecutors, judges, lawyers and juries are frequently unfamiliar with the technology and its applications, further complicating the prosecution of such offenses.
In Burleson v. Texas, Burleson, a senior programmer/analyst, was fired from his company. In retaliation, he inserted a "logic bomb," a software program designed to delete files responsible for calculating payroll commissions for more than 400 employees. He was prosecuted for violation of the Texas computer crime statute which makes it a crime for anyone who knowingly:
(1) causes a computer to malfunction or interrupts the operation of a computer without the effective consent of the owner of the computer or a person authorized to license access to the computer; or
(2) alters, damages, or destroys data or a computer program stored, maintained, or produced by a computer, without the effective consent of the owner or licensee of the data or computer program.
The court held that, as applied to Burleson's conduct, the statute was not impermissibly vague, and that, despite the fact that the statute could be applied to "innocent programmers," Burleson was not "innocent." Despite the fact that Burleson involved an employment dispute rather than a contract dispute, it illustrates the proposition that the insertion of software devices designed to disable computer systems without the knowledge or authorization of the owner of the computer may subject those who write such programs to both civil and criminal liability.
One of the biggest problems with the application of traditional criminal law concepts to cyberspace is the difficulty of establishing jurisdiction and venue. Most crimes occur either where the defendant puts in place the actions which cause the prohibited effects, the actus reus, or where the victim of the offense is located. The classic example is that of a person in Kentucky firing a rifle and killing a person across the border in Tennessee. Both states retain jurisdiction to prosecute the offender, and to apply their laws to the prohibited conduct. This is true because the offender has, by his conduct, invoked the jurisdiction of the state in which his conduct has its effect.
Unfortunately for this analogy, cyberspace is everywhere. Defamatory or malicious or pornographic messages posted on the Internet are accessible globally. Thus, by using the Internet, a user may unintentionally find himself subject to all nations' jurisdiction. Users of the Internet must be aware of the laws and procedures in every jurisdiction -- domestically and internationally. Posting an electronic message on a World Wide Web home page may violate the privacy rights of individuals in Germany, Sweden, or other countries which protect individual privacy. In appropriate circumstances, actions which constitute negligent or reckless conduct may support criminal prosecutions in the United States or abroad -- where criminal negligence is a much more widely accepted concept. It is not too extreme to imagine that as a result of a posting to the Internet, a user could find himself subject to an extradition request from a foreign government.
Several recent cases illustrate this problem. In United States v. Thomas, two individuals permitted others to access their computer bulletin board system, which contained allegedly pornographic materials. After unsuccessfully prosecuting the operators of the bulletin board system in Berkeley, California (the location of the defendants and their bulletin board system) Secret Service agents downloaded allegedly obscene files to a computer in Tennessee, and thereafter successfully prosecuted the defendants in the remote jurisdiction. While this case involved child pornography -- for which no "community standards" need be referenced, under the Supreme Court's holding in Miller v. California for materials to be considered "obscene" they must violate contemporary community standards. In the Thomas case, the government was able to select the "community" in which the materials were transmitted, and therefore to determine both the jurisdiction and venue.
Similarly, in the case of Philip Zimmermann, a software developer, the government has, for the last year, investigated whether the posting of encryption software called PGP (for "Pretty Good Privacy") on the Internet constituted an "export" of this software, despite the fact that the software may have remained within the jurisdiction of the United States. The government apparently has taken the position that posting on the Internet causes the restricted program to be irretrievably placed in the stream of international commerce, and therefore to be "exported" whether or not it leaves the United States.
The problem may be simply described as follows: What one does on the Internet, one does in every jurisdiction simultaneously. If you post on the Internet information about the availability of securities for purchase in Australia, you run the risk of violating the securities registration laws of New Jersey. A message posted on a Web page in Nebraska may violate Islamic law and domestic law of Iran. Photographs available for downloading via anonymous FTP from New York may be deemed "obscene" or unlawful in Idaho or Iraq. Files containing personal data about citizens of the European Community may be restricted for transfer outside the E.C.
Beginning in the late 1970s, state legislatures and the United States Congress began to realize the infirmities of existing legislative solutions to the new and rapidly expanding problem of computer crime. In particular, as a result of several highly publicized computer crimes, including the theft of telephone services by John Draper -- the notorious "Captain Crunch" who used a whistle in a Captain Crunch cereal box to obtain free long distance services -- and the Equity Funding scandal, certain inadequacies appeared in existing law. In particular, the problems of prosecution of computer trespass and destruction of property offenses led legislative bodies to enact new and more specialized computer crime statutes.
The first truly comprehensive federal computer crime statute was the Computer Fraud and Abuse Act of 1986 ("CFAA"). The statute represented a complete rewriting of a 1984 statute which proved inadequate to the task of dealing with the problem of computer crime. This act amended Title 18 United States Code § 1030 to enhance penalties for the intentional "access" into "federal interest computers" for the purpose of committing certain types of criminal conduct.
The statute criminalizes six types of computer activities: (1) the unauthorized access of a computer to obtain information of national secrecy with an intent to injure the United States or advantage a foreign nation; (2) the unauthorized access of a computer to obtain protected financial or credit information; (3) the unauthorized access into a computer used by the federal government; (4) the unauthorized interstate or foreign access of a computer system with an intent to defraud; (5) the unauthorized interstate or foreign access of computer systems that results in at least $1000 aggregate damage; and (6) the fraudulent trafficking in computer passwords affecting interstate commerce.
As a predicate for each of these offenses, to make out a case of a violation of this statute, the government would have to establish an intentional access into a "federal interest computer." The term "federal interest computer" is defined to include computers owned by or used by the federal government in addition to a computer "which is one of two or more computers used in committing the offense, not all of which are located in the same State." Thus, any computer used in interstate or international commerce in the commission of the offense would be covered by this provision.
Each of these provisions also requires proof that the defendant accessed the computer without authorization or, in the case of the use of a computer with the intent to defraud, that the defendant exceeded his authorization to access the computer. By focusing on the method of entry into the computer or computer system, rather than the method of use of the computer system, the statute excludes broad categories of potentially criminal conduct. Theft of information from corporate or government insiders, or those with an arguable right to access the computer, may or may not be punished under this provision.
Nor could those who, with authorization to access or use a computer or computer system, thereafter alter, damage, or destroy information contained on that system be punished under this provision. Similarly, the prosecution of authors or distributors of computer viruses, or other forms of "malicious code," was complicated by the requirement that the government demonstrate that the wrongdoer (1) actually accessed the computer; and (2) lacked the express or implied authority to do so.
Curiously, the fraud provision of the CFAA expressly prohibits prosecution for the unauthorized access of a computer system where "the object of the fraud and the thing obtained consists only of the use of the computer." Thus, as under the wire fraud statute, the mere viewing of data without authorization may not be criminal under the CFAA. Furthermore, the protection afforded by the CFAA to national secrets, financial records, and government computers does not require an explicit computer crime statute; protection probably exists irrespective of the provisions of the CFAA.
Perhaps the most famous application of this statute was the 1989 prosecution of Robert Tappan Morris, a Cornell University graduate student who, on November 2, 1988, released a computer "worm" across the Internet computer network. The program, designed to surreptitiously spread across the network to thousands of connected computers, inadvertently replicated faster than the defendant intended, and, instead of inserting a copy or two into these networked computers, inserted thousands of copies of the program until the network actually shut down. On appeal, the Second Circuit rejected the defendant's arguments that, because he was permitted to send mail to users of computers on the network, he was therefore "authorized" to "access" these computers, and further rejected arguments that the statute required proof that he intended to cause damage to the computers -- as distinct from intent to obtain unauthorized access.
In September 1994 the Computer Fraud and Abuse Act was once again modified -- this time to deal with the problem of "malicious code" -- computer viruses, computer worms, and other computer programs which are designed to alter, damage or destroy files or computer programs.
The legislation was needed in part because the old law did not adequately deal with the problem of computer viruses. By focusing almost exclusively on the authorization of the user to access a computer, the CFAA failed to adequately examine the problem of what types of criminal conduct people could do to a computer without "accessing" such a computer. Because the structure of the computer crime statute focused upon the unauthorized access, and not upon the later use of the computer, legislative reform was necessary to deal with the problem.
The amended computer crime law punishes those who, without the knowledge and authorization of the "persons or entities who own or are responsible for" a computer, cause the transmission of "a program, information, code, or command to a computer or computer system" with the intent to cause damage to the computer or information in the computer or prevent the use of the system.
In addition to punishing intentional conduct, the statute criminalizes those who act "with reckless disregard of a substantial and unjustifiable risk" of damage or loss, and would create a civil cause of action for "any person who suffers damage or loss by reason of a violation of the section" to obtain compensatory damages or injunctive relief. The computer virus provisions of the law were most recently used when FBI agents arrested a Monmouth University (N.J.) student, Dominick LaScala, for allegedly sending out numerous e-mail messages to University administrators, and thereby preventing their use of the computer system. He was arrested for both "intentionally" and "recklessly" depriving the University of the use of its computer system for what is known in computer parlance as a "spamming" attack.
In addition to protecting the data contained on computers, federal law also attempts to protect the integrity or confidentiality of electronic communications. In 1986, Congress amended the federal wiretap law, passing the Electronic Communications Privacy Act (ECPA) to expand federal jurisdiction and to criminalize the unauthorized "interception" of stored and transmitted electronic communications. The statute makes it unlawful to either "intercept" or "disclose" the contents of electronic communications, except as provided by statute. Thus, capturing or monitoring of the contents of electronic mail messages, electronic communications, or stored electronic communications may violate these provisions.
The provisions of ECPA may, however, have the effect of restricting or limiting electronic privacy, rather than enhancing it. Employers or owners of computer systems who seek to monitor the activities of users of the systems to ferret out wrongdoers or trespassers may run afoul of these provisions by engaging in monitoring or "keystroke capture." As a result, they may create "warning banners" indicating that, by using the computer system, the operator waives any and all privacy rights and explicitly consents to monitoring of his or her activities. While such warning banners may protect the employer or owner of the system from potential criminal liability under the "consent" provisions of ECPA they may result in a total waiver of any privacy rights by users of the systems. A system operator then must ensure that the policies and procedures regulating the use of systems and the authority of the system operator or others to monitor the communications are clearly defined.
The original federal computer crime statute was entitled the "Computer Fraud and Abuse Act" because the problem it attempted to correct was one of computer fraud. Indeed, it was enacted contemporaneously with 18 U.S.C. § 1029, the credit card fraud provisions of the United States code, and structurally bears many similarities to the other fraud offenses.
For this, and several other reasons, the United States Sentencing Guidelines provisions applicable to computer crime are the general fraud guidelines. Under the guidelines, after assessing a base offense level for the fraud offense, an offender's sentence is determined by a mathematical calculation of certain predefined aggravating, and to a lesser extent mitigating factors. The mathematical calculation -- based upon a point system (adding points for aggravating factors, subtracting for mitigating factors) leads the sentencing judge to a sentencing table, which, depending upon the offender's criminal history, determines the "guidelines range" for that offense. The sentencing court has little discretion to consider any other than the predefined aggravating or mitigating factors, or to sentence an offender outside the predetermined range. In 1991, similar guidelines went into effect for corporations or other organizations convicted of criminal offenses.
Because the computer fraud guidelines are tied to the general fraud guidelines, the potential enhancements were tied almost exclusively to the district court's calculation of loss. For ordinary fraud offenses, such an economic enhancement is probably appropriate -- an individual who defrauds a person of $500 deserves a lesser sentence than one who defrauds him or her out of $5 million.
Such an approach, however, is ill suited for the typical computer crime. What is the loss to a computer user in a simple trespass, or "shoulder surfing" offense? Is it the value of the information observed? How is this calculated? Does it matter whether the information is actually used by the offender, or intended to be used by the offender? Should the costs of investigation, detection, or backup of a system be included in the loss calculation? Should a defendant be sentenced based upon the loss he or she intended to cause, or the loss actually caused? Should the sentence be enhanced based upon the offender's abuse of a special skill or position of trust in obtaining access to the computer, or is this inherent in the nature of the offense? The sentencing guidelines were enacted in an effort to provide uniformity and certainty to sentencing. However, the failure to address these fundamental questions increases the turbidity of such an approach.
This problem was squarely presented in the Morris Internet worm prosecution. Morris intended to cause little if any damage. The loss to those infected by the worm included the man-hours taken to determine what was going on, and to get rid of the worm. To a lesser extent, the loss may have included the costs to infected institutions of fixing the defects in software which were exploited by Morris' worm -- locking the barn door after the horse has been stolen. The calculations of loss in that case varied wildly, with estimates ranging from no loss to more than $96 million. Ultimately, the government recommended a sentence based upon a conservative "loss" of $250,000, but did not appeal the District Court's probationary sentence based upon a finding (unexplained) that the sentencing guidelines did not apply to Morris' conduct.
Similar problems arise with other computer viruses which may cause thousands of people to waste a minute or two while the virus is eradicated. In the aggregate, such a loss could be hundreds of thousands (or millions) of dollars. And yet, using modern virus checking and eradication programs, nobody truly lost anything. Employees whose computers were infected merely used the minute the computer was unavailable to return a phone call, do other work, or get a second cup of coffee.
These considerations are more than academic. They mean the difference between a probationary sentence, a few months incarceration in a minimum security facility, or a mandatory and severe sentence in a more secure institution. Because the ultimate goal of criminal law is deterrence and punishment, the lack of clarity in the sentencing guidelines significantly impairs the impact of the computer crime and other criminal laws.
In addition, some computer crimes may result in little if any demonstrable economic loss to victims -- and therefore a small sentence for offenders. This fact, coupled with the reluctance of victims to report computer crime offenses and the difficulty in locating offenders results in the evisceration of the criminal law as a true deterrent to computer attacks.
Finally, sentencing courts are frequently reluctant to impose what they consider to be draconian sentences based upon some artificial "loss" on computer hackers. Thus, in United States v. Demonte, the District Court sentenced a computer hacker to a probationary sentence based upon his "extraordinary cooperation" and the fact that he had liquidated all of his assets in order to make restitution to the "victims" of the offense. The Sixth Circuit reversed the lessening of the sentence on this latter ground. The Court of Appeals noted that ". . . allowing probation in this case seems to defeat the federal sentencing guidelines' expressed desire to put white-collar crimes on a par with "street crimes" as far as incarceration is concerned."
In 1994, the United States Sentencing Commission, responsible for drafting the sentencing guidelines, recognized that computer related offenses frequently involve more than economic loss. They involve loss of privacy and security as well. In addition, the Commission recognized that "loss" included the costs of system recovery and other consequential losses. Therefore, the Commission proposed new sentencing guidelines, applicable to both individuals and corporations, for punishment of computer crime. The proposed guideline would substantially increase criminal penalties for unauthorized uses of computers which disclose private information, which threaten the reliability or confidentiality of data, or which interfere or potentially interfere with the administration of justice, health care, or communications. No action has yet been taken on the proposed amendments.
In addition to the "fraud" guidelines, federal law also punishes electronic "eavesdropping" -- the interception of electronic communications. In such a case, the base offense level is 9, and may be enhanced if the interception is done "for commercial purposes."
As of this writing, every state except Vermont has enacted a computer crime statute. Many of these are based upon the federal computer crime statute, but several of them go well beyond the scope of the federal statute, and punish the unauthorized "use" of a computer or computer system. These statutes vary widely in their definitions of "computers," "computer systems," "computer networks," "computer supplies," "data," "software," or other fundamental terms. A detailed examination of each of these statutes is beyond the scope of this article. However, recently State legislatures have grappled with the same issues of value of information and access by viruses as have confronted the federal government, with varying degrees of success.
Computers in general and the Internet in particular may also be used to facilitate intellectual property offenses, which, if done "willfully" and for "financial gain," may be criminal in nature. The nature of the digital medium permits the instantaneous reproduction of perfect copies of copyrighted or protected materials, and permits these exact copies to be instantly transmitted to thousands or millions of individuals at the same time. The anonymity provided by the Internet permits offenders to commit these violations with impunity. Moreover, because of peculiarities in the law related to criminal copyright infringement, there are circumstances in which neither the uploader nor the downloader of this intellectual property may be guilty of an offense.
Moreover, the content of information contained on the Internet makes the possibility of copyright infringement not only more alluring, but potentially more profitable. Not only are text files available over the Net, but also photographs, video, music and other audio. Indeed, virtually every medium which can be transmitted is being transmitted. Finally, the anonymity provided by the Internet is coupled with a hacker ethos, personified by the writings and teachings of Richard Stallman, that information (and consequently intellectual property of all kinds) belongs to the public, and therefore laws protecting intellectual property may be disregarded to the extent they interfere with a perceived First Amendment right.
As noted earlier, both the LaMacchia and Brown courts rejected the application of general fraud or theft statutes to the criminal prosecution of electronic copyright violations, leaving, for the time being, the criminal copyright laws the exclusive remedy to punish such a violation. 
Intellectual property rights are exceptionally difficult to enforce on the Internet. Not only must the offender be caught (not an easy task given the nature of the Net) but the legal remedies are by no means sure. In Playboy Enterprises Inc. v. Frena, the defendant uploaded copyrighted Playboy photographs to his BBS for later downloading to those who paid a fee to the defendant. Playboy sued for, among other things, copyright and trademark infringement. The trial court found a copyright infringement because Playboy's "display" rights had been infringed. The court noted that ". . . the concept of display is broad. It covers the projection of an image on a screen or other surface by any method, the transmission of an image by electronic or other means, and the showing of an image on a cathode ray tube, or similar viewing apparatus connected with any sort of information storage and retrieval system."
The court also found that the Playboy trademark was distinctive, and despite the fact that the defendant professed no intention of using Playboy's mark to identify his files, and his professed lack of knowledge that subscribers were committing any infringement, an infringement was committed nonetheless. This case is significant in that it dispels the notion that a service provider on the Internet must have had the intent to infringe in order to be found liable for copyright or trademark infringement.
The Internet has changed the way people interact and communicate, and has created a new "community" for businesses, academics, and others. Ordinary legal paradigms do not apply to the Internet, and moral and legal structures break down in cyberspace. As more information is stored on the Internet, and as that information is more sensitive, the vulnerability of that information increases. Computer crime laws, and computer crime investigations and prosecutions must be vigilant to keep pace.
Traditional criminal concepts of theft, trespass, and destruction of property do not fit well into the realm of cyberspace. As a result, both the federal government and virtually every state legislature have passed specialized computer crime statutes to deal with the problem of unauthorized use, access or manipulation of computers or computerized data. These statutes frequently become obsolete as soon as they are passed, with changes in both technology and behavior outpacing changes in the law. Computer viruses, or other forms of "malicious code" are not expressly prohibited under many such statutes, and the authors of such programs may successfully escape criminal prosecution.
As computer technology alters the way we conduct business and interact with each other, it changes the way crimes can be committed. Computer stalking, computer terrorism, computerized threats, cyberporn, electronic espionage and electronic extortion are all made possible by the advent of computers and high speed data networks. Legislation and regulation inevitably fail to keep pace with the imagination of motivated hackers. Hacking for fun is also being supplanted by hacking for profits as freelancers, businesses, governments and intelligence agencies turn to computer networks to facilitate both legitimate and criminal activities.
Copyright © 1996 by Mark D. Rasch. All Rights Reserved.
Mark D. Rasch
Center for Information Protection Science Applications International Corporation
8301 Greensboro Drive, Ste. 400
McLean, Virginia 22102-3600 Phone: (703) 734-5853 (800) 247-1804 Fax: (703) 448-7360
Mark D. Rasch (J.D., SUNY at Buffalo, 1983), is the Director of Information Security Law and Policy at the Center for Information Protection at Science Applications International Corporation ("SAIC") in McLean, Virginia. He is a frequent writer and speaker on issues related to computer crime and the use of the Internet, and headed the Department of Justice's computer crime efforts until 1991. He was also responsible for the prosecution of Robert Tappan Morris, the first use of the federal computer crime statute. Portions of this article are reprinted with permission from CRIME ON THE INTERNET, THE HANDBOOK OF INFORMATION SECURITY MANAGEMENT (Auerbach Publishers, 1995).
1. D. Parker, FIGHTING COMPUTER CRIME (1983).
2. Such a case was presented in the investigation and prosecution of Cornell University graduate student Robert Tappan Morris. United States v. Morris, 928 F.2d 504 (2d Cir.1991). In November, 1988 Morris, a graduate of Harvard University, completing his studies at Cornell, launched a computer "worm" from his computer located at Cornell's Computer Science Laboratory. After the initial furor dissipated, and Morris' identity was suspected (but not yet proven), officials of Cornell found progressive copies of the worm saved on backup copies of Morris' account. It was only because of Morris' subsequent confession, and the fact that the government was able to demonstrate through the testimony of eyewitnesses that Morris was logged onto his computer account at the time (and the fact that Morris never challenged the fact of authorship) that the government was able to conclusively demonstrate that Morris was the author -- and the sole author -- of the worm.
3. Title 18 U.S.C. § 1343.
4. Title 18 U.S.C. § 2314.
5. See, United States v. Seidlitz, 589 F.2d 152 (4th Cir. 1978).
6. Additionally, the government would have to demonstrate that the interstate use of the wires facilitated the fraud. See United States v. Computer Sciences Corporation, 511 F. Supp. 1125 (E.D. Va. 1981) (dismissing the § 1343 indictment because none of the allegedly fraudulent bills were transmitted interstate).
7. 18 U.S.C. § 641.
8. A proposal currently pending in Congress would expand the scope of the federal computer crime statute, 18 U.S.C. § 1030, to punish access to all information contained in a computer. See, National Information Infrastructure Protection Act of 1995, S. 982, 141 CONG. REC. S 9421, Vol. 141 No. 108 (June 29, 1995).
9. Chappel v. United States, 270 F.2d 274, 277 (9th Cir. 1959).
10. United States Attorney's Manual § 9.
11. 601 F.2d 69 (2d Cir. 1979).
12. 6 COMP. L. SERV. REP. 879 (N.D. Cal. 1978).
13. Accord, United States v. Friedman, 445 F.2d 1076, 1087 (9th Cir.) (theft of grand jury transcripts and information contained therein was theft of government property), cert. denied, 404 U.S. 958 (1971); United States v. Morison, 604 F. Supp. 655, 663-65 (D. Md. 1985) ("theft" of classified information supports embezzlement conviction); United States v. DiGillo, 538 F.2d 972 (3d Cir.) cert. denied, 429 U.S. 871 (1971) (theft by photocopying government records sufficient to support § 641 conviction); United States v. McAusland, 979 F.2d 970 (4th Cir. 1992) (theft of competitor's confidential bid information violates § 641).
14. Lund v. Virginia, 217 Va. 688, 232 S.E. 2d 745 (1977) (labor and computer services used by graduate student not subjects of common law or statutory larceny because computer time not a "good or chattel" and could not be asported -- the statute was later amended to correct this problem).
15. 739 F. Supp. 414 (N.D. Ill. 1990).
16. 739 F. Supp. at 418.
17. 871 F. Supp. 535 (D. Mass. 1994).
18. 473 U.S. 207 (1985).
19. 473 U.S. at 216.
20. 871 F. Supp. at 544.
21. 925 F.2d 1301 (10th Cir. 1991).
22. 925 F.2d at 1307.
23. Ward v. Superior Court, 3 Comp. L. Serv. Rep. 206 (Cal. Super. Ct. 1972) (downloading and printing of employer's proprietary software supported conviction under state trade secret law); United States v. Seidlitz, 589 F.2d 152 (4th Cir. 1978) (computer software is "property" subject to fraud under § 1343); Hancock v. Texas, 402 S.W. 2d 906 (Tex. Crim. 1966) aff'd sub. nom. Hancock v. Decker, 379 F.2d 552 (5th Cir. 1967) (computer programs were "property" subject to theft under state larceny and theft statutes). Other courts have, for various reasons, been reluctant to find a property interest. Indiana v. McGraw, 480 N.E.2d 552 (Ind. 1985) (no "conversion" by city employee who used municipality's computer for private gain because no intent to deprive the owner of the value of the computer time.); New York v. Weg, 113 Misc. 2d 1017, 450 N.Y.S. 2d 957 (1982) (no theft of business services by defendant's act of improper use of Board of Education's computer since Board was a non-commercial entity, and therefore the computer was not a "business" service under the statute).
24. Arizona v. Gillies, 135 Ariz. 500, 662 P.2d 1007 (1983) (In a capital murder/rape case, defendant's use of the victims' ATM bank card constituted the unauthorized access into the bank's computer because the use of the card impliedly constituted a representation that the defendant was, in fact, the victim); Missouri v. Hamm, 569 S.W.2d 289 (Mo. App. 1978) (fraudulent use of ATM card of another constituted obtaining money by implied misrepresentation that defendant was authorized use of card); United States v. Sykes, 4 F.3d 697 (8th Cir. 1993) (use of ATM card of another supports conviction for computer crime); United States v. Alston, 609 F.2d 531 (D.C. Cir. 1979) (alteration of computerized consumer credit files to obtain loans sufficient to support conviction for wire fraud and false statements); United States v. Jones, 553 F.2d 351 (4th Cir. 1977) (ITSP prosecution following unlawful input of computerized information which caused checks to be issued fraudulently); United States v. Giovengo, 637 F.2d 941 (3d Cir. 1980) (use of computers to steal money from airline ticketing network supports conviction for wire fraud); United States v. Holmes, 611 F.2d 329 (10th Cir. 1979) (bank employee who uses computer to divert funds guilty of 18 U.S.C. § 656 embezzlement).
25. United States v. Horowitz, 806 F.2d 1222 (4th Cir. 1986).
26. See, e.g. United States v. Riggs, 739 F. Supp. 414 (N.D. Ill. 1990) (discussing activities of Legion of Doom.); M. Slatalla & J. Quittner, Masters of Deception (1995).
27. 217 Va. 688, 232 S.E. 2d 745 (1977).
28. 480 N.E. 2d 552 (Ind. 1985).
29. Accord, New York v. Weg, 450 N.Y.S.2d 957 (N.Y. Crim. Ct. 1982). But see, United States v. Sampson, 6 Comp. L. Serv. Rep. 879 (N.D. Cal. 1978) (unauthorized use of computer time constituted embezzlement of government property under 18 U.S.C. § 641); United States v. Kelly, 507 F. Supp. 495 (E.D. Pa. 1981) (use by employees of private employer's computers to conduct private business enterprise supported conviction for mail fraud because it constituted a scheme to deprive employer of services of employees and of computer time).
30. 804 P.2d 100 (Ariz. App. 1991).
31. Structural Dynamics Research Corp. v. Engineering Mechanics Research Corp., 401 F. Supp. 1102 (E.D. Mich. 1975); Ward v. Superior Court, 3 COMP. L. SERV. REP. 206 (Cal. Super. Ct. 1972) (downloading and printing of employer's proprietary software supported conviction under state trade secret law).
32. Federal law punishes as a misdemeanor the disclosure by government employees of "confidential information" which is broadly defined. 18 U.S.C. § 1905.
33. 1995 U.S. Dist. LEXIS 16184, Dkt. No. C-95-20091 RMW (N.D. Ca., September 22, 1995).
34. Id. Slip. op. at 30-31.
35. In parallel litigation involving similar trade secrets, a federal court in Virginia refused to extend trade secret protection on different grounds. In Religious Technology Center v. Lerma, 1995 U.S. Dist. LEXIS 17833 (E.D. Va. November 28, 1995) the court observed that "[a]lthough the person who originally posted a trade secret on the Internet may be liable for trade secret misappropriation, the party who merely downloads Internet information cannot be liable because there is no misconduct involved in interacting with the Internet." Id. at *17. The Court concluded that "Even if one were to assume that the -- documents are still trade secrets, under Virginia law, the tort of misappropriation of trade secrets is not committed by a person who uses or publishes a trade secret unless that person has used unlawful means, or breached some duty created by contract or implied by law resulting from some employment or similar relationship." Id. at *18. Therefore, the court concluded, no trade secret violation occurred.
36. This problem was exemplified in several cases. In American Computer Trust Leasing v. Jack Farrell Implement Co., 763 F. Supp. 1473 (D. Minn. 1991), a civil trespass case, the Court rejected the defendant's counterclaim that a computer software developer had committed trespass by accessing the customer's computer and deactivating the software by modem. The Court found that Minnesota's trespass law, which related to property "produced by and grown upon the land," did not apply to computers. Similarly, in Washington v. Olson, 735 P.2d 1362 (Wash. App. 1987), the court rejected a trespass conviction of a University of Washington police officer who, after accessing a computer with authorization, obtained information about UW students and used this information for unauthorized purposes. The Court reasoned that, while the use of the information was unauthorized, and the access into the computer exceeded the scope of the officer's authorization to use the computer and violated departmental policy, the computer crime statute, like the trespass statutes, criminalizes the unauthorized access or entry, not the later use of the fruits of an authorized entry.
37. 802 S.W. 2d 429 (Tex. App. Fort Worth 1991).
38. Texas Penal Code § 33.03.
39. W. S. Byassee, Jurisdiction Of Cyberspace: Applying Real World Precedent To The Virtual Community, 30 WAKE FOREST L. REV. 197 (Spring, 1995).
40. No. CR-94-20019-G (W.D. Tenn. 1994).
41. 18 U.S.C. § 2252; N.Y. v. Ferber, 458 U.S. 747 (1982).
42. 413 U.S. 15 (1973).
43. For a discussion of the Zimmerman case, see, L. Rose, First Amendment Protection for Networks and On-Line.
44. See, European Parliament and Council of the European Union, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. 24 October 1995. Online. [June 1996] Available HTTP: http://elj.warwick.ac.uk/elj/jilt/dp/material/directiv.htm.
45. J. Daly, Great Moments in Hacker History, Computerworld, March 22, 1993, p. 79.
46. J. Bologna, Computer Insecurity, Computerworld, August 3, 1987, p. 53; In re Equity Funding Corporation, 603 F.2d 1353 (9th Cir. 1979).
47. 18 U.S.C. § 1030(a) (1986).
48. 18 U.S.C. § 1030(e)(2) (1986).
49. 18 U.S.C. § 1030(a)(4) (1986).
50. But see, United States v. Czubinski, Dkt. No. 95-10165 NMG, (D. Mass. December 18, 1995) (IRS official who accessed IRS computer to obtain information for personal use as Ku Klux Klan member guilty of exceeding authorized access to a computer with intent to defraud IRS in violation of 18 U.S.C. § 1030(a)(4)).
51. 1986 U.S. CODE CONG. & ADMIN. NEWS at 2484. The statute "is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another."
52. 18 U.S.C. § 1030(a)(5) (1986).
53. 18 U.S.C. § 1030(a)(4) punishes whoever: (4) knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer; . . ..
54. United States v. Morris, 928 F.2d 504 (2d Cir. 1991).
56. P.L. 103-322, Title XXIX, § 290001(b)-(f), 108 Stat. 2097. Sept. 13, 1994.
57. For example, if I place software on the Internet, available for anonymous FTP (file transfer), and you download this software, and the software contains a virus which I wrote, have I "accessed" your computer, and if so, have I accessed it without authorization? In fact, you have accessed my computer. Similarly, if I send you a disk, file or program with such a virus or malicious code, and you load it on your computer, have I "accessed" your computer?
58. Many legislative solutions were proposed -- most of which vainly attempted to define "computer viruses" or "malicious code." The final solution (or merely the current, interim solution) was to examine not the nature of the program sent over the network, but rather, the intent of the author of the program. Thus, the transmission of a program which, in fact, causes damage to a computer is not a criminal offense, unless such damage was intended by the author of the program. However, criminalizing intentional damage to a computer (or the willful transmission of software with the intent to destroy information on a computer) goes beyond that which we ordinarily would consider to be a crime. Some element of "authorization" -- or lack thereof -- is also an essential component of such an offense. Computer users routinely delete files, alter them, and -- intentionally or otherwise -- destroy information contained in a computer. This is not a criminal offense. However, focusing on the permission of the owner of the computer is likewise problematic. The owner of a computer may be a corporation, or the computer may be leased. Again, the problem is, who "owns" the information in the computer (or the program) and who has a right to alter, destroy, delete or prevent access to that information?
59. 18 U.S.C. § 1030(a)(5)(A) (1994).
60. 18 U.S.C. § 1030(a)(5)(B) (1994).
61. Held in E-mail Bombing, N.Y. Daily News, December 4, 1995, p. 3.
62. "Spamming" refers to the process of sending numerous e-mail messages with the intent to inundate the host computer. In a related case, a Phoenix, Arizona law firm, Canter & Siegel, posted messages on various "newsgroups" on the Internet advertising their immigration law services. In accordance with Internet etiquette -- or "Netiquette" -- newsgroup postings are supposed to be relevant to that newsgroup. For their breach of Netiquette, Canter & Siegel were inundated by a "spamming" attack. See, e.g., K.K. Campbell, A Conspiracy So Immense-. Online. [June 1996] Available HTTP: http://www.eff.org/pub/Legal/Cases/Canter_Siegel/. No criminal charges were brought, or even considered against those engaged in the "spamming" of the law firm.
63. 18 U.S.C. § 2510 et seq.; 18 U.S.C. § 2710 et seq.
64. Pub. L. 99-508, 100 Stat. 1868 (October 21, 1986).
65. 18 U.S.C. §§ 2511, 2702.
66. For a detailed discussion of the privacy aspects of the use of the Internet, see J. Awerdick, On-Line Privacy. For a discussion of the rights of employers to engage in monitoring under ECPA, see K. Casser, Employers, Employees, E-mail and The Internet.
67. 18 U.S.C. § 2702(b)(3); 18 U.S.C. § 2511(2)(d).
68. 18 U.S.C. App. § 2F1.1 (1995).
69. See, e.g., United States v. Pederson, 3 F.3d 1468 (11th Cir. 1993) (enhancing penalty of police officer who unlawfully accessed National Crime Information Computer to obtain criminal history records for abuse of a position of trust).
70. 25 F.3d 343 (6th Cir. 1994).
71. 57 FR 62832 (December 31, 1992).
73. 18 U.S.C. App. § 2H3.1.
74. The state statutes include: ALA. CODE §§ 13A-8-100 to 13A-8-103 (Supp. 1992); ALASKA STAT. § 11.46.740 (1989); ARIZ. REV. STAT. ANN. § 13-2316 (1989); ARK. CODE ANN. §§ 5-41-101 to 5-41-107 (Michie Supp. 1991); CAL. PENAL CODE § 502 (West Supp. 1992); COLO. REV. STAT. §§ 18-5.5-101 to 18-5.5-102 (1986 & Supp. 1992); CONN. GEN. STAT. ANN. §§ 53a-250 to 53a-261 (West 1985); DEL. CODE ANN. tit. 11, §§ 931 to 939 (1987 & Supp. 1993); FLA. STAT. ANN. §§ 815.01 to 815.07 (West Supp. 1993); GA. CODE ANN. §§ 16-9-91 to 16-9-94 (1992); HAW. REV. STAT. §§ 708-890 to 708-893 (Supp. 1992); IDAHO CODE §§ 18-2201 to 18-2202 (1987); ILL. ANN. STAT. Ch. 38 para. 16D-1 to 16D-7 (Smith-Hurd Supp. 1992); IND. CODE ANN. §§ 35-43-1-4 & 35-43-2-3 (Burns Supp. 1992); IOWA CODE ANN. §§ 716A.1 to 716A.16 (West Supp. 1992); KAN. STAT. ANN. § 21-3755 (1988); KY. REV. STAT. ANN. §§ 434.840 to 434.860 (Michie/Bobbs-Merrill 1985); LA. REV. STAT. ANN. §§ 14:73.1 to 14:73.5 (West 1986 & Supp. 1993); ME. REV. STAT. ANN. tit. 17-A, § 357 (West 1983 & Supp. 1992); MD. ANN. CODE art. 27, § 146 (Supp. 1991); MASS. GEN. L. ch. 266, § 30 (1990); MICH. STAT. ANN. § 28.529 (Callaghan 1990); MINN. STAT. ANN. §§ 609.87 to 609.891 (West 1987 & Supp. 1992); MISS. CODE ANN. §§ 97-45-1 to 97-45-13 (Supp. 1992); MO. REV. STAT. §§ 537.525, 569.093 to 569.099 (1986 & Supp. 1991); MONT. CODE ANN. §§ 45-2-101, 45-6-310 to 45-6-311 (1991); NEB. REV. STAT. §§ 28.1343 to 28.1348 (Supp. 1991); NEV. REV. STAT. ANN. §§ 205.473 to 205.491 (Michie 1992); N.H. REV. STAT. ANN. §§ 638:16 to 638:19 (1986); N.J. STAT. ANN. §§ 2C:20-23 to 2C:20-34 (West Supp. 1992); N.M. STAT. ANN. §§ 30-45-1 to 30-45-7 (Michie Supp. 1989); N.Y. PENAL LAW §§ 156.00 to 156.50 (McKinney 1988); N.C. GEN. STAT. § 14-453 to 14-457 (1986); N.D. CENT. CODE ANN. § 12.1-06.1-08 (Supp. 1991); OHIO REV. CODE ANN. §§ 2913.01, 2913.81 (Anderson 1993); OKLA. STAT. ANN. tit. 21, §§ 1951 to 1958 (West Supp. 1993); OR. REV. STAT. §§ 164.125, 164.377 (1991); 18 PA. CONS. STAT. ANN. § 3933 (Supp. 1992); R.I. GEN. LAWS §§ 11-52-1 to 11-52-8 (Supp. 1992); S.C. CODE ANN. §§ 16-16-10 to 16-16-30 (Law. Co-op. 1985); S.D. CODIFIED LAWS ANN. §§ 43-43B-1 to 43-43B-8 (1983 & Supp. 1992); TENN. CODE ANN. §§ 39-14-601 to 39-14-603 (1991); TEX. PENAL CODE ANN. §§ 33.01 to 33.05 (West 1989 & Supp. 1992); UTAH CODE ANN. §§ 76-6-701 to 76-6-705 (1990); VA. CODE ANN. §§ 18.2-152.1 to 18.2-152.14 (Michie 1988 & Supp. 1992); WASH. REV. CODE §§ 9A.52.110 to 9A.52.130 (1988); W. VA. CODE §§ 61-3C-1 to 61-3C-21 (Supp. 1992); WIS. STAT. § 943.70 (Supp. 1992); WYO. STAT. §§ 6-3-501 to 6-3-505 (1988).
75. 18 U.S.C. § 1030.
76. See, e.g. People v. Versaggi, 136 Misc.2d 361, 518 N.Y.S.2d 553 (1987) (Defendant argued that unauthorized issuing of computer commands to shut down company telephone system did not constitute statutorily prohibited "altering" of the computer program that operated the system, but rather constituted "interruption of the operation" of the computer system, which was not prohibited by statute).
77. 17 U.S.C. § 506; 18 U.S.C. § 2319.
78. See, e.g. C. Radin, Psst. Want Some Software Cheap, Boston Globe, February 28, 1995, p. 81.
79. A proposal pending before Congress would reverse the District Court's holding in LaMacchia, and would expressly make it a crime to infringe a copyright even if the sole "financial gain" obtained was the software itself. Criminal Copyright Improvement Act of 1995, S. 1122, 141 CONG. REC. S 11451 (August 4, 1995).
80. 839 F. Supp. 1552 (M.D. Fla. 1993).