This ease of accessibility and the newfound reliance on the information superhighway unfortunately also raises the potential to become a victim of a hijacking or other unauthorized intrusion into private affairs in cyberspace. The rapidly changing pace of technology, the confusion over user rights and the protection of the public interest offers a challenging platform for evolving legislation and controls
The use of computer system networks to access the Internet has rapidly become part of the very cornerstone of this country's business, financial, and governmental transactions. Rapid accessibility to information, records and communications has become paramount to the daily decisions and management of our business resources. Of concern to business managers on the Net is the potential for the unauthorized access, permanent destruction, alteration or irreparable damage to information, especially confidential or financial records. This damage could potentially be caused by anyone with a laptop, a modem, and access to the Internet.
Business needs answers to questions regarding liability and intellectual property protection. Assurances of system security for both business and their customers must be addressed. While ensuring protection for business, lawmakers must also protect the constitutional guarantees for privacy and freedom of expression. Finally they must also deal with anti-trust and the implications to the business organization of the next century.
This paper examines the current federal and state legislation, discusses the legislative protection for business, defines some of the business protection requirements and examines the proposed legislation relating to business needs.
The jurisdiction to investigate cases under this law was assigned jointly to the FBI and the U.S. Secret Service (USSS). The FBI was assigned to investigate cases involving espionage, misuse of classified data, government related fraud, terrorism, bank fraud, wire fraud and organized crime. The USSS has been given oversight responsibility for investigations of federal interest crimes relating to a variety of offenses, including financial institution fraud and electronic crimes involving network intrusion, where funds and data are stolen or manipulated.3
Additionally, the Secret Service is generally assigned to pursue those cases involving interstate claims of credit card fraud, ATM machine fraud, telephone fraud, and the unauthorized entry to the U.S. Department of Treasury computer systems. Both agencies are charged only to investigate the charges computer crime in Federal Interest. The respective investigative agencies must provide adequate evidence for the U.S. Attorneys office to pursue a prosecution in federal court.
Other federal legislation that has been used to combat computer crime includes the Electronic Communication Privacy Act of 1986, the Wire Fraud Act and the Privacy Protection Act of 1980.
In addition to the federal legislation, 49 of the 50 states have enacted computer crime statutes that address the definition of and the penalties for commission of computer crimes. It is notable that as of the completion of the 1994 Session, the only state without a computer crime statute is Vermont, the home state of the Honorable Senator Leahy, the chief spokesman for computer crime legislation in the U.S. Senate.4
A review of existing State legislation highlights the following:
Most state legislation is similar to federal law in terms of the prohibition of the modification, destruction, access to, duplication of, or possession of data, documentation, or computer programs without the consent of the owner, The disclosure of restricted access codes or other restricted information to unauthorized persons is prohibited by most state legislation, and Generally the degree of punishment or the magnitude of the fine is based on the degree of damage or cost.
The State of California Computer Crime Legislation is typical of the state legislation reviewed.5 It includes the development of a sliding scale of fines and/or possible imprisonment, based upon the degree of severity of the computer crime and consideration of the specific description of the type of computer crime, the extent of victim expenditure, and finally the "injury" to the victim. Interestingly "injury" is described in this context as "... any alteration, deletion, damage or destruction of a computer system, computer network, computer program, or data caused by the access" (apparently computers have feelings too). The California code also allows civil action for recovery of compensatory damages, including the imputation of conduct of unemancipated minors to their parents.
Other provisions that appear unique to California Code include:
Convictions for computer crimes are grounds for expulsion from state universities. Any computer, computer system, computer network, or software used for or used as a repository for the storage of ill-gotten goods or actions is subject to forfeiture. Except as otherwise required by law, the court shall consider alternative sentencing, including community service, if the defendant shows remorse and recognition of the wrong doing and an inclination to not repeat the offense.
It is significant that many of the states seem to take a rather soft approach to the commission of computer crimes. For example, New Hampshire has a provision pertaining to the determination of the value of property or computer services that states ". . . when the value of the property of computer services or damage thereto cannot be satisfactorily ascertained, the value shall be deemed to be $250".6
There appears to be little evidence to reveal a tough criminal approach to computer crime. In general the potential terms of imprisonment and the limits of fines seemed rather mild compared to the potential damages that could occur.
Most state statutes include specific guidelines and provisions for enabling civil action, against a computer hacker. But civil action is only feasible if the defendant has adequate resources to pursue. Considering profiles of a typical hacker, this civil provision may not provide any deterrent and given the limited assets, may be seen as merely a nuisance.
The 1990 conviction of Robert Tappan Morris Jr., the creator of the "worm" that caused the shutdown of an estimated 2,500 to 6,000 computers on the Internet demonstrates to some the ability of the CFAA to adequately address the scope of computer crime in the cybernet. The Morris conviction was considered the first successful prosecution under CFAA that makes it a felony to "intentionally access a Federal interest interstate computer without authorization." Morris was sentenced to 400 hours of community service, three years probation and fined $10,000. The trial Judge concluded that ". . . prison would not be a suitable punishment for this crime".7
While seen as an important milestone to some, others viewed this prosecution as an overzealous misdirection of limited prosecutarial resources.8 There was after all, no physical damage; the actual costs of reprogramming and correcting the problem were undetermined and there was no financial gain to the perpetrator. Mr. Morris was apparently a typical 22 year old graduate student, e.g., broke with no resources. The potential to recover damages in a civil action seemed remote.
An example where the CFAA was less effective in the protection of business interests is the case of David LaMacchia. LaMacchia, a MIT junior, was indicted in 1994 for conspiracy to commit wire fraud for operating a bulletin board system on MIT workstations that was used to trade unauthorized copies of commercial copyrighted software without paying. The charges against LaMacchia were dismissed when the judge ruled that copyright infringement can not be prosecuted under the wire fraud statute.
Software authors and companies have long complained that not enough was being done to curb large-scale piracy of proprietary matter on the Internet and other computer networks and applauded the indictment. Some computer-rights proponents said the indictment went too far because LaMacchia did not actually copy the software himself.9
The Software Publishers Association called the final ruling disappointing and said that it was a concern for future cases because it narrows what little case law exists on the subject. Whether LaMacchia was paid or not, "when you get down to it... he was transmitting unauthorized copies of authorized software."10
The US Congress has recognized the necessity to remain proactive and to ensure technology does not outrun the regulations through constant attention.
Current legislation meant to address issues of federal interest include the following:
On June 19, 1995, in testimony before the 104th U.S. Congress, Senators Kyl, Leahy and Grassley introduced Senate Bill 982, known as the National Information Infrastructure Protection Act of 1995. This action as explained by Senators Kyl and Leahy, was to improve the existing CFAA legislation ". . . by providing more protection to computerized information and systems, by designating new computer crimes, and by extending protection to computer systems used in foreign or interstate commerce or communication." Senator Kyl and Leahy, the promoters of the NII believe that this legislation will strengthen current protections by the following:11
The definition of a federal interest computer would be replaced with protected computer and expanded to include those computers used in foreign communications. The protection for classified national defense or foreign relations information maintained on computers would be specifically protected. In general terms, the NII would strengthen the penalties for computer crime.
Any criminal activity, including obtaining government information or confidential information from the private sector could result in felony prosecution. The scope of criminal action would be expanded to include the intentional misuse of the computer system by authorized users, where the intent is for financial gain, commercial advantage, or to commit any criminal or tortuous act. The bill would protect against damage to computers caused by either outside hackers or malicious insiders.
The bill would seek to expand the protection of the CFAA to protect computers used in interstate or foreign commerce or communications. This aspect of the NII is seen as and expansion of the definition of federal interest, and would expand interstate (and international) protection to include concerns such as the telecommunications network. The bill adds a provision to protect systems against threats of computer-age blackmail. Persons could be prosecuted for threats to harm or invade computer networks unless their demands are addressed.
The final objective of the bill is to consolidate computer crime legislation in one section of the Federal Code. The authors of this code believe that by centralizing computer crime under one statute, we may better measure existing harms, anticipated trends, and determine the need for additional legislative reform.
Legislators have a long history of assuming that what is good for business is good for the individual and vice versa. The interests of these parties may not be well served with global solutions to the questions raised by use of the Interent. Both business and individuals may well enjoy the same solutions to 'look and feel' interfaces to the Internet but it is hard to imagine that individual use will require the protection for information that business use will require. The solution to protect the credit card information of the individual may serve as a starting point but will it be adequate to protect the large customer database of credit card information used by business?
The potential benefits of the use of the Internet for business conduct and communication are immense. The ability to distribute privileged or secure information by use of computer networks extends huge advantages of convenience as well as economizes time, money and resources. The technology is here and now and is awaiting acceptance by business and the public as a fast, safe and positive alternative to existing modes of communication and transactions. Adverse publicity, characterized by media headlines of computer theft, fraud and hacking, reinforce the public and business reluctance to enter the info highway.
The potential increased demand for Internet services by the business community is seen as an attractive source of future revenue and a basis for growth of the system. In order for business to place its confidence and future in the Internet, certain assurances of security and confidentiality must be maintained. Dern has identified that among the services commercial users want from the Internet is an assurance of security against intrusion and eavesdropping.12 This assurance should be to the same general degree of security that they can expect from all of their communication services and must address the accuracy and authenticity of information and guarantee privacy for users and providers.
At a recent Capitol Hill Hearing, Robert H. Rasor, Deputy Assistant Director of Investigations at the U.S. Secret Service (USSS) testified before the Committee on Banking and Financial Services.13 He stated that his department is charged with the oversight responsibility for investigations relating to a variety of offenses including financial institution fraud and electronic crimes involving network intrusions, where funds and data are stored or manipulated.
To assist the business community in combating computer crime, the USSS has developed a proactive risk analysis process. The intent of this process is to focus on the inherent weaknesses in the system that are targeted by the criminal community. Rasor recommended that proposed cyber system users demonstrate their ability to protect themselves and be prepared to assist law enforcement when abuse occurs.
Rasor maintains that active memberships in the industry committees and working groups provide a forum for the exchange of necessary information and awareness of the status of the industry.
Since the 1980s, digitization and cheap, widely-used and available personal computers have made copying easy, perfect and fast. Since quickly making thousands of perfect copies is possible for anyone with a PC, the only remaining barrier to widespread copying is access to material worth copying.
Advanced communication networks like the Internet provide access to material that is worth copying. Indeed, software, games, audio, video, still pictures, conversations - virtually every type of information is now digitized.
A 1995 Pinkerton Security survey14 of corporate security directors indicated that protection of so-called intellectual property, trademarks, trade secrets, copyrights, patents and other proprietary files or information ranked overall as the second most important concern of security executives after workplace violence.
The Hallcrest Report 215 estimated that billions of dollars of revenue are lost each year to copyright infringement on the Internet. The Software Publishers Association has pursued companies suspected of violating software copyright laws, collecting $14M in fines nationally during the last five years.
Under current copyright principles, the business may be found liable for its customer's or employee's copyright infringement, even if the business was completely unaware that the material was infringing.16 With so many now connected to computer networks, this potential liability for employers is much greater. Employees now can copy not only software programs, but also textbooks and journal articles.
As with the copying of commercial software, the threat of litigation against isolated, individual offenders will not be effective in deterring most infringers. Thus, copyright owners will try to sue those who provide access to networks. The vicarious liability for theft, copyright infringement and unauthorized access extends beyond the individual and encompasses the employers as a firm and the corporate officers as individuals. Business may choose to stay off the Internet rather than risk the liability.
The NII working group fails to understand this liability problem confronts not only the large on-line service providers, but all businesses that want to participate actively on the Internet.17
Guidelines for the application of new privacy principles will be released to coincide with National Consumers Week, October 23 - 30, 1995. The Voluntary Privacy Principles for users of the Information Superhighway will be outlined in the National Telecommunications and Information Administration (NTIA) report called, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information.18
It recommends that business adopt a policy of informing individuals of the scope of any information gathering in which they are engaged and outlining the intended use of the information and then, limiting the use to those stated purposes.
After a preview of the guidelines, industry is screaming that the guidelines are vague and unenforceable and individuals say they are ambiguous and make too many concessions to business.
Anonymity is another concern for business. Encryption offers wide protection for business but also for the computer criminal. The ability to conceal the identity of the user protects the user's privacy but poses different problems for the business and law enforcement agencies dealing with the aftermath of a computer crime.
But federal policy makers have opposed the widespread technology of computerized encryption. If such programs were made available on the Internet, they argue, foreigners would have access to encryption technologies that are prohibited from export. The problem is that American business today competes in a global marketplace, but encryption technologies are restricted to US boundaries.19
According to federal law enforcement agencies' estimates, on-line thieves steal more that $10B worth of data in the US annually.20 On-line theft represents an increasing risk to corporations whether or not they operate over the Internet. The threat is not simply the penetration of network and Internet firewalls per se, but the emergence of an on-line market for corporate data that could be stolen by a company's own employees.
Finally business as it is known today will not be business of tomorrow. The capability and expansion offered by the Internet create the opportunity for virtual offices, virtual communities, virtual workgroups, and virtual companies, each with a wider focus and need for protection. Business opportunities will allow the combining and dissolving of industry arrangements for very specific outcomes. There will be no requirement for co-locations, staff consolidations or joint facilities. Legislation must recognize that today's anti-trust violation is tomorrow's virtual organization.
Both current federal and state legislation have attempted to deal with computer crimes as understood at the time the legislation proposed. Neither level has done a very comprehensive job of addressing the rapid evolution of the medium or envisioning how current usage has changed the way business is now conducted. Interstate movement is the concern of the federal statutes; state statutes are left to deal with damage assessment within state boundaries. In an environment where access is global, network routing is unknown to the user and usage has exponential growth, the current legislation leaves gaping holes for business users. How are they really protected? What are the implications for the business firm when access unknowingly is obtained through their site? Are they left to protect themselves?
More laws are not necessarily the answer. But laws that address the flexibility and changing face of this environment are required. Government regulation must recognize the changing face of technology and how this technology is shaping the marketplace. Focusing on the industry leaders in today's recognized industries will not serve the industries of tomorrow.
Legislation will again be playing catch-up as the technology moves pass at breakneck speed.
If the current vision of the Interent as the marketplace of tomorrow is to be realized, the regulation and legislation must protect not only the individual but the business user.
1 Dern, Daniel, "Meeting the Challenges of Business and End-User Communities on the Internet: What They Want, What They Need, What They're Doing", Public Access to the Internet, Cambridge, MA, The MIT Press, edited by Kahin and Keller 1995.
2 "Computer Fraud and Abuse Act", Congressional Record, U.S. Senate, April 10, 1986, Legislative day of September 24, 1986, 132 Cong Rec. S14453, Vol. 132, No 133, Continuation of Senate Proceedings of October 1, 1986, Issue No 133, and Proceedings of October 2, 1986, Issue No. 134.
3 Rasor, Robert, Deputy Assistant Director of Investigations, U.S. Secret Service, "Testimony before the House Subcommittee on Domestic and International Monetary Policy of the Committee on Banking and Financial Services", October 11, 1995.
4 Friedman, M., Carmicino, B, and Buys, K., " The Electronic Law Office, Infojacking: Crimes On the Information Super Highway", New Jersey Law Journal, May 22, 1995, pg. S-2.
5 CALIFORNIA CODES ANNOTATED, Penal Code, Part 1, Title 13, Chapter 5, Section @502. Computer Crimes, current through 1994 Session.
6 NEW HAMPSHIRE REVISED STATUTES ANNOTATED, Title LXII, Chapter 683, RSA 638:17(1994), Current through 1994 Session.
7 Hafner, Katie, "Morris Code, Computer Crimes and Misdemeanors Vigorous Prosecution of Robert T. Morris Jr. Questioned", The New Republic, February 19, 1990, Vol. 202, No. 8, Pg. 15, ISSN: 0028-6583.
8 Spafford, Eugene, " Crisis and Aftermath, the Internet Worm", Communications of the ACM, June, 1989, Vol. 32, No. 6; Pg. 678; ISSN 0001-0782.
9 "College Student Indicted for Pirating on Internet," Information Access Co., Computer Fraud & Security Bulletin, Elsevier Advanced Technology Publications, , May, 1994.
10 "Charges Dropped Against Student", Computer Fraud & Security Bulletin, Elsevier Science Publishers LTD., February , 1995.
11 "National Information Infrastructure Protection Act of 1995", Congressional Record, U.S. Senate, June 30, 1995, Legislative day of June 19, 1995, 141 Cong. Rec S9573, Vol. 141 No. 109.
12 Dern, Daniel, "Meeting the Challenges of Business and End-User Communities on the Internet: What They Want, What They Need, What They're Doing", Public Access to the Internet, Cambridge, MA, The MIT Press, edited by Kahin and Keller 1995.
13 Rasor, Robert, Deputy Assistant Director of Investigations, U.S. Secret Service, "Testimony before the House Subcommittee on Domestic and International Monetary Policy of the Committee on Banking and Financial Services", October 11, 1995.
14 Dempsey, Mary, "No. 2 BIX Concern: Data Protection", Crain's Detroit Business, October 2, 1995.
15 Ibid.
16 Band, Jonathan, "Liability: The Web's Big Worry", San Francisco Examiner, October 8, 1995, Sunday Fifth Edition, Pg. B-5.
17Ibid.
18 "Top Administration Consumer Officials Launch National Consumers Week, Focus on Consumer Service, Privacy Protection, Fraud", PR Newswire, Section: Washington Dateline, to: Business Editor, October 20, 1995.
19 Bigelow, Bruce, "Computer Networks Ripe for Info-Highway Robbery", The San Diego Union-Tribune, September 6, 1995, Section: Lifestyle, Ed 1-8, pg. E-2.
20 Wilder, Clinton and Violino, Bob, "Data Security; On-Line Theft--Trade in Black-Market Data is a Growing Problem for Both Business and the Law", Information Week, August 28, 1995.
"Anti-Counterfeiting Group's Gall Meeting Explores Infringement on the Internet", BNA Management Briefing, October 18, 1995.
Abate, Tom, "Keystroke Cops; FBI's New 'CyberSwat' Team Fuels the Debate Over Electronic Privacy", The San Francisco Examiner, September 7, 1995, Second Edition, Section: Business pg. B-1.
Band, Jonathan, "Liability: The Web's Big Worry", San Francisco Examiner, October 8, 1995, Sunday Fifth Edition, Pg. B-5.
Bigelow, Bruce, "Computer Networks Ripe for Info-Highway Robbery", The San Diego Union-Tribune, September 6, 1995, Section: Lifestyle, Ed 1-8, pg. E-2.
CALIFORNIA CODES ANNOTATED, Penal Code, Part 1, Title 13, Chapter 5, Section @502. Computer Crimes, current through 1994 Session.
"Charges Dropped Against Student", Computer Fraud & Security Bulletin, Elsevier Science Publishers LTD., February , 1995.
Chirstodoulo, George and Fitzpatrick, Anthony, "Electronic Theft Could Create Vicarious Liability", The National Law Journal, April 17, 1995.
CODE OF IOWA 1995, Title XVI, Subtitle 1, Chapter 716a, Iowa Code @716A.2(1995), Current through 1994 Legislation.
"College Student Indicted for Pirating on Internet," Information Access Co., Computer Fraud & Security Bulletin, Elsevier Advanced Technology Publications, , May, 1994.
"Computer Abuse Title in S.1607", Congressional Record, U.S. Senate, November 19, 103rd Cong; 1st Sess., 139 Cong Rec. S16421, Vol. 139, No 162, Part 2.
"Computer Fraud and Abuse Act", Congressional Record, U.S. Senate, April 10, 1986, Legislative day of September 24, 1986, 132 Cong Rec. S14453, Vol. 132, No 133, Continuation of Senate Proceedings of October 1, 1986, Issue No 133, and Proceedings of October 2, 1986, Issue No. 134.
"Definition of 'Federal Interest Computer' Not Unconstitutionally Vague ", The Computer Lawyer, Section : Current Developments: Criminal; Vol.10, No 6; Pg 36.
DELAWARE CODE ANNOTATED, Title 11, Part I, Ch 5, Subchpt III, Subpart K, 11Del.C.@932(1994), current through 1994 Regular Session.
Dempsey, Mary, "No. 2 BIX Concern: Data Protection", Crain's Detroit Business, October 2, 1995.
Dern, Daniel, "Meeting the Challenges of Business and End-User Communities on the Internet: What They Want, What They Need, What They're Doing", Public Access to the Internet, Cambridge, MA, The MIT Press, edited by Kahin and Keller 1995.
Fishbein, Stephen, "What Victims of Computer Crime Should Know and Do", New York Law Journal, November 12, 1993, Section: Outside Council, pg 1.
Friedman, M., Carmicino, B, and Buys, K., " The Electronic Law Office, Infojacking: Crimes On the Information Super Highway", New Jersey Law Journal, May 22, 1995, pg. S-2.
Fulton, Anne M., "Cyberspace and the Internet: Who Will Be the Privacy Police?", CommLaw Conspectus, The Catholic University of America, 1995.
Gellman, Robert, "Privacy and the National Information Infrastructure", DM News, August 21, 1995, Section: On Privacy; pg 13.
GENERAL STATUES OF CONNECTICUT, Title 53a, Chptr 952, Part XXII, Computer Related Offenses, @53a-251, current through 1994 session.
Goldstein, Matthew, "Proposed Guide Seen Inadequate to Protect Superhighway Privacy", New York Law Journal, May 16, 1994, pg. 1.
Hafner, Katie, "Morris Code, Computer Crimes and Misdemeanors Vigorous Prosecution of Robert T. Morris Jr. Questioned", The New Republic, February 19, 1990, Vol. 202, No. 8, Pg. 15, ISSN: 0028-6583.
"Ideas in Cyberspace, Vulnerable to Theft", The Phoenix Gazette, September 5, 1995, Final, Section, Front, pg. A-5.
Maney, Kevin and Meredith, Robin, "Risky Business on the Internet//Few Feel Safe Making On-Line Transactions", USA TODAY, September 20, 1995, Final Edition, Section: Money, pg. 1B.
Maurer, Michael, "Court shakes Up Computer-Service Firms: Software Copyright at Issue", Crain's Detroit Business, September 4, 1995.
"National Information Infrastructure Protection Act of 1995", Congressional Record, U.S. Senate, June 30, 1995, Legislative day of June 19, 1995, 141 Cong. Rec S9573, Vol. 141 No. 109.
"NTIA About to Release Report on Privacy in Information Age", BNA Management Briefing, The Bureau of National Affairs, September 22, 1995.
NEW HAMPSHIRE REVISED STATUTES ANNOTATED, Title LXII, Chapter 683, RSA 638:17(1994), Current through 1994 Session.
Rasor, Robert, Deputy Assistant Director of Investigations, U.S. Secret Service, "Testimony before the House Subcommittee on Domestic and International Monetary Policy of the Committee on Banking and Financial Services", October 11, 1995.
"Security on Information Highway Disclosed at Advisory Committee Meeting", Daily Report For Executives, July 18, 1994, 1994 DER 135d32, Regulation, Economics and Law, Section A;135l.
Spafford, Eugene, " Crisis and Aftermath, the Internet Worm", Communications of the ACM, June, 1989, Vol. 32, No. 6; Pg. 678; ISSN 0001-0782.
"Top Administration Consumer Officials Launch National Consumers Week, Focus on Consumer Service, Privacy Protection, Fraud", PR Newswire, Section: Washington Dateline, to: Business Editor, October 20, 1995.
WEST VIRGINIA CODE ANNOTATED, Chapter 61, Article 3C., W.Va. Code @61-3D-5(1995), current through 1995 Session.
Wilder, Clinton and Violino, Bob, "Data Security; On-Line Theft--Trade in Black-Market Data is a Growing Problem for Both Business and the Law", Information Week, August 28, 1995.
WISCONSIN STATUTES, Chapter 943, Wis. Statue. @943.70(1994), Current through 1994 Legislation.