Computer Crimes
7. Computer Crimes
The body of laws governing crimes on the Internet are some of the most rapidly changing of all state laws. Controversy surrounding issues such as pornography on the Internet and the World Wide Web, the copying and posting of copyrighted information from an authorized site on the Internet to another site, and privacy of communication and access to materials on the Internet are still being hotly debated and no clear method for dealing with them has yet been devised. In addition, recent efforts to regulate the world of the Internet have taken place largely in the federal level. As of this writing, major federal legislation has just been enacted that covers many activities on the Internet, but the regulations have not yet been written enforcing its various provisions and much of the act is not yet effective. Accordingly, there is still much speculation about what the law means.
On the state level, the one thing upon which there is much unanimity is that theft of information or money in electronic form is much the same as theft in any other form. State laws on computer crime, therefore, focus on theft of information or money through the use of a computer or an on-line computer service.
Virtually every state requires that one have the requisite mental state before they may be convicted of a computer crime. One must willfully, knowingly or purposely access computer-based data and intend to steal, destroy or alter computer-based information, steal services, passwords, or otherwise interfere with hardware or software, etc. It is not enough for purposes of these laws to accidently or unintentionally wander into areas on the internet where valuable or secure information may reside. If one enters such an area using computers or computer technology, his/her intent must be to steal, destroy or defraud to be found guilty of a crime.
Only a handful of states don’t explicitly ban access to certain computer files. In most states mere access can be prosecuted as a crime. In addition, many states have the additional requirement that damage sustained by the victim of the crime be of a certain amount before the crime becomes a felony. For example, in New Jersey, if damage is more than $200, it is a felony. If it is less, it is a misdemeanor. The limit is $1,000 in South Dakota, $10,000 in Connecticut. In very few states, there is either no misdemeanor provision at all, or no money amount distinguishing the one from the other.
As the technology becomes ubiquitous, the law in this controversial area is sure to be subject to tremendous change and development over the next few years. One new development that is only beginning is legislation regarding the use of computers in acts of terrorism. To date, only two states have provisions regarding computer crimes and acts of terrorism. For example, Indiana specifically mentions terrorism, but others imply it in language that makes it a crime to use computers to disrupt government services or public utilities. It is anticipated that in the next few years there will be a growing number of states defining certain computer crimes as terrorism and then enhancing the penalties for committing such crimes. In the meantime, this chapter can be used at least as a guidepost to identify the specific laws in question even if the specific provisions change in the details.
Table 7: Computer Crimes | ||||||
---|---|---|---|---|---|---|
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
ALABAMA | 13A-8-100, et seq. | Willfully, knowingly, without authorization or without reasonable grounds | Access; alter, damage, or destroy hard/software valued under $2,500, class A misdemeanor | Access plus scheme to defraud; alter, damage, or destroy hard/software valued over $2,500 or cause interruption of public/government services; class C felony if purpose of offense is to scheme, defraud or obtain property; class B felony if damage = or > $2,500; interruption of government operation or public/utility service; class A felony if action causes physical injury to person not involved in said act. | No | No |
ALASKA | 11.46.740 | Knowingly, without reasonable grounds | None | Obtain or change information about a person, class C felony | No | No |
ARIZONA | 13-2316, et seq. | Intentionally, knowingly, recklessly | None | Access; access plus scheme to defraud; computer fraud in the 1st degree, class 3 felony; computer fraud in the 2nddegree, class 5 felony | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
ARKANSAS | 5-41-101, et seq. | Intentionally, purposefully | Computer trespass, access with damage under $2500 but over $500, class A misdemeanor; access with no damage, class C misdemeanor; access as 2nd or subsequent violation with loss or damage under $500, class B misdemeanor; unlawful computerized communication, class A misdemeanor; computer fraud, class D felony | Access with damage over $2500; computer fraud, class D felony | No | Yes |
CALIFORNIA | Penal Code 502 | Knowingly, willful for additional punitive or exemplary damages | Access; introduce virus; traffic in providing access; theft of services valued under $400, fine up to $5000 or imprisonment in county jail for up to 1 year, for first offense that doesn’t result in injury | Access plus scheme to defraud; alter, damage or destroy hard/software valued over $5000; theft of services valued over $400; access and alters, destroys, uses, copies, damages data or disrupts computer services punishable by fine up to $10,000 or imprisonment in county jail for 1 year, for offense that results in injury or 2nd or subsequent offense | No | Yes |
COLORADO | 18-5.5-101 et seq. | Knowingly | Class 3 misdemeanor if loss or damage is less than $100; class 2 if between $100 and $500 | Class 4 felony if between $500 and $15,000; class 3 felony if $15,000 or more | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
CONNECTICUT | 53a-250, et seq. | Knowingly | Class A misdemeanor: when unauthorized access to computer systems or theft computer services or interruption of computer services or misuse of computer system info or destruction of computer equipment and total damage exceeds $500; class B misdemeanor: same computer crimes and damages $500 or less | Class B felony: when he/she commits same offenses listed above and damage exceeds $10,000; class C felony: ditto and damage exceeds $5,000; class D felony: ditto and damage exceeds $1,000 or reckless conduct creates risk of physical injury | No | Yes |
DELAWARE | 11 §§931, et seq. | Knowingly, intentionally, recklessly, negligently | Class A misdemeanor: when unauthorized access, theft of computer services, interruption of computer services, misuse of computer system info or destruction of computer equipment, sending commercial email after asked to stop, and damages $500 or less | Class G felony: same offenses and damages >$500; class F felony: same offenses and damages exceeds $1,000 or risk of injury to another person; class E felony: same offenses and damages exceed $5,000; class D felony: same and damages exceed $10,000 | No | Yes |
DISTRICT OF COLUMBIA | None |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
FLORIDA | 815.01, et seq. | Willfully, knowingly, and without authorization | Misdemeanor of the 1st degree: For offenses against computer equipment and supplies: if damage between $200 and $1,000 | Felony in the 1st degree if: violation endangers human life; felony in 2nd degree if: damages are $5,000 or greater or offense was for purpose of devising or executing any scheme or artifice to defraud or obtain property or interrupts or impairs government services or public service/utility; felony in the 3rd degree: all other violations. | No | Yes |
GEORGIA | 16-9-91, et seq. Note: Section does not specifically classify crimes listed as either felony or misdemeanor. Offenses listed in misdemeanor or felony columns are based on the levels of punishments imposed rather than by explicit classification. | Knowingly, intentionally | Traffic in passwords | Computer theft, trespass (including modify, destroy, interfere with use), invasion of privacy, forgery | No | Yes |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
HAWAII | 708-890, et seq. | Intentionally, knowingly | Computer fraud: class B felony if knowingly defrauded, accessed computer without authorization and damage $300 or less in any 1 yr. period; class C felony if knowingly defrauded, transferred, or otherwise disposes of control of access; Computer Damage: class B felony if knowingly causes transmission that causes unauthorized damage or intentional access of a computer that causes damage; class C felony if knowingly accesses computer without authorization and recklessly causes damage. | No | No | |
IDAHO | 18-2201 to 18-2202 | Knowingly | Use, access, or attempt to access | Access or attempt to access with purpose to scheme, defraud or obtain property, money or services; alter, damage, or destroy computer, computer system, computer network or software/data/documentation | Yes | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
ILLINOIS | 720 1LCS 5/ 16D-1, et seq | Knowingly | Access or cause to be accessed, falsified email information or other routing information in transmission of unsolicited bulk email through email service provider or its subscribers or gives software enabling this, class B misdemeanor; access and obtain data or services, class A misdemeanor for 1st offense | Class 4 felony: access with purpose to scheme, defraud or deceive; damages computer or alter, delete, or destroy program or data in connection with scheme, defraud or deceive; if offender accesses computer and obtains money or control of money in connection with his/her scheme, defraud or deception; class 3 felony if any of the above are 2nd or subsequent offense; class 4 felony: if value of money, property, or services is $1,000 or less or if 2nd or subsequent offense obtaining data or services; class 3 felony: if value between $1,000 and $50,000; class 2 felony: if value $50,000 or more | Yes | Yes |
INDIANA | 35-43-1-4; 35-43-2-3 | Knowingly; intentionally | Access, class A misdemeanor | Class D felony: computer tampering; class C felony if for purpose of terrorism; class B felony if for purpose of terrorism and results in serious bodily harm to a person | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
IOWA | 714.1 et seq.; 716.6B; 702.1A; 702.14 | Knowingly | Theft of data or services with value between $500 and $1000, aggravated misdemeanor; $200-500, serious misdemeanor; under $200, simple misdemeanor; access of computer, simple misdemeanor | Theft of data or services with value over $10,000, class C felony; value between $1000 and $10,000, class D felony | No | Yes |
KANSAS | 21-3755 | Intentionally | Criminal computer trespass and computer password disclosure are class A nonperson misdemeanors | Computer crime is a severity level 8 nonperson felony | Yes | No |
KENTUCKY | 434.840, et seq. | Knowingly, intentionally | Unlawful access to a computer in 2nd degree is class A; unlawful access in 4th degree is a class B misdemeanor | Unlawful access to computer in 1st degree, class C felony; misuse of computer info is a class C felony; unlawful access in 2nd degree is a class D felony | Yes | No |
LOUISIANA | 14:73.1, et seq. Note: Section does not specifically classify crimes listed as either felony or misdemeanor. Offenses listed in misdemeanor or felony columns are based on the levels of punishments imposed rather than by explicit classification. | Intentionally | Alter, damage or destroy hard/software valued under $500; interfere with use of another valued under $500 | Alter, damage or destroy hard/software valued over $500; interfere with use of another valued over $500; computer fraud | No | No |
MAINE | Tit. 17-A §§431, et seq. | Intentionally; knowingly | Access | Copying; alter, damage or destroy hard/software; introduce virus | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
MARYLAND | Crim. Law §7-302 | Intentionally; willfully | A person who illegally accesses computer is guilty of a misdemeanor | If aggregate amount of loss is over $10,000 | Yes | No |
MASSACHUSETTS | Ch. 266 §33A | Intentionally | none | none | Yes | No |
MICHIGAN | 752.791, et seq. | Intentionally | If violation involves $200 or less | If violation involves more than $1000 | No | No |
MINNESOTA | 609.87, et seq. | Intentionally | Misdemeanor: commission of unauthorized computer access; Gross Misdemeanors: commission in a manner that creates risk to public health/safety, commission in a manner that compromises the security of data, conviction of second or subsequent misdemeanors within 5 years | Commission of unauthorized computer access in a manner that creates a grave risk of causing death of a person, conviction of second or subsequent gross misdemeanor | Yes | No |
MISSISSIPPI | 97-45-1, et seq. Note: Section does not specifically classify crimes listed as either felony or misdemeanor. Offenses listed in misdemeanor or felony columns are based on the levels of punishments imposed rather than by explicit classification | Intentionally | Access; any of the following, causing damages less than $100: interfere with use; alter, damage or destroy hard/software; traffic in passwords | Access plus scheme to defraud; any of the following, causing damages greater than $100: interfere with use; alter, damage or destroy hard/software; traffic in passwords | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
MISSOURI | 537.525, 569.094, et seq. | Knowingly | Class A misdemeanor: tampering with computer equipment, tampering with computer users | Tampering with computer equipment with purpose to scheme, defraud, or obtain property the value of whichis $150 or more is class D felony; if damage to computer or related parts is between $150 and $1,000, then class D felony; if damage is $1,000 or more, then class C felony; tampering with computer users with purpose to scheme, defraud, or obtain property the value of which is $150 or more, class D felony | No | Yes |
MONTANA | 45-2-101, 45-6-310 to 45-6-311 | Knowingly, purposefully | Any of the following, causing damages less than $1000, access; access plus scheme to defraud; alter, damage or destroy hard/software | Any of the following, causing damages greater than $1000: access; access plus scheme to defraud; alter, damage or destroy hard/software | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
NEBRASKA | 28-1343, et seq. | Intentionally | Commission of unauthorized computer access in a manner that creates risk to public health/safety is class I misdemeanor; commission of unauthorized computer access in a manner that compromises the security of data is class II misdemeanor; unlawfully accessing computer to obtain confidential public info is class II misdemeanor; second or subsequent offense is a class I misdemeanor; accessing without authorization or exceeding authorization is class V misdemeanor; second or subsequent offense is class II | Access with intent to deprive or obtain property/services is a class IV felony; if value of property/services is $1,000 or more, then class III felony; access and damage, disruption, or distribution of destructive computer program, then class IV felony; if losses with a value of $1,000 or more, then class III felony; if causes grave risk of causing death, then class IV felony | No | No |
NEVADA | 205.473, et seq. | Knowingly, willfully | Unlawful access is a misdemeanor as well as unlawful interference with or denial if access or use | Unlawful access done to defraud or obtain property or causing damages excess of $500 or interrupts/impairs public service/utility is a class C felony; unlawful interference with or denial of access of use done to defraud or obtain property is a class C felony. | Yes | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
NEW HAMPSHIRE | 638:16, et seq. | Knowingly | Computer crime is a misdemeanor if damage is $500 or less | Computer crime with damages exceeding $1,000 is a class A felony; computer crime with damages exceeding $500 or offender’s conduct creates risk of physical injury is a class B felony | No | No |
NEW JERSEY | 2C:20-23, et seq. Note: Section does not specifically classify crimes listed as either felony or misdemeanor. Offenses listed in misdemeanor or felony columns are based on the levels of punishments imposed rather than by explicit classification. | Purposely, knowingly | Access; any of the following, causing damages less than $200: access plus scheme to defraud; alter, damage or destroy hard/software | Access; any of the following, causing damages greater than $200: access plus scheme to defraud; alter, damage or destroy hard/software | No | No |
NEW MEXICO | 30-45-1, et seq. | Knowingly, willfully | Any of the following, causing damages less than $250: access; access plus scheme to defraud; alter, damage or destroy hard/software; disclosure, copy or display of computer information; less than $100 is a petty misdemeanor | Any of the following, causing damages greater than $250: access; access plus scheme to defraud; alter, damage or destroy hard/software; disclosure, copy or display of computer information; $250 to $2500 in damages, 4th degree felony; $2500 to $20,000, 3rd degree felony, $20,000 or greater, 2nd degree felony | No | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
NEW YORK | Penal Code 156.00, et seq. | Knowingly; intentionally | Unauthorized use of computer is a class A misdemeanor; computer tampering in fourth degree is a class A misdemeanor | Computer tampering in third degree is a class E felony; computer tampering in second degree is a class D felony; computer tampering in first degree is a class C felony; unlawful duplication of computer related material is a class E felony; criminal possession of computer related material is a class E felony | Yes | No |
NORTH CAROLINA | 14-453, et seq. | Willfully | Class 1 misdemeanors: unlawful access of computers for purposes other than to scheme, defraud, or obtain property; altering, damaging, or destroying computer software, programs or data | Class G felony: to access computer with purpose to scheme, defraud, obtain property; also Class G felony: to damage computer, computer system, computer network, or parts thereof; Class F felony: access to any government computer; Class H felony: denying access to government computer services | No | Yes |
NORTH DAKOTA | 12.1-06.1-08 | Intentionally | Computer crime is a class A misdemeanor | Computer fraud is a class C felony | Yes | Yes |
OHIO | 2913.01, et seq. | Knowingly | 4th degree misdemeanor: unauthorized use | Unauthorized use of computer property is felony of the 5th degree | Yes | No |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
OKLAHOMA | Tit. 21, §§1951, et seq. | Willfully | Access or use of cause to be used computer services | Access plus scheme to defraud; alter, damage or destroy hard/software; denial of access; traffic in passwords. There are several prohibited acts under the Computer Crimes Act classified as a felony | Yes | Yes |
OREGON | 164.125; 164.377 | Knowingly | Access is class A misdemeanor; theft of services is class C misdemeanor if total of services is less than $50. class A misdemeanor if total of services is more than $50 but less than $750 | Class C felony: access plus scheme to defraud; alter, damage or destroy hard/software; theft of data or services | Yes | No |
PENNSYLVANIA | Tit. 18 §7601, et seq. | Intentionally and knowingly | Unlawful transmission of e-mail is misdemeanor of 3rd degree; unless causes damage of $2,500 or more, then misdemeanor of 1st degree. | Unlawful use, disruption of service, theft, unlawful duplication, trespass and distribution of virus are felonies of 3rd degree. | No | No |
RHODE ISLAND | 11-52-1, et seq. | Purposefully, intentionally; knowingly | Theft of data or services valued under $500; cyberstalking | Access of computer for fraudulent purposes; intentional access, alteration, damage, or destruction; computer theft with a value over $500; use if false information and tampering with computer source documents | No | Yes |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
SOUTH CAROLINA | 16-16-10, et seq. | Willfully, knowingly, maliciously | Computer crime in the second degree, class A misdemeanor; Computer crime in the third degree, class B misdemeanor | Computer crime in the first degree, class E felony; second or subsequent convictions of computer crimes in the second degree, class F felony | No | No |
SOUTH DAKOTA | 43-43B-1, et seq. | Knowingly | Obtaining use, altering or destroying system, access and disclosure without consent where value is $1000 or less, class 1 misdemeanor; obtaining use, altering or destroying system as part of deception where value involved is $1000 or less, class 1 misdemeanor | Obtaining use, altering or destroying system, access and disclosure without consent where value involved is more than $1000, class 6 felony; Obtaining use, altering or destroying system as part of deception; value is more than $1000, class 4 felony | Yes | No |
TENNESSEE | 39-14-601, et seq.; 39-14-105 | Knowingly, directly or indirectly | Access is class C misdemeanor; introducing virus is class B; hacking into any computer system is class A | Access for purpose of fraudulently obtaining money, property or services; act of terrorism | Yes | Yes |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
TEXAS | Penal Code 33.01, et seq. | Knowingly, intentionally | Break of computer security is class B misdemeanor; class A if the amount involved is above $1,500 | Break of computer security is a state of jail felony if amount involved is between $1,500 and $20,000 or amount is less than $1,500 and defendant has previous conviction; felony of third degree is amount between $20,000 and $100,000; felony of second degree if amount between $100,000 and $200,000; felony of first degree if amount is $200,000 or above | No | No |
UTAH | 76-6-702, et seq. | Intentionally, knowingly | When damage is under $300 or info is not confidential then class B misdemeanor; when damage is between $300 and $1,000, then class A | When damage is between $1,000 and $5,000, third degree felony; when damage is or exceeds $5,000 then second degree, there is also a third degree felony | Yes | No |
VERMONT | Tit. 13 §4101 et seq. | Knowingly, intentionally | No | Yes |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
VIRGINIA | 18.2-152.1, et seq. | Intentionally | Computer fraud with value of property or services less than $200, class 1 misdemeanor; Computer trespass is class 3 misdemeanor; if damages $2,500 or more, then class 1; computer invasion of privacy is class 1; theft of computer services is class 1; personal trespass by computer done unlawfully but not maliciously is class 1; computer harassment is class 1 | Computer fraud with value of property or services obtained $200 or more, class 5 felony; computer trespass with damages $2,500 or more caused by malicious act, class 6; Personal trespass by computer done maliciously is class 3 | No | Yes |
WASHINGTON | 9A.52.110, et seq. | Intentionally | Computer trespass in second degree is a gross misdemeanor | Computer trespass in first degree is class C felony | No | No |
WEST VIRGINIA | 61-3C-1, et seq. | Knowingly, willfully | Unauthorized access to computer services; unauthorized possession of computer data or programs having value under $5,000; disruption or denial of computer services; unauthorized possession of computer information; disclosure of computer security info; obtaining confidential public info.; computer invasion of privacy | Computer fraud and access to legislature computer; unauthorized possession of computer data or programs having value of $5,000 or more; alteration, destruction, etc. of computer equipment | Yes | Yes |
State | Code Section | Mental State Required for Prosecution | Misdemeanor | Felony | Attempt Proscribed | Civil Action |
---|---|---|---|---|---|---|
WISCONSIN | 943.70 | Willfully, knowingly | Offenses against computer data and programs class A misdemeanor; offenses against computers, computer equipment and supplies is class A misdemeanor | Offenses against computer data and programs is if offense is to defraud or obtain property, class I; if damage greater than $2500 or act causes interruption or impairment of govt operations or public utility or service, class D; if offense creates risk of death or bodily harm to another, class F; offense against computer, computer equipment or supplies is class I if offense is done to defraud or obtain property; class H if damage is under $2500; and class F if act creates risk of death or bodily harm to another | No | Aggrieved party may sue for injunctive relief |
WYOMING | 6-3-501, et seq. | Knowingly | Crime against computer equipment and supplies | Crimes against intellectual property (means data including programs); crimes against computer equipment and supplies if done with intent to scheme, defraud, or obtain property; crimes against computer users when value is above $750 | No | No |
Computer Crime
COMPUTER CRIME
Computerization significantly eases the performance of many tasks. For example, the speed and ability to communicate with people is fostered by the Internet, a worldwide network that is used to send communiqués and provide access to the world-wide web. But this same speed and ability to communicate also opens the door to criminal conduct. Computer crime plays a significant role in the criminal law of the information age. Accompanying the influx of computers is an increase in criminal acts and, as a result, an increase in the number of statutes to punish those who abuse and misuse this technology.
Computer crime, sometimes known as cyber-crime, is a serious concern. The crime can be perpetrated instantaneously and its effects can spread with incredible quickness. Furthermore, the ever-increasing use of computers, especially in serving critical infrastructure, makes computer criminality increasingly important.
There is an endless list of possible crimes that can occur through use of the Internet. For example, the Internet can be a medium used for committing hate crimes, pornography, consumer fraud, stalking, terrorism, theft of security or trade secrets, software piracy, economic espionage, and financial institution fraud. The threat of computer crime is underlined by the fact that a security organization such as the Federal Bureau of Investigation was forced to temporarily take down its Internet site in 1991 after an attack by hackers. Companies have been equally vulnerable and have incurred millions of dollars in damage due to the effect of certain viruses.
Misuse of the computer threatens individual and business privacy, public safety, and national security. There have been considerable efforts made by state, federal, and international governments to curb computer crime.
Categorizing computer-related crime
A precise definition of computer crime is problematic. This is because of the array of different forms and forums in which the crime may appear. A single category cannot accommodate the wide divergence of conduct, perpetrators, victims, and motives found in examining computer crimes. Adding to this confusion is the fact that computer crimes also can vary depending upon the jurisdiction criminalizing the conduct. The criminal conduct can be the subject of punishment under a state statute. There is also an odd mixture of federal offenses that can be used to prosecute computer crimes. But computer crimes are not just domestic. Because computers operate internationally, the definition of computer crime can be influenced by the law of other countries as well. Despite debate among leading experts, there is no internationally recognized definition of computer crime.
At the core of the definition of computer crime is activity specifically related to computer technologies. Thus, stealing a computer or throwing a computer at another person would not fall within the scope of the definition of computer crime in that these activities do not use the technology as the means or object of the criminal act.
Computers serve in several different roles related to criminal activity. The three generally accepted categories speak in terms of computers as communication tools, as targets, and as storage devices.
The computer as a communication tool presents the computer as the object used to commit the crime. This category includes traditional offenses such as fraud committed through the use of a computer. For example, the purchase of counterfeit artwork at an auction held on the Internet uses the computer as the tool for committing the crime. While the activity could easily occur offline at an auction house, the fact that a computer is used for the purchase of this artwork may cause a delay in the detection of it being a fraud. The use of the Internet may also make it difficult to find the perpetrator of the crime.
A computer can also be the target of criminal activity, as seen when hackers obtain unauthorized access to Department of Defense sites. Theft of information stored on a computer also falls within this category. The unauthorized procuring of trade secrets for economic gain from a computer system places the computer in the role of being a target of the criminal activity.
A computer can also be tangential to crime when, for example, it is used as a storage place for criminal records. For example, a business engaged in illegal activity may be using a computer to store its records. The seizure of computer hard drives by law enforcement demonstrates the importance of this function to the evidencegathering process.
In some instances, computers serve in a dual capacity, as both the tool and target of criminal conduct. For example, a computer is the object or tool of the criminal conduct when an individual uses it to insert a computer virus into the Internet. In this same scenario, computers also serve in the role of targets in that the computer virus may be intended to cripple the computers of businesses throughout the world.
The role of the computer in the crime can also vary depending upon the motive of the individual using the computer. For example, a juvenile hacker may be attempting to obtain access to a secured facility for the purpose of demonstrating computer skills. On the other hand, a terrorist may seek access to this same site for the purpose of compromising material at this location. Other individuals may be infiltrating the site for the economic purpose of stealing a trade secret. Finally, unauthorized computer access may be a display of revenge by a terminated or disgruntled employee.
In addition to computer crimes having several roles, the individuals who commit the crimes do not fit one description. The only common characteristic of the individuals committing these crimes is their association with a computer. The perpetrator of a computer crime could easily be a juvenile hacker, sophisticated business person, or terrorist. Likewise, the victims of computer crimes do not fit a specific category in that the spectrum of possible victims includes individuals, financial institutions, government agencies, corporations, and foreign governments.
Computer crimes often fit within traditional criminal law categories in that computers can be used to commit crimes such as theft, fraud, copyright infringement, espionage, pornography, or terrorism. In some instances, existing criminal categories adapt new terminology to reflect the computer nature of the crime. For example, cyberterrorism is used when the terrorist activity involves computers, and cyberlaundering relates to money laundering via computer. Trespass crimes take on a new dimension when the unauthorized access occurs in cyberspace. For example, in 2000, the website for the American Israel Public Affairs Committee was defaced by intruders who downloaded e-mail addresses and credit card numbers from the site.
Criminal conduct that may appear to have no connection with computers can, in fact, be affected by technology. For example, stalking presents itself as a serious concern growing from increased use of the Internet. Cyberstalking generally involves the stalking of a person via the Internet or other electronic communication. Access to personal information on the Internet makes cyberstalking particularly problematic. Recognizing the need to consider the effect of technology on crimes such as stalking, the Attorney General issued the "1999 Report on Cyberstalking: A New Challenge for Law Enforcement and Industry" that describes the efforts that law enforcement can take to deter this criminal activity. First Amendment concerns factor into whether these and other legal initiatives regarding computer crimes will withstand constitutional challenges.
Computer crimes do not always correlate with traditional descriptions of illegality. Some activities present unique forms of criminal conduct that bear no resemblance to common law or existing crimes. For example, computerization allows for new types of crimes, such as trafficking in passwords.
Other computer crimes may have a resemblance to traditional crimes but the conduct may not fit neatly into an existing category. For example, a "page-jacker" who misappropriates material from another individual's website may face criminal liability for a copyright violation. If the "page-jacker," however, manipulates a website to redirect individuals to his or her own website, it remains uncertain whether this fraudulent conduct fits within classic theft or fraud offenses. Specific computer crime statutes are tailored to meet these new forms of criminal conduct. The ability the Internet provides in accessing information with a degree of anonymity makes some crimes, such as identity theft, important priorities for the criminal justice system.
The technical and changing nature of computer technology can make it difficult for those who are drafting criminal statutes. The array of new terms and new meanings given to existing terms requires a certain level of expertise in order to understand the computer activity. Examples of simple words used in the context of computer activity are the terms "virus" and "worm." A federal court explained, "A 'worm' is a program that travels from one computer to another but does not attach itself to the operating system of the computer it 'infects."' This differs from a computer "virus," which does attach to the computer operating system that it enters (United States v. Morris, 928 F.2d 504, 505n.1 (2d Cir. 1991)).
Computer crime statutes
Legislation at both the federal and state level provide for the prosecution of computer crime. Although computer crimes can be prosecuted using federal statutes that are exclusively focused on computer crime, many prosecutors do not use these specific computer-related statutes. Instead, prosecutors often continue to use traditional criminal law statutes in computer crime prosecutions. Although computer crime laws develop to accommodate new forms of criminal activity, the law has moved relatively slowly in comparison to the rapid development of computer technology.
Federal statutes. At the forefront of federal computer-related offenses is the computer fraud statute, 18 U.S.C. § 1030. Initially passed in 1984 (Counterfeit Access Device and Computer Fraud and Abuse Act of 1984), the statute has been amended on several occasions, including a significant expansion of the statute in the Computer Fraud and Abuse Act of 1986.
This computer fraud statute prohibits seven different types of computer-related activity. These can basically be described as: (1) electronic espionage; (2) unauthorized access to financial institution information, information from a United States department or agency, or information from any protected computer involved in interstate or foreign commerce; (3) intentionally browsing in a government computer or affecting a government computer; (4) using the computer for schemes of fraud or theft; (5) transmitting programs that cause damage or accessing a protecting computer and causing damage; (6) interstate trafficking of passwords; and (7) extortion threats to a protected computer. The statute includes both felony and misdemeanor provisions with different penalties depending on the specific conduct. Additionally, 18 U.S.C. § 1030(g) includes a civil remedy for those damaged through violations of the statute.
The Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510 et. seq., 2701–2710) was initially enacted to criminalize eavesdropping. In 1986 Congress updated this privacy legislation so that it was not limited to conduct involving traditional wires and electronic communications. The EPCA now covers all forms of digital communications.
By providing privacy rights to Internet communications, the EPCA equips federal prosecutors with a tool for curbing criminal activity involving the Internet. This act allows prosecutors to proceed with criminal charges when a defendant compromises a victim's privacy rights by improperly accessing the victim's computer system. The ECPA details the statutory exceptions that are provided to system operators and to law enforcement. For example, where service providers can monitor traffic data on the system, they are precluded from reading material that is being transmitted over the Internet.
Another federal statute that permits prosecution of computer-related activity is the Economic Espionage Act (EEA). Passed by Congress in 1996, this act focuses on the protection of trade secrets. Trade secrets, a term defined in the statute, include an array of different types of information that have an actual or potential value and that an owner has "taken reasonable measures" to keep secret. The EEA offers trade secret protection to both businesses and the government. The significance of information to society, and the problems that are attached to protecting this information, make the EEA an important step in how the law can provide protection from computer crime.
The EEA includes statutes pertaining to both domestic and foreign trade secrets. The statute 18 U.S.C. § 1831 prohibits the misappropriation of trade secrets that benefit any foreign government. In contrast, 18 U.S.C. § 1832 prohibits the theft of domestic trade secrets. The EEA provides for extraterritorial application, allowing U.S. prosecutors to pursue cases that meet criteria set forth in the statute, despite the fact that the criminal activity may have occurred outside the United States. The EEA also permits forfeiture, such as forfeiture of computer equipment, as a possible penalty. In an effort to encourage businesses that are victims of a theft of trade secrets to cooperate in pursuing prosecution, the EEA attempts to preserve the confidentiality of the trade secret during the criminal prosecution.
The availability and dissemination of pornography is exacerbated by technology. The accessibility of pornography via the Internet is a concern of the Communications Decency Act of 1996 and the Child Pornography Prevention Act of 1996. The child pornography and luring statutes specifically include activities related to use of a computer (18 U.S.C. § 2251 et. seq., 18 U.S.C. § 2422(b)). These statutes and others have been added to the criminal code to provide additional protections to children. When reviewing these statutes, courts have the difficult task of determining the appropriate line between individual liberties, such as privacy and free speech, and criminal conduct.
Many federal statutes prohibit conduct in "technology-neutral" ways. These statutes permit prosecutors to proceed with the prosecution of criminal activity involving a computer without having to wait for lawmakers to create a specific computer-related crime. For example, the sale of drugs without a prescription can be prosecuted using a traditional drug statute, even though the activity occurs on the Internet (21 U.S.C. § 353(b)). Similarly, statutes prohibiting the sale, manufacture, or distribution of controlled substances present conduct in a "technology-neutral" way, permitting the use of existing statutes for the prosecution of these crimes (21 U.S.C. §§ 822, 829, 841). Improper gun sales on the Internet, likewise, may be prosecuted using existing gun commerce statutes (18 U.S.C. § 922).
Statutes that include the term "wires" as a means of committing the conduct may allow prosecutors to apply the statute to Internetrelated crimes. For example, a statute that includes the language "wire communication facility" to describe the means by which the criminal conduct occurs, is broad enough to encompass Internet-related crimes. This language is found, for example, in a sports gambling statute (18 U.S.C. § 1081). Thus, businesses conducting sports gambling over the Internet can be prosecuted using the traditional federal gambling laws (18 U.S.C. § 1084).
In the federal arena, one commonly finds computer-related conduct charged using existing statutes that are not uniquely worded to provide for prosecutions involving activity related to computers. Despite the absence of specific reference to computers, individuals engaged in computer-related activity are charged with crimes such as securities fraud (15 U.S.C. § 77q), money laundering (18 U.S.C. § 1956), fraud and related activity in connection with access devices (18 U.S.C. § 1029), and conspiracy (18 U.S.C. § 371).
Three statutes that do explicitly refer to computers that prosecutors continue to use in charging computer-related activity are wire fraud (18 U.S.C. § 1343), copyright infringement (17 U.S.C. § 506 (a)), and illegal transportation of stolen property (18 U.S.C. § 2314).
Wire fraud presents a generic statute that is easily adaptable to a wide array of criminal conduct. Schemes to defraud of "money or property" or the "intangible right to honest services" that use the wires in their furtherance are prohibited by the wire fraud statute (18 U.S.C. § 1343). For example, individuals selling fraudulent products over the Internet can be subject to prosecution under the wire fraud statute.
Software piracy and intellectual property theft are important issues of the information age. Because the Internet offers an easily accessible means for transmitting copyrighted material, these crimes have the effect of costing U.S. businesses substantial sums of money each year. Often prosecutors use the copyright infringement statute (17 U.S.C. § 506 (a)) in proceeding against individuals committing these crimes. The No Electronic Theft Act (P.L. 105–147), passed by Congress in 1997, extends the reach of criminal copyright law to specifically include electronic means as one method for committing the crime (17U S. C. § 501 (a) (1)). The act also expands the scope of the criminal conduct covered under this crime, allowing for prosecutions without a showing that the distributor of the copyrighted material profited from the activity.
Computer crimes also have been prosecuted under the National Stolen Property Act. This was particularly true prior to the passage of the specific computer-related statute, the Computer Fraud and Abuse Act (18 U.S.C. § 1030). The National Stolen Property Act prohibits certain described activities involving the illegal transportation of stolen property (18 U.S.C. § 2314). There are, however, specific statutory limitations that preclude this offense from being used widely to prosecute computer crimes.
State statutes. All states have enacted computer crime laws. These laws offer different coverage of possible computer criminality. In some instances the state law resembles provisions found in the federal Computer Fraud and Abuse Act. Some states incorporate computer activity into theft and criminal mischief statutes, while others provide laws addressing sophisticated offenses against intellectual property. Computer fraud, unauthorized access offenses, trade secret protection and trespass statutes also exist in some state codes. In some state statutes, there is explicit legislative recognition that the criminal activity is a problem in both the government and private sector.
A state may use different degrees of an offense to reflect the severity of the computer violation. For example, a state may penalize what it terms an aggravated criminal invasion of privacy, which carries a higher penalty than a privacy invasion that is not aggravated. Several states have included forfeiture provisions, which permit the forfeiture of computers and computer systems as a consequence of the illegal conduct. State statutes include civil relief, allowing individuals harmed by violations of the computer statute to sue civilly for damages. Realizing the skills necessary for investigating computer crime, a state may include provisions for the education of law enforcement officers as part of its efforts to combat criminal activity related to computers.
International initiatives
Computers can operate globally. Thus, the perpetrator of a computer crime can affect the computers of another country without leaving home. As stated by Attorney General Janet Reno, "[a] hacker needs no passport and passes no checkpoints." The global nature of the Internet raises a host of international questions, such as what should be considered computer crime and who will have the jurisdiction to prosecute such crime. There are also issues regarding how evidence necessary for a criminal prosecution may be obtained. Mutual assistance treaties between countries often assist in procuring necessary evidence from other countries that may be needed for a criminal prosecution within the United States.
Although the Internet operates internationally, there is no uniformly accepted set of international laws that criminalize computer misuse and abuse. Several international conferences and initiatives, however, have focused on computer crime.
The Council of Europe (COE), an international organization with more than forty member countries, has been at the forefront in promoting international cooperation regarding computer crime. Mutual assistance in the investigation of cybercrime is also a discussion topic of the Group of Eight (G-8) countries (United States, United Kingdom, France, Germany, Italy, Canada, Japan, and Russia). In May 1998, the G-8 countries adopted a set of principles and an action plan to combat computer crimes.
Other international initiatives also have considered computer-related issues. For example, consumer protection policies have been formulated through the Organization for Economic Co-operation and Development ("OECD"). Computer crime issues have also been discussed in international forums such as the Vienna International Child Pornography Conference. Additionally, the United Nations produced a manual on the prevention and control of computerrelated crime. The manual stresses the need for international cooperation and global action.
Agencies focused on computer crimes
The Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) are the agencies at the forefront of investigation and prosecution of computer crimes. Each of these entities has established separate bodies within the agency that concentrates on computer crimes. There are also interagency groups that focus on computer crimes. In some cases, private businesses are included as a part of the cybergroup. Since most of the victims of computer crimes are businesses, the FBI has stressed the importance of having close business cooperation in the investigation and prosecution of these crimes.
The National Infrastructure Protection Center (NIPC), established in 1998, focuses on protecting "critical infrastructures." The NIPC is an interagency body located within the FBI. The NIPC is divided into three sections: (1) the Computer Investigations and Operations Section (CIOS), which coordinates computer crime investigations; (2) the Analysis and Warning Section (AWS), which analyzes information and warns the government and private industry of possible system threats; and (3) the Training, Outreach and Strategy Section (TOSS), which provides training to law enforcement and out-reach to private businesses. In addition to the NIPC, the FBI has cybercrime programs in individual FBI offices.
The Computer Crime and Intellectual Property Section (CCIPS) of the DOJ is the prosecutorial body coordinating federal computer crime cases throughout the United States. Founded in 1991, CCIPS became a formal section of the DOJ in 1996. CCIPS assists federal prosecutors and law enforcement agents throughout the country. CCIPS works particularly closely with the assistant U.S. attorneys in the individual offices that are handling computer crime cases. Each U.S. attorney's office designates an assistant U.S. attorney, known as Computer and Telecommunications Coordinators (CTCs), to receive special training for the prosecution of computer crime cases.
The CCIPS also serves a key role in the national and international coordination of efforts to curb computer crimes. It is associated with the National Cybercrime Training Partnership (NCTP), a body that is focused on making certain that law enforcement receives adequate technical training to handle computer crimes. CCIPS also participates in discussions with international bodies such as the G-8 Subgroup on High-Tech Crime and the Council of Europe Experts Committee on Cybercrime.
Numerous other government agencies can play a role in the investigation of computer crimes. For example, if the computer activity involves bomb threats, the Bureau of Alcohol, Tobacco, and Firearms (ATF) may be involved in the investigation. The investigation of Internet fraud involving the mails may include the U.S. Postal Inspection Service. The U.S. Customs service may play a role in an investigation involving imported software, and the U.S. Secret Service is likely to be involved if the alleged crime is counterfeiting of currency. Likewise, Internet securities fraud may include individuals from the Securities and Exchange Commission (SEC) as part of the investigation team.
In some instances the government agency may have developed a particular group focused on computer activity. For example, in July 1998 the Securities and Exchange Commission created the Office of Internet Enforcement (OIE). A key focus of this body is Internet securities fraud. In addition to providing training, the OIE oversees the investigation of improper securities activity involving the Internet. The office also refers matters to other government agencies.
There are also study groups to consider approaches to eradicating computer crimes. On 5 August 1999, President Clinton issued Executive Order 13,133 establishing a working group to consider and make recommendations regarding the existence of unlawful conduct on the Internet. The report of the group, issued in March 2000, recommends a three-part approach for addressing unlawful conduct on the Internet. It calls for analysis through a "policy framework" of Internet regulation of unlawful conduct to assure consistency in the treatment of online and offline conduct and ensure the protection of privacy and civil liberties. It stresses the need for law enforcement funding, training, and international cooperation. It also calls for continued support from the private sector. A key focus of the report is the need to develop educational methods to combat computer crime.
The private sector has been included in many of the agency efforts to curtail computer crime. An example of a joint effort between the government and business is seen in the Cybercitizen Partnership, an alliance between high-tech industry and the government. As an aspect of this partnership, the government and private industry will share computer knowledge to achieve a more secure system. An aim of this partnership is to promote computer ethics and educate users.
In an effort to become more aware of computer crimes, the FBI and the National White Collar Crime Center established the Internet Fraud Complaint Center (IFCC). Established as a result of this partnership is a website that offers victims of Internet fraud a way to report Internet fraud online.
Government agencies have also been involved in educating consumers about computer abuses. For example, the Federal Trade Commission (FTC) uses the computer to alert and educate consumers and businesses on privacy and fraud issues that pertain to the Internet.
Privacy issues
Computers present new considerations for both substantive criminal law and criminal procedure. At the heart of many of the questions is the appropriate balance between privacy rights and necessary criminal investigation. It is particularly problematic with respect to computer crimes, since serious national security issues can arise when computers are misused.
The tension between the government's need to secure information to investigate criminal conduct and privacy concerns of individuals and businesses appears prominently in the debate concerning encryption. Encryption offers individuals and businesses the ability to protect the privacy of data being transferred on the Internet. Encryption is particularly useful in protecting trade secrets in the commercial market. Encryption, however, also can be used to avoid detection by individuals who are committing unlawful activities. By encrypting data, individuals can store data, transmit data, and harmfully use data for criminal purposes. The Department of Justice has expressed concern that securely encrypted material can undermine law enforcement efforts. Unlike law enforcement's ability to obtain court authorized wiretaps for information transmitted over the telephone, securely encrypted matter may preclude the government from using the material.
Conclusion
Computers add a new dimension to criminal law, presenting many issues for law enforcement. At the forefront of law enforcement concerns is the necessity to secure adequate training to combat these crimes. This requires additional resources. The technical sophistication needed to follow the "electronic trail" far surpasses traditional methods of investigation. In some cases data are encrypted, making it difficult for police authorities to discern the contents of the information. The detection of criminal conduct may also be hampered by the reluctance of entities to report an unauthorized computer access. Corporations may fear the negative publicity that might result as a consequence of their systems being compromised. In many cases, unauthorized computer access may go undetected by the individual or entity whose computer system had been invaded.
Equally challenging are the policy and legal issues. It is necessary to enact legislation that will sufficiently prohibit the abuses of new and developing technology. The speed with which technology develops makes this a continual concern. In some cases, the line between what will be considered criminal conduct and what will be civil remains uncertain. A common debate in discussions of business crimes is whether the activity is an aggressive business practice, or alternatively a crime. Further, issues of jurisdiction and enforcement power present special problems given that the Internet operates internationally. This can become particularly problematic when countries adopt different standards of what constitutes crime and different penalties for computerrelated criminal activity.
The Internet also presents national security concerns since computers serve instrumental roles in the delivery of emergency services, government operations, banking, transportation, energy, and telecommunications. As technology develops, the law needs to respond to these new developments to deter those who would abuse and misuse the new technology.
Ellen S. Podgor
See also Employee Theft: Behavioral Aspects; Employee Theft: Legal Aspects; Fear of Crime; Federal Criminal Jurisdiction; Police: Private Police and Industrial Security; Sex Offenses: Consensual; Stalking; Theft; White-Collar Crime: History of an Idea.
BIBLIOGRAPHY
Alexander, Kent B., and Wood, Kristin L. "The Economic Espionage Act: Setting the Stage for a New Commercial Code of Conduct." Georgia State University Law Review 15 (1999): 907–939.
Baker, Glenn D. "Trespassers Will Be Prosecuted: Computer Crime in the 1990s." Computer Law Journal 12 (1993): 61–100.
Branscomb, Anne W. "Rogue Computer Programs and Computer Rogues: Tailoring the Punishment to Fit the Crime." Rutgers Computer and Technology Law Journal 16 (1990): 1–61.
Charney, Scott, and Alexander, Kent. "Computer Crime." Emory Law Journal 45 (1996): 931–957.
Goodman, Marc D. "Why the Police Don't Care About Computer Crime." Harvard Journal of Law & Technology 10 (1997): 465–495.
Hatcher, Michael; McDannell, Jay; and Ostfeld, Stacy. "Computer Crimes." American Criminal Law Review 36 (1999): 397–444.
Lederman, Eli. "Criminal Liability for Breach of Confidential Commercial Information." Emory Law Journal 38 (1989): 921–1004.
Nimmer, Raymond T. The Law of Computer Technology, 2d ed. Boston: Warren Gorham Lamont, 1992. Pages 12-1–12-50.
Parker, Donn B. Fighting Computer Crime. New York: Wiley Computer Publishing, 1998.
Perritt, Henry H., Jr.; Charney, Scott; and Miller, Gregory P. "Computer Crimes Now on the Books: What Do We Do from Here?" Temple Law Review 70 (1997): 1199–1226.
Podgor, Ellen S., and Israel, Jerold H. "Computer Crimes." In White Collar Crime in a Nutshell. St. Paul, Minn.: West Publishing Co., 1997. Pages 236–242.
Reno, Janet. "Keynote Address by U.S. Attorney General Janet Reno on High Tech and Computer Crime." (Presented before the meeting of the P–8 Senior Experts' Group on Transnational Organized Crime, January 21, 1997, Chantilly, Virginia).
Whitley, Joe D., and Jordan, William H. "Computer Crime." In White Collar Crime: Business and Regulatory Offenses. Vol. 2. Edited by Otto G. Obermaier and Robert G. Morvillo. New York: Law Journal Press, 1999. Pages 21-1–21-43.
Wise, Edward M. "Computer Crime and Other Crimes Against Information Technology in the United States." In International Review of Criminal Law 64. Toulouse, France: Association Internationale De Droit Penal, 1992. Pages 647–669.
INTERNET RESOURCES
For information on the protection of critical infrastructure, see the website of the National Infrastructure Protection Center (http://www.nipc.gov).
For information on international issues regarding computer crimes, see the U.N. Crime and Justice Information Network (http://www.uncjin.org).
For information on U.S. enforcement of computer crimes, see the Computer Crime and Intellectual Property section of the Criminology Division of the U.S. Department of Justice (http://www.usdoj.gov/criminal/cybercrime).
For information on cyberstalking, see the website of the U.S. Department of Justice (http://www.usdoj.gov/criminal/cybercrime/cyberstalking.htm).
Computer Crimes
Computer Crimes
DEFINITIONS
The U.S. Department of Justice (DOJ), in its manual on computer crime, defines such crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." Being very broad, the definition, dating to 1989, remains valid. In its elaborations on the subject, DOJ divides computer crime into three categories: 1) crimes in which computer hardware, peripherals, and software are the target of a crime; the criminal is obtaining these objects illegally; 2) crimes in which the computer is the immediate "subject" or "victim" of a crime, i.e., the crime consists of attacks on a computer or a system, destruction or disrupting of which is the damage caused; and 3) crimes in which computers and related systems are the means or "instrument" by which ordinary crimes are committed, such as theft of identities, data, or money or the distribution of child pornography.
Computer Crime: Broad Focus
The first category is part of computer crime no doubt because computers are still surrounded by a halo of novelty. In the course of time, the theft of computers or software will no more be remarked upon than the theft of groceries or horses (e.g., "grocery crime" or "horse crime.") In the third category the computer is the principal means of obtaining other things and is thus analogous to "armed" robbery—where a weapon is the means of achieving the criminal end. The rapid spread of computers and computer systems, interconnected by wired or wireless means, has opened a new field in which criminals could operate. But all the crimes covered by the third category existed before computers.
Computer Crime: Narrow Focus
The second of DOJ's categories is the one most people associate with computer crime and also with "computer annoyance" in the form of "spam." These disruptions began innocently enough. The first virus, known as Elk Clone, was written by Rich Skrenta as a boy in the 9th grade around 1982. The virus resided on an Apple II disk and, on the 50th booting of the computer with that disk, displayed a little poem, entitled "Elk Cloner: the program with a personality," which said in part: It will get on all your disks / It will infiltrate your chips / Yes it's Cloner! Rich Skrenta has, since, gone on to become the co-founder and CEO of Topix.net, an Internet news service. Viruses have differentiated into other categories. Major forms and definitions are listed below as outlined by Ryan P. Wallace and associates writing in American Criminal Law Review:
- Viruses. These are programs that modify other computer programs so that they carry out functions intended by the creator of the virus. The Melissa Virus, for example (March 1999), disrupted e-mail service around the world.
- Worms. Worms have the functionality of viruses but spread by human action by way of the Internet hitch-hiking on mail.
- Trojan horses. As their name implies, these intruders pretend to be innocent programs. Users are persuaded to install something innocent-seeming on their computer. The Trojan horse then activates a more destructive program embedded in the innocent code.
- Logic bombs. Are destructive programs activated by some event or a specific date or time. Elk Cloner fit this category because it activated its message on the 50th booting of a disk. The same concept is used legally by companies that distribute time-limited samples of their software. The software disables itself after the passage, say, of 30 or 60 days.
- Sniffers. These are legitimate programs used to monitor and analyze networks. They can be deployed in a criminal fashion to steal passwords, credit card information, identities, or to spy on network activity.
- Distributed denial of service attacks. Such attacks are directed at Web sites by illegitimately causing multiple computers to send barrages of connection requests to the target site, thus causing it to crash.
The "Hacker"
The term "hacker" came to be applied to computer hobbyists who spent their spare time creating video games and other basic computer programs. The term acquired negative connotations in the 1980s when computer experts illegally accessed several high-profile databanks. Databases at the Los Alamos National Laboratory (a center of nuclear weapons research) and the Sloan-Kettering Cancer Center in New York City were among their targets. Access to systems by telephone linkage from any computer increased such attacks. Over time, the "hacker" label came to be applied to programmers and disseminators of viruses. The public perception of hackers continues to be that of a lone expert with a taste for mischief. But "hacking" has come to encompass a wide range of computer crimes motivated by financial gain. Indeed, the vital information kept in computers has made them a target for corporate espionage, fraud, and embezzlement efforts. With the growing sophistication in computer security programs and law-enforcement efforts has come the insight that many apparent "hacker" attacks come from well-informed insiders intent on spoil or, occasionally, on vengeance.
Spam
Since the spread of the Internet, "spam" has acquired the meaning of "unsolicited e-mail." Spam came under relatively mild regulation with the passage of the Controlling the Assault of Non-Solicited Pornography and Marketing Act, also officially called the CAN-SPAM Act of 2003 (Public Law 108-197). It became effective in December of 2003 and took effect on January 1, 2004. The Act requires that senders of unsolicited commercial e-mail label their messages, but Congress did not require a standard labeling language. Such messages are required to carry instructions on how to opt-out of receiving such mail; the sender must also provide its actual physical address. Misleading headers and titles are prohibited. Congress authorized the Federal Trade Commission to establish a "do-not-mail" registry but did not require that FTC do so. CAN-SPAM also prevents states from outlawing commercial e-mail or to require their own labeling. Since 2003 other bills have been proposed but have not been enacted.
In effect, based on the provisions of CAN-SPAM, spam is not a computer crime unless, according to U.S. Code, Title 18, No. 1037, violation is committed "in furtherance of any felony under the laws of the United States or of any State." Despite its legal status, spam is both a major annoyance and extracts a cost. According to Ryan P. Wallace et. al., "Estimates put the total cost of spam to American businesses in 2003 at more than $10 million in lost productivity and anti-spam measures."
INCIDENCE AND COSTS
The FBI Survey
As reported by the Federal Bureau of Investigation in its 2005 FBI Computer Crime Survey, 64.1 percent of 2,066 companies surveyed reported some kind of computer crime incident in 2005 resulting in financial loss; all told, 5,389 incidents were reported. Small businesses were well-represented in the survey: more than half of the respondents (51.2 percent) had a range of 10 to 99 employees. Responding organizations experienced 2.75 incidents on average. Half of the respondents had 1 to 4 incidents, 19 percent had 20 or more incidents, the rest fell in between. Large organizations tended to have the most incidents.
The total cost of incidents reported by this group of companies was $31.7 million. The largest losses, amounting to $12 million, were associated with viruses, worms, and Trojan horses. The next four categories, in order, were thefts of laptops, desktops, and personal digital assistants ($3.5 million), financial fraud ($3.2 million), and network intrusion ($2.6 million). The smallest category, with a cost of $52,500, was Web-site defacement.
As already stated, slightly over 64 percent experienced financial losses. The FBI extrapolated this result to the nation as a whole but intentionally made its assumptions conservative. The agency assumed that only 20 percent of a total population of 13 million companies would have experienced losses rather than 64 percent, as in its sample. The downward shift was in part based on the likelihood that respondents to the FBI survey may have done so because they were more aware of problems through experience. But the FBI also recognized that actual victimization rate may have been much higher than the 20 percent assumed. In any case, the conservative assumption used produced a total loss for the nation of $67.2 billion in 2005.
The CSI/FBI Survey
The Computer Security Institute (CSI) describes itself as "the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional." With FBI cooperation, CSI has been conducting the CSI/FBI Computer Crime and Security Survey every year for a decade; its 2005 survey was the tenth. It is both a smaller and a larger survey than the FBI survey summarized above in that it looks at fewer but larger organizations. In 2005 CSI surveyed 699 organizations; these included governmental entities and universities as well as businesses; only 20 percent of survey respondents were organizations in the 1 to 99 employee category. Ninety-one percent of respondents reported financial losses; these amounted to $130.1 million (over against $31.7 million by 2006 organizations in FBI's 2005 survey). CSI made no attempt to extrapolate its loss figure to the nation as a whole.
The pattern of losses reported in the CSI/FBI survey shows up some interesting differences. The top loss category was also from viruses ($42.8 million); second ranked was unauthorized access ($31.2 million); third was theft of proprietary information ($30.9 million). These three categories accounted for 80.6 percent of all damages.
Only 20 percent of respondents reported incidents to law-enforcement agencies, an all-time low level already reached in 2004. The principal reasons given for not reporting incidents was that such information, reaching the public, would hurt stock price or aid competitors. Based on the survey results, "inside jobs" are as frequent as attacks by hackers or criminals from the outside.
INTERNAL AND EXTERNAL THREATS
Andrew Harbinson, an expert in computer crime working for Ernst & Young in Ireland wrote recently in Accountancy Ireland that for every external attack there are 3 or 4 attacks on the inside. "This is for obvious enough reasons," wrote Harbinson. "To carry out a crime you need knowledge, motive and opportunity. An outsider may have a lot of motive and a degree of knowledge (depending on the internal security of the network) but an insider is likely to have all three." Harbinson also finds it notable that "in some surveys in the last couple of years the proportion of internal to external frauds has miraculously 'flipped,' with external frauds now stated as being more common." The most likely reason for this, in Harbinson's view, is a new regulatory climate produced by scandals like those involving Enron and Worldcom. "Companies are much more reluctant to admit to fraud, as to do so might have regulatory consequences. It is a matter of some concern that, instead of dealing with such issues, most companies appear to want to sweep them under the carpet." The CSI/FBI survey discussed above appears to substantiate this view by showing a decline in the reporting of such incidents in order to protect the stock price.
SECURITY MEASURES
Computer security is concerned with preventing information stored in or used by computers from being altered, stolen, or used to commit crimes. The field includes the protection of electronic funds transfers, proprietary information (product designs, client lists, etc.), computer programs, and other communications, as well as the prevention of computer viruses. It can be difficult to place a dollar value on these assets, especially when such factors as potential loss of reputation or liability issues are considered. In some cases (e.g., military and hospital applications) there is a potential for loss of life due to misplaced or destroyed data; this cannot be adequately conveyed by risk analysis formulas.
The question most companies face is not whether to practice computer security measures but how much time and effort to invest. Fortunately, companies looking to protect themselves from computer crime can choose from a broad range of security options. Some of these measures are specifically designed to counter internal threats, while others are shaped to stop outside dangers. Some are relatively inexpensive to put in place, while others require significant outlays of money. But many security experts believe that the single greatest defense that any business can bring to bear is simply a mindset in which issues of security are of paramount concern.
Protection from Internal Threats
Whereas big corporations typically have entire departments devoted to computer system management, small businesses often do not have such a luxury. But common-sense measures that can be taken by managers and/or system administrators to minimize the danger of internal tampering with computer systems include the following:
- Notify employees that their use of the company's personal computers, computer networks, and Internet connections will be monitored. Then do it.
- Physical access to computers can be limited in various ways, including imposition of passwords; magnetic card readers; and biometrics, which verify the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, neural networks (the pattern of nerves in the face), DNA fingerprinting, retinal imaging, or voice recognition. More traditional site control methods such as sign-in logs and security badges can also be useful.
- Classify information based on its importance, assigning security clearances to employees as needed.
- Eliminate nonessential modems that could be used to transmit information.
- Monitor activities of employees who keep non-traditional hours at the office.
- Make certain that the company's hiring process includes extensive background checks, especially in cases where the employee would be handling sensitive information.
- Stress the importance of confidential passwords to employees.
Protection from External Threats
Small businesses also need to protect their systems against outside attack. Firewalls may be expensive but may be worth the cost. The single greatest scourge from the outside are viruses of one kind or another. Business owners can do much to minimize this threat by heeding the following basic steps:
- Install and use anti-virus software programs that scan PCs, computer networks, CD-ROMs, tape drives, diskettes, and Internet material, and destroy viruses when found.
- Update anti-virus programs on a regular basis.
- Ensure that all individual computers are equipped with anti-virus programs.
- Forbid employees from putting programs on their office computers without company approval.
- Make sure that the company has a regular policy of backing up (copying) important files and storing them in a safe place, so that the impact of corrupted files is minimized. Having a source of clean (i.e., uninfected by viruses) backup copies for data files and programs is as important as it is elementary.
A variety of sources exist to assist small business owners with virus protection and Internet security measures. For example, several Web sites provide free virus warnings and downloadable antivirus patches for Web browsers, including www.symantec.com/avcenter and www.ciac.org. The Computer Security Institute provides annual surveys on security breaches at www.gocsi.com. Another useful resource is the National Computer Security Association (www.ncsa.com), which provides tips on Internet security for business owners and supplies definitions of high-tech terms.
Small businesses seeking to establish Internet security policies and procedures might begin by contacting CERT. This U.S. government organization, formed in 1988, works with the Internet community to raise awareness of security issues and organize the response to security threats. The CERT web site (www.cert.org) posts the latest security alerts and also provides security-related documents, tools, and training seminars. Finally, CERT offers 24-hour technical assistance in the event of Internet security breaches. Small business owners who contact CERT about a security problem will be asked to provide their company's Internet address, the computer models affected, the types of operating systems and software used, and the security measures that were in place.
HARDWARE THEFT
Although computer viruses and theft of information pose the greatest financial threats to large organizations, loss of hardware by simple thievery is the second-ranking loss category for small business. Common-sense measures such as supervising entrances and locking up easily transported equipment at night are obvious enough. Many laptops are lost to thieves-of-opportunity who, standing in an unattended lobby, see a laptop on a desk while distantly laughter sounds from an office birthday party.
Business travelers, of course, must keep a close eye on their notebook and laptop computers. The allure of portables is so great that thieves sometimes work in teams to get their hands on them. Airports and hotels are favorite haunts of thieves. Security experts counsel travelers to be especially vigilant in high-traffic areas, to carry computer serial numbers separately from the hardware, and to consider installing locks, alarms, or tracking software.
see also Internet Security
BIBLIOGRAPHY
Federal Bureau of Investigation. 2005 FBI Computer Crime Survey. Available fromwww.fbi.gov/publications/ccc2005.pdf. Retrieved on 28 January 2006.
Gordon, Lawrence A., Martin P. Loeb, William Lucyshyn, and Robert Richardson. 2005 CSI/FBI Computer Crime and Security Survey. Computer Security Institute. Available from www.gocsi.com. Retrieved on 29 January 2006.
Gibson, Stan. "Hacking: It's a Mad, Mad, Mad New World." eWeek. 1 January 2001.
Harbinson, Andrew. "Understanding Computer Crime: A Beginner's Guide." Accountancy Ireland. August 2005.
Karp, Josh. "Small Businesses Often Target of Cybercrime; Lack of IT Expertise Leads to Vulnerability." Crain's Chicago Business. 19 February 2001.
Morgan, Lisa. "Be Afraid … Be Very Afraid—Malicious Attacks Are on the Rise, and Trends Are Harder to Predict." Internet Week. 8 January 2001.
Rich Skrenta Home Page Available from http://www.skrenta.com/. Retrieved on 28 January 2006.
Wallace, Ryan P., Adam M. Lusthaus, and Jong Hwan Kim. "Computer Crimes." American Criminal Law Review. Spring 2005.
U.S. Department of Justice. National Institute of Justice. Computer Crime: Criminal Justice Resource Manual. 1989.
Hillstrom, Northern Lights
updated by Magee, ECDI
Computer Crime
COMPUTER CRIME
According to the U.S. Uniform Crime Reporting Statistics, by 2000 more than 300 million users around the globe accessed the World Wide Web. Of those, at least 1 million were engaged in illegal Internet activities (computer crime or "cyber-crime"). Cyber-crimes include Internet-related forgery, embezzlement, fraud, vandalism, and the disposal of stolen goods. The potential threat to the overall development of e-commerce was serious—so much so that online security expenditures were expected to double to $30 billion in 2004.
The Computer Crime and Security Survey, issued by the Computer Security Institute (CSI) and the FBI, reported that 85 percent of the 538 firms and governmental institutions surveyed found security breaches in 2000. Sixty-five percent admitted that such breaches had caused financial losses. The 186 respondents willing to quantify their losses claimed they totaled $378 million, a 42-percent increase from 1999 and the highest amount recorded since the surveys began in 1995. Seventy percent cited their Internet connections as the source of security problems.
Perhaps 80 percent of all computer-related crimes result from insider attacks, sometimes perpetrated by recently laid-off employees with still-active computer accounts. Fraud and forensic experts reported that organized crime and terrorist groups recruit telecommunications workers to use telephone networks to commit fraud, piracy, and money laundering.
DEFINITIONS
Computer crime includes traditional criminal acts committed with a computer, as well as new offenses that lack any parallels with non-computer crimes. The diversity of offenses renders any narrow definition unworkable. The U.S. Department of Justice (DOJ) broadly defines computer crimes as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." Accurate statistics on the extent of this phenomenon have proven to be elusive because of the difficulty in adequately defining computer crimes. The statistics also are untrustworthy due to victims' failure to report incidents. The aggregate annual losses to businesses and governments are estimated to be in the billions of dollars.
Some of the most notorious computer crimes have involved computer viruses, such as the Melissa virus that appeared on the Internet in March 1999 and infected systems in the United States and Europe, and the February 2000 distributed denial of service (DDS) attacks on several leading commercial Web sites including Yahoo!, E*Trade, Amazon.com, and eBay.
Cyber-crimes are frequently grouped into three categories. The first are those in which the computer comprises the "object" of a crime and in which the perpetrator targets the computer itself. This includes theft of computer processor time and computerized services. The second category involves those in which the computer forms the "subject" of a crime, either as the physical site of the offense or as the source of some form of loss or damage. This category includes viruses and related attacks. Finally, the third category includes those in which the computer serves as the "instrument" used to commit traditional crimes in cyberspace. This encompasses offenses like cyber-fraud, online harassment, and child pornography.
Though teenage hackers and underage, e-fraud perpetrators have captured headlines, no "typical" cyber-criminal exists. Perpetrators also commit cyber-crimes for a variety of reasons. Motives range from a desire to showcase technical expertise, to exposing vulnerabilities in computer security systems, retaliating against former employers, or sabotaging government computer systems.
TYPES OF COMPUTER CRIMES
Distributed denial of service attacks rank among the most widely reported cyber-crimes. They first appeared in mid-1999 and are relatively easy to perpetrate. Many of the tools required to carry them off are freely available online. Often, DDS attack networks consist of hundreds of compromised systems. The attacker inaugurates the attack sequence from one or more consoles, and it can affect thousands of systems worldwide.
Virus programs infect computer files by inserting copies of themselves into those files; they are spread from host to host when users transmit infected files by e-mail, over the Internet, across a company's network, or by disk. The Melissa Virus interrupted e-mail service around the world when it was posted to an Internet newsgroup on March 26, 1999, affecting perhaps 100,000 users and one-fifth of all U.S. businesses. Related problems include worms, which can travel within a computer or network without a user transmitting files; trojan horses, which are disguised as innocuous files but which, once activated, can steal users' login names and passwords, thus facilitating identity theft; and logic bombs, programs activated by a specific event.
Two reports issued by the CIA's National Intelligence Council and the Center for Strategic and International Studies in December 2000 predicted that, during the first two decades of the 21st century, Internet-enabled terrorists would launch attacks on the United States with computer viruses and logic bombs in an attempt to destroy America's private-sector infrastructure. The reports also envisioned a future cyber-arms race, for which the United States would need to develop a "cyber-arsenal."
The Internet facilitates terrorism by permitting virtually anonymous communication among terror-ists—transmissions that are very difficult to track and intercept. The targets of cyber-terrorists could include air-traffic systems and stock exchanges. Hackers even have successfully broken into governmental systems and launched denial-of-service attacks, such as the 2000 hacker penetration of a printer at the U.S. Navy's Space and Naval Warfare Center that resulted in the transmission of potentially sensitive information to a server in Russia. In 1994, hackers breached the Air Force's main command and control research center. The following year, the Pentagon reported 250,000 attacks on its computers, with 65 percent resulting in computer network entry.
Other widely publicized computer crimes involved online fraud, such as stock scams and securities fraud via the Internet. The Securities and Exchange Commission (SEC), which receives about 300 complaints a day concerning online scams, devotes one-fourth of its enforcement staff to computer-related offenses. Theft of online content also is common. A Software & Information Industry Association study maintained that one-third of all business software applications in use in 1999 were pirated copies. And the Internet has made the distribution of information obtained in identity thefts, such as a person's name or social security number, much quicker and easier. The dissemination of child pornography online also has garnered widespread public and law-enforcement attention. Other offenses, such as stalking victims via the Internet, have only recently begun to be addressed.
ANTI-CYBER-CRIME LEGISLATION
Approximately 40 federal statutes govern the prosecution of computer-related crimes. Among the most prominent are the Copyright Act, the National Stolen Property Act, mail and wire fraud statutes, the Electronic Communications Privacy Act, the Communications Decency Act of 1996, the Child Pornography Prevention Act, and the Child Pornography Prevention Act of 1996.
Congress recognized computer-related crimes as discrete federal offenses with the 1984 passage of the Counterfeit Access Device and Computer Fraud and Abuse Law, which was revised four times in the following decade. This law narrowly protected classified U.S. defense and foreign relations information, files of financial institutions and consumer reporting agencies, and access to governmental computers.
Congress enacted another major anti-cyber-crime law in 1996, the National Information Infrastructure Protection Act (NIIPA). NIIPA broadened the scope of protection offered by the Computer Fraud and Abuse Law by covering all computers attached to the Internet and, therefore all computers used in interstate commerce. It also criminalized all unauthorized access of computer files in order to transmit classified government information; intentional access of U.S. department or agency non-public computers without permission; and accessing protected computers, without or beyond authorization, to defraud and obtain something of value.
The Copyright Act covers computer-related copyright infractions, such as software piracy. The act provides criminal remedies for any intentional infringement of a copyright perpetrated for commercial advantage or private financial gain. Given the ease and anonymity of nearly identical reproductions made of online intellectual property, such as software, digitized text, and audio and visual files—and the ability to disseminate those copies worldwide—many see copyright as an increasingly costly cyber-crime offense. Traditional exceptions to copyright privileges, such as "fair use" and the "right of first sale," may be eroded under evolving copyright protection laws in cyberspace. Digital intellectual property rights also are regulated by the No Electronic Theft Act of 1996, which criminalizes the electronic reproduction and dissemination of copyrighted material.
The National Stolen Property Act (NSPA) has been extended to cover the fraudulent transfer of funds online, as well as the theft of tangible hardware. The courts have determined that federal mail and wire fraud statutes, which outlaw the use of interstate wire communications or the mail to defraud persons of money or property, also can apply to computer-aided theft. However, the case law on this point is still evolving.
One of the most controversial areas of cyber law, the extent of online privacy protection, was addressed in the Electronic Communications Privacy Act of 1986 (ECPA). ECPA has been utilized to prosecute computer hacking, since it strengthens the privacy rights of computer users and permits law enforcement to use electronic surveillance when investigating computer crimes. ECPA also has been used in cases of the theft of encrypted, satellite-transmitted television broadcasts.
The problem of online child pornography spawned several laws intended to block the online transmission of pornographic material to minors. Congress passed the Communications Decency Act of 1996 (CDA, also Title V of the Telecommunications Act of 1996), which prohibited the transmission of "indecent," "patently offensive," and "obscene" material to minors over the Internet. However, the Supreme Court invalidated certain sections of the DCA in Reno v. American Civil Liberties Union, stating that they infringed the First Amendment protection of free speech.
In response, Congress passed the Child Online Protection Act, which penalized any commercial Web site that allowed children to access content that was "harmful to minors." By summer 2001, this act was challenged on First Amendment grounds in a U.S. circuit court. The Internet's role in the production and dissemination of child pornography also is addressed by the Child Pornography Prevention Act of 1996 (CPPA), intended to criminalize the production, distribution, and reception of computer-generated, sexual images of children. The CPPA has survived constitutional challenges in court.
Despite the plethora of anti-cyber-crime laws, few cases have been adjudicated under them. This is due to the reluctance of victims to lodge suits, the difficulty of gathering evidence and identifying perpetrators in cyberspace, the desire of many victims to pursue matters privately, and the fact that many such incidents were prosecuted under state, rather than federal, laws. Prosecution of cyber-crime raises several difficult constitutional dilemmas. Among these are Fourth Amendment concerns about the legality of the search and seizure of computer records and software, First Amendment concerns about freedom of speech, and general questions about the extent of citizens' online privacy.
Since 1978, the states also have addressed cyber-crimes in their own legislation, with Arizona and Florida being the first to do so. Every state has some such legislation on the books. The states have taken the lead in specifically addressing some forms of cyber-crime, such as online harassment. However, the expansion of state computer crime legislation also generates conflicts between federal and state authorities regarding cyber-crime prosecution.
ENFORCEMENT AGENCIES
Despite the relative infrequency of cyber-crime prosecutions to date, the U.S. government has backed numerous initiatives to encourage and invigorate prosecution efforts. In 1995, the Federal Bureau of Investigation (FBI) launched its "Innocent Images" probe to track down online child pornography. By March of 1999, the effort had resulted in more than 200 convictions. The FBI also hosts computer crime teams in its 56 field offices and organized the Infrastructure Protection and Computer Intrusion Squad (ICPIS) in Washington D.C., which constitutes a national investigative body and resource on cyber-crime. The FBI's InfraGard program fosters cooperation between federal law enforcement officials and the private sector. InfraGard maintains a secure Web site so businesses can alert law enforcement agencies about suspicious network activity or attacks.
The DOJ addresses computer crime through its Computer Crime and Intellectual Property Section (CCIPS), founded in 1991. Among other duties, CCIPS enforces the NET Act and collaborates with assistant U.S. attorneys around the country to target cyber-crimes. Other sections of the DOJ's Criminal Division target e-crime within their areas of particular concern, such as fraud, child exploitation and obscenity, and terrorism and violent crime.
The Electronic Crimes Task Force (ECTF) forms a central clearinghouse dedicated to computer-related crimes for all local, state, and national law enforcement. Based in New York City, it is headed by the U.S. Secret Service and cooperates with selected partners from private industry. ECTF has successfully cracked large drug cartels, organized crime groups, and individual hackers. The ECTF also generated the precedent for e-mail wiretapping when it arrested 44 members of the John Gotti Jr. crime group for telecommunications fraud.
The DOJ, FBI, Department of Defense, and members of business also cooperate in the National Infrastructure Protection Center (NIPC), created in 1998 to aid in the enforcement of existing anti-cyber-crime laws and to foster cooperation among public-and private-sector prosecution efforts. The NIPC focuses on identifying viruses, issuing warnings, and locating cyber-criminals.
Another government and industry collaboration is the Computer Emergency Response Team (CERT) Coordination Center, dedicated to detecting, disseminating information about, and disabling computer viruses. CERT, part of the Software Engineering Institute (SEI), a publicly and privately funded research and development center, was founded in 1988. CERT has combated more than 17,000 different viruses.
The September 11, 2001 terrorist attacks on the World Trade Center and the Pentagon threw into high relief the vulnerability of the United States to terrorist incursions. In response, the Bush administration authorized the creation of a new, cabinet-level National Homeland Security Agency (NHSA), which had been originally proposed in a series of recommendations by the U.S. Commission on National Security in January 2001. NHSA's responsibilities would include coordinating government and private sector efforts to protect the nation's critical infrastructure from cyber and physical attacks. Additional measures under discussion were the expansion of enforcement authority to investigate money laundering, control borders, detain immigrants, and to wiretap phones and screen e-mails without a warrant. Authorities also could use techniques such as data-mining programs to locate terrorists in cyberspace. Such efforts will build on the emerging field of computer forensics, which dissects storage media to find evidence via specialized software and techniques. One such tool is an IP filter, which uses fuzzy logic to track down e-mail addresses and URLs associated with Internet use.
INTERNATIONAL COMPUTER CRIME
Since the Internet is not limited by geography, crimes committed in cyberspace can easily achieve global dimensions. Systems can be accessed from anywhere in the world, and locating perpetrators is difficult. Many computer fraud and embezzlement schemes target international financial networks. Organized crime groups can utilize information technology to evade identification and carry out drug trafficking and money laundering on a global scale. Questions of jurisdiction and apprehension become much more complicated in international cyberspace.
Estimates place annual business losses to cyber crime at roughly $1.5 billion. Many hackers are based in countries far from those they affect. For example, the author of the Love Bug virus that affected the United States was located in the Philippines. Many authorities suspect that organized "cyber-crime gangs" frequently originate in developing countries, such as the former Soviet republics where computer-crime laws are lax and enforcement is haphazard.
Individual countries vary widely in the legal approaches they have taken to regulating the Internet. Some strictly observant Islamic nations have tried to contain the dissemination of information online, which they view as containing messages potentially harmful to their populaces. Germany has tried to restrict Web sites containing Neo-Nazi content. China installed firewalls to prevent its citizens from accessing unauthorized sites, and Burma bans Internet access completely.
Britain has led in the passage of legislation designed to combat "cyber-terrorism." In February 2000 it passed the British Terrorism Act, which includes in its ban on terrorist groups those who disrupt hospitals or power supplies by hacking into computer systems. A revision of the Regulation of Investigatory Powers Act gives police broad access to e-mail and other online communications.
The Council of Europe's proposed cyber-crime treaty, the initial draft of which was released in April 2000, generated the most controversy of any international cyber legislation proposed to date. It spans a broad spectrum of cyber-crimes from copyright infringement to online terrorism. The treaty seeks to harmonize European criminal laws regarding data interception, interference, and online fraud. Any member nation's enforcement authorities would be granted online entry to any other state in order to pursue a cyber-crime investigation. Governments also could also employ new powers on wiretapping, real-time collection of traffic data, and the search and seizure of digital information. Opponents worry that the treaty ignores individual civil liberties and intellectual property rights. Many U.S. business and governmental officials also oppose adoption of the treaty in its proposed form.
Finally, the global interconnection of computer systems fostered a push for international cooperation to combat computer-related crimes. In 1998 Britain, Canada, France, Germany, Italy, Japan, Russia, and the United States agreed to coordinate efforts to investigate and prosecute cyber-crimes. Among the solutions under debate was an international treaty to standardize domestic cyber-crime laws. Thorny topics include the extent to which governments should allow the free movement of data encryption, which protects the electronic information from compromise but also can be used by criminals to shield their activities. Increased government surveillance of online communications is criticized by privacy advocates and members of various ethnic and racial groups, who feel that it constitutes a form of illegal profiling. The regulation of content, which might suppress hate speech or child pornography, faces obstacles from proponents of free expression.
FURTHER READING:
Brooke Paul. "DDoS: Internet Weapons of Mass Destruction." Network Computing. January 8, 2001.
Chen, Christine; and Greg Lindsay. "Viruses, Attacks, and Sabotage: It's a Computer Crime Wave." Fortune. May 15, 2000.
Chin, Woo Siew. "Insight into Cyber Terrorism." New Straits Times. October 3, 2001.
"Cybercrime: Community Accession to an International Convention." European Report. March 21, 2001.
Fletcher, Charlie. "ID Thievery is On the Rise." Catalog Age. June 2000.
Gantz, John. "Take a Bite Out of Crime on the Web." Computerworld. February 19, 2001.
Gittlen, Sandra. "World Organizations Urge Sharing of Security Info." Network World. October 23, 2000.
Godwin, Mike. "Save the Children." American Lawyer. Au-gust, 2001.
Grosso, Andrew. "The Promise and Problems of the No Electronic Theft Act." Communications of the ACM. February,2000.
Munro, Neil. "Cybercrime Treaty on Trial." National Journal. March 10, 2001.
Neeley, DeQuendre. "Justice Department Report Arouses Concerns." Security Management. May, 2000.
Nicholson, Laura; Tom Shebar; and Meredith Weinberg. "Computer Crimes." American Criminal Law Review. Spring 2000.
Oreskovic, Alexei. "FBI Warns of Digital-Crime Wave from Eastern Europe." Industry Standard. March 11, 2001.
Radcliff, Deborah. "A Case of Cyberstalking." Network World. May 29, 2000.
——. "Crime in the 21st Century: The New Field of Computer Forensics." InfoWorld. December 14, 1998.
Rapaport, Richard. "Cyberwars: The Feds Strike Back." Forbes. August 23, 1999.
Shrimsely, Robert. "'Cybercrime' Covered by Extended Law on Terrorism." Financial Times. February 20, 2001.
Spiegel, Peter. "U.S. Cybercops Face Global Challenge as World Gets Wired Up." Financial Times. October 25, 2000.
Thibodeau, Patrick. "European Cybertreaty Raising Concerns." Computerworld. December 11, 2000.
Verton, Dan. "FBI Completes Cybercrime Program Rollout." Computerworld. January 15, 2001.
——. "National Security Threatened by Internet, Studies Say." Computerworld. January 1, 2001.
SEE ALSO: Children and the Internet; Computer Fraud and Abuse Act of 1986; Computer Security; Data Mining; Fraud, Internet; Intellectual Property; Legal Issues; National Information Infrastructure Protection Act of 1996; National Infrastructure Protection Center; Privacy: Issues, Policies, Statements; Safe Harbor Privacy Framework; Viruses; Worms
Computer Crime
COMPUTER CRIME
The use of a computer to take or alter data, or to gain unlawful use of computers or services.
Because of the versatility of the computer, drawing lines between criminal and noncriminal behavior regarding its use can be difficult. Behavior that companies and governments regard as unwanted can range from simple pranks, such as making funny messages appear on a computer's screen, to financial or data manipulation producing millions of dollars in losses. Early prosecution of computer crime was infrequent and usually concerned embezzlement, a crime punishable under existing laws. The advent of more unique forms of abuse, such as computer worms and viruses and widespread computer hacking, has posed new challenges for government and the courts.
The first federal computer crime legislation was the Counterfeit Access Device and Computer Fraud and Abuse Act (18 U.S.C.A. § 1030), passed by Congress in 1984. The act safeguards certain classified government information and makes it a misdemeanor to obtain through a computer financial or credit information that federal laws protect. The act also criminalizes the use of computers to inflict damage to computer systems, including their hardware and software.
In the late 1980s, many states followed the federal government's lead in an effort to define and combat criminal computer activities. At least 20 states passed statutes with similar definitions of computer crimes. Some of those states might have been influenced by studies released in the late 1980s. One report, made available in 1987 by the accounting firm of Ernst and Whinney, estimated that computer abuse caused between $3 billion and $5 billion in losses in the United States annually. Moreover, some of those losses were attributable to newer, more complicated crimes that usually went unprosecuted.
The number of computer crimes continued to increase dramatically in the early 1990s. According to the Computer Emergency and Response Team at Carnegie-Mellon University, the number of computer intrusions in the United States increased 498 percent between 1991 and 1994. During the same time period, the number of network sites affected by computer crimes increased by 702 percent. In 1991, Congress created the National Computer Crime Squad within the federal bureau of investigation (FBI). Between 1991 and 1997, the Squad reportedly investigated more than 200 individual cases involving computer hackers.
Congress addressed the dramatic rise in computer crimes with the enactment of the National Information Infrastructure Act of 1996 as title II of the Economic Espionage Act of 1996, Pub. L. No. 104-294, 110 Stat. 3488. That Act strengthened and clarified provisions of the original Computer Fraud and Abuse Act, although lawmakers and commentators have suggested that as technology develops, new legislation might be necessary to address new methods for committing computer crimes. The new statute also expanded the application of the original statute, making it a crime to obtain unauthorized information from networks of government agencies and departments, as well as data relating to national defense or foreign relations.
Notwithstanding the new legislation and law enforcement's efforts to curb computer crime, statistics regarding these offenses remain stag-gering. According to a survey in 2002 conducted by the Computer Security Institute, in conjunction with the San Francisco office of the FBI, 90 percent of those surveyed (which included mostly large corporations and government agencies) reported that they had detected computer-security breaches. Eighty percent of those surveyed acknowledged that they had suffered financial loss due to computer crime. Moreover, the 223 companies and agencies in the survey that were willing to divulge information about financial losses reported total losses of $455 million in 2002 alone.
Concerns about terrorism have also included the possibility that terrorist organizations could perform hostile acts in the form of computer crimes. In 2001, Congress enacted the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (usa patriot act), Pub. L. No. 107-56, 115 Stat. 277, to provide law enforcement with the necessary tools to combat terrorism. The Act includes provisions that allow law enforcement greater latitude in hunting down criminals who use computers and other communication networks. The Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 also directed the united states sentencing commission to review, and possibly to amend, the sentencing provisions that relate to computer crimes under 18 U.S.C.A. § 1030.
The Department of Justice's Computer Crime and Intellectual Property Section prosecutes dozens of computer-crime cases each year. Many of those cases involve instances of computer hacking and other unauthorized intrusions, as well as software piracy and computer fraud.
One set of especially destructive crimes—internal computer crimes—includes acts in which one computer's program interferes with another computer, thus hindering its use, damaging data or programs, or causing the other computer to crash (i.e., to become temporarily inoperable). Two common types of such programs are known in programming circles as "worms" and "viruses." Both cause damage to computer systems through the commands written by their authors. Worms are independent programs that create temporary files and replicate themselves to the point where computers grow heavy with data, become sluggish, and then crash. Viruses are dependent programs that reproduce themselves through a computer code attached to another program, attaching additional copies of their program to legitimate files each time the computer system is started or when some other triggering event occurs.
The dangers of computer worms and viruses gained popular recognition with one of the first cases prosecuted under the Computer Fraud and Abuse Act. In United States v. Morris, 928 F.2d 504 (2d Cir. 1991), Cornell University student Robert T. Morris was convicted of violating a provision of the act that punishes anyone who, without authorization, intentionally accesses a "federal interest computer" and damages or prevents authorized use of information in such a computer, causing losses of $1,000 or more. Morris, a doctoral candidate in computer science, had decided to demonstrate the weakness of security measures of computers on the internet, a network linking university, government, and military computers around the United States. His plan was to insert a worm into as many computers as he could gain access to, but to ensure that the worm replicated itself slowly enough that it would not cause the computers to slow down or crash. However, Morris miscalculated how quickly the worm would replicate. By the time he released a message on how to kill the worm, it was too late: Some 6,000 computers had crashed or become "catatonic" at numerous institutions, with estimated damages of $200 to $53,000 for each institution. Morris was sentenced to three years' probation and 400 hours of community service, and was fined $10,500. The U.S. Supreme Court declined to review the case (Morris, cert. denied, 502 U.S. 817, 112 S. Ct. 72, 116 L. Ed. 2d 46 [1991]).
Computer hackers often share Morris's goal of attempting to prove a point through the clever manipulation of other computers. Hackers, who, typically, are young, talented, amateur computer programmers, earn respect among their peers by gaining access to information through telecommunications systems. The information obtained ranges from other individuals' e-mail or credit histories to the Department of Defense's secrets.
A high-profile case in 1992 captured national headlines. In what federal investigators called a conspiracy, five young members of an underground New York City gang of hackers, the Masters of Deception (MOD), faced charges that they had illegally obtained computer passwords, possessed unauthorized access devices (long-distance calling-card numbers), and committed wire fraud in violation of the Computer Fraud and Abuse Act. Otto Obermaier, the U.S. attorney who prosecuted the youths, described their activities as "the crime of the future," and said that he intended to use the case to make a critical statement about computer crime. The indictment contained 11 counts, each punishable by at least five years in prison and individual fines of $250,000. Supporters of MOD's civil liberties questioned whether the gang members had done anything truly illegal.
MOD members Paul Stira and Eli Ladopoulos pleaded guilty to the charges against them. They confessed that they had broken the law but insisted that they had not done anything for personal profit. They were sentenced to six months in a federal penitentiary, followed by six months' home detention. John Lee and Julio Fernandez faced specific charges of illegally selling passwords for personal profit. Lee pleaded guilty and received a year behind bars, followed by 300 hours of community service. Fernandez bargained with prosecutors, offering them information on MOD activities, and thus received no jail time. Gang leader Mark Abene, who was notorious in computer circles by his handle Phiber Optik, pleaded guilty to charges of fraud. A U.S. District Court judge sentenced Abene to a year in federal prison, hoping to send a message to other hackers. However, by the time Abene was released from prison in 1995, his notoriety had grown beyond the hacker underground. Many in the computer world hailed him as a martyr in the modern web of computer technology and criminal prosecution. Abene subsequently found employment as a computer technician at a New York-based on-line service.
Computer crime can become an obsession. Such was the case for Kevin Mitnick, a man federal prosecutors described prior to his arrest as the most wanted computer hacker in the world. In the early 1980s, as a teenager, Mitnick proved his mettle as a hacker by gaining access to a North American Air Defense terminal, an event that inspired the 1983 movie War Games. Like the MOD gang, Mitnick gained access to computer networks through telecommunications systems. In violation of federal law, he accessed private credit information, obtaining some 20,000 credit numbers and histories. Other break-ins by Mitnick caused an estimated $4 million in damage to the computer operations of the Digital Equipment Corporation. The company also claimed that Mitnick had stolen more than one million dollars in software.
Mitnick was convicted, sentenced to one year in a minimum-security prison, and then released into a treatment program for compulsive-behavior disorders. Federal investigators tried to keep close track of him during his probation, but in November 1992, he disappeared. Authorities caught up with his trail when Mitnick broke into the system of computer-security expert Tsutomu Shimomura at the San Diego Supercomputer Center—a move that was clearly intended as a challenge to another programming wizard. Shimomura joined forces with the Federal Bureau of Investigation to pursue their elusive quarry in cyberspace. Using a program designed to record activity in a particular database that they were sure that Mitnick was accessing, while monitoring phone activity, Shimomura and authorities narrowed their search to Raleigh, North Carolina. A special device detecting cellular-phone use ultimately led them to Mitnick's apartment. Mitnick was arrested and was charged on 23 federal counts. He pleabargained with prosecutors, who agreed to drop 22 of the counts in exchange for Mitnick's guilty plea for illegally possessing phone numbers to gain access to a computer system. Mitnick was sentenced to eight months in jail.
Mitnick's case illustrates the difficulties that legislatures and courts face when defining and assigning penalties for computer crime. Using a computer to transfer funds illegally or to embezzle money is clearly a serious crime that merits serious punishment. Mitnick broke into numerous services and databases without permission and took sensitive information, in violation of federal laws; however, he never used that information for financial gain. This type of behavior typically has no counterpart outside of cyberspace—for example, people do not break into jewelry stores only to leave a note about weak security.
Some instances of computer crimes demonstrate the way in which small computer files that require relatively little effort on the part of the perpetrator can cause millions of dollars' worth of damage to computer networks. In March 1999, David L. Smith of New Jersey created a virus that lowered the security levels of certain word-processing programs and caused infected computers to send e-mail messages containing attachments with the virus to e-mail addresses contained in the infected computer's e-mail address book. The virus was activated on an infected computer when the user opened the word-processing program.
Smith posted a message on March 26, 1999, to an Internet newsgroup called "Alt.Sex." The message claimed that if a user opened an attachment, it would provide a list of passcodes to pornographic websites. The attachment contained the virus, which became known as the "Melissa" virus. Smith was arrested by New Jersey authorities on April 1, 1999, but not before the virus had infected an estimated 1.2 million computers and affected one-fifth of the country's largest businesses.
The total amount of damages was $80 million. Smith pleaded guilty in December 1999 to state and federal charges. He faced 20 months in a federal prison and a fine of approximately $5,000 for his crime. He faced additional time in state prison. According to U.S. Attorney Robert J. Cleary, "There is a segment in society that views the unleashing of computer viruses as a challenge, a game. Far from it; it is a serious crime. The penalties Mr. Smith faces—including
potentially five years in a federal prison—are no game, and others should heed his example."
Others have continued to commit such crimes. In February 2000, a computer hacker stunned the world by paralyzing the Internet's leading U.S. web sites. Three days of concentrated assaults upon major sites crippled businesses like Yahoo, eBay, and CNN for hours, leaving engineers virtually helpless to respond. When the dust had settled, serious doubts were raised about the safety of Internet commerce. An international hunt ensued, and web sites claimed losses in the hundreds of millions of dollars. After pursuing several false leads, investigators ultimately charged a Canadian teenager in March 2000 in one of the attacks.
On February 7, engineers at Yahoo, the popular portal web site, noticed traffic slowing to a crawl. Initially, suspecting faulty equipment that facilitates the thousands of connections to the site daily, they were surprised to discover that it was receiving many times the normal number of hits. Buckling under exorbitant demand, the servers—the computers that receive and transmit its Internet traffic—had to be shut down for several hours. Engineers then isolated the problem: Remote computers had been instructed to bombard Yahoo's servers with automated requests for service. Over the next two days, several other major web sites suffered the same fate. Hackers hit the auction site eBay, the bookseller Amazon.com, the computer journalism site ZDnet, stock brokerages E*Trade and Datek, the computer store Buy.com, the web portal Excite at Home, and the flagship site for news giant CNN. As each site ground to a halt or went offline, engineers tried in vain to determine where the digital bombardment had originated.
Experts expressed amazement at the attacks' simplicity as well as at the inherent vulnerabilities that they exposed in the Internet's architecture. Hackers had launched what quickly came to be known as a distributed Denial-of-Service (DOS) attack—essentially a remote-controlled strike using multiple computers. First, weeks or months in advance, they had surreptitiously installed commonly available hacking programs called "scripts" on 50 or more remote computers, including university systems chosen for their high-speed connections to the Internet. Later, they activated these scripts, turning the remote computers into virtual zombies that were ordered to send unfathomably large amounts of data—up to one gigabyte per second—continuously to their victims. These data asked the target web sites to respond, just as every legitimate connection to a web site does. The sheer multitudes of requests and responses overwhelmed the victim sites. To escape detection, the "zombies" forged their digital addresses.
Federal investigators were initially stymied. They had legal authority to act under 18 U.S.C.A. § 1030, which criminalizes "knowingly transmit(ting) a program information code or command" that "intentionally causes damage." Sleuthing was difficult, however. Not only had the hackers covered the trail well, but also the FBI had suffered numerous personnel losses to private industry. The bureau had to hire consultants and had to develop special software to assist in its manhunt. Moreover, as FBI official Ron Dick told reporters, the proliferation of common hacking tools meant that even a teenager could have orchestrated the crime.
In early March 2000, authorities arrested 17-year-old New Hampshire resident Dennis Moran, allegedly known online as "Coolio." The lead proved false. In mid-April, claiming to have found "Mafia boy," Royal Canadian Mounted Police arrested a 15-year-old Montreal hacker. The youth, whose real name was not divulged, allegedly had boasted of his exploits online while trying to recruit helpers. Officials charged him with a misdemeanor for launching the attack upon CNN's website.
Although the department of justice continued its hunt, this denial-of-service attack was never completely resolved. Analysts have noted that DOS attacks have occurred for several years, although not to the extent as that of February 2000. In May 2001, for instance, the White House's web page was hit with a DOS attack that blocked access to the site for about two hours.
Based upon the sheer number of cases involving computer crime, commentators remain puzzled as to what is necessary to curb this type of activity. Clearly, technology for law enforcement needs to stay ahead of the technology used by the hackers, but this is not an easy task. A number of conferences have been held to address these issues, often attracting large corporations such as Microsoft and Visa International, but the general consensus is that the hackers still hold the upper hand, with solutions still elusive.
further readings
Cadoree, Michelle. 1994. Computer Crime and Security. Washington, D.C.: LC Science Tracer Bullet.
Gemignani, Michael C. 1993. Computer Law. New York: Clark Boardman Callaghan.
Irwin, Richard D. 1990. Spectacular Computer Crimes. Homewood, Ill.: Dow Jones–Irwin.
Mungo, Paul. 1992. Approaching Zero. New York: Random House.
Nugent, Hugh. 1991. State Computer Crime Statutes. Justice Department. National Institute of Justice.
Slatalla, Michelle, and Joshua Quittner. 1995. Masters of Deception. New York: HarperCollins.
Soma, John T. 1994. Computer Technology and the Law. Colorado Springs: Shepard's/McGraw-Hill.