Georgetown University Law Center 2000 Working Paper Series In Business, Economics and regulatory policy d Public Law and Legal Theory Working Paper No. 249030 Criminal Law in Cyberspace by Neal Kumar Katyal a revised version of this working paper is forthcoming in the University of Pennsylvania Law Review, Volume 149, April 2001 So This paper can be downloaded without charge from the ocial Science research Network electronic Paper collection at http://papers.ssrn.com/paper.taf?abstractid=249030
1 Georgetown University Law Center 2000 Working Paper Series in Business, Economics and Regulatory Policy and Public Law and Legal Theory Criminal Law in Cyberspace by Neal Kumar Katyal A revised version of this working paper is forthcoming in the University of Pennsylvania Law Review, Volume 149, April 2001 This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection at http://papers.ssrn.com/paper.taf?abstract_id=249030 Working Paper No. 249030
Criminal Law in Cyberspace Neal Kumar Katyal Forthcoming: 149 U Penn. L. Rev.-(April, 2001) NTRODUCTION WHAT IS CYBERCRIME? A. Unauthorized Access to Computer Programs and Files Unauthorized Disruption 1 orms 3. Logic Bombs Trojan Horses Distributed denial of service C. Theft of Identity Carrying out a Traditional Offense 1. Child Pornography 2. Copyright......... ..27 Illegal Firearms Sales 33 II TREATING CYBERCRIME DIFFERENTLY A. First-Party Strate 1. Five Constraints on Crime 2. The Efficiency of Cybercrime a) Conspiracy's Demise b) Pseudonymity and Encryption racing and Escape Second-Party Strategies of Victim Precaution 1. Optimal victim Behavior 2. The Limits of victim Precaution 4448938乃3987 3. The Emergence of a Special Form of Crime, Targeting Networks 5. Supersleuth Victims Electronic Vigilantism Third Party Strategies of Scanning, Coding, and Norm Enforcement 92 Internet service providers Credit Card Companies Software and Hardware Manufacturers Public Enforcement of Social Norms 105 CONCLUSION..,,,.,.,,.,.,..,.,.,..,,.,.,,.,..,,..,,,..,,,. Associate Professor of Law, Georgetown University Law Center. Thanks to Akhil Amar, Julie Cohen, Fred Cohen Michael Froomkin, Jennifer Granick, Jerry Kang, Sonia Katyal, Josh Liston, Wayne Mink, Wendy Perdue, Mark Rasch, Jeffrey rosen, Joanna Rosen, Jonathan Rusch, Mike Seidman, Warren Schwartz, Anna Selden, Andrew Shapiro, Neal Stephenson, Cliff Stoll, Lynn Stout, Mark Tushnet, Eugene Volokh, Robin West, and participants in a georgetown University Faculty Workshop
*Associate Professor of Law, Georgetown University Law Center. Thanks to Akhil Amar, Julie Cohen, Fred Cohen, Michael Froomkin, Jennifer Granick, Jerry Kang, Sonia Katyal, Josh Liston, Wayne Mink, Wendy Perdue, Mark Rasch, Jeffrey Rosen, Joanna Rosen, Jonathan Rusch, Mike Seidman, Warren Schwartz, Anna Selden, Andrew Shapiro, Neal Stephenson, Cliff Stoll, Lynn Stout, Mark Tushnet, Eugene Volokh, Robin West, and participants in a Georgetown University Faculty Workshop. Criminal Law in Cyberspace Neal Kumar Katyal* Forthcoming: 149 U. Penn. L. Rev. – (April, 2001) INTRODUCTION ................................................................ 2 I. WHAT IS CYBERCRIME? ................................................... 10 A. Unauthorized Access to Computer Programs and Files ....................... 17 B. Unauthorized Disruption ............................................. 19 1. Viruses ................................................... 19 2. Worms .................................................... 20 3. Logic Bombs & Trojan Horses .................................. 21 4. Distributed Denial of Service ................................... 22 C. Theft of Identity ................................................... 23 D. Carrying out a Traditional Offense ...................................... 24 1. Child Pornography ........................................... 24 2. Copyright .................................................. 27 3. Cyberstalking ............................................... 30 4. Illegal Firearms Sales ......................................... 33 II TREATING CYBERCRIME DIFFERENTLY ........................................ 34 A. First-Party Strategies ............................................... 34 1. Five Constraints on Crime ...................................... 34 2. The Efficiency of Cybercrime ................................... 38 a) Conspiracy’s Demise ................................... 39 b) Pseudonymity and Encryption ............................. 43 c) Tracing and Escape .................................... 68 B. Second-Party Strategies of Victim Precaution .............................. 73 1. Optimal Victim Behavior ....................................... 73 2. The Limits of Victim Precaution ................................. 79 3. The Emergence of a Special Form of Crime, Targeting Networks ......... 85 4. New De Minimis Crime ....................................... 87 5. Supersleuth Victims & Electronic Vigilantism ........................ 89 C. Third Party Strategies of Scanning, Coding, and Norm Enforcement ............. 92 1. Internet Service Providers ...................................... 93 2. Credit Card Companies ........................................ 99 3. Software and Hardware Manufacturers ........................... 100 4. Public Enforcement of Social Norms ............................. 105 CONCLUSION ................................................................ 110
INTROdUCTION The new millennium brings new crimes. Witness two of the most talked-about crimes of the year, the ILove You computer worm(in terms of economic damage, perhaps the most devastating crime in history, causing more than $11 billion in losses )and the denial of service attacks on Yahoo eBay, ETrade and other sites(which caused $1.2 billion in damage ). These events suggest that a new breed of crime has emerged over the past decade: Cybercrime. This umbrella term covers all sorts of crimes committed with computers-from viruses to trojan horses; from hacking into private email to undermining defense and intelligence systems; from electronic thefts of bank accounts to disrupting web sites. Law has not necessarily caught up with these crimes, as the recent dismissal of charges against he author of the ILove You worm demonstrates. How should the law think about computer crime? Some academics see cyberspace as a new area where first principles of law need to be rethought. David Johnson and David Post, for example, contend that existing legal rules are not suitable for the digital age, and that governments should not necessarily impose legal order on the Internet. 3 Others, by contrast, believe that a computer is merely an instrument and that crime in cyberspace e virus Signs Marketing and Sales Contract, BUSINESS WIRE, Aug 1, 2000(totaling damage from ILove You virus at $ll billion ); Russ Banham, Computer Viruses, CFO Magazine, Aug. 1, 2000(describing Yankee Group Consulting Firm study of February's denial of service attacks and its damage calculation of $1. 2 billion) PhilippinesDropsChargesinlloVeYouVirusCaseathttp://www.cnn.com/2000/tech /computing/08/21/computers. philippines reut/index. html(Aug 21, 2000)(reporting that Phillippines dropped charges because the only law against hacking was passed after the crimes took place) dAvid R Johnson David G Post, And How Shall the Net Be Governed? A Meditation on the Relative Virtues of Decentralized Emergent Law, in CooRDINATING THE INTERNET 62(Brian Kahin James H. Keller eds. 1997); David R. Johnson David Post, Law and Borders-The Rise of Law in Cyberspace, 48 STAN. L REV. 1367, 1372-75(1996) see also Benjamin Wittes, Is Law Enforcement Ready for Cyber Crime LEGAL TIMES, October 10, 1994 at 17 (describing how "some describe the Internet as'qualitatively different from other platforms for crime"and how others, such as Stewart Baker, former general counsel at the National Security Agency, believe that such descriptions are"broadly speaking-wrong")
1 eVirus Signs Marketing and Sales Contract, BUSINESS WIRE, Aug. 1, 2000 (totaling damage from ILoveYou virus at $11 billion); Russ Banham, Computer Viruses, CFO Magazine, Aug. 1, 2000 (describing Yankee Group Consulting Firm study of February’s denial of service attacks and its damage calculation of $1.2 billion). 2Philippines Drops Charges in ILoveYou Virus Case, at http://www.cnn.com/2000/TECH /computing/08/21/computers.philippines.reut/index.html(Aug 21, 2000) (reporting that Phillippines dropped charges because the only law against hacking was passed after the crimes took place). 3David R. Johnson & David G. Post, And How Shall the Net Be Governed? A Meditation on the Relative Virtues of Decentralized Emergent Law, in COORDINATING THE INTERNET 62 (Brian Kahin & James H. Keller eds. 1997); David R. Johnson & David Post, Law and Borders–The Rise of Law in Cyberspace, 48 STAN. L. REV. 1367, 1372-75 (1996); see also Benjamin Wittes, Is Law Enforcement Ready for Cyber Crime?, LEGAL TIMES, October 10, 1994 at 17 (describing how “some describe the Internet as ‘qualitatively different’ from other platforms for crime” and how others, such as Stewart Baker, former general counsel at the National Security Agency, believe that such descriptions are “broadly speaking–wrong”). INTRODUCTION The new millennium brings new crimes. Witness two of the most talked-about crimes of the year, the ILoveYou computer worm (in terms of economic damage, perhaps the most devastating crime in history, causing more than $11 billion in losses) and the denial of service attacks on Yahoo, eBay, ETrade and other sites (which caused $1.2 billion in damage).1 These events suggest that a new breed of crime has emerged over the past decade: Cybercrime. This umbrella term covers all sorts of crimes committed with computers–from viruses to trojan horses; from hacking into private email to undermining defense and intelligence systems; from electronic thefts of bank accounts to disrupting web sites. Law has not necessarily caught up with these crimes, as the recent dismissal of charges against the author of the ILoveYou worm demonstrates.2 How should the law think about computer crime? Some academics see cyberspace as a new area where first principles of law need to be rethought. David Johnson and David Post, for example, contend that existing legal rules are not suitable for the digital age, and that governments should not necessarily impose legal order on the Internet.3 Others, by contrast, believe that a computer is merely an instrument and that crime in cyberspace
Criminal Law in Cyberspace should be regulated the same way as other acts in realspace. The U.S. Department of Justice(Doj recent report on cybercrime typifies this approach. I contend that neither view is correct, and that each camp slights important features that make cybercrime both different from and similar to traditional crime Underlying the"cybercrime is not different position is a worry about a unique form of geographic substitution. The concern is that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower. For example, if the electronic theft of $1 million warrants five years'imprisonment, and the physical theft of Sl million warrants ten years' imprisonment, criminals are likely to opt for the electronic theft. Such analysis is, however, incomplete. Beccaria and Becker have observed that the expected penalty for criminal activity is not only the sentence in the criminal code, it is also a function of See, e. g, Christopher M. Kelly, The Cyberspace Separatism Fallacy, 34 TEX INT'L L.J. 413(1999)(book review); Catherine T Clarke, From CrimiNet to Cyber-perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet, 75 OR. L REv. 191, 204-05 (1996)(discussing informal surveys of lawyers revealing that"most lawyers consider criminals on the'net to be exactly the same as those outside the 'net); Jack L Goldsmith, Against Cyberanarchy, 65 U CHI. L REv. 1199(1998)(arguing that cyberspace can be regulated in many traditional ways). An important middle approach is Larry Lessig's, who contends that cyberspace can be regulated hrough law and programming code. See LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 52-60(1999) Some courts have also suggested that crimes might be different in cy berspace because there is a lack of ngible media, such as a briefcase that may be"stolen. "See, e. g, United States v. Carlin Commun., Inc, 815 F2d 1367, 1371(10th Cir. 1987). Others have disagreed. See United States v. Thomas, 74 F. 3d 701, 707(6th Cir. 1996) United States v Gilboe, 684 F2d 235 (2d Cir 1982) The Justice Department believes that"substantive regulation of unlawful conduct. should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world. If an activity is prohibited the physical world but not on the Internet, then the Internet becomes a safe haven for that unlawful activity. UNITED STATES DEPARTMENT OF JUSTICE. THE FLECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET 11(2000)[hereinafter DOJ REPORTI Current federal law, in general, embraces the view that there are no differences. See id at vi("Existing substantive federal laws generally do not distinguish between unlawful conduct committed through the use of the Internet and the same conduct committed through the use of other, more traditional means of communication
Criminal Law in Cyberspace Page 3 4 See, e.g., Christopher M. Kelly, The Cyberspace Separatism Fallacy, 34 TEX INT’L L.J. 413 (1999) (book review); Catherine T. Clarke, From CrimiNet to Cyber-perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet, 75 OR. L. REV. 191, 204-05 (1996) (discussing informal surveys of lawyers revealing that “most lawyers consider criminals on the 'net to be exactly the same as those outside the 'net”); Jack L. Goldsmith, Against Cyberanarchy, 65 U. CHI. L. REV. 1199 (1998) (arguing that cyberspace can be regulated in many traditional ways). An important middle approach is Larry Lessig’s, who contends that cyberspace can be regulated through law and programming code. See LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 52-60 (1999). Some courts have also suggested that crimes might be different in cyberspace because there is a lack of tangible media, such as a briefcase that may be “stolen.” See, e.g., United States v. Carlin Commun., Inc., 815 F.2d 1367, 1371 (10th Cir. 1987). Others have disagreed. See United States v. Thomas, 74 F. 3d 701, 707 (6th Cir. 1996); United States v. Gilboe, 684 F.2d 235 (2d Cir. 1982). 5 The Justice Department believes that “substantive regulation of unlawful conduct. . .should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world. If an activity is prohibited in the physical world but not on the Internet, then the Internet becomes a safe haven for that unlawful activity.” UNITED STATES DEPARTMENT OF JUSTICE, THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET 11 (2000) [hereinafter DOJ REPORT]. Current federal law, in general, embraces the view that there are no differences. See id. at vi (“Existing substantive federal laws generally do not distinguish between unlawful conduct committed through the use of the Internet and the same conduct committed through the use of other, more traditional means of communication.”) should be regulated the same way as other acts in realspace.4 The U.S. Department of Justice (DOJ) recent report on cybercrime typifies this approach.5 I contend that neither view is correct, and that each camp slights important features that make cybercrime both different from and similar to traditional crime. Underlying the “cybercrime is not different” position is a worry about a unique form of geographic substitution. The concern is that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower. For example, if the electronic theft of $1 million warrants five years’ imprisonment, and the physical theft of $1 million warrants ten years’ imprisonment, criminals are likely to opt for the electronic theft. Such analysis is, however, incomplete. Beccaria and Becker have observed that the expected penalty for criminal activity is not only the sentence in the criminal code, it is also a function of
Criminal Law in Cyberspace age he probability that one will get caught 6 To the extent that cybercrimes are easier to get away with, sentences might be increased to compensate for this lower probability In addition to the probability of being caught, another variable overlooked by the"cybercrime is not different camp is the perpetration cost of engaging in crime. A bank robbery in realspace, for example, consumes tremendous criminal resources. A robber would have to hire lookouts and firepower, garner inside knowledge about the bank, and so on. Profits would be split between five, Six, or even more people. A computer theft, by contrast, involves fewer resource inputs and may even be accomplished by a single person sitting down at a computer. Because cybercrime requires fewer resources and less investment to cause a given level of harm, the law might want to approach these crimes differently These variations suggest that cyberspace is a unique medium for three reasons. First, and most importantly, the use of computers and other equipment is a cheaper means to perpetrate crime Criminal law must be concerned not only with punishing crime ex post, but with creating ex ante barriers to inexpensive ways of carrying out criminal activity. In this Article, this principle-which is generally applicable in criminal law- will be called cost deterrence. The idea is that law should strive to channel crime into outlets that are more costly to criminals. Cyberspace presents unique opportunitie for criminals to reduce their perpetration costs the probability of success achieved by a given expenditure is greater. Accordingly, the law should develop mechanisms to neutralize these efficiency advantages See gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. POL. ECON. 169(1968); Cesare Beccaria On Crimes and Punishments, in ON CRIMES AND PUNISHMENTS AND OTHER WRITINGS 1, 21(Richard Bellamy ed Richard Davies et al. trans., Cambridge Univ Press 1995)(1764)
Criminal Law in Cyberspace Page 4 6 See Gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. POL. ECON. 169 (1968); Cesare Beccaria, On Crimes and Punishments, in ON CRIMES AND PUNISHMENTS AND OTHER WRITINGS 1, 21 (Richard Bellamy ed. & Richard Davies et al. trans., Cambridge Univ. Press 1995) (1764). the probability that one will get caught.6 To the extent that cybercrimes are easier to get away with, sentences might be increased to compensate for this lower probability. In addition to the probability of being caught, another variable overlooked by the “cybercrime is not different” camp is the perpetration cost of engaging in crime. A bank robbery in realspace, for example, consumes tremendous criminal resources. A robber would have to hire lookouts and firepower, garner inside knowledge about the bank, and so on. Profits would be split between five, six, or even more people. A computer theft, by contrast, involves fewer resource inputs and may even be accomplished by a single person sitting down at a computer. Because cybercrime requires fewer resources and less investment to cause a given level of harm, the law might want to approach these crimes differently. These variations suggest that cyberspace is a unique medium for three reasons. First, and most importantly, the use of computers and other equipment is a cheaper means to perpetrate crime. Criminal law must be concerned not only with punishing crime ex post, but with creating ex ante barriers to inexpensive ways of carrying out criminal activity. In this Article, this principle–which is generally applicable in criminal law–will be called cost deterrence. The idea is that law should strive to channel crime into outlets that are more costly to criminals. Cyberspace presents unique opportunities for criminals to reduce their perpetration costs; the probability of success achieved by a given expenditure is greater. Accordingly, the law should develop mechanisms to neutralize these efficiency advantages