Criminal Law in Cyberspace age 5 Some neutralization techniques, however, risk punishing utility-producing activities. For example, encryption has the potential to further massive terrorism ( which leads many in the law enforcement community to advocate its criminalization) but also the potential to facilitate greater security in communication and encourage freedom(which leads many others to push for unfettered access to the technology ) This is a standard dilemma that the law encounters in regulation of technology, call it the dual-use problem. The problem arises when an activity has both positive and negative uses, and forbidding the act forfeits the good uses. To help solve the problem, I introduce a conventional tool, the sentencing enhancement, as a mechanism that selectively targets improper uses. Policymakers and cademic have given little attention to sentencing enhancements, and lack a theory of when they should e used. This Article endeavors to fill that gap, arguing that they are suited for acts whose benefits and harms are context specific. It shows, for example, how enhancements provide a solution to the encryption debate because they can be aimed at encryptions harmful applications Second, cybercrime adds additional parties to the traditional perpetrator-victim scenario of crime. In particular, much cybercrime is carried out through the use of Internet Service Providers (ISPs), such as America OnLine. Criminal law should consider imposing responsibilities on third parties because doing so promotes cost deterrence. Third parties can develop ways to make crime more expensive, and may be able to do so in ways that the govemment cannot directly accomplish. The same logic sometimes applies to victims of cybercrime; law can develop mechanisms to encourage optimal victim behavior as well. As part of this discussion, the Article shows how victim self-help depends on changing police behavior, and outlines a strategy to make police departments behave more like fire departments(focusing on warning and prevention, and less on chasing people after they commit crimes
Criminal Law in Cyberspace Page 5 Some neutralization techniques, however, risk punishing utility-producing activities. For example, encryption has the potential to further massive terrorism (which leads many in the law enforcement community to advocate its criminalization) but also the potential to facilitate greater security in communication and encourage freedom (which leads many others to push for unfettered access to the technology). This is a standard dilemma that the law encounters in regulation of technology, call it the dual-use problem. The problem arises when an activity has both positive and negative uses, and forbidding the act forfeits the good uses. To help solve the problem, I introduce a conventional tool, the sentencing enhancement, as a mechanism that selectively targets improper uses. Policymakers and academics have given little attention to sentencing enhancements, and lack a theory of when they should be used. This Article endeavors to fill that gap, arguing that they are suited for acts whose benefits and harms are context specific. It shows, for example, how enhancements provide a solution to the encryption debate because they can be aimed at encryption’s harmful applications. Second, cybercrime adds additional parties to the traditional perpetrator-victim scenario of crime. In particular, much cybercrime is carried out through the use of Internet Service Providers (ISPs), such as America OnLine. Criminal law should consider imposing responsibilities on third parties because doing so promotes cost deterrence. Third parties can develop ways to make crime more expensive, and may be able to do so in ways that the government cannot directly accomplish. The same logic sometimes applies to victims of cybercrime; law can develop mechanisms to encourage optimal victim behavior as well. As part of this discussion, the Article shows how victim self-help depends on changing police behavior, and outlines a strategy to make police departments behave more like fire departments (focusing on warning and prevention, and less on chasing people after they commit crimes)
Criminal Law in Cyberspace Page 6 Two features of cyberspace, however, suggest that these burden-shifting strategies will be difficult. The first, which borrows from the New Economy jingo of Network effects, " contends that interconnectivity is an important goal that should not be sacrificed lightly. If victims and ISPs are forced to take precautionary measures-from building strong firewalls to forgoing communication with risky computer systems-it may diminish the value of the Internet. A strong public law enforcement presence necessary to prevent the Net from fragmenting into small regions accessible only to subsets of trusted users with passkeys. A second feature that limits burden-shifting arises because of the asymmetric incentives between ISPs and their users. Because an isP derives little util ity from providing access to a risky subscriber, a legal regime that places liability on an IsP for the acts of its subscribers will quickl lead the IsP to purge risky ones from its system. ISPs, as private entities, face no constitutional constraints and little public accountability, the results of ISP liability may be unfair and risk undermining the Net's benefits Third, and more generally, a host of thorny problems arise because most activities that occur cyberspace are invisible to third parties-and sometimes even to second parties, such as the very website that is being hacked In a type of space where crimes are invisible, strategies that focus on trying to prevent crime by maintaining public order, such as Broken Windows Policing, are of limited utility(though some insights can be adapted to cyberspace). Social norms cannot operate as effectively to prevent crime on the Net, for its users are not necessarily constrained by the values of realspace nor can norms sometimes be enforced as easily as they can in realspace On the other side of the ledger, the danger of overly aggressive law enforcement is multiplied in yberspace. Each new major cybercrime leads law enforcement to push for changes to the technical infrastructure to create better monitoring and tracing. If these codes are hidden in private hardware and
Criminal Law in Cyberspace Page 6 Two features of cyberspace, however, suggest that these burden-shifting strategies will be difficult. The first, which borrows from the New Economy jingo of “Network effects,” contends that interconnectivity is an important goal that should not be sacrificed lightly. If victims and ISPs are forced to take precautionary measures–from building strong firewalls to forgoing communication with risky computer systems–it may diminish the value of the Internet. A strong public law enforcement presence is necessary to prevent the Net from fragmenting into small regions accessible only to subsets of trusted users with passkeys. A second feature that limits burden-shifting arises because of the asymmetric incentives between ISPs and their users. Because an ISP derives little utility from providing access to a risky subscriber, a legal regime that places liability on an ISP for the acts of its subscribers will quickly lead the ISP to purge risky ones from its system. ISPs, as private entities, face no constitutional constraints and little public accountability; the results of ISP liability may be unfair and risk undermining the Net’s benefits. Third, and more generally, a host of thorny problems arise because most activities that occur in cyberspace are invisible to third parties–and sometimes even to second parties, such as the very website that is being hacked. In a type of space where crimes are invisible, strategies that focus on trying to prevent crime by maintaining public order, such as Broken Windows Policing, are of limited utility (though some insights can be adapted to cyberspace). Social norms cannot operate as effectively to prevent crime on the Net, for its users are not necessarily constrained by the values of realspace nor can norms sometimes be enforced as easily as they can in realspace. On the other side of the ledger, the danger of overly aggressive law enforcement is multiplied in cyberspace. Each new major cybercrime leads law enforcement to push for changes to the technical infrastructure to create better monitoring and tracing. If these codes are hidden in private hardware and
Criminal Law in Cyberspace age 7 software, however, public accountabil ity may be undermined. a similar point is true about enforcement by police; because police are invisible on the Internet, the potential for entrapment may be greater. The ultimate effect of this loss of police visibility may be to poison legitimate activity on the Net because confidence in communication may be undermined. A man cannot be sure that he is talking to a friend and not a government interloper seeking to document a criminal case. Because the technology of law enforcement is not well understood among the public, citizens will fear the Net, and its advantages will be stymied. Consider the public uproar over a third prominent news item from this year: the discovery that the Federal Bureau of Investigation(FBi has a system to read private emails with the poorly chosen title of "Carnivore Nevertheless, the differences between crimes that take place in cyberspace and those that occur in realspace should not obscure their similarities. For example, if crime in cyberspace is easier to commit due to technical prowess, then the law needs to begin to think about how to treat offline crimes that hamess technical ability. Similarly, if acts in cyberspace portend criminal activity in realspace, then this dangerous complementarity can- if sufficiently strong-justify punishing acts in cyberspace(an example might be electronic stalkers, who may graduate to stalking in realspace). This notion undoes the standard idea that criminal punishment should be reserved only for acts that are harmful; the point here is not that a certain act is harmful, but that its commission will lead to a harmful act. Preventing the former act is a mechanism the government may use to discourage the commission of the latter Review U, WASH. POST, Aug. 11, 2000, at 23; Ted Bridis, FBI Mon't Provide Data on Carnivore Congress 3 g 'See McVeigh v. Cohen, 983 F Supp. 215, 217 (D D.C. 1998)(officer discharged on basis of gays-in-military po fter government obtains America OnLine email where he indicated his homosexuality) SSee infra note 184(discussing exaggerated fears of Carnivore); see also David A. Vise, Carnivore Going Requested, WALL ST J, Aug 10, 2000, Neil King, FBI'S Wiretaps to Scan E-mail Spark Concern, N.Y. TIMES, July
Criminal Law in Cyberspace Page 7 7 See McVeigh v. Cohen, 983 F.Supp. 215, 217 (D.D.C. 1998) (officer discharged on basis of gays-in-military policy after government obtains America OnLine email where he indicated his homosexuality). 8 See infra note 184 (discussing exaggerated fears of Carnivore); see also David A. Vise, Carnivore Going to Review U., WASH. POST, Aug. 11, 2000, at 23; Ted Bridis, FBI Won't Provide Data on Carnivore Congress Requested, WALL ST. J., Aug. 10, 2000; Neil King, FBI'S Wiretaps to Scan E-mail Spark Concern, N.Y. TIMES, July 11, 2000, at A3. software, however, public accountability may be undermined. A similar point is true about enforcement by police; because police are invisible on the Internet, the potential for entrapment may be greater. The ultimate effect of this loss of police visibility may be to poison legitimate activity on the Net because confidence in communication may be undermined. A man cannot be sure that he is talking to a friend, and not a government interloper seeking to document a criminal case.7 Because the technology of law enforcement is not well understood among the public, citizens will fear the Net, and its advantages will be stymied. Consider the public uproar over a third prominent news item from this year: the discovery that the Federal Bureau of Investigation (FBI) has a system to read private emails with the poorly chosen title of “Carnivore.”8 Nevertheless, the differences between crimes that take place in cyberspace and those that occur in realspace should not obscure their similarities. For example, if crime in cyberspace is easier to commit due to technical prowess, then the law needs to begin to think about how to treat offline crimes that harness technical ability. Similarly, if acts in cyberspace portend criminal activity in realspace, then this dangerous complementarity can– if sufficiently strong–justify punishing acts in cyberspace (an example might be electronic stalkers, who may graduate to stalking in realspace). This notion undoes the standard idea that criminal punishment should be reserved only for acts that are harmful; the point here is not that a certain act is harmful, but that its commission will lead to a harmful act. Preventing the former act is a mechanism the government may use to discourage the commission of the latter
Criminal Law in Cyberspace Page 8 The problem of cybercrime is a larger one of how the law deals with new technologies Sometimes, the law treats crimes that employ new technologies as different and deserving of special gulation(wire fraud, hijacking of airplanes, grand theft auto)and other times it does not(crimes performed with typewriters and the theft of most objects, which carries the same penalty whether accomplished with James Bond-style panache or by a simple break-in). Lurking underneath this differential regulation is a complex symbiotic relationship between technology and law. Computer crime forces us to confront the role and limitations of criminal law, just as criminal law forces us to reconceptualize the role and limitations of technology After all, computer crime is not simply constrained by law. Before Bob Ellickson and Larry Lessig's pathbreaking work, many scholars assumed that law was the primary mechanism for the regulation of conduct. Ellickson and Lessig helped introduce a second constraint, social norms. They showed how such norms can regulate as effectively, or even more effectively than law could. Lessig's recent work has suggested a third form of regulation, architecture or Code. Rather than relying on social pressure or legal sanction, Lessig explains how physical and electronic barriers can prevent harmful acts. In realspace, installing lights on street comers can prevent muggings and other forms of street crime, and placing concrete barricades near inner-city highway ramps will prevent suburbanites from quickly driving in and out to purchase drugs. In cyberspace, Internet browsers can 9See CAROLYN MARVIN. WHEN OLD TECHNOLOGIES WERE NEW: THINKING ABOUT ELECTRIC COMMUNICATION IN THI LATE NINETEENTH CENTURY 6, 88-97(1988)(suggesting that electricity and telephones modified crime control) 1See Neal Kumar Katyal, Deterrence's Difficulty, 95 MICH L REV. 2385, 2416-20, 2447-55(1997)(distinguishing between three forms of social regulation: legal sanctions, monetary price, and social norms) ROBERT C ELLICKSON, ORDER WITHOUT LAW(1991); Lawrence Lessig, The Regulation of Social Meaning, 62U CHIL REV.943(1995 "LESSIG, supra note 4 Richard Weizel, A Tentative Farewell to the Bridgeport Barriers, N.Y. TIMES, July 5, 1998, at Sec. 14, p 1; Fred Musante, Drug Trade Links Bridgeport and its Suburbs, N.Y. TIMES, Feb. 14, 1993, at Sec. 13, p I
Criminal Law in Cyberspace Page 8 9 See CAROLYN MARVIN, WHEN OLD TECHNOLOGIES WERE NEW: THINKING ABOUT ELECTRIC COMMUNICATION IN THE LATE NINETEENTH CENTURY 6, 88-97(1988) (suggesting that electricity and telephones modified crime control). 10See Neal Kumar Katyal, Deterrence’s Difficulty, 95 MICH. L. REV. 2385, 2416-20, 2447-55 (1997) (distinguishing between three forms of social regulation: legal sanctions, monetary price, and social norms). 11ROBERT C. ELLICKSON, ORDER WITHOUT LAW (1991); Lawrence Lessig, The Regulation of Social Meaning, 62 U. CHI. L. REV. 943 (1995). 12LESSIG, supra note 4. 13Richard Weizel, A Tentative Farewell to the Bridgeport Barriers, N.Y. TIMES, July 5, 1998, at Sec. 14, p.1; Fred Musante, Drug Trade Links Bridgeport and its Suburbs, N.Y. TIMES, Feb. 14, 1993, at Sec. 13, p.1. The problem of cybercrime is a larger one of how the law deals with new technologies. Sometimes, the law treats crimes that employ new technologies as different and deserving of special regulation (wire fraud, hijacking of airplanes, grand theft auto) and other times it does not (crimes performed with typewriters and the theft of most objects, which carries the same penalty whether accomplished with James Bond-style panache or by a simple break-in). Lurking underneath this differential regulation is a complex symbiotic relationship between technology and law.9 Computer crime forces us to confront the role and limitations of criminal law, just as criminal law forces us to reconceptualize the role and limitations of technology. After all, computer crime is not simply constrained by law.10 Before Bob Ellickson and Larry Lessig’s pathbreaking work, many scholars assumed that law was the primary mechanism for the regulation of conduct. Ellickson and Lessig helped introduce a second constraint, social norms. They showed how such norms can regulate as effectively, or even more effectively, than law could.11 Lessig’s recent work has suggested a third form of regulation, architecture or Code.12 Rather than relying on social pressure or legal sanction, Lessig explains how physical and electronic barriers can prevent harmful acts. In realspace, installing lights on street corners can prevent muggings and other forms of street crime, and placing concrete barricades near inner-city highway ramps will prevent suburbanites from quickly driving in and out to purchase drugs.13 In cyberspace, Internet browsers can
Criminal Law in Cyberspace Page 9 be configured to prevent repeated password entry attempts for sensitive websites or could be coded to prevent certain forms of encryption This Article suggests the presence of two other constraints, physical harm and monetary cost The risk of physical harm in committing a crime is a rather obvious constraint, and one that is generally lower with computer crime as compared to realspace crime. Monetary costs, by contrast, are not thought of by criminal scholars as a deterrent, and this is unfortunate. One reason why computer crime is so dangerous is because it is so cheap to perpetrate The legal system, I contend, should rely more on perpetration costs. After all, unlike the probabilistic specter of legal sanction, these costs are certain to be incurred by all who commit a crime In some ways, the legal systems current focus on legal sanction at the expense of monetary costs is ironic. Criminals tend to be gamblers- willing to speculate on the chance that they will not be caught and vet the conventional wisdom is to set up a parlor from which to conduct the wager instead of relying on a certain perpetration cost. Governments use the threat of jail time to deter offenses when they know that the bulk of offenders discount the threat of long jail sentences because they have many years to live due to their youth. The lack of high perpetration costs is one factor that explains the rise in cybercrime. Indeed, the fact that crime is cheap to commit weakens the power of social norms, the ease of, for example, copying a Cd leads many to think of it as not a serious crime Monetary costs in short may deter a different stratum of the population than might law enforcement-those with less money. Suppose, for example, that the majority of hackers are teenagers. Teenagers, with their small wallets and purses, might be particularly sensitive to strategies that increase the monetary costs of crime. If dangerous software programs such as hackers tools were expensive, or if sensitive websites charged low admissions fees, these forms of regulation may deter
Criminal Law in Cyberspace Page 9 be configured to prevent repeated password entry attempts for sensitive websites or could be coded to prevent certain forms of encryption. This Article suggests the presence of two other constraints, physical harm and monetary cost. The risk of physical harm in committing a crime is a rather obvious constraint, and one that is generally lower with computer crime as compared to realspace crime. Monetary costs, by contrast, are not thought of by criminal scholars as a deterrent, and this is unfortunate. One reason why computer crime is so dangerous is because it is so cheap to perpetrate. The legal system, I contend, should rely more on perpetration costs. After all, unlike the probabilistic specter of legal sanction, these costs are certain to be incurred by all who commit a crime. In some ways, the legal system’s current focus on legal sanction at the expense of monetary costs is ironic. Criminals tend to be gamblers -- willing to speculate on the chance that they will not be caught – and yet the conventional wisdom is to set up a parlor from which to conduct the wager instead of relying on a certain perpetration cost. Governments use the threat of jail time to deter offenses when they know that the bulk of offenders discount the threat of long jail sentences because they have many years to live due to their youth. The lack of high perpetration costs is one factor that explains the rise in cybercrime. Indeed, the fact that crime is cheap to commit weakens the power of social norms; the ease of, for example, copying a CD leads many to think of it as not a serious crime. Monetary costs in short may deter a different stratum of the population than might law enforcement – those with less money. Suppose, for example, that the majority of hackers are teenagers. Teenagers, with their small wallets and purses, might be particularly sensitive to strategies that increase the monetary costs of crime. If dangerous software programs such as hackers’ tools were expensive, or if sensitive websites charged low admissions fees, these forms of regulation may deter