Criminal Law in Cyberspace criminal wrongdoing in a way that conventional law enforcement would not. 4 Civil forfeiture of computers and equipment, and postconviction use/training restrictions on computers can also increase perpetration costs and prevent recidivism. Criminal law scholars should incorporate monetary costs just as they should recognize social norms and architecture, into their calculations about optimal deterrence. This multifaceted strategy of regulation is particularly important for crimes where offenders tend to be heterogenous Put a different way, the emergence of computer crime threatens an implicit calculus that thus far has constrained realspace crime. Computers make it easier for criminals to evade the constraint of social norms(through pseudonymity and removal from the physical site of the crime ), legal sanctions ( the probability of getting caught may be reduced for similar reasons), and monetary cost(because the resource inputs necessary to cause a given unit of harm are much lower ). The standard Beckerian solution to this problem is to increase the legal sanction, but situating cybercrime within these other constraints reveals other solutions. These other strategies might be more effective because it may be difficult to increase the sanction enough to compensate for a very low probability of getting caught. Some examples of perpetration cost strategies have been given, so the point will be illustrated by architectural regulation. Government could redress the lowered constraints against crime by enacting regulations that would prevent pseudonymity by regulating the Internet Protocol and software manufacturers(thus increasing the power of social norms as a constraint on crime, as well as increasing the probability of getting caught ), by insisting upon mechanisms that ensure electronic tracing of computer signals to locate offenders(thus increasing the probability of getting caught), or by requiring IThe perverse incentive problem created by such regulation, as well as a fuller discussion of the role of monetary costs in deterrence is discussed infra Tan 96-?
Criminal Law in Cyberspace Page 10 14The perverse incentive problem created by such regulation, as well as a fuller discussion of the role of monetary costs in deterrence, is discussed infra TAN 96-?. criminal wrongdoing in a way that conventional law enforcement would not.14 Civil forfeiture of computers and equipment, and postconviction use/training restrictions on computers can also increase perpetration costs and prevent recidivism. Criminal law scholars should incorporate monetary costs, just as they should recognize social norms and architecture, into their calculations about optimal deterrence. This multifaceted strategy of regulation is particularly important for crimes where offenders tend to be heterogenous. Put a different way, the emergence of computer crime threatens an implicit calculus that thus far has constrained realspace crime. Computers make it easier for criminals to evade the constraint of social norms (through pseudonymity and removal from the physical site of the crime), legal sanctions (the probability of getting caught may be reduced for similar reasons), and monetary cost (because the resource inputs necessary to cause a given unit of harm are much lower). The standard Beckerian solution to this problem is to increase the legal sanction, but situating cybercrime within these other constraints reveals other solutions. These other strategies might be more effective because it may be difficult to increase the sanction enough to compensate for a very low probability of getting caught. Some examples of perpetration cost strategies have been given, so the point will be illustrated by architectural regulation. Government could redress the lowered constraints against crime by enacting regulations that would prevent pseudonymity by regulating the Internet Protocol and software manufacturers (thus increasing the power of social norms as a constraint on crime, as well as increasing the probability of getting caught), by insisting upon mechanisms that ensure electronic tracing of computer signals to locate offenders (thus increasing the probability of getting caught), or by requiring
Criminal Law in Cyberspace targets to use software hardening measures to prevent hackers from interfering with web sites(thus increasing the perpetration cost of committing these computer crimes. Reasonable people can lisagree about the wisdom of each of these, my point is only that because the emergence of computers can reduce all five constraints to crime, our legal solution cannot be blind to these other constraints and focus willy-nilly on the legal sanction. At this stage, an important caveat is in order this article is a general treatment of an immensely complicated subject matter. A single Article cannot attempt to answer all the difficult questions about cybercrime strategy. Sometimes it will only pose them, and other times it will only suggest possible frameworks for approaching problems. This means that some subjects will be considered more comprehensively than others, but selectivity is inevitable given the newness of the field. The main point of this initial Article is to focus on ways to deter cybercrime with reference to the legal and nonlegal constraints on crime: harnessing first-party strategies(preventing offenders from committing acts by raising perpetration costs and legal risks), second-party strategies(encouraging victims to protect against attacks, thereby making it more expensive for criminals to commit crimes and easier for them to get caught), and third-party strategies(relying on ISPs and other entities to monitor risky activity and forestall attacks through architectural solutions ) S My future work will examine the threats posted by law enforcement on the Net 6 To that end, the Article begins by analyzing the various types of crime that can occur online Virtually every aspect of human interaction-from bank accounts to personal privacy, from the safety of women to the security of our nations military-is at risk. The Article then explores optimal ways of The Article therefore makes the assumption that deterrence is a primary goal of criminal law, and then asks on what basis computer crimes can be best deterred See Neal Kumar Katyal, Law Enforcement on the Net, forthcoming
Criminal Law in Cyberspace Page 11 15The Article therefore makes the assumption that deterrence is a primary goal of criminal law, and then asks on what basis computer crimes can be best deterred. 16See Neal Kumar Katyal, Law Enforcement on the Net, forthcoming. targets to use software hardening measures to prevent hackers from interfering with web sites (thus increasing the perpetration cost of committing these computer crimes). Reasonable people can disagree about the wisdom of each of these; my point is only that because the emergence of computers can reduce all five constraints to crime, our legal solution cannot be blind to these other constraints and focus willy-nilly on the legal sanction. At this stage, an important caveat is in order: this Article is a general treatment of an immensely complicated subject matter. A single Article cannot attempt to answer all the difficult questions about cybercrime strategy. Sometimes it will only pose them, and other times it will only suggest possible frameworks for approaching problems. This means that some subjects will be considered more comprehensively than others, but selectivity is inevitable given the newness of the field. The main point of this initial Article is to focus on ways to deter cybercrime with reference to the legal and nonlegal constraints on crime: harnessing first-party strategies (preventing offenders from committing acts by raising perpetration costs and legal risks), second-party strategies (encouraging victims to protect against attacks, thereby making it more expensive for criminals to commit crimes and easier for them to get caught), and third-party strategies (relying on ISPs and other entities to monitor risky activity and forestall attacks through architectural solutions).15 My future work will examine the threats posted by law enforcement on the Net.16 To that end, the Article begins by analyzing the various types of crime that can occur online. Virtually every aspect of human interaction–from bank accounts to personal privacy, from the safety of women to the security of our nation’s military–is at risk. The Article then explores optimal ways of
Criminal Law in Cyberspace Page 12 preventing cybercrime. Moving beyond the conventional strategy of increasing sanctions, the Article explores other constraints on crime. Deterrence may be enhanced by manipulating these other constraints because individuals may lack information about sanctions or probabilities of detection,o because they may not be responsive to expected sanctions. At stake here is a theory of deterrence that is not focused only on a criminal s attitudes and knowledge about the law. Instead, law can harness other constraints like monetary price to deter even those who ignore law I. WHAT IS CYBERCRIME? The term"cybercrime"refers to the use of a computer to facilitate or carry out a criminal offense. This can occur in three different ways. First, a computer can be electronically attacked. We may further subdivide this category by distinguishing among acts that involve 1)unauthorized access to computer files and programs, 2)unauthorized disruption of those files and programs, and 3)theft of an electronic identity. An example of the first category is a break-in to Defense Department Computers An example of the second category is the ILove You worm. The third category, identity theft, occurs when a person or entity's identity is wrongfully appropriated. a webpage may be"page-jacked, for example, so that when you click onto a financial service to read investment news, you receive spurious nformation instead. I7 The above crimes involve situations in which a computer is the subject of an attack. A rather different type of computer crime occurs when a computer is used to facilitate or carry out a traditional offense. 8 For example, a computer might be used to distribute child pornography over the Internet,or it might be used to create massive numbers of copies of a popular, and copyrighted, song See infra note 70(discussing PairGain case) SCott Charney Kent Alexander, Computer Crime, 45 EMORY L.J. 931, 934(1996)
Criminal Law in Cyberspace Page 12 17See infra note 70 (discussing PairGain case). 18Scott Charney & Kent Alexander, Computer Crime, 45 EMORY L.J. 931, 934 (1996). preventing cybercrime. Moving beyond the conventional strategy of increasing sanctions, the Article explores other constraints on crime. Deterrence may be enhanced by manipulating these other constraints because individuals may lack information about sanctions or probabilities of detection, or because they may not be responsive to expected sanctions. At stake here is a theory of deterrence that is not focused only on a criminal’s attitudes and knowledge about the law. Instead, law can harness other constraints like monetary price to deter even those who ignore law. I. WHAT IS CYBERCRIME? The term “cybercrime” refers to the use of a computer to facilitate or carry out a criminal offense. This can occur in three different ways. First, a computer can be electronically attacked. We may further subdivide this category by distinguishing among acts that involve 1) unauthorized access to computer files and programs, 2) unauthorized disruption of those files and programs, and 3) theft of an electronic identity. An example of the first category is a break-in to Defense Department Computers. An example of the second category is the ILoveYou worm. The third category, identity theft, occurs when a person or entity’s identity is wrongfully appropriated. A webpage may be “page-jacked,” for example, so that when you click onto a financial service to read investment news, you receive spurious information instead.17 The above crimes involve situations in which a computer is the subject of an attack. A rather different type of computer crime occurs when a computer is used to facilitate or carry out a traditional offense.18 For example, a computer might be used to distribute child pornography over the Internet, or it might be used to create massive numbers of copies of a popular, and copyrighted, song
Criminal Law in Cyberspace Page 13 Complicated insurance fraud, large check kiting operations, and other sophisticated forms of white collar crime rely on computers to run the criminal operation. In these cases, computers make it easier to carry out a crime in realspace. In these circumstances, computers are tools that expedite traditiona offenses As news reports suggest, cybercrime is becoming an increasingly common form of criminal activity. The numbers are staggering. In just one decade, the number of recorded computer security incidents grew from six in 1988 to more than 8,000 in 1999. Theft on the Internet caused $2 billion in losses in the year 1996, a number that is much higher today. 22 One company has found 100,000 IDONN PARKER, FIGHTING COMPUTER CRIME 98-100(1983). Because of the broad nature of crimes in cyberspace and the ease in committing them, there is no one type"of cybercriminal. Their profiles span the gamut of society. See id, at 2("computer criminals are not of a discrete type. They range from the computer world equivalent of a juvenile delinquent, the hacker or cyberpunk, to the sophisticated white-collar embezzler attacking financial institution computers, and include cyberterrorists, extortionists, spies, petty thieves and joyriders. " Of course, sometimes an act will overlap categories. a boy who breaks into a record labels stored computer recordings to listen to an unreleased song by his favorite band, and who then decides to use Napster to distribute the song to his friends, both commits unauthorized access and the carrying out of a traditional offense. The only important definitional principle at stake is to avoid forcing expansion of the last category, traditional offenses, unnecessarily. In today s society, virtually everything has some nexus to a computer. Using WordPerfect to type a threat to the President is rather different than using a computer program to place thousands of copies of copyrighted material on the Internet. See mark d. Rasch. Criminal Lan and the Internet. in THE INTERNET AND BUSINESS: A LAWYERS GUIDE TO THE EMERGING LEGAL ISSUES 3(1996). In the latter, the computer is achieving something that would be quite difficult to do without computers-namely, rampant distribution of the illegal material. It is this use of hardware and software that this article addresses Judiciary Committee and the Subcomm. on Criminal Justice Oversight of the SenateJudiciary Committee, 106th 2 Internet Denial of Service Attacks and Federal Response: Hearing Before the Subcomm. on Crime of the Hous Cong(Feb 29, 2000)(statement of James Dempsey, Senior Staff Counsel, Center for Democracy and Technology) -Mark J. Biros Thomas F. Urban, New Computer Crime Statutes Close Loopholes, NATL L J, March 25, 1996,at C3. A Computer Security Institute survey reports that 62 percent of companies have experienced computer break-ins, 51 percent reported financial losses due to computer security problems, and 27 percent reported financial fraud Theft of information and intellectual property has increased 15 percent from 1998 to the beginning of 2000 Unauthorized access by an insider has increased 28 percent during that time and system penetration by external parties has increased by 30 percent. See Federal Law Enforcement Response to Internet Hacking: Hearing Before the Senate Appropriations Com., 106th Cong(Feb. 16, 2000)(statement of Mark Rasch, Global Integrity Corporation); see also Hardy, Firms are Hurt by Break-Ins at Computers, WALL ST J, Nov. 21, 1996, at B4 (approximately one-half of Americans 205 largest companies reported that their computers had been penetrated and 84% of these companies assessed their damage at more than $50,000 per incident): Federal Law Enforcement Response to Internet Hacking: Hearing Before the Senate Appropriations Comm, 106th Cong(Feb 16, 2000) (statement of Louis J Freeh, Director, Federal Bureau of Investigation)(stating that 1999 Computer Security Institute/FBI survey found that 55% of respondents reported malicious computer activity by corporate
Criminal Law in Cyberspace Page 13 19DONN PARKER, FIGHTING COMPUTER CRIME 98-100 (1983). Because of the broad nature of crimes in cyberspace and the ease in committing them, there is no one “type” of cybercriminal. Their profiles span the gamut of society. See id., at 2 (“computer criminals are not of a discrete type. They range from the computer world equivalent of a juvenile delinquent, the hacker or cyberpunk, to the sophisticated white-collar embezzler attacking financial institution computers, and include cyberterrorists, extortionists, spies, petty thieves and joyriders.”) 20Of course, sometimes an act will overlap categories. A boy who breaks into a record label’s stored computer recordings to listen to an unreleased song by his favorite band, and who then decides to use Napster to distribute the song to his friends, both commits unauthorized access and the carrying out of a traditional offense. The only important definitional principle at stake is to avoid forcing expansion of the last category, traditional offenses, unnecessarily. In today’s society, virtually everything has some nexus to a computer. Using WordPerfect to type a threat to the President is rather different than using a computer program to place thousands of copies of copyrighted material on the Internet. See Mark D. Rasch, Criminal Law and the Internet, in THE INTERNET AND BUSINESS: A LAWYERS GUIDE TO THE EMERGING LEGAL ISSUES 3 (1996). In the latter, the computer is achieving something that would be quite difficult to do without computers–namely, rampant distribution of the illegal material. It is this use of hardware and software that this Article addresses. 21Internet Denial of Service Attacks and Federal Response: Hearing Before the Subcomm. on Crime of the House Judiciary Committee and the Subcomm. on Criminal Justice Oversight of the Senate Judiciary Committee, 106th Cong. (Feb.29, 2000) (statement of James Dempsey, Senior Staff Counsel, Center for Democracy and Technology). 22Mark J. Biros & Thomas F. Urban, New Computer Crime Statutes Close Loopholes, NATL L. J., March 25, 1996, at C3. A Computer Security Institute survey reports that 62 percent of companies have experienced computer break-ins, 51 percent reported financial losses due to computer security problems, and 27 percent reported financial fraud. Theft of information and intellectual property has increased 15 percent from 1998 to the beginning of 2000. Unauthorized access by an insider has increased 28 percent during that time and system penetration by external parties has increased by 30 percent. See Federal Law Enforcement Response to Internet Hacking: Hearing Before the Senate Appropriations Comm., 106th Cong (Feb. 16, 2000) (statement of Mark Rasch, Global Integrity Corporation); see also Hardy, Firms are Hurt by Break-Ins at Computers, WALL ST. J., Nov. 21, 1996, at B4 (approximately one-half of American’s 205 largest companies reported that their computers had been penetrated and 84% of these companies assessed their damage at more than $50,000 per incident); Federal Law Enforcement Response to Internet Hacking: Hearing Before the Senate Appropriations Comm., 106th Cong (Feb. 16, 2000) (statement of Louis J. Freeh, Director, Federal Bureau of Investigation) (stating that 1999 Computer Security Institute/FBI survey found that 55% of respondents reported malicious computer activity by corporate Complicated insurance fraud, large check kiting operations, and other sophisticated forms of white collar crime rely on computers to run the criminal operation.19 In these cases, computers make it easier to carry out a crime in realspace. In these circumstances, computers are tools that expedite traditional offenses.20 As news reports suggest, cybercrime is becoming an increasingly common form of criminal activity. The numbers are staggering. In just one decade, the number of recorded computer security incidents grew from six in 1988 to more than 8,000 in 1999.21 Theft on the Internet caused $2 billion in losses in the year 1996, a number that is much higher today.22 One company has found 100,000
Criminal Law in Cyberspace Page 14 instances of illegal activity on websites in 17 years. 23 New viruses are being launched at the rate of 10- 15 per day and over 2, 400 currently exist. Last year, there were more than 22, 000 confirmed ttacks against Department of Defense computers. It is no surprise that the FBIs caseload has skyrocketed as a result of these trends. 6 Yet many believe that cybercrime is still in its infancy, and that criminals have not yet reached their potential. It could be said, akin to early 1990s high technology companies, criminals still lack an adequate" business model that will achieve profit. This, alas, is likely to change. As more targets in realspace are hardened against criminal acts, more geographic substitution from realspace to cyberspace will occur. Even ten years ago, reports began to describe computer crime as the "weapon of choice"among white-collar criminals.29 Nevertheless, law enforcement has not responded adequately to the threat. As one industry analyst put it, " law enforcement on-line ranges from haphazard to nearly non-existent. > Erasure insiders-disgruntled employees, computer technicians, and the like); Burleson v. Texas, 802S w. 2d 429(Tex. App 1991)(employee prosecuted for using logic bomb to erase payroll data after he was fired) Bobbi Nodell, Online Thieves Collide with the Law: A Look at How Copyright Theft Is Being Handled in the Courts(july23,1998),availableat<http://www.msnbc.com/news/178744.asp 24Economic Cyber Threats: Hearing Before the Joint Economic Comm, 106th Cong(Feb 23, 2000 )(statement of Vinton Cerf, Senior Vice President, MCI Worldcom). More than 4 million computer hosts were affected by computer security incidents in 1999 alone by viruses. See Statement of James X. Dempsey, supra note 21 ForhireHackerstohelpPentagonpreventattackshttp://www.cnn.com/2000/tech/computing /08/01/pentagon. at defcon. idg/index. html Internet Denial of Service Attacks and Federal Response: Hearing Before the Subcomm. on Crime of the House Judiciary Committee and the Subcomm. on Criminal Justice Oversight of the Senate udiciary Committee, 106th Cong(Feb. 29, 2000)(statement of Michael A. Vatis, Director, FBI National Infrastructure Protection Center) ( describing an"exponentia[]"increase in caseload, and that cases have increased from 206 in 1997 to over 900 TEconomic Cyber Threats: Hearing Before the Joint Economic Comm, 106th Cong (Feb 23, 2000)(statement of today); Statement of Louis J. Freeh, supra note 22(same) Dr Mark Graff, Sun Micro Systems) SSeeKatyal, supra note 10, at 2421(describing geographic substitution as a phenomenon occurring when crime 29Quintanilla, Computer Crimes Newest Nemesis for Regulators, Police Departments, INVESTOR's DAILY, Mar 9 1990.at25 Federal Law Enforcement Response to Internet Hacking: Hearing Before the Senate Appropriations Comm 106th Cong(Feb. 16, 2000)(statement of Jeff B. Richards, Executive Director of the Internet Alliance). See also Marc
Criminal Law in Cyberspace Page 14 insiders–disgruntled employees, computer technicians, and the like); Burleson v. Texas, 802 S.W. 2d 429 (Tex. App. 1991) (employee prosecuted for using logic bomb to erase payroll data after he was fired). 23Bobbi Nodell, Online Thieves Collide with the Law: A Look at How Copyright Theft Is Being Handled in the Courts (July 23, 1998), available at <http://www.msnbc.com/news/178744.asp>. 24Economic Cyber Threats: Hearing Before the Joint Economic Comm., 106th Cong. (Feb. 23, 2000)(statement of Vinton Cerf, Senior Vice President, MCI Worldcom). More than 4 million computer hosts were affected by computer security incidents in 1999 alone by viruses. See Statement of James X. Dempsey, supra note 21. 25For hire: Hackers to help Pentagon prevent attacks, http://www.cnn.com/2000/TECH/computing /08/01/pentagon.at.defcon.idg/index.html. 26Internet Denial of Service Attacks and Federal Response: Hearing Before the Subcomm. on Crime of the House Judiciary Committee and the Subcomm. on Criminal Justice Oversight of the Senate Judiciary Committee, 106th Cong. (Feb. 29, 2000) (statement of Michael A. Vatis, Director, FBI National Infrastructure Protection Center) (describing an “exponentia[l]” increase in caseload, and that cases have increased from 206 in 1997 to over 900 today); Statement of Louis J. Freeh, supra note 22 (same). 27Economic Cyber Threats: Hearing Before the Joint Economic Comm., 106th Cong. (Feb. 23, 2000) (statement of Dr. Mark Graff, Sun Micro Systems). 28SeeKatyal, supra note 10, at 2421 (describing geographic substitution as a phenomenon occurring when crime moves away from a high-enforcement area to a low one). 29 Quintanilla, Computer Crimes Newest Nemesis for Regulators, Police Departments, INVESTOR’S DAILY, Mar. 9, 1990, at 25. 30Federal Law Enforcement Response to Internet Hacking: Hearing Before the Senate Appropriations Comm., 106th Cong (Feb. 16, 2000) (statement of Jeff B. Richards, Executive Director of the Internet Alliance). See also Marc instances of illegal activity on websites in 1½ years.23 New viruses are being launched at the rate of 10- 15 per day and over 2,400 currently exist.24 Last year, there were more than 22,000 confirmed attacks against Department of Defense computers.25 It is no surprise that the FBI’s caseload has skyrocketed as a result of these trends.26 Yet many believe that cybercrime is still in its infancy, and that criminals have not yet reached their potential.27 It could be said, akin to early 1990s high technology companies, criminals still lack an adequate “business model” that will achieve profit. This, alas, is likely to change. As more targets in realspace are hardened against criminal acts, more geographic substitution from realspace to cyberspace will occur.28 Even ten years ago, reports began to describe computer crime as the “weapon of choice” among white-collar criminals.29 Nevertheless, law enforcement has not responded adequately to the threat. As one industry analyst put it, “law enforcement on-line ranges from haphazard to nearly non-existent.”30 Erasure