Criminal Law in Cyberspace Page 15 programs cover electronic footprints, making tracking very difficult and facilitating a cybercriminals escape.Although enforcement is weak, federal law against cybercrime has been expanded. The current federal computer crimes statute, 18 U.S.C.$ 1030, prohibits certain forms of unauthorized access(and prohibits exceeding authorized access)to any"federal interest computer. " Federal interest computers, in turn, include virtually every computer connected to the Internet, for the law protects any computer used across state lines. Section 1030 prohibits access to a computer when access is used to obtain national security information or financial records, intercept interstate communications, manipulate government computers, defraud and obtain anything of value worth $5000 or more, traffic in passwords, or extort by threatening to damage a protected computer33And Congress has lowered the mens rea standard to impose penalties regardless of whether a computer intruder intended to cause damage. 4 The statute carries a mandatory-minimum sentence of six months 35 D. Goodman, Why the Police Don't Care about Computer Crime, 10 HARV. J. LAw TECH 465(1997); Paul Korenzeniowski, Computers Made Plain, INVESTOR'S DAILY, July 21, 2000, at A4 (quoting industry analyst stating that"Computer technology has been evolving so rapidly that government enforcement agencies have not had the resources needed to keep pace"). According to one leading DOJ Computer Crime prosecutor, I observed that the chances of detection and prosecution of computer hackers are very small. " Statement of Mark Rasch, supra note 22 3 See infra TAN 179-195; see also Rasch, supra note 20, at 1(Computer hackers, acting on their own or for hire to others, are becoming increasingly sophisticated and knowledgeable, and therefore more difficult to detect and prosecute. 3218USC.§1030eX2B) 318USC.§1030a1)(a In 1994, Congress modified Section 1030 to state that the requisite mens rea was "intentional, knowing, and reckless, but that amendment was further modified in 1996 to impose strict liability. See S Rep. No. 104-357, at 9-12 (revealing that Congress wanted to punish hackers who do not intentionally cause damage to computers). See also United States v. Sablan, 92 F 3d 865(9 Cir. 1996); Note, Hacking Through the Computer fraud and Abuse Act, 31 U.-C. DAvIS L REV. 283, 284(1997)(documenting changes made to the intent requirement in$ 1030) Perversely, Section 1030s mandatory minimum sentence has created an inverse sentencing effect whereby prosecutors do not prosecute computer crime cases because of the draconian minimum sentence. See Letter from Senator Schumer to Colleagues, February 16, 2000(copy on file with author)(As a result, some prosecutors have declined to bring cases, knowing that the result would be mandatory imprisonment.
Criminal Law in Cyberspace Page 15 D. Goodman, Why the Police Don’t Care about Computer Crime, 10 HARV. J. LAW & TECH. 465 (1997); Paul Korenzeniowski, Computers Made Plain, INVESTOR’S DAILY, July 21, 2000, at A4 (quoting industry analyst stating that “Computer technology has been evolving so rapidly that government enforcement agencies have not had the resources needed to keep pace”). According to one leading DOJ Computer Crime prosecutor, “I observed that the chances of detection and prosecution of computer hackers are very small.” Statement of Mark Rasch, supra note 22. 31See infra TAN 179-195; see also Rasch, supra note 20, at 1 (“Computer hackers, acting on their own or for hire to others, are becoming increasingly sophisticated and knowledgeable, and therefore more difficult to detect and prosecute.”). 3218 U.S.C. §1030(e)(2)(B). 3318 U.S.C. §1030(a)(1)-(a)(7). 34In 1994, Congress modified Section 1030 to state that the requisite mens rea was “intentional, knowing, and reckless,” but that amendment was further modified in 1996 to impose strict liability. See S. Rep. No. 104-357, at 9-12 (revealing that Congress wanted to punish hackers who do not intentionally cause damage to computers). See also United States v. Sablan, 92 F. 3d 865 (9th Cir. 1996); Note, Hacking Through the Computer Fraud and Abuse Act, 31 U.-C. DAVIS L. REV. 283, 284 (1997) (documenting changes made to the intent requirement in § 1030). 35Perversely, Section 1030's mandatory minimum sentence has created an inverse sentencing effect whereby prosecutors do not prosecute computer crime cases because of the draconian minimum sentence. See Letter from Senator Schumer to Colleagues, February 16, 2000 (copy on file with author) (“As a result, some prosecutors have declined to bring cases, knowing that the result would be mandatory imprisonment.”) programs cover electronic footprints, making tracking very difficult and facilitating a cybercriminal’s escape.31 Although enforcement is weak, federal law against cybercrime has been expanded. The current federal computer crimes statute, 18 U.S.C. § 1030, prohibits certain forms of unauthorized access (and prohibits exceeding authorized access) to any “federal interest computer.” “Federal interest computers,” in turn, include virtually every computer connected to the Internet, for the law protects any computer used across state lines.32 Section 1030 prohibits access to a computer when access is used to obtain national security information or financial records, intercept interstate communications, manipulate government computers, defraud and obtain anything of value worth $5000 or more, traffic in passwords, or extort by threatening to damage a protected computer.33 And Congress has lowered the mens rea standard to impose penalties regardless of whether a computer intruder intended to cause damage.34 The statute carries a mandatory-minimum sentence of six months.35
Criminal Law in Cyberspace Page 16 The federal computer crimes statute is only the beginning of government regulation. Criminal Law scholars have not noticed that when Vermont enacted a statute proscribing computer crime in 1999, it became the fiftieth state to devote specific legislation to computer crimes. The two activities that most states criminalize are 1)unauthorized access to a computer with intent to do some further bad act and 2)damage to computer-related property(including intangible property). 6 Put briefly unauthorized access with intent criminalizes using a computer outside the scope of ones authority when one has malevolent intent. One need not actually accomplish what was intended, although success in the criminal enterprise would usually affect the penalty imposed. Also, depending on the state, the generalize the types of acts proscribed by these statutes rather than simply adopting the names of the crimes o 36States use different and sometimes conflicting terminology in classifying computer crimes. I am attempting t (especially because the same name is occasionally used by different states to capture different acts). The statutes lyzed are ALA CODE SS 13A-8-100 to 13A-8-103(2000); ALASKA STAT, $8 11.46.200(a)(3), 11.46.484(a)(5), 11.46.740 11.46.985(Michie); ARIZ. REV. STAT. ANN. $8 13-2301(E), 13-2316(West 2000), ARK CODE ANN $8 5-41-101 to 5-41 108(Michie 1999); CAL PENAL CODE $$ 502, 502.01, 1203.047(West 2000): COLo. REV. STAT $8 18-5.5-101 to 18-5.5- 102(2000): CONN. GEN STAT $S 53a-250 to 53a-261(2000): DEL CODE ANN tit. xi, ss931-939(2000) FLA STAT ch 8150lto815070200)GA. CODE ANN.§s16-990tol6-9-9(2000),HAW.REV.SIAT.§§708-890to708-893(2000 IDAHO CODE $8 18-2201 to 18-2202, 26-1220 (Michie 2000): 720 ILL. COMP. STAT 5/16D-l to 5/16D-7(2000): IND CODE §§3543-1-4,35-43-2-3(2000; IOwA CODE§s716A.lto7l6A16(2000;KAN.STAT.ANN.§§21-375(2000),KY.REV STAT. ANN. &$434.840 to 434.860(2000): LA. REV. STAT. ANN. $8 14: 73. 1 to 14:73.5(2000): ME. REV. STAT. ANN.tit 17-A, 88431-433 (West 2000): MD CODE ANN. art 27, 146(2000); MASS. GEN LAwS. ANN. ch 266 $& 30, 33A, 120F (West 2000): MICH. COMP. LAwS. ANN. $8 752.791 to 752.797(West 2000); MINN STAT $8 609.87 to 609.894(2000) MISS CODE ANN. $897-45-1 to 97-45-13(2000), Mo. ANN. STAT $8 569.093 to 569099(West 2000); MONT. CODE ANN.§8456-310to45-6-311(2000,NEB.REv.SIAT.§§28-1343to28-1348(2000);NEv.RV.STAT.§§205473to 205491(2000NH.REV.STAT.ANN.§8638:16to638:19(2000),NJ.REv.SIAT.§2A:38A-1-6,SC20-23to2C20-34 (2000): N.M. STAT. ANN. $8 30-45-1 to 30-45-7(Michie 2000); N.Y. PENAL LAw &8 156.00 to 156.50, N.C. GEN STAT s8 14-453 to 14-457(2000): N.D. CENT CODE &$ 12 1-06 1-08(2000): OHIO REV. CODE ANN.$ 2913.04 (2000): OKLA. STAr.t21,§§1951-1958(2000OR.REV.SIAT.§s164125,164377(2000),18PA.CONs.SIAT.§3933(2000),R1 GEN LAwS SS 11-52-1 to 11-52-8(2000); S.C. CODE ANN. 8$ 16-16-10 to 16-16-40 (Law. Co-op. 2000), S.D. CODIFIED LAWS S& 43-43B-l to 43-43B-8 (Michie 2000); TENN CODE ANN. $8 39-14-601 to 39-14-603(2000), TEX PENAL CODE ANN. $S 33.01 to 33.04(2000); UTAH CODE ANN. $$ 76-6-701 to 76-6-705(2000); VT STAT. ANN. $$ 4101 to 4107 (2000;VA. CODE ANN.§s182-152.2to18.2-152.14( Michie2000); WASH REV.CODE§S9A.52.110to9A.52.130(200; W. VA CODE SS 61-3C-l to 61-3C-21(2000), WIS. STAT. ANN.$943.70(west 2000); WYO STAT. ANN. $8 6-3-501 to 6- 505( Michie2000 37For example, Alabama technically criminalizes only unauthorized access, but the punishment for the crime for the purpose of devising or executing any scheme or artifice to defraud or to obtain any property. "See al ngs (normally a Class A misdemeanor) is increased to a Class C felony if the offense was committed, among other thi CODE13A-8-102(d(1)(2)(2000)
Criminal Law in Cyberspace Page 16 36States use different and sometimes conflicting terminology in classifying computer crimes. I am attempting to generalize the types of acts proscribed by these statutes rather than simply adopting the names of the crimes (especially because the same name is occasionally used by different states to capture different acts). The statutes analyzed are ALA CODE §§ 13A-8-100 to 13A-8-103 (2000); ALASKA STAT. §§ 11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985 (Michie); ARIZ. REV. STAT. ANN. §§ 13-2301(E), 13-2316 (West 2000); ARK CODE ANN §§ 5-41-101 to 5-41- 108 (Michie 1999); CAL. PENAL CODE §§ 502, 502.01, 1203.047 (West 2000); COLO. REV. STAT. §§ 18-5.5-101 to 18-5.5- 102 (2000); CONN. GEN. STAT. §§ 53a-250 to 53a-261(2000); DEL. CODE ANN tit. xi, §§ 931-939 (2000); FLA. STAT. ch. 815.01 to 815.07 (2000); GA. CODE ANN. §§ 16-9-90 to 16-9-94 (2000); HAW. REV. STAT. §§ 708-890 to 708-893 (2000); IDAHO CODE §§ 18-2201 to 18-2202, 26-1220 (Michie 2000); 720 ILL. COMP. STAT. 5/16D-1 to 5/16D-7 (2000); IND. CODE §§ 35-43-1-4, 35-43-2-3 (2000); IOWA CODE §§ 716A.1 to 716A.16 (2000); KAN. STAT. ANN. §§ 21-375 (2000); KY. REV. STAT. ANN. §§ 434.840 to 434.860 (2000); LA. REV. STAT. ANN. §§ 14:73.1 to 14:73.5 (2000); ME. REV. STAT. ANN. tit. 17-A, §§4 31-433 (West 2000); MD. CODE ANN. art 27, § 146 (2000); MASS. GEN. LAWS. ANN. ch. 266 §§ 30, 33A, 120F (West 2000); MICH. COMP. LAWS. ANN. §§ 752.791 to 752.797 (West 2000); MINN. STAT. §§ 609.87 to 609.894 (2000); MISS. CODE. ANN. §§ 97-45-1 to 97-45-13 (2000); MO. ANN. STAT. §§ 569.093 to 569.099 (West 2000); MONT. CODE ANN. §§ 45-6-310 to 45-6-311 (2000); NEB. REV. STAT. §§ 28-1343 to 28-1348 (2000); NEV. REV. STAT. §§ 205.473 to 205.491 (2000); N.H. REV. STAT. ANN. §§ 638:16 to 638:19 (2000); N.J. REV. STAT. §§ 2A:38A-1-6, SC:20-23 to 2C:20-34 (2000); N.M. STAT. ANN. §§ 30-45-1 to 30-45-7 (Michie 2000); N.Y. PENAL LAW §§ 156.00 to 156.50; N.C. GEN. STAT. §§ 14-453 to 14-457 (2000); N.D. CENT. CODE §§ 12.1-06.1-08 (2000); OHIO REV. CODE ANN. § 2913.04 (2000); OKLA. STAT. tit. 21, §§ 1951-1958 (2000); OR. REV. STAT. §§ 164.125, 164.377 (2000); 18 PA. CONS. STAT. § 3933 (2000); R.I. GEN. LAWS §§ 11-52-1 to 11-52-8 (2000); S.C. CODE ANN. §§ 16-16-10 to 16-16-40 (Law. Co-op. 2000); S.D. CODIFIED LAWS §§ 43-43B-1 to 43-43B-8 (Michie 2000); TENN. CODE ANN. §§ 39-14-601 to 39-14-603 (2000); TEX. PENAL CODE ANN. §§ 33.01 to 33.04 (2000); UTAH CODE ANN. §§ 76-6-701 to 76-6-705 (2000); VT. STAT. ANN. §§ 4101 to 4107 (2000); VA. CODE ANN. §§ 18.2-152.2 to 18.2-152.14 (Michie 2000); WASH. REV. CODE §§ 9A.52.110 to 9A.52.130 (2000); W. VA CODE §§ 61-3C-1 to 61-3C-21 (2000); WIS. STAT. ANN. § 943.70 (west 2000); WYO. STAT. ANN. §§ 6-3-501 to 6- 3-505 (Michie 2000). 37For example, Alabama technically criminalizes only unauthorized access, but the punishment for the crime (normally a Class A misdemeanor) is increased to a Class C felony if the offense was committed, among other things, "for the purpose of devising or executing any scheme or artifice to defraud or to obtain any property." See ALA. CODE 13A-8-102(d)(1)-(2) (2000). The federal computer crimes statute is only the beginning of government regulation. Criminal Law scholars have not noticed that when Vermont enacted a statute proscribing computer crime in 1999, it became the fiftieth state to devote specific legislation to computer crimes. The two activities that most states criminalize are 1) unauthorized access to a computer with intent to do some further bad act and 2) damage to computer-related property (including intangible property).36 Put briefly, “unauthorized access with intent” criminalizes using a computer outside the scope of one’s authority when one has malevolent intent. One need not actually accomplish what was intended, although success in the criminal enterprise would usually affect the penalty imposed.37 Also, depending on the state, the
Criminal Law in Cyberspace Page 17 person need not actually do anything after he has exceeded lawful access. 3 As long as the intent exists a person commits this crime the moment he exceeds his lawful access. 9"Damage to computer-related property""is more straightforward. The crime has been committed when a person damages a computer, computer systems, computer data, computer programs, or other computer-related property The patchwork of state laws reveals other patterns in criminalizing certain computer-related activities. Many states designate the theft, interruption, or denial of computer services as an independent crime. 40 Some state statutes explicitly criminalize the introduction of computer viruses and other bugs. Some states criminalize the disclosure of passwords or other computer security information. #2 A few statutes include email crimes, typically punishing either harassing or unsolicited 3SSome states, e.g. California, specifically punish particular bad uses of data obtained after an intruder secures access. See CAL PENAL CODE$ 502(c)(2)(criminalizing those who"Knowingly accesses or without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either(A) devise or execute any scheme or artifice to defraud, deceive, or extort, or(B) wrongfully control or obtain money, property, or data. " Other states also criminalize the unauthorized access of a computer, even if no malevolent intent exists. See, e.g, KAN. STAT. ANN.$ 21-3755(d)(2000). See also ALASKA STAT 11. 46.200(a)(3)(Michie 2000)(specifying reckless disregard standard for theft of computer services) 39The list of" bad acts"from which a prosecutor chooses what the cybercriminal "intended"varies by jurisdiction However, common"bad acts"include"devising or executing any scheme or artifice to defraud or extort, see, e. g ARK STAT. ANN. 5-41-103(a)(1), and"wrongfully control[ling] or obtain[ing] money, property, or data", see, e.g, CAL PENAL CODE$ 502(c)1(B) 40 A representative theft provision is Connecticuts: "A person is guilty of the computer crime of theft of computer services when he accesses or causes to be accessed or otherwise uses or causes to be used a computer system with the intent to obtain unauthorized computer services. "See CoNN. GEN STAT. 53a-251(c). Delaware provides a good example of an interruption/denial provision: A person is guilty of the computer crime of interruption of computer services when that person, without authorization, intentionally or recklessly disrupts or degrades es the disruption or degradation of computer services or denies or causes the denial of computer services to an authorized user or a computer system. See DEL CoDE ANN. tit. 11$934 4Maine's provision is a good example; a person is a criminal if he "[i]ntentionally or knowingly introduces or allows the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so. "See M. REV. STAT tit. 17-A $ 333(1)c) 42Eg, PA CONS. STAT 8 3933(3)(2000)
Criminal Law in Cyberspace Page 17 38Some states, e.g. California, specifically punish particular bad uses of data obtained after an intruder secures access. See CAL. PENAL CODE § 502 (c)(2) (criminalizing those who "Knowingly accesses or without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.") Other states also criminalize the unauthorized access of a computer, even if no malevolent intent exists. See, e.g., KAN. STAT. ANN. § 21-3755(d) (2000). See also ALASKA STAT. 11.46.200(a)(3) (Michie 2000) (specifying reckless disregard standard for theft of computer services). 39The list of “bad acts” from which a prosecutor chooses what the cybercriminal “intended” varies by jurisdiction. However, common “bad acts” include “devising or executing any scheme or artifice to defraud or extort,”see, e.g., ARK STAT. ANN.5-41-103(a)(1), and “wrongfully control[ling] or obtain[ing] money, property, or data”, see, e.g., CAL. PENAL CODE § 502(c)(1)(B). 40A representative theft provision is Connecticut’s: “A person is guilty of the computer crime of theft of computer services when he accesses or causes to be accessed or otherwise uses or causes to be used a computer system with the intent to obtain unauthorized computer services.” See CONN. GEN. STAT. § 53a-251(c). Delaware provides a good example of an interruption/denial provision: “A person is guilty of the computer crime of interruption of computer services when that person, without authorization, intentionally or recklessly disrupts or degrades or causes the disruption or degradation of computer services or denies or causes the denial of computer services to an authorized user or a computer system.” See DEL. CODE. ANN. tit. 11 § 934. 41Maine’s provision is a good example; a person is a criminal if he “[i]ntentionally or knowingly introduces or allows the introduction of a computer virus into any computer resource, having no reasonable ground to believe that the person has the right to do so.” See ME. REV. STAT. tit. 17-A § 333(1)(c). 42E.g., PA. CONS. STAT. § 3933(3)(2000). person need not actually do anything after he has exceeded lawful access.38 As long as the intent exists, a person commits this crime the moment he exceeds his lawful access.39 “Damage to computer-related property” is more straightforward. The crime has been committed when a person damages a computer, computer systems, computer data, computer programs, or other computer-related property. The patchwork of state laws reveals other patterns in criminalizing certain computer-related activities. Many states designate the theft, interruption, or denial of computer services as an independent crime.40 Some state statutes explicitly criminalize the introduction of computer viruses and other bugs.41 Some states criminalize the disclosure of passwords or other computer security information.42 A few statutes include email crimes, typically punishing either harassing or unsolicited
Criminal Law in Cyberspace Page 18 bulk email +However, the difficulty in finding cybercriminals, and the difficulty of enforcing state laws across various jurisdictions, make state prosecution almost impossible Not only are federal and state government measures to prevent cybercrime generally lacking. so too are the private ones. Industry has not kept up to the task of securing its own data. Most have no systems manager. one person may handle dozens or hundreds of systems. Hard enough to keep the software current and users happy, let alone watch for intruders breaking in or grabbing passwords. While the average computer has become more secure, the sheer explosion in the number of computers-and societys reliance on them-has meant that our overall security has dropped precipitously. In part, this is because many crimes go undetected and unreported. 46 For example, Arkansas sanctions a person when, with the purpose to frighten, intimidate, threaten, abuse, or harass another person, he sends a message on an electronic mail or other computerized communications system and in that message threatens physical injury or property damage or uses any obscene, lewd, or profane language See ARK. CODE ANN. 85-41-108(2000). The constitutionality of at least a portion of this provision is certainly questionable. The other tactic used by states is to criminalize the sending of unsolicited bulk email when the sender as forged his identity. For instance, Illinois sanctions a person who"[f]alsifies or forges electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail provider or its subscribers. See ILL. CoMP. STAT 5/16D-3(5)(2000) See doJ REPORT, supra note 5, at 34(noting barriers to state prosecution, including lack of resources, long-arm jurisdiction, electronic surveillance, and subpoena power ) Statement of Freeh, supra note 22(explainin that state investigators often lack training necessary in cybercrime cases) CLIFFORD STOLL, SILICON SNAKE OIL 107(1995) One government study deliberately attacked 38,000 government computers, and successfully penetrated 65% of them. Systems administrators detected only 4% of those penetrations. Of the 4%, only 27% of them were reported In other words, there were only 267 reports by administrators arising from the successful penetration of the 24, 700 machines-about I report per 100 violations. General Accounting Office, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks 20(1996); Charney Alexander, supra note 18, at 936. As the Former Director of the FBI Computer Crime Squad put it, " You bring me a select group of 10 hackers and within 90 days, I'll bring this country to its knees. "Chris O'Mally, Information Warriors of the 609, POPULAR SCL, July 1997, at 74 Another reason computer attacks are so easy is that computer operating systems and other major software packages are still riddled with security flaws. Computer crime can be prevented either with better government prosecution, or with better private software protection. Code can prevent cybercrime by closing weak areas and bugs that hackers exploit to gain access to data. Yet this has not happened. As one major industry representative puts it, Working under the hood of all the major operating systems in use today, we find the same kinds of security flaws, coding errors, and faulty assumptions programmers like myself were turning out in the 70s and 80s. Statement of Dr. Mark Graff, supra note 27
Criminal Law in Cyberspace Page 18 43 For example, Arkansas sanctions a person when, “with the purpose to frighten, intimidate, threaten, abuse, or harass another person, he sends a message on an electronic mail or other computerized communications system” and in that message threatens physical injury or property damage or uses any obscene, lewd, or profane language. See ARK. CODE ANN. § 5-41-108 (2000). The constitutionality of at least a portion of this provision is certainly questionable. The other tactic used by states is to criminalize the sending of unsolicited bulk email when the sender has forged his identity. For instance, Illinois sanctions a person who “[f]alsifies or forges electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail provider or its subscribers.” See ILL. COMP. STAT. 5/16D-3(5)(2000). 44 See DOJ REPORT, supra note 5, at 34 (noting serious barriers to state prosecution, including lack of resources, long-arm jurisdiction, electronic surveillance, and subpoena power); Statement of Freeh, supra note 22 (explaining that state investigators often lack training necessary in cybercrime cases). 45CLIFFORD STOLL, SILICON SNAKE OIL 107 (1995). 46One government study deliberately attacked 38,000 government computers, and successfully penetrated 65% of them. Systems administrators detected only 4% of those penetrations. Of the 4%, only 27% of them were reported. In other words, there were only 267 reports by administrators arising from the successful penetration of the 24,700 machines –about 1 report per 100 violations. General Accounting Office, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks 20 (1996); Charney & Alexander, supra note 18, at 936. As the Former Director of the FBI Computer Crime Squad put it, “You bring me a select group of 10 hackers and within 90 days, I’ll bring this country to its knees.” Chris O’Mally, Information Warriors of the 609th, POPULAR SCI., July 1997, at 74. Another reason computer attacks are so easy is that computer operating systems and other major software packages are still riddled with security flaws. Computer crime can be prevented either with better government prosecution, or with better private software protection. Code can prevent cybercrime by closing weak areas and bugs that hackers exploit to gain access to data. Yet this has not happened. As one major industry representative puts it, “Working under the hood of all the major operating systems in use today, we find the same kinds of security flaws, coding errors, and faulty assumptions programmers like myself were turning out in the 70s and 80s.” Statement of Dr. Mark Graff, supra note 27 . bulk email.43 However, the difficulty in finding cybercriminals, and the difficulty of enforcing state laws across various jurisdictions, make state prosecution almost impossible.44 Not only are federal and state government measures to prevent cybercrime generally lacking, so too are the private ones. Industry has not kept up to the task of securing its own data. “Most have no systems manager. . .one person may handle dozens or hundreds of systems. Hard enough to keep the software current and users happy, let alone watch for intruders breaking in or grabbing passwords.”45 While the average computer has become more secure, the sheer explosion in the number of computers–and society’s reliance on them–has meant that our overall security has dropped precipitously. In part, this is because many crimes go undetected and unreported.46
Criminal Law in Cyberspace Due to the ever-increasing amounts of jargon, a brief description of some of the major forms of cybercrime may help facilitate the theoretical discussion. My aim, again, is not to set out iron-clad categories as much as it is to describe some of these crimes before moving to the heart of the paper. 47 Unauthorized Access to Computer Programs and files Unauthorized access occurs whenever an actor achieves entry into a target's files or programs without permission. The actor may be a person or another computer, and the access may be achieved electronically(through passwords and other mechanisms)or physically(by for example, breaking into a file cabinet and stealing a PIN). Electronic access is by far the more common threat, and it is erpetrated by those who steal passwords, use computers to generate random passwords until entry is accomplished, or use"trap doors" to enter a secure area. A trap door is a fast way into a computer program that allows program developers to bypass security protocols built into the program Programmers and software manufacturers place trap doors in programs so that they can quickly modify the underlying code. But these doors also permit anyone with a modest level of computer sophistication to break into a computer, and run it in any way he or she sees fit. For example, a ubiquitous computer platform in the late 1980s-UNIX-contained a trap door that allowed anyone to break into mainframe This Article does not directly focus on analogues to realspace crime that create a harm solely or predominantly in cyberspace. For example, it will not directly deal with the perplexing matter of whether ones computer identity can be harmed. The most common example here is"virtual rape"of a person on the Internet. See Julian Dibbell, A Rape in Cyberspace or How an Evil Clown, a Haitian Trickster Spirit, Two Wizards, and a Cast of Dozens Turned Database into a Society, 1994 ANN. SURV. AM. LAw 471; LESSIG, supra note 4, at 75. Such acts, while in no wa similar to their realspace counterparts, can have serious consequences in realspace. For example, they may destroy Internet communities, and these communities may be essential places for learning, sharing, and the like. Virtual rape, and other such acts, can impose psychological harm. See Dibbell, supra, at 475-76 These electronic acts may also have complementarity with their realspace counterparts, and the law accordingly might want to intervene. See infro TAn 91-93(discussing cyberstalking) Passwords are commonly stolen through the use of"sniffer "programs. These programs monitor a users keystrokes, and transmit the information to the host computer that set up the sniffer program. The electronic thief then has a full transcript of the passwords necessary to achieve entry into a system. In 1994 as many as 100,000 sites were affected by sniffer attacks. DAVID ICoVE, KARL SEGER, WILLIAM VON STORCH, COMPUTER CRIME: A CRIMEFIGHTERS HANDBOOK 51(1995)
Criminal Law in Cyberspace Page 19 47This Article does not directly focus on analogues to realspace crime that create a harm solely or predominantly in cyberspace. For example, it will not directly deal with the perplexing matter of whether one’s computer identity can be harmed. The most common example here is “virtual rape” of a person on the Internet. See Julian Dibbell, A Rape in Cyberspace or How an Evil Clown, a Haitian Trickster Spirit, Two Wizards, and a Cast of Dozens Turned a Database into a Society, 1994 ANN. SURV. AM. LAW 471; LESSIG, supra note 4, at 75. Such acts, while in no way similar to their realspace counterparts, can have serious consequences in realspace. For example, they may destroy Internet communities, and these communities may be essential places for learning, sharing, and the like. Virtual rape, and other such acts, can impose psychological harm. See Dibbell, supra, at 475-76. These electronic acts may also have complementarity with their realspace counterparts, and the law accordingly might want to intervene. See infra TAN 91-93 (discussing cyberstalking). 48Passwords are commonly stolen through the use of “sniffer” programs. These programs monitor a user’s keystrokes, and transmit the information to the host computer that set up the sniffer program. The electronic thief then has a full transcript of the passwords necessary to achieve entry into a system. In 1994 as many as 100,000 sites were affected by sniffer attacks. DAVID ICOVE, KARL SEGER, & WILLIAM VON STORCH, COMPUTER CRIME: A CRIMEFIGHTER’S HANDBOOK 51 (1995). Due to the ever-increasing amounts of jargon, a brief description of some of the major forms of cybercrime may help facilitate the theoretical discussion. My aim, again, is not to set out iron-clad categories as much as it is to describe some of these crimes before moving to the heart of the paper.47 A. Unauthorized Access to Computer Programs and Files Unauthorized access occurs whenever an actor achieves entry into a target’s files or programs without permission. The actor may be a person or another computer, and the access may be achieved electronically (through passwords and other mechanisms) or physically (by, for example, breaking into a file cabinet and stealing a PIN). Electronic access is by far the more common threat, and it is perpetrated by those who steal passwords, use computers to generate random passwords until entry is accomplished, or use “trap doors” to enter a secure area.48 A trap door is a fast way into a computer program that allows program developers to bypass security protocols built into the program. Programmers and software manufacturers place trap doors in programs so that they can quickly modify the underlying code. But these doors also permit anyone with a modest level of computer sophistication to break into a computer, and run it in any way he or she sees fit. For example, a ubiquitous computer platform in the late 1980s–UNIX–contained a trap door that allowed anyone to break into mainframe