Computer crimes.

• Author: Huang, Xiaomin
• Position: Twenty-Second Annual Survey of White Collar Crime

1. INTRODUCTION A. Defining Computer Crime B. Types of Computer-Related Offenses II. FEDERAL APPROACHES A. Federal Criminal Code 1. National Information Infrastructure Protection Act of 1996 a. Offenses Under the Statute b. Jurisdiction c. Defenses i. Jurisdiction ii. Statutory Interpretation iii. Amount of Damages d. Sentencing 2. Other Statutes a. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 b. Copyright Statutes i. Copyright Infringement Act and No Electronic Theft Act ii. Digital Millennium Copyright Act c. National Stolen Property Act d. Mail and Wire Fraud Statutes e. Electronic Communications Privacy Act f Child Pornography Statutes i. Communications Decency Act of 1996 ii. Child Online Protection Act of 1998 iii. Child Pornography Prevention Act of 1996 g. Internet False Identification Prevention Act of 2000 B. Enforcement Strategies C. Constitutional Issues 1. Interstate Commerce Clause 2. First Amendment 3. Fourth Amendment D. Statutory Issues III. STATE APPROACHES A. Overview of State Criminal Codes B. Issues of Jurisdiction C. Enforcement IV. INTERNATIONAL APPROACHES A. Internet-Related Regulation B. International Convergence and Cooperation I. INTRODUCTION

   This Article discusses federal, state, and international developments in computer-related criminal law. This Section defines computer crimes. Section II describes the federal statutes used for prosecuting computer crime, analyzes enforcement strategies, and discusses constitutional and statutory issues involving computer crime. Section III examines state approaches to battling computer crime and the resulting federalism issues. Lastly, Section IV addresses international approaches to regulating the internet as well as international cooperation in computer crime enforcement.

   1. Defining Computer Crime

      DOJ broadly defines computer crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." (1) Because of the diversity of computer-related offenses, a narrower definition would not be adequate. While the term "computer crime" includes traditional crimes committed with the use of a computer, (2) the rapid emergence of computer technologies and the exponential expansion of the internet (3) spawned a variety of new, technology-specific criminal behaviors that must also be included in the category of "computer crimes." (4) To combat these new criminal behaviors, Congress passed specialized legislation. (5)

      Experts have had difficulty calculating the damage caused by computer crimes due to (i) the difficulty in adequately defining what is a computer crime, (6) (ii) victims' reluctance to report incidents for fear of losing customer confidence, (7) (iii) the dual system of prosecution, (8) and (iv) the lack of detection. (9) In 2006, the Department of Justice's Bureau of Justice Statistics and the Department of Homeland Security's National Cyber Security Division began a joint effort to estimate the number of cyber attacks and the number of incidents of fraud and theft of information. (10)

   2. Types of Computer-Related Offenses

      DOJ divides computer-related crimes into three categories according to the computer's role in the particular crime. (11) First, a computer may be the "object" of a crime. (12) This category primarily refers to theft of computer hardware or software. (13)

      Second, a computer may be the "subject" of a crime. (14) In this category, the computer is akin to the pedestrian who is mugged or the house that is robbed--it is the subject of the attack and the site of any damage caused. This category encompasses, "spam," (15) "viruses," (16) "worms," (17) "Trojan horses," (18) "logic bombs," (19) "sniffers," (20) "distributed denial of service attacks," (21) and unauthorized "web bots or spiders." (22) In the past, most offenders in this category were simply motivated by malice or mischief rather than financial gain. (23) These types of crimes were frequently committed by juveniles, (24) disgruntled employees, (25) and professional hackers as a means of showing off their skills. (26) In recent years, however, there has been an increase in crimes from this category which are committed for financial gain. (27)

      Third, a computer may be an "instrument" used to commit traditional crimes. (28) These traditional crimes include identity theft, (29) child pomography, (30) copyright infringement, (31) and mail or wire fraud. (32)

2. FEDERAL APPROACHES

   This Section explores the major federal statutes, enforcement strategies, and constitutional issues regarding computer related crimes. Part A discusses key federal statutes in the prosecution of computer crimes, the most significant of which is the National Information Infrastructure Protection Act of 1996 ("NIIPA" of "1996 Act"). (33) Part B describes relevant enforcement efforts and Parts C and D examine search and seizure of electronic evidence.

   Although the focus of this Article is the federal government's approach to prosecuting criminal computer offenses, past litigation has sought primarily civil remedies. (34)

   1. Federal Criminal Code

      Since 1984, Congress has pursued a dual approach to combating computer crime. The Counterfeit Access Device and Computer Fraud and Abuse Law of 1984 (35) and subsequent amending acts (36) address crimes in which the computer is the "subject"--that is, computer crimes for which there is no analogous traditional crime and for which special legislation is needed. This line of statutes culminated in NIIPA, (37) which is discussed in detail in Part 1.

      The federal government's other approach to regulating computer crime has been to update traditional criminal statutes in order to reach similar crimes involving computers. (38) The federal government has also used the United States Sentencing Guidelines ("Guidelines" or "U.S.S.G.") to enhance sentences for traditional crimes committed with the aid of computers. (39) Part 2 discusses the most prominent statutes that are used to prosecute traditional crimes committed with the aid of a computer.

      1. National Information Infrastructure Protection Act of 1996

         Section 1030 of Title 18 of the U.S. Code protects against various crimes involving "protected computers." Because "protected computers" include those used in interstate commerce or communications, the statute covers any computer attached to the internet, even if all the computers involved are located in the same state. (40) The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 ("USA PATRIOT Act") (41) contains several significant amendments to the 1996 Act. Additional amendments to the 1996 Act are contained in the Cyber Security Enhancement Act of 2002 ("Cyber Security Act"), which was signed on November 25, 2002 as part of the Homeland Security Act of 2002 (42) and in the Computer Software Privacy and Control Act, which was signed on April 30, 2004. (43)

         1. Offenses Under the Statute

            Subsection 1030(a) lists the seven specific acts of computer-related crime that NIIPA prohibits. Section 1030(a)(1) makes it a crime to access computer files without authorization and to subsequently transmit classified government information. (44) Section 1030(a)(2) prohibits obtaining, (45) without authorization, information from financial institutions, (46) the United States, or private computers that are used in interstate commerce. (47) Section 1030(a)(3) proscribes intentionally accessing a United States department or agency nonpublic computer without authorization. (48) Section 1030(a)(4) prohibits accessing a protected computer, without authorization, with the intent to defraud and obtain something of value. (49)

            Section 1030(a)(5), which addresses computer hacking, has sustained the most substantial modifications following passage of the USA PATRIOT Act. In response to concerns about malicious computer cracking and computer terrorism, the USA PATRIOT Act creates two categories of offenses under this subsection based on the type of damage caused.

            The first category of offenses is contained in subsections (a)(5)(A)(i), (a)(5)(A)(ii), and (a)(5)(A)(iii), re-designating subsections (a)(5)(A), (a)(5)(B), and (A)(5)(C), respectively. (50) Subsection 1030(a)(5)(A)(i) criminalizes knowingly causing the transmission of a program, code, or command, and as a result, intentionally causing damage (51) to a protected computer. (52) This subsection applies regardless of whether the user had authorization to access the protected computer; thus, company insiders and authorized users can be culpable for intentional damage to a protected computer. (53)

            The second category of offenses, contained in subsections 1030(a)(5)(A)(ii) and 1030(a)(5)(A)(iii), prohibit intentional access without authorization that results in damage but does not require intent to damage; (54) subsection 1030(a)(5)(A)(ii) requires that the action be reckless, while [section]1030(a)(5)(A)(iii) merely requires negligence. (55) This provision makes unauthorized users responsible even if the transmission was not intentional but was reckless (56) or negligent. (57)

            Although the re-designated subsection (a)(5)(A) appears identical to former subsections (a)(5)(A)-(C) of the 1996 Act, the threshold damage requirements for the amended statute are now much lower. The USA PATRIOT Act also amended the 1996 Act's definition of damage, so that now [section] 1030(a)(5)(A) can be violated by "any impairment to the integrity or availability of data, a program, a system, or information." (58)

            Section 1030(a)(6) prohibits one with intent to defraud from trafficking in passwords which would either permit unauthorized access to a government computer or affect interstate or foreign commerce. (59)

            Finally, [section] 1030(a)(7) makes it illegal to transmit in interstate or foreign commerce any threat to cause damage to a protected computer with intent to...