Computer crimes.

• Author: Dillon, Sheri A.
• Position: Thirteenth Survey of White Collar Crime

1. INTRODUCTION

   This Article tracks developments in computer related criminal law and legal literature, analyzes federal, state, and international approaches to computer crime legislation and enforcement, and reviews recent developments in these areas. Section I defines computer crime, discusses the different forms it can take, and explores the extent of this problem. Section II describes the federal statutes used for prosecuting computer crimes and analyzes their defenses, enforcement strategies, and sentencing. Section III treats state approaches to combating computer crime and the resulting federalism issues. Section IV addresses international approaches. Finally, Section V tracks emerging issues, including data encryption.

   1. Defining Computer Crime

      The rapid emergence of computer technologies and the exponential expansion of the Internet(1) have spawned a variety of new criminal behaviors and an explosion in specialized legislation to combat them.(2) Computer crimes include traditional crimes committed with a computer(3) together with novel, technologically specific offenses that are arguably not analogous to any non-computer crimes.(4) The diversity of computer-related offenses renders any narrow definition untenable. The Department of Justice ("DOJ") broadly defines computer crimes as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."(5)

      Accurate statistics on the extent of this phenomenon have proven elusive(6) because of the difficulty in adequately defining computer crimes.(7) The statistics are also untrustworthy due to failure to report incidents for (1) fear of losing customer confidence;(8) and (2) lack of detection.(9) However, the aggregate annual losses to businesses and governments are estimated to be in the billions of dollars.(10)

   2. Types of Computer-Related Offenses

      There are no "typical" computer-related crimes and no "typical" motives for committing such crimes.(11) Computer criminal can be youthful hackers,(12) disgrunded employees and company insiders,(13) or international terrorists and spies.(14) However, a workable structure is provided by classifying computer-related crimes by considering the role the computer plays in a particular crime.(15)

      First, a computer may be the "object" of a crime: the offender targets the computer itself. This encompasses theft of computer processor time and computerized services. Second, a computer may be the "subject" of a crime: a computer is the physical site of the crime, or the source of, or reason for, unique forms of asset loss. This includes the use of "Viruses,"(16) "Trojan horses,"(17) "logic bombs,"(18) and "sniffers."(19) Third, a computer may be an "instrument" used to commit traditional crimes, but in a more complex manner. For example, a computer might be used to collect credit card information to make fraudulent purchases.(20)

2. FEDERAL APPROACHES

   This Section examines the major federal statutes directed at computer-related crimes and describes some of their practical shortcomings. Part A discusses the federal criminal code (Title 18), including the National Information Infrastructure Protection Act of 1996 ("NIIPA"). Part B describes enforcement strategies. Part C examines sentencing under federal computer crime legislation, and Part D treats search and seizure and First Amendment issues.

   1. Federal Criminal Code

      Rather than attempting to deal with computer crime by amending every traditional statute to encompass new technologies,(21) Congress has treated computer-related crimes as distinct federal offenses since 1984, after passage of the Counterfeit Access Device and Computer Fraud and Abuse Law.(22) Subsequently, the volume of such legislation has greatly expanded to address the many types of computer-related crimes. Regulation began as an intentionally narrow attempt to protect vital government interests.(23) As new computer crime issues have arisen and more statistics have become available, the law has attempted to adapt, most recently with the National Information Infrastructure Protection Act of 1996 (NIIPA).(24)

      1. National Information Infrastructure Protection Act of 1996

         The 1996 Act contains the most recent amendments to the Computer Abuse Act, and includes several significant modifications to the 1984 and 1994 Acts.(25)

         1. Offenses Under the Statute

            One important change the 1996 Act effectuated is the substitution of the term "protected computers," for "federal interest computers," throughout the statute.(26) Because protected computers include those used in interstate commerce or communications, the statute now protects any computer attached to the Internet, even against criminals operating in the same state.(27) Section 1030(a) contains seven major subsections, each aimed at specific acts of computer-related crime:

            Subsection 1030(a)(1) protects against the accessing, without or beyond authorization,(28) and subsequent transmission of classified government information.(29)

            Subsection 1030(a)(2) prohibits the obtaining,(30) without or in excess of authorized access, information from financial institutions,(31) the U.S. government, or private sector computers used in interstate commerce.(32)

            While 1030(a)(2) requires obtaining information, 1030(a)(3) proscribes intentionally accessing a U.S. department or agency computer without authorization.(33) If the government or a government agency does not use the computer exclusively, the illegal access must affect the government's use. The prior requirement of 1030(a)(3)--that the access "adversely" affect the government's use--was removed by the 1996 Act, eliminating the possible defense that the access was benign.(34)

            Section 1030(a)(4) prohibits accessing a protected computer, without or beyond authorization, thereby furthering an intent to defraud and obtaining something of value. There is an exception if the defendant obtained solely computer time with a value less than $5,000.

            Section 1030(a)(5), which was completely revised by the 1994 Act, created several problems addressed by the 1996 Act. First, by applying the section only to computers used in interstate commerce or communication, [sections] 1030(a)(5) under the 1994 Act may have inadvertently decriminalized hacker attacks on intrastate government and financial institution computers. The 1996 Act solved this problem by including interstate, government, and financial institution computers as "protected computers."(35) Second, the 1986 Act required that damage be done by those without authorized access, so insiders who intentionally damaged computers that they were authorized to access were not covered. The 1994 Act corrected that by removing the trespass requirement and adding an intent or recklessness element but left negligent trespassers uncovered. The 1996 Act resolved this discrepancy.(36)

            Under the current statute, it is always a crime to intentionally cause damage(37) to a protected computer by "transmission of a program, information, code, or command," regardless of authorization to access the computer.(38) It is also a crime to cause damage (recklessly, negligently, or otherwise) if the protected computer was intentionally accessed without authorization.(39) Thus, company insiders and authorized users are culpable for only intentional damage, while unauthorized users, such as hackers who cause the transmission of malevolent software, including viruses, are responsible even if the transmission was only reckless(40) or negligent.(41)

            Section 1030(a)(6) prohibits: "knowingly" and with intent to defraud. trafficking in passwords which either would permit unauthorized access to a government computer, or affect interstate or foreign commerce.(42)

            Finally, [sections] 1030(a)(7), added in 1996, makes it illegal to transmit in interstate or foreign commerce any threat to cause damage to a protected computer with intent to extort something of value.(43) This section would cover such offenses as hackers threatening to crash a system if not given system privileges,(44) or encrypting someone's data and demanding money for the key.(45)

            The 1996 Act differentiates between conduct which involves improper access or compromising of privacy and conduct in which the defendant uses such access for pernicious purposes, by transforming misdemeanor sections (a)(2), (a)(3), (a)(5)(c), and (a)(6) into felonies if committed for financial gain, in furtherance of any criminal or tortious act, or if the value of the obtained information exceeds $5,000.(46) Section 1030(g) provides an incentive for victims to report(47) computer related crimes by allowing civil remedies for victims of intentional computer crime.(48) This section punishes an attempt to commit an offense as if the offense occurred.(49) The Act expressly grants investigatory authority to the United States Secret Service, in addition to any other agency having such authority.(50)

         2. Defenses

            Possible defenses available under [sections] 1030 include defenses relating to jurisdiction, statutory interpretation, especially as it relates to intent, and the amount of damages.

            Jurisdictional defenses formerly available under the statute have been eliminated by the 1996 Act. Under the 1994 Act, a "federal interest" computer had to be accessed to convict under [sections] 1030(a)(4). Thus, access of a private-sector, nonfinancial computer for the purposes of fraud from within the same state did not fall under the Act.(51) This was not true of [sections] 1030(a)(5), which protected computers used in interstate commerce or communications, but damage caused to intrastate government or financial institution computers may have been beyond the scope of the Act. The 1996 Act removed both loopholes.(52)

            The 1996 Act also eliminated several other possible defenses arising from ambiguities in statutory language. Section 1030(5)(c) now clearly requires only an intent to access, not an intent to cause...