Computer crimes.

• Author: Nicholson, Laura J.
• Position: Annual white collar crime survey

1. INTRODUCTION

   This Article tracks developments in computer-related criminal law and legal literature, analyzes federal, state, and international approaches to computer crime legislation and enforcement, and reviews recent developments in these areas. Section I defines computer crime, discusses the different forms it can take, and explores the extent of this problem. Section II describes the federal statutes used for prosecuting computer crimes and analyzes their defenses, sentencing, and enforcement strategies. Section III examines state approaches to combatting computer crime and the resulting federalism issues. Section IV addresses international approaches. Finally, Section V tracks emerging issues, including data encryption.

   1. Defining Computer Crime

      The rapid emergence of computer technologies and the Internet's(1) exponential expansion have spawned a variety of new criminal behaviors and an explosion in specialized legislation to combat them.(2) While the term "computer crime" includes traditional crimes committed with a computer,(3) it also includes novel, technologically specific offenses that arguably are not analogous to any non-computer crimes.(4) The diversity of computer-related offenses, however, renders any narrow definition untenable. The Department of Justice ("DOJ") broadly defines computer crimes as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."(5)

      Accurate statistics on the extent of this phenomenon have proved elusive(6) because of the difficulty in adequately defining computer crimes.(7) The statistics are also untrustworthy due to victims' failures to report incidents because of (1) fear of losing customer confidence(8) and (2) lack of detection.(9) The aggregate annual losses to businesses and governments, however, are estimated to be in the billions of dollars.(10)

   2. Types of Computer-Related Offenses

      There is no "typical" computer-related crime and no "typical" motive for committing such crimes, although common motives include exhibiting technical expertise, highlighting weaknesses in computer security systems, punishment or retaliation, computer voyeurism, asserting a belief in open access to computer systems, or sabotage.(11) Computer criminals can be youthful hackers,(12) disgruntled employees and company insiders,(13) or international terrorists and spies.(14) Because of the vast variety of computer-related crimes and motives, computer-related crimes are classified according to the computer's role in the particular crime.(15)

      First, a computer may be the "object" of a crime: the offender targets the computer itself. This encompasses theft of computer processor time and computerized services. Second, a computer may be the "subject" of a crime: a computer is the physical site of the crime, or the source of, or reason for, unique forms of asset loss. This includes the use of "viruses,"(16) "worms",(17) "Trojan horses,"(18) "logic bombs,"(19) and "sniffers." Third, a computer may be an "instrument" used to commit traditional crimes in a more complex manner. For example, a computer might be used to collect credit card information to make fraudulent purchases.(20)

2. FEDERAL APPROACHES

   This Section examines the major federal statutes directed at computer-related crimes and describes some of their practical shortcomings. Part A discusses the federal criminal code (Title 18), including the National Information Infrastructure Protection Act of 1996 ("NIIPA").(21) Part B describes enforcement strategies and Part C examines search and seizure and First Amendment issues.

   1. Federal Criminal Code

      Rather than attempting to deal with computer crime by amending every traditional statute to encompass new technologies,(22) Congress has treated computer-related crimes as distinct federal offenses since the passage of the Counterfeit Access Device and Computer Fraud and Abuse Law in 1984.(23) The 1984 Act was intentionally narrowly tailored to protect classified United States' defense and foreign relations information, financial institution and consumer reporting agency files, and access to computers operated for the government.(24) Subsequently, the volume of such legislation greatly expanded to address many other types of computer-related crimes.(25) As new computer crime issues have arisen and more statistics have become available, the law has attempted to adapt. In the Computer Fraud and Abuse Act of 1986,(26) Congress expanded the scope of the law and attempted to define its terms more clearly.(27) Congress continued to expand the scope of the computer crime law in 1988,(28) 1989,(29) and 1990.(30) In 1994, Congress rewrote part of the Act again,(31) and then passed the National Information Infrastructure Protection Act of 1996 (NIIPA).(32)

      1. National Information Infrastructure Protection Act of 1996

      The 1996 Act contains the most recent amendments to the Counterfeit Access Device and Computer Fraud and Abuse Law, and also includes several significant modifications.(33)

      1. Offenses Under the Statute

         One important change effectuated by the 1996 Act was the substitution of the term "protected computers," for "federal interest computers," throughout the statute.(34) Previously, the 1994 Act only covered crimes involving computers located in more than one state.(35) Because "protected computers" includes those used in interstate commerce or communications, the statute now protects any computer attached to the Internet, even if all the computers involved are located in one state.(36) Section 1030(a) contains seven major subsections, each aimed at specific acts of computer-related crime:

         Subsection 1030(a)(1) makes it a crime to access computer files without authorization or in excess of authorization,(37) and subsequently to transmit classified government information.(38)

         Subsection 1030(a)(2) prohibits obtaining,(39) without access or in excess of authorized access, information from financial institutions,(40) the U.S. government, or private sector computers used in interstate commerce.(41)

         Subsection 1030(a)(3) proscribes intentionally accessing a U.S. department or agency nonpublic computer without authorization.(42) It states that if the government or a government agency does not use the computer exclusively, the illegal access must affect the government's use. The prior requirement of 1030(a)(3)--that the access "adversely" affect the government's use--was removed by the 1996 Act, eliminating the possible defense that the access was benign.(43)

         Section 1030(a)(4) prohibits accessing a protected computer, without or beyond authorization, with the intent to defraud and obtain something of value. There is an exception if the defendant only obtained computer time with a value less than $5,000 per year.(44)

         Section 1030(a)(5) addresses computer hacking. Section 1030(a)(5)(A) criminalizes knowingly causing the transmission of a program, code, or command, and as a result, intentionally causing damage(45) to a protected computer (without regard as to authorization to access the computer). Thus, company insiders and authorized users can be culpable for intentional damage to a protected computer. Section 1030(a)(5)(B)-(C) prohibits intentionally accessing a protected computer without access, and as a result of such conduct, causing damage(46) (recklessly, negligently, or otherwise). Thus, unauthorized users, such as hackers who cause the transmission of malevolent software, including viruses, are responsible even if the transmission was not intentional, but only reckless(47) or negligent.(48)

         The 1996 Act solved many problems created by the 1994 Act revisions to [sections] 1030(a)(5). First, by applying the section only to computers used in interstate commerce or communication, [sections] 1030(a)(5) under the 1994 Act may have inadvertently decriminalized hacker attacks on intrastate government and financial institution computers. The 1996 Act solved this problem by including interstate, government, and financial institution computers as "protected computers."(49) Second, the 1986 Act required that damage be done by those without authorized access, so insiders who intentionally damaged computers that they were authorized to access were not covered. The 1994 Act corrected that by removing the trespass requirement and adding an intent or recklessness element while leaving negligent trespassers uncovered. The 1996 Act resolved this discrepancy by adding 1030(a)(5)(C), which prohibits unauthorized access which causes damage (regardless of whether or not the damage was "recklessly caused").(50)

         Section 1030(a)(6) prohibits one from "knowingly" and with intent to defraud trafficking in passwords that either would permit unauthorized access to a government computer or affect interstate or foreign commerce.(51)

         Finally, [sections] 1030(a)(7), added in 1996, makes it illegal to transmit in interstate or foreign commerce any threat to cause damage to a protected computer with intent to extort something of value.(52) This section covers such offenses as hackers threatening to crash a system if not given system privileges,(53) or encrypting a company's data and demanding money for the key.(54)

         The 1996 Act differentiates between conduct that involves improper access or compromising of privacy and conduct in which the defendant uses such access for pernicious purposes by transforming misdemeanor sections (a)(2), (a)(3), (a)(5)(c), and (a)(6) into felonies if such violation is committed for financial gain, in furtherance of any criminal or tortious act, or if the value of the obtained information exceeds $5,000.(55) Section 1030(g) provides an incentive for victims to report(56) computer related crimes by allowing civil remedies for victims of intentional computer crime.(57) This section punishes an attempt to commit an offense as if the offense actually occurred.(58) The Act expressly grants investigatory...