COMPUTER CRIMES

COMPUTER CRIMES

I. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

II. COMPUTER INTRUSION AND FRAUD . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

A. Botnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

B. Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

C. Ransomware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618

D. Viruses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619

E. Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619

F. Trojan Horses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

G. Logic Bombs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

H. Sniffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

I. Denial of Service Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . 621

J. Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621

K. Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622

L. Phishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622

III. FEDERAL APPROACHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

A. The Computer Fraud and Abuse Act . . . . . . . . . . . . . . . . . . . 623

1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

2. Provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

3. Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

4. Proposed Reform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628

B. First Amendment and Online Speech . . . . . . . . . . . . . . . . . . . 629

1. Threat Speech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629

2. Child Pornography and Sexual Communication with

Minors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631

3. Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

4. Anonymous Speech . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

5. Miscellaneous Exceptions . . . . . . . . . . . . . . . . . . . . . . . . 636

C. Traditional Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636

1. Property Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637

2. Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638

3. Wire Fraud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640

4. Facilitating Prostitution and Section 230 . . . . . . . . . . . . . 640

D. Fourth Amendment Search and Seizure . . . . . . . . . . . . . . . . . 641

1. Scope and Execution of a Search . . . . . . . . . . . . . . . . . . . 643

2. Third-Party Doctrine. . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

E. Electronic Surveillance & the Electronic Communications

Privacy Act. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

1. Categorization of Information . . . . . . . . . . . . . . . . . . . . . 650

2. Components of The ECPA . . . . . . . . . . . . . . . . . . . . . . . 652

611

a. Pen/Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 652

b. Wiretap Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653

c. Stored Communications Act. . . . . . . . . . . . . . . . . . . 655

3. Exceptions and Defenses. . . . . . . . . . . . . . . . . . . . . . . . . 657

IV. STATE APPROACHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

A. Structure of State Criminal Codes . . . . . . . . . . . . . . . . . . . . . 658

B. State Computer Crime Initiatives . . . . . . . . . . . . . . . . . . . . . . 658

1. Online Harassment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

2. Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

3. Unauthorized Access, Hacking, and Spyware . . . . . . . . . . 660

4. Protection of Personal Information . . . . . . . . . . . . . . . . . 660

5. Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661

6. Jurisdiction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

7. Enforcement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

V. ENFORCEMENT CHALLENGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

A. Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663

B. Extraterritoriality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666

C. International Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

D. Rules of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

I. INTRODUCTION

The U.S. Department of Justice (“DOJ”) broadly defines computer crime—also

known as cybercrime—as crime that “use[s] or target[s] computer networks.”

1

While the term computer crime includes traditional crimes, such as fraud or theft

committed with the use of a computer,

2

it also encompasses unique criminal

behaviors such as hacking.

3

To combat these crimes, prosecutors rely on technol-

ogy-specific federal legislation, such as the Computer Fraud and Abuse Act,

4

as

well as the application of traditional law to activities in cyberspace, such as

1. Office of Legal Educ., Prosecuting Computer Crimes, U.S. DEP’T OF JUSTICE (2010), http://www.justice.

gov/criminal/cybercrime/docs/ccmanual.pdf [hereinafter PROSECUTING COMPUTER CRIMES]; see also Crime,

BLACK’S LAW DICTIONARY (12th ed. 2019) (defining computer crime as “[a] crime involving the use of a

computer . . . [a]lso termed cybercrime; computer offense; cyberoffense”).

2. See infra Section III.C.

3. See, e.g., 18 U.S.C. §§ 1029, 1037; Stephen Cobb, Advancing Accurate and Objective Cybercrime Metrics, 10 J.

NAT’L SEC. L. & POL’Y 605, 610 (2020) (listing examples of cybercrimes and explaining that “some computer crimes

are unique to computers while others are traditionally prohibited forms of human misbehavior enhanced by

technology”); Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV. 1003, 1013 (2001) (describing

different types of crimes that occur online or on a computer); Charlotte Decker, Note, Cyber Crime 2.0: An Argument to

Update the United States Criminal Code to Reflect the Changing Nature of Cyber Crime, 81 S. CAL. L. REV. 959, 964–

70 (2008) (discussing crimes aimed at computers, including hacking and extortionate hacking, distributed denial-of-

service attacks, theft of trade secrets, access device theft, and wiretap violations).

4. See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 99-474, 100 Stat.

1213 (1986) (codified at 18 U.S.C. § 1030).

612 AMERICAN CRIMINAL LAW REVIEW [Vol. 58:611

proscriptions against narcotics trafficking and theft.

5

Though cybercrime is prosecuted at the state and federal level, its frequency is

difficult to measure.

6

Many never learn that they were the victim of a cybercrime,

and commercial entities and institutions that do learn of an intrusion are often

reluctant to report the event due to fear of negative publicity, reduced consumer

trust, and increased regulatory scrutiny.

7

Such disincentives to reporting cyber-

crime, coupled with the difficulty of detecting it and the dual systems of state and

federal prosecution,

8

make calculating the total damage and frequency of computer

crime challenging.

9

5. See, e.g., United States v. Ulbricht, 31 F. Supp. 3d 540, 546–47 (S.D.N.Y. 2014) (describing prosecution

for narcotics trafficking involving the use of a website functioning as “an online marketplace for illicit goods and

services”); Intel Corp. v. Hamidi, 71 P.3d 296, 303–04 (Cal. 2003) (holding that sending mass emails through an

Intel list-serve did not constitute trespass to chattels under tort theory because it did not cause or threaten to cause

damage to the defendant’s computer). But see Sch. of Visual Arts v. Kuprewicz, 3 Misc. 3d 278, 281 (N.Y. Sup.

Ct. 2003) (holding that large volume email could at least constitute a cause of action for trespass to chattel). See

generally Morgan N. Temte, Blockchain Challenges Traditional Contract Law: Just How Smart Are Smart

Contracts?, 19 WYO. L. REV. 87 (2019) (discussing “the application of traditional contract law principles, the

potential for unauthorized practice of law, jurisdictional challenges in drafting and enforcing smart contracts, and

concerns regarding the potential liability for errors in smart contracts”); Catherine M. Sharkey, Can Data Breach

Claims Survive the Economic Loss Rule?, 66 DEPAUL L. REV. 339 (2017) (discussing the application of the

economic loss rule, which precludes tort recovery for purely financial losses, in the context of credit card data

breaches); Keith N. Hylton, Property Rules, Liability Rules, and Immunity: An Application to Cyberspace, 87 B.

U. L. REV. 1 (2007) (applying traditional tort rules to cyberspace).

6. COUNCIL OF ECON. ADVISERS, EXEC. OFFICE OF THE PRESIDENT, THE COST OF MALICIOUS CYBER ACTIVITY

TO THE U.S. ECONOMY 30 (2018), https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-

Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf [hereinafter THE COST OF MALICIOUS CYBER ACTIVITY]

(“[T]he field of cybersecurity is plagued by insufficient data, largely because firms face a strong disincentive to

report negative news.”). Cf. Stephen Cobb, Advancing Accurate and Objective Cybercrime Metrics, 10 J. NAT’L

SEC. L. & POL’Y 605, 605–06 (2020) (arguing that “[e]ven the most affluent of nations have not yet managed to

consistently generate acceptable statistics about any crimes, cyber or non-cyber,” but that a deficiency in crime

metrics seems most damaging to “efforts to deter and defeat cybercrime”).

7. Press Release, Fed. Trade Comm’n, FTC Addresses Uber’s Undisclosed Data Breach in New Proposed

Order (April 12, 2018), https://www.ftc.gov/news-events/blogs/business-blog/2018/04/ftc-addresses-ubers-

undisclosed-data-breach-new-proposed (describing the FTC’s revised consent order against Uber after the

company failed to disclose its 2016 breach); see also Gary Guthrie, Facebook Admits Malware Defrauded Users

Out of $4 Million, CONSUMER AFFAIRS (Oct. 2, 2020), https://www.consumeraffairs.com/news/facebook-admits-

malware-defrauded-users-of-4-million-100220.html (explaining how it took Facebook two years to tell the world

about the SilentFace mob that defrauded users); Robert Lemos, Companies Fall Shot on Mandatory Reporting of

Cybercrimes, DARKREADING (Jun. 2, 2020), https://www.darkreading.com/attacks-breaches/companies-fall-

short-on-mandatory-reporting-of-cybercrimes/d/d-id/1337977 (citing the ISACA “State of Cybersecurity 2020”

report finding that 62% of 2,051 surveyed cybersecurity professionals believe their companies under-report

cybercrimes); KENNETH OLMSTED & AARON SMITH, PEW RSCH. CTR., AMERICANS AND CYBERSECURITY 3–4

(2017), http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/ (describing a poll that found only

about twelve percent of Americans have a very high level of confidence that government and private companies

can protect their personal information).

8. See Joseph M. Olivenbaum, Ctrl-Alt-Delete: Rethinking Federal Computer Crime Legislation, 27 SETON

HALL L. REV. 574, 575 n.4 (1997) (arguing that the dual system of prosecution renders statistics suspect).

9. THE COST OF MALICIOUS CYBER ACTIVITY, supra note 6, at 30; see also Josephine Wolff, The Real

Reasons Why Cybercrimes May Be Vastly Undercounted (Feb. 12, 2018), https://slate.com/technology/2018/02/

the-real-reasons-why-cybercrimes-are-vastly-underreported.html (describing why companies may be reluctant to

report accurate numbers regarding cybercrime); cf. Stephen Cobb, Advancing Accurate and Objective

2021] COMPUTER CRIMES 613