Computer Crimes
| Author | Sean Swinford/Bill Huesken/Aubrianna Mierow/Hasala Ariyaratne/Seth Ismail |
| Pages | 579-636 |
COMPUTER CRIMES
I. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
II. COMPUTER INTRUSION AND FRAUD . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
A. Botnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
B. Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
C. Ransomware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
D. Viruses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
E. Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
F. Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
G. Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
H. Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
I. Denial of Service Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
J. Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
K. Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
L. Phishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
III. FEDERAL APPROACHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
A. The Computer Fraud and Abuse Act . . . . . . . . . . . . . . . . . . . 591
1. Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
2. Provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
3. Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
4. Proposed Reform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
B. First Amendment and Online Speech . . . . . . . . . . . . . . . . . . . 596
1. Threat Speech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
2. Child Pornography and Sexual Communication with
Minors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
3. Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
4. Anonymous Speech . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
5. Miscellaneous Exceptions. . . . . . . . . . . . . . . . . . . . . . . . 604
C. Traditional Crime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
1. Property Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
2. Identity Theft. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
3. Wire Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
4. Facilitating Prostitution and Section 230 . . . . . . . . . . . . . 608
D. Fourth Amendment Search and Seizure . . . . . . . . . . . . . . . . . 609
1. Scope and Execution of a Search . . . . . . . . . . . . . . . . . . 611
2. Third-Party Doctrine . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
E. Electronic Surveillance & the Electronic Communications
Privacy Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
1. Categorization of Information . . . . . . . . . . . . . . . . . . . . . 618
2. Components of the ECPA . . . . . . . . . . . . . . . . . . . . . . . . 620
579
a. Pen/Trap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
b. Wiretap Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
c. Stored Communications Act . . . . . . . . . . . . . . . . . . 623
3. Exceptions and Defenses . . . . . . . . . . . . . . . . . . . . . . . . 625
IV. STATE APPROACHES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
A. Structure of State Criminal Codes . . . . . . . . . . . . . . . . . . . . . 626
B. State Computer Crime Initiatives . . . . . . . . . . . . . . . . . . . . . . 627
1. Online Harassment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
2. Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
3. Unauthorized Access, Hacking, Spyware, and Phishing . . 628
4. Protection of Personal Information . . . . . . . . . . . . . . . . . 628
5. Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
6. Jurisdiction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
7. Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
V. ENFORCEMENT CHALLENGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
A. Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
B. Extraterritoriality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
C. International Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
D. Rules of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
I. INTRODUCTION
The U.S. Department of Justice (“DOJ”) broadly defines computer crime—also
known as cybercrime—as a crime that “use[s] or target[s] computer networks.”
1
U.S. DEP’T OF JUST., PROSECUTING COMPUTER CRIMES (2d ed. 2010) [hereinafter PROSECUTING COMPUTER
CRIMES], http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf; see also Crime, BLACK’S LAW
DICTIONARY (12th ed. 2019) (defining computer crime similarly).
Although computer crime includes traditional crimes, such as fraud or theft com-
mitted with the use of a computer,
2
it also encompasses unique criminal behaviors
such as hacking.
3
To combat these crimes, prosecutors rely on technology-specific
federal legislation, such as the Computer Fraud and Abuse Act,
4
as well as the
1.
2. See infra Section III.C.
3. See, e.g., 18 U.S.C. §§ 1029–1030, 1037; Stephen Cobb, Advancing Accurate and Objective Cybercrime
Metrics, 10 J. NAT’L SEC. L. & POL’Y 605, 610 (2020) (listing examples of cybercrimes and explaining that
“some computer crimes are unique to computers while others are traditionally prohibited forms of human
misbehavior enhanced by technology”); Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV.
1003, 1013 (2001) (describing different types of crimes that occur online or on a computer); Charlotte Decker,
Note, Cyber Crime 2.0: An Argument to Update the United States Criminal Code to Reflect the Changing Nature
of Cyber Crime, 81 S. CAL. L. REV. 959, 964–70 (2008) (discussing crimes aimed at computers, including
hacking and extortionate hacking, distributed denial-of-service attacks, theft of trade secrets, access device theft,
and wiretap violations).
4. See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 99-474, 100 Stat.
1213 (1986) (codified at 18 U.S.C. § 1030).
580 AMERICAN CRIMINAL LAW REVIEW [Vol. 60:579
application of traditional law to activities in cyberspace, such as proscriptions
against narcotics trafficking and theft.
5
Though cybercrime is prosecuted at the state and federal levels, its frequency is
difficult to measure.
6
See, e.g., COUNCIL OF ECON. ADVISERS, EXEC. OFF. OF THE PRESIDENT, THE COST OF MALICIOUS CYBER
ACTIVITY TO THE U.S. ECONOMY 30 (2018) [hereinafter THE COST OF MALICIOUS CYBER ACTIVITY], https://
trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-
Economy.pdf (“[T]he field of cybersecurity is plagued by insufficient data, largely because firms face a strong
disincentive to report negative news.”); cf. Cobb, supra note 3, at 605–06 (arguing that “[e]ven the most affluent
of nations have not yet managed to consistently generate acceptable statistics about any crimes, cyber or non-
cyber,” but that this deficiency seems most damaging to “efforts to deter and defeat cybercrime”).
Many never learn that they were the victim of a cybercrime,
and commercial entities and institutions that do learn of an intrusion are often
reluctant to report the event due to fear of negative publicity, reduced consumer
trust, and increased regulatory scrutiny.
7
Press Release, Fed. Trade Comm’n, FTC Addresses Uber’s Undisclosed Data Breach in New Proposed
Order (Apr. 12, 2018), https://www.ftc.gov/news-events/blogs/business-blog/2018/04/ftc-addresses-ubers-
undisclosed-data-breach-new-proposed (describing the FTC’s revised consent order against Uber after the
company failed to disclose its 2016 breach); see also Gary Guthrie, Facebook Admits Malware Defrauded Users
Out of $4 Million, CONSUMER AFFAIRS (Oct. 2, 2020), https://www.consumeraffairs.com/news/facebook-admits-
malware-defrauded-users-of-4-million-100220.html (explaining how it took Facebook two years to tell the world
about the SilentFace mob that defrauded users); Robert Lemos, Companies Fall Shot on Mandatory Reporting of
Cybercrimes, DARKREADING (Jun. 2, 2020), https://www.darkreading.com/attacks-breaches/companies-fall-
short-on-mandatory-reporting-of-cybercrimes/d/d-id/1337977 (citing the ISACA “State of Cybersecurity 2020”
report finding that 62% of 2,051 surveyed cybersecurity professionals believe their companies under-report
cybercrimes); KENNETH OLMSTED & AARON SMITH, PEW RSCH. CTR., AMERICANS AND CYBERSECURITY 3–4
(2017), http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/ (describing a poll that found only
about twelve percent of Americans have a very high level of confidence that government and private companies
can protect their personal information).
Such disincentives to reporting cyber-
crime, coupled with the difficulty of detecting it and the dual systems of state and
federal prosecution,
8
make calculating the total damage and frequency of computer
crime challenging.
9
THE COST OF MALICIOUS CYBER ACTIVITY, supra note 6, at 30; see also Josephine Wolff, The Real
Reasons Why Cybercrimes May Be Vastly Undercounted, SLATE (Feb. 12, 2018), https://slate.com/technology/
2018/02/the-real-reasons-why-cybercrimes-are-vastly-underreported.html (describing why companies may be
reluctant to report accurate numbers regarding cybercrime); cf. Cobb, supra note 3, at 617–18 (proposing
additional challenges in calculating the frequency of computer crime, including the use of an outdated
conceptualization and focus on crimes against people rather than commercial organizations in reporting surveys).
Both the legislative
10
Rebecca Beitsch, Spending bill includes large funding increase to boost cybersecurity, THE HILL (Mar.
11, 2022), https://thehill.com/policy/national-security/597902-spending-bill-includes-large-funding-increase-to-
boost-cybersecurity/.
and executive
11
See Press Release, U.S. Dep’t. of Just., Former Chief Security Officer Of Uber Convicted Of Federal
Charges For Covering Up Data Breach Involving Millions Of Uber User Records (Oct. 5, 2022), https://www.
justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach.
branches have under-
taken recent efforts to improve reporting of cyber incidents, but it is too early to
assess the impact of these approaches.
5. See, e.g., United States v. Ulbricht, 31 F. Supp. 3d 540, 546–47 (S.D.N.Y. 2014) (describing prosecution
for narcotics trafficking involving the use of a website functioning as “an online marketplace for illicit goods and
services”).
6.
7.
8. See Joseph M. Olivenbaum, Ctrl-Alt-Delete: Rethinking Federal Computer Crime Legislation, 27 SETON
HALL L. REV. 574, 575 n.4 (1997) (arguing that the dual system of prosecution renders statistics suspect).
9.
10.
11.
2023] COMPUTER CRIMES 581
To continue reading
Request your trial