Computer Crimes

Author: Macon Bianucci/Tara Mahesh/Jordan Mallory/Jeffrey Tsoi/Jeffrey Warren
Pages: 511-570
COMPUTER CRIMES
I. INTRODUCTION
II. COMPUTER INTRUSION AND FRAUD
    A. Botnets
    B. Spyware
    C. Ransomware
    D. Viruses
    E. Worms
    F. Trojan Horses
    G. Logic Bombs
    H. Sniffers
    I. Denial of Service Attacks
    J. Rootkit
    K. Spam
    L. Phishing
III. FEDERAL APPROACHES
    A. The Computer Fraud and Abuse Act
        1. Overview
        2. Provisions
        3. Penalties
        4. Proposed Reform
    B. First Amendment and Online Speech
        1. Threat Speech
        2. Child Pornography and Sexual Communication with Minors
        3. Spam
        4. Anonymous Speech
        5. Miscellaneous Exceptions
    C. Traditional Crime
        1. Property Theft
        2. Identity Theft
        3. Wire Fraud
        4. Facilitating Prostitution and Section 230
    D. Fourth Amendment Search and Seizure
        1. Scope and Execution of a Search
        2. Third-Party Doctrine
    E. Electronic Surveillance & the Electronic Communications Privacy Act
        1. Categorization of Information
        2. Components of The ECPA
            a. Pen/Trap
            b. Wiretap Act
            c. Stored Communications Act
        3. Exceptions and Defenses
IV. STATE APPROACHES
    A. Structure of State Criminal Codes
    B. State Computer Crime Initiatives
        1. Online Harassment
        2. Spam
        3. Unauthorized Access, Hacking, Spyware, and Phishing
        4. Protection of Personal Information
        5. Cyberbullying
        6. Jurisdiction
        7. Enforcement
V. ENFORCEMENT CHALLENGES
    A. Encryption
    B. Extraterritoriality
    C. International Operations
    D. Rules of Evidence

I. INTRODUCTION
The U.S. Department of Justice (DOJ) broadly defines computer crime, also known as cybercrime, as crime that "use[s] or target[s] computer networks."[1] While the term computer crime includes traditional crimes, such as fraud or theft committed with the use of a computer,[2] it also encompasses unique criminal behaviors such as hacking.[3] To combat these crimes, prosecutors rely on technology-specific federal legislation, such as the Computer Fraud and Abuse Act,[4] as well as the application of traditional law to activities in cyberspace, such as proscriptions against narcotics trafficking and theft.[5]

Though cybercrime is prosecuted at the state and federal level, its frequency is difficult to measure.[6] Many never learn that they were the victim of a cybercrime, and commercial entities and institutions that do learn of an intrusion are often reluctant to report the event for fear of negative publicity, reduced consumer trust, and increased regulatory scrutiny.[7] Such disincentives to reporting cybercrime, coupled with the difficulty of detecting it and the dual systems of state and federal prosecution,[8] make calculating the total damage and frequency of computer crime challenging.[9]

1. Office of Legal Educ., Prosecuting Computer Crimes, U.S. DEP'T OF JUSTICE (2010), http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf [hereinafter PROSECUTING COMPUTER CRIMES]; see also Crime, BLACK'S LAW DICTIONARY (12th ed. 2019) (defining computer crime as "[a] crime involving the use of a computer . . . [a]lso termed cybercrime; computer offense; cyberoffense").

2. See infra Section III.C.

3. See, e.g., 18 U.S.C. §§ 1029, 1037; Stephen Cobb, Advancing Accurate and Objective Cybercrime Metrics, 10 J. NAT'L SEC. L. & POL'Y 605, 610 (2020) (listing examples of cybercrimes and explaining that some computer crimes are unique to computers while others are traditionally prohibited forms of human misbehavior enhanced by technology); Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV. 1003, 1013 (2001) (describing different types of crimes that occur online or on a computer); Charlotte Decker, Note, Cyber Crime 2.0: An Argument to Update the United States Criminal Code to Reflect the Changing Nature of Cyber Crime, 81 S. CAL. L. REV. 959, 964-70 (2008) (discussing crimes aimed at computers, including hacking and extortionate hacking, distributed denial-of-service attacks, theft of trade secrets, access device theft, and wiretap violations).

4. See Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified at 18 U.S.C. § 1030).

5. See, e.g., United States v. Ulbricht, 31 F. Supp. 3d 540, 546-47 (S.D.N.Y. 2014) (describing prosecution for narcotics trafficking involving the use of a website functioning as an online marketplace for illicit goods and services); Intel Corp. v. Hamidi, 71 P.3d 296, 303-04 (Cal. 2003) (holding that sending mass emails through an Intel list-serve did not constitute trespass to chattels under tort theory because it did not cause or threaten to cause damage to the defendant’s computer). But see Sch. of Visual Arts v. Kuprewicz, 771 N.Y.S.2d 804, 807-08 (N.Y. Sup. Ct. 2003) (holding that large volume email could at least constitute a cause of action for trespass to chattel). See generally Morgan N. Temte, Blockchain Challenges Traditional Contract Law: Just How Smart Are Smart Contracts?, 19 WYO. L. REV. 87 (2019) (discussing the application of traditional contract law principles, the potential for unauthorized practice of law, jurisdictional challenges in drafting and enforcing smart contracts, and concerns regarding the potential liability for errors in smart contracts); Catherine M. Sharkey, Can Data Breach Claims Survive the Economic Loss Rule?, 66 DEPAUL L. REV. 339 (2017) (discussing the application of the economic loss rule, which precludes tort recovery for purely financial losses, in the context of credit card data breaches).

6. COUNCIL OF ECON. ADVISERS, EXEC. OFFICE OF THE PRESIDENT, THE COST OF MALICIOUS CYBER ACTIVITY TO THE U.S. ECONOMY 30 (2018), https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf [hereinafter THE COST OF MALICIOUS CYBER ACTIVITY] ("[T]he field of cybersecurity is plagued by insufficient data, largely because firms face a strong disincentive to report negative news."). Cf. Cobb, supra note 3, at 605-06 (arguing that "[e]ven the most affluent of nations have not yet managed to consistently generate acceptable statistics about any crimes, cyber or non-cyber," but that a deficiency in crime metrics seems most damaging to efforts to deter and defeat cybercrime).

7. Press Release, Fed. Trade Comm’n, FTC Addresses Uber’s Undisclosed Data Breach in New Proposed Order (April 12, 2018), https://www.ftc.gov/news-events/blogs/business-blog/2018/04/ftc-addresses-ubers-undisclosed-data-breach-new-proposed (describing the FTC’s revised consent order against Uber after the company failed to disclose its 2016 breach); see also Gary Guthrie, Facebook Admits Malware Defrauded Users Out of $4 Million, CONSUMER AFFAIRS (Oct. 2, 2020), https://www.consumeraffairs.com/news/facebook-admits-malware-defrauded-users-of-4-million-100220.html (explaining how it took Facebook two years to disclose the SilentFace mob that defrauded users); Robert Lemos, Companies Fall Short on Mandatory Reporting of Cybercrimes, DARKREADING (Jun. 2, 2020), https://www.darkreading.com/attacks-breaches/companies-fall-short-on-mandatory-reporting-of-cybercrimes/d/d-id/1337977 (citing the ISACA State of Cybersecurity 2020 report finding that 62% of 2,051 surveyed cybersecurity professionals believe their companies under-report cybercrimes); KENNETH OLMSTED & AARON SMITH, PEW RSCH. CTR., AMERICANS AND CYBERSECURITY 34 (2017), http://www.pewinternet.org/2017/01/26/americans-and-cybersecurity/ (describing a poll that found only about twelve percent of Americans have a very high level of confidence that government and private companies can protect their personal information).

8. See Joseph M. Olivenbaum, Ctrl-Alt-Delete: Rethinking Federal Computer Crime Legislation, 27 SETON HALL L. REV. 574, 575 n.4 (1997) (arguing that the dual system of prosecution renders statistics suspect).

9. THE COST OF MALICIOUS CYBER ACTIVITY, supra note 6, at 30; see also Josephine Wolff, The Real Reasons Why Cybercrimes May Be Vastly Undercounted (Feb. 12, 2018), https://slate.com/technology/2018/02/the-real-reasons-why-cybercrimes-are-vastly-underreported.html (describing why companies may be reluctant to report accurate numbers regarding cybercrime); cf. Cobb, supra note 3, at 617-18 (proposing additional