Computer-related crimes.

• Author: Carroll, Michael W.
• Position: Tenth Survey of White Collar Crime

[TABULAR DATA OMITTED]

1. INTRODUCTION

   This article tracks developments in computer-related criminal law and legal literature, including an analysis of federal computer crime legislation and enforcement, and a discussion of state and international approaches.

   1. Defining Computer Crime

      The rapid development of computer technology has spawned a variety of new criminal behaviors and an explosion in specialized legislation to combat them.(1) While computer crimes include traditional crimes committed with a computer, the term also encompasses offenses against intellectual property and other crimes which do not fall within traditional criminal statutes. Moreover, computer crime is moving in new directions as child pornographers abuse the information highway to distribute their wares and rapists and pedophiles use the internet to meet and set up their victims.(2) The diversity of computer-related offenses thus demands a broad definition. The Department of Justice defines computer crimes as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution."(3)

      Estimates of the predominant sources and extent of computer crimes vary. Many experts value losses due to computer crimes in the hundreds of millions and even billions of dollars.(4) While the exploits of youthful computer hackers have received the most press coverage, experts maintain that insider crimes committed by disgruntled or greedy employees have caused far more damage.(5)

      Computer crime legislation attempts to respond both to the problems of old crimes committed with new technology and new types of crimes made possible by new technology. Some efforts to deter computer-related crime have closed loopholes in existing statutes; other statutes function as independent computer crime chapters.(6)

   2. Types of Computer-Related Offenses

      There is no "typical" computer-related crime and no typical motive for committing such crimes.(7) Computer criminals can be teenage hackers, disgruntled employees, mischievous technicians, or international terrorists.(8) However, it is possible to classify computer-related crimes by considering the role the computer plays in a particular crime.(9)

      First, a computer may be the object"(10) of a crime, meaning the computer itself is targeted. Theft of computer processor time and computerized services are included in this category.

      Second, the computer may be the "subject"(11) of a crime. In these cases, the computer is the physical site of a crime, or is the source of or reason for unique forms of assets lost.(12) The use of "viruses"(13) and "logic bombs"(14) fit into this category. These crimes present novel legal problems because of the intangible nature of the electronic information which is the object of the crime.(15)

      Third, a computer may be an "instrument"(16) used as a means of committing traditional crimes such as theft, fraud, embezzlement, or trespass,(17) albeit in a more complex manner.(18) For example, a computer might be used to scan telephone codes automatically in order to make unauthorized use of a telephone system.(19)

      2. FEDERAL APPROACHES

   1. Federal Criminal Code

      Computer-related crimes have been treated as distinct federal offenses since 1984, when Congress passed the Counterfeit Access Device and Computer Fraud and Abuse Law of 1984.(20) Since the 1984 Act was passed, the volume of such legislation has expanded greatly to meet the challenge of more types of computer-related crimes. However, federal computer crime legislation has been inexplicably unresponsive to the problems of fighting computer crime.(21) It began as a piecemeal effort to solve a problem with unknown dimensions and importance.(22) As more data about computer crimes has become available, the law has become more precise.(23) Yet the most recent attempt to address the problem of computer-related crimes, the 1994 Act, may still contain significant gaps.(24) This section examines the major federal statutes directed at computer-related crimes and some of their practical shortcomings.

1. Computer Fraud and Abuse Act

   The 1984 Act was widely criticized for being too ambiguous and narrow in scope to provide adequate protection against computer-related offenses.(25) In an attempt to strengthen and clarify the 1984 Act,(26) Congress amended it in 1986 with the Computer Fraud and Abuse Act.(27)

   The 1986 Act was directed at unauthorized intentional access to federal interest computers.(28) The statute proscribes six types of illegal activities.(29) It prohibits unauthorized access of a computer:(30) (1) to obtain information relating to national defense or foreign relations;(31) (2) to obtain information in a financial record of a financial institution or consumer reporting agency;(32) or (3) to manipulate information on a computer that would affect the United States government's operation of the computer.(33) it also prohibits: (4) accessing a "federal interest computer" without or in excess of authorization and with intent to defraud or obtain anything of value.(34) Subsection (5) of the 1986 Act was amended in 1994, but for those actions governed by the 1986 Act, intentional access of a "federal interest computer" without authorization, and thereby altering, damaging, or destroying information, or preventing "authorized use" of the computer is prohibited.(35) The access must either cause an aggregate loss of $1,000 during a one year period, or actually or potentially modify or impair medical examination, diagnosis, treatment, or care.(36) Finally, the 1986 Act prohibits: (6) "knowingly," and with intent to defraud, trafficking in passwords which either would permit unauthorized access to a government computer, or affect interstate or foreign commerce.(37)

   Punishment for an attempt to commit an offense is identical to punishment for commission of the offense itself.(38) The 1986 Act expressly grants investigatory authority to the United States Secret Service, in addition to any other agency having such authority.(39)

2. Computer Abuse Amendments Act of 1994

   Responding to criticism of the 1986 Act, Congress passed the Computer Abuse Amendments Act of 1994(40) to broaden the scope of liability for computer crimes and to expressly provide civil remedies for the victims of computer crimes. The 1994 Act makes three changes to [sections] 1030(a)(5), broadening the scope of liability. First, the 1994 Act changes coverage from acts committed on federal interest computers and affecting such computers to acts committed on computers used in interstate commerce or communications and affecting any computer.(41) Second, the threshold requirement of "unauthorized access" has been removed.(42) As a result, the class of those potentially liable has been expanded to include, among others, company insiders and users of computer networks, who were arguably immune under the 1986 Act because their access was authorized. Finally, the 1994 Act criminalizes certain types of reckless conduct in addition to intentional acts.(43) This may facilitate prosecution of hackers who cause the transmission of malevolent software, such as computer viruses, if such actions are sufficiently reckless but would not have been considered intentional under the 1986 Act.

   Under the amended statute, intentional computer crimes committed on interstate computers are felonies,(44) while reckless acts on interstate computers are misdemeanors.(45) The 1994 Act also provides an incentive for victims to report computer-related crimes by allowing civil remedies for victims of intentional computer crimes.(46) Additionally, the 1994 Act amends subsection (a)(3) to insert "adversely" before "affects the use of the Government's operation of such computer",(47) implying that a trespasser might affect the computer benignly and escape prosecution.

3. Other Statutes

   Other statutes have been useful in prosecuting computer-related crimes falling outside the Computer Fraud and Abuse Act. Computer-related crimes can be charged under at least forty different federal statutes.(48) What follows is a brief discussion of the statutes most commonly used to prosecute computer-related crimes which are not covered by the Computer Fraud and Abuse Act.(49) Such offenses range from theft of computer software to unauthorized access of a computer system without causing damage.(50)

   1. Copyright Act

      Any person who unlawfully copies and distributes software may be subject to punishment for criminal copyright infringement.(51) The criminal copyright infringement statute has three elements: (1) infringement of a copyright; (2) done willfully; and (3) for commercial advantage or private financial gain.(52) The first element of copyright infringement may be satisfied by the mere unauthorized copying of computer software, but the second and third elements are often more difficult to prove.(53)

   2. National Stolen Property Act

      The National Stolen Property Act(54) prohibits the transportation in interstate commerce of "any goods, wares, securities or money" valued at $5,000 or more and known to be stolen or fraudulently obtained.(55) This statute has been applied to various computer-related crimes, including fraudulent computerized transfers of funds.(56) The court has held that computer software does not constitute "goods" or "wares" under the National Stolen Property Act, if the programs were solely in an intangible form.(57) The court has also distinguished between the theft of software only, and the theft of software in conjunction with the theft of tangible hardware, which is covered by the terms "goods" and "wares" in the National Stolen Property Act.(58)

   3. Mail and Wire Fraud

      The federal mall and wire fraud statutes(59) prohibit the use of interstate wire communications and mails to further a fraudulent scheme to obtain money or property.(60) One commentator suggests that these statutes seem to apply to "any computer-aided theft involving the use of...