Criminal law in cyberspace.

Author: Katyal, Neal Kumar

INTRODUCTION

The new millennium brings new crimes. Witness two of the most talked-about crimes of last year, the ILoveYou computer worm (in terms of economic damage, perhaps the most devastating crime in history, causing more than $11 billion in losses) and the denial-of-service attacks on Yahoo!, eBay, E*Trade, and other sites (which caused $1.2 billion in damage).(1) These events suggest that a new breed of crime has emerged over the past decade: cybercrime. This umbrella term covers all sorts of crimes committed with computers--from viruses to Trojan horses; from hacking into private e-mail to undermining defense and intelligence systems; from electronic thefts of bank accounts to disrupting web sites. Law has not necessarily caught up with these crimes, as the recent dismissal of charges against the author of the ILoveYou worm demonstrates.(2) How should the law think about computer crime?

Some academics see cyberspace as a new area in which first principles of law need to be rethought. David Johnson and David Post, for example, contend that existing legal rules are not suitable for the digital age and that governments should not necessarily impose legal order on the internet.(3) Others, in contrast, believe that a computer is merely an instrument and that crime in cyberspace should be regulated the same way as criminal acts in realspace.(4) The recent U.S. Department of Justice ("DOJ") report on cybercrime typifies this approach.(5) I contend that neither view is correct and that each camp slights important features that make cybercrime both different from and similar to traditional crime.

Underlying the "cybercrime is not different" position is a worry about a unique form of geographic substitution. The concern is that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower. For example, if the electronic theft of one million dollars warrants five years imprisonment, and the physical theft of one million dollars warrants ten years imprisonment, criminals are likely to opt for the electronic theft. Such analysis is, however, incomplete. Beccaria and Becker have observed that the expected penalty for criminal activity is not only the sentence in the criminal code, but also a function of the probability that one will get caught.(6) To the extent that cybercrimes are easier to get away with, sentences might be increased to compensate for this lower probability.

In addition to the probability of being caught, another variable overlooked by the "cybercrime is not different" camp is the perpetration cost of engaging in crime. A bank robbery in realspace, for example, consumes tremendous criminal resources. A robber has to hire lookouts and firepower, garner inside knowledge about the bank, and so on. Profits will be split among five, six, or even more people. A computer theft, by contrast, involves fewer resources and may even be accomplished by a single person sitting down at a computer. Because cybercrime requires fewer resource inputs and less investment to cause a given level of harm, the law might approach these crimes differently.

These variations suggest that cyberspace is a unique medium for three reasons. First, and most importantly, the use of computers and other equipment is a cheaper means to perpetrate crime. Criminal law must be concerned not only with punishing crime ex post, but with creating ex ante barriers to inexpensive ways of carrying out criminal activity. In this Article, this principle--which is generally applicable in criminal law--will be called "cost deterrence." The idea is that law should strive to channel crime into outlets that are more costly to criminals. Cyberspace presents unique opportunities for criminals to reduce their perpetration costs; the probability of success in inflicting a certain level of harm while holding expenditures constant is greater. Accordingly, the law should develop mechanisms to neutralize these efficiency advantages.

Some neutralization techniques, however, risk punishing utility-producing activities. For example, encryption has the potential to further massive terrorism (which leads many in the law enforcement community to advocate its criminalization) but also has the potential to facilitate greater security in communication and thereby encourage freedom (which leads many others to push for unfettered access to the technology). This is a standard dilemma that the law encounters in the regulation of technology--call it the "dual-use problem." The problem arises when an activity has both positive and negative uses and forbidding the act forfeits the good uses. To help solve the problem, I introduce a conventional tool, the sentencing enhancement, as a mechanism that can selectively target improper uses. Policymakers and academics have given little attention to sentencing enhancements and lack a theory of when they should be used. This Article endeavors to fill that gap, arguing that sentencing enhancements are suited to certain acts that are not inherently harmful to society and whose benefits depend on context. It shows, for example, how enhancements provide a solution to the encryption debate because they can be aimed at encryption's harmful applications.

Second, cybercrime adds additional parties to the traditional perpetrator-victim scenario of crime. In particular, much cybercrime is carried out through the use of Internet Service Providers ("ISPs"), such as America Online. Government should consider imposing responsibilities on such third parties because doing so promotes cost deterrence. Third parties can develop ways to make criminal activity more expensive and may be able to do so in ways that the government cannot accomplish directly. The same logic sometimes can apply to victims of cybercrime; law can develop mechanisms to encourage optimal victim behavior as well. As part of this discussion, this Article shows how victim self-help depends on changing police behavior and outlines a strategy to make police departments behave more like fire departments (focusing more on warning and prevention and less on chasing suspected perpetrators after they commit crimes).

Two features of cyberspace, however, suggest that these burden-shifting strategies will be difficult to implement. The first, which borrows from the New Economy theory of "network effects," contends that interconnectivity is an important goal that should not be sacrificed lightly. If potential victims and third parties like ISPs are forced to take precautionary measures--from building strong firewalls to forgoing communication with risky computer systems--these measures may diminish the value of the internet. A strong public law enforcement presence is necessary to prevent the net from fragmenting into small regions accessible only to subsets of trusted users with the right passkeys. A second feature that limits burden-shifting arises from the asymmetric incentives between ISPs and their users. Because an ISP derives little utility from providing access to a risky subscriber, a legal regime that places liability on an ISP for the acts of its subscribers will quickly lead the ISP to purge risky ones from its system. ISPs, as private entities, face no constitutional constraints and little public accountability; the results of ISP liability may be unfair and threaten the potential benefits of the net.

Third, and more generally, a host of thorny problems arise because most activities that occur in cyberspace are invisible to third parties--and sometimes even to second parties. In a space where crimes are invisible, strategies that focus on trying to prevent crime by maintaining public order, such as "broken windows" policing, are of limited utility (though some insights can be adapted to cyberspace). Social norms cannot operate as effectively to prevent crime on the net because its users are not necessarily constrained by the values of realspace.

On the other side of the ledger, the danger of overly aggressive law enforcement is multiplied in cyberspace. Each new major cybercrime leads law enforcement to push for changes to the technical infrastructure to create better monitoring and tracing. If these monitoring mechanisms are hidden in private hardware and software, however, some contend that public accountability may be undermined. A similar point can be made about enforcement by police: Because police are invisible on the internet, the potential for entrapment or other forms of police misconduct may be greater. The ultimate effect of this loss of police visibility may be to poison legitimate activity on the net because confidence in communication may be undermined. An internet user will not be sure that he is talking to a friend and not a government interloper seeking evidence of criminal activity.(7) Because the technology of law enforcement is not well understood among the public, citizens will fear the net and its potential advantages will be stymied. Consider the public uproar over a third prominent news item from this year: the discovery that the Federal Bureau of Investigation ("FBI") has a system, with the poorly chosen title of "Carnivore," which allows it to examine private e-mails.(8)

Nevertheless, the differences between crimes that take place in cyberspace and those that occur in realspace should not obscure their similarities. For example, if crime in cyberspace is easier to commit due to technical prowess, then the law needs to consider how to treat offline crimes that harness technical ability. Similarly, if acts in cyberspace portend criminal activity in realspace, then this dangerous complementarity can--if sufficiently strong--justify punishing acts in cyberspace (an example might be electronic stalkers who may graduate to stalking in realspace). This notion undoes the standard idea that criminal punishment should be reserved only for...
