People began committing crimes with personal computers soon after the machines started rolling off assembly lines. Early crimes, such as those involving hacking into mainframes, viruses, and fraud, haven’t disappeared; however, recent computer crimes noted in the media concern issues like sexual predators, credit card theft, child pornography, and scams. In one famous case, a Trojan horse (a malicious program that masquerades as something else) promised free pornography, but instead dialed ruinously expensive international telephone calls.
In this informal article series, I plan to examine what computer crime is, how traditional laws address it, and if and why we need new legislation to deal with it. I plan to explain the principles of criminal law and how they relate to crimes committed via the Internet. I’m primarily discussing United States law and the English common law legal tradition; many areas are similarly legislated worldwide. This week we’ll look at what constitutes a computer crime and the requirement for due process.
Regulation and Attempted Regulation — When the public perceives an increase in crime, it cries out "there oughta be a law," and demands greater protection and stiffer penalties. In response to such concerns, the U.S. Congress enacted the Computer Fraud and Abuse Act (CFAA) in 1984, and in 1988 and 1994 the law was further amended and clarified.
Despite Congress’s efforts, the CFAA lagged behind public concerns, causing individual states to criminalize actions such as "computer trespass" and "unauthorized access." For example, Florida passed the first computer crimes bill in 1978. Nearly every state has enacted computer crime legislation since then.
In the past few years, the President and Congress have tried to regulate computer use in general and the Internet in particular. One such effort has been the White House’s advocacy of software key escrow, which would allow law enforcement – police, FBI, Secret Service, etc. – with the proper subpoena to access escrowed encryption keys, and thus decode encrypted information from any computer using exportable encryption technology.
Another effort was the recent spectacular failure of the so-called Communications Decency Act (CDA), which was thrown out by the Supreme Court for trampling on the First Amendment rights of free speech. Software key escrow, the CDA, and similar efforts to regulate computer use arose in response to the public outcry over computer crime.
What is Computer Crime? But does our society require all this legislation? What exactly is computer crime? This simple question is difficult to answer because the wording of a statute must be careful to avoid the convolutions that different interpretations can bring. One’s first reaction to the question might be, "It’s a crime committed with a computer." Of course, such a loose definition would include picking up a computer and throwing it at someone. Although that is indeed assault, it is of course not the heart of what I mean by computer crime.
"Hmm," one might go on. "What about a crime committed against a computer, such as stealing it?" Although this is a crime against a computer, it is simple theft and requires no new legislation. The recent case of a Seattle-area man shooting his computer in frustration would probably not have qualified as computer crime. To discuss computer crime meaningfully we might consider a crime committed against the data on a computer, or more specifically, on the computer’s hard disk (Crime committed with data, such as transmitting child pornography, is illegal regardless of means.) To understand computer crime, let’s look at things people do with computers that are considered criminal.
No New Crimes — Dialing into a remote computer and moving or deleting files is widely considered a criminal act, and is often part of legislation concerning computer crime. In essence, such hacking involves accessing another person’s data via an online connection, then viewing or copying the data, or even deleting it. However, this intrusion has a great deal in common with old-fashioned burglary, where a criminal sneaks into someone else’s property and steals valuables. Often such theft is done for profit, but as with burglary, it is also done on dares or "just for fun" by the misguided.
As another example, if you use the Web much, you’ve probably seen warnings that you are entering a "non-secured area" and that data entered in a form will not be safe from prying eyes. Some data you might not much care about, but other information, such as a credit card number, you don’t want to expose to the criminal element. Credit card theft is a serious problem, but whenever you use your card, whether on or off the Internet, you increase the risk of the number being stolen. Credit card fraud predates computer use by years, however, and is already subject to criminal penalties.
Finally, as a third example, selling, viewing, or otherwise handling general pornography on the Internet isn’t in itself a crime in the United States or most Western nations, and pornography itself predates the Net by thousands of years. However, specific types of pornography, like that involving children, are highly illegal almost everywhere. Criminal penalties for pornography are enforceable on the Net and off, as well as on private bulletin board systems, though jurisdiction may limit or expand prosecution. Recent test cases by the United States Postal Service and online crackdowns by the FBI – the authority for investigating violations of U.S. federal law – on child pornography have attempted to establish jurisdiction across state lines from where the data was housed and in cyberspace regions like America Online.
What About New Legislation? If there are no new crimes, why do we need new legislation? The answer lies in how the law perceives and defines crime. Criminal law must be extremely specific so that "due process" is served. In short, that means that the citizenry must be able to look up and read the law and understand specifically what actions are prohibited and will be punished. Thus, criminal statutes tend to be quite precise in their wording, and conduct that is not clearly included will not be punished. In the case of computer crimes, cases brought under traditional criminal statutes can end up being dismissed because of the way the crimes were defined.
For example, breaking into a computer through a modem and copying confidential files is theft according to a common sense definition. But most traditional criminal statutes define theft in terms of "carrying away" property "of value." Electrons have no value, and since they also lack substance, they can’t be carried away. As a result, criminal charges brought under traditional theft statutes for stealing computer programs have been dismissed.
For instance, in the 1972 California case of Ward vs. Superior Court, the defendant was accused of stealing computer source code from his ex-employer. He had used an access code to gain entry to the employer’s computer, where the software was stored. Like many theft statutes, the California statute required that the item be "carried away." The defendant was convicted under the statute because he had printed the source code and carried the printout away. Had he copied it to a floppy disk, the result may have been different – the statute did not include the theft of patterned magnetic oxides on a substrate.
Similarly, common sense says that breaking into a computer is conceptually no different than entering property without permission – it is trespass. But, criminal statutes define trespass as the "physical entry" onto property of another. Connecting to another person’s computer does not involve physical entry and does not violate traditional criminal trespass statutes. And further, looking at another person’s files – even confidential ones – is not a breach of any traditional criminal law. As a result, most states have passed specific laws dealing with "computer trespass" and "unauthorized access."
Tune in Next Time… I hope it’s clear by now that although computer-related criminal conduct is simply a variation on age-old themes, the fact that it is often done almost spectrally, without physical intrusion or taking of material goods, sets it outside traditional criminal law. How have the courts dealt with this problem? In the next segment of this series, I’ll expand on this information and introduce the basic principles of criminal law. After that, we’ll turn our attention to U.S. federal and state computer laws with a focus on crimes committed via the Internet or other online methods.
[Brady Johnson is a Seattle attorney who focuses his practice on criminal law, plaintiff personal injury, and civil rights. He currently has a civil rights case pending before the U.S. Supreme Court.]