|
Article Excerpt
I. INTRODUCTION
A. Defining Computer Crime B. Types of Computer-Related Offenses 1. Object of Crime 2. Subject of Crime a. Spam b. Viruses c. Worms d. Trojan Horses e. Logic Bombs f. Sniffers g. Denial of Service Attacks h. Web Bots & Spiders 3. Instrument of Crime II. GENERAL ISSUES A. Constitutional Issues 1. First Amendment 2. Fourth Amendment B. Other Issues III. FEDERAL APPROACHES A. Sentencing Guidelines B. Federal Statutes 1. Child Pornography Statutes a. Communications Decency Act of 1996 b. Child Pornography Prevention Act of 1996 2. Computer Fraud and Abuse Act a. Offenses Under the Statute b. Jurisdiction c. Defenses d. Penalties 3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 4. Copyright Statutes a. Criminal Copyright Infringement in the Copyright Act i. Defenses ii. Penalties b. Digital Millennium Copyright Act 5. Electronic Communications Privacy Act a. Stored Communications Act b. Title III (Wiretap Act) i. Defenses ii. Penalties c. Statutory Issues 6. Identity Theft a. Penalties 7. Wire Fraud Statute C. Enforcement IV. STATE APPROACHES A. Overview of State Criminal Codes B. Jurisdiction C. Enforcement V. INTERNATIONAL APPROACHES A. Issues B. Solutions
I. INTRODUCTION
This Article discusses federal, state, and international developments in computer-related criminal law. This Section defines computer crimes. Section II covers the constitutional issues concerning computer crimes. Section III describes the federal approaches used for prosecuting computer crime, and analyzes enforcement strategies. Section IV examines state approaches to battling computer Crime and the resulting federalism issues. Lastly, Section V addresses international approaches to regulating computer crimes.
A. Defining Computer Crime
The U.S. Department of Justice ("DOJ") broadly defines computer crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." (1) Because of the diversity of computer-related offenses, a narrower definition would be inadequate. While the term "computer crime" includes traditional crimes committed with the use of a computer, (2) the rapid emergence of computer technologies and the exponential expansion of the Internet (3) spawned a variety of new, technology-specific criminal behaviors that must also be included in the category of "computer crimes." (4) To combat these new criminal behaviors, Congress passed specialized legislation. (5)
Experts have had difficulty calculating the damage caused by computer crimes due to: the difficulty in adequately defining "computer crime;" (6) victims' reluctance to report incidents for fear of losing customer confidence; (7) the dual system of prosecution; (8) and the lack of detection. (9) In 2006, DOJ's Bureau of Justice Statistics and the Department of Homeland Security's National Cyber Security Division conducted a joint effort to estimate the number of cyber attacks and the number of incidents of fraud and theft of information. (10)
B. Types of Computer-Related Offenses
1. Object of Crime
DOJ divides computer-related crimes into three categories according to the computer's role in the particular crime. (11) First, a computer may be the "object" of a crime. (12) This category primarily refers to theft of computer hardware or software. Under state law, computer hardware theft is generally prosecuted under theft or burglary statutes. (13) Under federal law, computer hardware theft may be prosecuted under 18 U.S.C. [section] 2314, which regulates the interstate transportation of stolen or fraudulently obtained goods. (14) Computer software theft is only included in this category if it is located on a tangible piece of hardware because the theft of intangible software is not prosecutable under 18 U.S.C. [section] 2314.
2. Subject of Crime
Second, a computer may be the "subject" of a crime. (15) In this category, the computer is akin to the pedestrian who is mugged or the house that is robbed, it is the subject of the attack and the site of any damage caused. These are computer crimes for which there is generally no analogous traditional crime and for which special legislation is needed. This category encompasses spam, viruses, worms, Trojan horses, logic bombs, sniffers, distributed denial of service attacks, and unauthorized web bots or spiders. In the past, malice or mischief rather than financial gain motivated most offenders in this category. Now, many crimes are driven by personal profit or malice. (16) These types of crimes were frequently committed by juveniles, disgruntled employees, and professional hackers as a means of showing off their skills. (17) Disgruntled employees are widely thought to pose the biggest threat to company computer systems. (18) Teenage hackers remain a problem as well. (19) Courts have had a hard time finding appropriate punishments for teenage hackers. (20) In recent years, more of these crimes have been committed for financial gain. (21)
a. Spam
Spam is unsolicited bulk commercial email from a party with no preexisting business relationship. (22) Spam rates doubled in 2006, accounting for more than 90% of global email traffic by the end of the year. (23) Additionally, hackers often use spam as a way of distributing viruses, spyware, and other malicious software. (24)
b. Viruses
A virus is a program that modifies other computer programs, causing them to perform the task for which the virus was designed. (25) It usually spreads from one host to another when a user transmits an infected file by e-mail, over the Internet, across a company's network, or by disk. (26)
c. Worms
Worms are like viruses, but they use computer networks or the Internet to self-replicate and "send themselves" to other users, generally via e-mail, while viruses require human action to spread from one computer to the next. (27) Worms have far more destructive potential than viruses because they can spread so much faster. (28)
d. Trojan Horses
Trojan horses are programs with legitimate functions that also contain hidden malicious code. (29) Like its namesake, a Trojan horse dupes a user into installing the seemingly innocent program on his or her computer system and then activates the hidden code, which may release a virus or allow an unauthorized user access to the system. (30) Hackers use Trojan horses as the primary way they transmit viruses. (31)
e. Logic Bombs
Logic bombs are programs that activate when a specific event occurs, such as the arrival of a particular date or time. (32) They can be destructive but software companies commonly use them to protect against violation of licensing agreements by disabling the program upon detection of a violation. (33)
f. Sniffers
Sniffers, also known as network analyzers, can read electronic data as it travels through a network. (34) Network administrators use them to monitor networks and troubleshoot network connections. (35) Sniffers can help network administrators find and resolve network problems. (36) However, a hacker can break into a network and install a sniffer that logs all activity across a network, including the exchange of passwords, credit card numbers, and other personal information. (37)
g. Denial of Service Attacks
In a denial of service attack, hackers bombard the target website with an overwhelming number of simple requests for connection, thus rendering the site unable to respond to legitimate users. (38) In distributed denial of service attacks, hackers use the networks of innocent third parties to overwhelm websites and prevent them from communicating with other computers. (39) After breaking into several network systems, the individual makes one system the "Master" system and turns the others into agent systems. (40) Once activated, the Master directs the agents to launch a denial of service attack. (41) The use of third party "agents" makes it particularly difficult to identify the culprit. (42)
h. Web Bots & Spiders
"Web bots" or "spiders" are data search and collection programs that can create searchable databases that catalogue a website's activities. (43) Although seemingly innocuous, too many spiders on the same web site can effectively be a denial of service attack. In addition, they can steal data from the websites that they search. (44)
3. Instrument of Crime
Third, a computer may be an "instrument" used to commit traditional crimes. (45) These traditional crimes include identity theft, (46) child pornography, (47) copyright infringement, (48) and mail or wire fraud. (49)
II. GENERAL ISSUES
A. Constitutional Issues
This Section addresses general constitutional issues with computer crimes. Specific constitutional issues with federal and state statutes are discussed in the relevant Sections of this article. Constitutional issues related to computer crimes usually fall under either the First Amendment or the Fourth Amendment. There are also some federalism issues. In particular, there is a question as to how much the federal government can regulate intrastate behavior under the Commerce Clause. This is discussed more fully in the following Section on federal child pornography statutes. (50)
1. First Amendment
The First Amendment (51) protects the same forms of speech in cyberspace that it does in the real world. Hate speech and other forms of racist speech receive the same protection on the Internet as they have always received under traditional First Amendment analysis. (52) The guarantee of the First Amendment extends well beyond personally held beliefs to include speech that advocates conduct, even when that conduct is illegal. (53) Racist speech is also probably protected on the Internet, as it is not likely to fit within the "fighting words" exception to the First Amendment. (54)
There is an exception to this general free speech principle for "true threats," (55) such as sending threatening e-mail messages to a victim or even a public announcement on the Internet of an intention to commit an act that is racially motivated. (56) A similar exception exists for harassment on e-mail or the Internet, as long as it is sufficiently persistent and malicious as to inflict, or is motivated by desire to cause, substantial emotional or physical harm (57) and is directed at a specific person. (58) Child pornography is not protected either, but finding a sufficiently narrow description to prevent its spread on the Internet has proven difficult. (59)
Recently, the Virginia Supreme Court struck down a Virginia statute, which criminalized the falsification of identifying transmission information in unsolicited bulk e-mail messages (spam), as overly broad and infringing on the First Amendment right to engage in anonymous speech. (60) The court emphasized that the statute in question did not distinguish between commercial and non-commercial unsolicited e-mails, including those expressing political and religious messages. (61) Therefore, the statute could not survive strict scrutiny because it was not narrowly tailored to the compelling state interests, articulated in the federal CAN-SPAM Act, (62) of preserving the efficiency and convenience of e-mail. (63)
2. Fourth Amendment
A number of difficult Fourth Amendment (64) issues inhere in computer crimes. The Fourth Amendment prohibits unreasonable searches and seizures by the government. (65) However, what constitutes a search or seizure with respect to computers is not always clear. There is disagreement as to whether there should be a special approach created for computer-related searches and seizures, or whether it is adequate to draw comparisons from traditional Fourth Amendment analysis. (66) This section will examine how courts have defined a Fourth Amendment search and applied the warrant requirement in the context of computers.
The Supreme Court has held that a search occurs within the meaning of the Fourth Amendment when government actions violate an individual's legitimate or "reasonable" expectations of privacy. (67) Generally, a person has a reasonable expectation of privacy in a computer they own in their home, but this is less clear cut in the workplace. (68) Fourth Amendment issues may also arise when law enforcement intercepts address information on the Internet, such as e-mail addresses and website addresses. The Supreme Court has found that there is no expectation of privacy in the phone numbers someone dials. (69) Before 2001, the FBI routinely searched similar information on Internet communications without much mention of constitutional issues. (70) The Ninth Circuit has held that obtaining Internet address information by installing a surveillance program at the Internet Service Provider's ("ISP") facility is "constitutionally indistinguishable" from the use of a pen register and, therefore, Internet users have no expectation of privacy in such information. (71) The Fourth Circuit has similarly held that a criminal defendant has no reasonable expectation of privacy in the information he provides to his ISP. (72) Despite these decisions, and the implication of the changes made by the Patriot Act, the analogy to phone numbers does not necessarily follow. (73)
The use of investigative tools devised for eavesdropping on Internet communications may present additional Fourth Amendment questions. (74) The use of a keystroke logger system appears to be constitutional. (75) The constitutionality of other techniques, however, will likely be tested as the government discloses more information about both the nature of its capabilities and the frequency of their application.
Although the Fourth Amendment generally requires specificity in search warrants, broad search warrants have been upheld when addressed to computer crimes. (76) Broad searches have been justified as "about the narrowest definable search and seizure reasonably likely to obtain the [evidence]." (77) There is a circuit split as to whether law enforcement agents with a warrant may search and seize computer files even though doing so might cause seizure of contents having no relation to the crime being investigated. (78) There is also a split as to how the plain view exception (79) should apply to computer files. (80)
Another relevant Fourth Amendment issue is the doctrine of staleness, (81) which "applies when information proffered in support of a warrant application is so old that it casts doubt on whether the fruits or evidence of a crime will still be found at a particular location." (82) The durability of data and graphics stored on computer hardware has drastically extended the period after which the staleness doctrine applies. For example, the Ninth Circuit upheld the validity of a search warrant even though ten-month-old information supported it. (83)
In executing a warrant, agents may seize and search a disk, even if its label indicates that it is not within the scope of the warrant. (84) Agents may also search computer hardware and software when they have reason to believe that those items contain records covered by the warrant. (85) They may even remove the hardware and software from the owner's premises to conduct their examination. (86) They may not, however, seize peripheral items, such as printers, to assist them in their review of the seized items. (87) State courts have split on extending this principle to their search and seizure jurisprudence. (88)
B. Other Issues
In addition to constitutional obstacles, federal laws may interfere with computer crime statutes at both the federal and state level. Several laws intended to protect privacy have implications in computer crimes as well. For example, Title III applies to both the government and civilians in situations in which there are Fourth Amendment issues. (89) Title III applies to state actors as well and states may not legislate lower standards for interception, although they may set higher ones. (90)
Another complication arises as a result of additional protection for computer records provided by the Privacy Protection Act of 1980. (91) The statute requires police to obtain a subpoena prior to searching or seizing work product or other materials reasonably believed to pertain to public communications such as newspapers. (92) This protection does not include child pornography. (93) The Privacy Protection Act still applies to other material that may be public communications.
III. FEDERAL APPROACHES
This Section explores the major federal statutes, enforcement strategies, and constitutional issues regarding computer related crimes. The government can charge computer-related crimes under at least forty different federal statutes. (94) There are also a number of traditional criminal statutes whose application to computer crime is unclear. (95) In addition, the federal government has sometimes used the United States Sentencing Guidelines ("Guidelines") to enhance sentences for traditional crimes committed with the aid of computers. (96) This Section discusses the role of the Sentencing Guidelines in general, key federal statutes in the prosecution of computer crimes, and relevant enforcement efforts. Although the focus of this Article is the federal government's approach to prosecuting criminal computer offenses, past litigation has also sought civil remedies. (97)
A. Sentencing Guidelines
The Guidelines supplement the federal computer crime statutes and help determine how much of the maximum sentence a perpetrator should serve. (98) The Guidelines treat most computer crimes as economic crimes sentenced under [section] 2B 1.1. (99) The Guidelines also dictate "special skills" enhancements for particular crimes including computer crimes. (100)
B. Federal Statutes
Since 1984, Congress has pursued a dual approach to combating computer crime. The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (101) and subsequent amending acts (102) address crimes in which the computer is the "subject." This line of statutes culminated in the Computer Fraud and Abuse Act ("CFAA"), (103) which is discussed in detail in Section 2. The federal government's other approach to regulating computer crime has been to update traditional criminal statutes to reach similar crimes involving computers. (104)
1. Child Pornography Statutes
Federal child pornography statutes have not fared well under the First Amendment. In Reno v. American Civil Liberties Union, (105) the Supreme Court gave an unqualified level of First Amendment protection to Internet communications. (106) Under Reno, legislation will not withstand scrutiny if it requires web surfers or Internet content providers to estimate the age of those with whom they communicate or to tag their communications as potentially indecent or offensive, prior to engaging in "cyberspeech." (107) The Court found that less regulation is necessary to protect children on the Internet compared to television or radio because users rarely come across content on the Internet accidentally and warnings often precede sexually explicit images. (108) The global nature of the Internet also renders it difficult, if not impossible, for users to predict when their potentially offensive communications will reach a minor. (109) Consequently, Reno requires courts to apply unqualified First Amendment scrutiny to speech restrictions affecting the Internet. (110) Note that "unqualified" protection does not cover obscenity or child pornography, which the government may ban. (111) Under this standard, parts of several federal child pornography laws discussed below and all of the Child Online Protection Act of 1998 ("COPA"), (112) have been found unconstitutional. (113)
a. Communications Decency Act of 1996
The Communications Decency Act of 1996 ("CDA"), or Title V of the Telecommunications Act of 1996, (114) originally prohibited the transmission of "indecent," (115) "patently offensive," (116) or "obscene" (117) material to minors over the Internet. In Reno v. American Civil Liberties Union, (118) the Supreme Court struck down those portions of the statute that banned "indecent" (119) and "patently offensive" (120) images as being unconstitutionally vague and overbroad. (121) The rest of [section] 223(a), banning transmission of obscene speech to minors, remains in effect. (122)
Under [section] 223(a), knowing transmission of obscene speech or images to minors is punishable by a fine, imprisonment of up to two years, or both. (123) The Guidelines set a base offense level of ten for transportation of obscene matter, which is automatically increased by five levels if the obscene matter is transmitted to a minor. (124) A seven-level upward adjustment is mandated if the distribution was intended to convince a minor to engage in prohibited sexual conduct. (125) The base level of the offense can be raised no less than five levels if the offense is related to distribution of material for pecuniary gain. (126) If the material involved in the offense portrays sadistic, masochistic conduct, or other depictions of violence, the offense level increases by four. (127)
b. Child Pornography Prevention Act of 1996
In 1996, Congress passed the Child Pornography Prevention Act (128) ("CPPA"), which criminalized the production, distribution, and reception of computer-generated, sexual images of children. (129) Thus, CPPA sought to prohibit computer transmission of erotic photographs of adults doctored to resemble children. (130) However, in April 2002, the Supreme Court held two provisions of the statute, prohibiting pornography that appeared to depict minors, but in actuality depicted young-looking adults or virtual child pornography, unconstitutionally vague and overbroad. (131)
In response, Congress passed the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today Act of 2003 ("Protect Act"). (132) The PROTECT Act included a provision prohibiting advertisement, distribution, and...
|
