Article: computer crimes



Copyright (c) 2016 American Criminal Law Review

American Criminal Law Review
Fall, 2016
53 Am. Crim. L. Rev. 977
LENGTH: 10338 words


This Article discusses federal, state, and international approaches to computer-related criminal law. Section I defines computer crimes; Section II covers the constitutional and jurisdictional issues concerning computer crimes; Section III examines state approaches to battling computer crimes; Section IV discusses computer crime related treaties; and Section V culminates with enforcement challenges and related initiatives.

A. Defining Computer Crime

The U.S. Department of Justice ("DOJ") broadly defines computer-related crime--which is "interchangeably refer[red] to as 'computer crime,' 'cybercrime,' and 'network crime'"--as "those crimes that use or target computer networks." n1 While the term "computer crime" includes traditional crimes committed with the use of a computer, n2 it also encompasses technology-specific criminal behaviors, such as fraud involving devices and email. n3 To combat these crimes, prosecutors rely on technology-specific federal legislation, namely the Computer Fraud and Abuse Act, n4 as well as applications of conventional common law to activities in cyberspace. n5

[*980] It is challenging to calculate the total damage caused by computer crime because of (1) the difficulty of adequately defining it, n6 (2) victims' reluctance to report incidents for fear of losing customer confidence, n7 (3) the dual system of concurrent state and federal prosecution, n8 and (4) the difficulty of detection. n9 Despite this, computer crime seriously affects daily life and creates a large number of victims. In 2014, cybersecurity leaders from PricewaterhouseCoopers, the U.S. Secret Service, CSO Magazine, and the CERT Division of Carnegie Mellon's Software Engineering Institute evaluated survey responses from more than 500 executives of U.S. businesses, law enforcement services, and government agencies. n10 Their findings showed that seventy-seven percent of respondents detected a cybersecurity incident in the past twelve months, and thirty-four percent said the number of cybersecurity incidents increased over the previous year. n11

B. Types of Computer-Related Offenses

The DOJ divides computer-related crimes into three categories according to the computer's role as the object, subject, or instrument of the crime. n12

1. Object of Crime

First, a computer may be the "object" of a crime. n13 This category primarily refers to the theft of computer hardware or software. n14 Computer hardware theft is [*981] generally prosecuted under state theft or burglary statutes. n15 Under federal law, computer hardware theft may be prosecuted under 18 U.S.C. § 2314, which regulates the interstate transportation of stolen or fraudulently obtained goods. n16 Computer software theft is included in this category only if it is located on a tangible piece of hardware. n17

2. Subject of Crime

Second, a computer may be the "subject" of a crime. n18 In this category, the computer is akin to the pedestrian who is mugged or the house that is robbed; it is the subject of the attack and the site of any damage caused. This category includes spam, viruses, worms, Trojan horses, logic bombs, sniffers, distributed denial of service attacks, botnets, and unauthorized web bots or spiders. While these tools are used to commit crimes, the mere use of one of these tools does not constitute a crime by itself. Each of these subcategories is defined and discussed below.

In the past, malice or mischief rather than financial gain motivated most offenders in this category. n19 These types of crimes were frequently committed by juveniles, n20 disgruntled employees, n21 and professional hackers as a means of [*982] showing off their skills. n22 However, in recent years, an increasingly diverse group of individuals motivated by financial gain and sovereign state interests have committed crimes against computers. n23

a. Spam

Spam is unsolicited bulk commercial email. n24 In January 2016, more than fifty-three percent of all emails sent over the Internet were spam. n25 Spam emails commonly advertise various products and services n26 and are used by hackers as a way of distributing viruses, spyware, and other malicious software. n27

b. Viruses

A virus is a "program that modifies other computer programs." n28 It usually spreads from one host to another when a user transmits an infected file by email, [*983] instant message, across a company's network, or by disk and USB drive. n29 A virus can also propagate through downloading files or illicit software from the Internet. n30 Unlike worms, viruses require human action to spread from one computer to the next. n31 Once infected, the virus can impair the computer's integrity by causing it to crash, deleting its files, or installing malicious software. n32 One of the most financially destructive computer viruses in history, the "Gozi" virus, infected at least one million computers, including 40,000 in the United States. n33 The virus, disguised to look like an innocent PDF document, secretly installed malicious software and began siphoning bank account numbers, usernames, and passwords, which the hackers used to transfer funds out of the victims' accounts. n34

c. Worms

Worms are similar to viruses, n35 but use computer networks or the Internet to self-replicate and "send themselves" to other users on the network without any user intervention. n36 Worms' ability to self-propagate renders them particularly difficult to neutralize. n37

d. Trojan Horses

Trojan horses, or simply "Trojans," are computer programs with legitimate functions that also contain hidden malicious code. n38 Like its namesake, a Trojan dupes a user into installing the seemingly innocent program on a computer system and then activates the hidden code, which may release a virus or allow an unauthorized user access to the system. n39

[*984] e. Logic Bombs

Logic bombs are programs that activate when a specific event occurs, such as the arrival of a particular date or time. n40 While they are often destructive, n41 logic bombs are commonly used as protective measures by software companies in order to disable programs upon detection of licensing agreement violations. n42

f. Sniffers

Sniffers, also known as network analyzers, can read electronic data as it travels through a network. n43 Network administrators use sniffers to monitor networks and troubleshoot network connections. n44 A hacker, however, can break into a network and install a sniffer that logs all activity across a network, including the exchange of passwords, credit card numbers, and other personal information. n45

g. Denial of Service Attacks

In a denial of service attack, hackers bombard the target website with an overwhelming number of simple requests for a connection, making the site unable to respond to legitimate users. n46 In distributed denial of service attacks, hackers use third-party networks to overwhelm websites and prevent them from communicating with other computers. n47

[*985] h. Botnets

A botnet, short for robot network, is a collection of compromised computers--numbered in the hundreds of thousands or even millions--under the remote command and control of a criminal "botherder." n48 A botherder typically uses these compromised computers, called "bots" or "zombies," to perform other activities, such as sending spam, n49 participating in distributed denial-of-service attacks, and committing identity theft. n50

i. Web Bots & Spiders

"Web bots" or "spiders" are data search and collection programs that can create searchable databases cataloguing a website's activities. n51 Although these functions are seemingly innocuous, too many spiders on the same website can effectively operate as a denial of service attack. n52 Moreover, they can steal data from the websites that they search. n53

j. Phishing Emails

Phishing involves sending mass emails to various persons, purportedly from a trusted source, n54 such as a bank or law enforcement agency, with messages [*986] intended to prompt the recipient to disclose sensitive information. n55 In the early versions of phishing, a recipient who clicked on the link embedded in the email would be presented with a fraudulent popup window or website requesting significant personal data, such as credit card information or log-in credentials. n56 In recent variations of phishing, once a person clicks on the embedded link and is taken to the infected website, malware on the website immediately downloads the malicious programs onto a computer, allowing the phishers to exploit data at a later date. n57 Hackers also often engage in more targeted phishing campaigns, such as spear phishing--which focuses on specific companies or organizations, n58 or whaling--which focuses on particularly valuable targets, often senior executives or high net worth individuals. n59

k. Rootkits

A rootkit is a set of software tools designed to conceal processes, files, or system data running on a computer. n60 It allows an intruder to maintain access to a computer undetected. n61 Rootkits can also be used for legitimate purposes, such as in the context of digital rights protection. n62 Either way, a rootkit modifies parts of a computer's operating system or installs itself as a driver or kernel module. n63

3. Instrument of Crime

In addition to being the object or subject of crime, a computer may also be an "instrument" used to commit traditional crimes. These traditional crimes include identity theft, n64 narcotics trafficking, n65 cyber-stalking, n66 distribution of child [*987] pornography, n67 "revenge porn," n68 copyright infringement, n69 and wire fraud. n70


A. Online Speech

The First Amendment protects and condemns the same forms of speech on the Internet that it does under traditional constitutional analysis. n71 Criminalization of speech, both online and traditional, raises constitutional concerns. The courts, however, have carved out specific exceptions for threat speech, child pornography, and spam, discussed below.

[*988] 1. Threat Speech

It is a federal crime to transmit through interstate commerce a threat to kidnap or injure anyone. n72 Of particular relevance to computer crimes, the First Amendment does not protect "true threats," n73 including those delivered by email message or public announcement on the Internet. n74 Courts disagree on how to define a "true threat." n75 Most courts use an objective test, which asks whether a reasonable person receiving the threat would believe it was a threat. n76 However, the Ninth Circuit n77 and several state supreme courts, relying on the Supreme Court's decision in Virginia v. Black, n78 employ a subjective test, which asks whether a reasonable speaker would foresee that the listener would interpret the speech as a threat of violence.

[*989] The Supreme Court heard oral arguments on this discrepancy in Elonis v. United States, but ultimately declined to resolve the Circuit split by deciding the case on Constitutional grounds. n79 The only point the Court made clear is a narrow statutory point that negligence with respect to the communication of a threat is not sufficient to support a conviction under 18 U.S.C. § 875(c). n80 After Elonis, lower courts still do not know whether the required mens rea for the "true threats" exception to the First Amendment is: 1) with the purpose of putting someone in fear; 2) knowing that the victim will be put in fear; 3) knowing there is a serious risk that the victim will be put in fear; or 4) covers all statements that a reasonable person would view as aimed at putting the victim in fear. n81

2. Child Pornography and Sexual Communication with Minors

Obscenity, including child pornography, is also not protected by the First Amendment. Federal statutes that have tried to expand protection of children by limiting the information that may be sent to them over the Internet, however, have infringed the First Amendment. n82 Under Reno v. American Civil Liberties Union, legislation will not withstand scrutiny if it requires web surfers or Internet content providers to estimate the age of those with whom they communicate or to tag their communications as potentially indecent or offensive prior to engaging in "cyberspeech." n83 The Court found that while it might be easier to protect children on the Internet compared to television or radio because users rarely come across content on the Internet accidentally and warnings often precede sexually explicit images, n84 the global nature of the Internet renders it difficult, if not impossible, for users to predict when their potentially offensive communications will reach a minor. n85 Consequently, Reno requires courts to apply unqualified First Amendment scrutiny to speech restrictions affecting the Internet. n86 Note that "unqualified" protection does not cover obscenity or child pornography, which the government may ban [*990] outright. n87 Under this standard, parts of several federal child pornography laws discussed below and all of the Child Online Protection Act of 1998 ("COPA") n88 have been struck down as unconstitutional. n89

a. Communications Decency Act of 1996

The Communications Decency Act of 1996 ("CDA"), or Title V of the Telecommunications Act of 1996, n90 originally prohibited the transmission of "indecent," n91 "patently offensive," n92 or "obscene" n93 material to minors over the Internet. In Reno v. American Civil Liberties Union, the Supreme Court struck down those portions of the statute that banned "indecent" and "patently offensive" images as vague and overbroad. n94 The rest of § 223(a), which bans transmission of obscene speech to minors, remains in effect. n95

Under § 223(a), knowing transmission of obscene speech or images to minors is punishable by a fine, imprisonment of up to two years, or both. n96 The United States Sentencing Guidelines ("Guidelines") set a base offense level of ten years for transportation of obscene matter, which is automatically increased if the obscene matter is transmitted to a minor, n97 if the distribution was intended to convince a minor to engage in prohibited sexual conduct, n98 if the offense is related to distribution of material for pecuniary gain, n99 or if the material portrays sadistic, masochistic conduct, or other depictions of violence. n100

[*991] b. Child Pornography Prevention Act of 1996

In 1996, Congress passed the Child Pornography Prevention Act n101 ("CPPA"), which criminalized the production, distribution, and receipt of computer-generated, sexual images of children. n102 The CPPA sought to prohibit computer transmission of erotic photographs of adults doctored to resemble children. n103 However, in April 2002, the Supreme Court held that two provisions of the statute, n104 which prohibited pornography that appeared to depict minors but actually depicted young-looking adults, n105 were unconstitutionally vague and overbroad. n106

In response, Congress passed the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today Act of 2003 ("PROTECT Act"). n107 The PROTECT Act includes a prohibition against advertisement, distribution, and solicitation of pornography that reflects a belief or induces others to believe that the material depicts real children. n108 After several circuit courts questioned the constitutionality of this provision under the reasoning of Ashcroft v. Free Speech Coalition, n109 the Supreme Court upheld the statute. n110

3. Spam

While levels of unsolicited commercial email ("spam") have declined in recent years, n111 it remains a significant problem with social media spam rising rapidly. n112 [*992] The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 n113 ("CAN-SPAM") was enacted to establish a national standard for electronic solicitations. n114

a. CAN-SPAM Provisions

CAN-SPAM has several key provisions that affect persons or companies sending commercial solicitations via email. n115 Section 1037 prohibits five well-known deceptive or fraudulent practices commonly used in commercial emails. n116 First, § 1037(a)(1) prohibits unauthorized use of a computer to send multiple commercial messages. n117 Second, § 1037(a)(2) prohibits sending multiple commercial messages with the intent to obfuscate the originator's identity. n118 Third, § 1037(a)(3) prohibits sending commercial emails using materially falsified header information. n119 Fourth, § 1037(a)(4) prohibits multiple commercial messages from accounts registered using false identities. n120 This provision is triggered when the user registers five or more electronic mail accounts or two or more domain names. n121 Like § 1037(a)(3), § 1037(a)(4) applies when a user "materially" falsifies information, which occurs when the information is hidden or modified in a way that would hinder efforts to identify, locate, or respond to the originator or to investigate alleged offenses rising from the message. n122 Finally, § 1037(a)(5) prohibits intentionally sending multiple commercial electronic messages from five or more IP addresses for which the user falsely represents himself as the registrant. n123 Section 1037 as a whole addresses practices involving "multiple" [*993] commercial electronic messages, which the section defines as exceeding 100 messages in a 24-hour period, 1000 messages in a 30-day period, or 10,000 messages over the course of a year. n124

Section 7704 further prohibits similar deceptive practices, requiring that commercial email include a method for the recipient to opt-out of future solicitations and that subject lines contain a warning if email contains sexually oriented material. n125

b. Penalties

CAN-SPAM has provisions for both fines and criminal penalties enforced by the Federal Trade Commission ("FTC") and the DOJ. n126 A violator of the act is subject to a fine of up to $16,000 for each violative email. n127 An individual may be subject to criminal penalties--including imprisonment--for using someone else's computer to send spam, using false information to create multiple email addresses, sending multiple spam messages while deceiving the recipient about the origin of the messages, generating email addresses through dictionary attacks, and using open relays and proxies to send spam. n128

4. Miscellaneous Exceptions

The First Amendment does not protect speech inciting "imminent lawless action" n129 or fighting words. n130 Harassment by email or on the Internet also falls outside the First Amendment, as long as the harassment is sufficiently persistent and malicious to inflict, or is motivated by a desire to cause, substantial emotional or physical harm n131 and is directed at a specific person. n132 Additionally, the Supreme Court has struck a balance between the First Amendment and defamation claims, rejecting strict liability and requiring the private plaintiff to prove some fault or injury rather than actual malice. n133

[*994] 5. Anonymous Speech

The First Amendment protects the right to speak anonymously. n134 Most cases dealing with anonymous Internet speech involve claims filed against unknown defendants for content posted anonymously to websites. n135 The primary cause of action in most anonymous speech cases is defamation, often combined with other causes of action, such as breach of contract and copyright or trademark violations. n136

There has been a good deal of discussion and debate recently about an anonymous speaker's right to assert a qualified privilege to remain anonymous in response to a plaintiff's desire to obtain his identity. n137 The standard for overcoming this privilege depends on the nature of the speech, n138 and the plaintiff bears the initial burden of meeting "heightened" pleading requirements in order to unmask the John Doe defendant. n139
