September 25, 2017

Criminal Enforcement: Introduction to Computer Crime

There is no universally accepted definition of “computer crime” or “cybercrime.”  Certainly not every crime committed with a computer or that involves the use of a computer can or should be labeled as such.  Indeed, given the almost ubiquitous nature of computers in modern life, if the definition of computer crime simply included the use of a computer then almost all crime could be defined as computer crime.  It is generally agreed however, that computers can be used in criminal activity in three ways.

First, a computer may be incidental to the crime, for example, where the defendant uses a computer to write a threatening letter or where a drug dealer uses a computer to keep a record of his transactions.  In these instances, a computer may provide law enforcement with valuable evidence of a crime.

Second, a computer may be used as the instrument or tool to offenses that occur in the physical world.  In these instances, the computer is often being used to further some form of more traditional crimes such as fraud, extortion, intellectual property violations, identity theft, child pornography, harassment, mail and wire fraud and various other crimes.  While these are not new crimes, the use of a computer may make the commission of such a crime much more easy and the prosecution more difficult under existing laws.  For example, a criminal can make an infinite number of counterfeit copyrighted works which can be transmitted anywhere in the world instantaneously.  Similarly, a child pornographer no longer has to be concerned about smuggling the illicit images through customs, but can simply download copies of such images from the Internet.

Third, a computer may be viewed as the subject or direct target of criminal activity.  This occurs when a criminal acts to illegally acquire information stored on the target system, to control the target system without authorization or payment, to alter the integrity of data, or to interfere with the availability of or damage the computer, server or communications device.  Examples of such crimes include computer hacking, computer viruses or worms, denial of service attacks, etc.  The individuals committing these crimes range from disgruntled insiders, hackers, organized crime groups, terrorists, foreign intelligence services and foreign militaries.

While it may be argued that this third category does not constitute a new type of crime because, for example, hacking can be analogized to trespass or burglary, this claim does not account for the real differences between the real world and the virtual world.  Prior to the invention of the computer and the rise of the Internet, an individual was required to have a physical presence within the country in which the crimes were committed, and the ability to commit a crime was limited by physical constraints such as the amount of property that could be physically carried or the number of houses that could be broken into within a day.  With a computer, an enterprising individual can cause tremendous damage to computer systems located anywhere in the world or can download vast amounts of information which may be worth far more than any physical property.  Criminals no longer need a physical  connection to a particular country  to commit a crime in that country.  Individuals can commit crimes remotely and anonymously, operating across national borders, leaving evidence of their activities just about anywhere in the world.  The crimes that fall under this category are really new types of crimes which cannot easily be prosecuted under traditional criminal statutes.  In response, Congress passed, in 1986, the Computer Fraud and Abuse Act  (“CFAA”), 18 U.S.C. section 1030, which has been amended numerous times since then.  [During my more than five years with the Computer Crime and Intellectual Property Section of the Criminal Division of the United States Department of Justice, I was involved in a number of investigations and prosecutions involving violations of this act.]

Computer Fraud and Abuse Act

The CFAA seeks to protect the confidentiality, integrity, and availability of data and systems.  The CFAA contains seven major provisions that create liability for different types of crimes against “protected computers”–those used in interstate or foreign commerce or communications, and any computer connected to the Internet.

1030(a)(1) Protection of Classified Government Information

Subsection 1030(a)(1) protects against the knowing access of government computers to obtain classified information.  This subsection criminalizes transmitting classified government information, to the detriment of the United States or to the benefit of a foreign country that was obtained by accessing government computer files without authority or by exceeding authority.  This specifically covers the conduct of a person who deliberately breaks into a computer without authority, or an insider who exceeds authorized access and thereby obtains classified information and then communicates the information to another person, or retains it without delivering it to the proper authorities with the belief that the classified information so obtained could be used to the injury of the United States or to the advantage of any foreign nation.

1030(a)(2) Protection of Financial, Government and Other Computer Information

Subsection 1030(a)(2) is concerned with the protection of information.  It prohibits the intentional access of a protected computer (essentially any computer connected to the Internet)without authorization or in excess of authorization for the purpose of obtaining information from financial institutions, the federal government, or private sector computers involved in interstate commerce or foreign communications.

1030(a)(3) Protection of Government Computer Systems

This subsection proscribes the intentional and unauthorized access of a United States department or agency non-public computer even when no information is obtained during such trespasses.  If the computer is not used exclusively by the government or a government agency, the illegal access must affect the government’s use of the computer in order to violate this subsection.

1030(a)(4) Unauthorized Use of Computers

This subsection addresses the access and fraudulent use of a protected computer (essentially any computer connected to the Internet).  It prohibits the unauthorized access of a protected computer, with the intent to defraud and obtain anything of value, including the use of the computer, if the value of the use exceeded $5,000.  This subsection therefore requires more than mere unauthorized use.  It also contains a “computer use” exception that exempts fraudulent conduct to obtain only the use of the computer where the computer use involved is less than $5,000 during any one-year period.

1030(a)(5) Protection from Damage to Computers

Subsection 1030(a)(5) generally applies to whomever knowingly or intentionally causes the transmission of a program, information, code, or command, and as a result of such conduct causes damage without authorization, to a protected computer.  Defendants can damage computers through a wide variety of actions, such as through a “denial of service attack” that prevents legitimate users from accessing the computer or by the transmission of a virus or worm that also makes the system unavailable to legitimate users.  This subsection is intended to address all of these situations.  The level of culpability under this provision depends upon the intent and authorization of the actor.

In particular, subsection 1030(a)(5)(A) criminalizes the knowing transmission of a program, information, code, or command, and as result of such conduct, intentionally causes damage without authorization, to a protected computer.  Thus this provision requires that the government establish beyond a reasonable doubt that the defendant “knowingly” cause the transmission of a program and “intentionally” cause damage.   This subsection applies to both insiders and outsiders; therefore, authorized users may be culpable for intentional damage to protected computers.  The dual mens rea requirement of 1030(a)(5)(A)  stands in contrast to subsections 1030(a)(5)(B) and (a)(5)(C) that proscribe the intentional access, without authorization of a protected computer, but do not require an intent to cause damage and apply only to outsiders,  those individuals who have no authority to access the computer system.  Subsection 1030(a)(5)(B) requires that the action be reckless, while 1030(a)(5)(C) does not contain any intent on the part of the defendant; therefore, unauthorized users can be culpable even if their transmission was not intentional, but merely caused damage and loss.

1030(a)(6) Trafficking in Passwords

This subsection proscribes trafficking in passwords or other similar information that would permit access, without authorization, to a government computer, or if such trafficking would affect interstate commerce or foreign communications.

1030(a)(7) Protection from Threats Directed Against Computers

This subsection prohibits the transmission of any threat, in interstate or foreign commerce, to cause damage to a protected computer with the intent to extort something of value.  Essentially, this provision criminalizes threats by hackers to crash a system if not given system privileges, money or some other thing of value.

Chapter 7 of my book, Intellectual Property & Computer Crimes, (Law Journal Press 2003) provides a detailed analysis of 18 U.S.C. section 1030.