Cybercrime

Charles R. Nesson

Last Updated: June 15, 2001

Table of Contents

Introduction
Case Studies and Readings
Further Discussion Topics
Further Reading


Introduction

"Cyber crime" is not a rigorously defined concept. For our purposes, consider it to embrace criminal acts that can be accomplished while sitting at a computer keyboard. Such acts include gaining unauthorized access to computer files; disrupting the operation of remote computers with viruses, worms, logic bombs, Trojan horses, and denial of service attacks; distributing and creating child pornography; stealing another's identity; selling contraband; and stalking victims. Cyber crime is cheap to commit (if one has the know-how to do it), hard to detect (if one knows how to erase one's tracks), and often hard to locate in jurisdictional terms, given the geographical indeterminacy of the net.

Our purpose in considering the subject of cyber crime is not to catalog it exhaustively, but rather to raise and consider questions of particular interest that are presented by cyber methodologies of committing crimes. The most interesting questions arise at the points where criminal opportunities presented by the new technologies stretch the bounds of our criminal law.



Case Studies and Readings

Case Study 1: Cyberstalking
Case Study 2: Virtual Porn
Case Study 3: Hacking
Case Study 4: Where Did It Happen?
Case Study 5: Enforcement Across Borders


Case Study 1: Cyberstalking

Excerpts from Radosevich, Thwarting The Stalker: Are Anti-Stalking Measures Keeping Pace with Today's Stalker?, 2000 U. Ill. L. Rev. 1371 (2000) [Citations omitted]

Scope of the Problem

In the United States, recent data suggest that stalkers terrorize approximately one million women each year. Although stalking is not necessarily a gender-specific crime, seventy-five to eighty percent of stalking cases involve a male stalking a female. In addition, only a minority of stalking victims are celebrities; the majority of targets are ordinary citizens. Estimates from the early 1990s indicate ordinary citizens account for fifty-one percent of stalking targets but celebrities comprise only seventeen percent of all stalking victims; the remaining thirty-two percent of stalking victims are lesser-known entertainment figures....

As the Internet and other electronic communications technologies permeate virtually every aspect of society, electronic stalking has been increasing as well, although no detailed statistics have been developed for this phenomenon. However, both electronic harassment and stalking also seem to target women as victims. "In a 1993 survey of 500 members of Systers, an electronic mailing list for women in computer science, twenty percent of the respondents reported having been the targets of sexual harassment on-line."

The term "cyberstalking" has been coined to refer to the use of the Internet, e-mail, or other electronic communications devices to stalk another person. Because of the emerging nature of this form of stalking, the available evidence of cyberstalking is still largely anecdotal, but it suggests that the majority of cyberstalkers are men and the majority of their victims are women. As in off-line stalking, in many on-line cases, the cyberstalker and the victim had a prior relationship, and when the victim attempts to end the relationship, the cyberstalking begins.

Preliminary evidence on cyberstalking has come from incidents handled by state law-enforcement agencies. For example, the Stalking and Threat Assessment Unit of the Los Angeles District Attorney's Office has estimated that e-mail or other electronic communications were a factor in approximately twenty percent of the roughly 600 cases handled by the unit. About twenty percent of the cases handled by the Sex Crimes Unit in the Manhattan District Attorney's Office involved cyberstalking. Finally, by 1999, an estimated forty percent of the caseload in the Computer Investigations and Technology Unit of the New York City Police Department involved electronic threats or harassment, and "virtually all of these... occurred in the past three or four years." ...

Problems Unique to Cyberstalking Cases

"Stalkers harness the tremendous power of the Web to learn about their prey and to broadcast false information about the people they target. And the Internet - the same tool they use to investigate and spread terror - provides stalkers with almost impenetrable anonymity." In cyberspace, stalking and harassment may occur via e-mail and through user participation in news groups, bulletin boards, and chat rooms. One major difference from off-line stalking is that cyberstalkers can also dupe other Internet users into harassing or threatening victims. For example, a cyberstalker may post an inflammatory message to a bulletin board using the name, phone number, or e-mail address of the victim. Each subsequent response to the victim, whether from the actual cyberstalker or others, will have the intended effect on the victim, but the cyberstalker's effort is minimal.

The veil of anonymity offered by the Internet also puts the cyberstalker at an advantage. Internet users can conceal their true identity by using different Internet Service Providers (ISPs) and/or by adopting different screen names. When an individual creates an electronic mailbox through a web site on the Internet, most ISPs request some identifying information from the user, but rarely do the ISPs authenticate or confirm this information. If the services require payment, the user can typically pay in advance with a nontraceable form of payment, such as a money order. As long as payment is received in advance, the ISP has little incentive to verify any information given and will simply provide service to the account holder. Cyberstalkers can also change their screen names and use "mail servers that purposefully strip identifying information and transport headers from electronic mail." Stalkers can make the message nearly perfectly anonymous by first forwarding their mail through several of these types of servers.

Although ISPs are beginning to receive more complaints about harassing and threatening behavior on-line, they have yet to pay much attention to these types of complaints. On-line industry associations assert that providing more attentive protection to their customers (informing them as to the ISP's complaint procedures, the policies as to what constitutes prohibited harassment, and the ISP's follow-up procedures) would be costly and difficult. They argue that "no attempt to impose cyberstalking reporting or response requirements should be made unless fully justified," yet they assert that "the decentralized nature of the Internet would make it difficult for providers to collect and submit such data."

The anonymity of the cyberstalker's threat and potential lack of direct conduct between the stalker and the victim can be particularly ominous to a cyberstalking victim, and make it more difficult for ISPs and law enforcement to identify, locate, and arrest the stalker. Also, with the knowledge that they are anonymous, cyberstalkers might be more willing to pursue their victims, using additional information easily gleaned from the Internet. Furthermore, Internet web sites provide great assistance and resources to off-line stalkers and cyberstalkers alike. Web sites can teach an individual how to stalk a woman and how to research her social security number, her home address, and her driver's license number.

Stalking, and particularly cyberstalking, is a growing social problem. Criminal anti-stalking statutes have provided a first-step toward eradicating this behavior. By using anti-stalking statutes in the criminal justice system, the state controls the prosecution of the stalker and must prove its case beyond a reasonable doubt. The primary benefit for a victim of stalking is that, with a conviction after a criminal trial, a judge or jury can sentence the stalker to prison. Jailing a defendant provides at least temporary safety for the victim. However, for some victims, their stalkers are able to escape direct prosecution for stalking by skirting the language of the state's stalking statute and engaging in some form of cyberstalking. Until broader language is implemented to cover the use of new information technologies and methodologies in stalking cases, victims may have to search for alternative solutions.

***

Discussion Problem:

David posted a message on a Yahoo! discussion board saying that Jane was available for sex any time of the day or night and listing her home phone number and home address. In the next week, Jane got as many as 25 calls a day, from as far away as Germany. Jane went to the authorities -- local, county, state, even the FBI -- trying to get help, but all said, "We have no idea how to help you."

"I felt like someone had broken into my house, touched all of my things, didn't take anything and left. I felt violated and scared for my life," said Jane.

Assuming that both David and Jane live in California, has David committed an offense under the following California statute?

Cal Pen Code 646.9: Stalking

"(a) Any person who willfully, maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety, or the safety of his or her immediate family, is guilty of the crime of stalking . . .

"(e) For the purposes of this section, 'harasses' means a knowing and willful course of conduct directed at a specific person that seriously alarms, annoys, torments, or terrorizes the person, and that serves no legitimate purpose. This course of conduct must be such as would cause a reasonable person to suffer substantial emotional distress, and must actually cause substantial emotional distress to the person.

"(f) For purposes of this section, 'course of conduct' means a pattern of conduct composed of a series of acts over a period of time, however short, evidencing a continuity of purpose. Constitutionally protected activity is not included within the meaning of 'course of conduct.'

"(g) For the purposes of this section, 'credible threat' means a verbal or written threat or a threat implied by a pattern of conduct or a combination of verbal or written statements and conduct made with the intent to place the person that is the target of the threat in reasonable fear for his or her safety or the safety of his or her family and made with the apparent ability to carry out the threat so as to cause the person who is the target of the threat to reasonably fear for his or her safety or the safety of his or her family. It is not necessary to prove that the defendant had the intent to actually carry out the threat. . . ."

***

What problems do you see in prosecuting David under this California statute?

To what extent would the following amendment to the statute meet the problems?

This statute provides in part that "credible threat" means a verbal or written threat, including that performed through the use of an electronic communication device, or a threat implied by a pattern of conduct or a combination of verbal, written, or electronically communicated statements and conduct made with the intent to place the person that is the target of the threat in reasonable fear for his or her safety or the safety of his or her family and made with the apparent ability to carry out the threat so as to cause the person who is the target of the threat to reasonably fear for his or her safety or the safety of his or her family. It is not necessary to prove that the defendant had the intent to actually carry out the threat.

Consider the so-called "Nuremberg Files", a web site that lists names of doctors who perform abortions in a manner that is highly threatening to them. (WARNING: This material is very graphic in nature and may be disturbing to many readers.  It is presented in order to provide a complete view of the facts of the case).




Legalized ABORTION:
the baby butchers and butchered

Legend:  Black font (working); Greyed-out Name (wounded); Strikethrough (fatality)

If you follow the hyperlinked names, Use Your "BACK" button to return to the list 

Gloria Aponte   Norman M. Neches (DC)
Lawson Akpalonu (CA) Ben Graber (FL) James Newhall (OR)
K. B. Send Us Information! Richard S. Newman (DC)

 

Could those responsible for this site be prosecuted for stalking? Does the broadening of stalking statutes suggested by Radosevich raise constitutional questions? You might consider, in this connection, the Ninth Circuit's opinion that the First Amendment to the Constitution protects the Nuremberg Files.

 



Case Study 2: Virtual Porn

The 1996 Child Pornography Prevention Act prohibits "visual depiction" that "appears to be" or "conveys the impression" of a minor engaging in sexually explicit conduct. By this act, Congress attempts to criminalize the transmission of digitally created pornographic images that merely look like children engaging in sexually explicit acts, even if no children are actually involved. Should the creation of and trafficking in such images be criminal? Is it within the constitutional power of Congress to make such acts criminal?

***

Excerpts from Burke, The Criminalization of Virtual Child Pornography: A Constitutional Question, 34 Harv. J. on Legis. 339 (1997) [Citations omitted]

Freedom of press is not the freedom for the thought you love the most. It's freedom for the thought you hate the most.

--Larry Flynt

...

I. THE CONSTITUTIONAL FRAMEWORK

A. New York v. Ferber and its Implications

New York v. Ferber examined the constitutionality of a New York criminal statute prohibiting persons from knowingly promoting sexual performances by minors by distributing materials that depict such performances, even if the materials were not legally obscene. In upholding the statute, the Court concluded that states were "entitled to greater leeway in the regulation of pornographic depictions of children" for five reasons.

First, the Court found the prevention of sexual exploitation and abuse of children to be a "government objective of surpassing importance" because it recognized the harm to the physiological, emotional, and mental health of the child. The second reason given by the Court was that a state legitimately could conclude that sexual abuse is linked to the distribution of child pornography. The third justification emphasized the integral role that the advertising and selling of child pornography plays in the production of such materials, "an activity [that is] illegal throughout the Nation." Fourth, the Court concluded that "the value of permitting live performances and photographic reproductions of children engaged in lewd sexual conduct is exceedingly modest, if not de minimis," and that the "First Amendment interest is limited to that of rendering the portrayal somewhat more 'realistic' by utilizing or photographing children." Fifth and finally, the Court held that creating another classification of speech outside of First Amendment protection, that is, nonobscene child pornography, was not incompatible with earlier decisions, particularly when the class of materials "bears so heavily and pervasively on the welfare of children engaged in its production."

In holding that child pornography did not enjoy First Amendment protection, the Court placed it on the same level as obscene adult pornography, yet altered the definition somewhat. Obscenity that is not protected under the First Amendment is defined in Miller v. California by a conjunctive inquiry into "(a) whether the 'average person, applying contemporary community standards' would find that the work, taken as a whole, appeals to the prurient interest [in sex]; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value."

The Ferber Court adjusted the Miller formulation by stipulating that the trier of fact (1) did not need to find that the material appeals to the prurient interest of the average person, (2) is not required to find that the sexual conduct portrayed be done in a patently offensive manner, and (3) need not consider the material at issue as a whole. While the definition of unprotected child pornography is not exact and to a degree shares the same difficulty in consistent application as that of Miller, the Court suggested that the statute at issue in Ferber is directed at the "hard core of child pornography" and that permissible educational, medical, or artistic works would amount to little more than "a tiny fraction of the materials within the statute's reach."

The Ferber Court found that suppression of this speech was justified by the state's compelling interest in protecting its children from sexual abuse, an interest that complements an overall constitutional framework favoring statutory provisions that promote and protect the interests of children. Even so, the Ferber Court restricted this new category of unprotected expression to laws aimed at works that "visually depict sexual conduct by children below a specific age" wherein the conduct proscribed is suitably limited and described.

Thus, the Ferber category of unprotected expression is by its terms limited to visual depictions of actual minors engaged in sexually explicit conduct. The Court expressly noted that "the distribution of descriptions or other depictions of sexual conduct, not otherwise obscene, which do not involve live performance or photographic or other visual reproduction of live performances, retains First Amendment protection." Further, in questioning whether visual depictions of children performing sexual acts or lewdly exhibiting their genitals would ever constitute an important part of any serious work, the Court suggested that if it were necessary for literary or artistic value, there are alternatives to the use of a child. Either a person over the statutory age who looked younger could be used or a "simulation outside of the prohibition of the statute" could be employed. That the Court envisioned the performance of actual children within its definition of child pornography is further intimated by a subsequent decision that defined the scienter requirement for a violation of federal child pornography law as including either an actual or constructive knowledge of the actors' minority.

The Supreme Court thus far has unequivocally defined child pornography in terms of child participation. In Ferber, the Court repeatedly used language such as "the use of children," "sexual abuse," "lewd sexual conduct," and "children engaged in its production," while it characterized the production of child pornography as "an activity illegal throughout the nation." Nevertheless, in its 1996 legislation Congress expanded the definition to include visual depictions that only appear to involve the participation of minors. Because the Ferber Court suggested to pornographers that simulations outside the statutory prohibition would be permissible, the issue is whether or not Congress constitutionally can include a simulation in the category of unprotected speech, and if so, to what degree. In other words, did the Court concentrate its ruling in Ferber on participation because the New York statute was thus limited, or did the Court, notwithstanding the statute, define child pornography in terms of participation as a matter of constitutional law?

B. Osborne v. Ohio: Less than Unprotected Speech

Eight years after Ferber, the Supreme Court in Osborne v. Ohio was confronted with an Ohio statute that criminalized the possession and viewing of child pornography. The issue presented was akin to that in Stanley v. Georgia with respect to obscenity. In Stanley, the Court held that a Georgia statute that punished the private possession of obscene materials violated the First and Fourteenth Amendments to the Constitution. The Court stressed the privacy interests of Stanley and his right "to read or observe what he pleases--the right to satisfy his intellectual and emotional needs in the privacy of his own home." Even though the material at issue was concededly obscene, the interests advanced by Georgia in suppressing it--that is, a fear unsubstantiated by empirical evidence that exposure would lead to deviant sexual behavior or crimes of sexual violence--did not override privacy considerations.

In contrast, in Osborne the Court found that Ohio did advance reasons that outweighed any privacy interest associated with the possession of child pornography. The Court concluded that three interests supported Ohio's criminalization of private possession. First, the Court followed Ferber in recognizing that the materials produced by child pornographers permanently recorded the victims' abuse, which would result in continuing harm to the child victims by haunting them for years to come. Second, because evidence suggested that pedophiles use child pornography to seduce children, the Court reasoned that the state could legitimately encourage the destruction of child pornography by banning its possession. Third, the Court found that it was reasonable for the state to conclude that production would decrease if demand decreased as a result of penalizing possession. While penalizing the possession of adult obscenity also would likely decrease demand and encourage its destruction, the State's overriding interest in the context of child pornography, that is, protecting the physical and psychological health of minors, is absent with respect to adult obscenity.

The Court's primary emphasis in Osborne centered on the possible exploitation of children as victims in the production of pornography. The gravity of its concern for the exploitative use of children not only justified the criminalization of the dissemination of child pornography, but its possession as well. Again, as in Ferber, the Court stressed the actual abuse of the child in the production of child pornography, suggesting that the essence of the definition involved the employment of minors in its production. The question then remains, did the Court concentrate its ruling in Osborne, as in Ferber, on participation because the Ohio statute was thus limited, or did the Court, notwithstanding the statute, define child pornography in terms of participation as a matter of constitutional law? Osborne suggests there is something more pernicious about child pornography than obscenity. Is it the conduct involved? Or is it the fact that the State's interest in suppression is greater with respect to child pornography than with respect to obscenity?

***

Discussion Problem:

Andy, an artist who works in multimedia, produces a series of depictions of a single scene in which a minor child is engaging in sexually explicit conduct. Andy intends these various depictions to be viewed all together as one piece of art, titled "Continuum." Continuum is a display from left to right of an oil painting that is impressionistic, an oil painting that is realist, a photograph of the realist oil painting, and a digital rendering that is completely realistic. Andy created each element of Continuum without the use of a model. No actual child was involved in any way in the production of the work. Bill, with Andy's permission, posts digital images of the separate panels of Continuum on a web site. Is the conduct of either Andy or Bill criminal?

***

The constitutionality of the federal statute criminalizing virtual porn is presently before the United States Supreme Court in Ashcroft v. Free Speech Coalition.


 


Case Study 3: Hacking

Hacking is the process of gaining unauthorized access to a computer system. Consider the following set of facts from United States v. Morris, 928 F.2d 504 (March 7, 2001):

In the fall of 1988, Morris was a first-year graduate student in Cornell University's computer science Ph.D. program. Through undergraduate work at Harvard and in various jobs he had acquired significant computer experience and expertise. When Morris entered Cornell, he was given an account on the computer at the Computer Science Division. This account gave him explicit authorization to use computers at Cornell. Morris engaged in various discussions with fellow graduate students about the security of computer networks and his ability to penetrate it.

In October 1988, Morris began work on a computer program, later known as the INTERNET "worm" or "virus." The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered. The tactic he selected was release of a worm into network computers. Morris designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. Morris released the worm into INTERNET, which is a group of national networks that connect university, governmental, and military computers around the country. The network permits communication and transfer of information between computers on the network.

Morris sought to program the INTERNET worm to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read, so that other programmers would not be able to "kill" the worm easily.

Morris also wanted to ensure that the worm did not copy itself onto a computer that already had a copy. Multiple copies of the worm on a computer would make the worm easier to detect and would bog down the system and ultimately cause the computer to crash. Therefore, Morris designed the worm to "ask" each computer whether it already had a copy of the worm. If it responded "no," then the worm would copy onto the computer; if it responded "yes," the worm would not duplicate. However, Morris was concerned that other programmers could kill the worm by programming their own computers to falsely respond "yes" to the question. To circumvent this protection, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two. This would have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of reinfection.

Morris identified four ways in which the worm could break into computers on the network:

(1) through a "hole" or "bug" (an error) in SEND MAIL, a computer program that transfers and receives electronic mail on a computer;
(2) through a bug in the "finger demon" program, a program that permits a person to obtain limited information about the users of another computer;
(3) through the "trusted hosts" feature, which permits a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and
(4) through a program of password guessing, whereby various combinations of letters are tried out in rapid sequence in the hope that one will be an authorized user's password, which is entered to permit whatever level of activity that user is authorized to perform.

On November 2, 1988, Morris released the worm from a computer at the Massachusetts Institute of Technology. MIT was selected to disguise the fact that the worm came from Morris at Cornell. Morris soon discovered that the worm was replicating and reinfecting machines at a much faster rate than he had anticipated. Ultimately, many machines at locations around the country either crashed or became "catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a solution. Eventually, they sent an anonymous message from Harvard over the network, instructing programmers how to kill the worm and prevent reinfection. However, because the network route was clogged, this message did not get through until it was too late. Computers were affected at numerous installations, including leading universities, military sites, and medical research facilities. The estimated cost of dealing with the worm at each installation ranged from $200 to more than $53,000.

Morris was found guilty, following a jury trial, of violating 18 U.S.C. 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.

Morris had relatively good intentions. Unlike Morris, most hackers do not. Or do they? Consider the following piece written by an individual known as The Mentor upon his arrest:

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering." "Damn kids. They're all alike." But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world. Mine is a world that begins with school. I'm smarter than most of the other kids, this crap they teach us bores me. "Damn underachiever. They're all alike." I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head." "Damn kid. Probably copied it. They're all alike." I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me, or feels threatened by me, or thinks I'm a smart ass, or doesn't like teaching and shouldn't be here. Damn kid. All he does is play games. They're all alike. And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike... You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. 
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

***

Discussion Problem:

Should intent to cause harm make a difference? Should Morris have been convicted? If the Mentor committed the same acts as Morris, would he deserve a greater sentence? Consider that most hackers are young; many are minors. Should this fact shape how the criminal law approaches the crime?



Case Study 4: Where Did It Happen?

18 U.S.C. Section 875(c) provides:

Whoever transmits in interstate or foreign commerce any communication containing any threat to kidnap any person or any threat to injure the person of another, shall be fined under this title or imprisoned not more than five years, or both.

On January 16, 1997, Mr. Kammersell, then nineteen years old, logged on to the Internet service provider (ISP) America Online ("AOL") from his home computer in Riverdale, Utah. Mr. Kammersell's girlfriend was employed at AOL's service center in Ogden, Utah. He sent a bomb threat to her computer terminal via "instant message," hoping that the threat would enable her to leave work early so they could go on a date. Mr. Kammersell claims that the jurisdictional element of 875(c) cannot be met if based solely on the route of the transmission, where the sender and recipient are both in the same state.

Every message sent via AOL automatically goes from the state of origin to AOL's main server in Virginia before going on to its final destination. This pattern of transmission is the same whether the communication is an electronic mail (e-mail) message or an instant message. When Kammersell sent the bomb threat, it was automatically transmitted through interstate telephone lines from his computer in Utah to the AOL server in Virginia and then back to Utah to his girlfriend's terminal at the Ogden service center.

Discussion Problem:

Should this make a difference?

Historically, state governments have asserted the primary responsibility for creating and enforcing criminal laws. Does the Internet call for a different approach? Should all computer crimes be considered federal? What role should the states play?



Case Study 5: Enforcement Across Borders

Excerpts from Michael A. Sussman, The Critical Challenges from International High-Tech and Computer-Related Crime at the Millennium, 9 Duke J. Comp. & Int'l L. 451 (1999) [Citations omitted]

THE CHALLENGES

Imagine this scene out of tomorrow's headlines: A hacker, going on-line through the Internet, breaks into computers that the Federal Aviation Administration (FAA) uses for air traffic control. He disrupts a regional air traffic network, and the disruption causes the crash of a DC-10 in the Rocky Mountains, killing all aboard. The FAA and the FBI know there has been a hacker intrusion, originating through the Internet, but nothing else. Since anyone can access the Internet from anywhere in the world, the FBI has no idea where the hacker may be located. Moreover, they do not know the motive of the attack or the identity of the attackers. Is it a terrorist group, targeting the United States and likely to strike again at any time, or is it a fourteen-year-old hacker whose prank has spun tragically out of control?

Let us follow this scenario a bit further. Within thirty minutes of the plane crash, the FBI tracks the source of the attack to an Internet Service Provider (ISP) in Germany. Assuming the worst, another attack could occur at any time, and hundreds of planes in flight over the United States are at risk. The next investigative step is to determine whether the ISP in Germany is a mere conduit, or whether the attack actually originated with a subscriber to that service. In either case, the FBI needs the assistance of the German ISP to help identify the source of the attack, but it is now 3:00 a.m. in Germany.

Does the FBI dare wait until morning in Europe to seek formal legal assistance from Germany or permission from the German government to continue its investigation within their borders?

Does the Department of Justice authorize the FBI's computer experts to conduct a search, without German consent, on the German ISP from their terminals in Washington?

Does the FBI agent need a U.S. court order to access private information overseas? What would be the reach of such an order?

If the FBI agent plows forward and accesses information from computers in Germany, will the German government be sympathetic to the U.S. plight, will the violation of German sovereignty be condemned, or both?

What are the diplomatic and foreign policy implications of the United States remotely (and without advance notice) conducting a search that may intrude into German sovereignty?

The legal and policy implications of possible "transborder searches," such as the one contemplated in this scenario, are quickly becoming a concern for law enforcement agencies around the globe as they grapple with new challenges posed by networked communications and new technologies. Traditional investigative procedures - and particularly the often cumbersome procedures that govern investigations at the international level - may not be adequate to meet the need in computer crime cases for immediate law enforcement action reaching beyond national borders. The globalization of criminal activity has created vexing problems that, in some cases, defy simple solutions....

...At a meeting of senior law enforcement officials from the G-8 countries in January 1997, Attorney General Reno stated:

"Until recently, computer crime has not received the emphasis that other international crimes have engendered. Even now, not all affected nations recognize the threat it poses to public safety or the need for international cooperation to effectively respond to the problem. Consequently, many countries have weak laws, or no laws, against computer hacking - a major obstacle to solving and to prosecuting computer crimes."

The solution to this problem is simple to state: "[countries] need to reach a consensus as to which computer and technology-related activities should be criminalized, and then commit to taking appropriate domestic actions." But it is not as easy to implement. An international "consensus" concerning the activities that universally should be criminalized may take time to develop. Meanwhile, individual countries that lack this kind of legislation will each have to pass new laws, an often cumbersome and time-consuming process. In the United States, for example, action by both the Congress and the President is required for new legislation.

***

Discussion Problem:

The FBI suspected Vasily Gorshkov, a Russian national, of being the person who broke into computer systems at several American corporations, then sent email to company officials demanding payment in exchange for not distributing or destroying sensitive data. To catch Gorshkov and prove his guilt, the FBI set up a sting operation. It created a shell computer security company called Invita in Seattle and invited Gorshkov to come to Seattle to test the Invita system by trying to hack into it. Gorshkov fell for the bait and accepted the challenge. Operating from a computer at the Invita office, he demonstrated his hacking skill by penetrating the security system. In doing so, however, he accessed hacking tools he kept on his home machine in Russia. All the while, the FBI secretly used a "sniffer" program that logs every keystroke a person types. Using passwords recorded by the "sniffer," the FBI then was able to enter the computers in Russia, where Gorshkov kept his data, and download immense amounts of information tying Gorshkov to the criminal extortion of the American companies.

In court documents, Gorshkov's lawyer has challenged the FBI's right to use that material, claiming his client's privacy was invaded because he did not consent to have his computer usage recorded. Gorshkov's lawyer contends the FBI should have obtained a search warrant before downloading the information. The investigators say they had to follow this procedure because they needed to secure the incriminating information before the suspect's Russian counterparts destroyed data.

How far can U.S. law enforcement go to catch non-citizens who break into American systems? Should countries have a right to conduct transborder searches of computers located in other countries to effectuate their own domestic laws?

Should the United States cooperate with German investigations into the dissemination of Neo-Nazi propaganda over the Internet into Germany when such propaganda is protected by the First Amendment in the United States? If not, can the U.S. complain when a country that does not criminalize the possession of child pornography refuses to cooperate with a U.S. criminal investigation into child pornography? Will the Internet create a "lowest common denominator" approach to enforcing computer crime laws, in which any country in the world can create a safe-haven that effectively blocks other countries from investigating computer crimes?



Further Discussion Topics

1. What conduct should be criminal in cyberspace? How is computer crime different from traditional crime?

2. When existing legal structures prove inadequate to deal with criminal activities, how should governments and individuals proceed? Should it be legal for a victim to "hack back"?

3. Some have proposed that tort law applied to internet service providers would be more effective than criminal law in handling computer crimes. The argument is that if ISPs are held liable for crimes committed on their networks, then they will more effectively police activity under their auspices. Furthermore, ISPs would have an incentive to implement new technologies, such as IPv6, that enhance accountability and traceability. Do you agree with this assessment? Is an ISP-policed Internet preferable to one supervised by the government? See Lee, et al, Electronic Commerce, Hackers, And The Search For Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L. J. 839 (1999).

4. Wire and mail fraud laws often serve as a "stopgap" measure when legislatures have failed to keep pace with technology. Prosecutors use these laws to indict individuals for actions that have not yet specifically been made criminal. Is this an appropriate way to handle the problem of lag time before legislatures recognize new cyber-crimes? If not, what is?

5. Judge Easterbrook makes the following argument: No law school offers a class entitled "The Law of the Horse." Such a course would be pointless: one would learn little about any substantive area of law by reading unrelated cases, some commercial, some tort, and all of which involved horses. Similarly, Easterbrook argues, cyber-law is meaningless as a separate discipline. Problems posed by technology can be solved using traditional approaches. Is this applicable in the area of cyber-crime? Or are the problems posed by technology qualitatively different? See Frank Easterbrook, Cyberspace and the Law of the Horse, 1996 U. Chi. Legal F. 207; Lawrence Lessig, The Law of the Horse: What Cyberlaw Might Teach, 113 Harv. L. Rev. 501 (December, 1999).

6. Can state governments effectively prosecute cyber-crimes? Is the prevalence of crimes in cyberspace an effective argument in favor of the federalization of crimes?



Further Reading

Dorothy E. Denning, Information Warfare and Security (1999)

David Goldstone & Betty Shave, International Dimensions of Crimes in Cyberspace, 22 Fordham Int'l L.J. 1924 (1999).

Department of Defense Office of the General Counsel, An Assessment of International Legal Issues in Information Operations (1999).

Neal Katyal, Criminal Law in Cyberspace, 149 U.Penn. L. Rev. 1003 (2001)

Wendy R. Leibowitz, Kid Stuff: Judges Having Hard Time with Computer Crime; Sentencing Standards Aren't Clear-Cut, 20 National Law Journal 45, July 6, 1998.

Draft Convention on Cyber-crime European Committee on Crime Problems, Committee of Experts on Crime in Cyber-Space, Draft Convention on Cyber-crime and Explanatory Memorandum Related Thereto, CDPC (2001) 2 Rev., Draft No. 27 Rev., May 25, 2001.

The Draft Convention on Cyber-crime will be submitted to the European Committee on Crime Problems (CDPC) at its 50th plenary session, June 18-22, 2001.



Berkman Center for Internet & Society