Charles R. Nesson and William Fisher

Table of Contents

Introduction

"Cybercrime" is not a rigorously defined concept. For our purposes, consider it to embrace criminal acts that can be accomplished while sitting at a computer keyboard. Such acts include gaining unauthorized access to computer files; disrupting the operation of remote computers with viruses, worms, logic bombs, Trojan horses, and denial of service attacks; distributing and creating child pornography; stealing another's identity; selling contraband; and stalking victims. Cybercrime is cheap to commit (if one has the know-how to do it), hard to detect (if one knows how to erase one's tracks), and often hard to locate in jurisdictional terms, given the geographical indeterminacy of the Net.

Our purpose in considering the subject of cybercrime is not to catalog it exhaustively, but rather to raise and consider questions of particular interest that are presented by cyber methodologies of committing crimes. The most interesting questions arise at the points where criminal opportunities presented by the new technologies stretch the bounds of our criminal law.

Case Studies and

Case Study 1: Cyberstalking
Case Study 4: Denial of Service Attacks and Attacks on Critical Infrastructure

Case Study 1: Cyberstalking

Excerpts from Radosevich, Thwarting The Stalker: Are Anti-Stalking Measures Keeping Pace with Today's Stalker?, 2000 U. Ill. L. Rev. 1371 (2000) [Citations omitted]

Scope of the Problem

In the

As the Internet and other electronic communications technologies permeate virtually every aspect of society, electronic stalking has been increasing as well, although no detailed statistics have been developed for this phenomenon. However, both electronic harassment and stalking also seem to target women as victims. "In a 1993 survey of 500 members of Systers, an electronic mailing list for women in computer science, twenty percent of the respondents reported having been the targets of sexual harassment on-line."
The term "cyberstalking" has been coined to refer to the use of the Internet, e-mail, or other electronic communications devices to stalk another person. Because of the emerging nature of this form of stalking, the available evidence of cyberstalking is still largely anecdotal, but it suggests that the majority of cyberstalkers are men and the majority of their victims are women. As in off-line stalking, in many on-line cases, the cyberstalker and the victim had a prior relationship, and when the victim attempts to end the relationship, the cyberstalking begins.

Preliminary evidence on cyberstalking has come from incidents handled by state law-enforcement agencies. For example, the Stalking and Threat Assessment Unit of the Los Angeles District Attorney's Office has estimated that e-mail or other electronic communications were a factor in approximately twenty percent of the roughly 600 cases handled by the unit. About twenty percent of the cases handled by the Sex Crimes Unit in the Manhattan District Attorney's Office involved cyberstalking. Finally, by 1999, an estimated forty percent of the caseload in the Computer Investigations and Technology Unit of the New York City Police Department involved electronic threats or harassment, and "virtually all of these... occurred in the past three or four years."

...

Problems Unique to Cyberstalking Cases

"Stalkers harness the tremendous power of the Web to learn about their prey and to broadcast false information about the people they target. And the Internet - the same tool they use to investigate and spread terror - provides stalkers with almost impenetrable anonymity."

In cyberspace, stalking and harassment may occur via e-mail and through user participation in news groups, bulletin boards, and chat rooms. One major difference from off-line stalking is that cyberstalkers can also dupe other Internet users into harassing or threatening victims.
For example, a cyberstalker may post an inflammatory message to a bulletin board using the name, phone number, or e-mail address of the victim. Each subsequent response to the victim, whether from the actual cyberstalker or others, will have the intended effect on the victim, but the cyberstalker's effort is minimal. The veil of anonymity offered by the Internet also puts the cyberstalker at an advantage. Internet users can conceal their true identity by using different Internet Service Providers (ISPs) and/or by adopting different screen names. When an individual creates an electronic mailbox through a web site on the Internet, most ISPs request some identifying information from the user, but rarely do the ISPs authenticate or confirm this information. If the services require payment, the user can typically pay in advance with a nontraceable form of payment, such as a money order. As long as payment is received in advance, the ISP has little incentive to verify any information given and will simply provide service to the account holder. Cyberstalkers can also change their screen names and use "mail servers that purposefully strip identifying information and transport headers from electronic mail." Stalkers can make the message nearly perfectly anonymous by first forwarding their mail through several of these types of servers. Although ISPs are beginning to receive more complaints about harassing and threatening behavior on-line, they have yet to pay much attention to these types of complaints. On-line industry associations assert that providing more attentive protection to their customers (informing them as to the ISP's complaint procedures, the policies as to what constitutes prohibited harassment, and the ISP's follow-up procedures) would be costly and difficult. 
They argue that "no attempt to impose cyberstalking reporting or response requirements should be made unless fully justified," yet they assert that "the decentralized nature of the Internet would make it difficult for providers to collect and submit such data."

The anonymity of the cyberstalker's threat and potential lack of direct conduct between the stalker and the victim can be particularly ominous to a cyberstalking victim, and make it more difficult for ISPs and law enforcement to identify, locate, and arrest the stalker. Also, with the knowledge that they are anonymous, cyberstalkers might be more willing to pursue their victims, using additional information easily gleaned from the Internet. Furthermore, Internet web sites provide great assistance and resources to off-line stalkers and cyberstalkers alike. Web sites can teach an individual how to stalk a woman and how to research her social security number, her home address, and her driver's license number.

Stalking, and particularly cyberstalking, is a growing social problem. Criminal anti-stalking statutes have provided a first step toward eradicating this behavior. By using anti-stalking statutes in the criminal justice system, the state controls the prosecution of the stalker and must prove its case beyond a reasonable doubt. The primary benefit for a victim of stalking is that, with a conviction after a criminal trial, a judge or jury can sentence the stalker to prison. Jailing a defendant provides at least temporary safety for the victim. However, for some victims, their stalkers are able to escape direct prosecution for stalking by skirting the language of the state's stalking statute and engaging in some form of cyberstalking. Until broader language is implemented to cover the use of new information technologies and methodologies in stalking cases, victims may have to search for alternative solutions.

***

Discussion Problem:

David posted a message on a Yahoo! discussion board saying that Jane was available for sex anytime of the day or night and listing her home phone number and home address. In the next week, Jane got as many as 25 calls a day, from as far away as

"I felt like someone had broken into my house, touched all of my things, didn't take anything and left. I felt violated and scared for my life," said Jane.

Assuming that both David and Jane live in

Cal Pen Code § 646.9 (2005): Stalking

"(a) Any person who willfully, maliciously, and repeatedly follows or willfully and maliciously harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety, or the safety of his or her immediate family, is guilty of the crime of stalking . . .

"(e) For the purposes of this section, 'harasses' means a knowing and willful course of conduct directed at a specific person that seriously alarms, annoys, torments, or terrorizes the person, and that serves no legitimate purpose.

"(f) For purposes of this section, 'course of conduct' means two or more acts occurring over a period of time, however short, evidencing a continuity of purpose. Constitutionally protected activity is not included within the meaning of 'course of conduct.'

"(g) For the purposes of this section, 'credible threat' means a verbal or written threat or a threat implied by a pattern of conduct or a combination of verbal or written statements and conduct made with the intent to place the person that is the target of the threat in reasonable fear for his or her safety or the safety of his or her family and made with the apparent ability to carry out the threat so as to cause the person who is the target of the threat to reasonably fear for his or her safety or the safety of his or her family. It is not necessary to prove that the defendant had the intent to actually carry out the threat. . . ."
***

What problems do you see in prosecuting David under this

To what extent would the following amendment to section (g) of the statute meet the problems? Cf. People v. Swanger, 2004

(g) This statute provides in part that "credible threat" means a verbal or written threat, including that performed through the use of an electronic communication device, or a threat implied by a pattern of conduct or a combination of verbal, written, or electronically communicated statements and conduct made with the intent to place the person that is the target of the threat in reasonable fear for his or her safety or the safety of his or her family and made with the apparent ability to carry out the threat so as to cause the person who is the target of the threat to reasonably fear for his or her safety or the safety of his or her family. It is not necessary to prove that the defendant had the intent to actually carry out the threat.

Consider the so-called "Nuremberg Files", a web site that lists names of doctors who perform abortions in a manner that could be considered as highly threatening to them. Although the web site has been taken down, its content poses some interesting questions. (WARNING: This material is very graphic in nature and may be disturbing to many readers. It is presented in order to provide a complete view of the facts of the case).
Legend: Black font (working); Greyed-out Name (wounded)
Could those responsible for this site be prosecuted for stalking? Do you believe the website constitutes a “true threat of force”? Would you think differently about this if you were told that each bit of information on this website is already available publicly elsewhere (albeit not collated or presented in the same manner)? Do the unique characteristics of the Internet alter your analysis?

Does the broadening of stalking statutes suggested by Radosevich, supra p.5, raise constitutional questions? You might consider, in this connection, the Ninth Circuit's opinion that the First Amendment to the Constitution protects the Nuremberg Files. Planned Parenthood of the Columbia/Willamette, Inc. v. Am. Coalition of Life Activists, 244 F.3d 1007 (9th Cir. 2001) available at http://cyber.law.harvard.edu/ilaw/Cybercrime/planned-parenthood.html. Please note that this case was reheard en banc by the Ninth Circuit where the majority decided that the Files did constitute a “true threat” and were not protected speech. Planned Parenthood of the Columbia/Willamette, Inc. v. Am. Coalition of Life Activists, 290 F.3d 1058 (9th Cir. Or. 2002) available at http://www.ca9.uscourts.gov/ca9/newopinions.nsf/A3AC4A8F164DA30288256BBA0080B31D/$file/9935320.pdf.

To further explore the issues raised by the Nuremberg Files click here and here.

Case Study 2: Virtual Porn

The 1996 Child Pornography Prevention Act (CPPA) prohibits "visual depiction" that "appears to be" or "conveys the impression" of a minor engaging in sexually explicit conduct. By this Act, Congress attempted to criminalize the transmission of digitally created pornographic images that merely look like children engaging in sexually explicit acts, even if no children are actually involved. Should the creation and trafficking in such images be a criminal offence? Is it within the constitutional power of Congress to make such acts criminal?
***

Excerpts from Burke, The Criminalization of Virtual Child Pornography: A Constitutional Question, 34 Harv. J. on Legis. 339 (1997) [Citations omitted]

Freedom of press is not the freedom for the thought you love the most. It's freedom for the thought you hate the most. --Larry Flynt

...

I. THE CONSTITUTIONAL FRAMEWORK

A. New York v. Ferber examined the constitutionality of a

First, the Court found the prevention of sexual exploitation and abuse of children to be a "government objective of surpassing importance" because it recognized the harm to the physiological, emotional, and mental health of the child. The second reason given by the Court was that a state legitimately could conclude that sexual abuse is linked to the distribution of child pornography. The third justification emphasized the integral role that the advertising and selling of child pornography plays in the production of such materials, "an activity [that is] illegal throughout the Nation." Fourth, the Court concluded that "the value of permitting live performances and photographic reproductions of children engaged in lewd sexual conduct is exceedingly modest, if not de minimis," and that the "First Amendment interest is limited to that of rendering the portrayal somewhat more 'realistic' by utilizing or photographing children." Fifth and finally, the Court held that creating another classification of speech outside of First Amendment protection, that is, nonobscene child pornography, was not incompatible with earlier decisions, particularly when the class of materials "bears so heavily and pervasively on the welfare of children engaged in its production."

In holding that child pornography did not enjoy First Amendment protection, the Court placed it on the same level as obscene adult pornography, yet altered the definition somewhat. Obscenity that is not protected under the First Amendment is defined in Miller v. California by a conjunctive inquiry into "(a) whether the 'average person, applying contemporary community standards' would find that the work, taken as a whole, appeals to the prurient interest [in sex]; (b) whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law; and (c) whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value." 413 U.S. 15 (1973), available at http://www.law.umkc.edu/faculty/projects/ftrials/conlaw/miller.html. The Ferber Court adjusted the Miller formulation in the context of child pornography by stipulating that the trier of fact (1) did not need to find that the material appeals to the prurient interest of the average person, (2) is not required to find that the sexual conduct portrayed be done in a patently offensive manner, and (3) need not consider the material at issue as a whole. Id. at 764-65.

While the definition of unprotected child pornography is not exact and to a degree shares the same difficulty in consistent application as that of Miller, the Court suggested that the statute at issue in Ferber is directed at the "hard core of child pornography" and that permissible educational, medical, or artistic works would amount to little more than "a tiny fraction of the materials within the statute's reach." The

Thus, the Ferber category of unprotected expression is by its terms limited to visual depictions of actual minors engaged in sexually explicit conduct. The Court expressly noted that "the distribution of descriptions or other depictions of sexual conduct, not otherwise obscene, which do not involve live performance or photographic or other visual reproduction of live performances, retains First Amendment protection."

The Supreme Court thus far has unequivocally defined child pornography in terms of child participation.
In Ferber, the Court repeatedly used language such as "the use of children," "sexual abuse," "lewd sexual conduct," and "children engaged in its production," while it characterized the production of child pornography as "an activity illegal throughout the nation." Nevertheless, in its 1996 legislation Congress expanded the definition to include visual depictions that only appear to involve the participation of minors. Because the

B. Osborne v.

Eight years after Ferber, the Supreme Court in Osborne v. Ohio was confronted with an

In contrast, in Osborne the Court found that

The Court's primary emphasis in Osborne centered on the possible exploitation of children as victims in the production of pornography. The gravity of its concern for the exploitative use of children not only justified the criminalization of the dissemination of child pornography, but its possession as well. Again, as in Ferber, the Court stressed the actual abuse of the child in the production of child pornography, suggesting that the essence of the definition involved the employment of minors in its production.

The question then remains, did the Court concentrate its ruling in Osborne, as in Ferber, on participation because the Ohio statute was thus limited, or did the Court, notwithstanding the statute, define child pornography in terms of participation as a matter of constitutional law? Osborne suggests there is something more pernicious about child pornography than obscenity. Is it the conduct involved? Or is it the fact that the State's interest in suppression is greater with respect to child pornography than with respect to obscenity?

***

Discussion Problem:

Andy, an artist who works in multimedia, produces a series of depictions of a single scene in which a minor child is engaging in sexually explicit conduct. Andy intends these various depictions to be viewed all together as one piece of art, titled "Continuum."
Continuum is a display from left to right of an oil painting that is impressionistic, an oil painting that is realist, a photograph of the realist oil painting, and a digital rendering that is completely realistic. Andy created each element of Continuum without the use of a model. No actual child was involved in any way in the production of the work. Bill, with Andy's permission, posts digital images of the separate panels of Continuum on a web site.

Is the conduct of either Andy or Bill criminal? Can you think of reasons why their conduct ought to be criminal/criminalized? What would be the counter-arguments to these? Think about these issues before you proceed to consider the Supreme Court’s opinion described below.

***

The Supreme Court’s verdict:

The United States Supreme Court, in Ashcroft v. Free Speech Coalition, adjudged that some of the key provisions of the CPPA were overbroad and therefore unconstitutional and that the creation, display and distribution of virtual child pornography constituted constitutionally protected speech. 535 U.S. 234 (2002), available at http://supct.law.cornell.edu/supct/html/00-795.ZS.html.

The question before the Court, as Justice Kennedy framed it, was “whether the CPPA is constitutional where it proscribes a significant universe of speech that is neither obscene under Miller nor actual child pornography under Ferber.” The crux of the majority’s objection to §§2256(8)(B)--outlawing any image that “is or appears to be of a minor engaging in sexually explicit conduct”--was that the provision bears only an attenuated relationship to the stated goal of protecting children from sexual abuse since actual children are not involved in the production of virtual pornographic images. See id. at 424-25.
Justice Kennedy, speaking for the majority, rejected a number of proposed justifications for the ban, including:

· that virtual child pornography is “intrinsically related” to sexual abuse of children (any causal link is “contingent and indirect”);
· that such material is necessarily without value (Ferber suggested that virtual images could be a lawful alternative for speech possessing literary or artistic value);
· that the images would be used to seduce children (“the Government cannot ban speech fit for adults simply because it may fall into the hands of children”)
· that it would “whet the appetites of pedophiles” (“[t]he Government ‘cannot constitutionally premise legislation on the desirability of controlling a person’s private thoughts’”)
· that prohibition of simulated images is necessary to eliminate the market for actual child pornography (if the former are dangerous because they are indistinguishable from the latter, then one would expect the licit to drive the illicit from the market);
· that difficulty in establishing the “authenticity” of actual child pornography at trial will hamper prosecution of the real crime (banning protected speech as a means of combating unprotected speech “turns the First Amendment upside down”)

[Case abstract from Neal Katyal, HLS course on Criminal Law Advanced: Computer Crime, Fall 2002, Outline]

Also consider the concurrence, the dissent and the other opinions linked to off this page.

Case Study 3: Hacking

Hacking is the process of gaining unauthorized access to a computer system. Consider the following set of facts from United States v. Morris, 928 F.2d 504 (2001):

In the fall of 1988, Morris was a first-year graduate student in

In October 1988, Morris began work on a computer program, later known as the INTERNET "worm" or "virus." The goal of this program was to demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects that Morris had discovered.
The tactic he selected was release of a worm into network computers. Morris designed the program to spread across a national network of computers after being inserted at one computer location connected to the network. Morris released the worm into INTERNET, which is a group of national networks that connect university, governmental, and military computers around the country. The network permits communication and transfer of information between computers on the network. Morris sought to program the INTERNET worm to spread widely without drawing attention to itself. The worm was supposed to occupy little computer operation time, and thus not interfere with normal use of the computers. Morris programmed the worm to make it difficult to detect and read, so that other programmers would not be able to "kill" the worm easily. Morris also wanted to ensure that the worm did not copy itself onto a computer that already had a copy. Multiple copies of the worm on a computer would make the worm easier to detect and would bog down the system and ultimately cause the computer to crash. Therefore, Morris designed the worm to "ask" each computer whether it already had a copy of the worm. If it responded "no," then the worm would copy onto the computer; if it responded "yes," the worm would not duplicate. However, Morris was concerned that other programmers could kill the worm by programming their own computers to falsely respond "yes" to the question. To circumvent this protection, Morris programmed the worm to duplicate itself every seventh time it received a "yes" response. As it turned out, Morris underestimated the number of times a computer would be asked the question, and his one-out-of-seven ratio resulted in far more copying than he had anticipated. The worm was also designed so that it would be killed when a computer was shut down, an event that typically occurs once every week or two. 
This would have prevented the worm from accumulating on one computer, had Morris correctly estimated the likely rate of re-infection.

Morris identified four ways in which the worm could break into computers on the network: (1) through a "hole" or "bug" (an error) in SEND MAIL, a computer program that transfers and receives electronic mail on a computer;

On

Morris was found guilty, following a jury trial, of violating 18 U.S.C. § 1030(a)(5)(A). He was sentenced to three years of probation, 400 hours of community service, a fine of $10,050, and the costs of his supervision.

Morris had relatively good intentions. Unlike Morris, most hackers do not. Or do they? Consider the following piece written by an individual known as The Mentor upon his arrest:

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering." "Damn kids. They're all alike."

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world.

Mine is a world that begins with school. I'm smarter than most of the other kids, this crap they teach us bores me. "Damn underachiever. They're all alike."

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head." "Damn kid. Probably copied it. They're all alike."

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me, or feels threatened by me, or thinks I'm a smart ass, or doesn't like teaching and shouldn't be here. Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

***

Discussion Problem:

Should intent to cause harm make a difference? Should the extent of harm caused make a difference to sentencing? What is the interplay between extent of harm and intent?
Should a certain amount/extent of harm be intended or should a perpetrator be held responsible for both intended and unintended effects of an intended act? Should Morris have been convicted? If the

Case Study 4: Denial of Service Attacks and attacks on Critical Infrastructure

Before proceeding with this case study, please read the following:

1. The text of United States Code Title 18 Section 1030 (Fraud and Related Activity in Connection with Computers)
2. United States Department of Justice, Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001 (Read especially the guidance on Section 814 of the USA Patriot Act which amends U.S. Code Title 18 Section 1030)
3. The Electronic Frontier Foundation's Analysis Of The Provisions Of The USA PATRIOT Act That Relate To Online Activities (

Denial of Service Attacks

Over the last few years, distributed denial of service (DDOS) attacks have generated a tremendous amount of concern from governments as well as the private sector. Hackers gain unauthorized access to a computer system(s) and place software code on it that renders that system a "master". The hackers also intrude into other networks and place malicious code, which converts those systems into agents (also known as "slaves"). Each master can control multiple agents. Network owners typically are unaware that these tools have been placed and reside on their systems. The masters are activated either remotely or by internal programming (such as a command to begin an attack at a prescribed time) and are used to send information to the agents, activating a DDOS attack. The agents then generate numerous requests to connect with various targeted websites. The agents will typically leave a fictitious or "spoofed" IP (Internet Protocol) address, thus providing a falsified identity as to the source of the request.
In layperson's terms, the agents request the same web page continuously and the volume of traffic is so high as to make the requested website inaccessible. Due to the volume of requests the targeted website's computer becomes overwhelmed in its efforts to acknowledge and complete a transaction with the sending computers. The targeted server must deny service to legitimate website visitors -- hence the term "Denial of Service". An analogy would be if someone launched an automated program to have thousands of phone calls placed to the same switchboard simultaneously. Many incoming callers would receive busy signals due to the high volume of telephone traffic.

In February 2000, news reports indicated that Yahoo, Cable News Network, eBay, Amazon.com, E*Trade, and Buy.com (among other sites) experienced distributed denial of service ("DDOS") attacks. The challenges to apprehending the suspects proved substantial. In many cases, the attackers used "spoofed" IP addresses, so that the address that appeared on the target's log was not the true address of the system that sent the messages.

The FBI was able to identify a 16-year-old Canadian teenager, known as "Mafiaboy", as a suspect by reviewing Internet chat room logs that showed Mafiaboy asking others what sites he should take down - before the sites were attacked. For example, there was discussion of a possible denial of service attack on CNN before CNN's site was taken down. Mafiaboy was arrested in April 2000. In January of 2001, Mafiaboy pleaded guilty to 56 counts of "mischief to data" in relation to the DDOS attacks from February 2000. He was charged with "a DDOS attack that brought down CNN.com, Amazon.com, eBay, Dell Computer and others between February 8 and 14, 2000." The teenager eventually received a sentence of eight months in detention followed by a year of probation for his actions. The judge also required him to donate $250 to charity.
Mafiaboy allegedly caused more than US $1.5 billion in damage in connection with the various DDOS attacks. In the Also in January 2001, an Alaskan resident, Scott Dennis, a former systems administrator for the United States District Court in

Critical Infrastructure

The United States government has become worried that international groups as well as terrorist organizations may use DDOS tools as well as other criminal methods as a form of political protest in cyberspace. The United States National Infrastructure Protection Center ("NIPC") has issued bulletins alerting government entities and the general public to the threat posed by such attacks. Such attacks are described as politically motivated because the sites that are attacked are in some way linked to the issues that the group is protesting.

Even more worrying are attacks on critical infrastructure (often privately owned), aimed at causing physical and economic harm to people and the economy. Consider a few incidents where critical infrastructures were actually affected through interference with computer systems.

Juvenile Computer Hacker Cuts Off FAA Tower
Aussie hacker jailed for sewage attacks
Internal glitches shut down Boston hospital for four days

Is the threat real? What is being done to counter this threat?

Mock cyberwar fails to end mock civilization
The National Cyberspace Strategy
For Clarke, a Career of Expecting the Worst

Discussion Questions:

One longstanding principle of criminal law is that criminal punishment should be reserved only for acts that are themselves harmful. Does the criminalization of DDOS attacks compromise this standard? Remember that a single request for a web page is, quite obviously, not criminal, while repeated requests to make a web page inaccessible are criminal. What distinguishes criminal from non-criminal acts here? Again, as we asked in Case Study 3, is intent relevant? When would an attempted (but failed) DDOS attack be “sufficiently” criminal?
Which parties have causes of action in case of a DDOS attack – the subject of the attack, the owners of the “zombie” computers? Is the threat of cyber-terrorism clear, present and serious? Does the Patriot Act go far enough or too far in dealing with this threat? Are the compromises on personal liberties that have been made justified by the collective interest in security? What is the best way for the Government to protect critical infrastructure when much of it is privately owned? Does online connectivity make the infrastructure providers more or less vulnerable? In what ways?
Case Study 5: Where Did It Happen?

18 U.S.C. Section 875(c) (1994), provides: Whoever transmits in interstate or foreign commerce any communication containing any threat to kidnap any person or any threat to injure the person of another, shall be fined under this title or imprisoned not more than five years, or both.

On Every message sent via AOL automatically goes from the state of origin to AOL's main server in

Compare United States v. Kammersell, 196 F.3d 1137 (10th Cir. 1999); United States v. Brown, 2005 U.S. App. LEXIS 4917 (10th Cir. 2005) with United States v. Paredes, 950 F. Supp. 584, 590 (S.D.N.Y. 1996), aff'd, 162 F.3d 1149 (2nd Cir. 1998) (table).

Discussion Problem:

Should this make a difference? Historically, state governments have asserted the primary responsibility for creating and enforcing criminal laws. Does the Internet call for a different approach? Should all computer crimes be considered federal? What role should the states play?

Case Study 6: Enforcement Across Borders

Excerpts from Michael A. Sussman, The Critical Challenges from International High-Tech and Computer-Related Crime at the Millennium, 9 Duke J. Comp. & Int'l L. 451 (1999) [Citations omitted]

THE CHALLENGES

Imagine this scene out of tomorrow's headlines: A hacker, going on-line through the Internet, breaks into computers that the Federal Aviation Administration (FAA) uses for air traffic control. He disrupts a regional air traffic network, and the disruption causes the crash of a DC-10 in the Let us follow this scenario a bit further.
Within thirty minutes of the plane crash, the FBI tracks the source of the attack to an Internet Service Provider (ISP) in Does the FBI dare wait until morning in Does the Department of Justice authorize the FBI's computer experts to conduct a search, without German consent, on the German ISP from their terminals in Does the FBI agent need a If the FBI agent plows forward and accesses information from computers in Germany, will the German government be sympathetic to the U.S. plight, will the violation of German sovereignty be condemned, or both? What are the diplomatic and foreign policy implications of the

The legal and policy implications of possible "transborder searches," such as the one contemplated in this scenario, are quickly becoming a concern for law enforcement agencies around the globe as they grapple with new challenges posed by networked communications and new technologies. Traditional investigative procedures - and particularly the often cumbersome procedures that govern investigations at the international level - may not be adequate to meet the need in computer crime cases for immediate law enforcement action reaching beyond national borders. The globalization of criminal activity has created vexing problems that, in some cases, defy simple solutions....

...At a meeting of senior law enforcement officials from the G-8 countries in January 1997, Attorney General Reno stated: "Until recently, computer crime has not received the emphasis that other international crimes have engendered. Even now, not all affected nations recognize the threat it poses to public safety or the need for international cooperation to effectively respond to the problem. Consequently, many countries have weak laws, or no laws, against computer hacking - a major obstacle to solving and to prosecuting computer crimes."
The solution to this problem is simple to state: "[countries] need to reach a consensus as to which computer and technology-related activities should be criminalized, and then commit to taking appropriate domestic actions." But it is not as easy to implement. An international "consensus" concerning the activities that universally should be criminalized may take time to develop. Meanwhile, individual countries that lack this kind of legislation will each have to pass new laws, an often cumbersome and time-consuming process. In the

***

Discussion Problem:

The FBI suspected Vasily Gorshkov, a Russian national, of being the person who broke into computer systems at several American corporations, then sent email to company officials demanding payment in exchange for not distributing or destroying sensitive data. To catch Gorshkov and prove his guilt, the FBI set up a sting operation. It created a shell computer security company called Invita in Seattle and invited Gorshkov to come to Gorshkov challenged the FBI's right to use that material as violating the Fourth Amendment, claiming his privacy was invaded because he did not consent to have his computer usage recorded. Gorshkov contended that the FBI should have obtained a search warrant before downloading the information. The investigators claimed that they had to follow the procedure they used because they needed to secure the incriminating information before Gorshkov’s Russian counterparts destroyed data.

On this issue, a Seattle District Court ruled that Gorshkov gave up “any expectation of privacy” by using computers in what he believed was the offices of a public company.
It was held that “[w]hen (the) defendant sat down at the networked computer … he knew that the systems administrator could and likely would monitor his activities.” Crucially, the court also held that the Fourth Amendment did not apply to the Russian computers, since they were the property of a non-resident and located outside the

Discussion Questions:

How far can/should Should the Consider this article about Sealand, an offshore haven in the North Sea. If the U.S. DoJ is dealing with a cyber-criminal seeking refuge in Sealand’s laws what legal/diplomatic/other options might be open to the DoJ? Consider how Sealand gets its own bandwidth? Is it worth putting pressure on third parties through co-operating governments?

1. What conduct should be criminal in cyberspace? How, if at all, is computer crime different from traditional crime? Do the differences make us need to rethink basic principles of criminal law or are computers merely new instruments by which the same old crimes are being committed? Does the anonymity of cyberspace mean that social norms are insufficiently enforced as a means of behavioural control? Does it matter that there is little, if any, cost of perpetration of cybercrime (and that this does not change with extent of damage caused or the seriousness of the offence)?

2. When existing legal structures prove inadequate to deal with criminal activities, how should governments and individuals proceed? Should it be legal for a victim to "hack back"? Should we try and find architectural (code based) solutions rather than legal ones? Would this, in turn, make these functionally equivalent (non-legislative) measures immune from constitutional challenge - hypothetically, if someone were to write software to ensure that all computer users would be unable to alter/manipulate visual images of children (rendering them incapable of creating virtual child pornography) would this amount to private, non-transparent law-making through software code?
Should we be wary of such attempts to constrain online behavior? For instance, Adobe Photoshop and other image-manipulation software producers have included “anti-counterfeiting code” to prevent the manipulation of currency.

3. Some have proposed that tort law applied to internet service providers (ISPs) would be more effective than criminal law in handling computer crimes. The argument is that if ISPs are held liable for crimes committed on their networks, then they will more effectively police activity under their auspices. Furthermore, ISPs would have an incentive to implement new technologies, such as IPv6, that enhance accountability and traceability. Do you agree with this assessment? Is an ISP-policed Internet preferable to one supervised by the government? See Lee, et al, Electronic Commerce, Hackers, And The Search For Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L. J. 839 (1999).

4. Wire and mail fraud laws often serve as a "stopgap" measure when legislatures have failed to keep pace with technology. Prosecutors use these laws to indict individuals for actions that have not yet specifically been made criminal. Is this an appropriate way to handle the problem of lag time before legislatures recognize new cyber-crimes? If not, what is?

5. Judge Easterbrook makes the following argument: No law school offers a class entitled "The Law of the Horse." Such a course would be pointless: one would learn little about any substantive area of law by reading unrelated cases, some commercial, some tort, and all of which involved horses. Similarly, Easterbrook argues, cyber-law is meaningless as a separate discipline. Problems posed by technology can be solved using traditional approaches. Is this applicable in the area of cyber-crime? Or are the problems posed by technology qualitatively different? See Frank Easterbrook, Cyberspace and the Law of the Horse, 1996 U. Chi. Legal F. 207; Lawrence Lessig, The Law of the Horse: What Cyberlaw Might Teach, 113 Harv. L.
Rev. 501 (December, 1999).

6. Can state governments effectively prosecute cyber-crimes? Is the prevalence of crimes in cyberspace an effective argument in favor of the federalization of crimes?

Further reading

Dorothy E. Denning, Information Warfare and Security (1999)

David Goldstone & Betty Shave, International Dimensions of Crimes in Cyberspace, 22 Fordham Int'l L.J. 1924 (1999).

Department of Defense Office of the General Counsel, An Assessment of International Legal Issues in Information Operations (1999).

Neal Katyal, Criminal Law in Cyberspace, 149 U.Penn. L. Rev. 1003 (2001) (Link to abstract)

Wendy R. Leibowitz, Kid Stuff: Judges Having Hard Time with Computer Crime; Sentencing Standards Aren't Clear-Cut, 20 National Law Journal 45, July 6, 1998.

The International Cybercrime Treaty

The ACLU’s Eight Reasons the US Should Reject the International Cybercrime Treaty.