Computer Crime Research Center


Types of computer crime

Date: November 25, 2005
Source: Computer Crime Research Center
By: Scott Charney, Kent Alexander

... other countries to enact or strengthen their computer crime laws. In fact, other countries have been working both domestically and internationally in this area. Australia, Denmark, and the U.K. have recently arrested hackers who attacked U.S. computers, [47] and the Germans were responsible for the Cuckoo's Egg prosecutions. [48] Other countries have also been working closely with U.S. officials and share our concern about computer crime. [49] As part of this international effort, the Organization of Economic Cooperation and Development's (OECD) 1992 Guidelines for the Security of Information Systems call for prompt assistance from all parties in cases where information security has been breached. [50] Additionally, the Council of Europe's recent Recommendation R95 calls for "expedited and adequate procedures" so that evidence can be obtained internationally [51].

VI. EXISTING LAWS AND THE NEED FOR NEW ONES

As noted above, a computer crime may simply be a high-tech rendition of a traditional offense. Thus, as in other areas of federal criminal law, one individual act may violate several criminal statutes. For example, a computerized scheme designed to steal money from the government may constitute both wire fraud [52] and theft of government property. [53] Such conduct may also violate the Computer Fraud and Abuse Act, [54] a statute specifically tailored by Congress to address computer crimes.

Last amended on October 3, 1996, the Computer Fraud and Abuse Act contains eleven separate provisions designed to protect the confidentiality, integrity, and availability of data and systems. Section 1030(a)(1) protects the confidentiality of classified information. This provision makes it a crime to knowingly access a computer without or in excess of authorization and then obtain classified information. To constitute an offense, the actor must have reason to believe that such information could be used to the injury of the United States or to the advantage of any foreign nation, and the actor must either willfully send the information to a person not entitled to receive it or willfully retain the information and fail to return it to the government. This crime is a felony. [55]

Section 1030(a)(2) contains three separate provisions which protect the confidentiality of unclassified data. This section makes it a crime to access a computer without or in excess of authority and obtain (1) financial information from a financial institution or credit reporting company, (2) any information in the possession of the government, or (3) any private information where the defendant's conduct involves interstate or foreign commerce. It is important to note that "obtaining information" includes simply reading the material. It is not necessary that the information be physically moved or copied. [56]

The penalty for a violation of this section depends on the value of the information obtained, or the use to which the information is put. Merely obtaining the information is a misdemeanor, but the crime is a felony if the offense was committed for purposes of commercial advantage or private financial gain; the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or the value of the information obtained exceeds $5,000 [57].

Section 1030(a)(3) is a strict trespass provision protecting computers used full-time or part-time by the government. Any unauthorized access violates this statute, even if no damage is done or no property is stolen. If the computer is used only part-time by the government, the prosecution must show that the defendant's conduct affected the government's use of the computer [58].

Section 1030(a)(4) punishes those who use computers in schemes to defraud victims of property. This crime proscribes an individual from knowingly and with intent to defraud accessing a "protected computer" without or in excess of authorization, and by means of such conduct furthering the intended fraud and obtaining anything of value. There is an exception which provides that if the only thing obtained is less than $5,000 of computer time, this fraud provision does not apply. [59]

The term "protected computer" is significant. A protected computer is one used exclusively by the United States or a financial institution; one used partly by the United States or a financial institution, in which the defendant's conduct affects the government's or financial institution's operation of the computer; or any computer which is used in interstate or foreign commerce or communications. The last portion of this definition is extremely important because it allows a computer owned by a private company to be a "protected computer" and thus be protected by the statute [60].

Section 1030(a)(5) creates three separate offenses, two felonies and one misdemeanor, depending upon the intent and authority of the actor. Under this provision, whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage, without authorization, to a protected computer is guilty of a felony [61]. It does not matter whether the actor is an outsider (e.g., a hacker) or an insider (e.g., a disgruntled employee); anyone who intends to cause damage without authority can be prosecuted.

Damage is broadly defined to include any impairment to the integrity or availability of data, a program, a system, or information, that (1) causes loss aggregating to at least $5,000 in value during any one-year period to one or more individuals; (2) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (3) causes physical injury to any person; or (4) threatens public health or safety. [62]

The other two provisions of 1030(a)(5) govern access without authority; that is, they only cover outsiders. An individual who intentionally accesses a protected computer without authorization and, as a result of such conduct, recklessly causes damage is guilty of a felony [63]. By contrast, an individual who intentionally accesses a protected computer without authorization and, as a result of such conduct, causes damage is guilty of a misdemeanor when it cannot be shown that the damage caused was either intentional or reckless [64].

Section 1030(a)(6) prohibits trafficking in passwords or other similar information through which a computer may be accessed without authorization if such trafficking affects interstate or foreign commerce or such computer is used by or for the government. [65]

Section 1030(a)(7) punishes anyone who, with intent to extort any money or other thing of value from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer. This provision deals with a new threat: hackers who threaten to crash systems if not given system privileges, money, or other things of value. [66]

In addition, the sentencing provisions of the Computer Fraud and Abuse Act need to be amended. First and foremost, individuals convicted under 18 U.S.C. § 1030 are sentenced pursuant to United States Sentencing Guideline § 2F1.1. [67] In determining the appropriate sentence under that Guideline, the most significant factor is the amount of loss caused by the defendant. Yet many computer crimes involve nonfinancial harms such as invasion of privacy. For example, in one recent case, the defendants stole 176 credit reports from a credit reporting company, thus acquiring personal information on many unsuspecting individuals [68]. Working with the United States Sentencing Commission's Computer Fraud Working Group, [69] the Department is seeking to have such nonmonetary harms addressed by the sentencing court.

Moreover, under current law, someone who violates the statute more than once is subject to enhanced penalties only if the same subsection is violated twice. For example, if an individual violates the computer crime statute by committing fraud by computer [70] and later commits another computer crime offense by intentionally destroying medical records, [71] that individual is not a recidivist because the conduct violated two separate subsections. The law should provide that anyone who is convicted of committing a computer offense and later uses a computer for unlawful purposes again should be subjected to enhanced penalties.

The Department of Justice will, of course, press for other appropriate changes. We have noted in the past that the provision protecting classified government information has such an enhanced specific intent requirement [72] that prosecutors would rarely if ever charge it; similar conduct is punishable under 18 U.S.C. § 793(e),[73] an espionage statute, with a lesser intent requirement. Congress also needs to consider a forfeiture provision, one that will allow government authorities to take away the defendant's computer if it is used to commit a criminal offense. As we have seen in the drug and pornography areas, the ability to take away the instrumentalities of the crime provides an excellent deterrent to further transgressions. More than that, taking away the perpetrator's weapon simply evidences good old-fashioned common sense.

The move to an intangible environment also requires that we re-evaluate those statutes that rely on the movement of corporeal items before affixing liability. For example, in United States v. Brown, [74] the Tenth Circuit held that the Interstate Transportation of Stolen Property Statute [75] did not apply to the interstate transportation of source...


Copyright © 2001-2013 Computer Crime Research Center