Tuesday, December 11, 2007

Legal Meaning Is Not Everyday Meaning

Spam

Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail. Also known as "unsolicited commercial e-mail" (UCE), "unsolicited bulk e-mail" (UBE), "gray mail" and just plain "junk mail," the term is both a noun (the e-mail message) and a verb (to send it). Spam is mostly used to advertise products and sometimes to broadcast some political or social commentary.
The term was supposedly coined from a Monty Python comedy sketch in the early 1970s, in which every item on a restaurant menu contained SPAM, and there was nothing a customer could do to get a meal without it. The sketch was derived from the fact that in England during World War II, SPAM (Hormel's processed meat) was abundantly available while other foods were rationed. Many believe spam is an acronym for "sales promotional advertising mail" or "simultaneously posted advertising message."

Spyware

Software that monitors user activity without user knowledge or consent.

Phishing

"Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, phishers are able to convince up to 5% of recipients to respond to them." This interest group's mission is "to provide a resource for information on the problem and solutions for phishing and email fraud."

Pharming

Luring people to disclose sensitive information by using bogus emails and websites.

Spoofing attacks:

Brand spoofing: same as phishing.

Web spoofing: Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

IP spoofing: Inserting the IP address of an authorized user into the transmission of an unauthorized user in order to gain illegal access to a computer system. Routers and other firewall implementations can be programmed to identify this discrepancy.

URL Rewriting:

Rewriting all of the URLs on some Web page so that they point to the attacker's server rather than to some real server.

Man-in-the-middle attack

In cryptography, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims.

Everyday "Legal" Jargon

Cybercrime

Cybercrime is regarded as computer-mediated activities which are either illegal or considered illicit by certain parties and which can be conducted through global electronic networks.

International estimates indicate that cybercrime costs approximately $100 billion annually. In fact, only about 10% of all cybercrimes committed are actually reported and fewer than 2% result in a conviction. This is primarily due to two reasons. First, businesses and financial institutions feel that they have more to lose by reporting computer security breaches. They argue that customers will lose confidence in the company if business and financial transactions are known to be insecure. Second, a majority of cybercrime victims do not report crimes against them, assuming that law enforcement will provide little or no assistance....

Cyber-crime has reached epidemic proportions. More than 90 percent of the corporations and government agencies responding to a recent survey reported computer-security breaches. Disgruntled employees and hackers commit many cyber-crimes, and others are committed by con artists using the Web to perpetrate auction fraud, identity theft and other scams. Credit-card users are only liable for the first $50 of fraudulent charges, but financial institutions get hit hard. Identity thefts cost them $5.6 billion in losses and expenses. Some policymakers, wary of Internet-facilitated terrorist attacks, call for tough, new laws to prevent computer crimes. Others fear that such initiatives will trample on civil liberties. Still others want legislation to make Microsoft and other computer-software companies liable for damages caused by their software-security failures.

Leading financial institutions experienced a huge surge in the number of security attacks over the past year according to the Deloitte 2006 Global Security Survey released today. More than three-quarters (78%, up from 26% in 2005) of the world’s leading 150 institutions surveyed confirmed a security breach from outside the organization. "Almost half (49%, up from 35% in 2005) experienced at least one internal breach – confirming last year’s survey findings that internal breaches are an increasing threat." The fourth annual survey found that the top three most common attacks the global financial industry experienced over the past 12 months, both externally and internally, aimed to extort some form of monetary gain. "Phishing and pharming accounted for more than half (51%) of the external attacks, followed by spyware or malware utilisation (48%)." "Insider fraud (28%) and leakage of customer data (18%) were cited by respondents among the top three most common internal breaches."

"Cybercrime" is not a rigorously defined concept. For our purposes, consider it to embrace criminal acts that can be accomplished while sitting at a computer keyboard. Such acts include gaining unauthorized access to computer files; disrupting the operation of remote computers with viruses, worms, logic bombs, Trojan horses, and denial of service attacks; distributing and creating child pornography; stealing another's identity; selling contraband; and stalking victims. Cybercrime is cheap to commit (if one has the know-how to do it), hard to detect (if one knows how to erase one's tracks), and often hard to locate in jurisdictional terms, given the geographical indeterminacy of the Net.

Our purpose in considering the subject of cybercrime is not to catalog it exhaustively, but rather to raise and consider questions of particular interest that are presented by cyber methodologies of committing crimes. The most interesting questions arise at the points where criminal opportunities presented by the new technologies stretch the bounds of criminal law.

In the United States, cybercrimes are the focus of legislation adopted at both the state and federal levels. The U.S. Constitution allocates lawmaking authority between the two levels according to certain principles, one of which is that even when federal jurisdiction to legislate exists, federal legislation is appropriate only when federal intervention is required. And while federal legislative authority can pre-empt the states' ability to legislate in a given area, it rarely does, so it is not unusual for federal criminal laws to overlap with state prohibitions that address essentially the same issues.

There are a number of federal statutes which address varieties of cybercrimes. The omnibus federal cybercrime statute is 18 U.S. Code § 1030. This statute makes it an offense to do any of the following to and/or by means of a computer used by a financial institution, by the federal government or used in interstate or foreign commerce or communication:

gain unauthorized entry into a government computer and thereby discover information which is intended to remain confidential, information which the perpetrator either unlawfully discloses to someone not authorized to receive it or retains in violation of the law;

gain unauthorized entry to a computer and thereby gain access to information to which the perpetrator is not entitled to have access;

gain unauthorized access to a computer and thereby furthers the perpetration of a fraud;

cause damage to a computer as the result either of gaining unauthorized access to it or of inserting a program, code or information into the computer; or

transmit, in interstate or foreign commerce, a threat to cause damage to a computer in order to extort money or property from a person or other legal entity.

Section 1462 of title 18 of the U.S. Code prohibits using a computer to import obscene material into the United States, while 18 U.S. Code Section 1463 outlaws using a computer to transport obscene material in interstate or foreign commerce. Section 2251 of title 18 of the U.S. Code makes it a crime to employ a minor in or induce a minor to participate in making a visual depiction of a sexually explicit act if the depiction was created using materials that had been transported (including transportation by computer) in interstate or foreign commerce. Section 2251(A) of title 18 of the U.S. Code prohibits using a computer to sell or transfer custody of a minor knowing the minor will be used to create a visual depiction of sexually explicit conduct. Sections 2252 and 2252(A) of title 18 of the U.S. Code make it a crime to use a computer to transport child pornography in interstate or foreign commerce.

Another statute - 18 U.S.C. § 1028 - makes it a crime to produce, transfer or possess a device, including a computer, that is intended to be used to falsify identification documents. Finally, 18 U.S.C. § 2319 makes it a federal offense to infringe a valid copyright. Many of the other statutes outlaw "traditional" crimes - such as threatening the President's life - and in so doing, encompass conduct that is committed via a computer.

While some suggest cybercrime legislation and enforcement should be reserved for federal authorities, there is a historical preference for having states play the primary role in criminal law enforcement and they are addressing cybercrimes. This paper surveys legislation the various states have adopted to that end.

Framework

Each of the fifty states is free to assert its own legislative idiosyncrasies. There is no formal mechanism - at either the state or federal level - which requires or even prods states to adopt uniform, consistent laws. There are model statutes, such as the Restatements, Uniform Acts and the Model Penal Code, that are drafted by private groups and offered to the states as examples, in the hope that states will adopt their provisions and thereby move closer to uniform legislation.
The framework utilized below, based on the Model State Computer Crimes Code, was created by organizing state cybercrime statutes into eight categories: procedural issues; non-sexual crimes against persons; sexual crimes; crimes involving computer intrusions and damage; fraud and theft crimes; forgery crimes; gambling and other crimes against public morality; and crimes against government.

A. Procedural Issues

Many states have adopted legislation that targets procedural issues involved in prosecuting cybercrimes. Some have added definitional sections that augment cybercrime-specific statutes and/or general criminal statutes. Others have adopted statutes which set offense levels and penalties for cybercrimes, establish time periods for commencing prosecution of cybercrimes, and address possible defenses to cybercrime charges.

Still others address jurisdiction. It can be difficult to apply traditional jurisdictional predicates - such as committing all or part of a crime within a state or "causing harm" to someone in a state through acts committed outside a state - to cybercrimes. In an effort to overcome these difficulties, states are devising different standards for cybercrimes. One approach declares that if someone perpetrates a crime by accessing a computer in another state, the offender will be "deemed to have personally accessed the computer" in both states and can be prosecuted in either state. Other states exercise jurisdiction if the "transmission that constitutes the offense" originates in that state or is received in it; Ohio asserts jurisdiction over one who allows "any writing, data [or] image... to be disseminated or transmitted into this state in violation of the law of this state." Some cyber-sex-crime laws base jurisdiction on the victim's presence within the prosecuting state and the defendant's awareness of facts which made the victim's presence within that state "a reasonable possibility;" others assert jurisdiction over one who commits "computer pornography" if the offense involved "a child residing in this state, or another person believed by the person to be a child residing in this state."

B. Non-sexual Crimes Against Persons

There are relatively few statutes dealing with non-sexual crimes against persons. No state, for example, has a "cyber-homicide" provision, though a few make it an offense to break into or tamper with a computer system and thereby cause the death of one or more persons or create a strong probability of causing death to one or more persons. Virginia makes it an offense to use "a computer or computer network without authority and with the intent to cause physical injury to an individual."

Only about sixteen states outlaw online stalking or harassment, and several of them require that an offender transmit a "credible threat" to injure the victim, the victim's family, or "any other person." Other statutes are broader, making it a crime to use a computer to "engage in a course of conduct" that would cause a "reasonable person" to "suffer intimidation or serious inconvenience, annoyance or alarm," as well as to fear death or injury to themselves or to members of their family. Some states have expanded their "obscene phone call" statutes so that they encompass using a telephone or an "electronic communication device" to contact someone and threaten to injure that person or his/her family, to use obscene language, or to make repeated contacts in an effort to annoy the person. Earlier this year, a New York court held that a similar provision encompassed harassing or threatening messages sent via the Internet. Bills have been introduced to make online stalking and/or harassment an offense in states where it is not currently outlawed.

C. Sexual Crimes

Next to the intrusion offenses discussed in the next section, sexual crimes account for the largest number of state cybercrime statutes. Most of the statutes are concerned with soliciting sex from minors or soliciting child pornography.

A number of states make it a crime to use a computer to solicit or lure a minor to engage in an "unlawful sex act." Since most, if not all, states have generic statutes that make it a crime for an adult to solicit sex from a child, and since these generic solicitation statutes would presumably encompass use of a computer for this purpose, these statutes appear to be redundant. States clearly do not agree, however, because bills have been introduced to add cyber-solicitation statutes to codes which do not already have them. For some reason, one state makes it a more serious offense to use a computer to solicit a child than to do so in person.

Several states make it a crime to use a computer to compile information about a child "for the purpose of facilitating, encouraging, offering or soliciting a prohibited sexual act" from that child. These statutes are part of an effort to outlaw child pornography. Many states prohibit using a computer to create, store and/or distribute child pornography, and many also prohibit using a computer to send obscene material to a child. Pennsylvania makes it an offense to use a computer to communicate with a child for the purpose of engaging in prostitution.

D. Crimes Involving Intrusion and Damage

By far the greatest number of state cybercrime statutes are concerned with computer intrusions and damage caused by intrusions. The intrusion statutes fall into two categories: trespass and vandalism statutes. Most states have a trespass ("hacking") statute which makes it a crime to purposely access a computer, computer system or network without authorization. Most states also have a vandalism ("cracking") statute which typically makes it a more serious crime to purposely access a computer without authorization and alter, damage or disrupt the operation of the computer and/or the data it contains. A few states add a "misuse of computer information" statute which prohibits copying, receiving or using information that was obtained by violating a hacking or cracking statute. New York has what is in effect a cyber-burglary statute that makes it a crime to break into a computer or computer system "with an intent to commit or attempt to commit or further the commission of any felony."

A few states outlaw the creation and transmission of viruses and other harmful programs, and bills to this effect have been introduced elsewhere. A handful make it a crime to introduce false information into a computer system for the purpose of "damaging or enhancing" someone's credit rating. A surprising number have created an "offense against computer equipment or supplies," which consists of modifying or destroying "equipment or supplies that are used or intended to be used in a computer, computer system, or computer network". Even more make it a crime to deny, disrupt, degrade, interrupt or cause the denial, disruption, degradation or interruption of computer services or of access to a computer. A few make it a crime to destroy computer equipment, and North Carolina makes it a crime to threaten to damage a computer or computer system in order "to extort money or any pecuniary advantage, or... to compel any person to do or refrain from doing any act against his will".

Several states outlaw "computer invasion of privacy," which consists of using a "computer or computer network with the intention of examining any employment, medical, salary, credit, or any other financial or personal data relating to any other person with knowledge that such examination is without authority". Others make it a crime to disclose someone else's computer password.

E. Fraud and Theft Crimes

A substantial number of states outlaw using computers to commit fraud, i.e., using a "computer, computer system, computer network, or any part thereof for the purpose of devising or executing any scheme or artifice to defraud" or for "obtaining money, property, or services by means of false or fraudulent pretenses, representations, or promises". States tend to incorporate embezzlement crimes into their computer fraud statutes, rather than creating separate "computer embezzlement" provisions.

A substantial number of states also outlaw "computer theft," which can encompass any of several discrete offenses: information theft; software theft; computer hardware theft; and theft of computer services. It can also encompass using a computer to commit a theft in a more traditional sense, e.g., to steal property other than data or computer hardware or software. A few states prohibit the unlawful possession of computer data and/or computer software.

Some states have enacted "identity theft" statutes, which make it a crime to "knowingly and with intent to defraud for economic benefit" obtain, possess, transfer, use or attempt "to obtain, possess, transfer or use, one or more identification documents or personal identification number of another person other than that issued lawfully for the use of the possessor." These statutes are not usually phrased as computer crime statutes, but they should qualify as cybercrimes because computers often play an intrinsic role in identity theft offenses.

F. Forgery Crimes

A few states outlaw computer forgery, which is defined as follows: "Any person who creates, alters, or deletes any data contained in any computer or computer network, who, if such person had created, altered, or deleted a tangible document or instrument would have committed forgery . . . shall be guilty of the crime of computer forgery." At least one state makes it a crime to possess "forgery devices," which include computers, computer equipment and computer software "specially designed or adapted to such use."

G. Gambling and Other Crimes Against Public Morality

Only one state has outlawed online gambling: Louisiana created the crime of "gambling by computer," which consists of conducting or assisting in conducting a "game, contest, lottery, or contrivance whereby a person risks the loss of anything of value . . . to realize a profit when accessing the Internet [or] World Wide Web . . . by way of any computer." The Louisiana statute also makes it a crime to develop, maintain or provide computer services, software "or any other product accessing the Internet, World Wide Web, or any part thereof offering to any client for the primary purpose of the conducting as a business of any game . . . whereby a person risks the loss of anything of value in order to realize a profit." Legislation targeting online gambling has been proposed in other states.

At least one state has adopted legislation dealing with purchases of alcoholic beverages via the Internet. Others have proposed legislation to this effect, and some have proposed legislation which would make it illegal to sell cigarettes via the Internet to citizens of that state.

H. Crimes Against Government

Only a few states have made it a crime to use computers to obstruct law enforcement or the provision of government services. Illinois forbids using a computer to cause a "disruption of or interference with vital services or operations of State or local government or a public utility." Several states make it a crime to use a computer to interrupt or impair the delivery of essential services (e.g., services of a public or private utility, medical services, communication services or government services) or to otherwise endanger public safety.

Some states make it a crime to use a computer to obtain information "with the state or any political subdivision which is by statute required to be kept confidential." West Virginia prohibits the unauthorized accessing of information stored in a computer owned by its state legislature. Rhode Island makes it a crime to use a computer to destroy evidence for the purpose of obstructing an official investigation. Utah makes it an offense to fail to report a computer crime.

Proposed legislation

Some effort is being made to outlaw posting personal information about law enforcement officers on the Internet, as this Arizona bill illustrates: "It is unlawful for a person to knowingly make available on the World Wide Web the personal information of a peace officer if the dissemination of the personal information poses an imminent and serious threat to the peace officer's safety or the safety of the peace officer's immediate family and the threat is reasonably apparent to the person making the information available." A California bill discusses the importance of preventing the disclosure of a peace officer's or appointed official's home address via the Internet.

An Ohio bill would make it a misdemeanor to let prisoners have access to the Internet unless they are participating in "an approved educational program with direct supervision that requires the use of the Internet for training or research" and the access is provided in accordance with rules to be established by the Department of Corrections. And several states have introduced legislation that would criminalize "spamming," e.g., the sending of unsolicited email. A New Jersey bill would increase the penalties for accessing and/or damaging a "home computer." The legislative history of the provision explains that it is needed because the state's cybercrimes statutes currently do not provide sufficient protection for home computer owners who are victimized by hackers or crackers, since they tend to concentrate on intrusions and damage to commercial systems.

Conclusion

A review of cybercrime legislation adopted by the various states of the United States of America is an instructive exercise, for several reasons. On the one hand, one would expect that, as one of the more technologically advanced countries in the world, the constituencies which comprise the United States of America would have adopted substantive cybercrime legislation that is at once comprehensive and uniform. Yet that is not the case: As the previous sections demonstrate, there is a great deal of variation - both in terms of coverage and in terms of approaches - in the cybercrime legislation adopted by the various states.

This variation is no doubt the product of several factors. One factor is certainly the relative rapidity with which cybercrime has emerged as a distinctive problem; because cybercrime is such a new phenomenon, states, unsurprisingly, vary widely in the speed with which they have addressed the types of conduct which can be defined as "cybercrime." Another factor is the ambiguity inherent in the whole concept of "cybercrime:" On the one hand, we are confronted with what seem to be entirely new kinds of criminal activity which require the adoption of new substantive criminal legislation; on the other hand, one can argue that we are simply dealing with "old wine in new bottles," e.g., with the use of the Internet and computer technology to facilitate the commission of long-extant crimes such as fraud. This ambiguity can, quite understandably, generate confusion and inaction among state legislators. And yet another factor is the complexity of the phenomena at issue; unlike much, if not most, of the criminal activity encountered in the "real world," the kinds of criminal activity that occur in cyberspace, in the "virtual world," can be quite complex and therefore can present significant challenges for legislators at both the state and federal level.

However, while one can justify the gaps that currently exist in state cybercrime legislation, this is not a situation that should continue, especially not in a country that prides itself on its technological advancement and expertise. Gaps in the law - especially in the law applicable to cybercrimes - benefit those who engage in socially-unacceptable conduct to exploit innocent persons. While this is an unacceptable state of affairs in the real, physical world, the effects of this failure-to-legislate can be particularly egregious when one is dealing with the cyber-world, in which individuals can be victimized by strangers, by persons whom they have never met, as to whose existence and motives they may well be quite ignorant and therefore as to whom they have no reason to be on notice, to be on guard and to attempt to take protective measures. Indeed, one aspect of the cyber-world is the essential futility discrete individuals encounter when trying to protect themselves from the often-creative depredations of online offenders.

Although the discrete states constituting the United States of America will necessarily encounter obstacles in their attempts to protect their citizens from these depredations, the enactment of adequate substantive cybercrime legislation is a necessary first step in the process. It is also an important symbolic gesture for other nations of the world, many of which are quite lacking in substantive cybercrime legislation. If the entities that comprise the United States of America do not, for example, adopt legislation making it a criminal offense to disseminate a computer virus, how can they condemn other nations for their failure to do so?

Ultimately, the adoption of substantive cybercrime legislation is a step taken toward recognizing that cybercrimes represent a new phenomenon in criminal activity: the globalization of criminal conduct. And the globalization of criminal conduct is a phenomenon which all jurisdictions - national as well as sub-national - must combine to combat.
