E Law Home Search Subscribe Issue Index Subject Index Author Index Title Index Murdoch University
E LAW | Murdoch University Electronic Journal of Law - Copyright Policy
Frames:
Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law

Author: Susan W Brenner BA, MA, JD
Professor of Law, University of Dayton School of Law
Subjects: Computer crimes - Prevention
Computer security
Privacy right of law and legislation (Other articles)
Issue: Volume 8, Number 2 (June 2001)
Category: Comment
Contents:

Cybercrime Investigation and Prosecution: The Role of Penal and Procedural Law

    Introduction

  1. The development of the Internet and the proliferation of computer technology has created new opportunities for those who would engage in illegal activity.[1] The rise of technology and online communication has not only produced a dramatic increase in the incidence of criminal activity, it has also resulted in the emergence of what appear to be some new varieties of criminal activity.[2] Both the increase in the incidence of criminal activity and the possible emergence of new varieties of criminal activity pose challenges for legal systems, as well as for law enforcement. [3]

  2. This article argues that law enforcement officials cannot effectively pursue cybercriminals unless they have the legal tools necessary to do so. These legal tools include an arsenal of well-defined cybercrime offenses for use in prosecuting
    cybercriminals and procedural rules governing evidence-gathering and investigation. [4]
    Because cybercrime is often transnational in character, offenders can take advantage of gaps in existing law to avoid apprehension and/or prosecution. [5] It is, therefore, important that every legal system take measures to ensure that its penal and procedural law is adequate to meet the challenges posed by cybercrimes.

  3. Section II of the article provides an overview of the problems cybercrimes pose for law enforcement officials. Section III reviews the kinds of offenses that qualify as cybercrimes and points out how existing law can be deficient in this regard, e.g., where penal law often fails to encompass the kinds of activities cybercriminals engage in. Section III also discusses the extent to which new laws are needed to address these activities and considers whether existing laws can be modified so that they are adequate for this purpose. Section IV briefly reviews some of the obstacles procedural law can present for the investigation and apprehension of cybercriminals. While the focus of the article is primarily on penal law, inadequacies in penal and procedural law can interact to allow cybercriminals to evade responsibility for their actions. Section IV therefore examines jurisdictional limitations and the difficulties that arise when the procedural laws of different countries place inconsistent and conflicting limitations on the evidence-gathering process.

  4. The primary focus of the article is on penal laws simply because there tends to be more consistency in the way countries define criminal offenses than there is in the area of procedural law. Much of this is due to simple empirical necessity: In order to maintain the level of internal stability a nation must enjoy to survive and prosper, each country must have penal laws that protect the safety of individuals ("crimes against persons"), that preserve the integrity of at least certain types of property ("crimes against property"), that prohibit interference with the legal system ("crimes against the administration of justice"), and that proscribe attacks on the government ("crimes against the state"). While each nation will vary in how it defines the discrete offenses that fall into these categories, one can assume a certain generic consistency in penal laws. That generic consistency makes it possible to discuss general strategies nations can employ in adapting their penal laws to deal with the problem of cybercrime. It is, however, not possible to postulate the same level of generic consistency with regard to procedural law; although there are empirical constancies in the procedures law enforcement uses when investigating and prosecuting crimes, nations vary widely in the legal constraints they place on these processes. For that reason, the discussion will note areas of procedural law that are important in dealing with cybercrimes, but this portion of the discussion will be more general than that in Section III, which deals with the penal law.

    Cybercrime: An Overview of the Problem

  5. In early May of 2000, a computer virus known as the "love bug" emerged and spread rapidly around the globe. According to one report, the virus, which was designed to disseminate itself and to destroy various kinds of files on a victim's computer, "infected at least 270,000 computers in the first hours" after it was released.[6] The "love bug" forced the shutdown of computers at large corporations such as Ford Motor Company and Dow Chemical Company, as well as the computer system at the House of Lords.[7]

  6. After security experts determined that the virus had come from the Philippines, investigators from the Philippines and from the United States set about tracking down the person(s) who created and disseminated it. They were frustrated in this effort by the Philippines' lack of computer crime laws: For one thing, it took days for investigators to obtain a warrant to search the home of their primary suspect; local prosecutors had to comb through Philippines statutes to find laws that might apply to the dissemination of the virus, and then had to persuade a judge to issue a search warrant on the basis of one possibility.[8] For another, when a suspect-Onel de Guzman-was eventually apprehended, there were no laws criminalizing what he had done. The Philippines had no statutes making it a crime to break into a computer system, to disseminate a virus or other harmful software or to use a computer in an attempt to commit theft. Lacking the ability to charge de Guzman with precisely what he had done-e.g., with disseminating a virus-Philippine prosecutors charged him with theft and with violating a statute that covered credit card fraud.[9] Those charges were eventually dropped after the Department of Justice determined that "the credit card law [did] not apply to computer hacking and that investigators did not present adequate evidence to support the theft charge." [10]

  7. The "love bug" destroyed files and impeded e-mail traffic in more than twenty countries. [11] Some estimated that the virus caused $10 billion in damage, much of that in lost productivity.[12] The episode prompted the Philippines to adopt a cybercrime law that established fines and prison sentences for those hacked into computer systems and/or disseminated viruses or other harmful programs.[13] The new law could not be applied retroactively against the individual suspect of disseminating the "love bug" virus, so that crime went uncharged.[14]

  8. The "love bug" episode is instructive for those who are concerned about cybercrimes because it so clearly illustrates some of the problems this type of activity poses for law enforcement, i.e.:
    1. The lack of cybercrime-specific penal laws and/or the inadequacy of penal laws that were crafted to deal with criminal conduct occurring in the real, physical world, not in or by means of the virtual world of cyberspace;
    2. The lack of international agreements on cybercrimes which exacerbates the problems posed by the lack/inadequacy of local penal law and the oftenconflicting requirements local procedural laws;
    3. The difficulty of ascertaining which nation(s) has/have jurisdiction to prosecute a cybercriminal and, once this determination has been made, of asserting jurisdiction over that person;
    4. The difficulty of determining how many offenses have been committed, against whom and the damage resulting from those offenses.[15]

  9. Because of these and other issues, cybercrimes are a challenge for every nation, a challenge countries must address both individually and collectively.

  10. Individually, each nation must examine its own penal and procedural law to determine whether they are adequate for dealing with the so-far-identified varieties of cybercrimes. The "love bug" forced the Philippines to do this, at least insofar as its penal laws were concerned, and to adopt at least some remedial legislation. The Philippines government was forced to act, in large part, by the international outcry that arose as a result of the damage the "love bug" caused in other countries;[16] the virus seems to have had little effect within the Philippines. [17] But that is not always true; cybercriminals prey on their own countrymen as well as on people from other nations. Countries must, therefore, review their penal laws to ensure that they are adequate to protect their own citizens from cybercriminals, as it is not uncommon for internal prosecutions to fail for lack of applicable law.[18] If a country's review reveals that its penal laws are not adequate to deal with the so-far-identified varieties of cybercrime, it should immediately take steps to remedy the deficiencies, either by adopting new cybercrime-specific laws or by amending its existing laws so that they encompass cybercrimes.

  11. Because technology has made national borders permeable, cybercrime is not a phenomenon that can be dealt with only at the national level; as the "love bug" episode illustrates, with the emergence of cybercrimes we witness the correlate development of "remote offenders," perpetrators who can, while physically located in one country, easily wreak havoc in other nations. [19] International cooperation is required to deal with the cybercrime as a transnational phenomenon, e.g., with the offender who, working from a computer in County A, embezzles funds from a bank in County B or steals trade secrets from a corporation in County C.[20] If Country A does not have penal laws in place that outlaw the offender's conduct, we have a "love bug" scenario, e.g., the offender will not be prosecuted in his own country (indeed, he may even be regarded with admiration in his own country), [21] and Country A will not extradite him so he can be prosecuted in Country B and/or Country C.[22] Alternatively, if Country A has penal laws prohibiting the conduct at issue, it may allow the offender to be extradited to Country B or Country C, but its procedural laws may not allow/require it to give those countries access to critical evidence that is located in Country A, evidence without which prosecution may be a de facto impossibility.[23] Cybercrime cannot, therefore, be treated as a "local" phenomenon; when it comes to dealing with cybercrime, no country is an island.[24] Instead, nations must cooperate to deal with the problem of cybercrime by ensuring that cybercriminals cannot exploit gaps and loopholes in procedural laws to evade capture and prosecution.

    Penal Law: Old and New Offenses

  12. The previous section explained why countries need penal laws that adequately address cybercrime. But according to one estimate, over 100 countries do not have penal law adequate to deal with cybercrime.[25] And last year a study examined the penal laws of fifty-two countries and found that thirty-three of them had not "yet updated their laws to address any type of cyber crime." [26]

  13. What do assessments such as these actually establish? Both of these focused on whether the countries in question had adopted new cybercrime-specific penal laws,[27] especially laws targeting "high-profile" cybercrimes like hacking, virus dissemination, fraud and theft, [28] and both were no doubt accurate in their respective evaluations of these matters. But the real question is whether the assumption implicitly underlying these assessments and others like them, i.e., that new cybercrime-specific penal laws are needed to deal with the problems posed by computer-generated crime because traditional penal laws are inadequate for this purpose, [29] is correct. That assumption, which is widespread, rests on the premise that "cybercrime" is a distinct, unitary phenomenon, a new class of anti-social activity that cannot be dealt with through the application of extant laws.

  14. This premise and the assumption it gives rise to are in fact flawed, products of an oversimplification. As the remainder of this section demonstrates, "cybercrime" actually consists of a variety of discrete conduct, some of which can be reached under traditional penal law, some of which requires the modification of traditional penal law and some of which does, indeed, require the adoption of new penal laws. Rather than being a new phenomenon, "cybercrime" is simply the exploitation of a new technology to commit old crimes in new ways and, concededly, to engage in a limited variety of "new" types of criminal activity.[30]

  15. It might seem logical to structure the discussion which follows around these categories, i.e., to examine crimes that can be prosecuted under existing laws, crimes that can be prosecuted if existing law is modified and crimes the prosecution of which requires the adoption of new, cybercrime-specific penal laws. That is not the best approach because such a categorization ignores the internal logic of any penal code's offense structure. The more appropriate way to proceed is by analyzing offenses according to the traditional, empiricallyderived categories into which they fall, e.g., "crimes against persons," "crimes against property," "crimes against morality," "crimes against the administration of justice" and "crimes against the state." [31] The sub-sections below analyze the need for cybercrime legislation-either new penal laws or the modification of existing penal laws-to address offenses falling into each of these broad categories. The discussion is not intended to be an exhaustive treatment of every offense falling into each category; it is, instead, an illustrative examination of the extent to which traditional offenses can be extrapolated to encompass computer-related criminal activity.

    Crimes Against Persons

  16. Crimes against persons can be divided into sexual crimes and non-sexual crimes.[32] Non-sexual crimes against persons include, inter alia, homicide (causing the death of another person),[33] assault (causing bodily injury to another person)[34] and threats. [35] Sexual crimes against persons include, inter alia, rape and child pornography.[36] The traditional offense-definitions used to deal with both categories of crimes developed in the context of activity occurring in the real, physical world, e.g., with physical assaults and with "real world" rapes.[37] And it might seem that there is no need even to include these offenses in a discussion of cybercrime law, on the assumption that they cannot be committed in or via the "virtual world" of cyberspace but must involve actual physical confrontation between two or more persons.

  17. That is, however, not the case. It would, for example, be possible to commit homicide by hacking into the computer system of a hospital and altering the records establishing the type and dosage of medication a patient is to receive so that the patient actually receives a lethal dose of medication.[38] This is a traditional offense-murder-being committed in a non-traditional fashion, by a perpetrator who may be hundreds or even thousands of miles away from the victim at the time death occurs. As such, it is certainly an example of the "remote perpetrator" scenario discussed in Section II of this article. The offender may be in another jurisdiction, and this may well present serious problems of identifying and apprehending the perpetrator. This scenario does not, however, give rise to difficulties with regard to the application of criminal liability for the act of causing the victim's death: It is reasonable to assume that every nation will have laws making it an offense to cause the death of another human being, simply because no modern state can survive if individuals are allowed to commit murder at will. As a matter of general principle, there is, therefore, little or no doubt that the perpetrator, once identified and located, can be extradited for prosecution to the jurisdiction where the victim died.[39]

  18. In the homicide scenario described above, the computer is simply a tool used to commit a crime that is as old as mankind itself. Humans adapt technology to various uses, legitimate and illegitimate. Here, the computer substitutes for the knife, the gun, poison and any of a variety of other methods humans use to take the lives of their fellows. [40] And since legal systems do not generally parse homicide offenses according to the types of instrument used to inflict death, [41] e.g., "homicide by poison," "homicide by knife," "homicide by gun," etc., there appears to be no need to incorporate the use of the computer into extant homicide statutes. [42] This is a prime instance of a situation in which traditional penal law is adequate to address the use of a computer in the commission of criminal activity.

  19. It is rather more difficult to hypothesize how a "remote perpetrator" could use a computer to commit an assault, inflicting bodily injury on another person. This could, perhaps, be done if the perpetrator were able to use to the computer to engineer some product defect or engineering calamity that he knew was sufficient to inflict bodily injury without causing death.[43] If this were done, the result is analogous to that set out above for computer-facilitated homicide, e.g., the legal system should be able to impose liability on the perpetrator by using its traditional penal law and prosecuting him for assault.

  20. The same is true, and is not true, for non-corporeal attacks on another person: Penal laws have historically made it an offense to threaten another person with bodily injury or death.[44] The offense arose to deal with face-to-face threats (which arguably carry a greater threat of imminent danger), but the law had no difficulty accommodating threats transmitted by other means, such the postal service and/or telephone.[45] By the same token, extant law can be used to prosecute an offender if she uses a computer to transmit a threat to cause bodily injury or death.[46] Here, too, the computer simply becomes another tool used to carry out a traditional offense. [47]

  21. But that does not exhaust the analysis of non-corporeal attacks on another person: The rise of computer-generated and -transmitted communication has made it possible for perpetrators to engage in conduct that harasses and intimidates other persons without, however, rising to the level of "threatening" bodily injury. [48] This is illustrated by a case that arose in the United States of America, under federal law. Section 875 of title 18 of the U.S. Code makes it a federal crime, inter alia, to transmit a threat to injure another person in interstate or foreign commerce.[49] In United States v. Alkhabaz, [50] a federal court of appeals upheld the trial court's dismissal of charges that Jake Baker, also known as Alkhabaz, violated 18 U.S. Code ' 875 because it found that he did not transmit a Acredible threat@ to his alleged victim.[51] Baker, a student at the University of Michigan, had used e-mail to correspond with a friend; much of Baker's part of the correspondence consisted of vivid descriptions of fantasized sexual violence against a woman whose name was the same as that of one of his classmates.[52] When the correspondence came to light, he was prosecuted under 18 U.S. Code ' 875 for sending Athreats@ via interstate commerce.[53] The district court dismissed the charge because it found that the e-mail correspondence did not constitute Atrue threats@ and was therefore speech protected by the First Amendment to the U.S. Constitution.[54] The Sixth Circuit affirmed the dismissal because it agreed that the e-mail correspondence did not rise to the level of a Athreat.@[55]

  22. The Alkhabaz case is one instance in which existing law proved to be inadequate to deal with computer-facilitated anti-social conduct. Other examples abound, some of which were ultimately addressed by the amendment of existing law or the adoption of new penal law.[56] Stalking, or cyberstalking, is an example of conduct which has so far tended to elude the reach of the criminal law; in the United States, for example, there is no federal anti-cyberstalking penal law, and few of the several U.S. states have enacted legislation which reaches cyberstalking. [57] In 1999, the U.S. Department of Justice issued a report which, among other things, articulated the dangers cyberstalking poses for its victims and the challenges it poses for law enforcement:

  23. [C]yberstalking shares important characteristics with offline stalking. Many stalkers - online or off - are motivated by a desire to exert control over their victims and engage in similar types of behavior to accomplish this end. . . . Given the enormous amount of personal information vailable through the Internet, a cyberstalker can easily locate private information about a potential victim with a few mouse clicks or key strokes.

  24. . . . . [S]talkers can take advantage of the ease of communications as well as increased access to personal information. In addition, the ease of use and nonconfrontational, impersonal, and sometimes anonymous nature of Internet communications may remove disincentives to cyberstalking. . . . [W]hereas a potential stalker may be unwilling or unable to confront a victim in person or on the telephone, he or she may have little hesitation sending harassing or threatening electronic communications to a victim. Finally, . . . online harassment . . . may be a prelude to more serious behavior, including physical violence.

  25. . . . [T]he Internet and other communications technologies provide new avenues for stalkers to pursue their victims.

  26. A cyberstalker may send repeated . . . messages by the simple push of a button; more sophisticated cyberstalkers use programs to send messages at regular or random intervals without being physically present at the computer terminal. California law enforcement authorities say they have encountered situations where a victim repeatedly receives the message "187" on their pagers - the section of the California Penal Code for murder. In addition, a cyberstalker can dupe other Internet users into harassing or threatening a victim by utilizing Internet bulletin boards or chat rooms. For example, a stalker may post a controversial or enticing message on the board under the name, phone number, or e-mail address of the victim, resulting in subsequent responses being sent to the victim. Each message -- whether from the actual cyberstalker or others -- will have the intended effect on the victim, but the cyberstalker's effort is minimal and the lack of direct contact between the cyberstalker and the victim can make it difficult for law enforcement to identify, locate, and arrest the offender. [58]

  27. In one California case, the stalker-Gary Dellapenta--posed online as his female victim, who had spurned his romantic advances, and posted notices saying she wanted to be raped; when men responded to the notices, the stalker gave them her name, home phone number, address and advised them how to disable her home security system.[59] At least six different men showed up at the woman's home prepared to carry out what they thought was her request; she and her father were ultimately able to track the messages to Dellapenta, whom they reported to the police. [60] Fortunately, California did have penal law that could be used to prosecute such activity, [61] so when Dellapenta was identified he was charged, convicted and sentenced to serve six years in prison for what he had done.[62]

  28. The Dellapenta case illustrates how computer technology can give rise to new types of antisocial activity: Dellapenta was able, in effect, to use others as his "weapons" against his victim, with the "weapons" being unaware they were endeavoring to engage in criminal activity. Dellapenta was also able to carry out his activities with anonymity, at least for a time; this only intensified the victim's terror, as she had no idea why the men were appearing at her home.[63] Scenarios such as these-which are not uncommon and are only likely to increase in incidence [64] -pose difficulties not only for law enforcement officers investigating such activity but also for the legal system's ability to impose criminal liability if and when the perpetrator is apprehended. Many jurisdictions do not have stalking laws, let alone cyberstalking laws, and those that do tend to require that the perpetrator actually communicate a "threat" of bodily injury to the victim. [65]

  29. As the Dellapenta and Alkhabaz cases illustrate, computer technology and the rise of computer-facilitated communication require that jurisdictions carefully assess what kinds of penal laws are needed to address phenomena such as cyberstalking and/or online harassment. [66] The cyberworld can give a perpetrator the ability to inflict psychic damage on a victim without ever actually threatening to inflict physical harm, as in the case of Gilbert Davis. Davis was an American student who, among other things, created a web site containing an image of his former girlfriend's "head transforming into a skull." [67] If Davis were to be prosecuted under the statute used in Alkhabaz or a similar provision, he would no doubt succeed in having the charges dismissed on the theory that his conduct did not rise to the level of communicating a "threat" because the web site's contents were not specifically directed to the "victim." Indeed, Davis could perhaps argue that his web site's contents were "art," an homage to the woman he claimed to still love. Can/should posting artificial constructs on the Internet give rise to the imposition of criminal liability?

  30. Any attempt to answer this question has to include a consideration of sexual crimes against persons-e.g., rape and child pornography-as well as a consideration of activities such as cyberstalking and online harassment. [68] So far, there has only been one reported instance of "virtual rape" on the Internet, a case which arose when "virtual characters" participating in an online "virtual community"-LambdaMOO--were forced to engage in sexual activity against the will and inclinations of the individuals who had assumed those characters.[69] The case has given rise to debate as to whether "virtual crimes" can give rise to prosecution in the "real world." [70] Since activity such as the incident in LambdaMOO occurs only in cyberspace, it is not encompassed by the provisions of existing penal laws prohibiting rape and other physical attacks. [71] Indeed, much of penal law is predicated on the concept of some physical injury to person or property, which leads many to argue that criminal liability should not be imposed for "sexual assaults" occurring entirely in cyberspace. [72] Those who take this view argue that incidents such as the LambdaMOO attack are more properly handled within cyberspace, especially when the activity involved those who jointly chose to participate in an online activity such as the virtual community where this incident occurred. [73]

  31. While that argument may be appealing when "virtual sexual assaults" occur among what are, in effect, consenting adults, its appeal weakens when the assault is directed at someone who may have had no contact with the perpetrator and who, at the very least, cannot be said to have consented to the attack. A law enforcement officer in the United States described this scenario to the author: Assume a man lives next door to a woman; the man videotapes the woman as she walks outside, perhaps going from her home to her automobile. Using computer technology, the man then "morphs" the woman's head and face onto the body of a woman in a pornographic video and posts the morphed video onto a web site. [74] The victim can now see herself being raped on the web site, as can members of her family, her employer, etc. Is this a crime? Should it be a crime? If it should be a crime, what is the crime-is it a form of rape? There is no physical assault. So should this be treated as an entirely new category of crime, one that encompasses cyberstalking and harassment and other types of behaviors that are likely to crop up as computer technology becomes more sophisticated? Or should this not be a basis for imposing criminal liability-should the victim be limited to bringing a civil suit for damages and/or injunctive relief against the perpetrator? [75]

  32. A variation of this issue will be decided by the United States Supreme Court some time next year: The Supreme Court has agreed to decide whether a federal criminal statute which targets child pornography can criminalize pornography produced by the use of "morphing" techniques-in which the images of adults are altered so they appear to be children.[76] The Ninth Circuit U.S. Court of Appeals struck down the portion of the statute that targets this "virtual child pornography," in part because it found that the statute violated the First Amendment in that there was no "compelling" government need to prohibit pornography the production of which did not involve the use of actual children. [77] Other U.S. Courts of Appeal have reached the opposite conclusion, [78] which is why the U.S. Supreme Court has agreed to decide the matter.

  33. Regardless of what the U.S. Supreme Court decides in this case, the problem of determining whether, and when, criminal liability should be imposed for creating and disseminating artificial constructs and manipulating information that is freely available about individuals will persist.[79] This is an area that is not easily addressable, if at all, under existing penal legislation because, unlike computer-facilitated homicide, the conduct at issue does not consist simply of using computer technology as a means of committing offenses that have long been recognized by the penal law. [80] This is in essence "new" criminal activity--the conduct at issue exploits computer technology to achieve results that would not have been achievable in years past. [81] This is also an area that raises extraordinarily difficult legal questions for any nation that desires to maintain a balance between protecting the safety and security of individuals and guaranteeing the free dissemination of information and opinion. For all these reasons, this is an area that will present great challenges to those responsible for devising the penal laws of different nations; they will have to decide how this balance should be struck.

    Crimes Against Property

  34. There are many different types of crime against property, but because this is an illustrative, not an exhaustive, treatment of the interaction of computer technology and criminal activity, this section will focus on only a few: hacking, theft and forgery. Since, as is explained below, it is clear that computer technology is means of committing the traditional crimes of theft and forgery but this is not so clear with regard to hacking and related offenses, the discussion will begin with theft and forgery and conclude with an analysis of hacking and analogous activities.

  35. As section II(A) explained, using a computer to cause the death of another human being (by changing prescription records, say) does not constitute the commission of a new offense, "cyberhomicide." It is simply employing a new implement to commit an old crime, just as those with murderous intent at some point learned electricity could be used to cause death. The same is true for theft and forgery crimes, though perhaps it is more accurate to say the same can be true for these crimes, since the proliferation of computer technology and the concomitant increase in the number and types of intangible property concededly necessitates some revisions in the approaches to theft and forgery found in traditional penal laws. [82]

  36. Theft crimes take different forms, [83] but the essence of theft is unlawfully taking property that belongs to someone else[84] The taking can be accomplished by appropriating and carrying away property (larceny), by using force to take property from another person's possession (robbery), [85] by deception (fraud), [86] by threats (extortion), [87] by breaking and entering (burglary) [88] or by exploiting a position of trust (embezzlement). [89] Theft in cyberspace is analogous to "real world" theft insofar as it recapitulates most, if not all, of these different forms of "taking" property, but it also differs in one important respect.

  37. As to the analogies, computer-facilitated theft consists of using a computer to gain possession of ("take") property. The primary distinguishing factor of cybertheft is that it relies on the electronic transmission and manipulation of data-rather than acts and communications effected in the "real world"-- to effect a transfer of property from the rightful owner to the thief. In cyberextortion, the threats used to convince the victim to surrender her property are transmitted electronically; [90] in cyberembezzlement, funds are siphoned off electronically; [91] in cyberfraud, electronic communications transmit the false information that deceives the victim into parting with his property. [92] All of these are traditional theft accomplished by rather nontraditional means. One difference between online theft and "real world" theft is that cyberlarceny necessarily seems to be subsumed into cyberburglary, since it is difficult to imagine how a cyberthief can gain access to property for the purposes of carrying it away unless the thief illegally gains access to (breaks into) a computer system where the property is stored. [93]

  38. The area in which cybertheft differs-or, more properly, can differ-from real world theft lies in the nature of the theft itself, e.g., the nature of the property that is taken. Real world theft is a zero sum offense, that is, an offense in which the sole possession and use of property is transferred from one person (the rightful owner) to another (the thief). [94] The same can be true of cybertheft: If a cyberthief, for example, hacks into a bank's computer system and transfers funds into accounts over which he maintains control, the thief now has those funds but the rightful owners of the funds no longer do. [95] That is one form of cybertheft, and this variety is, indeed, analogous to "real world" theft. There is, however, another form of cybertheft, one that is not a zero sum offense. [96] Assume, for example, that a cyberthief hacks into a computer system containing proprietary information that is owned by a business and that confers economic advantages on the possessor of that information (i.e., it has "value" in monetary terms). [97] The cyberthief could, of course, extract the information from the database containing the proprietary information and extract it, thereby depriving the owner of the information and achieving a classic, zero sum offense. [98] Instead of doing this, the cyberthief, wanting to defer discovery of the theft for as long as possible, copies the information contained in the database; now, both the thief and the rightful owner possess the information. [99] Is this theft? It is not theft in classic terms, since the rightful owner still possesses the information. [100] It is, however, theft since the rightful owner has been deprived of some portion of the value of that information, the portion attributable to the rightful owner's formerly exclusive possession and use of the information. [101] One can characterize this type of theft as a dilution of the value of the information that has been copied by the cyberthief. [102]

  39. This is an area that can be-and has been-problematic for applying traditional penal law to cybertheft. [103] That is, traditional penal laws usually do not incorporate the notion of non-zero sum thefts, in which a portion of the value of intangible property is taken but the rightful owner of the property is not completely deprived of its possession and use. [104] This is not, however, a flaw which requires the adoption of new, cybertheft-specific penal laws; this is a loophole which can be addressed by amending existing theft laws so that they do encompass the concept of stealing intangible property by making one or more copies of it. [105]

  40. Forgery offenses can be dealt with more easily. The essence of forgery is the act of falsifying a document with the purpose of perpetrating a deception; in the past, the falsification was carried out on a paper document. [106] Cyberforgery simply introduces two new permutations, either of which can be adequately dealt with by amending extant forgery laws: (1) using computer technology to forge paper documents; or (2) using computer technology to forge electronic documents. This is not an area in which new, cybercrime-specific penal laws are required.[107]

  41. Hacking is, as was noted above, rather more problematic. For the purposes of this discussion, hacking will be defined as the act of gaining unauthorized access to a computer system. [108] So defined, hacking is conceptually analogous to the traditional offense of trespass; trespass is the act of unlawfully gaining access to some "real world" physical space, such as another's property or a building owned by someone else.[109] The essence of the offense of hacking, like that of the offense of trespass, is the act of unlawfully entering into an area which is owned by someone else and which is not open to the general public. [110] One can, therefore, argue that there is no need to adopt penal laws which specifically target hacking, as the activity at issue could be penalized by amending "real world" trespass laws so they encompass the act of "breaking into" a computer system. [111] That is, of course, quite true; hacking could be prosecuted as a trespass if criminal trespass laws were modified so that they reach "virtual" trespass as well as "real world" trespass. [112] However, given the physical distinctions between the conduct that constitutes hacking and the distinct methods necessary to consummate a break-in into a computer system, it seems more reasonable to enact penal laws that specifically target hacking, as differentiated from "real world" trespassing.[113]

  42. The same is true for "hactivism," which is less trespass-hacking and more a type of attack on a web site, an attack motivated for political purposes.[114] While hacktivism could, perhaps, be analogized to "real world" vandalism, it, too, should be addressed by laws that specifically target this type of activity. [115] The rationale for adopting distinct laws to address this type of activity is in part based on the same notions that militate for adopting penal laws that specifically target hacking, i.e., the physical distinctions that exist between "real world" vandalism and hacktivism and the distinct methods needed to consummate an act of hacktivism.[116] Hacktivism can also be distinguished from "real world" vandalism in terms of the amount of damage each is likely to inflict; "real world" vandalism tends to inflict relatively minor damage on physical property, but hacktivism tends not only inflict damage on a web site per se but also to impair the web site proprietor's ability to carry out its lawful activities.[117] Also, one could analogize the activity encompassed under the rubric of hacktivism to the "hate crimes" that have been the target of specific penal legislation in a number of countries,[118] on the theory that both warrant the adoption of specific penal laws because each involves the victimization of a person or entity who has been chosen for socially intolerable reasons, e.g., expressing certain views (hactivism) or belonging to a specific racial, ethnic or cultural group (hate crimes).

  43. There is, finally, another type of activity-i.e., "denial of service" attacks-- which clearly requires the imposition of some type of criminal liability but which might evade prosecution under traditional penal laws. In a denial of service attack, the attacker floods a site with data, thereby overwhelming its capacity to respond and effectively shutting down traffic to that site.[119] Denial of service attacks can inflict great damage on online businesses, causing astronomical losses.[120] Since they do not cause physical damage to the attacked site(s), they could not be prosecuted as vandalism; since the attacker does not obtain services from the attacked site, they could not be prosecuted as a theft of services;[121] and since they do not actually involve penetration of the web site's computer systems, they could not be prosecuted as hacking, trespass or even burglary. The most logical approach is probably to adopt legislation that specifically targets these and other types of attacks on web sites, including the acts of disseminating viruses, worms and Trojan Horses.

    Crimes Against Morality

  44. So far, at least, computers do not seem to have given rise to the commission of new kinds of offenses against morality. Computer technology is simply being used as a tool to facilitate the commission of existing offenses against morality such as gambling, prostitution and the dissemination of obscene material.[122]

  45. Therefore, while a country could adopt penal laws specifically targeting the use of computer technology to facilitate the commission of these and other offenses against morality,[123] that is not necessary as long as the country's existing penal laws are broad enough to encompass the activity at issue. If, for example, a country's penal laws make it a crime for a citizen of that country to gamble, then one who engaged in that activity can be prosecuted under those laws regardless of whether the gambling occurred in a "real world" casino or online, in a virtual casino.[124] And the same is true if the country's laws prohibit the receipt, possession and/or dissemination of obscene materials; one who uses computer technology to do any of these things has violated those laws and can therefore be prosecuted under them. An offender may, of course, raise the issue of jurisdiction, claiming the offense was not "committed" in the prosecuting jurisdiction but elsewhere, either in "cyberspace" or in the country hosting the web site where the online casino is located or from which the obscene material originated.[125] Jurisdiction is a separate issue, one that goes not to the existence of penal laws but to their application; it is addressed in section IV, below.

  46. The adequacy of a country's existing penal law will depend in part on the nature of the crime at issue: For the offenses discussed above-gambling and obscenitythe crime itself can be consummated online. This is not true for prostitution, at least not as prostitution has heretofore been defined. A country may, therefore, want to examine its prostitution and solicitation laws to ensure that they encompass using computer technology to facilitate the commission of the crime of prostitution.[126] And the same is true for other offenses against morality that can be facilitated by, but not committed via, computer technology.[127]

    Crimes Against the Administration of Justice

  47. Generally speaking, this is another area in which computer technology can be used as a tool to commit already-established crimes, but at least two new kinds of computer-facilitated activity that can undermine the administration of justice have emerged. The first paragraph below examines the use of computer technology to attack the administration of justice in traditional ways; the remainder of this section examine these new activities.

  48. Computer technology can be used to obstruct justice in a number of traditional ways: generating false evidence or destroying electronic evidence; altering or deleting court records to erase criminal convictions or charges; threatening law enforcement officers and judges;[128] filing false reports of crimes; and shutting down crime-reporting systems such as 911 operations.[129] Also, someone can use it to impersonate a law enforcement officer or public official. [130] Here, as with many of the offenses discussed in sectionsection III(A)-(C), computer technology is simply a tool that is used to commit an existing crime. Jurisdictional issues aside, there should be no difficulty in prosecuting an offender under a country's existing obstruction of justice laws if, of course, those laws encompass the use of computer technology to commit the prohibited acts. If the laws in question define the offense(s) in generic terms, that will generally be sufficient;[131] with a few exceptions, it is not necessary that the penal law explicitly incorporate the use of computer technology to commit the offense.[132] That may, however, be necessary with regard to statutes that prohibit creating or altering evidence or public records because falsification of evidence statutes are often drafted so that they only encompass acts directed at "physical evidence."[133] Even if an evidence-tampering or record-tampering statute is phrased in more neutral terms,[134] it may still be advisable to amend the statute so that it explicitly encompasses electronic records and the use of computer technology to alter or destroy records or data, in whatever form they are maintained.[135]

  49. Now, as to the new activities: The administration of justice is, in every nation, a state monopoly; that is, countries do not allow citizens to take justice into their own hands, to engage in self-help when they have been the victims of a crime, because governments recognize that to allow this invites anarchy. Historically, those who have taken justice into their own hands-often known as "vigilantes"-were prosecuted for what they did; the prosecution typically takes the form of charging the vigilante not with the distinct offense of vigilantism but for the crimes he committed in the course of "doing justice." [136] A "real world" vigilante might, for example, be prosecuted for murder, for assault and/or for kidnapping, since, whatever the motivations responsible for these acts, he is not lawfully authorized to administer justice and cannot, therefore, use force against someone who has violated a nation's penal laws.

  50. A comparable phenomenon-"cybervigilantism"-has emerged on the Internet. Frustrated by the actions of online offenders, some have either taken the law into their own hands or hired others to do so, to wreak vengeance for crimes (or other perceived wrongs) committed online, in the virtual world of cyberspace.[137] This is an issue nations need to examine: On the one hand, it may be possible to address cybervigilantism in the same way legal systems have addressed "real world" vigilantism, e.g., to prohibit and punish the discrete crimes those calling themselves vigilantes commit instead of trying to formulate a distinct offense of "cybervigilantism." On the other hand, since the tactics cybervigilantes exploit can bear little resemblance to the physical assaults their real world counterparts employ, it may be advisable for countries to adopt penal laws that specifically outlaw cybervigilantism. [138]

  51. Obstruction of justice laws usually make it a crime to make threats against those charged with the administration of justice, including law enforcement officers.[139] A web site hosted on a server in the United States is raising new questions about what it means to "threaten" a law enforcement officer. The site lists the names, ranks, home addresses, home telephone numbers, salaries and Social Security numbers of police officers in fifteen different departments.[140] One police department has filed a civil suit attempting to shut down the web site, arguing that it jeopardizes the safety of the officers, since it provides information that could be used to retaliate against them.[141]

  52. The issues raised by this web site are analogous to the issues raised by the cyberstalking variations discussed in section III(A), above. Here, as in the Alkhabaz and Dellapenta cases, there is no direct, "credible" threat communicated to a specific potential victim. Indeed, the information provided on this web site is in some senses far less "threatening" than the communications at issue in those two cases because it is content-neutral, e.g., it is simply a compilation of publicly-available information about a group of people selected because of the profession they all share. Of course, while the site dos not contain even fictive musings on inflicting harm to any of those who fall into this group, it can be characterized as an attempt to initiate a Dellapenta-style attack on one or more members of the group, e.g., to invite others to take action against them. But even if one accepts this characterization, an effort to impose criminal liability for creating and maintaining such a web site necessitates considering, and resolving, the issue raised in the concluding paragraph of section III(A), above. And even if a legal system were to resolve these issues and decide to enact penal law imposing liability for a web site that posts personal information, how would the scope of this offense be defined? Would the offense be limited to posting information about law enforcement officers?[142] Would it also encompass other governmental officials? Would it include those engaged in other professions? Or would it resolve these issues by prohibit posting information about anyone? Finally, if a statute were to be adopted that imposed criminal liability for posting personal information about individuals falling into any or all of these categories, how would the imposition of liability be structured so as to avoid imposing liability on sites that "legitimately" offer certain information, e.g., telephone numbers, home addresses, e-mail addresses, etc.?[143]

    Crimes Against the State

  53. Crimes against the state can take a variety of forms, including acts specifically directed at destroying the viability of the state (e.g., treason and sabotage), [144] acts undertaken to weaken the effectiveness of the state (e.g., espionage, the internal dissemination of misinformation and propaganda, rioting),[145] acts targeting various state infrastructures (e.g., terrorism directed at transportation systems, economic systems, public utilities, medical systems, etc.),[146] acts taken to undermine the state's fiscal stability (e.g., counterfeiting), [147] and the like. Crimes against religion can also be included in this category of offenses. [148]

  54. This category is made up of offenses the general contours of which have been clearly established, which means computer technology will become at most a tool used to commit these crimes. Treason, for example, is generally defined as actions by one who owes a duty of allegiance to a country but who levies war against that country or gives aid and comfort to its enemies. [149] Computer technology can of course be applied to this end; a traitor could, for example, break into a national computer system, extract vital national secrets and give those secrets to an enemy nation. [150] By the same token, computer technology can be used to attack essential infrastructures, [151] weaken a country's ability to respond to attacks from abroad, [152] and/or undermine its fiscal stability. [153] But each of these scenarios represents merely the application of new technology to achieve ends that have traditionally been prohibited by penal laws, since nations have long recognized that they cannot tolerate actions taken to undermine their very existence. Nations may want to reassess these laws to ensure that they explicitly encompass the use of computer technology to this end, but this is not an area in which there is a need to develop entirely new offenses, e.g., entirely new penal laws.[154]

    Procedural Law: Some General Issues

  55. As section I explained, the primary focus of the article is on penal laws because the generic consistency one encounters in penal laws permits a broad analysis of how these laws can be adapted to deal with cybercrime. Such an analysis is more problematic when one turns to procedural law, since there is much more variation among nations in this area. Notwithstanding that, it is important at least to note how procedural law may need to be revised to facilitate the investigation and apprehension of cybercriminals. After all, a country can have a comprehensive penal code that reaches every known variety of cybercrime but still be unable to prosecute cybercriminals because of gaps in its procedural law.

  56. Cybercrime is often transnational crime, which raises the issue of jurisdiction to prosecute the offender. [155] Countries must examine their procedural law and, if necessary, amend it so they can legitimately exercise jurisdiction over cybercrimes.[156] Traditionally, jurisdiction has been equated with territory, with the scope of a country's being defined by the limits of its territorial boundaries. [157] This territorial notion of jurisdiction to prosecute becomes problematic when dealing with cybercriminals. Determining where a cybercrime was "committed" can be difficult, since the perpetrator and the victim can be located in different countries and since the perpetrator may utilize computer systems in several countries in the course of attacking the victim. [158] One approach to this problem is to broaden the territorial notion of jurisdiction to prosecute so that it allows the nation to prosecute whenever the offender's conduct occurred in whole or in part in the prosecuting nation's territory.[159] This approach would, for example, give the country jurisdiction to prosecute a cybercriminal (a) when both the victim(s) and the perpetrator were located in the country at the time the crime was committed and the perpetrator utilized computer technology located in that country;[160] (b) when either the victim or the perpetrator was located in that country during the commission of the crime;[161] and/or (c) when any part of the crime was committed, planned or facilitated in that country. [162] Finally, countries can impose their own penal law on their citizens when the citizens are abroad, which means that a country could prosecute one of its nationals for committing a cybercrime even though the actual commission of the offense was carried out in another country and did not have harmful effects on people or property located within the prosecuting jurisdiction. [163]

  57. Because it exploits technology, cybercrime can create problems for investigators who must obey procedural rules crafted to deal with the investigation of crime in the "real world" of physical space, not the virtual world of cyberspace. Procedural law may, for example, only provide authorization to search for and seize tangible evidence.[164] Since the prosecution of cybercrimes usually requires collecting and analyzing intangible evidence, this omission can be a serious problem for investigators.[165] Countries must, therefore, evaluate their procedural law governing evidence-collecting and -analysis and amend it, as necessary, so that it does not suffer from this and other limitations.[166]

    Conclusion

  58. Cybercrimes raise new issues for legal systems. As the world's experience with the "Love bug" virus demonstrated, cybercriminals can exploit gaps in a nation's penal and procedural laws and thereby evade prosecution.

  59. This exploitation takes two forms. On the one hand, the permeability of national boundaries resulting from the Internet allows an offender situated in one country to perpetrate crimes in other countries; the remote offender may be able to operate with impunity, especially if the country in which he is located does not have penal laws which reach his conduct. This lack of adequate penal laws will prevent the offender's being prosecuted in his own country (assuming he did, in fact, commit offenses there as well), will prevent his being extradited to the countries he has victimized and can hamper law enforcement's ability to investigate and apprehend him. The world's experience with the "love bug" virus demonstrated all this: Onel de Guzman, suspected of disseminating the virus, could not be prosecuted in the Philippines because the Philippines' penal laws did not prohibit creating and disseminating a virus; since what he did was not a crime in his home country, he could not be extradited to countries in which it was a crime; and investigators found it difficult to get search warrants to investigate the episode because the dissemination of the virus was not a local crime. This scenario is intolerable, and not just because it is embarrassing for the offender's home country and frustrating for the countries whose citizens have been victimized; it is intolerable because it can so easily be repeated unless countries recognize that cybercrimes transcend borders and cannot, therefore, be treated as simply a local problem. One nation's inadequate penal laws can result in the victimization of citizens of other countries, countries which have tried to protect their citizens by adopting laws adequate to prohibit the conduct at issue.

  60. But it is not only remote cyberoffenders who exploit gaps in penal laws. A cybercriminal can take advantage of such gaps to commit crimes against individuals and/or businesses in his own country, knowing he cannot be prosecuted for what he does.

  61. The obvious solution to both forms of exploitation is for countries to ensure that their penal and procedural laws are adequate to permit the investigation and prosecution of cybercriminals. Indeed, this is a central feature of two conventions that have been drafted to deal with cybercrime. The Council of Europe's Draft Convention on Cyber-Crime seeks "to improve the means to prevent and suppress computer- or computer - related crime by establishing a common minimum standard of relevant offences." [167] Parties to the Convention would agree to adopt penal legislation addressing five types of cybercrimes: (1) illegal interception of and/or interference with computer data, illegal access to and/or interference with computer systems, and the misuse of devices to commit any of these offenses; (2) computer-related forgery and fraud; (3) child pornography; (4) the infringement of copyright and related rights; and (5) provisions governing the imposition of aiding and abetting and corporate liability.[168] They would also agree to adopt legislation guaranteeing the availability of certain procedures used to investigate cybercrime and apprehend cybercriminals.[169] The convention proposed by the Center for International Security and Cooperation (CISAC) has similar provisions, although it differs in some respects.[170] As to the adoption of penal laws, parties to the CISAC Convention would agree to adopt laws prohibiting the following: illegal entry into a computer system; manipulating data to affect the functioning of a computer system and/or to cause "substantial damage" to persons or property; interfering with authentication or tamper-detection mechanisms; manufacturing or distributing a device used to commit any offense within the scope of the Convention; and using computer technology to engage in activity outlawed by a list of treaties.[171] Like the Council of Europe's Draft Convention, the CISAC Convention addresses liability for aiding and abetting the commission of the identified cybercrimes and requires that signatories adopt procedural law governing mutual legal assistance in investigating cybercrimes.[172] Both the Council of Europe and CISAC Conventions consign the drafting of the legislation they respectively require to the parties who execute the convention; the architects of the Conventions recognized that nations have their own approaches to defining offenses and specifying the methods that can be used to investigate crimes.[173]

  62. These Conventions are estimable attempts to begin the process of establishing consistency in the cybercrime laws of the various nations. But regardless of whether a country executes, or plans to execute, one of these Conventions, it should conduct an audit of its penal and procedural laws to determine whether they provide police and prosecutors with the tools they need to pursue cybercriminals. This may mean adding new laws, amending existing laws and/or doing nothing if existing laws are adequate for this purpose. There is no need to adopt cybercrime-specific laws if a nation's existing laws are adequate or can be made adequate with some amendments; indeed, there are good reasons not to adopt cybercrime-specific laws when either of these conditions exists. For one thing, a country's law enforcement personnel will be familiar with the laws that already exist, having used them in the past; the interpretation of those laws will be clear and their legality under governing national principles will have been tested and established. For another, those drafting cybercrime-specific laws sometimes tie the legislation to existing technology, which means it can quickly become outmoded.[174] And, finally, duplicative laws-e.g., having cybercrime-specific offenses that are analogues of "real world" offenses-can sometimes be exploited by defendants, who can argue that they have been charged under the wrong statutory scheme and/or that the existence of a set of parallel laws somehow establishes that one legislative schema is flawed in some material and significant respect. [175]

  63. There may, or may not, be "virtual crimes" that will require new legislative responses,[176] but the prudent approach is to take a conservative tack in dealing with technologically-facilitated offenses, employing existing law whenever possible. One expert in this area hypothesizes the emergence of "computer crime in a box," e.g., of software programs that will "perform completed crimes including selection of victims, illegal acts, conversion to gain, and erasure of all evidence."[177] While the hypothesized scenario might seem to require the adoption of new law, it could, in fact, be substantially addressed by using tried and true legal principles.[178]

  64. Start with the premise that the software will be used to commit "crimes." What form might these crimes take? Since human motivation is the driver of any crime, and since the range of motives responsible for crime has been well established, it is almost certain that the "crimes" will fall into a known category, e.g., crimes against persons, crimes against property, crimes against morality, crimes against the administration of justice or crimes against the state. So the penal law will no doubt have addressed the underlying offense, which means that the purchaser and user of the software can be prosecuted for that offense.[179] The purveyor of the software can be prosecuted using other well-established legal principles: He can be prosecuted for aiding and abetting the underlying offense, since he provided the offender with the tools used to commit that offense.[180] The purveyor could also be prosecuted for conspiringwith the purchaser of the software, with the designer of the software and/or with anyone else involved in its dissemination-to commit the underlying offense.[181] And holding the purveyor liable under these theories is a just result, one which reflects the measure of harm he actually inflicted on the victims and on the legal system in which his actions occurred; he did not actually use the software to engage in the prohibited activity, so it is reasonable to apportion liability differently between the purveyor and the person who did engage in that activity.

  65. Legislative responses to cybercrime should be both rigorous and conservative. They should be rigorous in evaluating the legal system's EXISTING ability to deal with cybercrime, but they should be conservative in taking steps to improve that ability.

E Law Home Search Subscribe Issue Index Subject Index Author Index Title Index Murdoch University

Document author: Susan W Brenner
Document creation: June 2001
HTML last modified: June 2001
Authorised by: Archie Zariski, Managing Editor, E Law
Disclaimer & Copyright Notice © 2001 Murdoch University
URL: http://www.murdoch.edu.au/elaw/issues/v8n2/brenner82_text.html