Search
Sunday, November 4, 2007
Saturday, November 3, 2007
Cyber Crime . . . and Punishment
Overview
The growing danger from crimes committed against computers, or against information on
computers, is beginning to claim attention in national capitals. In most countries around the
world, however, existing laws are likely to be unenforceable against such crimes. This lack of
legal protection means that businesses and governments must rely solely on technical measures
to protect themselves from those who would steal, deny access to, or destroy valuable
information.
Self-protection, while essential, is not sufficient to make cyberspace a safe place to
conduct business. The rule of law must also be enforced. Countries where legal protections are
inadequate will become increasingly less able to compete in the new economy. As cyber crime
increasingly breaches national borders, nations perceived as havens run the risk of having their
electronic messages blocked by the network. National governments should examine their current statutes to determine whether they are sufficient to combat the kinds of crimes discussed in this report. Where gaps exist, governments should draw on best practices from other countries and work closely with industry to enact enforceable legal protections against these new crimes.
This report analyzes the state of the law in 52 countries. It finds that only ten of these
nations have amended their laws to cover more than half of the kinds of crimes that need to be
addressed. While many of the others have initiatives underway, it is clear that a great deal of
additional work is needed before organizations and individuals can be confident that cyber
criminals will think twice before attacking valued systems and information.
What’s Different About Cyber Crime?
Undeterred by the prospect of arrest or prosecution, cyber criminals around the world
lurk on the Net as an omnipresent menace to the financial health of businesses, to the trust of
their customers, and as an emerging threat to nations’ security. Headlines of cyber attacks
command our attention with increasing frequency. According to the Computer Emergency
Response Team Coordination Center (CERT/CC), the number of reported incidences of security
breaches in the first three quarters of 2000 has risen by 54 percent over the total number of
reported incidences in 1999.
Moreover, countless instances of illegal access and damage around the world remain nreported, as victims fear the exposure of vulnerabilities, the potential for copycat crimes, and the loss of public confidence.
Cyber crimes—harmful acts committed from or against a computer or network—differ
from most terrestrial crimes in four ways. They are easy to learn how to commit; they require few resources relative to the potential damage caused; they can be committed in a jurisdiction
without being physically present in it; and they are often not clearly illegal.
As this report shows, the laws of most countries do not clearly prohibit cyber crimes.
Existing terrestrial laws against physical acts of trespass or breaking and entering often do not
cover their “virtual” counterparts. Web pages such as the e-commerce sites recently hit by
widespread, distributed denial of service attacksmay not be covered by outdated laws as
protected forms of property. New kinds of crimes can fall between the cracks, as the Philippines
learned when it attempted to prosecute the perpetrator of the May 2000 Love Bug virus, which caused billions of dollars of damage worldwide.
Effective law enforcement is complicated by the transnational nature of cyberspace.
Mechanisms of cooperation across national borders to solve and prosecute crimes are complex
and slow. Cyber criminals can defy the conventional jurisdictional realms of sovereign nations,
originating an attack from almost any computer in the world, passing it across multiple national
boundaries, or designing attacks that appear to be originating from foreign sources. Such
techniques dramatically increase both the technical and legal complexities of investigating and
prosecuting cyber crimes.
Six weeks after the Love Bug attack, the Philippines outlawed most computer crimes as
part of a comprehensive e-commerce statute. In order to prevent a repeat of the catastrophe that prompted this action, however, the future of the networked world demands a more proactive approach, whereby governments, industry, and the public work together to devise enforceable laws that will effectively deter all but the most determined cyber criminals.
Poor Information Security Reduces the Competitiveness of Nations In our August 2000 report, Risk E-Business: Seizing the Opportunity of Global E-Readiness, McConnell International rated mid-level economies’ capacity to participate in the digital economy.
In considering nations’ information security, the report evaluated public trust
in the security of information processed and stored on networks in each country. In this context, information security included: an assessment of the strength of legal protections and progress in protecting intellectual property rights, especially for software; the extent of efforts to protect
electronic privacy; and the strength and effectiveness of the legal framework to authorize digital
signatures. The E-Readiness report also examined the existence of legal frameworks to
prosecute cyber criminals, for a predictable environment of strong deterrence for computer crime is critical to the effective protection of valuable information and networks.
Although several countries, particularly in Europe and Asia, were found to have addressed a number of these broader information security factors, few countries were able to demonstrate that adequate legal measures had been taken to ensure that perpetrators of cyber crime would be held accountable for their actions. Overall, nearly half of the countries included Victims of recent attacks include: Yahoo, CNN Interactive, Amazon.com, eBay, Datek Online, E*Trade, ZDNet, and Buy.com.
In the E-Readiness study were rated as needing substantial improvement in information security. In addition, only a small fraction of countries needing substantial improvement indicated that progress was currently underway.
Outdated laws and regulations, and weak enforcement mechanisms for protecting
networked information, create an inhospitable environment in which to conduct e-business
within a country and across national boundaries. Inadequate legal protection of digital
information can create barriers to its exchange and stunt the growth of e-commerce. As e-
business expands globally, the need for strong and consistent means to protect networked
information will grow.
The Cyber Crime Laws of Nations
Based on its findings in the E-Readiness study, and in the wake of the Philippines
inability to prosecute the student responsible for the “I Love You” virus, McConnell
International surveyed its global network of information technology policy officials to determine
the state of cyber security laws around the world. Countries were asked to provide laws that
would be used to prosecute criminal acts involving both private and public sector computers.
Over fifty national governments responded with recent pieces of legislation, copies of
updated statutes, draft legislation, or statements that no concrete course of action has been
planned to respond to a cyber attack on the public or private sector. Countries were provided the opportunity to review the presentation of the results in draft, and this report reflects their
comments.
Countries that provided legislation were evaluated to determine whether their criminal
statutes had been extended into cyberspace to cover ten different types of cyber crime in four
categories: data-related crimes, including interception, modification, and theft; network-related
crimes, including interference and sabotage; crimes of access, including hacking and virus
distribution; and associated computer-related crimes, including aiding and abetting cyber
criminals, computer fraud, and computer forgery.
Thirty-three of the countries surveyed have not yet updated their laws to address any type
of cyber crime. Of the remaining countries, nine have enacted legislation to address five or
fewer types of cyber crime, and ten have updated their laws to prosecute against six or more of
the ten types of cyber crime.
The countries evaluated are:
Albania, Australia, Brazil, Bulgaria, Burundi, Canada, Chile, China, Cuba, the Czech Republic, Denmark, Dominican Republic, Egypt, Estonia, Ethiopia, Fiji, France, Gambia, Hungary,Iceland, India, Iran, Italy, Japan, Jordan, Kazakhstan, Latvia, Lebanon, Lesotho, Malaysia, Malta, Mauritius,Moldova, Morocco, New Zealand, Nicaragua, Nigeria, Norway, Peru, Philippines, Poland, Romania, South Africa, Spain, Sudan, Turkey, United Kingdom, United States, Vietnam, Yugoslavia, Zambia, and Zimbabwe.
Finally, of the 33 countries with no updated laws in place, 13 indicated that progress toward the adoption of updated legislation to combat cyber crime is underway. Seven of these 13 countries are in Africa or the Middle East, indicating that, although these regions have not yet adequately addressed the issue of cyber crime, many countries are aware that action is needed.
Law Is Only Part of the Answer
Extending the rule of law into cyberspace is a critical step to create a trustworthy
environment for people and businesses. Because that extension remains a work in progress,
organizations today must first and foremost defend their own systems and information from
attack, be it from outsiders or from within. They may rely only secondarily on the deterrence
that effective law enforcement can provide.
To provide this self-protection, organizations should focus on implementing cyber
security plans addressing people, process, and technology issues. Organizations need to commit
the resources to educate employees on security practices, develop thorough plans for the
handling of sensitive data, records and transactions, and incorporate robust security technology-
such as firewalls, anti-virus software, intrusion detection tools, and authentication services--
throughout the organizations' computer systems.
These system protection tools--the software and hardware for defending information
systems--are complex and expensive to operate. To avoid hassles and expense, system
manufacturers and system operators routinely leave security features “turned off,” needlessly
increasing the vulnerability of the information on the systems. Bugs and security holes with
known fixes are routinely left uncorrected. Further, no agreed-upon standards exist to
benchmark the quality of the tools, and no accepted methodology exists for organizations to
determine how much investment in security is enough. The inability to quantify the costs and
benefits of information security investments leave security managers at a disadvantage .
The growing danger from crimes committed against computers, or against information on
computers, is beginning to claim attention in national capitals. In most countries around the
world, however, existing laws are likely to be unenforceable against such crimes. This lack of
legal protection means that businesses and governments must rely solely on technical measures
to protect themselves from those who would steal, deny access to, or destroy valuable
information.
Self-protection, while essential, is not sufficient to make cyberspace a safe place to
conduct business. The rule of law must also be enforced. Countries where legal protections are
inadequate will become increasingly less able to compete in the new economy. As cyber crime
increasingly breaches national borders, nations perceived as havens run the risk of having their
electronic messages blocked by the network. National governments should examine their current statutes to determine whether they are sufficient to combat the kinds of crimes discussed in this report. Where gaps exist, governments should draw on best practices from other countries and work closely with industry to enact enforceable legal protections against these new crimes.
This report analyzes the state of the law in 52 countries. It finds that only ten of these
nations have amended their laws to cover more than half of the kinds of crimes that need to be
addressed. While many of the others have initiatives underway, it is clear that a great deal of
additional work is needed before organizations and individuals can be confident that cyber
criminals will think twice before attacking valued systems and information.
What’s Different About Cyber Crime?
Undeterred by the prospect of arrest or prosecution, cyber criminals around the world
lurk on the Net as an omnipresent menace to the financial health of businesses, to the trust of
their customers, and as an emerging threat to nations’ security. Headlines of cyber attacks
command our attention with increasing frequency. According to the Computer Emergency
Response Team Coordination Center (CERT/CC), the number of reported incidences of security
breaches in the first three quarters of 2000 has risen by 54 percent over the total number of
reported incidences in 1999.
Moreover, countless instances of illegal access and damage around the world remain nreported, as victims fear the exposure of vulnerabilities, the potential for copycat crimes, and the loss of public confidence.
Cyber crimes—harmful acts committed from or against a computer or network—differ
from most terrestrial crimes in four ways. They are easy to learn how to commit; they require few resources relative to the potential damage caused; they can be committed in a jurisdiction
without being physically present in it; and they are often not clearly illegal.
As this report shows, the laws of most countries do not clearly prohibit cyber crimes.
Existing terrestrial laws against physical acts of trespass or breaking and entering often do not
cover their “virtual” counterparts. Web pages such as the e-commerce sites recently hit by
widespread, distributed denial of service attacksmay not be covered by outdated laws as
protected forms of property. New kinds of crimes can fall between the cracks, as the Philippines
learned when it attempted to prosecute the perpetrator of the May 2000 Love Bug virus, which caused billions of dollars of damage worldwide.
Effective law enforcement is complicated by the transnational nature of cyberspace.
Mechanisms of cooperation across national borders to solve and prosecute crimes are complex
and slow. Cyber criminals can defy the conventional jurisdictional realms of sovereign nations,
originating an attack from almost any computer in the world, passing it across multiple national
boundaries, or designing attacks that appear to be originating from foreign sources. Such
techniques dramatically increase both the technical and legal complexities of investigating and
prosecuting cyber crimes.
Six weeks after the Love Bug attack, the Philippines outlawed most computer crimes as
part of a comprehensive e-commerce statute. In order to prevent a repeat of the catastrophe that prompted this action, however, the future of the networked world demands a more proactive approach, whereby governments, industry, and the public work together to devise enforceable laws that will effectively deter all but the most determined cyber criminals.
Poor Information Security Reduces the Competitiveness of Nations In our August 2000 report, Risk E-Business: Seizing the Opportunity of Global E-Readiness, McConnell International rated mid-level economies’ capacity to participate in the digital economy.
In considering nations’ information security, the report evaluated public trust
in the security of information processed and stored on networks in each country. In this context, information security included: an assessment of the strength of legal protections and progress in protecting intellectual property rights, especially for software; the extent of efforts to protect
electronic privacy; and the strength and effectiveness of the legal framework to authorize digital
signatures. The E-Readiness report also examined the existence of legal frameworks to
prosecute cyber criminals, for a predictable environment of strong deterrence for computer crime is critical to the effective protection of valuable information and networks.
Although several countries, particularly in Europe and Asia, were found to have addressed a number of these broader information security factors, few countries were able to demonstrate that adequate legal measures had been taken to ensure that perpetrators of cyber crime would be held accountable for their actions. Overall, nearly half of the countries included Victims of recent attacks include: Yahoo, CNN Interactive, Amazon.com, eBay, Datek Online, E*Trade, ZDNet, and Buy.com.
In the E-Readiness study were rated as needing substantial improvement in information security. In addition, only a small fraction of countries needing substantial improvement indicated that progress was currently underway.
Outdated laws and regulations, and weak enforcement mechanisms for protecting
networked information, create an inhospitable environment in which to conduct e-business
within a country and across national boundaries. Inadequate legal protection of digital
information can create barriers to its exchange and stunt the growth of e-commerce. As e-
business expands globally, the need for strong and consistent means to protect networked
information will grow.
The Cyber Crime Laws of Nations
Based on its findings in the E-Readiness study, and in the wake of the Philippines
inability to prosecute the student responsible for the “I Love You” virus, McConnell
International surveyed its global network of information technology policy officials to determine
the state of cyber security laws around the world. Countries were asked to provide laws that
would be used to prosecute criminal acts involving both private and public sector computers.
Over fifty national governments responded with recent pieces of legislation, copies of
updated statutes, draft legislation, or statements that no concrete course of action has been
planned to respond to a cyber attack on the public or private sector. Countries were provided the opportunity to review the presentation of the results in draft, and this report reflects their
comments.
Countries that provided legislation were evaluated to determine whether their criminal
statutes had been extended into cyberspace to cover ten different types of cyber crime in four
categories: data-related crimes, including interception, modification, and theft; network-related
crimes, including interference and sabotage; crimes of access, including hacking and virus
distribution; and associated computer-related crimes, including aiding and abetting cyber
criminals, computer fraud, and computer forgery.
Thirty-three of the countries surveyed have not yet updated their laws to address any type
of cyber crime. Of the remaining countries, nine have enacted legislation to address five or
fewer types of cyber crime, and ten have updated their laws to prosecute against six or more of
the ten types of cyber crime.
The countries evaluated are:
Albania, Australia, Brazil, Bulgaria, Burundi, Canada, Chile, China, Cuba, the Czech Republic, Denmark, Dominican Republic, Egypt, Estonia, Ethiopia, Fiji, France, Gambia, Hungary,Iceland, India, Iran, Italy, Japan, Jordan, Kazakhstan, Latvia, Lebanon, Lesotho, Malaysia, Malta, Mauritius,Moldova, Morocco, New Zealand, Nicaragua, Nigeria, Norway, Peru, Philippines, Poland, Romania, South Africa, Spain, Sudan, Turkey, United Kingdom, United States, Vietnam, Yugoslavia, Zambia, and Zimbabwe.
Finally, of the 33 countries with no updated laws in place, 13 indicated that progress toward the adoption of updated legislation to combat cyber crime is underway. Seven of these 13 countries are in Africa or the Middle East, indicating that, although these regions have not yet adequately addressed the issue of cyber crime, many countries are aware that action is needed.
Law Is Only Part of the Answer
Extending the rule of law into cyberspace is a critical step to create a trustworthy
environment for people and businesses. Because that extension remains a work in progress,
organizations today must first and foremost defend their own systems and information from
attack, be it from outsiders or from within. They may rely only secondarily on the deterrence
that effective law enforcement can provide.
To provide this self-protection, organizations should focus on implementing cyber
security plans addressing people, process, and technology issues. Organizations need to commit
the resources to educate employees on security practices, develop thorough plans for the
handling of sensitive data, records and transactions, and incorporate robust security technology-
such as firewalls, anti-virus software, intrusion detection tools, and authentication services--
throughout the organizations' computer systems.
These system protection tools--the software and hardware for defending information
systems--are complex and expensive to operate. To avoid hassles and expense, system
manufacturers and system operators routinely leave security features “turned off,” needlessly
increasing the vulnerability of the information on the systems. Bugs and security holes with
known fixes are routinely left uncorrected. Further, no agreed-upon standards exist to
benchmark the quality of the tools, and no accepted methodology exists for organizations to
determine how much investment in security is enough. The inability to quantify the costs and
benefits of information security investments leave security managers at a disadvantage .
Computer Crime
Introduction:
There are no precise, reliable statistics on the amount of computer crime and the economic loss to victims, partly because many of these crimes are apparently not detected by victims, many of these crimes are never reported to authorities, and partly because the losses are often difficult to calculate. Nevertheless, there is a consensus among both law enforcement personnel and computer scientists who specialize in security that both the number of computer crime incidents and the sophistication of computer criminals is increasing rapidly. Estimates are that computer crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might be substantially higher. Experts in computer security, who are not attorneys, speak of "information warfare". While such "information warfare" is just another name for computer crime, the word "warfare" does fairly denote the amount of damage inflicted on society. I have posted a separate document, Tips for Avoiding Computer Crime, which includes suggestions for increasing the security and reliability of personal computers, as well as links to websites on computer viruses, computer crime, and anti-virus and firewall software.
Two comments on word usage in this essay:
I normally write in a gender neutral way, but here I use the masculine pronoun for computer criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist attacking me because I deny equal recognition to women criminals.
To some professional computer programmers, the word "hacker" refers to a skilled programmer and is neither pejorative nor does it refer to criminal activity. However, to most users of English, the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this essay. I originally wrote this essay in May 1999. I do not have the spare time that would be required for a thorough search and analysis of reported cases and statutes on computer crime, as well as newspaper accounts (most criminal proceedings are resolved without generating any judicial decision that is reported in legal databases or books), so my revisions are mostly generalizations.
New crimes in cyberspace
There are three major classes of criminal activity with computers:
-unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program.
-creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).
-harassment and stalking in cyberspace.
-old crimesWhen lay people hear the words "computer crime", they often think of obscene pictures available on the Internet, or solicitation of children for sex by pedophiles via chat rooms on the Internet. The legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in books and magazines, except for some technical issues of personal jurisdiction on the Internet. I have discussed obscenity on the Internet in my May 1997 essay on law & technology and I have nothing further to say about obscenity in this essay on computer crime. Similarly, many crimes involving computers are no different from crimes without computers: the computer is only a tool that a criminal uses to commit a crime. For example,
Using a computer, a scanner, graphics software, and a high-quality color laser or ink jet printer for forgery or counterfeiting is the same crime as using an old-fashioned printing press with ink.
Stealing a laptop computer with proprietary information stored on the hard disk inside the computer is the same crime as stealing a briefcase that contains papers with proprietary information.
-Using the Internet or online services to solicit sex is similar to other forms of solicitation of sex, and so is not a new crime.
-Using computers can be another way to commit either larceny or fraud. In contrast to merely using computer equipment as a tool to commit old crimes, this essay is concerned with computer crimes that are new ways to harm people.
false originThere are many instances of messages sent in the name of someone who neither wrote the content nor authorized the sending of the message. For example:
-E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the --Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).
-Posting messages in an Internet newsgroup or online bulletin board with a false author's name that is intended to harm the reputation of the real person of that name. These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery, deceit, or fraud.
However, a judge might decide that the specific language in old statutes about writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail addresses or unauthorized sending of e-mail in someone else's name, I would prefer that legislatures broaden the existing criminal statutes for analogous crimes with paper and ink. Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail, also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.
1. Unauthorized UseUnauthorized use of computers tends generally takes the following forms:
Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data is neither deleted nor changed. In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people. Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly confidential] documents from a victim's computer. These malicious programs are a new way to release confidential information from a victim's computer, with the confidential information going not to the author of the malicious program, but to some person unknown to the author of the malicious program.
Changing data.
For example, change a grade on a school transcript, add "money" to a checking account, etc. Unauthorized changing of data is generally a fraudulent act.
Deleting data. Deleting entire files could be an act of vandalism or sabotage.
Denying service to authorized users. On a modern time-sharing computer, any user takes some time and disk space, which is then not available to other users. By "denying service to authorized users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
--by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
by having the computer execute a malicious program that puts the processing unit into an infinite loop, or,
--by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the server. This is called a denial of service (DoS) attack. During 1950-1975, computer programs and data were generally stored on cardboard cards with holes punched in them. If a vandal were to break into an office and either damage or steal the punch cards, the vandal could be adequately punished under traditional law of breaking and entering, vandalism, or theft. However, after about 1975, it became common to enter programs and data from remote terminals (a keyboard and monitor) using a modem and a telephone line. This same technology allowed banks to retrieve a customer's current balance from the bank's central computer, and merchants to process credit card billing without sending paper forms. But this change in technology also meant that a criminal could alter data and programs from his home, without physical entry into the victim's building. The traditional laws were no longer adequate to punish criminals who used computer modems. Most unauthorized use of a computer is accomplished by a person in his home, who uses a modem to access a remote computer. In this way, the computer criminal is acting analogous to a burglar.
The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's property. However, in the unauthorized use of another's computer, the criminal "enters" the computer via the telephone lines, which is not breaking into the building. Either the burglary statute needed to be made more general or new criminal statute(s) needed to be enacted for unauthorized access to a computer. Legislatures chose to enact totally new statutes. To successfully use a remote computer, any user (including criminals) must have both a valid user name and valid password.
There are several basic ways to get these data:
Call up a legitimate user, pretend to be a system administrator, and ask for the user name and password. This sounds ridiculous, but many people will give out such valuable information to anyone who pretends to have a good reason. Not only should you refuse to provide such information, but please report such requests to the management of the online service or the local police, so they can be alert to an active criminal.
Search user's offices for such data, as many people post their user name and password on the side of their monitor or filing cabinet, where these data can be conveniently seen.
Write a program that tries different combinations of user names and passwords until one is accepted.
Use a packet "sniffer" program to find user names and passwords as they travel through networks.
Search through a garbage bin behind the computer building in a university or corporate campus, find trash paper that lists user names and passwords.A disgruntled employee can use his legitimate computer account and password for unauthorized uses of his employer's computer. This can be particularly damaging when the disgruntled employee is the computer system administrator, who knows master password(s) and can enter any user's file area. Such disgruntled employees can perpetrate an "inside job", working from within the employer's building, instead of accessing a computer via modem. The computer voyeurs, like petty criminals who peek in other people's windows, generally hack into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these computer voyeurs also used technology to make long-distance telephone calls for free, which technology also concealed their location when they were hacking into computers. Many of these voyeurs take a special thrill from hacking into military computers, bank computers, and telephone operating system computers, because the security is allegedly higher at these computers, so it is a greater technical challenge to hack into these machines. The criminals who change or delete data, or who deliberately gobble large amounts of computer resources, have a more sinister motive and are capable of doing immense damage. Of course, there is always the possibility that a computer voyeur will "accidentally" bumble around an unfamiliar system and cause appreciable damage to someone else's files or programs. Traditional criminal law in the USA places a great deal of emphasis on willful or intentional conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea (literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately hacks into someone else's computer should be accountable under criminal law for whatever damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I would make an analogy to a homicide that occurs "accidentally" during the commission of a felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking constitutes the malice or intent to cause the damage. In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City. That computer stored records of cancer patients' radiation treatment. Altering files on that computer could have killed patients, which reminded everyone that hacking was a serious problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal computer crime statute.S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480. There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).
Altering websitesIn recent years, there have been a large number of attacks on websites by hackers who are angry with the owner of the website. Victims of such attacks include various U.S. Government agencies, including the White House and FBI. Attacking the FBI website is like poking a lion with a stick. In a typical attack, the hacker will delete some pages or graphics, then upload new pages with the same name as the old file, so that the hacker controls the message conveyed by the site. This is not the worst kind of computer crime. The proper owner of the site can always close the website temporarily, restore all of the files from backup media, improve the security at the site, and then re-open the site. Nonetheless, the perpetrator has committed a computer crime by making an unauthorized use of someone else's computer or computer account. The Internet is a medium for freely sharing information and opinions. However the criminals who trash other people's websites are acting as self-appointed censors who deny freedom of speech to those with whom they disagree. These criminals often make the self-serving excuse for their actions that they only attack sites sponsored by bad corporations or bad people. However, this excuse makes these criminals into vigilantes who serve as legislature, judge, jury, and executioner: arrogantly determining what is in the best interests of society. One example of punishment for the crime of defacing a website is the case of Dennis M. Moran. On 9 March 2001, Moran (alias "Coolio"), a high school dropout, was sentenced in New Hampshire state court to nine months incarceration and ordered to pay a total of US$ 15000 restitution to his victims for defacing two websites:
In November 1999, he defaced the website of DARE America, an organization that campaigns against use of illicit drugs, whose website was in Los Angeles, California.
In February 2000, he defaced the website of RSA Security in Massachusetts.
In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army and Air Force installations.See the New Hampshire DoJ press release.
Denial of Service (DoS)
AttacksA denial of service attack occurs when an Internet server is flooded with a nearly continuous stream of bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the webserver.
Criminals have developed a simple technique for executing a distributed DoS attack:
The criminal first plants remote-control programs on dozens of computers that have broadband access to the Internet. The remote-control program will, at the command of the criminal, issue a nearly continuous series of pings to a specified victim's website.
When the criminal is ready to attack, he instructs the programs to begin pinging a specific target address. The computers containing the remote-control programs act as "zombies".
The victim computer responds to each ping, but because the zombie computers gave false source addresses for their pings, the victim computer is unable to establish a connection with the zombie computers. Because the victim computer waits for a response to its return ping, and because there are more zombie computers than victims, the victim computer becomes overwhelmed and either (a) does nothing except respond to bogus pings or (b) crashes.
Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim. This brief duration is not because the criminal is a nice person, but because long-duration attacks make it easier for engineers at the victim's website to promptly trace the source of the attacks. This may sound sophisticated, but the remote-control programs, and instructions for using them, are readily available from many pro-hacker websites since June 1999. My essay, Tips for Avoiding Computer Crime, has specific suggestions for how you can use firewall software on your computer to prevent your computer from being used by criminals in DoS attacks on victims. Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on webservers. A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts. David Dittrich, a senior security engineer at the University of Washington and expert on Unix system administration, has posted a large collection of links to resources on distributed DoS attacks.
The following is one case involving a famous series of DoS attacks:
The Yahoo website was attacked at 10:30 PST on Monday, 7 Feb 2000. The attack lasted three hours. Yahoo was pinged at the rate of one gigabyte/second.
The websites of amazon.com buy.com cnn.com eBay.com were attacked on Tuesday, 8 Feb 2000. Each attack lasted between one and four hours. CNN reported that the attack on its website was the first major attack since its website went online in August 1995.
The websites of E*Trade, a stock broker, and ZDNet, a computer information company, were attacked on Wednesday, 9 Feb 2000.
About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks.
The attacks received the attention of President Clinton and the U.S. Attorney General, Janet Reno. The FBI began to investigate. A CNN news report posted at 18:44 EST on 9 Feb 2000 quotes Ron Dick of the FBI's National Infrastructure Protection Center as saying "A 15-year-old kid could launch these attacks. It doesn't take a great deal of sophistication to do."
His remark was prophetic, because, on 18 April 2000, a 15-year-old pupil in Montréal Canada was arrested and charged with two counts of "mischief to data" arising from his DoS attack on CNN. Because he was a juvenile, his name can not be publicly disclosed, so he was called by his Internet pseudonym Mafiaboy. The Royal Canadian Mounted Police seized Mafiaboy's computer.
CNN reported that Mafiaboy was granted bail, with the following conditions:
"may only use computers under the direct supervision of a teacher."
"prohibited from connecting to the Internet" prohibited from entering "a store or company where computer services or parts are sold." "barred from communicating with three of his closest friends."
On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo. Mafiaboy had also attacked other websites, but prosecutors decided that a total of 66 counts was enough. Mafiaboy pled not guilty.
In November 2000, Mafiaboy's bail was revoked, because he skipped school in violation of a court order. He spent two weeks in jail.
In December 2000, Mafiaboy, now 16 y old, dropped out of school (after being suspended from school six times since the beginning of that academic year, and failing all of his classes except physical education), and was employed at a menial job. He was again granted bail.
On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data and 51 counts of illegal access to computers. As part of a plea agreement between his attorney and prosecutors, the prosecution dismissed the remaining ten counts.
On 20 June 2001, a social worker reported to the court that Mafiaboy "shows no sign of remorse" and "he's still trying to justify what he did was right."
On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a juvenile detention center, then spend one year on probation. Because Mafiaboy was a child at the time of his crime, the maximum sentence that he could have received would be incarceration for two years.
In issuing the sentence, Judge Gilles Ouellet commented:
This is a grave matter. This attack weakened the entire electronic communications system. And the motivation was undeniable, this adolescent had a criminal intent."The above facts are taken from reports at CNN, CBC, CNEWS, and the sentence is reported at wired.com.
Malicious computer programs
The following are general terms for any computer program that is designed to harm its victim(s):
Malicious computer programs are divided into the following classes:
A virus is a program that "infects" an executable file. After infection, the executable file functions in a different way than before: maybe only displaying a benign message on the monitor, maybe deleting some or all files on the user's hard drive, maybe altering data files. There are two key features of a computer virus:
the ability to propagate by attaching itself to executable files (e.g., application programs, operating system, macros, scripts, boot sector of a hard disk or floppy disk, etc.) Running the executable file may make new copies of the virus.
The virus causes harm only after it has infected an executable file and the executable file is run. The word "virus" is also commonly used broadly to include computer viruses, worms, and Trojan Horse programs. For example, so-called "anti-virus software" will remove all three classes of these malicious programs. Beginning with the Melissa virus in 1999, viruses could automatically send e-mail with the victim's name as the alleged source.
A worm is a program that copies itself. The distinction between a virus and worm, is that a virus never copies itself – a virus is copied only when the infected executable file is run. In the pure, original form, a worm neither deleted nor changed files on the victim's computer — the worm simply made multiple copies of itself and sent those copies from the victim's computer, thus clogging disk drives and the Internet with multiple copies of the worm. Releasing such a worm into the Internet will slow the legitimate traffic on the Internet, as continuously increasing amounts of traffic are mere copies of the worm. Beginning with the Klez worm in early 2002, a worm could drop a virus into the victim's computer. This kind of worm became known as a blended threat, because it combined two different types of malicious code.
A Trojan Horse is a deceptively labeled program that contains at least one function that is unknown to the user and that harms the user. A Trojan Horse does not replicate, which distinguishes it from viruses and worms. Some of the more serious Trojan horses allow a hacker to remotely control the victim's computer, perhaps to collect passwords and credit card numbers and send them to the hacker, or perhaps to launch denial of service attacks on websites. Some Trojan Horses are installed on a victim's computer by an intruder, without any knowledge of the victim. Other Trojan Horses are downloaded (perhaps in an attachment in e-mail) and installed by the user, who intends to acquire a benefit that is quite different from the undisclosed true purpose of the Trojan Horse.
A logic bomb is a program that "detonates" when some event occurs. The detonated program might stop working (e.g., go into an infinite loop), crash the computer, release a virus, delete data files, or any of many other harmful possibilities. A time bomb is a type of logic bomb, in which the program detonates when the computer's clock reaches some target date.
A hoax is a warning about a nonexistent malicious program. I have a separate essay that describes how to recognize hoaxes, and how to respond to them. Some confusion about the distinction between a virus and a worm is caused by two distinctly different criteria:
a virus infects an executable file, while a worm is a stand-alone program.
A virus requires human action to propagate (e.g., running an infected program, booting from a disk that has infected boot sectors) even if the human action is inadvertent, while a worm propagates automatically.For most viruses or worms, these two different criteria give the same result. However, there have been a few malicious programs that might be considered a virus by some and a worm by others. Ultimately, the taxonomy matters only to computer scientists who are doing research with these malicious programs. The first computer virus found "in the wild" was written in 1986 in a computer store in Lahore, Pakistan. In the 1980s, computer viruses were generally spread by passing floppy disks from one user to another user. In the late 1990s, computer viruses were generally spread via the Internet, either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an attachment to e-mail) or in programs downloaded from a website. The distribution of viruses via the Internet permitted a much more rapid epidemic, so that more computers could be infected in a shorter time than when floppy disks were used to spread the infection. The first prosecution under the Federal computer crime statute, 18 USC § 1030, was for a release of a worm. Robert Tappan Morris, then a graduate student in computer science at Cornell University, released his worm into the Internet on 2 Nov 1988. The worm rapidly copied itself and effectively shut down the Internet. Morris was convicted of violating 18 USC §1030 in 1990 and the conviction was upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991), cert. denied, 502 U.S. 817 (1991). My long discussion of a few famous malicious programs is in a separate essay, emphasizes the nonexistent or weak punishment of the authors of these programs. There is a reported case under state law for inserting a logic bomb into custom software. Wisc. v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).
"justification" for malicious programsDesigning and releasing malicious computer programs is not only unethical, but also unlawful. However, some people defend the authors of malicious code by offering one or more of the following justifications:
The malicious code exposes security flaws in operating systems and applications software.
There is no doubt that the publicity surrounding an epidemic of a virus or worm increases awareness of security flaws. However, this incidental benefit does not justify the more than US$ 106 cost to clean the malicious code from more than a thousand infected computers.
Regardless of any benefits to society, a worm or virus is still an unauthorized access of a person's computer.
A rational and socially acceptable response to discovering a security flaw is to privately notify the software vendor that issued the flawed software. That vendor can then develop a patch and, when the patch is ready for public distribution, the vendor can inform system administrators. In that way, the vulnerability is not publicly disclosed for criminals to exploit before the patch is available.
Computer viruses and worms have been widely known since 1988. Despite this awareness, infection reports continue to show that viruses and worms that are more than one year old are continuing to propagate. This result shows that either computer users are not routinely updating their anti-virus software to protect against the most recent threats or computer users are continuing to operate infected machines, which continue to spew viruses and worms via e-mail. So, even if one accepts the reasoning that malicious code is desirable because it increases awareness of security issues, the increased awareness is practically ineffective, hence this "justification" fails.
Worse, the publicity about security vulnerabilities may encourage additional people to release malicious programs. For example, a number of copycat variants appear soon after a major new malicious program is reported in the news media. Such malicious programs, as well as tool kits for generating new malicious programs, are easily available from many hacker websites. Only minimal computer skills are required to produce and release a malicious program.
Low pressure in automobile tires causes tire failure, which, in turn, causes automobile accidents. Would it be reasonable for someone to walk around in the parking lot, letting some air out of tires, so tires are seriously underinflated, with the justification that the ensuing accidents will call attention to the problem of underinflated tires? This justification is ludicrous in the context of automobile tires and it is no better in the context of computer security.
It is the victim's fault if they are infected by a worm or virus that exploits a known security flaw, for which a patch is available.
It is certainly a good idea to install patches or updates for the software that one uses. However, failure to install such patches or updates is not an invitation to criminals to attack a victim's computer.
Prof. Spafford said:
To attempt to blame these individuals [i.e., computer systems administrators] for the success of the Worm is equivalent to blaming an arson victim because she didn't build her house of fireproof metal.
Eugene H. Spafford, The Internet Worm Incident, Purdue University Computer Science Department Technical Report TR-933, at page 15, 19 Sep 1991.
There is no legal obligation in criminal law for a victim to use the latest or best computer hardware and software. Simply: a victim neither invites nor consents to a crime. However, if a victim were to sue the author of malicious code in tort, then the victim's alleged negligence would be a proper legal issue. It is important to distinguish criminal law from torts, which are part of civil law.
It is ok if the author of the malicious code does not alter or delete any of the victim's data files.No. The victim is still harmed by the cost of removing the malicious program, the costs of lost productivity during the removal of the malicious program, possible exposure of confidential information (e.g., either to a hacker who examines data files via a Trojan Horse program, or a malicious program that sends a document on the victim's computer to potential future victims), among other possible harms. Furthermore, the privacy and property rights of the victim have been violated by the author of malicious code. Any unauthorized access of a computer is, or should be, criminal, regardless of the perpetrator's intent once inside the computer.
The virus/worm was a laboratory experiment gone awry.The Internet, including e-mail, is neither a laboratory nor a playground. Scientists, engineers, professors, businesses, governments, etc. depend on the routine functioning of the Internet for their work, distributing information, and for other public services. Anyone wishing to play with viruses or worms should use a quarantined system that is not connected to the Internet. An "experimenter" must not create a big mess that requires computer system administrators worldwide to devote much time to remove. In considering the actions of Morris, a graduate student at Cornell who released his worm into the Internet, a commission of five Cornell professors said:
This was not a simple act of trespass analogous to wandering through someone's unlocked house without permission[,] but with no intent to cause damage. A more apt analogy would be the driving of a golf cart on a rainy day through most houses in a neighborhood. The driver may have navigated carefully and broken no china, but it should have been obvious to the driver that the mud on the tires would soil the carpets and that the owners would later have to clean up the mess.
Theodore Eisenberg, David Gries, Juris Hartmanis, et al., The Computer Worm, A Report to the Provost of Cornell University ..., p. 7 (see also p. 40), Feb 1989. Summary reprinted in Communications of the ACM, Vol. 32, pp. 706-709, June 1989. Summary also reprinted in Peter J. Denning, editor, Computers Under Attack, Addison-Wesley Publishing Co., 1990. The above quote is on page 258 of Denning's book.It is self-serving to associate a criminal's actions with the prestige of a scientist who does an experiment. Scientists follow a professional code of ethics, in addition to behaving in a lawful way, and avoid harming other people. Scientists work together in a collegial way, with implicit trust. As pointed out by Eisenberg, et al. in The Computer Worm, pages 7, 25, 41, releasing malicious code is a violation of trust.
The virus/worm was "accidentally" released.First, there is no acceptable reason to create malicious software that alters or deletes data files from the victim's hard disk, releases confidential information from the victim's computer along with a copy of the virus/worm to potential future victims, attempts to disable anti-virus software on the victim's computer, or any of the other harms that have been observed in real malicious programs. There is no rational reason to write a program that one intends never to use. Second, if one writes such a destructive program, then one must use extraordinary care (i.e., the same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make certain that the program is never released. Society ought to demand that those who release malicious programs, even if the release is an "accident", be held legally responsible for the damage caused by their malicious programs.
The author of the virus/worm did not know how rapidly the virus/worm would propagate.In my companion essay on Examples of Malicious Computer Programs, I explained why this excuse is bogus.
Although not a common excuse offered by defenders of an author of a malicious computer program, the author himself often seems to believe that his virus/worm is proof of his programming ability.However, careful examination of famous malicious programs that have caused extensive damage shows that these programs commonly contain many programming errors (so-called "bugs"). Such bugs often prevent a malicious program from causing more damage; sometimes bugs make a program worse than its author probably intended. Either way, a program full of bugs is not evidence of programming skill. And, more importantly, someone who writes malicious programs is a criminal, not the type of person who an ethical employer would want to hire. Such specious excuses for authors of malicious code were fairly common from professional programmers in the 1980s, but are less frequent now. The worm released into the Internet by Robert Morris in Nov 1988 seems to have jolted most computer professionals into realizing that ethics and law are essential to the computer profession. Now, specious excuses are mostly offered by criminals and their attorneys.
Harassment & Stalking
In general, the harasser intends to cause emotional distress and has no legitimate purpose to his communications. Harassment can be as simple as continuing to send e-mail to someone who has said they want no further contact with the sender. Harassment may also include threats, sexual remarks, pejorative labels (i.e., hate speech). A particularly disturbing form of harassment is sending a forged e-mail that appears to be from the victim and contains racist remarks, or other embarrassing text, that will tarnish the reputation of the victim. It is often difficult to get law enforcement personnel and prosecutors interested in harassment, unless threats of death or serious bodily harm are made, simply because the resources of the criminal justice system are strained by "more serious" criminal activities. I put "more serious" in quotation marks, because the victim of harassment certainly is adversely affected by the harassment, therefore it is a serious matter to the victim. But the law treats harassment as a misdemeanor, the group of less serious crimes.
Weak Punishment in USA
I have a general concern about the inability of the criminal justice system to either deter criminal conduct or protect society. This concern is particularly acute in the area of computer crime, where immense damage is being done to corporations by computer viruses and worms. Public safety is threatened by criminals who hack into the telephone system and crash 911 services, among other examples. There are many theories that justify punishment of criminals. While severe punishment may not deter criminal conduct, punishment does express the outrage of decent society at criminal conduct. One of the earliest reported cases in federal courts in the USA on computer crime was that of Robert Riggs.U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990), 743 F.Supp. 556 (N.D.Ill. 1990), aff'd, 967 F.2d 561 (11thCir. 1992).Riggs was first convicted in 1986 for his unauthorized use of a computer and was sentenced to a mere 15 days of community service and placed on probation for 18 months. 967 F.2d at 562. In 1990 Riggs was indicted again for making unauthorized access to computers, during which he stole proprietary information from a telephone company. This time he was sentenced to 21 months in prison, followed by two years of "supervised release" during which time he was forbidden to either own or use any computer for his personal use. Riggs was allowed to use computers in his employment, if supervised by someone. This sentence was upheld on appeal. 967 F.2d at 563. In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts airport for six hours, which disabled the air-traffic control system and other critical services. This same hacker also copied patients' records from a computer in a pharmacy on four separate occasions in January, February, and March 1997. This hacker was the first juvenile to be prosecuted by the U.S. Government for computer crime. He pled guilty and was placed on probation for two years, was ordered to provide 250 hours of community service, and forfeited all of the computer equipment used during his criminal activity. I have a long discussion of a few famous malicious programs and the legal punishment of their authors in a separate essay. The point made in that essay is that, out of approximately 61000 malicious programs for the Microsoft Windows operating system, there have been arrests and convictions of the author(s) of only five malicious programs:
the author of a worm released in 1988,
the author and distributors of the MBDF virus,
the author of the Pathogen virus,
the author of the Melissa virus, and
the author of the Anna worm. Except for the author of the Pathogen virus, each of these criminals received very light punishment.
Computer Crime Statutes in USA
There are many federal statutes in the USA that can be used to prosecute computer criminals:
15 USC § 1644, prohibiting fraudulent use of credit cards
18 USC § 1029, prohibiting fraudulent acquisition of telecommunications services
18 USC § 1030, prohibiting unauthorized access to any computer operated by the U.S. Government, financial institution insured by the U.S. Government, federally registered securities dealer, or foreign bank.
18 USC § 1343, prohibiting wire fraud
18 USC § 1361-2, prohibiting malicious mischief
18 USC § 1831, prohibiting stealing of trade secrets
18 USC § 2314, prohibiting interstate transport of stolen, converted, or fraudulently obtained material; does apply to computer data files U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990).
18 USC § 2319 and 17 USC § 506(a), criminal violations of copyright law
18 USC § 2510-11, prohibiting interception of electronic communications
18 USC § 2701, prohibiting access to communications stored on a computer (i.e., privacy of e-mail)
47 USC § 223, prohibiting interstate harassing telephone calls
State Statutes in USA
There is wide variation in state statutes on computer crime in the USA: in my opinion, most state statutes are not adequate to punish computer criminals. California, Minnesota, and Maine are among the few states to prohibit explicitly release of a computer virus or other malicious program.California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8).Minnesota Statutes, §609.87(12) and §609.88(1)(c).Maine Statutes, 17-A (Criminal Code), § 433(1)(C).In states without an explicit statute, release of a malicious program would probably be prosecuted as "malicious mischief". California also provides for the forfeiture of computer systems used in the commission of a computer crime. If the defendant is a minor, the parents' computer system can be forfeited.California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1) In November 1996 and July 1997, I made comprehensive searches of the WESTLAW databases of reported cases in both state and federal courts in the USA on computer crimes. I was surprised to find that, in sharp contrast to most other areas of law, there was very little reported case law on computer crimes, except obscenity cases. I have the impression that most computer criminals who are apprehended plead guilty to a lesser offense (a so-called "plea bargain") and avoid a trial. Plea bargains are common the U.S.A., as they dispose of cases without large investments of prosecutorial and judicial time. In the specific area of computer crimes, prosecuting such a case would be difficult for prosecutors, because the jury would need to learn about complex technical matters. In addition to making life easier for prosecutors and judges, many victims (particularly banks and other corporations) may be embarrassed to admit that some teenager defeated their security features, thus these victims refuse to testify in court.
Sue in tort
In addition to any criminal penalties, victim(s) of computer crimes can sue the perpetrator in tort. For example, unauthorized use of a computer system could be "trespass on chattels". A computer voyeur might also be sued in tort for invasion of privacy or disclosure of a trade secret. A harasser might be sued in tort for intentional infliction of emotional distress.
There is also the possibility of a class action by corporate and personal victims against a person who wrote and initially released a computer virus.The downside of such tort litigation is that the perpetrators are generally young people (often between 12 and 25 years of age) and have little assets that could be seized immediately to satisfy a judgment. On the other hand, judgments in the USA are generally valid for 20 years, so future income of the wrongdoer can be used to satisfy the judgment.
Moreover, the publicity surrounding such a trial might impress potential hackers with the seriousness of such wrongful conduct and deter other potential hackers. In addition, such trials might express the outrage of society at the behavior of hackers.Defendants between 7 and 14 y of age may be sued in tort, but their duty of care is generally less than an adult's duty. There is one exception, when children engage in an adult activity (e.g., fly an airplane), the law imposes an adult's duty of care on the child. Restatement (Second) Torts, § 283A, comment c (1965).
In my opinion, there are good reasons why computer programming (e.g., design of a virus) or hacking qualifies as an "adult activity". However, there appear to be no reported court cases in the USA that have decided this issue.There is another remedy in civil law, besides damages awarded in tort litigation: a victim can get a temporary restraining order (TRO), then an injunction, that enjoins continuance of wrongs (e.g., disclosure of proprietary or private data) that will cause irreparable harm or for which there is no adequate remedy at law.
Journalists
One of the functions of the criminal justice system is to deter crime by other people. Journalists play an important role in this deterrence by reporting on the crime (and how people were harmed), arrest, trial, and sentence of the guilty criminals. One hopes that people contemplating computer crimes will read these reports by journalists, and say to themselves: "I should not write a computer virus, because I don't want to be put in prison like David Lee Smith," the author of the Melissa virus. However, reports of computer crime by journalists are less than satisfactory:
There are no precise, reliable statistics on the amount of computer crime and the economic loss to victims, partly because many of these crimes are apparently not detected by victims, many of these crimes are never reported to authorities, and partly because the losses are often difficult to calculate. Nevertheless, there is a consensus among both law enforcement personnel and computer scientists who specialize in security that both the number of computer crime incidents and the sophistication of computer criminals is increasing rapidly. Estimates are that computer crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might be substantially higher. Experts in computer security, who are not attorneys, speak of "information warfare". While such "information warfare" is just another name for computer crime, the word "warfare" does fairly denote the amount of damage inflicted on society. I have posted a separate document, Tips for Avoiding Computer Crime, which includes suggestions for increasing the security and reliability of personal computers, as well as links to websites on computer viruses, computer crime, and anti-virus and firewall software.
Two comments on word usage in this essay:
I normally write in a gender neutral way, but here I use the masculine pronoun for computer criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist attacking me because I deny equal recognition to women criminals.
To some professional computer programmers, the word "hacker" refers to a skilled programmer and is neither pejorative nor does it refer to criminal activity. However, to most users of English, the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this essay. I originally wrote this essay in May 1999. I do not have the spare time that would be required for a thorough search and analysis of reported cases and statutes on computer crime, as well as newspaper accounts (most criminal proceedings are resolved without generating any judicial decision that is reported in legal databases or books), so my revisions are mostly generalizations.
New crimes in cyberspace
There are three major classes of criminal activity with computers:
-unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program.
-creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).
-harassment and stalking in cyberspace.
-old crimesWhen lay people hear the words "computer crime", they often think of obscene pictures available on the Internet, or solicitation of children for sex by pedophiles via chat rooms on the Internet. The legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in books and magazines, except for some technical issues of personal jurisdiction on the Internet. I have discussed obscenity on the Internet in my May 1997 essay on
Using a computer, a scanner, graphics software, and a high-quality color laser or ink jet printer for forgery or counterfeiting is the same crime as using an old-fashioned printing press with ink.
Stealing a laptop computer with proprietary information stored on the hard disk inside the computer is the same crime as stealing a briefcase that contains papers with proprietary information.
-Using the Internet or online services to solicit sex is similar to other forms of solicitation of sex, and so is not a new crime.
-Using computers can be another way to commit either larceny or fraud. In contrast to merely using computer equipment as a tool to commit old crimes, this essay is concerned with computer crimes that are new ways to harm people.
false originThere are many instances of messages sent in the name of someone who neither wrote the content nor authorized the sending of the message. For example:
-E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the --Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).
-Posting messages in an Internet newsgroup or online bulletin board with a false author's name that is intended to harm the reputation of the real person of that name. These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery, deceit, or fraud.
However, a judge might decide that the specific language in old statutes about writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail addresses or unauthorized sending of e-mail in someone else's name, I would prefer that legislatures broaden the existing criminal statutes for analogous crimes with paper and ink. Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail, also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.
1. Unauthorized UseUnauthorized use of computers tends generally takes the following forms:
Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data is neither deleted nor changed. In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people. Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly confidential] documents from a victim's computer. These malicious programs are a new way to release confidential information from a victim's computer, with the confidential information going not to the author of the malicious program, but to some person unknown to the author of the malicious program.
Changing data.
For example, change a grade on a school transcript, add "money" to a checking account, etc. Unauthorized changing of data is generally a fraudulent act.
Deleting data. Deleting entire files could be an act of vandalism or sabotage.
Denying service to authorized users. On a modern time-sharing computer, any user takes some time and disk space, which is then not available to other users. By "denying service to authorized users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
--by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
by having the computer execute a malicious program that puts the processing unit into an infinite loop, or,
--by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the server. This is called a denial of service (DoS) attack. During 1950-1975, computer programs and data were generally stored on cardboard cards with holes punched in them. If a vandal were to break into an office and either damage or steal the punch cards, the vandal could be adequately punished under traditional law of breaking and entering, vandalism, or theft. However, after about 1975, it became common to enter programs and data from remote terminals (a keyboard and monitor) using a modem and a telephone line. This same technology allowed banks to retrieve a customer's current balance from the bank's central computer, and merchants to process credit card billing without sending paper forms. But this change in technology also meant that a criminal could alter data and programs from his home, without physical entry into the victim's building. The traditional laws were no longer adequate to punish criminals who used computer modems. Most unauthorized use of a computer is accomplished by a person in his home, who uses a modem to access a remote computer. In this way, the computer criminal is acting analogous to a burglar.
The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's property. However, in the unauthorized use of another's computer, the criminal "enters" the computer via the telephone lines, which is not breaking into the building. Either the burglary statute needed to be made more general or new criminal statute(s) needed to be enacted for unauthorized access to a computer. Legislatures chose to enact totally new statutes. To successfully use a remote computer, any user (including criminals) must have both a valid user name and valid password.
There are several basic ways to get these data:
Call up a legitimate user, pretend to be a system administrator, and ask for the user name and password. This sounds ridiculous, but many people will give out such valuable information to anyone who pretends to have a good reason. Not only should you refuse to provide such information, but please report such requests to the management of the online service or the local police, so they can be alert to an active criminal.
Search user's offices for such data, as many people post their user name and password on the side of their monitor or filing cabinet, where these data can be conveniently seen.
Write a program that tries different combinations of user names and passwords until one is accepted.
Use a packet "sniffer" program to find user names and passwords as they travel through networks.
Search through a garbage bin behind the computer building in a university or corporate campus, find trash paper that lists user names and passwords.A disgruntled employee can use his legitimate computer account and password for unauthorized uses of his employer's computer. This can be particularly damaging when the disgruntled employee is the computer system administrator, who knows master password(s) and can enter any user's file area. Such disgruntled employees can perpetrate an "inside job", working from within the employer's building, instead of accessing a computer via modem. The computer voyeurs, like petty criminals who peek in other people's windows, generally hack into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these computer voyeurs also used technology to make long-distance telephone calls for free, which technology also concealed their location when they were hacking into computers. Many of these voyeurs take a special thrill from hacking into military computers, bank computers, and telephone operating system computers, because the security is allegedly higher at these computers, so it is a greater technical challenge to hack into these machines. The criminals who change or delete data, or who deliberately gobble large amounts of computer resources, have a more sinister motive and are capable of doing immense damage. Of course, there is always the possibility that a computer voyeur will "accidentally" bumble around an unfamiliar system and cause appreciable damage to someone else's files or programs. Traditional criminal law in the USA places a great deal of emphasis on willful or intentional conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea (literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately hacks into someone else's computer should be accountable under criminal law for whatever damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I would make an analogy to a homicide that occurs "accidentally" during the commission of a felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking constitutes the malice or intent to cause the damage. In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City. That computer stored records of cancer patients' radiation treatment. Altering files on that computer could have killed patients, which reminded everyone that hacking was a serious problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal computer crime statute.S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480. There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).
Altering websitesIn recent years, there have been a large number of attacks on websites by hackers who are angry with the owner of the website. Victims of such attacks include various U.S. Government agencies, including the White House and FBI. Attacking the FBI website is like poking a lion with a stick.
In November 1999, he defaced the website of DARE America, an organization that campaigns against use of illicit drugs, whose website was in Los Angeles, California.
In February 2000, he defaced the website of RSA Security in Massachusetts.
In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army and Air Force installations.See the New Hampshire
Denial of Service (DoS)
AttacksA denial of service attack occurs when an Internet server is flooded with a nearly continuous stream of bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the webserver.
Criminals have developed a simple technique for executing a distributed DoS attack:
The criminal first plants remote-control programs on dozens of computers that have broadband access to the Internet. The remote-control program will, at the command of the criminal, issue a nearly continuous series of pings to a specified victim's website.
When the criminal is ready to attack, he instructs the programs to begin pinging a specific target address. The computers containing the remote-control programs act as "zombies".
The victim computer responds to each ping, but because the zombie computers gave false source addresses for their pings, the victim computer is unable to establish a connection with the zombie computers. Because the victim computer waits for a response to its return ping, and because there are more zombie computers than victims, the victim computer becomes overwhelmed and either (a) does nothing except respond to bogus pings or (b) crashes.
Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim. This brief duration is not because the criminal is a nice person, but because long-duration attacks make it easier for engineers at the victim's website to promptly trace the source of the attacks. This may sound sophisticated, but the remote-control programs, and instructions for using them, are readily available from many pro-hacker websites since June 1999. My essay, Tips for Avoiding Computer Crime, has specific suggestions for how you can use firewall software on your computer to prevent your computer from being used by criminals in DoS attacks on victims. Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on webservers. A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts. David Dittrich, a senior security engineer at the University of Washington and expert on Unix system administration, has posted a large collection of links to resources on distributed DoS attacks.
The following is one case involving a famous series of DoS attacks:
The Yahoo website was attacked at 10:30 PST on Monday, 7 Feb 2000. The attack lasted three hours. Yahoo was pinged at the rate of one gigabyte/second.
The websites of amazon.com buy.com cnn.com eBay.com were attacked on Tuesday, 8 Feb 2000. Each attack lasted between one and four hours. CNN reported that the attack on its website was the first major attack since its website went online in August 1995.
The websites of E*Trade, a stock broker, and ZDNet, a computer information company, were attacked on Wednesday, 9 Feb 2000.
About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks.
The attacks received the attention of President Clinton and the U.S. Attorney General, Janet Reno. The FBI began to investigate. A CNN news report posted at 18:44 EST on 9 Feb 2000 quotes Ron Dick of the FBI's National Infrastructure Protection Center as saying "A 15-year-old kid could launch these attacks. It doesn't take a great deal of sophistication to do."
His remark was prophetic, because, on 18 April 2000, a 15-year-old pupil in Montréal Canada was arrested and charged with two counts of "mischief to data" arising from his DoS attack on CNN. Because he was a juvenile, his name can not be publicly disclosed, so he was called by his Internet pseudonym Mafiaboy. The Royal Canadian Mounted Police seized Mafiaboy's computer.
CNN reported that Mafiaboy was granted bail, with the following conditions:
"may only use computers under the direct supervision of a teacher."
"prohibited from connecting to the Internet" prohibited from entering "a store or company where computer services or parts are sold." "barred from communicating with three of his closest friends."
On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo. Mafiaboy had also attacked other websites, but prosecutors decided that a total of 66 counts was enough. Mafiaboy pled not guilty.
In November 2000, Mafiaboy's bail was revoked, because he skipped school in violation of a court order. He spent two weeks in jail.
In December 2000, Mafiaboy, now 16 y old, dropped out of school (after being suspended from school six times since the beginning of that academic year, and failing all of his classes except physical education), and was employed at a menial job. He was again granted bail.
On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data and 51 counts of illegal access to computers. As part of a plea agreement between his attorney and prosecutors, the prosecution dismissed the remaining ten counts.
On 20 June 2001, a social worker reported to the court that Mafiaboy "shows no sign of remorse" and "he's still trying to justify what he did was right."
On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a juvenile detention center, then spend one year on probation. Because Mafiaboy was a child at the time of his crime, the maximum sentence that he could have received would be incarceration for two years.
In issuing the sentence, Judge Gilles Ouellet commented:
This is a grave matter. This attack weakened the entire electronic communications system. And the motivation was undeniable, this adolescent had a criminal intent."The above facts are taken from reports at CNN, CBC, CNEWS, and the sentence is reported at wired.com.
Malicious computer programs
The following are general terms for any computer program that is designed to harm its victim(s):
Malicious computer programs are divided into the following classes:
A virus is a program that "infects" an executable file. After infection, the executable file functions in a different way than before: maybe only displaying a benign message on the monitor, maybe deleting some or all files on the user's hard drive, maybe altering data files. There are two key features of a computer virus:
the ability to propagate by attaching itself to executable files (e.g., application programs, operating system, macros, scripts, boot sector of a hard disk or floppy disk, etc.) Running the executable file may make new copies of the virus.
The virus causes harm only after it has infected an executable file and the executable file is run. The word "virus" is also commonly used broadly to include computer viruses, worms, and Trojan Horse programs. For example, so-called "anti-virus software" will remove all three classes of these malicious programs. Beginning with the Melissa virus in 1999, viruses could automatically send e-mail with the victim's name as the alleged source.
A worm is a program that copies itself. The distinction between a virus and worm, is that a virus never copies itself – a virus is copied only when the infected executable file is run. In the pure, original form, a worm neither deleted nor changed files on the victim's computer — the worm simply made multiple copies of itself and sent those copies from the victim's computer, thus clogging disk drives and the Internet with multiple copies of the worm. Releasing such a worm into the Internet will slow the legitimate traffic on the Internet, as continuously increasing amounts of traffic are mere copies of the worm. Beginning with the Klez worm in early 2002, a worm could drop a virus into the victim's computer. This kind of worm became known as a blended threat, because it combined two different types of malicious code.
A Trojan Horse is a deceptively labeled program that contains at least one function that is unknown to the user and that harms the user. A Trojan Horse does not replicate, which distinguishes it from viruses and worms. Some of the more serious Trojan horses allow a hacker to remotely control the victim's computer, perhaps to collect passwords and credit card numbers and send them to the hacker, or perhaps to launch denial of service attacks on websites. Some Trojan Horses are installed on a victim's computer by an intruder, without any knowledge of the victim. Other Trojan Horses are downloaded (perhaps in an attachment in e-mail) and installed by the user, who intends to acquire a benefit that is quite different from the undisclosed true purpose of the Trojan Horse.
A logic bomb is a program that "detonates" when some event occurs. The detonated program might stop working (e.g., go into an infinite loop), crash the computer, release a virus, delete data files, or any of many other harmful possibilities. A time bomb is a type of logic bomb, in which the program detonates when the computer's clock reaches some target date.
A hoax is a warning about a nonexistent malicious program. I have a separate essay that describes how to recognize hoaxes, and how to respond to them. Some confusion about the distinction between a virus and a worm is caused by two distinctly different criteria:
a virus infects an executable file, while a worm is a stand-alone program.
A virus requires human action to propagate (e.g., running an infected program, booting from a disk that has infected boot sectors) even if the human action is inadvertent, while a worm propagates automatically.For most viruses or worms, these two different criteria give the same result. However, there have been a few malicious programs that might be considered a virus by some and a worm by others. Ultimately, the taxonomy matters only to computer scientists who are doing research with these malicious programs. The first computer virus found "in the wild" was written in 1986 in a computer store in Lahore, Pakistan. In the 1980s, computer viruses were generally spread by passing floppy disks from one user to another user. In the late 1990s, computer viruses were generally spread via the Internet, either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an attachment to e-mail) or in programs downloaded from a website. The distribution of viruses via the Internet permitted a much more rapid epidemic, so that more computers could be infected in a shorter time than when floppy disks were used to spread the infection. The first prosecution under the Federal computer crime statute, 18 USC § 1030, was for a release of a worm. Robert Tappan Morris, then a graduate student in computer science at Cornell University, released his worm into the Internet on 2 Nov 1988. The worm rapidly copied itself and effectively shut down the Internet. Morris was convicted of violating 18 USC §1030 in 1990 and the conviction was upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991), cert. denied, 502 U.S. 817 (1991). My long discussion of a few famous malicious programs is in a separate essay, emphasizes the nonexistent or weak punishment of the authors of these programs. There is a reported case under state law for inserting a logic bomb into custom software. Wisc. v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).
"justification" for malicious programsDesigning and releasing malicious computer programs is not only unethical, but also unlawful. However, some people defend the authors of malicious code by offering one or more of the following justifications:
The malicious code exposes security flaws in operating systems and applications software.
There is no doubt that the publicity surrounding an epidemic of a virus or worm increases awareness of security flaws. However, this incidental benefit does not justify the more than US$ 106 cost to clean the malicious code from more than a thousand infected computers.
Regardless of any benefits to society, a worm or virus is still an unauthorized access of a person's computer.
A rational and socially acceptable response to discovering a security flaw is to privately notify the software vendor that issued the flawed software. That vendor can then develop a patch and, when the patch is ready for public distribution, the vendor can inform system administrators. In that way, the vulnerability is not publicly disclosed for criminals to exploit before the patch is available.
Computer viruses and worms have been widely known since 1988. Despite this awareness, infection reports continue to show that viruses and worms that are more than one year old are continuing to propagate. This result shows that either computer users are not routinely updating their anti-virus software to protect against the most recent threats or computer users are continuing to operate infected machines, which continue to spew viruses and worms via e-mail. So, even if one accepts the reasoning that malicious code is desirable because it increases awareness of security issues, the increased awareness is practically ineffective, hence this "justification" fails.
Worse, the publicity about security vulnerabilities may encourage additional people to release malicious programs. For example, a number of copycat variants appear soon after a major new malicious program is reported in the news media. Such malicious programs, as well as tool kits for generating new malicious programs, are easily available from many hacker websites. Only minimal computer skills are required to produce and release a malicious program.
Low pressure in automobile tires causes tire failure, which, in turn, causes automobile accidents. Would it be reasonable for someone to walk around in the parking lot, letting some air out of tires, so tires are seriously underinflated, with the justification that the ensuing accidents will call attention to the problem of underinflated tires? This justification is ludicrous in the context of automobile tires and it is no better in the context of computer security.
It is the victim's fault if they are infected by a worm or virus that exploits a known security flaw, for which a patch is available.
It is certainly a good idea to install patches or updates for the software that one uses. However, failure to install such patches or updates is not an invitation to criminals to attack a victim's computer.
Prof. Spafford said:
To attempt to blame these individuals [i.e., computer systems administrators] for the success of the Worm is equivalent to blaming an arson victim because she didn't build her house of fireproof metal.
Eugene H. Spafford, The Internet Worm Incident, Purdue University Computer Science Department Technical Report TR-933, at page 15, 19 Sep 1991.
There is no legal obligation in criminal law for a victim to use the latest or best computer hardware and software. Simply: a victim neither invites nor consents to a crime. However, if a victim were to sue the author of malicious code in tort, then the victim's alleged negligence would be a proper legal issue. It is important to distinguish criminal law from torts, which are part of civil law.
It is ok if the author of the malicious code does not alter or delete any of the victim's data files.No. The victim is still harmed by the cost of removing the malicious program, the costs of lost productivity during the removal of the malicious program, possible exposure of confidential information (e.g., either to a hacker who examines data files via a Trojan Horse program, or a malicious program that sends a document on the victim's computer to potential future victims), among other possible harms. Furthermore, the privacy and property rights of the victim have been violated by the author of malicious code. Any unauthorized access of a computer is, or should be, criminal, regardless of the perpetrator's intent once inside the computer.
The virus/worm was a laboratory experiment gone awry.The Internet, including e-mail, is neither a laboratory nor a playground. Scientists, engineers, professors, businesses, governments, etc. depend on the routine functioning of the Internet for their work, distributing information, and for other public services. Anyone wishing to play with viruses or worms should use a quarantined system that is not connected to the Internet. An "experimenter" must not create a big mess that requires computer system administrators worldwide to devote much time to remove. In considering the actions of Morris, a graduate student at Cornell who released his worm into the Internet, a commission of five Cornell professors said:
This was not a simple act of trespass analogous to wandering through someone's unlocked house without permission[,] but with no intent to cause damage. A more apt analogy would be the driving of a golf cart on a rainy day through most houses in a neighborhood. The driver may have navigated carefully and broken no china, but it should have been obvious to the driver that the mud on the tires would soil the carpets and that the owners would later have to clean up the mess.
Theodore Eisenberg, David Gries, Juris Hartmanis, et al., The Computer Worm, A Report to the Provost of Cornell University ..., p. 7 (see also p. 40), Feb 1989. Summary reprinted in Communications of the ACM, Vol. 32, pp. 706-709, June 1989. Summary also reprinted in Peter J. Denning, editor, Computers Under Attack, Addison-Wesley Publishing Co., 1990. The above quote is on page 258 of Denning's book.It is self-serving to associate a criminal's actions with the prestige of a scientist who does an experiment. Scientists follow a professional code of ethics, in addition to behaving in a lawful way, and avoid harming other people. Scientists work together in a collegial way, with implicit trust. As pointed out by Eisenberg, et al. in The Computer Worm, pages 7, 25, 41, releasing malicious code is a violation of trust.
The virus/worm was "accidentally" released.First, there is no acceptable reason to create malicious software that alters or deletes data files from the victim's hard disk, releases confidential information from the victim's computer along with a copy of the virus/worm to potential future victims, attempts to disable anti-virus software on the victim's computer, or any of the other harms that have been observed in real malicious programs. There is no rational reason to write a program that one intends never to use. Second, if one writes such a destructive program, then one must use extraordinary care (i.e., the same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make certain that the program is never released. Society ought to demand that those who release malicious programs, even if the release is an "accident", be held legally responsible for the damage caused by their malicious programs.
The author of the virus/worm did not know how rapidly the virus/worm would propagate.In my companion essay on Examples of Malicious Computer Programs, I explained why this excuse is bogus.
Although not a common excuse offered by defenders of an author of a malicious computer program, the author himself often seems to believe that his virus/worm is proof of his programming ability.However, careful examination of famous malicious programs that have caused extensive damage shows that these programs commonly contain many programming errors (so-called "bugs"). Such bugs often prevent a malicious program from causing more damage; sometimes bugs make a program worse than its author probably intended. Either way, a program full of bugs is not evidence of programming skill. And, more importantly, someone who writes malicious programs is a criminal, not the type of person who an ethical employer would want to hire. Such specious excuses for authors of malicious code were fairly common from professional programmers in the 1980s, but are less frequent now. The worm released into the Internet by Robert Morris in Nov 1988 seems to have jolted most computer professionals into realizing that ethics and law are essential to the computer profession. Now, specious excuses are mostly offered by criminals and their attorneys.
Harassment & Stalking
In general, the harasser intends to cause emotional distress and has no legitimate purpose to his communications. Harassment can be as simple as continuing to send e-mail to someone who has said they want no further contact with the sender. Harassment may also include threats, sexual remarks, pejorative labels (i.e., hate speech). A particularly disturbing form of harassment is sending a forged e-mail that appears to be from the victim and contains racist remarks, or other embarrassing text, that will tarnish the reputation of the victim. It is often difficult to get law enforcement personnel and prosecutors interested in harassment, unless threats of death or serious bodily harm are made, simply because the resources of the criminal justice system are strained by "more serious" criminal activities. I put "more serious" in quotation marks, because the victim of harassment certainly is adversely affected by the harassment, therefore it is a serious matter to the victim. But the law treats harassment as a misdemeanor, the group of less serious crimes.
Weak Punishment in USA
I have a general concern about the inability of the criminal justice system to either deter criminal conduct or protect society. This concern is particularly acute in the area of computer crime, where immense damage is being done to corporations by computer viruses and worms. Public safety is threatened by criminals who hack into the telephone system and crash 911 services, among other examples. There are many theories that justify punishment of criminals. While severe punishment may not deter criminal conduct, punishment does express the outrage of decent society at criminal conduct. One of the earliest reported cases in federal courts in the USA on computer crime was that of Robert Riggs.U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990), 743 F.Supp. 556 (N.D.Ill. 1990), aff'd, 967 F.2d 561 (11thCir. 1992).Riggs was first convicted in 1986 for his unauthorized use of a computer and was sentenced to a mere 15 days of community service and placed on probation for 18 months. 967 F.2d at 562. In 1990 Riggs was indicted again for making unauthorized access to computers, during which he stole proprietary information from a telephone company. This time he was sentenced to 21 months in prison, followed by two years of "supervised release" during which time he was forbidden to either own or use any computer for his personal use. Riggs was allowed to use computers in his employment, if supervised by someone. This sentence was upheld on appeal. 967 F.2d at 563. In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts airport for six hours, which disabled the air-traffic control system and other critical services. This same hacker also copied patients' records from a computer in a pharmacy on four separate occasions in January, February, and March 1997. This hacker was the first juvenile to be prosecuted by the U.S. Government for computer crime. He pled guilty and was placed on probation for two years, was ordered to provide 250 hours of community service, and forfeited all of the computer equipment used during his criminal activity. I have a long discussion of a few famous malicious programs and the legal punishment of their authors in a separate essay. The point made in that essay is that, out of approximately 61000 malicious programs for the Microsoft Windows operating system, there have been arrests and convictions of the author(s) of only five malicious programs:
the author of a worm released in 1988,
the author and distributors of the MBDF virus,
the author of the Pathogen virus,
the author of the Melissa virus, and
the author of the Anna worm. Except for the author of the Pathogen virus, each of these criminals received very light punishment.
Computer Crime Statutes in USA
There are many federal statutes in the USA that can be used to prosecute computer criminals:
15 USC § 1644, prohibiting fraudulent use of credit cards
18 USC § 1029, prohibiting fraudulent acquisition of telecommunications services
18 USC § 1030, prohibiting unauthorized access to any computer operated by the U.S. Government, financial institution insured by the U.S. Government, federally registered securities dealer, or foreign bank.
18 USC § 1343, prohibiting wire fraud
18 USC § 1361-2, prohibiting malicious mischief
18 USC § 1831, prohibiting stealing of trade secrets
18 USC § 2314, prohibiting interstate transport of stolen, converted, or fraudulently obtained material; does apply to computer data files U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990).
18 USC § 2319 and 17 USC § 506(a), criminal violations of copyright law
18 USC § 2510-11, prohibiting interception of electronic communications
18 USC § 2701, prohibiting access to communications stored on a computer (i.e., privacy of e-mail)
47 USC § 223, prohibiting interstate harassing telephone calls
State Statutes in USA
There is wide variation in state statutes on computer crime in the USA: in my opinion, most state statutes are not adequate to punish computer criminals. California, Minnesota, and Maine are among the few states to prohibit explicitly release of a computer virus or other malicious program.California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8).Minnesota Statutes, §609.87(12) and §609.88(1)(c).Maine Statutes, 17-A (Criminal Code), § 433(1)(C).In states without an explicit statute, release of a malicious program would probably be prosecuted as "malicious mischief". California also provides for the forfeiture of computer systems used in the commission of a computer crime. If the defendant is a minor, the parents' computer system can be forfeited.California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1) In November 1996 and July 1997, I made comprehensive searches of the WESTLAW databases of reported cases in both state and federal courts in the USA on computer crimes. I was surprised to find that, in sharp contrast to most other areas of law, there was very little reported case law on computer crimes, except obscenity cases. I have the impression that most computer criminals who are apprehended plead guilty to a lesser offense (a so-called "plea bargain") and avoid a trial. Plea bargains are common the U.S.A., as they dispose of cases without large investments of prosecutorial and judicial time. In the specific area of computer crimes, prosecuting such a case would be difficult for prosecutors, because the jury would need to learn about complex technical matters. In addition to making life easier for prosecutors and judges, many victims (particularly banks and other corporations) may be embarrassed to admit that some teenager defeated their security features, thus these victims refuse to testify in court.
Sue in tort
In addition to any criminal penalties, victim(s) of computer crimes can sue the perpetrator in tort. For example, unauthorized use of a computer system could be "trespass on chattels". A computer voyeur might also be sued in tort for invasion of privacy or disclosure of a trade secret. A harasser might be sued in tort for intentional infliction of emotional distress.
There is also the possibility of a class action by corporate and personal victims against a person who wrote and initially released a computer virus.The downside of such tort litigation is that the perpetrators are generally young people (often between 12 and 25 years of age) and have little assets that could be seized immediately to satisfy a judgment. On the other hand, judgments in the USA are generally valid for 20 years, so future income of the wrongdoer can be used to satisfy the judgment.
Moreover, the publicity surrounding such a trial might impress potential hackers with the seriousness of such wrongful conduct and deter other potential hackers. In addition, such trials might express the outrage of society at the behavior of hackers.Defendants between 7 and 14 y of age may be sued in tort, but their duty of care is generally less than an adult's duty. There is one exception, when children engage in an adult activity (e.g., fly an airplane), the law imposes an adult's duty of care on the child. Restatement (Second) Torts, § 283A, comment c (1965).
In my opinion, there are good reasons why computer programming (e.g., design of a virus) or hacking qualifies as an "adult activity". However, there appear to be no reported court cases in the USA that have decided this issue.There is another remedy in civil law, besides damages awarded in tort litigation: a victim can get a temporary restraining order (TRO), then an injunction, that enjoins continuance of wrongs (e.g., disclosure of proprietary or private data) that will cause irreparable harm or for which there is no adequate remedy at law.
Journalists
One of the functions of the criminal justice system is to deter crime by other people. Journalists play an important role in this deterrence by reporting on the crime (and how people were harmed), arrest, trial, and sentence of the guilty criminals. One hopes that people contemplating computer crimes will read these reports by journalists, and say to themselves: "I should not write a computer virus, because I don't want to be put in prison like David Lee Smith," the author of the Melissa virus. However, reports of computer crime by journalists are less than satisfactory:
- Journalists often glorify or praise the criminal suspect, by admiring his programming "talent", or even calling him a "genius". In the 1980s, most hackers committed fraud to get a username and password for a computer account, and then logged on to the computer without proper authorization, and browsed through files, copying some, deleting or altering others. Such work does not require any knowledge of computer programming, just a rudimentary knowledge of a few operating system commands. Since 2000, authors of malicious programs use resources readily available on the Internet to create a "new" computer virus or worm, or launch a denial of service attack. Again, such activities do not demonstrate a high level of proficiency in computer programming. It is an anti-social act for journalists to praise the exploits of hackers: hackers are criminals who deserve scorn and ostracism. And when hackers are publicly praised as geniuses, the wrong message is sent to serious students in computer science who behave ethically and who are ignored by journalists, despite the fact that the students are both smarter and more ethical than hackers.
- I have noticed that many online newspapers: devote considerable space to reporting the crime when it happens, describe the arrest of the criminal suspect in detail, but the trial of the suspect receives less attention from journalists, and the verdict and sentence often go unreported in the media.If punishment is to have a deterrent effect on other people, then the coverage of the trial, verdict, and sentence must be increased. Aside from my main point about deterrence of future crimes, by reporting of sentencing and punishment of computer criminals, there is another issue. The widespread reporting of the crime and the arrest of a suspect tarnishes the name of the suspect, by linking the crime and the suspect's name in people's minds. However, the suspect might later be found not guilty of the crime. The lack of reporting of the trial and its outcome provides no opportunity for an innocent suspect to rehabilitate his good name.
- Part of the problem is that many journalists who write about computer crime are themselves computer-illiterate. (Their ignorance shows in the technical mistakes made in their articles.) From the perspective of a computer-illiterate journalist, the work of a computer criminal may indeed be incomprehensible. Arthur C. Clarke said anything sufficiently advanced appears as magic. That may be, but it is unprofessional for journalists to write on subjects that they do not personally understand. News media hire journalists who understand economics and finance to report business news, and journalists who understand sports to report on sports, so why can't the news media hire journalists who understand computers to report on computer crime?
The fundamental issue in most computer crime is the criminals' lack of respect for the property or privacy of other people. I hope that society will recognize the seriousness of computer crime and demand more severe punishment for such criminals.
Subscribe to:
Posts (Atom)