A. Defining Computer Crime
B. Types of Computer-Related Offenses II. FEDERAL APPROACHES
A. Federal Criminal Code
1. Computer Abuse Amendments Act of 1994
a. Offenses Under the Statute
2. Other Statutes
a. Copyright Act
b. National Stolen Property Act
c. Mail and Wire Fraud
d. Electronic Communications Privacy Act
e. Telecommunications Act of 1996
B. Enforcement Strategies
1. Computer Fraud and Abuse Act
2. Other Statutes
a. Copyright Act
b. National Stolen Property Act
c. Mail and Wire Fraud
d. Electronic Communications Privacy Act
D. Ancillary Issues
1. Searches of Computer Records
2. First Amendment Issues III. STATE APPROACHES
A. Overview of State Criminal Codes
B. Conflict Between State and Federal Laws
C. Prosecution of Computer-Related Crimes IV. INTERNATIONAL APPROACHES V. RECENT DEVELOPMENTS
This article tracks developments in computer-related criminal law and legal literature. An analysis of federal computer crime legislation and enforcement, and a discussion of state and international approaches are presented in the article. Finally, recent developments in this area are reviewed.
A. Defining Computer Crime
The rapid emergence of computer technologies has spawned a variety of new criminal behaviors and an explosion in specialized legislation to combat them.(1) While computer crimes include traditional crimes committed with a computer, the term also encompasses offenses against intellectual property and other crimes that do not fall within traditional criminal statutes. The diversity of computer-related offenses thus demands a broad definition. The Department of Justice defines computer crimes as "any violations of criminal law that involve[s] a knowledge of computer technology for their perpetration, investigation, or prosecution."(2)
Estimates of the predominant sources and extent of computer crimes vary. Many experts value losses due to computer crimes in the hundreds of millions and even in the billions of dollars.(3) While the exploits of youthful computer hackers have received the most press coverage,(4) experts maintain that insider crimes committed by disgruntled or greedy employees have caused far more damage.(5)
B. Types of Computer-Related Offenses
There are no "typical" computer-related crimes and no typical motive for committing such crimes.(6) Computer criminals can be teenage hackers, disgruntled employees, mischievous technicians, or international terrorists.(7) However, classifying computer-related crimes by considering the role the computer plays in a particular crime is possible.(8)
First, a computer may be the "object"(9) of a crime, meaning the computer itself is targeted. In this category are theft of computer processor time and computerized services. Second, the computer may be the "subject"(10) of a crime. In these cases, the computer is the physical site of a crime, or is the source of or reason for unique forms of assets lost.(11) The use of "viruses'"(12) and "logic bombs"(13) fit into this category. These crimes present novel legal problems because of the intangible nature of the electronic information that is the object of the crime.(14) Third, a computer may be an "instrument"(15) used to commit traditional crimes, such as theft, fraud, embezzlement, or trespass,(16) but in a more complex manner.(17) For example, a computer might be used to scan telephone codes automatically to make unauthorized use of a telephone system.(18)
II. FEDERAL APPROACHES
A. Federal Criminal Code
Congress has treated computer-related crimes as distinct federal offenses since 1984 after passage of the Counterfeit Access Device and Computer Fraud and Abuse Law.(19) Since they passed the 1984 Act, the volume of such legislation has expanded greatly to address the many types of computer-related crimes. However, massive inter-networking within a decentralized computer industry make regulation extremely difficult.(20) Regulation began as a piecemeal effort, and initially regulators were unaware of the full scope of the problem.(21) As more data about computer crimes has become available, the law has attempted to adapt with the Computer Abuse Amendments Act of 1994.(22) This section examines the major federal statutes directed at computer-related crimes and some of their practical shortcomings.
1. Computer Abuse Amendments Act of 1994
The current version of the Computer Abuse Act, titled the Computer Abuse Amendments Act of 1994,(23) attempts to address the criticisms(24) of its previous version, the Computer Fraud and Abuse Act of 1986.(25) The 1994 Act prohibits unauthorized, intentional access to federal interest computers.(26)
a. Offenses Under the Statute
The statute proscribes six types of illegal activities.(27) Sections 1030(a)(1)-(3) prohibit unauthorized access of a computer: (1) to obtain information relating to national defense or foreign relations;(28) (2) to obtain information in a financial record of a financial institution or consumer reporting agency;(29) or (3) to manipulate information on a computer that would adversely affect(30) the United States government's operation of the computer.(31) Section 1030(a)(4) of the statute prohibits accessing a "federal interest computer" without or in excess of authorization and with intent to defraud or obtain anything of value.(32)
Subsection 1030(a)(5) prohibits the intentional(33) access of a "federal interest computer" without authorization, where such access alters, damages, or destroys information, or prevents "authorized use" of the computer.(34) The 1994 Act includes three significant additions to [sections] 1030(a)(5), amending the 1986 Act. First, the 1994 Act changes coverage from acts committed on federal interest computers and affecting such computers to acts committed on computers used in interstate commerce or communications and affecting any computer.(35) Second, the threshold requirement of "unauthorized access" has been removed.(36) As a result, the class of those potentially liable has been expanded to include, among others, company insiders and users of computer networks who were arguably immune under the 1986 Act because their access was authorized.(37) Finally, the 1994 Act criminalizes certain types of reckless conduct in addition to intentional acts.(38) This may facilitate prosecution of hackers who cause the transmission of malevolent software, such as computer viruses, if such actions are sufficiently reckless but would not have been considered intentional under the 1986 Act.(39)
Finally, [sections] 1030(a)(6) prohibits: "knowingly," and with intent to defraud, trafficking in passwords which either would permit unauthorized access to a government computer, or affect interstate or foreign commerce.(40)
Under the amended statute' intentional computer crimes committed on interstate computers are felonies,(41) while reckless acts on interstate computers are misdemeanors.(42) The 1994 Act also provides an incentive for victims to report computer-related crimes by allowing civil remedies for victims of intentional computer crimes.(43) Additionally, the 1994 Act amends subsection (a)(3) to insert "adversely" before "affects the use of the Government's operation of such computer,"(44) implying that a trespasser might affect the computer benignly and escape prosecution.
Punishment for an attempt to commit an offense is identical under this section to punishment for commission of an offense.(45) The 1986 Act expressly grants investigatory authority to the United States Secret Service, in addition to any other agency having such authority.(46)
There are a variety of defenses available under [sections] 1030, including defenses relating to jurisdiction, statutory interpretation, damages, and intent.
For acts covered by the 1986 Act, a "federal interest" computer must be used and affected.(47) If an individual installs a virus that damages a network without federal interest computers, that person's conduct is not covered by the federal statute.(48)
Defenses to charges under the 1986 Act may also focus on undefined portions of the statutory language.(49) However, in United States v. Morris,(50) the Second Circuit rejected a defense based on ambiguities in the statutory language.(51) Furthermore, the 1994 Act may have closed some of the loopholes if courts interpret the "reckless disregard" provision to reach programmers who introduce a virus into a network by giving an innocent third party an infected program.(52)
Another defense to charges under either the.1986 Act or the 1994 Act is that the requisite $1,000 loss did not occur. Neither the 1986 Act nor the Morris decision articulate how to calculate this loss.(53) However, in United States v. Sablan,(54) only those losses directly resulting from the defendant's criminal activity were included. The Sablan court measured the direct losses, which amounted to over $20,000, by a "reasonable estimate" given the "available information," and utilizing a valuation based on the damaged business' normal business charges.(55) Even if a dollar value can be attached to a loss, there is still some question whether the government can aggregate losses or whether there must be $1,000 worth of damage at one particular site.(56)
Another available defense under both the 1986 Act and the 1994 Act is that a defendant lacked the requisite intent. The intent defense to charges under the 1986 Act has been narrowed by limiting the issue to the intent to access the computer.(57) In Morris, the Second Circuit rejected the contention that the adverb "intentionally" in the 1986 Act requires both intentional access and intentional harm; all that is required is intentional access.(58) The Sablan(59) court not only adopted the rule announced in Morris, but also upheld the constitutionality of the computer fraud statute's mens rea requirement. As a result, once intentional access is proven, courts will reject a defense claiming that the effects of a program exceeded the programmer's intentions. The 1994 Act affirms the Morris and Sablan holdings by criminalizing certain reckless conduct.(60)
2. Other Statutes
Other statutes have been useful in prosecuting computer-related crimes falling outside the Computer Fraud and Abuse Act. Computer-related crimes can be charged under at least forty different federal statutes.(61) The following discussion provides a brief overview of the statutes most commonly used to prosecute computer-related crimes which are not covered by the Computer Fraud and Abuse Act.(62) Such offenses range from theft of computer software to unauthorized access of a computer system without causing damage.(63)
a. Copyright Act
Any person who unlawfully copies and distributes software may be subject to punishment for criminal copyright infringement.(64) The criminal copyright infringement statute has three elements: (1) infringement of a copyright; (2) done willfully; and (3) for commercial advantage or private financial gain.(65) The first element of copyright infringement may be satisfied by the mere unauthorized copying of computer software'(66) but the second and third elements are often more difficult to prove.(67)
b. National Stolen Property Act
The National Stolen Property Act(68) prohibits the transportation in interstate commerce of "any goods, wares, securities or money" valued at $5,000 or more and known to be stolen or fraudulently obtained.(69) This statute has been applied to various computer-related crimes, including fraudulent computerized transfers of funds.(70) Courts have held that computer software does not constitute "goods" or "wares" under the National Stolen Property Act if the programs were solely in an intangible form.(71) However, courts have distinguished theft of software alone from theft of tangible hardware, determining that the latter constitutes "goods" and "wares" as protected by the National Stolen Property Act.(72)
c. Mail and Wire Fraud
The federal mail and wire fraud statutes(73) prohibit using interstate wire communications or the mails to further a fraudulent scheme to obtain money or property.(74) One commentator suggests that these statutes would seem to apply to "any computer-aided theft involving the use of interstate wire, the mails or a federally insured bank."(75) Several cases have so held.(76) Furthermore, any attempt to obtain an unauthorized copy of a computer program in an intangible form may be covered by the mail and wire fraud statutes.(77) However, district courts have divided on the issue of whether the wire fraud statute reaches copyrighted material.(78)
d. Electronic Communications Privacy Act
The Electronic Communications Privacy Act of 1986(79) (ECPA) updated the federal law pertaining to wire and electronic communications interception(80) to prohibit unauthorized interception of computer communications.(81) Additionally, it created a new offense of obtaining, altering, or preventing authorized access to data stored electronically in a facility through intentional, unauthorized access of the facility.(82) The offense created by [sections] 2701 seems to provide additional deterrence to hacking, although there have been no successful prosecutions under the statute.(83)
The ECPA was intended to prevent hackers from intercepting computer communications by: (1) expanding the protection of individuals' privacy;(84) and (2) expanding the number of crimes that can be investigated through electronic surveillance methods.(85) In the context of modification of satellite television descramblers, arguably analogous to computer crimes, the majority of courts favor a broad interpretation of the ECPA.(86) Thus, the statute may also be interpreted broadly to apply to computer-related crime. Section 2707(a) provides for civil damages for violations of [sections] 2701, and it is possible that governmental "entities" may fall within the scope of civil liability.(87)
e. Telecommunications Act of 1996
The Telecommunications Act of 1996(88) was enacted to restructure the telecommunications industry and encourage the rapid deployment of new telecommunications technologies. Title V of the Telecommunications Act of 1996 is the Communications Decency Act of 1996 ("CDA"). The CDA establishes new computer crimes. Under the CDA, a modem is a telecommunications device, and under [sections] 223(a)(1)(B) obscene or indecent communications via such devices are criminalized. In addition, [sections] 223 (d)(1) of the CDA criminalizes the use of an interactive computer service to send or display patently offensive sexual or excretory activities or organs to a person under age 18. Defenses to subsections (a) or (d) include not creating the content of a communication although providing access or connections and the absence of employer liability unless knowing or reckless. More limited defenses include good faith, reasonable efforts to prevent communications access to minors, restricted access using verified credit cards, debit accounts, adult access codes/indentification numbers or other FCC described measures. The constitutionality of the CDA was challenged in court immediately upon its being signed into law. At the time of this writing, the cases are still at the district court level and the courts have held the CDA unconstitutional on its face.(89)
B. Enforcement Strategies
Although federal computer crime laws were drafted to aid prosecutors, there have been few indictments under these laws. The 1984 Computer Abuse Act resulted in only one prosecution.(90) Between January 1989 and April 1993, there were only seventy-six convictions under 18 U.S.C. [sections] 1030.(91) Of the fifty cases studied, more than half were convictions for general fraud under [sections] 1030(a)(4).(92)
The reason for the scarcity of prosecutions under the 1984 and 1986 Acts is unclear, but three possible causes warrant consideration. First, there are not many reported instances of computer crimes involving "federal interest" computers. Furthermore, owners of large federal interest computers may prefer to handle security problems themselves to avoid the embarrassment of a public trial focusing on the vulnerability of their computers.(93) It remains to be seen whether the broadened scope of the 1994 Act and its provision of civil remedies will lead to increased prosecution. Second, computer crimes which might be characterized as federal crimes may instead be prosecuted under state computer crime laws. As more people are successfully prosecuted under state computer crime laws, prosecutions in the federal sphere may be encouraged.(94) Third, many prosecutors are limited by laws originally designed to target other media which fail to effectively include computer crime or that are too inflexible to encompass advancing technology.(95)
Law enforcement officials fear that the development of encryption devices will further hinder their ability to enforce computer crime laws. Powerful encryption software has become increasingly accessible, enabling users to effectively prevent even the National Security Agency from decoding messages.(96)
While the volume of computer-crime prosecution is low, federal authorities are taking steps to raise the profile of computer-crime prosecution.(97) Enforcement against well-known hackers appears to be on the rise.(98) In addition, federal prosecutors are securing controversial indictments for computer crimes under a broad reading of wire fraud and criminal copyright infringement statutes.(99) Finally, the proliferation of computer bulletin boards and other on-line services has led to prosecution of illegal distribution of computerized pornographic materials(100) and of computer-related sexual assault on minors.(101)
In late 1991, the Department of Justice established the Computer Crime Unit ("CCU") within the Criminal Division. The CCU was given the responsibility for prosecuting computer crimes, lobbying for strengthened penalties, and pushing for expanded coverage of the federal computer crime statues.(102) However, there have been few judicial opinions under the 1986 Act since the new Computer Crime Unit was established.(103)
1. Computer Fraud and Abuse Act
As part of the Violent Crime Control and Law Enforcement Act of 1994, the maximum monetary limitations on fines for sentencing of computer-related crimes were eliminated from provisions in several federal statutes, including the Computer Fraud and Abuse Act(104) Subsection (c) sets forth the punishment for an offense under the Act. Punishment depends on which specific prohibited act was committed under subsections (a) and (b).(105)
Violators of [subsections] 1030(a) and (b) are sentenced under the Federal Sentencing Guidelines.(106) These guidelines determine the base offense level for violations of [subsections] 1030(a)(1),(107) 1030(a)(2)-(6),(108) and 1030(b).(109) While courts are allowed to depart from the Guidelines under certain circumstances when sentencing a defendant for a violation of the Act, they rarely do so.(110)
2. Other Statutes
a. Copyright Act
The punishment for criminal copyright infringement is set forth in [sections] 2319 of title 18.(111) Section 2319(b) provides variable prison terms and fines for copyright infringements through the reproduction or distribution of phonorecords with a retail value of more than $2,500.(112) First-time offenders who sell more than ten copies or phonorecords of a copyrighted work within an 180-day period, could face up to five years in prison; subsequent offenders can face up to ten years imprisonment.(113)
Defendants convicted of criminal copyright infringement are sentenced under [sections] 2B5.3.(114) The base offense level is six.(115) If the retail value of the infringing items exceeds $2,000, then the offense level is increased by the corresponding number of levels from the table in [sections] 2F1.1.(116)
b. National Stolen Property Act
Punishment for a violation of the National Stolen Property Act may include either a fine under Title 18, imprisonment of not more than ten years, or both.(117) Defendants convicted of violating the National Stolen Property Act are sentenced under [sections] 2B1.1.(118) The base offense level of four is based upon a total loss to the victim of $100.(119) The offense level is raised as the financial loss to the victim increases, up to a maximum increase of twenty offense levels for a loss exceeding $80,000,000.(120) If the offense involved more than minimal planning, the offense level is increased by two levels.(121) Additionally, if the defendant is a person in the business of receiving and selling stolen property, the offense level is increased by four levels.(122)
c. Mail and Wire Fraud
Violations of the mail and wire fraud statutes are punishable by fines, imprisonment of up to five years, or both.(123) If the violation affects a financial institution, the punishment is a fine of not more than $1,000,000, imprisonment of not more than thirty years, or both.(124)
Defendants convicted of mail and wire fraud are subject to sentencing provisions under [subsections] 2C1.7 and 2F1.1.(125) The base offense level is ten, and is raised according to a table in [sections] 2F1.1 if the loss to the government or the value gained by a public official exceeds $2000. If the offense involves an elected official or one holding a decision-making or sensitive position, the offense level is increased by eight.(126)
d. Electronic Communications Privacy Act
Punishment for violation of the Electronic Communications Privacy Act is provided for in 18 U.S.C. [subsections] 2511 and 2701. A violation of [sections] 2511(1) can result in a fine, imprisonment for not more than five years, or both.(127) For first-time offenders under [sections] 2511(4)(a), when the statute is violated for purposes other than for financial gain and the illegally received communication is not scrambled or part of a cellular telephone communication, punishment is limited to imprisonment of not more than one year, and a fine under Title 18.(128)
If violation of [sections] 2701(a) is for financial gain, a first time offender shall be fined under Title 18, imprisoned for not more than one year, or both.(129) A repeat offender shall be fined according to Title 18, imprisoned for not more than two years, or both.(130) Other violations of [sections] 2701(a) could result in fines under Title 18, a maximum imprisonment of six months, or both.(131)
D. Ancillary Issues
1. Searches of Computer Records
In United States v. Sawyer,(132) a search warrant listing general categories of business records, including "computer records and printouts relating to customer accounts, which are evidence and fruits of, and the means of commission of violations of [certain U.S. statutes]," withstood Fourth Amendment(133) scrutiny.(134) The court stated that the particularity requirement of the Fourth Amendment must be applied flexibly, and in cases involving a "pervasive scheme to defraud, all the business records of the enterprise may properly be seized."(135) The seizure of computer disks is allowed even when the warrant refers only to records and documents.(136) Police with a warrant to seize records may search computer hardware and software so long as they have reason to believe that the items contain records whose seizure is covered by the warrant.(137) When police conduct such a search, they may seize and examine a disk, even if its label indicates that it does not contain information within the scope of the warrant.(138) The police may take the hardware and software off the premises to conduct their examination.(139) They may not, however, seize peripheral items, such as printers, to assist them in their review of the seized items.(140) Finally, assistance of advisers to identify computer-related items encompassed by a search warrant is permissible.(141)
2. First Amendment Issues
An interesting overlap exists between Fourth Amendment and First Amendment(142) issues. The question for debate is whether electronic data constitutes speech, and whether a computer which disseminates this data to the public can be considered a "newspaper" which enjoys the freedoms protected by the First Amendment and the Privacy Protection Act of 1980.(143) The First Amendment may protect some records from seizure,(144) and may also protect the internet from content regulation.(145)
III. STATE APPROACHES
A. Overview of State Criminal Codes
Since attempts to apply general criminal codes to computer-related offenses were largely unsuccessful,(146) and because of the serious economic threats posed by such crime, states began to enact statutes specially drafted for the emerging computer technologies.(147) The first specialized computer crime statute was enacted in Florida in 1978.(148) Since then, every state except Vermont has enacted some form of computer-specific criminal statute.(149) The precise definitions and penalties in these specialized provisions offer significant advantages over general criminal codes by explicitly addressing the unique issues posed by computer crimes, thereby promoting computer security, enhancing deterrence, and facilitating prosecution.(150) Recent reforms in state computer crime statutes have featured provisions expanding forfeiture of computer equipment used in crimes, with several states enacting provisions which allow state authorities to seize property involved in computer crimes.(151) While Federal law does not yet define any crimes relating to the sending of electronic mail,(152) a few states have begun to respond to the growing concerns of on-line harassment. A handful of states have criminalized threats and specifically included electronic communication under "unconsented contact" in anti-stalking statutes,(153) and incorporated computers and electronic communications devices into general telephone harassment statutes.(154) However, these statutes may face significant constitutional challenges.(155)
Other states have recognized that catching and prosecuting computer criminals may be much more difficult than preventing computer crimes. For instance, Nebraska's computer crime statute permits potential victims of computer crimes to implement their own security measures.(156) Some states, such as Arkansas, Georgia, Oklahoma, and Rhode Island, have statutes encouraging victims of computer crimes to come forward by providing a civil cause of action for compensatory damages.(157)
One commentator has discerned the following ten areas addressed by state computer crime statutes.(158)
1. Expansion of the traditional concept of property. These statutes attack computer-related crimes by expanding the traditional notion of "property" to include electronic and computer technologies.(159)
2. Destruction. Many states criminalize acts which "alter, damage, delete or destroy computer programs or files."(160)
3. Aiding and abetting. Some statutes prohibit use of a computer to facilitate the commission of a crime such as embezzlement or fraud.(161)
4. Crimes against intellectual property. This type of statute defines new offenses in terms that are analogous to trespassing (unauthorized computer access), vandalism (maliciously altering or deleting data), and theft (copying programs or data). No actual damage is required to prosecute under such a statute.(162)
5. Knowing, unauthorized use. These statutes prohibit the act of "accessing" or "using" computer systems beyond the consent of the owner.(163)
6. Unauthorized copying. This unusual approach appears to be a close cousin of federal criminal copyright infringement. Few states have defined copying programs and data as a distinct state offense.(164)
7. Prevention of authorized use. This approach, taken by approximately one-fourth of the states, outlaws any activity which impairs the ability of authorized users to obtain the full utility of their computer systems. Unauthorized execution of programs which slow down the computer's ability to process information falls under such statutes.(165)
8. Unlawful insertion or contamination. These statutes criminalize the highly publicized "viruses," "worms," and "logic bombs" which may be planted on computers or transmitted over telephone lines or on floppy disks. Unlawful insertion provisions do not require actual "access" of a computer by the offender because the offending programs may be communicated indirectly over networks or on floppy disks by offenders who never use the affected computer.(166)
9. Computer voyeurism. Computers contain a wide range of confidential personal information. To protect the public's right to privacy in this information, several states have enacted laws criminalizing unauthorized access to a computer system even if only to examine its contents and not make any changes or extract any data.(167)
10. "Taking possession." These provisions prohibit the act of assuming control over a computer system and its contents without authorization.(168)
B. Conflict Between Federal and State Laws
The growth of state computer crime legislation has created conflicts between federal and state authorities in prosecuting computer criminals. State computer crime laws have criminalized a broad range of conduct including unauthorized access, computer fraud, and theft or misuse of computer programs and user time on shared networks.(169) Those state statutes dealing with theft or misuse of copy rightable material, such as computer programs, raise an immediate federalism issue, as copyright law remains the exclusive domain of the federal government.(170)
In Rosciszewski v. Arete Assoc., Inc.,(171) the Fourth Circuit ruled that the section of Virginia's Computer Crimes Act(172) covering reproduction of a copyrighted computer program was pre-empted by the Federal Copyright Act;(173) thus, only the federal government could prosecute illegal copying of computer software. In ruling for federal pre-emption of the Virginia Act, the court held that the state law's mens rea requirement "does not add an element qualitatively changing the state claim from one of unauthorized copying."(174)
Although few reported cases have considered the conflict between federal copyright law and state computer crime statutes,(175) the reasoning in Rosciszewski could probably invalidate several other state laws implicating federal intellectual property laws.(176) As one commentator observed, the Rosciszewski decision may seriously hamper states' efforts to prosecute computer criminals.(177) As the volume and economic harm caused by computer crimes grows, state and federal law enforcement resources will be increasingly taxed. Rosciszewski, by foreclosing any state prosecution of conduct involving computer software, would put the burden increasingly on a federal legal system which, thus far, has not actively prosecuted in this area.(178)
C. Prosecution of Computer-Related Crimes
Venue provisions are included in some states' laws regarding computer-related crimes.(179) Some states deem a violation to occur where any act performed in furtherance of the offense occurs, where the victim's residence or principle place of business is located, or where an unlawfully accessed computer system is located. Since modems allow a person who commits a computer crime to access a computer miles away, an offender could conceivably face prosecution in more than one jurisdiction.(180)
However, the highly technical nature of computer crimes and the evidentiary difficulties of proving unauthorized access to or modification of a computer system have led to the result that only a handful of cases involving computer-related crime have been prosecuted in state courts,(181) and most have dealt with defining the meaning of the terms used in the particular state statute.(182)
Despite the extremely limited body of precedent, several state supreme and appellate courts have recently handed down decisions fleshing out the computer crime statutes of their respective states.(183) These decisions reflect the mix of political and policy concerns state judges face in tackling the unique technical, definitional, and evidentiary problems posed by computer crimes, and may lead courts to place greater emphasis on the net results of a defendant's actions when determining the scope of impermissible access to computer programs and data under computer crime statutes.(184)
IV. INTERNATIONAL APPROACHES
There is general agreement among national governments and multilateral organizations that a coordinated international effort to fight computer crimes is necessary.(185) Many computer systems can be easily and surreptitiously accessed through the global telecommunications network from anywhere in the world.(186) International financial institutions are common targets for computer fraud and embezzlement schemes.(187) The development of sophisticated computer technology has also enabled organized crime groups to bypass government detection and enter into the international realm of drug trafficking and money laundering.(188) In addition, the specter of computer terrorism(189) calls for an international strategy to preserve global security.(190)
While "computer crime" remains loosely defined, most industrialized countries have amended their legislation to address four needs created by computer crimes: (1) protection of privacy; (2) prosecution of economic crimes; (3) protection of intellectual property; (4) and procedural provisions to aid in the prosecution of computer crimes.(191) Worldwide, national governments are adopting computer-specific criminal codes that address unauthorized access and manipulation of data, similar to the Computer Fraud and Abuse Act of 1986 in the United States.(192) Criminalization of copyright infringement is also gaining momentum around the world.(193) In general, countries have taken three approaches in criminalizing computer offenses. First, the "evolutionary" approach simply incorporates computer offenses into existing statutes. Second, "computer-specific offenses" may be defined in terms of existing crimes. Third, "computer-specific statutes" define entirely new crimes.(194)
In addition to the criminalization of new computer offenses, many nations are facing the problem of the "computerization" of traditional offenses. Countries which are restrictive in their political discourse are facing the problem that the Internet provides a source of "illegal" information which is difficult to regulate.(195) Moreover, what is "acceptable" speech in the various countries on the "information super-highway" differs greatly. In Germany, for example, the dissemination of Nazi propaganda denying the Holocaust is illegal.(196) Such material, however, is easily accessible via the World Wide Web.(197) While Germany has chosen to target Internet Service providers in their efforts to curb this problem,(198) it is conceivable that nations may begin targeting the individuals who create "objectionable" home-pages.
While a number of differences remain,(199) there are significant areas of convergence in national legislation.(200) By defining specific new offenses and penalties, these codes avoid analytical difficulties that arise when general criminal laws are applied to computer crimes. But even when computer-specific criminal statutes are in place, prosecution in a number of industrialized countries could continue to be hindered until the rules of evidence are adapted to computer crimes.(201)
Comparing the experiences of other nations can assist with evaluating the success of American computer crime proposals. The Netherlands, for example, passed a strict anti-hacker code in 1992.(202) Dutch computer crime police reported that the number of cases they had to handle doubled from 1991 to 1992.(203) The Dutch law's approach focuses on unauthorized access to secured computer systems. By excluding unsecured systems, the law provides incentives to improve computer security. The penalties provided by the Dutch code vary, depending upon the severity of the intrusion.(204)
Ultimately, the global interconnection of vulnerable computer systems may require a uniform legal framework for dealing with multinational computer-related crimes. One possible solution, according to a commentator, is to adopt an international convention standardizing domestic statutes and facilitating cooperative enforcement efforts.(205) In order to achieve an effective reduction in international computer-related crimes, several essential goals have also been recommended: (1) consistent extradition of criminals; (2) cooperation in the retention of witnesses and evidence; (3) recognition and enforcement of criminal judgments issued by a nation's court; and (4) a combined effort between each nation's law enforcement and prosecutorial organizations.(206)
International organizations and private corporations are each working to combat computer crimes. International organizations have contributed to the drive to harmonize national legislation.(207) The Business Software Alliance,(208) a software industry trade group, has launched an international copyright enforcement program involving national software trade associations and law enforcement agencies which have begun by focusing on distribution of counterfeit software.(209) According to that group, international software piracy costs United States software makers $12 billion dollars annually.(210)
Infiltration of international computer networks has also prompted greater private-sector initiatives.(211) Currently, American computer companies have been restricted from exporting strong security encryption programs(212) because they are considered an effective way for terrorists and organized crime groups to communicate without fear of government intervention.(213) In October of 1996, however, President Clinton issued an executive order permitting companies to export stronger encryption systems. Controversially, the White House established the condition that in the next two years the computer industry must develop a key escrow system.(214) Key escrow systems have been under near continuous attack from both the general public and Congress.(215) It is therefore highly probable that the 105th Congress will revive proposed legislation which would ease export regulations for encryption technology and prohibit the use of a key escrow system.(216)
V. RECENT DEVELOPMENTS
Despite efforts by both Congress and various state legislatures to address the many questions posed by changing technology, a number of unresolved issues remain. Perhaps most notable is the fate of the Communications Decency Act, or CDA.(217) Signed into law on Feb. 8, 1996, as part of the Telecommunications ACt of 1 996,(218) the CDA makes it illegal to provide "indecent" or "patently offensive" material in on-line areas accessible to minors.(219) Violators face Up to two years in prison and a maximum $250,000 fine.(220) The CDA was originally targeted at on-line pornography(221) but was immediately challenged in two suits(222) by a broad coalition of businesses, librarians, and journalists who also feared prosecution.(223) The CDA was declared unconstitutional in both Philadelphia and New York district courts,(224) and the U.S. Supreme Court has agreed to review the matter during its 1996-97 term.(225)
The increasingly global nature of computer networks also continues to raise complex questions of venue, jurisdiction, and choice of laws. In U.S. v. Thomas,(226) the Sixth Circuit affirmed the conviction in Tennessee district court of the operators of a California adult bulletin board system (BBS) whose content was held to violate Tennessee obscenity standards.(227) The court held that venue was proper in Tennessee(228) and that the Thomases could be held to that state's community standards(229) given that they knowingly solicited and accepted business from Tennessee consumers.
It remains unclear, however, whether the logic of the Thomas decision also applies to prosecutions involving the Internet. Despite noting the unique difficulties in verifying users' age and identity over the Internet,(230) dicta from the Philadelphia CDA opinion nonetheless concludes that Thomas would allow for Internet prosecutions.(231)
Two civil cases, however, highlight the difficulties that courts face in applying traditional legal tests to Internet-related cases. In Bensusan v. King,(232) a New York court dismissed for lack of jurisdiction a trademark infringement suit brought by a New York nightclub owner against the owner of a Missouri club of the same name. The court held that advertising the Missouri club on the Internet's World Wide Web did not constitute sufficient minimum contacts to subject the Missouri owner to New York jurisdiction.
Faced with similar facts, a Connecticut court reached the opposite result. In Inset Systems v. Instruction Set,(233) a Connecticut district court found that soliciting business via a web site, accessible in, among other places, Connecticut, did establish sufficient contacts to give the court jurisdiction over a Massachusetts defendant. Similar to the Connecticut decision is the Sixth Circuit's opinion in CompuServe v. Patterson,(234) which held that using only the Internet to negotiate a contract with the Ohio-based CompuServe did allow for Ohio jurisdiction over a Texas defendant, even though he had never physically entered the forum state.(235)
(1.) Richard D. Marks, Security, Privacy, and Free Expression in the New World of Broadband Networks, 32 Hous. L. Rev. 501, 501-508 (1995).
(2.) National Institute of Justice, U.S. Dep't of Justice, Computer Crime: Criminal Justice Resource Manual 2 (1989) [hereinafter Criminal Justice Resource Manual]. Another broad definition of computer crimes includes any illegal act involving a computer that may be prosecuted under criminal laws. Catherine Conly, Organizing for Computer Crime Investigation and Prosecution 6 (1989). For a more detailed breakdown of the types of computer crimes, see generally David Icove et al., Computer Crime: A Crimefighters Handbook (1995).
(3.) The FBI's National Computer Crime Squad was created by the government to address the computer crime industry that may be costing up to $5 billion annually. Gordon Witkin, Wanted, in Cyberspace Hacker Crime, U.S. News & World Rep., Mar. 14, 1994, at 71. The Business Software Alliance estimated lost revenue from software piracy at $ 15 billion a year. Elizabeth Corcoran, In Hot Pursuit of Software Pirates; Industry Sends out Private Investigators to Fight $15 Billion Trade in Illicit Copying, Wash. Post, Aug. 23, 1995, at F1. See also United States v. LaMacchia, 871 F Supp. 535, 540 (D. Mass. 1994) (software piracy was costing $2.4 billion in lost revenues annually, as reported, in 1992, by the Software Publishers Association to the Subcommittee on Intellectual Property and Judicial Administration of the House Committee on the Judiciary). The cost of hacker crimes are more difficult to gauge, since many companies-particularly banks-decline to report computer intrusions for fear of losing consumer confidence. M.J. Zuckerman, Computer Crimes Surge: Companies Fear Losing Privacy, Customers Trust, USA Today, July 2, 1996, at IA. For example, a 1996 Senate survey of 500 major corporations garnered only 236 replies, but found that 58 percent of respondents reported computer break-ins during the preceeding year. Nearly 18 percent reported losing over $1 million in the attacks, and more than 66 percent suffered losses of over $50,000. Twenty-two percent of the reported attacks were attributed to industrial espionage, and 37 percent of respondents said they would only report such crimes if required by law. M.J. Zuckerman, Cybercrime against business frequent, costly, USA Today, Nov. 21, 1996, at 1A.
(4.) For example, though it caused no loss of data or lasting damage, an attack the Department of Justice computers drew considerable attention when a hacker altered the DOJ web site to display obscene and racist material. Hiawatha Bray, Obscenities Posted on Federal Web Page, Boston Globe, Aug. 18, 1996, at A 19. The Central Intelligence Agency fell victim to a similar attack the following month. Norman Kempster, CIA Shuts Internet Site After Hacker Breaks In, Defaces It, Los Angeles Times, Sept. 20, 1996, at A25.
(5.) Richard C. Hollinger & Lonn Lanza-Kanduce, The Process of Criminalization: The Case of Computer Crime Laws, 26 Criminology 101, 116-17 (1988); 10 Computer Related Crime: Analysis of Legal Pol'y 33-34 (1986); Douglas M. Reimer, Judicial and Legislative Responses to Computer Crimes, 53 Ins. Courts. J. 406, 419 (1986). According to one source, 55 percent of all computer losses are caused by human error. Twenty percent are caused by physical problems such as natural disasters and power outages. Ten percent of all losses are caused by "dishonest employees," or those who profit from their attacks, while nine percent are caused by "disgruntled employees"--presumably, those bent on merely causing harm. Viruses are said to account for four percent of losses, while only one to three percent are deemed to be caused by outside hackers. Icove, supra note 2, at 22.
(6.) One commentator has identified six motives for committing computer-related crimes where computers are subjects or objects of crime: (1) to exhibit technical prowess; (2) to highlight vulnerabilities in computer security systems; (3) to punish or retaliate; (4) to engage in computer voyeurism; (5) to assert a philosophy of open access to computer systems; and (6) to sabotage. Anne W. Branscomb, Rogue Computer Programs and Computer Rogues: Tailoring the Punishment to Fit the Crime, 16 Rutgers Computer & Tech. L.J. 1, 24-26 (1990).
(7.) Some argue that computer offenders are changing from mischievous, thrill-seeking teenagers to criminals intent on making large profits. William C. Flanagan & Brigid McMenamin, The Playground Bullies are Learning How to Type, Forbes, Dec. 21, 1992, at 184. As they move into adulthood, many hackers are marketing their skills as security consultants. Larry Lange, Trust a Hacker Over 30? You'd Better, Electronic Engineering Times, Aug. 19, 1996, at 4. By contrast, a Russian software engineer and five accomplices stole $10 million from Citibank between June and October 1994 in one of the most professional computer heists yet reported Amy Harmon, Hacking Theft of $10 Million from Citibank Revealed, L.A. Times, Aug. 19, 1995, at D1. There is also evidence that organized crime is extending its reach to high-tech came. Robert Kruger, Drugs, Guns and Counterfeit Software-Organized Crime has Entered the Counterfeit Software Business, Windows, Aug. 1, 1996, at 55; Joshua Cooper Ramo, Online Mobsters from Around the World are Wiring for the Future: Can the Cops Keep Up?, Time, Sept. 23, 1996, at 32. For a look at how law enforcement officials are attempting to crack down on the more youthful offenders, see generally Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (1992).
(8.) Criminal Justice Resource Manual, supra note 2, at 2.
(9.) Id. (describing how computer processor time and services are targeted for theft).
(10.) Id. (describing how a computer is the subject of a crime).
(11.) Id. (describing how the computer is the source of asset loss).
(12.) A computer "virus" is a program which replicates itself and spreads through a computer system or network. Viruses may be benign or destructive; some cause unexpected screen displays, delete computer files, create false information, or cripple a computer's ability to process information. Camille Cardoni Marion, Computer Viruses and the Law, 93 Dick. L. Rev. 625, 627 (1989). See also Susan M. Mello, Comment, Administering the Antidote to Computer Viruses: A Comment on United States v. Morris, 19 Rutgers Computer & Tech. L.J. 259, 259 n.4 (1993) (describing and defining computer viruses)
(13.) "Logic bombs" are destructive programs which are "detonated" by the occurrence of a specific event, such as a particular date or time See, e.g., United States v. Lauffenberger, No. 91-0594-T (S.D. Cal. 1990) (employee planted a logic bomb in his employer's computer system)
(14.) Hollinger & Lanza-Kaduce, supra note 5, at 103.
(15.) Criminal Justice Resource Manual, supra note 2, at 2.
(16.) Computer trespass, or "voyeurism," includes intentional, non-malicious, unauthorized access of computer files. Hollinger & Lanza-Kaduce, supra note 5, at 103-04.
(17.) Many traditional crimes, when committed using a computer, have been specially defined in computer-specific federal and state statutes. See infra notes 20-46 and accompanying text (federal computer statute includes offenses where computer is an instrumentality) and infra notes 146-168 and accompanying text (state statutes).
(18.) Hollinger & Lanza-Kaduce, supra note 5, at 103-04.
(19.) Pub.L. No.98-473, 98 Stat. 2190 (1984) [hereinafter the 1984 Act] (codified et 18 U.S.C. [sections] 1030(1994), amended by Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified at 18 U.S.C. [sections] 1030 (1994)). For legislative history of the 1984 Act, see H.R. Rep. No. 98-894, at 9 (1984) (indicating that difficulties in prosecuting computer-related crime arise because the property involved is intangible, making prosecution under theft and larceny statutes difficult). See also Glenn D. Baker, Note, Trespassers Will Be Prosecuted: Computer Crime in the 1990s, 12 Computer L.J.61, 63-66 (1993) (discussing background of the 1984Act) [hereinafter Trespassers Will Be Prosecuted].
For discussion of federal prosecution of computer crimes prior to 1984, see Note, Addressing the Hazards of the New High Technology Workplace, 104 Harv. L. Rev. 1898, 1900-01 (1991) (discussing inadequacies of prosecuting computer-related crime under traditional criminal statutes). See also John Montgomery, Note, Computer Crime: White-Collar Crime Fourth Survey of Legal Substantive Crimes, 24 Am. Crim. L. Rev. 429, 430-432 (1987) (review of pre-1984 federal prosecution of computer-related crime).
(20.) For an analysis of problems with enforcing computer-crime laws and an argument for alternatives to ex post criminalization of computer crimes, see generally Michael P. Dierks, Computer Network Abuse, 6 Harv. J.L. & Tech. 307 (1993) (suggesting that the "invisible hand" of the market for computer security equipment will determine efficient levels of spending on preventative measures to ensure against computer abuse); Gene Barton, Taking a Byte Out of Crime: E-Mail Harassment and the Inefficacy of Existing Law, 70 Wash. L. Rev. 465 (1995) (outlining the shortcomings of existing laws attempting to combat computer harrassment).
(21.) See Marks, supra note 1, at 503-504 (advances in computer technology inevitably allow users to develop new techniques to outstrip patchwork computer legislation); See also Dodd S. Griffith, Note, The Computer Fraud and Abuse Act of 1986: A Measured Response to a Growing Problem, 43 Vand. L. Rev. 453, 482-83 (1990) (drafting legislation is difficult because of a lack of concrete knowledge about the problem) (hereinafter A Measured Response).
(22.) 18 U.S.C. [sections] 1030 (1994). See also Griffith, supra note 21, at 483-84 (Computer Fraud and Abuse Act of 1986 sought to increase deterrence of computer crimes affecting compelling federal interests by tightening statutory language and modifying the elements of existing offenses).
(23.) 18 U.S.C. [sections] 1030 (1994) [hereinafter the " 1994 Act"].
(24.) For a critique of the 1986 Act's limited utility, see Michael Todd Friedman, The Misuse of Electronically Transferred Confidential Information in Interstate Commerce: How Well Do Our Present Laws Address the Issue?, 4 Software L.J. 529, 548 n.107 (1991). See also A Measured Response, supra note 21, at 455-456 (describing criticism leading to 1986 amendment).
The 1994 Act attempted to strengthen and clarify the 1984 Act. Friedman, supra note 24, at 548 n.107. See United States v. Morris, 928 F.2d 504, 507-510 (2d Cir. 1991) (outlining changes made in 1986 amendments and analyzing legislative history to determine appropriate interpretation of those changes).
(25.) 18 U.S.C. [sections] 1030.
(26.) A "computer" is defined as:
an electronic, magnetic, optical, electrochemical, or other high speed
data processing device performing logical, arithmetic, or storage
functions, and includes any data storage facility or
communications facility directly related to or operating in conjunction
with such device, but such term does not include an automated typewriter or
typesetter, a portable hand held calculator, or other similar device.
18 U.S.C. [sections] 1030(e)(2) (1994). "Federal interest computer" is defined as:
a computer exclusively for the use of a financial institution or the United
States Government, or, in the case of a computer not exclusively for such
use, used by or for a financial institution or the United States Government
and the conduct constituting the offense affects the use of the financial
institution's operation or the Government's operation of such computer; or
which is one of two or more computers used in committing the offense, not
all of which are located in the same State.
Id. See also Morris, 928 F.2d at 507 (extending the interpretation of federal interest computers to include many privately owned computers); United States v. Fernandez, No. 92-CR-563, 1993 WL 88197 (S.D.N.Y. Mar. 25, 1993) (rejecting the argument that the words "used in committing the offense" in [sections] 1030(e)(2)(B) are unconstitutionally vague because they describe the crime through reference to the offense itself and stating that "Federal interest computer" relates only to the federal courts jurisdiction).
(27.) 18 U.S.C. [sections] 1030(a)(1)-(6) (1994).
(28.) 18 U.S.C. [sections] 1030(a)(1) (1994).
(29.) 18 U.S.C. [sections] 1030(a)(2) (1994). A "financial record" is defined as "information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution." 18 U.S.C. [sections] 1030(e)(5) (1994).
"Financial institution" is defined as:
(A) an institution with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act.
18 U.S.C. [sections] 1030(e)(4) (1994).
(30.) "[A]dversely" was added to the 1986 Act.
(31.) 18 U.S.C. [sections] 1030(a)(3) (1994).
(32.) 18 U.S.C. [sections] 1030(a)(4) (1994). "[E]xceed[ing] authorized access" is defined as: access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. 18 U.S.C. [sections] 1030(e)(6) (1994).
(33.) See United States v. Morris, 928 F.2d 504, 506 (2d Cir. 1991) (determining that "intentionally" modifies "access[ing] a federal interest computer" and not preventing others from using it, and thus causing a loss); United States v. Sablan, 92 F.3d 865 (9th Cir. 1996) (ruling that the government is not required to prove intentional damage but only intentional access to a computer without authorization).
(34.) 18 U.S.C. [sections] 1030(a)(5) (1994). However, it is unclear whether there is a loss if malevolent software, such as a virus, does not destroy files, but simply overloads the network, thus slowing down processing speed or using up some of a system's underutilized capacity.
Some of these questions may have been answered in Morris, 928 F.2d at 506, where the court "accepted the government's view that 1986 amendments to the [Computer Fraud and Abuse Act] eliminated any distinction between a break-in that damages files or steals money and what Morris was found guilty of, intentional unauthorized access that prevented authorized use." Harold L. Burstyn, Computer Whiz Guilty,, 76 A.B.A. J. 20 (1990). See also United States v. Sablan, 92 F.3d 865, 865 (9th Cir. 1996)(the government does not have to prove intentional damage to a computer file but only intentional access without authorization).
(35.) Compare the 1994 Act (amending [sections] 1030(a)(5) to apply to " [whoever] through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information code or command to a computer or computer system . . . .") with the 1986Act ([sections] 1030(a)(5) read "[whoever] . . . accesses a Federal interest computer . . . and . . . alters. damages or destroys information in any such computer. . . ."). (36.) Compare the 1994 Act (amending [sections] 1030(a)(5) to apply to "[whomever] through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information code or command to a computer or computer system . . . .") with the 1986 Act ([sections] 1030(a)(5) read "[whoever] intentionally accesses a Federal interest computer without authorization . . . .").
(37.) See American Computer Trust Leasing v. Jack Farrell Implement Co., 763 F.Supp. 1473, 1500 (D. Minn. 1991) (where access to information authorized, ECPA claim failed).
(38.) 18 U.S.C. [sections] 1030(a)(5)(B)(i) (1994). This provision extends liability to whoever, through an interstate computer, knowingly transmits a code or command with reckless disregard of a substantial and unjustifiable risk that the transmission will cause damage to or deny access to a computer or computer system. Id.
(39.) See Bradley S. Davis, Note, It's Virus Season Again, Has Your Computer Been Vaccinated? A Survey of Computer Crime Legislation as a Response to Malevolent Software, 72 WASH. U. L.Q. 411, 438-440 (1994) (discussing application of the 1994 Act in its then-proposed form to creators of computer viruses).
(40.) 18 U.S.C. [sections] 1030(a)(6) (1994).
(41.) 18 U.S.C. [sections] 1030(c)(3)(A) (1994).
(42.) 18 U.S.C. [sections] 1030(c)(3)(B) (1994).
(43.) The 1994 Act adds 18 U.S.C. [sections] 1 030(g), which provides as follows:
Any person who suffers damage or loss by reason of a violation
of the section, other than a violation of subsection (a)(5)(B) [reckless
conduct], may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief.
Damages for violations of any subsection other than subsection
(a)(5)(A)(ii)(II)(bb) [intentional modification or impairment of medical
records] or (a)(5)(B)(ii)(II)(bb) [reckless modification or impairment
of medical records] are limited to economic damages. No action may be
brought under this subsection unless such action is begun within 2 years
of the date of the act complained of or the date of the discovery of the
290001(d), 108 Stat. at 2098. There is no civil remedy for reckless conduct which causes loss. However, if the amendment is to be read that no civil action may be maintained against a violator of subsection (a)(5)(B), it is unclear why damages for violations of subsection (a)(5)(B)(ii)(II)(bb) may include more than economic damages.
(44.) 18 U.S.C. [sections] 1030(a)(3) (1994).
(45.) 18 U.S.C. [sections] 1030(b) (1994).
(46.) 18 U.S.C. [sections] 1030(d) (1994).
(47.) See 18 U.S.C.A. [sections] 1030 (a)(6)(A) (limiting the statute's reach to any computer accessed without authorization which affects interstate or foreign commerce or any computer used by or for the United States Government).
(49.) 18 U.S.C.A [sections] 1030(a)(5)(1994).
(50.) 928 F.2d 504 (2d Cir. 1991).
(51.) Moms was prosecuted for releasing a "worm" into a computer network which spread to thousands of other computers and prevented access by duplicating itself so many times that the computer crashed. Id. at 505-06. He argued that under [sections]1030(a)(5) of the 1986 Act, the government was required to prove not only that he intended unauthorized access to a federal interest computer, but also that he intended to prevent others from accessing the federal interest computer. Since he possessed authorized access to the computer, he argued that he could not be prosecuted under the statute because his only wrong was to exceed the scope of his authorization. Id. at 511. The Second Circuit, based on its reading of the legislative history, rejected this argument. The court found that the drafters of the Act, cognizant that people with authorized access to a federal interest computer might try to gain unauthorized access to other federal interest computers, did not intend for authorization for some federal interest computers to constitute authorization for all federal interest computers. Id. Thus, the statute applied to Morris, although the court noted that this defense was not categorically invalid, since a situation could arise which "falls within a nebulous area in which the line between accessing [a computer] without authorization and exceeding authorization might not be clear." Id.
(52.) Since the 1986 Act required that the defendant illegally access a computer, it did not reach this activity. Id. See Davis, supra note 39, at 438-440 (discussing application of the 1994 Act in its then-proposed form to creators of computer viruses).
(53.) The court in Morris stated that the worm affected computers at "numerous installations" and that fixing the problem cost anywhere from $200 to $53,000.928 F.2d at 506.
(54.) 92 F.3d 865 (9th Cir. 1996).
(55.) Id at 869-870.
(56.) See Michael C. Gemignani, Viruses and Criminal Law, 32 Communications of the ACM 669 (1991) (discussing loopholes in the federal Computer Fraud and Abuse Act).
In one instance, a defense based solely on questioning the method for determining losses proved successful. In 1990, a college student faced up to sixty years in prison and a fine of up to $ 122,000 in connection with charges that he published a purloined electronic memo about a telephone company's 911 system. Rosalind Resnick, The Outer Limits, Nat'l L.J., Sept. 16, 1991, at 32. The telephone company, by factoring in hardware expenses, software expenses, and administrative costs, valued the file at $79,000. Dispute Over Hacked Bell South 911 Document Lingers in Texas Case, Comm. Daily, Sept. 9, 1991, at 2. Later, after it emerged that the same information that was in the memo was available to the public in non-computerized form for about twenty dollars, the charges were dropped. Id.
(57.) Morris, 928 F.2d at 507. Morris argued that he had no intent to create a virus which would harm computer networks; he only intended to create a program which would spread innocuously through the network to many computers. Id. His experiment went awry, however, when the program began to duplicate itself uncontrollably, crashing thousands of computers. Student Tells How "Worm " Went Wild, L.A. Times, Jan. 19, 1990, at A4.
(58.) Morris, 928 F.2d at 507.
(59.) 92 F.3d 865 (9th Cir. 1996).
(60.) 18 U.S.C. [sections] 1030(a)(5)(B)(i) (1994).
(61.) United States Sentencing Commission, Computer Fraud Working Group, Report Summary: Summary of Findings at 3 (1993) (hereinafter "Report Summary) (suggesting that while the prosecution of computer fraud and abuse continues under traditional statutes that are sufficiently generic to apply to many computer-related offenses, there are some offenses that are unique to computers and, therefore, require prosecution under an act specific to computer operation and related activity).
(62.) For additional perspectives on prosecution under other statutes, see generally Trespassers Will Be Prosecuted, supra note 19 (discussing application of federal statutes other than the 1986 Act to computer crimes).
(63.) Stanley S. Arkin et al., Prevention and Prosecution of Computer and Technology Crime, 3-20 (1991). For an analysis of how some statutes might be applied to computer crimes, see also Stephen Fishbein, What Victims of Computer Crime Should Know and Do, N.Y. L.J., Nov. 12, 1993, at 1.
(64.) Copyright Infringement Act, 17 U.S.C. [sections] 506(a) (1994). See generally Intellectual Property article in this issue. For a historical overview of the development of criminal copyright law through 1992, see United States v. LaMacchia, 871 F.Supp. 535, 538-540 (D. Mass. 1994).
(65.) 17 U.S.C. [sections] 506(a). While Title 17 defines criminal copyright infringement for financial gain, prosecution of the actual piracy of copyrighted works is governed by 18 U.S.C. [sections] 2319 (1994). Mary I. Saunders, Criminal Copyright Infringement and the Copyright Felony Act, 71 Deny. U. L. Rev. 671 (1994) (examining nature of copyright protection and the offense of criminal copyright infringement as defined by the Copyright Felony Act of 1992).
(66.) To prove the first element of copyright infringement, the prosecution must show (1) the existence of a valid copyright, and (2) that the defendant copied original elements of copyrighted work. Montgomery County Ass'n of Realtors, Inc. v. Realty Photo Master Corp., 878 F. Supp. 804, 810 (D. Md. 1995) (holding that while Realtors' association's computerized database is entitled to copyright protection because it contained their marketing "puffery," it is question of fact to determine if defendant's downloading of database qualifies as unauthorized copying); see also Feist Publications, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 345 (1991) (determining that a mere alphabetical listing of information in telephone directory does not possess at least a minimal degree of creativity, and, thus, does not qualify for copyright protection); but see CCC Info. Servs. v. Maclean Hunter Market Reports, 44 F.3d 61 (2d Cir. 1994) (explaining that the standard of originality in the selection and arrangement of information to achieve copyright protection required by Feist is low); see also Charles Von Simson, Feist or Famine: American Database Copyright as an Economic Model for the European Union, 20 Brook. J. Int'l L.729 (1995) (noting that circuit courts are split interpreting Feist).
(67.) See United States v. LaMacchia, 871 F. Supp. 535, 536, 541 (D. Mass. 1994) (holding that although defendant's usage of bulletin board to facilitate copying of copyrighted computer software caused an estimated loss of one million dollars, government cannot prosecute under criminal computer copyright infringement if it cannot show that defendant sought or derived personal benefit). See also Susan H. Nycum, International Issues of Data Protection and Data Providing in the Online Environment, 444 PLI/Pat 367 (1996) (explaining that following LaMacchia, Congress is considering legislation to criminalize the willful infringement of a copyright by reproducing or distributing copies with a $5,000 or more retail value).
(68.) 18 U.S.C. [sections] 2314 (1994). See generally Intellectual Property Crimes article in this issue.
(69.) 18 U.S.C. [sections] 2314 (1994).
(70.) See United States v. Jones, 553 F.2d 351, 356 (4th Cir. 1977) (holding that fraudulent diversion of funds by computer violates National Stolen Property Act).
(71.) LaMacchia, 871 F.Supp. at 536-538 (using computer bulletin board to copy copyrighted computer software does not involve "physical taking" and, thus, cannot be prosecuted under Stolen Property Act); see, e.g., United States v. Wang, 898 F.Supp. 758, 760 (D. Colo. 1995) (holding that a computer program does not qualify as "goods, wares, merchandise, securities or money" for purposes of National Stolen Property Act); United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991) (concluding that computer program in source code form is not tangible item and, thus, did not constitute "goods" or "wares" under National Stolen Property Act).
(72.) See United States v. Lyons, 992 F.2d 1029, 1033 (10th Cir. 1993) (rejecting defendant's claim that Brown precludes consideration of the value of stolen software in determining sentencing under the National Stolen Property Act).
(73.) 18 U.S.C. [subsections] 1341, 1343 (1994). See generally MA[L AND WIRE FRAUD article in this issue.
(74.) 18 U.S.C. [subsections] 1341, 1343 (1994).
(75.) Arkin, supra note 63, at 3-77.
(76.) United States v. Briscoe, 65 F.3d 576 (7th Cir. 1995) (holding that fraudulent transfer of funds through computer system violates wire fraud statute); United States v. Gaind, 31 F.3d 73, 75 (2d Cir. 1994) (finding that government contractor altered computer clocks to "backdate" reports to the Environmental Protection Agency to falsely represent that tests had been completed within specified period, constituting a violation of the wire fraud statute); Mid Atlantic Telecom, Inc. v. Long Distance Servs., Inc., 18 F.3d 260 (4th Cir. 1994) (civil action under RICO based on violations of [subsections] 1341 and 1343 where reseller of long distance telephone service used computer program to randomly add minutes to calls of customers), cent denied, 115 S. Ct. 323 (1994); United States v. Seidlitz, 589 F.2d 152, 155 (4th Cir. 1978) (former employee's unauthorized attempt to access computer to obtain company property violated wire fraud statute); United States v. Slusher, 1995 WL 417077 (S.D.N.Y. July 13, 1995) (determining that exchange of DMV license approval for bribes through DMV's computer terminals constitutes violation of wire fraud statute); United States v. Upton, 856 F. Supp.727, 733 (E.D.N.Y 1994) (finding that defendants falsified computer transactions regarding airplane maintenance).
Additionally, to convict under the wire fraud statute, the interstate communication must be forseeable. United States v. Brumley, 59 F.3d 517, 521-522 (5th Cir. 1995) (Western Union's interstate transfer of funds resulting from defendant's request to transfer to destination within his state not forseeable, and thus defendant not liable under wire fraud statute).
(77.) 18 U.S.C. [sections] 1346 (1994); see also Arkin, supra note 63, at 3-33 (intangible property is covered by federal mail and fraud statutes).
(78.) See United States v. Wang, 898 F. Supp. 758, 759 (D. Colo. 1995) (denying motion to dismiss charge of wire fraud because computer program, while intangible, is still property, and therefore may possibly be prosecuted under both copyright act and wire fraud statute); but see LaMacchia, 871 F. Supp at 535, 540-544 (allowing motion to dismiss wire fraud charge that was based on use of computer billboard to facilitate illegal copying of copyrighted computer software partially because no plain congressional intent found for wire fraud statute to reach copyrighted material).
(79.) 18 U.S.C. [subsections] 2510-2521, 2701-2710 (1994).
(80.) 18 U.S.C. [subsections] 2510-2521 (1994).
(81.) 18 U.S.C. [sections] 2511(1)(e) (1994). It is not always clear which provisions of the ECPA cover electronic communication such as electronic mail, which is both transmitted and stored. See Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457, 458 (5th Cir. 1994) (holding that government seizure of a computer used to operate an electronic bulletin board, and containing private electronic mail that had been sent to (stored on) the bulletin board but not read (retrieved) by the intended recipient, was not an "interception" under [sections] 2510 of the ECPA).
(82.) 18 U.S.C. [sections] 2701.
(83.) See Steve Jackson Games, 816 F. Supp. at 442 (holding that affidavit supporting warrant to seize information from computer bulletin board was inadequate under 18 U.S.C. [sections] 2703(d)), aff'd, 36 F.3d 457 (5th Cir. 1994).
(84.) 18 U.S.C. [sections] 2510(1) (1994).
(85.) 18 U.S.C. [sections] 2516 (1994). See United States v. McNulty, 47 F.3d 100, 102-103 (4th Cir. 1995) (holding that conversations on cordless telephone are not communications protected by ECPA, and, thus, are open to warrantless police monitoring); United States v. Fregoso, 60 F.3d 1314, 1320 (8th Cir. 1995) (holding that caller identification service decoding electronic impulses to display telephone number of receiving call was not protected by ECPA [subsections] 2510-2522). For a discussion on the conflict between protecting data privacy while allowing for police monitoring of that data for enforcement and national security reasons, see Marks, supra note I (noting that advances in computer technology inevitably allow users to develop new techniques to outstrip patchwork computer legislation). See also Arkin, supra note 63, at 9-11.
(86.) See United States v. Crawford, 52 F.3d 1303, 1309-1310 (5th Cir. 1995) (determining that the manufacture or sale of devices for unauthorized interception of cable television signals violates ECPA); see also United States v. Chick, 61 F.3d 682, 687-688 (9th Cir. 1995) (selling illegaly modified satellite descramblers can be prosecuted under ECPA [sections] 2512); United States v. One Macom Video Cipher 11, 985 F.2d 258, 261 (6th Cir. 1993) (holding that neither [sections] 2111 nor [sections] 2512 of the ECPA nor 47 U.S.C. [sections] 605 exclude modification of satellite descramblers from coverage); United States v. Harrell, 983 F.2d 36,37-38 (5th Cir. 1993) (stating that ECPA applies to modified satellite descramblers); United States v. Davis, 978 F.2d 415, 417-418 (8th Cir. 1992) (overruling United States v. Hux, 940 F.2d 314 (8th Cir. 1991), with respect to its holding that manufacture of satellite descrambler was not a violation of [sections] 2512(1)(b)).
(87.) See Brown v. Waddell, 50 F.3d 285, 294 (4th Cir. 1995) (holding that police officer's use of clone pagers to intercept numeric transmissions received on digital display pagers violates electronic communications privacy act); Organizacion JD LTDA v. U.S. Dept. of Justice, 18 F.3d 91, 94-95 (2d Cir. 1994) (per curiam) (holding that governmental "entities" are subject to liability under [sections] 2707(a) and remanding where appellants were intended recipients of electronic fund transfers that were seized by DEA agents as proceeds of illegal money-laundering and narcotics transactions), cert. denied, 114 S. Ct. 2679 (1994); see also United States v. Daccarett, 6 F.3d 37, 54 (2d Cir. 1993) (related case arising under the same facts holding that seizures of EFTs were not "interceptions" under the ECPA because no "device" was used, as required by 18 U.S.C. [sections] 2510(4)), cert. denied 114 S. Ct. 1294 (1994); but see Tucker v. Waddell, 83 F.3d 688 (4th Cir. 1996) (stating that the Act does not authorize a civil suit against a government entity for improperly obtaining a customer's records).
(88.) 110 Stat.56, Pub. L. 104-104, February 8, 1996.
(89.) See American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E.D. Penn. 1996) (granting a preliminary injunction because prohibiting transmission of obscene or indecent communications via a telecommunications device or patently offensive communications via an interactive computer service to a person under 18 violates the First Amendment, and the terms "indecent" and "patently offensive" are so vague as to violate the free speech and due process clauses); see also Shea v. Reno, 930 F.Supp. 916 (S.D.N.Y. 1996) (granting a preliminary injunction because criminalizing the use of an interactive computer service to send or display patently offensive materials, although not too vague, is unconstitutionally overbroad).
(90.) See Joseph B. Thompkins, Jr. & Frederick S. Ansell, Computer Crime: Keeping Up with High Tech Criminals, 1 Crim. Just. 30, 32 (1987) (discussing United States v. Fadriquela, No. 85-CR-40 (D. Colo. 1985)).
(91.) Report Summary, supra note 60, at 3; see, e.g., United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991) (upholding defendant's conviction under [sections] 1030(a)(5) for introducing a "worm" into the federal Internet computer network, jamming up to 6,000 federal and federal interest computers across the country).
(92.) Report Summary, supra note 61, at 3-4.
(93.) See Gray H. Anthes, Federal Computer Crime Czar Speaks Out, Computerworld, May 22, 1995, at 56 (chief of Computer Crime Unit in Criminal Division of Justice Department, Scott Charney, discusses methods of improving enforcement of computer crime laws); Chris Nerney, Failure to Report Break-Ins Offers License to Hack, Network World, Aug. 12, 1996, at 1 (giving reasons for failure to report computer break-ins). One commentator has suggested that the Computer Fraud and Abuse Act be amended to require businesses and others to report computer crimes committed against them. In addition, a provision allowing civil remedies and restitution, as adopted in the 1994 Act, would provide additional incentives for victims to report computer crimes. A Measured Response, supra note 21, at 487-89. See also S. 8, 103d Cong., 1st Sess. (1993) (proposing civil remedies in computer crime cases); H.R. 2847, 103d Cong., 1st Sess. (1993) (providing civil remedies for federal computer offenses under 1986 Act).
(94.) See infra notes 146-168 and accompanying text (summary of state computer crime statutes).
(95.) Gene Barton, Taking a Byte out of Crime: E-Mail Harassment and the Inefficacy of Existing Law, 70 WASH. L. REV. 465, 469 (1995).
(96.) See Howard S. Dakoff, Note, The Clipper Chip Proposal: Deciphering the Unfounded Fears That Are Wrongfully Derailing Its Implementation, 29 J. Marshall L. Rev. 475 (1996) (arguing that security concerns warrant the implementation of key-escrow encryption technology, which includes keys providing for government deciphering); Cf. Henry R. King, Note, Big Brother, The Holding Company: A Review of Key-Escrow Encryption Technology, 21 Rutgers Computer & Tech. L.J. 224 (1995) (arguing that government controlled key-escrow proposals should not be implemented).
(97.) See M.A. Stapleton, As Hacker Ranks Grow, Justice Department Aims to Take a Byte Out of Crime, Chi. Daily Law Bull., May 15, 1996, at I (reporting Department of Justice response to increased incidents of computer crime). For a profile of some prominent cases involving the Internet, see Michael Meyer & Anne Underwood, Crimes of the `Net', Newsweek, Nov. 14, 1994, at 46. In the largest enforcement action to date, "Operation Sundevil," the Department of Justice and the Secret Service launched a nationwide crackdown on telephone and credit card fraud involving stolen card numbers and customer access codes from national telephone and credit card computer networks. See Marc Rotenberg, Let's Look Before We Legislate, Computerworld, Oct. 21, 1991, at 25 (identifying problems with the U.S. Justice Department's proposed amendments to federal computer crime laws); Mark Lewyn & Evan I. Schwartz, Why `The Legion of Doom' Has Little Fear of the Feds, Bus. Week, Apr. 15, 1991, at 31 (describing setbacks in indicting suspects identified through "Operation Sundevil"). The investigation covered 14 cities and resulted in the seizure of some 23,000 computer disks. The first conviction in this case did not come until February, 1992, when a suspect pleaded guilty to possession of illegal telephone access codes. No other indictments were obtained because of the difficulty of successfully prosecuting computer cases. Michael Alexander, Operation Sundevil Nabs First Suspect; Defendant Pleads Guilty To Possession of Access Codes, Faces 10-Year Term, Computerworld, Feb. 17, 1992, at 15.
Law enforcement officers also faced problems in Steve Jackson Games, Inc. v United States Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994). The district court found that the officers' zeal exceeded their statutory authority when they seized documents and information from the company. The officers also failed to promptly return information protected by the Stored Wired and Electronic Communications and Transactional Records Access Act, 18 U.S.C. [subsections] 2701-11. Id. at 443 n.7. The company successfully sued the Secret Service, recovering expenses and economic damages. Id. at 438.
(98.) For a list of well known hackers see Cyberblotter The Internet's Most Wanted, Pittsburgh Post-Gazette, July 25, 1995, at C4. In one of the most celebrated on-line criminal cases to date, prosecutors arrested Kevin Mitnick for allegedly raiding corporate computer systems and stealing 20,000 credit card numbers over a two-year period. Although he was initially charged with 23 counts of computer fraud, all but one were dropped. He pled guilty to illegally possessing 15 telephone numbers to access computer systems and agreed to serve eight months in jail. Computer Hacker Agrees to Plea Bargain, WASH. POST, July 2, 1995, at A7; Bruce Haring, Computer Hacker's Biggest Backer, USA Today, Sept. 14, 1995, at D8.
A more recent arrest occurred on September 11, 1995, where 6 computer hackers were charged with stealing credit card numbers and cellular phone accounts. Their arrests, and the seizure of 20 computer systems, were the result of an eight-month sting operation set up by the U.S. Secret Service. Jeffrey Gold, Secret Service Nabs On-Line Data Thieves, WASH. POST, Sept. 12, 1995, at D2.
An employee of MCI Communications Corp., known as "Knight Shadow," was sentenced to three years and two months in prison for stealing more than 50,000 telephone calling-card numbers that were eventually sold in the United States and Europe and were used to make more than $28 million worth of phone calls, many of them to computer bulletin boards. Hackers Sentenced in Telephone Fraud, Chi. Trib., Mar. 26, 1995, at A 12; Jeri Rowe, N.C. Man Laments Calling Card Scam on His Way to Prison, Greensboro News & Rec., Apr. 30, 1995, at B1.
Two members of a computer-based conspiracy to win radio contest prizes that included new cars and trips to Hawaii were convicted in 1994. "Dark Dante," who led the conspiracy, pled guilty to single counts of conspiracy, computer fraud, mail fraud, obstructing justice and money laundering, and two counts of intercepting a wire communication. Guilty Plea Entered in Radio Contest Conspiracy, L.A. Times, June IS, 1994, at B2. The second member, known as "Agent Steal," was re-arrested after absconding prior to being sentenced for his computer crimes. He was sentenced in November, 1995, to serve 41 months in a federal prison. Leslie Berger, Computer Hacker Who Jumped Bail Gets 41 Months, L.A. Times, Nov. 28, 1995, at B5.
Another well-known hacker who was arrested and convicted of computer crimes in 1988, "Condor," is the subject of an FBI investigation for unauthorized entry into Pacific Bell Telephone Co. computers. John Johnson & Julie Tamaki, Authorities Again Seek Legendary Hacker, L.A. Times, July 10, 1994, at B1.
(99.) See United States v. LaMacchia, 871 F. Supp 535, 545 (D. Mass. 1994) (prosecutors failed to prove breach of fiduciary duty essential for wire fraud conviction, and failed to prove defendant benefited from venture essential for copyright infringement conviction).
While the defendant in LaMacchia apparently did not attempt to sell copyrighted software, others have. "One of the first successful criminal prosecutions involving network software copyright infringement" involved an individual who sold illegal copies of Novell's NetWare network operating system. Bob Brown, Novell Helps Feds Win Case Against Copyright Violator, Network World, April 27, 1992, at 25; see also Barbara Carton, Man Charged in Software Piracy, BOSTON GLOBE, Sept. 1, 1994, at Econ. 41 (man charged with conspiracy and criminal copyright infringement for allegedly distributing copyrighted software to his bulletin board subscribers).
(100.) See United States v. Thomas, 74 F.3d 701 (6th Cir. 1996) (upholding conviction in Western District of Tennessee under federal obscenity laws of couple who operated a computer bulletin board from their home in California); United States v. Kimbrough, 69 F.3d 723 (5th Cir. 1995) (upholding conviction for receipt and possession of child pornography obtained from computer bulletin board); United States v. Chapman, 60 F.3d 894 (1st Cir. 1995) (holding computer transmission of child pornography is not sexual exploitation of a minor for the purpose of sentencing).
In September 1995, the Justice Department revealed that the 12 arrests it made in the spring, along with the 125 searches of suspects' homes nationwide, were the result of operation "Innocent Images," a two-year FBI investigation of America Online, the nation's largest commercial computer network. The FBI found that America Online was being used to distribute child pornography and lure minors into sex acts. Jon Jeter, FBI Agents Posed as Teenagers in On-Line Child Porn Inquiry, Wash. Post, Sept. 15, 1995, at A3.
A raid also occurred in June 1995, where authorities targeted not only purveyors of pornography, but also more than 100 individuals for allegedly downloading pornographic images of children through America Online. Steven Levy, No Place for Kids? A Parent's Guide to Sex on the Net, Newsweek, July 3, 1995, at 47. See also United States v. Maxwell, 42 M.J. 568, 580 (A.F. Ct. Crim. App. 1995) (defendant convicted of using personal computer to transport pornographic materials).
A college student who posted an electronic message on the Internet describing rape and torture of a fellow student was arrested for transmitting threats across state lines. The dismissal of the case by the district court has been appealed to the U.S. Court of Appeals for the Sixth Circuit. John Nolan, Reinstated Charges Sought Against Man in E-mail Torture Case, The Plain Dealer (Cleveland), Aug. 17, 1996, at 5B (discussing appeal of United States v. Baker, 890 F. Supp. 1375 (E.D.Mich. 1995)).
As with other computer-related crimes, encryption technology has also hindered detection of child pornography consumers. In 1994, a child molester stored his victims' names in an encrypted computer file, thereby thwarting police officials' efforts to identify them. See Steven Levy, Battle of the Clipper Chip, N.Y. Times Mag., June 12, 1994, at 6.
(101.) See Barton, supra note 95. See, e.g., Rajiv Chandrasekaran, Undercover on the Dark Side of Cyberspace, Wash. Post, Jan. 2, 1996, at D1 ("Innocent Images" investigation produces arrests for solicitation of minors after suspects arranged sexual meetings with FBI agent posing as minors on a on-line service); Computer Pedophile Link Feared, Newsday, Oct. 7, 1994 at A5 (pedophiles use computer bulletin boards to meet victims); Sandy Rovner, Molesting Children by Computer, Wash. Post, Aug. 2, 1994, at Z15 (minors give out information on bulletin boards that makes them vulnerable to assault).
(102.) Michael Alexander, Justice Revs Up Battle on Computer Crime, Computerworld, Oct. 7, 1991, at 4.
(103.) See United States v. Brady, 13 F.3d 334, 337 (10th Cir. 1993) (altered cellular telephones for purposes of free riding on the cellular telephone system are not "access devices" within the meaning of 18 U.S.C. [sections] 1029(a)); United States v. Sykes, 4 F.3d 697, 698 (8th Cir. 1993) (defendant pled guilty to computer access fraud under 18 U.S.C. [sections] 1030(a)(4) for unauthorized use of an automatic teller machine).
(104.) H.R. Conf. Rep. No. 711, 103d Cong., 2d Sess. [sections] 330016 (1994), reprinted in 1994 U.S.C.C.A.N. 1839 (removing outmoded fines from 18 U.S.C. [subsections] 1030, 1341, 1343, 2314, 2314, 2511 (1994)).
(105.) 18 U.S.C. [sections] 1030(c) (1994).
(106.) U.S. Guidelines Manual (hereafter U.S.S.G.) App. A (Nov. 1994). See also U.S.S.G. Ch. 3 (setting forth criteria for upward and downward adjustments of offense levels).
(107.) 18 U.S.C. [sections] 1030(a)(1) (1994). The Guidelines set the base offense level for [sections] 1030(a)(1) at 35 if the information is top secret, and at 30 for all other information. U.S.S.G. [sections] 2M3.2(a).
(108.) 18 U.S.C. [sections] 1030(a)(2)-(6) (1994). The base offense level for a violation of [sections] 1030(a)(2)-(6) is dependent on the value of the loss suffered. U.S.S.G. [sections] 2F1.1. For a complete explanation of the application of [sections] 2F1.1, see the Mail and Wire Fraud article in this issue. See, e.g., United States v. Sykes, 4 F.3d 697, 698 (8th Cir. 1993) (per curiam) (upheld sentence of 27 months for conviction for stolen checks and computer fraud violation of [subsections] 1030(a)(4)(b) and (c)(3)(a) involving an automatic teller machine); United States v. Lewis, 883 F.2d 76 (6th Cir. 1989) (sentence of two years imprisonment imposed for a violation of [sections] 1030(a)(4)).
(109.) 18 U.S.C. [sections] 1030(b) (1994). Defendants convicted of [sections] 1030(b) violations receive a base offense level from the guideline for the substantive offense, plus any adjustments from such guideline that can be established as reasonably applicable. U.S.S.G. [sections] 2X1.1(a) Additionally, [sections] 2X1.1(b) delineates possible reductions in the base offense level.
(110.) But see, e.g., United States v. DeMonte, 25 F.3d 343, 349 (6th Cir. 1994) (affirming justification for downward departure from sentencing guidelines for computer fraud where defendant had exhibited an extraordinary level of cooperation); United States v. Riggs, 967 F.2d 561, 563 (11th Cir. 1992) (departing upward from sentencing guideline for violation of [sections] 1030 and requiring period of supervised use of computers, where the defendant had previously committed similar crimes).
(111.) 18 U.S.C. [sections] 2319 (1994).
(112.) 18 U.S.C. [sections] 2319(b)(1)-(3) (1994).
(113.) 18 U.S.C. [sections] 2319(b)(1). See U.S.S.G. [sections] 2B5.3. The ten copies can represent an infringement of one copyrighted work, or an aggregation of different works of authorship. H.R. Rep. No. 997, 102d Cong., 2d Sess. 4 (1992), reprinted in 1992 U.S.C.C.A.N. 3569,3572.
(114.) U.S.S.G. App. A. See, e.g., United States v. Hicks, 46 F.3d 1128 (4th Cir. 1995) (unpublished disposition) (upheld calculation of loss under the Guidelines to apply a sentence of three years' probation, a $40,000 fine and restitution for a copyright infringement of satellite decryption systems); United States v. Larracuente, 952 F.2d 672, 674-75 (2d Cir.1992) (affirming sentencing for criminal copyright infringement based on retail price of films used by defendant to create "bootleg" videotapes).
(115.) U.S.S.G. [sections] 2B5.3(a).
(116.) U.S.S.G. [sections] 2B5.3(b)(1).
(117.) 18 U.S.C. [sections] 2314 (1994). See United States v. Pierro, 32 F.3d 611, 620 (1st Cir. 1994) (affirming lower court's ruling that a downward departure from the sentencing guidelines was unwarranted because defendant's theft and interstate resale of stolen computer components fell clearly within [sections] 2314 and guideline provisions).
(118.) U.S.S.G. App. A.
(119.) U.S.S.G. [sections] 2B1.1.
(120.) U.S.S.G. [sections] 2B1.1(b).
(121.) U.S.S.G. [sections] 2B1.1(b)(5)(A).
(122.) U.S.S.G. [sections] 2B1.1(b)(5)(B).
(123.) 18 U.S.C. [subsections] 1341, 1343 (1994).
(125.) U.S.S.G. App. A.
(126.) U.S.S.G. [subsections] 2C1.7, 2F1.1. See, e.g., United States v. ReBrook, 58 F.3d 961, 969 (4th Cir. 1995) (upholding increase in offense level according to [sections] 2C1.7 (b)(1)(B) for wire fraud conviction regarding video lottery systems as defendant was an official holding a high-level decision-making or sensitive position); United States v. Catalfo, 64 F.3d 1070 (7th Cir. 1995) (enhancement of sentencing for wire fraud by illegal computerized futures trading upheld because defendant could have foreseen possible loss from his conduct and was therefore held accountable for monetary loss under [sections] 2F1.1). For a complete explanation of these provisions, see the MAIL AND WIRE FRAUD article in this issue.
(127.) 18 U.S.C. [sections] 2511 (4)(a) (1994). Under the Guidelines, defendants convicted of intercepting communications or eavesdropping receive abase offense level of nine. U.S.S.G. [sections] 2H3.1(a). If the purpose of the conduct was to obtain direct or indirect commercial advantage or economic gain, the offense level is increased by three levels. U.S.S.G. [sections] 2H3.1(b)(1). Additionally, if the purpose of the conduct was to facilitate another offense, the guideline applicable to an attempt to commit that offense should be applied if the resulting offense level would be greater. U.S.S.G. [sections] 2H3.1(c)(1).
(128.) 18 U.S.C. [sections] 2511(4)(b) (1994). Interception of a radio communication that is not scrambled and is intended for retransmission to the public is not punishable under this section. 18 U.S.C. [sections] 2511 (4)(c).
(129.) 18 U.S.C. [sections] 2701(b)(1)(A) (1994).
(130.) 18 U.S.C. [sections] 2701(b)(1)(B) (1994).
(131.) 18 U.S.C. [sections] 2701(b)(2) (1994).
(132.) 799 F.2d 1494 (11th Cir. 1986).
(133.) The Fourth Amendment states that "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." U.S. Const. amend. IV.
(134.) Sawyer, 799 F.2d at 1508, n.15. Compare People v. Fleisher, 630 N.Y.S.2d 483 (1995) (finding police did not exceed the scope of the warrant by searching the contents of a computer's internal drive and external disks when the warrant only authorized taking possession of the property) with Washington v. Riley, 846 P.2d 1365, 1369 (Wash. 1993) (invalidating as overbroad a search warrant permitting the seizure of broad categories of computer records without specifying the crimes being investigated).
(135.) Sawyer, 799 F.2d at 1508.
(136.) United States v. Musson, 650 F. Supp. 525, 532 (D. Colo. 1986).
(137.) See United States v. Sissler, No. 1:90-CR- 12, 1991 U.S. Dist. LEXIS 16465, at *11 (W.D. Mich. Aug. 30, 1991) (because police "are permitted to search any container found within the premises if there is reason to believe that the evidence sought pursuant to a warrant is in it . . . police [are] permitted to examine the computer's internal memory and the disks since there was every reason to believe that they contained records whose seizure was authorized by the warrant") (citing United States v. Ross, 456 U.S. 798, 820-21 (1982)). Cf. United States v. Ponce, No. 91-50256, 1993 U.S. App. LEXIS 7462 *10-11 (9th Cir. Apr. 1, 1993), aff'd, 51 F.3d 820 (9th Cir. 1995) (affirming admission of printout made from computer disk seized in a search on the grounds that the disk, from which the printout was made, contained a drug ledger and was found at the defendant's home).
(138.) Sissler, 1991 U.S. Dist. LEXIS 16465, at *11-12 ("The police were not obligated to give deference to the descriptive labels placed on the discs. Otherwise, records of illicit activity could be shielded from seizure by simply placing an innocuous label on the computer disk containing them."). See also Baughman v. State, 38 Cal. App. 4th 182 (1995) (officers were immune from the loss defendant suffered and were within the scope of their duty when they inadvertently destroyed data on defendant's floppy disks while conducting a search authorized by a warrant that described a variety of media and computer components but was not specific as to the defendant's name or to the disks containing the destroyed data).
(139.) Sissler, 1991 U.S. Dist. LEXIS 16465, at *11.
The police also were not obligated to inspect the computer and disks at
the . . . residence because passwords and other security devices are often
used to protect the information stored in them. Obviously, the police was
permitted to remove them . . . so that a computer expert could attempt to
`crack' these security measures, a process that takes some time and effort.
(140.) Id. at * 12 n.7.
(141.) State v. Wade, 544 So.2d 1028, 1030 (Flat Dist. Ct. App.1989) (permitting use of competitor's employees to identify items).
(142.) The First Amendment states, in part, that "Congress shall make no law . . . abridging the freedom of speech, or of the press ...." U.S. Const. ammend. I.
(143.) 42 U.S.C. [subsections] 2000aa to 2000aa-12 (1994). The Privacy Protection Act explicitly includes "mechanically, magnetically or electronically recorded cards, tapes, or discs" in its definition of "documentary materials." Id. [sections] 2000aa-7(a) (1994).
(144.) This issue was considered in Steve Jackson Games, Inc. v. United States Secret Serv., 816 F. Supp. 432 (W.D. Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994). The court ruled that the Secret Service was in violation of the Act when it seized computer media, including floppy and hard disks, because these materials were possessed in anticipation of communicating the materials to the public. Id. at 440-41.
(145.) Id. at 440. Preliminary injunctions have been issued on First Amendment grounds to prevent the enforcement of portions of the Computer Decency Act of 1996. See infra Part V. Recent Developments. Those portions of the Computer Decency Act criminalizing the use of computer services to display patently offensive or indecent material available to persons under the age of eighteen were declared overbroad. See Shea v. Reno, 930 F. Supp. 916 (S.D.N.Y. 1996) (granting preliminary injunction); ACLU v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996) granting preliminary injunction).
(146.) See Jerome Y. Roache, Computer Crime Deterrence, 13 AM. J. Crim. L. 391, 399-401 (1986). The author catalogs traditional criminal law theories used to combat computer-related crimes and demonstrates the ineffetiveness of each:
Larceny--When programs or data are copied, but not deleted, from a computer, it is unclear whether property was wrongfully "taken."
Burglary--Requires a physical intrusion into a building, which is not necessary when computers may be accessed remotely.
Embezzlement--Of limited use in computer context, because offense requires that the perpetrator initially has lawful possession or access to the system.
Malicious or criminal mischief--Damage must impair the utility of property or diminish its value. Monetary value of damage due to computer break-ins is often negligible or impossible to determine.
Theft of services--As above, theft of computer services may have a minimal permanent impact on the computer system. Courts generally require a substantial showing of injury. But see Hancock v. State, 402 S.W.2d 906, 908 (Text Crim. App. 1966), (finding that commercial computer programs constituted "property" for purposes of the state's theft statute); South Cent. Bell Tel. Co. v. Barthelemy, 631 So.2d 1340, 1343 (La. App. 4 Cir. 1994) (refusing to define computer programs as personal property and instead defining them as "intellectual property"). Cf. New York v. Vanguard Meter Serv., Inc., 611 N.Y.S.2d 430, 436 (N.Y. Sup. Ct. 1994). Despite the existence of statutes directed specifically at computer-related crime, some offenses are skill prosecuted under other statutes. Cf. State v. Smith, 798 P.2d 1146, 1148-49 (Wash. 1990) (federal copyright law did not preempt prosecution under state theft statute for unauthorized copying of computer software).
(147.) The Arkansas state legislature stated its purpose in passing its computer-related crimes statute:
"It is found and determined that computer-related crime poses a major
problem for business and government; that losses for each incident of
computer-related crime are potentially astronomical; that the opportunities
for computer-related crime in business and government through the
introduction of fraudulent records into a computer system, the unauthorized
use of computers, the alteration or destruction of computerized information
or files, and the stealing of financial instruments, data, and other
assets are great; that computer-related crime has a direct effect on state
commerce; and that, while various forms of computer-related crime might
possibly be the subject of criminal charges based on other provisions of
law, it is appropriate and desirable that a statute be enacted which deals
directly with computer-related crime."
Ark. Code Ann. [sections] 5-41-101 (Michie 1993).
Some states also recognized the threat to privacy interests. See Cal. Penal Code [sections] 502 (Deering 1983 & Supp. 1995) ("The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.").
(148.) Fla. Stat. ch. 815.01-.07 (1993 & Supp. 1994).
(149.) Ala. Code [sections] 13A-8-100 to -103 (1994); Alaska Stat. [subsections] 11.46.200(3), 11.46.740 (1989); Ariz. Rev. Stat. Ann. [sections] 13-2316 (1989 & Supp. 1994); Ark. Code Ann. [subsections] 5-41-101 to -107 (Michie 1993); Cal. Penal Code [sections] 502 (Deering 1983 & Supp. 1995); Colo. Rev. Stat. [subsections] 18-5.5-101 to -102 (1990 & Supp. 1994), Conn. Gen. Stat. [sections] 53a-250 to -261 (1994); Del. Code Ann. tit. 11, [sections] 931-939 (1987 & Supp. 1994); Fla. Stat. ch. 815.01-.07 (1993 & Supp. 1994); Ga. Code Ann. [subsections] 16-9-90 to -94 (1992); Haw. Rev. Stat. [subsections] 708-890 to -893 (1985 & Supp. 1992);Idaho Code [subsections] 18-2201 to -2202 (1987); 720 ILCS 5/16D-I to -7 (formerly Ill. Rev. Stat. ch. 38, para. 16D-I to -7) (1993); Ind. Code [subsections] 3543-14, 3543-2-3 (1993); Iowa Code [subsections] 716A.1 to .16 (1995); Kan. Stat. Ann. [subsections] 21-3755 (Supp. 1993); Ky. Rev. Stat. Ann. [subsections] 434.840 to .860 (Michie/Bobbs-Merrill 1985); La. Rev. Stat. Ann. [subsections] 14:73.1 to .5 (West 1986 & Supp. 1995); Me. Rev. Stat. Ann. tit. 17-A, [subsections] 431-433 (West Supp. 1994); Md. Ann. Code art. 27, [sections] 146 (1993); Mass. Gen. Laws Ann. ch. 266, [sections] 30 (West 1990); Mich. Comp. Laws Ann. [subsections] 752.791 to .797 (West 1991); Minn. Stat. [subsections] 609.87 to .893 (1994); Miss. Code Ann. [subsections] 97-45-1 to -13 (1994); Mo. Rev. Stat. [subsections] 569.093 to. 099 (1994); Mont. Code Ann. [subsections] 45-6-310 to -311 (1993 & Supp. 1994); Neb. Rev. Stat. [subsections] 28-1343 to -1348 (1989 & Supp. 1994); Nev. Rev. Stat. [subsections] 205.473 to .491 (1993); N.H. Rev. Stat. Ann. [subsections] 638:16 to :19 (1986); N.J. Rev. Stat. [subsections] 2C:20-23 to -34 (Supp. 1994); N.M. Stat. Ann. [subsections] 30-45-1 to -7 (Michie 1989); N.Y. Penal Law [subsections] 156.00 to .50 (McKinney 1988 & Supp. 1995); N.C. Gen. Stat. [subsections] 14453 to -457 (1994); N.D. Cent. Code [subsections] 12.1-06.1-08 (1985 &E Supp. 1993); Ohio Rev. Code Ann. [sections] 2913.04 (Anderson 1993); Okla. Stat. tit. 21, [subsections] 1951-1958 (Supp. 1995); Or. Rev. Stat. [subsections] 164.125, 164.377 (1993); 18 Pa. Cons. Stat. [sections] 3933 Supp. 1994); Ri. Gen. Laws [subsections] 11-52-1 to -8 (1994); S.C. Code Ann. [subsections] 16-16-10 to 40 (Law. Co-op. 1985 & Supp. 1994); S.D. Codified Laws Ann. [subsections] 43-43B-1 to -8 (1983 & Supp. 1995); Tenn. Code Ann. [subsections] 39-14-601 to -603 (1991 & Supp. 1994); Tex. Penal Code Ann. [subsections] 33.01 to .05 (West 1994); Utah Code Ann. [subsections] 76-6-701 to -705 (1995 & Supp. 1995); Va. Code Ann. [subsections] 18.2-152.2 to .4 (Michie 1988 & Supp. 1995); Wash. Rev. Code [subsections] 9A.52.110 to .130 (1992 & Supp. 1994); W. Va. Code [subsections] 61-3C-1 to -21 (1992 & Supp. 1995); Wis. Stat. [sections] 943.70 (Supp. 1994); Wyo. Stat. [subsections] 6-3-501 to -505 (1988).
(150.) Roache, supra note 146, at 392. Computer security is enhanced because potential victims of computer crimes are more aware of specific possible violations, potential violators are more likely to know which particular activities are unlawful, and prosecution is aided by eliminating the need for prosecutors, attorneys, and judges to rationalize the application of a traditional criminal law in a technical, computer-related context.
(151.) See, e.g., Cal. Penal Code [sections] 502.01 (Deering 1983 & Supp. 1995); 720 ILCS 5/16D-6 (1993); N.M. Stat. Ann. [sections] 30-45-7 (Michie 1989). Illinois' provision distributes half the forfeited proceeds to the local government agency which investigated the computer fraud, for training and enforcement purposes, and half to the county in which the prosecution was brought, where it is placed in a special fund and appropriated to the State's Attorney for use in training and enforcement.
(152.) Gene Barton, Taking a Byte Out of Crime: E-Mail Harassment and the Inefficacy of Existing Law, 70 Wash. L. Rev. 465, 470 (1995).
(153.) Alaska Stat. [sections] 11.41.270 (Supp. 1994); Mich. Comp. Laws [sections] 750.411(h)(e)(vi); Okla. Stat. tit. 21, [sections] 1173 (Supp. 1995); Wyo. Stat. [sections] 6-2-506 (Supp. 1994).
(154.) Ala. Code [sections] 13A-11-8(b)(1)(a) (1994); 1995 Conn. Legis. Serv. 95-143 (West) (amending 53a-183 to include Computer networks as a mode of Communication); Idaho Code [sections] 18-6710 (3) (Supp. 1994); N.H. Rev. Stat. Ann. [sections] 644:4(11) (Supp. 1994); N.Y. Penal Law [sections] 240.30 (McKinney Supp. 1995).
(155.) See generally, Barton supra note 152, at 481-82. suggesting that in their current form several of the 432 statutes could be unconstitutional on First Amendment grounds, as some state courts have found they infringe on protected speech or are overly broad).
(156.) Neb. Rev. Stat. [sections] 28-1343(5) (1989 & Supp. 1994) (a "computer security system" is "a computer program or device that . . . [i]s intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system and [d]isplays a conspicuous warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access").
(157.) Ark. Coded Ann. [sections] 5-41-106 (Michie 1993); Ga. Code Ann. [sections] 16-9-93 (1992); Okla. Stat. tit. 21 [sections] 1955 (Supp. 1995); R.I. Gen. Laws [sections] 11-52-6 (1994). See Blue Cross & Blue Shield of Connecticut, Inc. v. DiMartino, No. 30-06-42, 1991 LEXIS 1570 (Cone. Super. Ct. July 2, 1991) (mem.) (plaintiff entitled to any actual damages suffered as a result of defendant's unauthorized removal from computer system of thousands of pages of documents containing information concerning a vast number of accounts, trebled because defendant's conduct was willful and malicious; however, no recovery awarded because no actual damages proven).
(158.) Anne W. Branscomb, Rogue Computer Programs and Computer Rogues: Tailoring the Punishment to Fit the Crime, 16 Rutgers Computer & Tech. L.J. 1, 32-36 (1990). For a detailed analysis of the statutory language in state computer came codes, see Paul C. Ray, Computer Viruses And The Criminal Law: A Diagnosis And A Prescription, 7 Ga. St. U. L. Rev. 455 (1991).
(159.) Branscomb, supra note 158, at 32. See, e.g., Mont. Code Ann. [sections] 45-6-311 (1993 & Supp. 1994) ("unlawful use of computer" defined as an offense against property, in the section of the code relating to theft); Mass. Gen. Laws Ann. ch. 266, [sections] 30(2) (West 1990) (larceny statute provides that "[t]he term `property'. . . shall include . . . electronically processed or stored data, either tangible or intangible, [and] data while in transit"); Nev. Rev. Stat. [sections] 205.4755 (1993) ("property" includes "information, electronically produced data, program[s], and any other tangible or intangible item of value").
(160.) Branscomb, supra note 158, at 33. See, e.g., Idaho Code [sections] 18-2202(2) (1987) (liability attaches to "[a]ny person who knowingly and without authorization alters, damages, or destroys any computer, computer system, or computer network . . . or any computer software, program, documentation, or data contained in such computer, computer system, or computer network"); Md. Ann. Code art. 27, [sections] 146(c)(2) (1993) (proscribing acts which "[a]lter, damage, or destroy data or a computer program").
(161.) Branscomb, supra note 158, at 34. See, e.g., Haw Rev Stat. [sections] 708-891(b) (1985 & Supp. 1992) (a person commits computer fraud by "access[ing] or caus[ing] to be accessed any computer, computer system, computer network, or any of its parts with the intent of obtaining money, property or services by means or embezzlement or false or fraudulent representations"); Ariz Rev. Stat. Ann. [sections] 13-2316 (1989) (computer fraud requires "the intent to devise or execute any scheme or artifice to defraud or deceive, or control property or services by means of false of fraudulent pretenses"). Cf. Colo. Rev. Stat. [sections] 18-17-103(5) (1990 & Supp. 1994) (racketeering activity includes committing, attempting to commit, or conspiring to commit offenses involving computer crimes, as defined in 18-5.5).
(162.) Branscomb, supra note 158, at 34. See, e.g., Ala. Code [sections] 13A-8-102 (1994) (unauthorized access, modification, destruction, or disclosure of computer programs or data constitutes a crime against intellectual property); Miss. Code Ann. [sections] 97-45-1, 97-45-9 (1994) (intentional and unauthorized "destruction, insertion or modification," "disclosure, use, copying, taking or accessing" of data, computer programs for software, and "confidential or proprietary information in any form or medium when such is stored in, produced by or intended for use or storage with or in a computer, a computer system or a computer network" is an offense against intellectual property).
(163.) Branscomb, supra note 158, at 34. See, e.g., Ohio Rev. Code Ann. [sections] 2913.04 (Anderson 1993) ("[n]o person shall knowingly gain access to any computer . . . without the consent of, or beyond the . . . consent of, the owner"); Neb. Rev. Stat. [sections] 28-1347 (1989) (unlawful to "knowingly and intentionally exceed the limits of. . . authorization"); Me. Rev. Stat. Ann. tit. 17-A, [sections] 432 (West Supp. 1995) (a person who "intentionally accesses any computer resource knowing that the person is not authorized to do so" is guilty of criminal invasion of computer privacy); Iowa Code [sections] 716A.2 (1993) (proscribing unauthorized access).
(164.) Branscomb, supra note 158, at 35. Compare N.Y. Penal Law [sections] 156.30 (McKinney 1988 & Supp. 1995) (the copied material need not be copyrightable; the offender must "deprive or appropriat[e] from an owner . . . en economic value or benefit in excess of [$2000]") with N.J. Rev. Stat. [sections] 2C:20-33 (1995) (copying or altering a computer program or computer software is not theft if it is of a retail value of $1000 or less and is not copied for resale).
(165.) Branscomb, supra note 158, at 35. See Wyo. Stat. [sections] 6-3-504 (1988) ("crime against computer users" occurs if offender "[d]enies computer system services to an authorized user"); La. Rev. Stat. Ann. [sections] 14:73.4 (West 1986) (an offense against computer users takes place when an authorized user is intentionally denied "the full and effective use of or access to a computer, a computer system, a computer network, or computer services.")
(166.) Branscomb, supra note 158, at 35. See, e.g., Cal. Penal Code [sections] 502(b)(10) (Deering & Supp. 1995) ("computer contaminant" defined to include viruses and worms and other sets of instructions designed to "usurp the normal operation of the computer"); Conn. Gen. Stat. [sections] 53a-251(e) (1994) (unlawful to make or cause to be made an unauthorized display, use, disclosure or copy of data, or add data to data residing within a computer system); Del. Code Ann. tit. 11, [sections] 935 (1987 & Supp. 1994) (proscribing "interrupt[ion] or add[ition of] data to data residing within a computer system"); Minn. Stat. [sections] 609.87 (1994) (criminalizing "[d]estructive computer program" that "degrades performance," "disables," or "destroys or alters" data); W. Va. Code [sections] 61-3C-8 (1992 & Supp. 1995) (prohibiting "disruption or degradation of computer services").
(167.) Branscomb, supra note 158, at 36. See, e.g., Mo. Rev. Stat. Ann. [sections] 569.095(5) (Supp. 1996) (computer tampering occurs when a person "[a]ccesses a computer, computer system, or a computer network, and intentionally examines information about another person"); W. VA. CODE [sections] 61-3C-12 (1992) (to commits "[c]omputer invasion of privacy" an offender must "knowingly, willfully, and without authorization access a computer or computer network and examine any employment, salary, credit or any other financial or personal information relating to any other person."). But see Ky. Rev. Stat. Ann. [sections] 434.845(2) (Michie/Bobbs-Merrill 1985) (unauthorized access, even if obtained fraudulently, "shall not constitute a violation . . . if the sole purpose of the access was to obtain information".)
(168.) Branscomb, supra note 158, at 37. See, e.g., Wis. Stat. [sections] 943.70(2)(4) (Supp. 1995).
(169.) See supra part III.A. of this article (overview of state criminal codes).
(170.) Section 301(a) of the Copyright Act explicitly prohibits states from enacting copyright legislation. 17 U.S.C. [sections] 301(a) (1988). This exercise of legislative power by Congress rests on the Article I, [sections] 8 grant of exclusive authority to "promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries." U.S. Const. art I, [sections] 8.
(171.) 1 F.3d 225 (4th Cir. 1993).
(172.) Va. Code [subsections] 18.2-152.3 (Michie 1988 & Supp. 1995) (criminalizing the conduct of one who uses a computer or computer network, without authority and with the intent to obtain property or services by false pretense or to convert the property of another).
(173.) 1 F.3d at 230. (174.) Id.
(175.) See Wisconsin v. Corcoran, 522 N.W.2d 226, 230-31 (Wis. Ct. App. 1994) (holding defendant lacked any copyright protected by federal statute, and could be prosecuted and convicted under Wis. Stat. [sections] 943.70 (Supp. 1994) for destroying data in programs he developed for his employer).
(176.) See Kenneth E. North, Copyright Act Snarls Computer Crime Laws, The Nat'l L.J., Nov. 1, 1993, at S36. For example, Illinois' Computer Crime Prevention Law includes copyrighted information in its definition of property; thus, any criminal conduct involving copyrighted "property' could not be prosecuted under state criminal law. 720 ILCS 5/16D-2(d)(3) (1993).
(177.) North, supra note 176, at S36.
(178.) Id. The virtual absence of reported decisions involving federal prosecutions for criminal software infringement indicates a lack of enforcement in this area. If this is true, then Rosciszewski may overburden the federal system. Id.
(179.) Ark. Code Ann. [sections] 5-41-105 (Michie 1993); Del. Code Ann. tit. 11, [sections] 938 (1995); Ga. Code Ann. [sections] 16-9-94 (1992); Ky. Rev. Stat. Ann. [sections] 434.860 (Michie/Bobbs-Merrill 1985); Miss. Code Ann. [sections] 97-45-11 (1994); N.H. Rev. Stat. Ann. [sections] 638:19 (1986); S.C. Code Ann. [sections] 16-16-30 (Law. Co-op. 1985); S.D. Codified Laws Ann. [sections] 43-43B-8 (Supp 1995); Tenn. Code Ann. [sections] 39-14-603 (1991); VA. CODE ANN. [sections] 18.2-152.10 (Michie 1988 & Supp. 1995); W. Va. Code [sections] 61-3C-18 (1992).
(180.) Several venue provisions are particularly broad. See, e.g., Ga. Code Ann. [sections] 16-9-94(4) (1992) (venue exists for violations committed " [i]n any county from which to which, or through which any use of a computer or computer network was made, whether by wires, electromagnetic waves, microwaves, or any other means of communication").
A person may also face federal prosecution, depending on whether he or she lives in the same state as the computer to which he or she gains unauthorized access. For example, assume that hacker A lives in state X and hacker B lives in state Y. "If both hackers gain unauthorized access to a private, non-financial computer system in state X and both subsequently cause identical damage, A is subject to the laws of state X while B is subject to federal law." As a result, they may be subject to very different penalties for identical acts. See Michael R Dierks, Electric Communications and Legal Change: Computer Network Abuse, 6 Harv. J.L. & Tech. 307, 331-32 (1993) (arguing that although jurisdictional boundaries always create arbitrary legal lines, these lines are particularly arbitrary in the world of cyberspace because the sites of the act and actor may not be the same).
(181.) See Richard Raysman and Peter Brown, Computer Law: Interpretation of New York 's Tampering Statute, N.Y. L.J., Apr. 12, 1994, at 3. See generally People v. Johnson, 560 N.Y.S.2d 238, 241 (N.Y. Crim. Ct. 1990) (information charging defendant for the unauthorized use of a telephone credit card number is facially sufficient since credit card numbers are central to a sophisticated computerized communication system); State v. Moran, 784 F.2d 730, 734 (Ariz. Ct. App. 1989) (defendant did not criminally damage his employer's program by encoding it because he did so with his employer's permission; his refusal to decode was an omission, not an act, and criminal damage is defined in Arizona as a crime of commission, not omission); People v. Weg, 450 N.Y.S.2d 957, 961-62 (N.Y. Crim. Ct.1982) (allegations that a computer programmer employed by a public agency used his employer's computer for his own commercial benefit with the knowledge that he was not entitled to do so, fail to make out the crime of theft of services, since the computer was not used for profit in trade or commerce, but as an administrative tool).
For other explanations of the lack of diligence in prosecuting computer crimes, see Michael Todd Friedman, Comment, The Misuse of Electronically Transferred Confidential Information in Interstate Commerce: How Well Do Our Present Laws Address the Issue ?, 4 Software L.J. 529, 552-53 (1991) (the laws may have gaping holes which make enforcement problematic); Hollinger & Lanza-Kaduce, supra note 5, at 117 (the laws may be more symbolic than functional); Brenda Nelson, Note, Straining the Capacity of the Law: The Idea of Computer Crime in the Age of the Computer Worm Straining the Capacity of the Law: The Idea of Computer Crime in the Age of the Computer Worm, 11 Computer L.J. 299, 320-21 (1991) (present laws may be incorrectly conceived). For an interesting discussion of the problems with ex post measures to prevent abuse, see Dierks, supra note 180, at 330-36.
(182.) See, e.g., State v. Rowell, 895 F.2d 232, 236-39 (N.M. Ct. App. 1995) (using a telephone and dialing long-distance numbers with intent to defraud amounted to "accessing a computer" in violation of N.M. Stat. Ann. [sections] 30-45-1 to 30-45-7 (Michie 1989)); Gallagher v. State, 618 So.2d 757, 758 (Flat Dist. Ct. App. 1993) (dissenting) ("exceeding one's authorized use" is not proscribed as "unauthorized access" under Fla. Stat. [sections] 815.06(1) (1993 & Supp. 1994)); People v. Jemison, 466 N.W.2d 378 (Mich. Ct. App. 1991) (to "cause access to be made" to a computer within the meaning of Mich. Comp. Laws Ann. [sections] 752.794 (West 1991) "requires more than merely supplying information which ultimately finds its way into a computer system in the normal course of business"); State v. Lindsly, 808 F.2d 727, 729 (Or. Ct. App. 1991) (investigatory expenses qualify as pecuniary damages under Or. Rev. Stat. [sections] 137.103(2) (1993)); Schalk v. State, 767 S.W.2d 441, 448 (Text Ct. App. 1988) (defining computer programs as a trade secret).
(183.) See Newberger v. Florida, 641 So.2d 419, 421 (Flat Dist. Ct. App. 1994) (applying the interpretation of "alter" in People v. Versaggi, 629 N.E.2d 1034, 1034 (N.Y. 1994), in rejecting the defendant's vagueness challenge to Fla. Stat. [sections] 815.04 (1993 & Supp. 1994), but concluding that defendant, unlike Versaggi, had not used the computer program to do something which changed what the system was designed to do); Versaggi, 629 N.E.2d 1034, 1038-39 (N.Y. 1994) (interpreting N.Y. Penal Law [sections] 156.20 (McKinney 1988 & Supp. 1995) to uphold the conviction of a former Eastman Kodak computer technician who secretly activated built-in computer commands to shut down the company's telephone system, holding that the legislature also meant to criminalize changes or modifications of the program's intended purpose); State v. Bonnie, 898 F.2d 1356, 1358 (Or. Ct. App. 1995) (affirming the conviction for computer theft by receiving under Or. Rev. Stat. [subsections] 164.055, 164.095 (1993) but reversing the order for restitution because the destruction of data from the hard drive while the defendant was in possession of the computer did not result in pecuniary damages); Pennsylvania v. Gerulis, 616 A.2d 686, 693 (Pa. Super. Ct. 1992) (interpreting the definition of "computer" under 18 Pa. Cons. Stat. Ann. [sections] 3933 (Supp. 1994) to encompass voice mailbox systems in upholding the conviction of defendant for secretly using the voice mailbox system of a major hospital to,store stolen telephone credit card numbers); Washington v. Riley, 846 F.2d 1365, 1373 (Wash. 1993) (finding a telephone company's long-distance switch was a "computer" in upholding the conviction for computer trespass of a hacker who attempted to illegally steal individual long-distance access codes).
(184.) See Richard Raysman and Peter Brown, Interpretation of New York's Tampering Statute, N.Y. L.J., Apr. 12, 1994, at 6.
(185.) See generally Joel S. Solomon, Forming a More Secure Union: The Growing Problem of Organized Crime in Europe as a Challenge to National Sovereignty, 13 Dick. J. Int'l L. 623, 643 (1995) (discussing the World Ministerial Conference on Organized Crime held by the United Nations which attempted to address the hurdles sovereignty poses to effective cooperation on international computer crimes); Ulrich Sieber, Computer Crimes and Other Crimes Against Information Technology: Commentary and Preparatory Questions for the Colloquium of the Association Internationale de Droit Penal in Wurzburg 64 Rev. Int'l de D. Penal 67 (1993) (describing international efforts to harmonize computer crime laws).
(186.) Note, Computer-Related Crime: An International Problem in Need of an International Solution, 27 Texas Int'l L.J. 479, 494 (1992) [hereinafter Computer-Related Crime]. As more companies advance into cyberspace for commercial purposes, the risk of infiltration from around the world increases. A recent national survey of 150 security directors of major corporations indicated that 98.6% of their companies had been victims of computer-related crimes. The largest reported increases of criminal activity included cellular phone fraud and theft of confidential client information and trade secrets from computer viruses and unauthorized access. Brian S. Akre, On-Line Snoops, Thieves Lurk Around Corporate Computers, Morning News Trib. (Associated Press), Nov. 1, 1995, at A12.
(187.) See generally the Financial Institutions Fraud and Securities Fraud articles in this issue. See also Growing EFTPOS Fraud in Europe Warning, Telecomworldwire, Apr. 20, 1995, available in WESTLAW, File No. 10098543 (banks face new problem from computer "hackers" who break into Internet-access computers to steal personal information about customers' debit cards that are being used to fraudulently withdraw money from Electronic Funds Transfer services across Europe). See also Larry Lange, Trust a Hacker Under 30? You'd Better, Elec. Engineering Times, Aug. 19, 1996, available in 1996 WL 11550843 (An estimated $800 million was lost by banks and other corporations due to attacks on their computer systems. An example of which is Russian programmer Vladimir Levin tampering with Citibank's computer system and transferring ten million dollars to various bank accounts around the world).
(188.) See generally Solomon, supra note 185 (reporting on the use of new computer technology as an effective and dangerous mechanism exploited by international criminals).
(189.) An example of potential terrorist activities via the computer occurred in Los Angeles, where a group of hackers broke in to a Los Angeles Hospital computer and doubled all the dosages of medicine for patients in the intensive care ward. See, Matthew R. Burnstein, Conflicts on the Net: Choice of Law in Transnational Cyberspace, 29 Vand. J. Transnat'l L. 75, 85 (1996).
(190.) Thus far, unlawful computer system intrusions have fallen short of disastrous terrorist attacks. However, the potential danger is evident. In one example, a Lithuanian nuclear power plant operator unsuccessfully introduced a virus into the plant's computers, intending to disrupt the nuclear reactor. Nikolai Lashkevich, Malefactor at Ignalina Nuclear PlantMalefactor at Ignalina Nuclear Plant, Izvestiia, Feb.3, 1992, at 8.
Computer infiltration may already be an effective weapon of war. United States intelligence agents reportedly planted a computer virus in Iraqi military computers to disable the Iraqi air defense network during the 1991 Persian Gulf War. Special Report; The Gulf War Flu, U.S. News & World Rep., Jan. 20, 1992, at 50. Contra Report of Sabotage to Iraq Computer May Be Hoax, Chi. Trim., Jan. 14, 1992, at 6.
(191.) Sieber,supra note 185, at 69-70.
(192.) For reports on computer-crime legislation and prosecution in a number of countries, see Colloquium, Computer Crime and Other Crimes Against Information Technology, 64 Rev. Int'l de Droit Penal 1 (1993) (reporting on Austria, Belgium, Brazil, Canada, Chile, China, Czechoslovakia, Egypt, Finland, France, Germany, Greece, Hungary, Israel, Italy, Japan, Luxembourg, the Netherlands, Poland, Portugal, Romania, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, the United Kingdom, and the United States). See also Stefano Agostini, Focus on Italy: Overview of Intellectual Property Legislation, 7 No. 1 J. Proprietary Rts. 8 (1995) (describing recent modifications of the Italian Criminal Code's computer crime rules and criminalization of software copyright violations).
(193.) Taiwan and South Korea have indicted companies for illegally copying software for internal use Business Software Alliance, BSA World-Wide Report 1990-91, Sept. 1991. In Great Britain, software piracy carries prison terms up to two years. Business Software Alliance, United Kingdom: Software Piracy and the Law. Similar French laws also provide for restitution, doubled penalties for repeat offenders, and court-ordered business closings. Business Software Alliance, France: Software Piracy and the Law. Singapore provides for up to five years imprisonment for illegally copying software. Business Software Alliance, Singapore: Software Piracy and the Law. See generally the Intellectual Property article in this issue.
(194.) Computer-Related Crime, supra note 186, at 494.
(195.) For example, the Chinese government is finding it increasingly difficult to prevent political dissidents from spreading information inside of China as well as prevent their importation of information from abroad via the Internet. See, Steven Mufson, Chinese Protest Finds a Path on the Internet: Beijing Tightens Its Control; Can't Prevent On-Line Access, Wash. Post, Sept. 17, 1996, at A9.
Arab Countries are also struggling with the growth of the Internet. Habib Al-Rida, Assistant Under-Secretary of the UAE Ministry of Information noted, "The challenge facing us now is how to protect our society against the potentially harmful influences coming through the system, whether criminal or otherwise, while at the same time, making it possible for our companies and individuals to benefit from the valuable access to the worldwide pool of skills and information that the Internet represents." See, Ahmad Mardini, Gulf-Culture: Officials Worry About Smut on Internet, Inter Press Service, Jan. 19, 1996, available in 1996 WL7881040.
(196.) See, Andy Riga, Governments Grappling With Net Curbs, Montreal Gazette, Mar. 16, 1996, at B2, available in 1996 WL4175432.
(197.) For example, German born Ernst Zundel operated a neo-Nazi web-page on a Santa Cruz, California Server. See, Hiawatha Bray, UMass Shuts Down Web Site Containing Neo-Nazi Material; Student Intended Protest of German Censorship, Boston Globe, Feb. 2, 1996, available in 1996 WL 6848660.
(198.) After threats of prosecution under German law, CompuServe, Germany's largest Internet provider, decided to ban access to over 200 UseNet Newsgroups to all of its customers world wide. See, Kate Gerwig, CompuServe Caves In: What Happens When a Local Government Tries to Police Its Borders in a Borderless Medium?, NetGuide, Mar. 1, 1996, available in 1996 WL 8536961.
Similarly, T-Online, another major Internet provider in Germany, responded to German prosecutorial threats by banning subscriber's access to a Neo-Nazi website. See America Online Warned Over Neo-Nazi Web Site, REC. N. N.J., Feb. 3, 1996, available in 1996 WL 6073558.
(199.) For example, some European laws focus more on data protection for privacy reasons than in the United States. See Comment, The Right to Financial Privacy Versus Computerized Law Enforcement: A New Fight in an OW Battle, 86 Nw. U. L. Rev. 1169, 1169-72, 1215-19 (1992) (comparing creation and purpose of U.S. Treasury Department's Financial Crimes Enforcement Network with independent privacy protection agencies in Sweden, Germany and France).
In addition, approaches to prosecuting computer hackers still differ. See generally Comment, Computer Hacking: A Global Offense, 3 Pace Y.B. Int'l L. 199 (1991) (comparing legislation governing hackers and prosecutions thereunder in Canada, the United States, and the United Kingdom).
(200.) See Cole Durham, The Emerging Structures of Criminal Information Law: Tracing the Contours of a New Paradigm: General Report for the Association Internationale de Droit Penal Colloquium 64 Rev. Int'l de Droit Penal 79, 97-109 (1993) (discussing patterns of convergence with regard to unauthorized access, unauthorized interception, unauthorized use of a computer, alteration of data or programs, computer sabotage, computer espionage, unauthorized use or reproduction of a computer program, unauthorized reproduction of a topography, computer forgery, and computer fraud).
(201.) See generally Clifford Miller, Electronic Evidence-Can You Prove the Transaction Took Place? 9, No. 5 Computer Law 21 (1992) (analyzing problems of getting evidence of computer crimes admitted under the rules of evidence in the United Kingdom as representative of the challenge to prosecutors in the United States, Belgium, Germany and France); English Law on Computer Evidence to be Reformed Newsbyte News Network, July 14, 1995, available in WESTLAW, File No. 9329355 (discussing the English Law Commission's recent recommendation that evidence extracted from computers be accepted in the UK as a reliable source unless there is an obvious contrary indication; this could directly benefit computer-specific prosecutions under the provisions criminalizing unauthorized access and data modification).
(202.) The Netherlands Passes Anti-hacking Law, Computer Fraud and Sec. Bull., Sept. 1992.
(203.) Dutch Police See Hacking Surge, Computer Fraud and Security Bull., Jan. 1993.
(204.) The Dutch law provides for six months' imprisonment for unauthorized access, up to four years for unauthorized modification, and up to six years for breaking into systems that serve socially important purposes, such as those of hospitals. James Daly, Netherlands, Mexico Chase After Hackers, Computerworld, July 13, 1992, at 14.
(205.) Computer-Related Crime, supra note 186, at 503-04 (cooperative international solutions could begin on a regional level, such as within the European Community). While the EC's 1991 Software Directive is aimed at harmonizing European copyright laws rather than computer security per se, it does mandate that member States adopt prescribed penalties for software piracy and procedures for seizing illegally-copied software, a first step towards addressing broader issues raised by computer crimes. Council Directive 91/250/EEC, 1991 O.J. (L122) 42, 42-46.
(206.) Solomon, supra note 185, at 633 (citing M. Cherif Bassiouni, Effective National and international Action Against Organized Crime and Terrorist Criminal Activities, 4 Emory Int'l L. Rev. 9, 20 (1990)).
(207.) Durham, supra note 200, at 97 n.51 (citing efforts by the United Nations, the Council of Europe and the OECD).
(208.) The Business Software Alliance is a Washington, D.C. based organization funded by major software publishers.
(209.) The Business Software Alliance together with the Mexican federal attorney's office, initiated a 1992 software piracy investigation which led to seizure of illegally reproduced software programs. James Daly, Netherlands, Mexico Chase After Hackers, Computerworld, July 13, 1992, at 14.
(210.) This Lobby Speaks Software and Crimes a Big Stick, Bus. Wk., March 22, 1993, at 88.
(211.) See e.g., Firewalls Provide Effective Internet Security Links, Worldwide Videotex Update, vol. 14, Nov. 1, 1995, available in WESTLAW, File No. 1995 WL 8118444 (security systems being developed by corporations that block and check all incoming on-line traffic, and limit access to authorized users to prevent criminal activity); UK-Chip Theft Recovery Service Offered, Newsbytes News Network, Aug. 25, 1995, available in WESTLAW, File No.9986610 (British organization will provide a hotline and on-call replacement service to assist businesses in recovering more rapidly from the crippling theft of computer components); CMG System Combats Moscow Mobile Phone Fraud, Newsbytes News Network, Jan. 31, 1995, available in WESTLAW, File No. 2205434 (describing private company's installation of a security system in Russia to prevent fraudulent cloning of mobile phones and use of computer scanning systems to gain international access to cellular phone codes).
(212.) The law prohibiting the exportation of encryption technology garnered extensive media coverage due to the Zimmerman case. Zimmerman, creator of an encryption program called Pretty Good Privacy (PGP,) was being investigated for allegedly placing it on the Internet in violation of federal law. See, Philip L. Dubois, The Zimmerman Case: Issues in Encryption Software, Colo. Lawyer, May 25, 1996.
(213.) Jared Sandberg, French Hacker Cracks Netscape Code, Shrugging Off U.S. Encryption Scheme, Wall St. J., Aug. 17, 1995, at B3.
(214.) Elizabeth Corcoran, U.S. to Ease Encryption Restrictions; Privacy Advocates Wary of Proposal for Software Exports, Wash. Post, Oct. 1, 1996, at A1.
A key escrow system is where the government or designated third party maintains a "key" which will decode encrypted material from a given program or piece of hardware.
(215.) See generally, Electronic Privacy Information Council (visited Nov. 1, 1996).
(216.) See The Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1996, S.1726, 104th Congress (Bill to prohibit domestic key escrow proposals and permit exportation of encryption technology for non-military end use).
(217.) 47 U.S.C. [sections] 223 (1934).
(218.) 47 U.S.C. [sections] 151 (1934).
(219.) 47 U.S.C. [sections] 223(d).
(221.) The drive to curb on-line pornography gained added impetus from a widely-publicized but highly controversial survey of pornographic material available in a variety of on-line fora. Marty Rimm, Note, Marketing Pornography on the Information Superhighway: a Survey of 917,410 Images, Descriptions, Short Stories, and Animations Downloaded 8.5 Million Times in over 2000 Cities in Fort,v Countries, Provinces, and Territories, 83 Geo. L.J. 1849 (1995). But see Howard Kurtz, A Flaming Outrage; A `Cyberporn' Critic Gets a Harsh Lesson in '90s Netiquette, Wash. Post, July 16, 1995, at C1 (noting the controversy surrounding the Rimm study and a Time magazine editor's admission that "I screwed up" in touting it), and Philip Elmer-DeWitt, Firestorm on the Computer Nets: A New study of Cyberporn, Reported in a Time Cover Story, Sparks Controversy, Time, July 24, 1996, at 57 (noting that "serious questions have been raised regarding the study's methodology, the ethics by which its data were gathered and even its true authorship). In addition, a Philadelphia court reviewing the CDA estimated that only 0.1 percent of Internet addresses contain sexually explicit content. Martin Flumenbaum and Brad S. Karp, The Communication Decency Act and the Internet, N.Y. L.J., Aug. 28, 1996, at 3.
(222.) American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996), prob. jurist noted, 65 U.S.L.W. 3414 (U.S. Dec. 6, 1996) (No.96-511); Shea v. Reno, 930 F. Supp. 916 (S.D.N.Y. 1996). Section 561(a) of the CDA provides for expedited review by a three-judge panel of any constitutional challenges to the Act, pursuant to 28 U.S.C. [sections] 2284. Section 561(b) of the CDA allows the panel's decisions to be appealed within 20 days directly to the U.S. Supreme Court.
(223.) The 20 plaintiffs in ACLU v. Reno included Human Rights Watch, the Electronic Frontier Foundation, the Safer Sex Page, Planned Parenthood, and the National Writers Union, among others. Id at 827. Shea v. Reno was filed by the publisher of an on-line newspaper. Id at 922.
(224.) The Philadelphia court held the Act's indecency provision impermissibly vague and found the Act as a whole overbroad, finding that it chilled constitutionally protected speech among adults in its effort to protect minors. ACLU, 929 E Supp. at 854-56. The New York court held that the statute s use of the FCC's indecency standard defeated the vagueness claim, but it invalidated the Act nonetheless for overbreadth. Shea, 930 F. Supp. at 936-941. Both opinions contain detailed findings on the history, nature, and uses of the Internet, which may be of interest to practitioners unfamiliar with the technology.
(225.) ACLU, 929 F. Supp 824.
(226.) 74 F.3d 701 (6th Cir. 1996).
(227.) Robert and Carleen Thomas were convicted of violating federal obscenity laws, 18 u.s.c. [sections] 1462 and 18 U.S.C. [sections] 1465, as judged by Tennessee community standards. Their BBS allowed paid subscribers who, inter alia, identified their home state as part of an application process to connect to a California computer via modem and download sexually explicit pictures, order explicit videotapes, and engage in sexually explicit on-line "chats." Id. at 704.
(228.) Id. at 709.
(229.) Id. at 710.
(230.) ACW, 929 F. Supp. at 845-8.
(231.) Id. at 865.
(232.) 937 F. Supp. 295 (S.D.N.Y. 1996).
(233.) 937 F. Supp. 161 (D. Conn. 1996).
(234.) 89 F.3d 1257 (6th Cir. 1996).
(235.) For a discussion of the compuserve and Inset cases and the issues raised therein, see Richard Baysman and Peter Brown. Resolving Jurisdiction