Criminal Law in Cyberspace
CRIMINAL LAW IN CYBERSPACE

NEAL KUMAR KATYAL†

UNIVERSITY OF PENNSYLVANIA LAW REVIEW [Vol. 149:1003

INTRODUCTION
I. WHAT IS CYBERCRIME?
   A. Unauthorized Access to Computer Programs and Files
   B. Unauthorized Disruption
      1. Viruses
      2. Worms
      3. Logic Bombs and Trojan Horses
      4. Distributed Denial of Service
   C. Theft of Identity
   D. Carrying Out a Traditional Offense
      1. Child Pornography
      2. Copyright
      3. Cyberstalking
      4. Illegal Firearms Sales
II. TREATING CYBERCRIME DIFFERENTLY
   A. First-Party Strategies
      1. Five Constraints on Crime
      2. The Efficiency of Cybercrime
         a. Conspiracy's Demise
         b. Pseudonymity and Encryption
         c. Tracing and Escape
   B. Second-Party Strategies of Victim Precaution
      1. Optimal Victim Behavior
      2. The Limits of Victim Precaution
      3. The Emergence of a Special Form of Crime: Targeting Networks
      4. New De Minimis Crime
      5. Supersleuth Victims and Electronic Vigilantism
   C. Third-Party Strategies of Scanning, Coding, and Norm Enforcement
      1. Internet Service Providers
      2. Credit Card Companies
      3. Software and Hardware Manufacturers
      4. Public Enforcement of Social Norms
         a. The Influence of Social Norms
         b. Broken Windows in Cyberspace
CONCLUSION

† Associate Professor of Law, Georgetown University Law Center. Thanks to Bruce Ackerman, Akhil Amar, Fred Cohen, Julie Cohen, Dhammika Dharmapala, Michael Froomkin, Jennifer Granick, Julie Hilden, Adam Isles, Jerry Kang, Sonia Katyal, Gillian Lester, Josh Liston, Wayne Mink, Wendy Perdue, Mark Rasch, Jeffrey Rosen, Joanna Rosen, Jonathan Rusch, Warren Schwartz, Mike Seidman, Anna Selden, Andrew Shapiro, Neal Stephenson, Cliff Stoll, Lynn Stout, Mark Tushnet, Eugene Volokh, and participants in a Georgetown University Faculty Workshop.

INTRODUCTION

The new millennium brings new crimes.
Witness two of the most talked-about crimes of last year, the ILoveYou computer worm (in terms of economic damage, perhaps the most devastating crime in history, causing more than $11 billion in losses) and the denial-of-service attacks on Yahoo!, eBay, E*Trade, and other sites (which caused $1.2 billion in damage).1 These events suggest that a new breed of crime has emerged over the past decade: cybercrime. This umbrella term covers all sorts of crimes committed with computers: from viruses to Trojan horses; from hacking into private e-mail to undermining defense and intelligence systems; from electronic thefts of bank accounts to disrupting web sites. Law has not necessarily caught up with these crimes, as the recent dismissal of charges against the author of the ILoveYou worm demonstrates.2

How should the law think about computer crime? Some academics see cyberspace as a new area in which first principles of law need to be rethought. David Johnson and David Post, for example, contend that existing legal rules are not suitable for the digital age and that governments should not necessarily impose legal order on the internet.3 Others, in contrast, believe that a computer is merely an instrument and that crime in cyberspace should be regulated the same way as criminal acts in realspace.4 The recent U.S. Department of Justice ("DOJ") report on cybercrime typifies this approach.5 I contend that neither view is correct and that each camp slights important features that make cybercrime both different from and similar to traditional crime.

Underlying the "cybercrime is not different" position is a worry about a unique form of geographic substitution. The concern is that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower. For example, if the electronic theft of one million dollars warrants five years imprisonment, and the physical theft of one million dollars warrants ten years imprisonment,

2001] CRIMINAL LAW IN CYBERSPACE

1 Russ Banham, Hacking It, CFO MAG., Aug. 1, 2000, http://www.cfo.com/printarticle/1,1883,0111AD1874,00.html (describing the denial of service attacks as "causing more than $1.2 billion in total losses"); Harvey Stark, eirus Signs Marketing and Sales Contract and Readies for Expansion, BUS. WIRE, Aug. 1, 2000, 8/1/00 BWIRE 09:21:00 ("[T]he 'I Love You' virus caused estimated damages of US$11 billion worldwide in May, 2000.").

2 See Philippines Drops Charges in "ILoveYou" Virus Case, at http://www.cnn.com/2000/TECH/computing/08/21/computers.philippines.reut/index.html (Aug. 21, 2000).

3 See David R. Johnson & David G. Post, And How Shall the Net Be Governed?: A Meditation on the Relative Virtues of Decentralized, Emergent Law, in COORDINATING THE INTERNET 62, 68 (Brian Kahin & James H. Keller eds., 1997) (proposing a model for internet governance based on "decentralized, emergent law" stemming from the "voluntary acceptance of standards"); David R. Johnson & David Post, Law and Borders-The Rise of Law in Cyberspace, 48 STAN. L. REV. 1367, 1372-75 (1996); see also Benjamin Wittes, Is Law Enforcement Ready for Cybercrime?, LEGAL TIMES, Oct. 10, 1994, at 1 (discussing how some describe the internet as "'qualitatively different' from other platforms for crime" and how others, such as Stewart Baker, former general counsel at the National Security Agency, believe that such a characterization is "broadly speaking-wrong").

4 See, e.g., Catherine Thérèse Clarke, From CrimINet to Cyber-Perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet, 75 OR. L. REV. 191, 204-05 (1996) (discussing an informal survey of lawyers revealing that "most lawyers consider criminals on the 'net to be exactly the same as those outside the 'net"); Jack L. Goldsmith, Against Cyberanarchy, 65 U. CHI. L. REV. 1199 (1998) (arguing that cyberspace can be regulated in many traditional ways); Christopher M. Kelly, The Cyberspace Separatism Fallacy, 34 TEX. INT'L L.J. 413, 414 (1999). In an important middle approach, Larry Lessig contends that cyberspace can be regulated through law and programming code. LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 53-60 (1999). Some courts have also suggested that crimes might be different in cyberspace because there is a lack of tangible media, such as a briefcase that may be "stolen." See, e.g., United States v. Carlin Communications, Inc., 815 F.2d 1367, 1371 (10th Cir. 1987) (declining to apply the federal obscenity statute to abusive or harassing phone calls because such calls do not constitute "tangible objects" of commerce). Others have disagreed. See United States v. Thomas, 74 F.3d 701, 707 (6th Cir. 1996) (concluding that computer image files are tangible and therefore subject to the federal obscenity statute); United States v. Gilboe, 684 F.2d 235, 238 (2d Cir. 1982).

5 The Justice Department believes that "substantive regulation of unlawful conduct... should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world. If an activity is prohibited in the physical world but not on the Internet, then the Internet becomes a safe haven for that unlawful activity." U.S. DEPT. OF JUSTICE, THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET 11 (2000), available at http://www.usdoj.gov/criminal/cybercrime/unlawful.htm [hereinafter DOJ REPORT]. Current federal law, in general, embraces the view that there are no differences. See id. at vi ("[E]xisting substantive federal laws generally do not distinguish between unlawful conduct committed through the use of the Internet and the same conduct committed through the use of other, more traditional means