While the internet has revolutionized business and
communication almost overnight, laws regulating its use and misuse haven't developed as swiftly.
But in the last few years Congress and the courts have started responding to
the threat posed by computer crime. Before 1996--when the Computer Fraud and
Abuse Act was amended significantly--prosecutors had to rely on old statutes to make their cases and many of these statutes were inadequate when applied to the new area of computer crime.
Below is a synopsis of the philosophy underlying the regulation of
computer code, followed by a summary of laws that have been enacted,
specifically or not, to counter computer-related crime.
U.S. courts have established that most original computer code is
intellectual property since it involves creativity and the use and application
of mental faculties. In many ways, U.S. law treats code in the same manner as
it treats books, musical recordings and other creative activities. Such
intellectual properties are considered a form of speech and are protected under
the First Amendment of the U.S. Constitution.
There are, of course, limitations on First Amendment protections afforded
to "speech," or computer
code in this case. Generally, the government cannot prevent it from being
freely created and disseminated. Limitations can be enforced if there is a need
to protect the public's welfare, but such restrictions have been very difficult
to enact. In fact, many potentially dangerous pieces of intellectual property
have appeared in the U.S.--articles on how to make bombs and how to commit
assassinations--and the courts have routinely suppressed any restraints on
After extensive litigation, the courts have extended that same logic to the dissemination of computer code, including encryption software, which scrambles information so that only authorized users can read it. In a case that began in 1993, the U.S. State Department ruled that Daniel Bernstein, then a graduate student at the University of California at Berkeley, would have to register as an international weapons dealer if he wanted to post an encryption program online. The government feared encryption technology could be used to conceal illegal activity, so it restricted its export under the International Traffic in Arms Regulations portion of the Arms Export Control Act.
Bernstein filed suit in 1995, arguing that the government was violating his constitutional right to the freedom of speech. In 1997 a U.S. District Court determined the code was, indeed, a form of speech and that the government could not restrict its dissemination.
While the development and possession of harmful computer code is not a
criminal act, using the code can be. The Computer Fraud and Abuse Act (CFAA)
[18 U.S.C. Section 1030] makes it illegal for anyone to distribute computer
code or place it in the stream of commerce if they intend to cause either
damage or economic loss. The CFAA focuses on a code's damage to computer
systems and the attendant economic losses, and it provides criminal penalties
for either knowingly or recklessly releasing a computer virus into computers
used in interstate commerce. Someone convicted under the CFAA could face a
prison sentence as long as 20 years and a fine of up to $250,000.
When the CFAA was enacted in 1984 (as the Counterfeit Access Device and
Computer Fraud and Abuse Act), it applied only to federal government computers
and computers owned by large financial institutions. It was designed simply to
give the Secret Service the jurisdiction to conduct investigations into
computer crime. The first person prosecuted under the CFAA was Robert Morris, the Cornell University graduate student who released the first worm onto the internet. Yet additional prosecutions weren't immediately forthcoming: The unamended version of the 1984 CFAA resulted in only one prosecution. Since then, however, it has been amended many times to counter new instances of computer crime.
For example, the National Information Infrastructure Protection Act, which
was signed into law by then-President Clinton in 1996, significantly amended
the CFAA. Its definition of a "protected computer" was expanded to effectively
cover any computer connected to the internet. Damages, as defined in the
original, must reach $5,000, but that requirement is waived if the intrusion
hampered medical care, harmed anyone, or posed a threat to national
As it reads today, each major subsection of the CFAA is intended to explain
a particular aspect of computer crime. In simple terms, the CFAA prohibits:
- accessing a computer without authorization and subsequently transmitting
classified government information [Subsection 1030(a)(1)];
- theft of financial information [Subsection 1030(a)(2)];
- accessing a "protected computer," which the courts have recently
interpreted as being any computer connected to the internet, even if the
intruder obtains no data [Subsection 1030(a)(3)];
- computer fraud [Subsection 1030(a)(4)];
- transmitting code that causes damage to a computer system [Subsection
- trafficking in computer passwords for the purpose of affecting interstate
commerce or a government computer [Subsection 1030(a)(6)];
- and computer extortion [Subsection 1030(a)(7)].
The Electronic Communications Privacy Act (ECPA) [18 U.S.C. Sections
2510-2521, 2701-2710], which was signed into law in 1986, amended the Federal
Wiretap Act to account for the increasing amount of communications and data
transferred and stored on computer systems. The ECPA protects against the
unlawful interceptions of any wire communications--whether telephone or
cell phone conversations, voicemail, email, or other data sent over the wires.
The ECPA also includes protections for messages that are stored--email
messages that are archived on servers, for instance. Now, under the law,
unauthorized access to computer messages, whether in transit or in storage, is
a federal crime.
There is a clause in the ECPA, however, that permits employees at an
internet service provider (ISP) to read the messages in order to maintain service or to protect the provider itself from damage. For example, if an ISP suspects that a virus is being disseminated via its systems, it has a right to intercept messages to determine whether its service is, indeed, a carrier of a virus.
Like traditional wiretapping, the ECPA allows the government to obtain a
warrant to access electronic communications or records. The first "data
wiretap," for example, was used to apprehend some of the principal actors in
the Phonemasters case.
Interestingly, the ECPA itself was amended by Congress in 1994 when the
Communications Assistance for Law Enforcement Act (CALEA) was passed. The
amended ECPA required telecommunications carriers to modernize their equipment
so that they comply with authorized electronic surveillance. Three prominent
advocacy groups--the American Civil Liberties Union (ACLU), the Electronic
Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC)--opposed the law. In a 1998 joint statement, the organizations said that they "continue to oppose the funding of [CALEA], an FBI-backed law that--despite the record levels to which law enforcement wiretapping has soared--would require the telecommunications industry to build enhanced digital wiretapping
capabilities into the Nation's telephone system."
There are other laws in the federal statutes that have been applied to
hacker cases. These laws aren't designed specifically to counter computer
crime, but have been applied to certain cases when existing law has proved
inadequate in scope:
Enacted in 1996, the Economic Espionage Act (EEA) has both domestic and
international components and condemns foreign espionage as well as theft of
trade secrets. It has been used to prosecute industrial espionage through
traditional means as well as the newer electronic pilfering methods. In
essence, the EEA makes it a federal crime to take, download, receive, or
possess trade secret information obtained without the owner's authorization.
The Wire Fraud Act makes it illegal to use interstate wire communications
systems, which ostensibly includes the internet, to commit a fraud to obtain
money or property. In addition, computer-aided theft involving the use of
interstate wires or mails is considered criminal.
The National Stolen Property Act (NSPA) prohibits the transportation in
interstate commerce of "any goods, wares, securities, or money" valued at
$5,000 or more that are known to be stolen or fraudulently obtained.
Computerized transfers of funds have been covered by this law.
The Identity Theft and Assumption Deterrence Act (ITADA) [18 U.S.C.
Section 1028(a)(7)] was passed by Congress in 1998. It criminalizes
identity theft and allows courts to assess the losses suffered by individual
consumers. According to the act, identity theft is defined as follows:
Whoever knowingly transfers or uses, without lawful authority, a means of
identification of another person with the intent to commit, or otherwise
promote, carry on, or facilitate any unlawful activity that constitutes a
violation of federal law ...
Therefore, anyone who steals any name or number that may be used to
identify a specific individual is committing a federal crime and may be forced
to pay damages. While the CFAA covers certain aspects of identity theft, the
ITADA addresses restitution and relief for the victims.
According to a March 1999 study in Information & Communications
Technology Law, 33 states have enacted their own laws to combat computer
crime, while 11 more have laws pending in state legislatures. The laws from
state to state vary widely in structure and wording, but not in intent. Almost
all of the present state laws criminalize the unauthorized access to or use of
computers and databases, using a computer as an instrument of fraud, and known
and foreseeable acts of computer sabotage.
By nature, however, state laws are limited in scope. While most law
enforcement has historically been left to the states, states are ill-equipped
to deal with the extraterritoriality of computer crime. State law enforcement
agencies cannot execute search warrants, subpoena witnesses, or make arrests
beyond their own borders. Yet computer crimes are hardly ever confined to a
specific locality. The "Morris Worm," for example, ultimately crippled 6,200
computers all over the country.
Most experts agree that the CFAA affords the broadest protection against computer crimes.