homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

computer crime laws

While the internet has revolutionized business and communication almost overnight, laws regulating its use and misuse haven't developed as swiftly. But in the last few years Congress and the courts have started responding to the threat posed by computer crime. Before 1996--when the Computer Fraud and Abuse Act was amended significantly--prosecutors had to rely on old statutes to make their cases and many of these statutes were inadequate when applied to the new area of computer crime.

Below is a synopsis of the philosophy underlying the regulation of computer code, followed by a summary of laws that have been enacted, specifically or not, to counter computer-related crime.

Computer Code and the First Amendment

U.S. courts have established that most original computer code is intellectual property since it involves creativity and the use and application of mental faculties. In many ways, U.S. law treats code in the same manner as it treats books, musical recordings and other creative activities. Such intellectual properties are considered a form of speech and are protected under the First Amendment of the U.S. Constitution.

There are, of course, limitations on First Amendment protections afforded to "speech," or computer code in this case. Generally, the government cannot prevent it from being freely created and disseminated. Limitations can be enforced if there is a need to protect the public's welfare, but such restrictions have been very difficult to enact. In fact, many potentially dangerous pieces of intellectual property have appeared in the U.S.--articles on how to make bombs and how to commit assassinations--and the courts have routinely suppressed any restraints on free speech.

After extensive litigation, the courts have extended that same logic to the dissemination of computer code, including encryption software which scrambles information so that only authorized users can read it. In a case that began in 1993, the U.S. State Department ruled that Daniel Bernstein, then a graduate student at the University of California at Berkeley, would have to register as an international weapons dealer if he wanted to post an encryption program online. The government feared encryption technology could be used to conceal illegal activity, so it restricted its export under the Int'l Traffic in Arms Regulations portion of the Arms Export Control Act.

Bernstein filed suit in 1995, arguing that the government was violating his constitutional right to the freedom of speech. In 1997 a U.S. District Court determined the code was, indeed, a form of speech and that the government could not restrict its dissemination.

computer fraud and abuse act

While the development and possession of harmful computer code is not a criminal act, using the code can be. The Computer Fraud and Abuse Act (CFAA) [18 U.S.C. Section 1030] makes it illegal for anyone to distribute computer code or place it in the stream of commerce if they intend to cause either damage or economic loss. The CFAA focuses on a code's damage to computer systems and the attendant economic losses, and it provides criminal penalties for either knowingly or recklessly releasing a computer virus into computers used in interstate commerce. Someone convicted under the CFAA could face a prison sentence as long as 20 years and a fine of up to $250,000.

When the CFAA was enacted in 1984 (as the Counterfeit Access Device and Computer Fraud and Abuse Act), it applied only to federal government computers and computers owned by large financial institutions. It was designed simply to give the Secret Service the jurisdiction to conduct investigations into computer crime. The first person prosecuted under the CFAA was Robert Morris, the Cornell University graduate student who released the first worm onto the internet. Yet additional prosecutions weren't immediately forthcoming: The unamended version of the 1984 CFAA resulted in only one prosecution. Since then, however, it has been amended many times to counter new instances of computer crime.

For example, the National Information Infrastructure Protection Act, which was signed into law by then-President Clinton in 1996, significantly amended the CFAA. Its definition of a "protected computer" was expanded to effectively cover any computer connected to the internet. Damages, as defined in the original, must reach $5,000, but that requirement is waived if the intrusion hampered medical care, harmed anyone, or posed a threat to national security.

As it reads today, each major subsection of the CFAA is intended to explain a particular aspect of computer crime. In simple terms, the CFAA prohibits:

  • accessing a computer without authorization and subsequently transmitting classified government information. [Subsection 1030(a)(1)];
  • theft of financial information [Subsection 1030(a)(2)];
  • accessing a "protected computer," which the courts have recently interpreted as being any computer connected to the internet, even if the intruder obtains no data [Subsection 1030(a)(3)];
  • computer fraud [Subsection 1030(a)(4)];
  • transmitting code that causes damage to a computer system [Subsection 1030(a)(5)];
  • trafficking in computer passwords for the purpose of affecting interstate commerce or a government computer [Subsection 1030(a)(6)];
  • and computer extortion [Subsection 1030(a)(7)].

electronic communications privacy act

The Electronic Communications Privacy Act (ECPA) [18 U.S.C. Sections 2510-2521, 2701-2710], which was signed into law in 1986, amended the Federal Wiretap Act to account for the increasing amount of communications and data transferred and stored on computer systems. The ECPA protects against the unlawful interceptions of any wire communications--whether it's telephone or cell phone conversations, voicemail, email, and other data sent over the wires. The ECPA also includes protections for messages that are stored--email messages that are archived on servers, for instance. Now, under the law, unauthorized access to computer messages, whether in transit or in storage, is a federal crime.

There is a clause in the ECPA, however, that permits employees at an internet service provider (ISP) to read the messages in order to maintain service or to immure the provider itself from damage. For example, if an ISP suspects that a virus is being disseminated via its systems, it has a right to intercept messages to determine whether its service is, indeed, a carrier of a virus.

Like traditional wiretapping, the ECPA allows the government to obtain a warrant to access electronic communications or records. The first "data wiretap," for example, was used to apprehend some of the principal actors in the Phonemasters case.

Interestingly, the ECPA itself was amended by Congress in 1994 when the Communications Assistance for Law Enforcement Act (CALEA) was passed. The amended ECPA required telecommunications carriers to modernize their equipment so that they comply with authorized electronic surveillance. Three prominent advocacy groups--the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC)--opposed the law. In a 1998 joint statement, the organizations said that they "continue to oppose the funding of [CALEA], an FBI-backed law that--despite the record levels to which law enforcement wiretapping has soared--would require the telecommunications industry to build enhanced digital wiretapping capabilities into the Nation's telephone system."

Other  Federal Laws

There are other laws in the federal statutes that have been applied to hacker cases. These laws aren't designed specifically to counter computer crime, but have been applied to certain cases when existing law has proved inadequate in scope:

Economic Espionage Act

Enacted in 1996, the Economic Espionage Act (EEA) has both domestic and international components and condemns foreign espionage as well as theft of trade secrets. It has been used to prosecute industrial espionage through traditional means as well as the newer electronic pilfering methods. In essence, the EEA makes it a federal crime to take, download, receive, or possess trade secret information obtained without the owner's authorization.

Wire Fraud Act

The Wire Fraud Act makes it illegal to use interstate wire communications systems, which ostensibly includes the internet, to commit a fraud to obtain money or property. In addition, computer-aided theft involving the use of interstate wires or mails is considered criminal.

National Stolen Property Act

The National Stolen Property Act (NSPA) prohibits the transportation in interstate commerce of "any goods, wares, securities, or money" valued at $5,000 or more that are known to be stolen or fraudulently obtained. Computerized transfers of funds have been covered by this law.

Identity Theft and Assumption Deterrence Act

The Identity Theft and Assumption Deterrence Act (ITADA) [18 U.S.C.  Section  1028(a)(7)] was passed by Congress in 1998. It criminalizes identity theft and allows courts to assess the losses suffered by individual consumers. According to the act, identity theft is defined as follows:

Whoever knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or otherwise promote, carry on, or facilitate any unlawful activity that constitutes a violation of federal law ...

Therefore, anyone who steals any name or number that may be used to identify a specific individual is committing a federal crime and may be forced to pay damages. While the CFAA covers certain aspects of identity theft, the ITADA addresses restitution and relief for the victims.

state laws

According to a March 1999 study in Information & Communications Technology Law, 33 states have enacted their own laws to combat computer crime, while 11 more have laws pending in state legislatures. The laws from state to state vary widely in structure and wording, but not in intent. Almost all of the present state laws criminalize the unauthorized access to or use of computers and databases, using a computer as an instrument of fraud, and known and foreseeable acts of computer sabotage.

By nature, however, state laws are limited in scope. While most law enforcement has historically been left to the states, states are ill-equipped to deal with the extraterritoriality of computer crime. State law enforcement agencies cannot execute search warrants, subpoena witnesses, or make arrests beyond their own borders. Yet computer crimes are hardly ever confined to a specific locality. The "Morris Worm," for example, ultimately crippled 6,200 computers all over the country.

Most experts agree that the CFAA affords the broadest protection against computer crimes.

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation