Computer Crime:
Current Practices, Problems and Proposed Solutions
Second Draft
Brian J. Peretti
It would have been surprising if there had been
satisfactory
road traffic legislation before the invention of the
wheel, but
it would also have been surprising if the law on the
passage of
laden donkeys proved entirely satisfactory when
applied to
vehicles.1
I. Introduction
Within recent years, computer crime has
become a
preoccupation with law enforcement officials. In
California, a
group of West German hackers2 using phone lines and
satellite
hookups, gained unauthorized access into civilian and
military
computers and stole sensitive documents that were sold to
the
Soviet Union.3 A young New York programmer broke
into a
Washington computer to run a program that he could not run
from
his personal computer.4 After Southeastern Bell Stated
that a
document published in an electronic publication5 was
valued at
more than $75,000 the publisher was arrested and brought to
trial
before the discovery that the document could be publicly
bought
from the company for $12.6 The Chaos Computer Club, a
Hamburg,
Germany, club, went into government computers and
access
information and gave it to reporters.7 In May, 1988, the
United
States government launched Operation Sun Devil, which lead
to the
seizure of 23,000 computer disks and 40 computers.8
In
addition, poor police performance9 has also been
blamed on
computers.
Since its creation, the computer has become
increasing
important in society.10 The law, as in the past, has not
been
able to evolve as quickly as the rapidly
expanding
technology.11 This lack of movement on the part of
governments
shows a lack of understanding with the area. The need to
create
a comprehensive regulation or code of ethics has
become
increasing necessary.
Due to the nature of computer systems and
their
transnational connections through telephone lines12,
an
individual state's action will only stop the problems
associated
with computer crime if many states join together. The
patchwork
of legislation that exists covers only a small part of
the
problem. To adequately address computer crime, greater
efforts
must be made within the computer community to
discourage
unauthorized computer access, countries must strengthen and
co-ordinated their computer related laws, as well as
proper
enforcement mechanism created, computer program copyright
laws be
enhanced and computer systems should be created to allow
those
who wish to explore computer systems which will not
disrupt the
users of computer systems.
This paper will first set out a definition of computer
crime
and why laws or regulation by the computer community
must be
created. Section II will then discuss the United
States law
concerning computer crime and why it needs to be
strengthened.
Section III will discuss the proposed Israeli computer
crime
bill, Britain's Computer Misuse Act and Ghana's proposed
law.
Section IV will discuss what can be done by both the
government
and computer owners and users to make computer crime
less
possible.
II. Computer crime
The definition of what constitutes a computer crime has
been
the subject of much controversy. A computer crime has
been
defined as "any illegal act for which knowledge of
computer
technology is used to commit an offense."13 The
typical
computer criminal has been described as between 15 and 45
years
old, usually male, no previous contact with law enforcement,
goes
after both government and business, bright, motivated, fears
loss
of status in computer community and views his acts as
games.14
For the purposes of this article, this will be the
definition
used because of its broad reach.
Estimates regarding how much is lost to computer crime
very
widely15. In the only authoritative study, the loss
due to
computer crime was given at $555,000,000, 930 personnel
years
lost and 153 computer time years lost.16 The amount of
total
incidents for 1988 was 485 resulting in 31 prosecutions17.
In
1987, there were 335 incidents with 8 prosecutions.18
Security
spent on prevention of computer crime is becoming
more
commonplace19.
The most publicized danger to computer systems
are
viruses20 and worms. A virus is a code segment which,
when
executed, replicates itself and infects another
program.21
These viruses may be created anywhere in the world22
and may
attack anything.23 A virus may be transmitted through a
trojan
horse24 program. A worm exists as a program in its own
right
and may spread over a network via electronic mail25. A
virus
attacks a program while a worm attacks the computer's
operating
system.26 The most notorious computer worm brought
the
Internet computer network to a halt.27
Computer virus attacks may be overrated.28 It is
said
that the biggest threat to computing includes "not
backing up
your data, not learning the ins and outs of your
application
programs, not putting enough memory in your computer,
not
organizing your hard disk, [and] not upgrading to the
latest
version of your applications.29 These computer programs
have
been compared to the AIDS virus.30 One author has stated
that
the viruses are used to both increase the amount of
profits of
computer program producers and anti-virus computer
programs.31
Computer viruses may also be used to benefit
computer
systems, by either detecting flaws in security
measures or
detecting other viruses.32 Virus are very dangerous,
though.
The effects of a virus called Datacrime, activated on
October 13,
1989, brought down 35,000 personal computers within the
Swiss
government and several companies in Holland.33
With the opening up of Eastern Europe, the virus
problem is
expected to increase.34 In Bulgaria, a country which
does not
have any laws against computer viruses, one new virus
appears
week.35 Computer viruses are created in countries like
the
Soviet Union as a way to punish computer pirates because
of the
lack of copyright laws.36
Perhaps the most dangerous threat to information
contained
in a computer is the "leakage" of radiation from the
computer
monitors.37 With inexpensive equipment38 a person can
"read"
the information off the computer screen and then
replicate the
information from the screen in a readable manner.39
The threat of attack on a computer system can also come
from
a hacker. A hacker is a person who breaks into,
whether
maliciously or not, computers or computer systems.40 A
hacker
can, if the system is not adequately secured, cause havoc
in the
computer by either deleting or altering programs or
data or
planting logic bombs or viruses in the computer
system.41
Threats from hackers to plant viruses have been made in
the
past.42 The threat from computer hackers, as with
viruses, has
been said to be overrated.43
The issues surrounding computers still have not been
decided
by those within the computer community. Whether or not
persons
should be allowed to access computer systems
without
authorization is still a subject of debate within the
computing
community. A West German Computing Club, called The
Chaos
Computing Club, holds the belief that it is not improper to
enter
any system which they can gain access to and to "look"
around
inside of the system as much as they wish.44 They do
not,
however, condone destroying or altering any of the
information
within the system.45 On the other side,
represented by
Clifford Stoll, when individuals break into computer systems
they
disrupt the trust that the computer system is based on.46
This
breach of trust not only makes operating the system
tougher for
the manager in control of the system, but also will
decrease the
amount of use of the system so less information
will be
transferred within the system.47
There is also conflicting views as to whether the
authors of
computer viruses should be punished. Marc Rotenberg48
holds
the belief that a virus should be granted first
amendment
protection in some instances.49 In response to the
Internet
worm, there were 21 editorials that stated that the attack
showed
the need for more security in computers while there
were 10
letters to editors that stated that the creator
should be
applauded rather then punished.50 They argue that this
was a
good way to raise consciousness concerning computer
security.51
Alan Solomon, a consultant who specializes in virus
detection and
eradication, believes that viruses are, at most,
an
inconvenience.52
III.United States Computer Legislation
The United States government53 and most states54
have
computer crime laws. In 1979, only six states had such
laws.55
Almost every computer crime will, in addition to
violating a
state and/or federal law, can also be prosecuted under
other
laws.56
A. Computer Fraud and Abuse Act.
Congress originally enacted the Counterfeit Access
Device
and Computer Fraud and Abuse Act57 to address the
problem of
computer crime. Understanding that the scope of the
original law
was too narrow,58 in 1986 Congress enacted amendments
to the
Computer Fraud and Misuse Act of 1984.59 The Act
essentially
lists acts that if done with a computer are illegal.
The Act
also makes individuals culpable for attempting to
commit a
computer crime.60
In order to commit any of the crimes mentioned in the
act,
the actor must have acted either "intentionally" or
"knowingly"
when committing the act. The law addresses national
security
issues by making a crime of anyone using a computer to
obtain
information and giving the information to foreign
countries.61
The penalty for this crime or its attempt is 10 years
for the
first offense62 and 20 years for subsequent offenses63.
If a
person intentionally accesses a computer either
without
authorization or in excess of his authorization and obtains
and
acquires information in a financial record of an
institution or
information contained in a financial record of an
individual64,
the person will have committed a misdemeanor for the
first
offense65 and a felony for subsequent offenses66. A
person
intentionally accessing a government computer
without
authorization which affects the government's use of
that
computer67 will have committed a misdemeanor for the
first
offense68 and a felony for the second offense.69
Accessing a
computer with knowledge and intent to defraud and
without or
exceeding authority is a crime if the person obtains
anything of
value other than use is a felony70. Accessing a
federal
interest computer without authorization and either
modifying
medical records or causing $1,000 or more worth of damage
within
a one year period71 is punishable with up to 5 years for
the
first offense72 and 10 years for any subsequent offense.73
The Act also criminalizes trafficking in
passwords.74 A
person who knowingly and with intent to defraud
traffics75 in
passwords or similar information may be sentenced for up
to one
year for the first offense76 and up to 10 years for
subsequent
offenses77 if the computer is used by or for the
Government of
the United States78 or affects interstate or
foreign
commerce.79
B. Criticisms
It is important to note that this statute only
applies to
"Federal interest computers" as defined by this section.80
If
a computer is not this type of computer, then any of the
above
mentioned crimes will not be prosecutable under this
section.
Congress intentionally made the scope of the law
narrow.81
This section has been criticized as not inclusive
enough.82
Individual and corporate computers which do not fall into
the
restrictive definition83 may not receive the protection
of the
statute.
The problem of computer viruses are not
addressed by
Act.84 The act does not punish those who add information
into
a computer, even though this may do more harm then just
accessing
information. The Congress has attempted to address this
issue
under two bills85, but neither one has been enacted.
Unauthorized access where there is no theft or damage
to the
system is not covered.86 For example, a person
access a
computer system and looks at information contained
therein, he
has not committed a punishable crime under the Act.87
Questions have also been brought up concerning many of
the
undefined terms within the Act.88 Terms such as
"intentionally
access" and "affects interstate commerce" are among the
terms not
defined.89 The need to clarify these terms is
important so
that an individual will know what action will constitute a
crime.
IV. Legislation From Around The World
A. Israel Proposed Computer Law
In March 1987, the Israeli Ministry of Justice
distributed a
draft of a comprehensive computer bill.90 This bill
covers a
wide range of areas concerning computers91. The Act first
sets
out a list of proposed definitions for computer,
program,
software, information, thing and act. Each of these,
while
short, are concise and attempt to give a brief but
comprehensive
definition.92
Chapter 2 sets out a list of offenses which, if
committed,
are punishable.93 A authorized person commits an act
upon any
computer and knows that the act will prevent or cause
disruption
of the proper operation is subject to seven
years
imprisonment.94 A person who, without authority,
commits an
act which precludes a person from using a computer
system or
deprives a person of using that system is punishable by
up to
seven years imprisonment.95 If a person prepares or
delivers
or operates software knowing that the software will
produce
faulty results and "having reasonable grounds to assume",
the
person is punishable for up to seven years.96 The Act
also
addresses those who supply, deliver or operates a computer
with
faulty data.97
Section 5 applies to those who use a computer to
attempt to
obtain some "thing"98 or with intent prevents another
from
obtaining some "thing".99 A person who prevents another
from
obtaining a "thing" by the use of software may
also be
punished.100 A person who deprives a person of an object
that
contains software, data or information and obtaining a
benefit
for himself.101 All of these crimes contain a prison
sentence
of five years.
A professional who relies on computer outputs that they
know
which are false is also subject to punishment.102 The
crime
carries a sentence of five years.103
This chapter does not apply to all computers, software
data
or information.104 It only applies to those computers,
data
or information which are used, designated to be used by
or for
(1) the state or a corporation that is supplying service
to the
public105 or (2) "business, industry, agriculture,
health
services, or for scientific purposes."106
Perhaps the most novel provision of this proposed law
is the
section governing the reporting of the offenses. Any
person who
is in charge of another and has reason to believe
that an
individual has committed an offense under the Act, he must
report
this to police as soon as possible.107 If the person
does not
do so, he may be imprisoned for up to one year.
B. Analysis
The Israeli computer crime bill is more comprehensive
then
the America bill. By creating a law which will apply not
only to
government computers, but also to those of "business,
industry,
agriculture, health services or for scientific
purposes,"108
the law essentially covers all computers in the
country.109
By creating such broad coverage, the law will be able to
make the
users of computers in Israel more secure in their knowledge
that
their systems are safe. B. Analysis
The Israeli computer crime bill is more comprehensive
then
the America bill. By creating a law which will apply not
only to
government computers, but also to those of "business,
industry,
agriculture, health services or for scientific
purposes,"110
the law essentially covers all computers in the
country.111
By creating such broad coverage, the law will be able to
make the
users of computers in Israel more secure in their knowledge
that
their systems are safe.
The most controversial provision in the act is the
proposal
requiring that individuals that may know of computer crime
must
report the crime or face fines themself. As Levenfeld
points
out112, this will mean that employers will have to
impose
internal spy rings to be able to tract down the
"reasonable
suspicions" that individuals have concerning illegal
activity.
Shalgi, however, believes that this is a good provision in
that
it will allow computer crime to come more to the
forefront so
that the crime can be more easily combatted.113
This provision is necessary for the government to
understand
exactly how large of a problem computer crime is. At
present,
statistics on computer crime are difficult to determine
because
of the lack of reporting.114 By making all persons who
would
be responsible for computer security, i.e. all persons who
use
computer systems, the problem will be brought into the
open and
can be addressed.
The proposed law also sets out a defense for those
who
violate the law. Under 11, if a person who violates
the law
makes another know that he did disrupt or alter the data, he
will
not be convicted of the crime. This will allow those who
perform
such acts to avoid the punishment of the law. Individuals
who
wish to destroy or alter such information will have an
incentive
to bring forth their mischievous acts so that when brought
before
the court they could say that they took precautions so
that
individuals would not rely on the information. This
provision
will encourage those who do such activity to come forth
without
fear of conviction.
The ability of a court to not impose a punishment
on a
person is contained in section 12.115 This allows the
court
to abstain from punishment if the offense is not grave and
was
not committed with malice. This section, in effect, will
allow
those who commit computer crime to be able to forgo
punishment if
their acts were not serious. This will be beneficial to
those
who are hackers in the original sense of the word,116
yet
still allow for punishment of those individuals who enter
systems
to do harm to it.
The law also creates standards for how a computer
may be
seized. Neither a computer, nor any part of it, may be
seized
without a court order.117 Although this seems to be a
good
provision in its effects on individual rights118, the
section
is not focused enough. The law does not address the
issue of
whether a floppy, as opposed to a hard disk, is part
of a
computer. The hard disk is located inside of a computer,
while
floppy disks may be removed from the computer. This law
should
address this issue by stating that the floppy disk is also a
part
of a computer in its definitions.119
This section also does not address what standard may be
used
for the court order. Must the officer only have a
reasonable
suspicion or probable cause to seize the computer? By
stating
explicitly in the statute that the officer must have
probable
cause to seize the computer, an overzealous police officer
will
not be able to as easily seize the computer.
C. The Great Britain Computer Misuse Act
In response to computer program concerning AIDS that
was
distributed to doctors in Great Britain and Europe that
contained
a virus,120 Michael Colvin, a British MP introduced
the
Computer Misuse Bill.121 On August 29, 1990, the
Computer
Misuse Act122 came into effect.123 It was estimated
that
the losses to British industry and government were one
billion
pounds.124 This Act is designed to not to
create a
confidential information right, but to rather protect
computer
system integrity125.
Prior to enactment, the English Law Commission
studied the
problem and laws regarding computer crime. It stated that
there
should be three new offenses to deal with computer misuse:
(1)
Unauthorized access to a computer, (2) Hacking with
intent to
commit a serious crime, and (3) Intentional destruction
of or
alteration to computer programs or data.126 The
Computer
Misuse Act states that unauthorized access occurs if the
person
is unauthorized to access the computer, he causes the
computer to
perform any function with intent to gain access to a
program or
data in the computer and he knows that this is the
case.127
He does not have to be directed to any particular program or
data
in the computer he attempted to get on or the data or
program he
wishes to access.128 If a person commits unauthorized
access
with the intent to commit129 or help another
offense,130
the person can be sentenced on summary conviction, up
to six
months in prison and a fine,131 or if convicted
after
indictment, to imprisonment of up to five years, a
fine or
both.132
If a person modifies computer material,133 the
person is
subject to a fine of up to 5 years, an unlimited
fine or
both.134 The person must knowingly modify a program
without
authorization and must have done so with the intent to
impair the
operation of the computer, to prevent or hinder access, or
impair
the operation of the program or resulting data.135
The
modification does not have to be permanent.136 A
modification
may be done by either altering, erasing or adding onto a
program
or data. By stating modification broadly, the act
attempts to
combat the placing of viruses, worms and logic
bombs on
computers.137
The Act also extends the scope of jurisdiction.138
A
person does not have to actually be in Great Britain at
the
commission of the crime. The crime itself must have
some
relation to Great Britain.139 The link must
be
"significant".140
D. Analysis
As opposed to the other statutes, the Computer Misuse Act
does not attempt to define computer. This was done
because of
the fear that any definition given for a computer may
become out
of date in a short period of time.141 Program and data
are
also not defined within the Act.
Great Britain's courts are granted large jurisdiction.
The
act allows for anyone who attempt to commit a crime under
the act
to be punished in Great Britain. The act, although
setting out
that the link must be significant,142 does not
attempt to
define this word. By this omission, the Great Britain's
courts
can expand this to any act that occurs in a foreign country
that
uses a British computer for even a short period of time.
The
defining of the word would clear up some misconceptions
that may
result from the act.
Of interest to note, the Act would not punish a
person who
distributes disks tat contain viruses on them. Although
the
drafter of the bill said that this was his goal, the law
ignores
this possibility. An amendment should be added to the law
which
will punish those who damage data even if they do not
access the
system.
E. Ghana
In response to the belief that their existing laws
were not
adequate, a draft law was proposed by the Ghana Law
Reform
Commission.143 The bill is rather simple as opposed to
the
other laws. It has definitions for access, computer,
computer
network, computer program and data.144 To commit
computer
related fraud, the person must have an intent to
defraud and
either alters, damages destroys data or program stored in or
used
by the computer or obtains information to his own advantage
or to
the disadvantage of another or uses a computer commits
and
offense.145 The Act Also sets out alternatives for
some
sections that may be adopted. The alternative states
that any
person who obtains access to a computer program or data
and
attempts to erase or alter the program or data with
intent to
help his own interests or damage other person's interest
commits
a crime.146
Damaging computer data occurs if any person, by any
means,
without authority, willfully does damage to data
commits a
crime.147 The crime of unauthorized use of a
computer is
simply defined as anyone who knowingly without authority
commits
an offence.148 Similarly, unauthorized access is anyone
who
knowingly gains access to a computer, network or any part
there
of, without authority to do so.149 The Ghana law also
creates
a crime for the knowingly and dishonestly introduction of
false
data and the omission to introduce, record or store
data.150
An authorized person who willfully or intentionally
allows
information to get into the hands of an unauthorized
person and
that person uses the information to his advantage also
commits a
crime.151
The penalties for the crimes are similar to those
of the
Great Britain law.152 On summary convictions, a jail
term may
be given of up to two years or the statutory maximum
fine or
both.153 On conviction on indictment, a prison term
of no
more then ten years or an unlimited fine, or both
may be
given.154
The jurisdiction that the Ghana courts have in accord
with
this jurisdiction is as large as their British
counterpart.155
The courts can hear any case if the accused person was in
Ghana
at the time of the act.156 Also, if the program or data
was
stored in or used with a computer or computer network in
Ghana
the person may be tried under the law.157
F. Analysis
The Ghana proposed Computer Crime Law is in accord
with the
United States, Great Britain and the proposed Israeli
laws. By
setting out definitions for the various terms used in
the
law158, the law clearly defines which acts may be
subject to
prosecution under the law. Although simple, the
definitions
attempt to capture within the law's grasp the various
different
acts which could be done with a computer that should be
outlawed.
The most original section of the act concerns the
newly
created crime of omission to introduce, record or
store
data.159 This section, however, will end up punishing
those
who work in corporations that are at the lowest level
skill-wise.
The government should, if the law is enacted, force
companies to
give each employee a sufficient amount of training on a
computer
so that the person will be able to act in accordance with
the
law. The act does provide a safeguard by making the mens
rea of
the crime "negligently or dishonestly"160
The act also sets out a crime for an individual who
allows
information to get into the hands of another.161 As
opposed
to the other laws, this section specifically address the
problem
of where an authorized individual gives information
to an
outsider. By specifically regulating this behavior,
anyone who
wishes to act according will know that the act is illegal.
The crime of computer-related fraud is
defined
broadly.162 This law effectively makes any type of
fraud
committed either with a computer or information within a
computer
a crime. The law adequately addresses the problems that
might
occur with a computer in fraud. A broad definition,
however, may
still let some act seem as though they are not covered
since the
act is not specific in the area of what constitutes a crime.
Most significantly, the act does not state which
types of
computers are covered by the act.163 By not giving a
limit on
which computers are covered, the act extends its
jurisdiction to
all "computer"164 and "computer network"165 in the
country.
If the definition of computer changes, due in part to
advance
technology, the law may have to change this section.
V. Proposed Solutions
Computer Crime laws have come a long way in
addressing the
problem of computer crime.166 The ability to regulate
the
activity will decrease the amount of crime that is
committed.
Those who use the computers of the world, however, must not
rely
totally on there respective governments to combat
this
problem.167
The best way to combat computer crime is to not let it
occur
at all. Many computer systems have not been given
enough
security by their system managers.168 It is possible to
have
a totally secure computer system169, but it is
impractical and
slows the free flow of information.170 By creating laws
that
will protect the integrity of computer systems while
also
allowing for the ability of our best and brightest to
develop and
learn about computer systems will the nation be able to
keep our
technological lead in the world.
In order to combat the problem of unauthorized access,
users
of computer systems must be taught to respect each others
privacy
within the various systems. Creating an standard of
ethics for
those who are users of computers will be the best way
since it
will hold the users to standards that must be met. Although
some
organizations have attempted to promogate standards
regarding the
ethical use of computer systems171 no one standard
has
emerged. Proposed rules of ethics should balance the
need of
individuals to be able to learn and discover about the
various
types of computer systems, while at the same time
allowing for
those who use those systems to be secure in the knowledge
that
the information stored on the computer will not be read by
those
other then person who should have access to it.
If computer crime laws are enacted, industries that
use
computers should not use the new laws as a replacement for
using
adequate security measures.172 Individuals or
corporations
that use computer have several ways to protect themselves
from
unauthorized access. If the computer can be accessed by a
modem,
the computer can have a dial back feature placed on the
phone
line so that one a computer is accessed, the computer will
then
call back to make sure that the call is coming from a line
which
is supposed to access the computer.173 The proper
use of
passwords174 are also an effective way to address the
problem
of unauthorized access. A recent study has shown that out
of 100
passwords files, approximately 30 percent were guessed by
either
using the account name or a variation of it.175 A
program
has recently been developed that will not allow a user to
select
an obvious password.176 Encryption programs, similar to
the
program used on Unix operating system, can scramble a
password in
a non reversible manner so that if the encrypted password
falls
into the hands of an individual who is not supposed to
access the
system, the person will not be able to get into the
system.
These systems can also be used so that if a hacker does get
into
a computer system and attempts to get information,
the
information will not be readable.177
A problem that must be address is the lack of
laws
concerning copyright protection of computer programs in
foreign
countries. The Pakistan Brain178 was written to
discourage
copying of a program without authorization. By creating
pirating
penalties a reason for the creation of computer viruses
will be
removed and less viruses will be created.179
Many in the field argue that computer programs should
not be
copyrighted.180 Copyright protection should not be
afforded
to computer programs since they are only
mathematical
equations.181 Copyright protection should be given to
the
maker of a computer programmer only for a short
period of
time.182
A novel concept which will both satisfy the computer
hackers
quest for knowledge through examining computer systems
and
protect the integrity of computer systems is to create a
computer
systems for the use of hackers alone.183 This computer
would
not be connected to other computer systems, but can be
accessed
through a modem.184 If created, accounts would be
given to
all interested computer enthusiasts. Those participating
will
not be prosecuted for exploring unauthorized areas of
the
system.185 Since other computer systems will not
be
accessible through this system, any activity on this system
will
not endanger the information on other systems.186 By
allowing
this to be done, a major problem will be solved, the
inability to
afford to buy a mainframe system, while a person will
still be
able to learn about different types of systems.
If any laws are to be made, they should make
"knowing"187
or "intentionally"188 unauthorized access into a
computer a
crime. By making the intent of the crime be knowing, it
will
allow those who accidently connect to a computer system that
they
think is theirs but is not to be excused from punishment.
The law must also be done in a way that will allow it
to be
enforced across national boundaries. A computer
hacker can
access computers from across the world without ever
leaving his
home country.189 If these laws can only be enforced
within
the home country, then a person can, in theory, go into a
country
of whose computers that he would never want to access and
access
into other computers without fear of punishment.190
An international convention should be convened to
address
this problem. Since the problem is of international
concern and
the crimes do occur across the boarders of countries, by
setting
standards by the international community concerning the
conduct
of computer users, the hodgepodge of computer crime laws
will be
eradicated in favor of a common international standard.
As the
boundaries in Western Europe disappear in anticipation of
1992,
international access is sure to accelerate.
Colleges, Universities and high schools must
institute
programs designed to address proper computer use.191
Although
not all computer users are not trained in school,
teaching the
ethical use of computers will allow users to understand the
need
for security on systems. These programs will also show
users
that computer crime is dangerous to society.192
Problems
concerning computer crime should be publicized so as
not to
mystify the crime.193
The United States and other countries must create
more
Computer Emergency Response Teams (CERT). These teams
are to
coordinate community responses to emergency
situations,
coordinate responsibility for fixing hole in computer
systems and
serve as a focal point for discussions concerning
computer
systems.194 These groups regularly post notices
concerning
computer viruses or other dangers in the Internet
computer
system. The scope of these groups should be expanded so
they may
be a focal point of the needs and desires of those
who use
computers. If they are used to gather information as a
clearing
house type operation, the spread of information
concerning
computer systems and problems with the systems will be
more
adequately addressed.
IV. Conclusion
Computer crime is a growing problem. With the advent
of the
computer and a more computer literate public, crimes
committed by
computers will increase. To effectively address the
problem,
laws must be created to outlaw activity which is
designed to
further illegitimate ends. These laws have moved in the
right
direction concerning what should be outlaws so as to
balance the
needs of computer users against those of the computer
owners. To
enforce these laws, governments must realize that the
problem of
computer crime is not only of local concern.
Educational programs and standards of ethics must be
created
from within the computer users community. Corporations
which use
computers must educate their employees to reduce the fear
that
one might have when addressing a computer security
issue.
Copyright laws must be strengthened in countries that
either do
not have or have weak copyright laws so that the need to
create
viruses to protect an individual's or corporation's work
will no
longer be necessary.
To satisfy users curiosity with computers, a
non-secure
computer system should be created. This system will allow
those
who wish to explore a system in order to understand the
system
may. Those individuals can do so without the
fear of
prosecution.
Only by directly addressing the causes of computer
crime and
drafting standards and laws to address the unique area
will the
problem of computer crime be adequately addressed. Light
must be
shined on the area so individuals will realize that fear
of the
machines is not justified. Only by doing so may we
enter the
21st century realizing the full potential of computers.
Appendix A
Ghana Computer Crime Law (Proposed)
Computer Crime Law
Computer Crime Law
In pursuance of the Provisional National Defense
Council
(Establishment) Proclamation 1981, this Law is hereby made:
1. Any person who, with intent to defraud,
(a) alters, damages, destroys or otherwise manipulates
data
or program stored in or used in connection with a computer,
or
(b) obtains by any means, information stored in a
computer
and uses it to his advantage or to another person's
advantage to
the disadvantage of any other person, or
(c) uses a computer
commits an offense.
Charge: Computer-related fraud.
ALTERNATIVE:
(1) A person commits an offense if that person
obtains
access to a computer program or data, whether
stored in
or used in connection with a computer or to a
part of
such program or data to erase or otherwise
alter the
program or data with the intention-
1. (a) of procuring an advantage for
himself or
another person: or
(b) of damaging another person's interests.
2. Any person who, by any means, without authority,
wilfully
destroys, damages, injures, alters or renders
ineffective
data stored in or used in connection with a computer
commits
an offense.
Charge: Damaging Computer data.
3. Any person who, without authority, knowingly uses a
computer
commits and offense.
Charge: Unauthorized use of a computer.
4. Any person who, without authority, knowingly gains
access to
a computer, computer network, or any part thereof
commits an
offense.
Charge: Unauthorized access to a computer.
5. Any person who, knowingly and dishonestly
introduces,
records or stores, or causes to be recorded,
stored or
introduced into a computer or computer network by any
means,
false or misleading information as data commits an
offense.
Charge: Insertion of false information as data.
ALTERNATIVE:
(5) A person commits an offense if, not having
authority to
obtain access to a computer program or data,
whether
stored in or used in connection with a computer,
or to
a part of such program or data, he obtains
such
unauthorized access and damages another
person's
interests by recklessly adding to, erasing or
otherwise
altering the program or the data.
6. Any person under a contractual or other duty to
introduce,
record or store authorised data into a computer
network, who
negligently or dishonestly fails to introduce,
record or
store, commits an offense.
Charge: Omission to introduce, record or store data.
ALTERNATIVE
(6) Any person under a contractual or other
duty to
introduce, record or store data into a
computer or
computer network who negligently or dishonestly
fails
to introduce, record or store, commits an offense.
7. Any authorised person who willfully or intentionally
allows
information from a computer to get into the hands
of an
unauthorised person who uses such information to
his
advantage commits an offense.
Charge: Allowing unauthorised person to use computer data.
8. A person guilty of an offense under this Law
shall be
liable:-
(a) on summary conviction, to imprisonment for a
term not
exceeding two years or to a fine not
exceeding the
statutory maximum or both; or
(b) on conviction on indictment, to imprisonment for a
term
not exceeding ten years or to an unlimited
fine, or
both.
9. A court in Ghana shall have jurisdiction to
entertain
proceedings for an offense under this Law, if at the
time
the offense was committed:-
(a) the accused was in Ghana; or
(b) the program or the data in relation to which
the
offence was committed was stored in or used
with a
or used
with
computer or computer network in Ghana.
computer network in Ghana.
10. In this Law, unless the context otherwise requires:-
"access" includes to log unto, instruct, store
data or
programs in, retrieve data or programs from, or
otherwise
communicate with a computer, or gain access to
(whether
directly or with the aid of any device) any data or
program.
"computer" includes any device which is
capable of
performing logical, arithmetical, classifactory,
mnemonic,
storage or other like functions by means of
optical,
electronic or magnetic signals.
"Computer network" includes the interconnection of
two or
more computers, whether geographically separated or in
close
proximity or the interconnection of communication
systems
with a computer through terminals, whether remote or
local.
"Computer program" includes an instruction or
statement or
series of instructions or statements capable of
causing a
computer to indicate, perform, or achieve any function.
"data" includes a representation in any form
whether
tangible or intangible that is capable of being stored
in or
retrieved by a computer.
ENDNOTES
1. Financial Times Limited (London) April, 1990.
2. See, infra, endnote 36 and accompanying text.
infra
3. Stoll, The Cuckoo's Egg (1990). [hereinafter Stoll].
The Cuckoo's Egg
4. Lyons, 13 Are Charged in Theft of Data from
Computers, New
York Times, August 17, 1990, B2, col. 3.
5. Although there is no set definition of a
computer
publication, it is created and published solely on a
computer.
Peretti, Computer Publications and the First Amendment
(1990)
(available at Princeton University FTP site and The
American
University Journal of International Law and Policy Office).
6. Dorothy Denning, The United States v. Craig
Neidorf
(available at The American University Journal of
International
Law and Policy office).
7. Schares, A German Hackers' Club that Promotes
Creative
Chaos, Business Week, Aug. 1, 1988, 71.
8. Barlow, Crime and Puzzlement: In advance of the Law
on the
Electronic Frontier, Whole Earth Review, Sept. 22, 1990, 44.
9. Kopetman, Computer Gave Them Bum Rap, Los Angeles
Times,
Los Angeles
Times
Jan. 10, 1991, at B1, col. 2.
10. See, J. Thomas McEwen, Dedicated Computer Crime Units
(19--)
See,
(stating how important computers have become to society).
In
1978 there were 5,000 desktop computers in the United
States. S.
Rep. No. 432, 99th Cong., 2d Sess. 2, reprinted in, 1986
U.S.
reprinted in
Code Cong. & Admin. News 2479, 2479. By 1986, this
number had
increased to about 5 million. Id.
Id.
11. See, S. 2476, Floor Statement by Senator Patrick Leahy.
12. See, Stoll at ___ (stating that all countries,
except
Albania, are connected via computer systems).
13. McEwen, Dedicated Computer Crime Units 1 (19--).
Another
_______________________________
definition used is the definition of computer crime was
"any
illegal act for which knowledge of computer
technology is
essential for successful investigation and prosecution".
Parker,
Computer Crime: Criminal Justice Resource Manual, (1989).
_________________________________________________
14. Conly, Organizing for Computer Crime Investigation
and
Prosecution, 6-7 (19--).
15. For instance, the estimated cost of the Internet
Worm, a
computer program created by Robert Morris, Jr. which shut
down
the Internet computer system, varies from $97,000,000
(John
McAfee, Chairman, Computer Virus Industry Association)
to
$100,000 (Clifford Stoll's low bound estimate).
Commitment to
Security, 34 (1989). It is difficult to determine
exactly the
cost of such crime because it is difficult to determine
what
should be included. The estimated downtime of a computer
due to
such activity could be used to determine the cost. This
may be
flawed, however, since it will not take into account how
much of
the down time actually would have been used. Electronic
Letter from Richard Stallman to Brian J. Peretti (Dec. 3,
1990)
(concerning computer crime).
16. Commitment to Security, 34. The average
facility,
consisting of 1,224 microcomputers, 96 minicomputers
and 10
mainframe computers, lost $109,000, 365 personnel hours
and 26
hours computer time loss per year. Id.
Id.
17. Id. at 23. 6 percent of incidents resulted in
prosecutions.
Id.
Id.
Id.
18. Id.
Id.
19. Only 1.5 percent of respondents to a National
Center for
Computer Crime Data used Anti-virus products in 1985. By
1988
this figure rose to 22 percent. By 1991, 53 percent of
the
respondents stated that they would be using anti-virus
software
by 1991. According to a Price Waterhouse survey in
Great
Britain, in 1985 26 percent installations spent
nothing on
security. Authers, Crime as a Business Risk-
Security/ A
Crime as a Business Risk-
Security/ A
Management as Well as a Technical Problem, Financial
Times
Management as Well as a Technical Problem
(London), November 7, 1990. By 1990 this figure had shrunk
to 4
percent and is expected to decline to 0 by 1995. Id. The
amount
Id.
spent on security for new systems has increased from 5
percent in
1985 to 9 percent by 1990. Id.
Id.
In Japan, less than 10 percent of groups that rely
heavily
on computers have taken measures to prevent virus
attacks.
Computer Users Fail to Protected Against Viruses. Although
Japan
Computer Users Fail to Protected Against Viruses.
does not have a computer crime law, there is a movement to
make
such a law. Computer Body Calls for Jail Sentences for
Hackers,
Computer Body Calls for Jail Sentences for
Hackers
Kyodo News Service, Nov. 15, 1990 (available from the
Nexis
library). The Japan Information Processing
Development
Association has stated that the new law should make the
crime
punishable of either one year of hard labor or a fine. Id.
Id.
20. The terms was first applied in 1984. Commitment to
Security,
34 (1989).
21. Ring, Computer Viruses; Once Revered as Hackers,
Technopaths
Threaten Security of Computer-Dependant Society,
Computergram,
July 7, 1989. Some of these viruses are extremely small,
e.g.
Tiny, which is 163 bytes, may be the smallest. Friday 13th
Virus
Alert, The Times (London), July 12, 1990.
22. Graggs, Foreign Virus Strains Emerge as Latest
Threat to
Foreign Virus Strains Emerge as Latest
Threat to
U.S. PCs, Infoworld, Feb. 4, 1991, 18. Viruses have
appeared
U.S. PCs
from Bulgaria, Germany, Australia, China and Taiwan. Id.
Some new
Id.
viruses include Armageddon, from Greece which attacks
through
modems and then dials to a talking clock in Crete, Liberty,
from
Indonesia, Bulgaria 50, which is thought to have come
from a
"laboratory" in Sofia, Victor, thought to originate in
the
U.S.S.R., the Joker, from Poland, which tells the user
that the
computer needs a hamburger, and Saturday the 14th,
presumed to
have been developed in South Africa, which destroys a
computer's
file allocation table. Id.
Some viruses also carry a message when they are
activated.
A virus that is though to have been developed by
students at
Wellington, New Zealand, tells the user that they have
been
"stoned" and requests that marijuana should be legalized.
Id.
Id.
Approximately 80 or 90 of the 300 viruses counted
for the
IBM personal computer originated in Bulgaria according to
Morton
Swimmer of Germany's Hamburg University Virus Test Center.
23. A report in La Liberation, a French newspaper, stated
that
La Liberation
computer viruses could be planted in French EXOCET
missiles to
misguide them when fired. La Liberation, Jan. 10,
1991,
reprinted in Klaus Brunnstein, Risks-Forum, vol. 10, iss.
78,
reprinted in
Jan. 22 1991 (available at American Journal of
International Law
and Policy Office).
24. A "trojan horse" is a program that does not seem
to be
infected, however, when used in a computer, the virus is
then
transferred the uninfected machine. On trojan horse
destroyed
168,000 files in Texas. Commitment to Security, 34 (1989).
25. Ring, Computer Viruses; Once Revered as Hackers,
Technopaths
Computer Viruses; Once Revered as Hackers,
Technopaths
Threaten Security of Computer-Dependent Society,
ComputerGram,
Threaten Security of Computer-Dependent Society
July 7, 1989.
26. Highland, One Wild Computer "Worm" Really Isn't a
Federal
One Wild Computer "Worm" Really Isn't a
Federal
Case, Newsday, Jan. 23, 1990, 51.
Case
27. Stoll, at 346. The amount of computers that were
actually
infected by the worm is still the subject of debate. Mr.
Stoll
estimates that 2,000 computers where infected, while the
most
commonly cited number is 6,000. Commitment to
Security, 34
(1989). The 6,000 estimate was based on an
Massachusetts
Institute of Technology estimate that 10 percent of the
machines
at the school were infected and was then inferred to the
total
number of machines across the country that were
affected.
General Accounting Office, Computer Security: Virus
Highlights
Need for Improved Internet Management, 17 (1989). This
number
may be inaccurate because not all locations had the same
amount
of vulnerable machines. Id.
Id.
28. For the first eight months of 1988, there
were 800
incidents concerning computer viruses. Commitment to
Security,
34. The Computer Virus Industry Association reported
that 96
percent of these reported infections were incorrectly
identified
as viruses. Id.
Id.
29. Robinson, Virus Protection for Network Users,
Washington
Post, Washington Business, p.44, Feb. 11, 1991.
30. Ross, Hacking Away at the Counterculture, 3
(1990)
(available at the American University Journal of
International
Law and Policy). On Saturday Night Live, during the news
update
segment, Dennis Miller stated, in comparing a computer
viruses to
the AIDS virus, "Remember, when you connect with
another
computer, you're connecting to every computer that
computer has
ever been connected to." Id.
Id.
31. Id. at 8-9.
Id.
32. Computer Virus Legislation, Hearing on H.R. 55 and
H.R. 287
before the Subcomm. on Criminal Justice of the House Comm.
on the
Judiciary, 100th Cong., 1st Sess. 49 (1989) (statement of
Marc
Rotenberg, Director, Computer Professionals for
Social
Responsibility). In Israel, Hebrew University used a
computer
virus to detect and destroy a virus that would have
destroyed
data files. Id.
33. Computergram International, October 14, 1990.
34.
35. Watts, Fears of Computer Virus Attack from East Europe
grow,
Fears of Computer Virus Attack from East Europe
grow
The Independent, November 24, 1990, p.6. On a trip to
Bulgaria,
a British computer consultant returned with 100 viruses
that do
not exist in the West. Id.
Id.
36. Id.
37. McGourty, When a Hacker Cracks the Code, The Daily
Telegraph
When a Hacker Cracks the Code
(London), October 22, 1990, p. 31.
38. The equipment would cost about 50 (British) pounds. Id.
Id.
39. Id. A British company, has stated that they have
developed
Id.
a glass that will reduce this problem. Tieman, Spy-Proof
Glass
to Beat the Hackers, The (London) Times, Jan 17, 1991.
A more recent problem concerns the ability of
computer
hackers to access into fax machines and either change or
reroute
information from the machine. Becket, Espionage fears
mounting as
Espionage fears
mounting as
hackers tap into faxes, The Daily Telegraph (London),
December 1,
hackers tap into faxes
1990, p. 23. This problem can be circumvented by the
use of
encryption devices or passwords on the machine. Id.
Id.
40. Stoll at 9. The word itself originally had two
meanings.
People originally called themselves hackers were software
wizards
who thoroughly knew computer systems. Id. In U.S. v.
Riggs, 739
U.S. v. Riggs
F. Supp. 414, 423 (N.D. Ill. 1990) the court defined
hackers as
"individuals involved with the unauthorized access of
computer
systems by various means." The New Hacker's Dictionary
defines
hackers as "A person who enjoys learning the
details of
programming systems and how to stretch their
capabilities, as
opposed to most users who prefer to learn only the
minimum
necessary." New Hacker's Dictionary, to be published
Spring,
1991.
Hacker has also been used in a non-evil sense with the
word
"cracker" taking the disreputable part of the word. In
this
light, hacker means "computer enthusiasts who `take
delight in
experimenting with system hardware, software and
communication
systems." and cracker meaning "a hacker who
specializes in
gaining illegal access to a system." One Wild Computer
`Worm'
One Wild Computer
`Worm'
Really Isn't a Federal Case, Newsday, January 23, 1990,
p.51.
Really Isn't a Federal Case
The typical hacker has been described as "a juvenile with a
home
computer who uses computerized bulletin board systems
for a
variety of illegal purposes. Conly, Organizing for
Computer
Crime Investigation and Prosecution, 8 (19--).
41. Sulski, How to Thwart Potential Saboteur, Chicago
Tribune,
How to Thwart Potential Saboteur
November 18, 1990, p.18.
42. Computerworld, December 3, 1990, p. 122. Kryptik, a
hacker
group, was stated as having planned to plant a virus
in a
telephone network on December 5, 1990. Id. It is
unclear,
Id.
however, if the virus actually was planted. Id.
Id.
43. Sulski, How to Thwart Potential Saboteur, Chicago
Tribune,
How to Thwart Potential Saboteur
November 18, 1990, p.18. Computer security experts state
that
the risk of having hacker break into your system is less
than
being burglarized or having a power outage due to lightning.
Id.
Id.
Errant opinion poll results have also been blamed on the
work of
hackers. Holdsworth, Hackers May Have Attacked TV
Poll
Hackers May Have Attacked TV
Poll
Computers-MP, Press Association Newsfile, May 4, 1990.
Computers-MP
44. Stoll, 312.
45. Id. This view is also shared by the editors of
2600, The
Id.
Hackers Quarterly. It is also held by these persons
that a
service is done to the computing community because
those who
break in to computer systems show the operators that their
system
is not strong enough and that it should be made stronger.
46. Stoll, at 354.
47. Mr. Stoll's computer was broken into by an
Australian
hacker who said he did so to show that Mr. Stoll's
security was
not good and that hackers are good because they show
where
security problems are in computer networks. Id. at 353-54.
He
Id.
rejected such arguments. Id.
Id.
48. Director, Computer Professionals for Social
Responsibility
49. Computer Virus Legislation, Hearing on H.R. 55 and
H.R. 287
before the Subcomm. on Criminal Justice of the House Comm.
on the
Judiciary, 100th Cong., 1st Sess. 26-27 (1989) (statement of
Marc
Rotenberg, Director, Computer Professionals for
Social
Responsibility). The Aldus peace virus, which displayed a
message
calling for peace and then disappeared without
damaging the
system itself, is an example of a virus which he believes
should
be protected. Id.
50. Commitment to Security, 34.
51. Stoll, 349.
52. "I can never understand why people think it is all
right to
run out of computer paper but not all right to be infected
with a
virus. The disruption is the same and it takes about the
same
amount of time to put matters right." Cane, Hygiene
See Off
Hygiene
See Off
Computer Viruses, Financial Times (London) October 14,
1989,
Computer Viruses
Section I, p. 24.
53. 18 U.S.C. 1030 (1988).
54. Ala. Code 13A-8-100 et.seq. (1990); Alaska
Stat.
Ala. Code Alaska
Stat.
11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985,
11.46.990
(1990); Ariz. Rev. Stat. Ann. 13-2301(E), 13-2316 (1990);
Cal.
Ariz. Rev. Stat. Ann.
Cal.
Penal Code 502 (West 1990); Colo. Rev. Stat.
18-5.5-101 et.
Penal Code Colo. Rev. Stat.
seq. (1990); Conn. Gen. Stat 53a-250 et. seq., 52-570b
(1990);
Conn. Gen. Stat
Del. Code Ann. tit. 11, 931 et seq. (1990); Fla.
Stat.
Del. Code Ann. Fla.
Stat.
815.01 et seq. (1990); Ga. Code Ann. 16-9-90 et seq
(1990);
Ga. Code Ann.
Haw. Rev. Stat. 708-890 et seq. (1990); Idaho Code
18-2201,
Haw. Rev. Stat. Idaho Code
2202 (1990); Ill. Ann. Stat. 15-1, 16-9 (1990); Ind.
Code
Ill. Ann. Stat Ind.
Code
35-43-1-4, 35-43-2-3 (1990); Iowa Code 716A.1 et.
seq.
Iowa Code
(1990); Kan. Stat. Ann. 21-3755 (1990); Ky. Rev. Stat.
Ann.
Kan. Stat. Ann. Ky. Rev. Stat.
Ann.
434.840 et. seq. (1990); La. Rev. Stat. Ann. 14(D)
71.1 et
La. Rev. Stat. Ann
seq. (1990); Me. Rev. Stat. Ann. chap. 15, tit. 17-A,
357
Me. Rev. Stat. Ann.
(1990); Md. Crim. Law Code Ann. Article 27 45A, 146
(1990);
Md. Crim. Law Code Ann.
Mass. Gen. L. ch 266, 30 (1990) see infra; Mich. Comp.
Laws
Mass. Gen. L. Mich. Comp.
Laws
28.529(1) et seq. (1990); Minn. Stat. 609.87 et seq.
(1990);
Minn. Stat.
Miss. Code Ann. 97-45-1 et seq (1990); Mo. Rev. Stat.
569.093
Miss. Code Ann. Mo. Rev. Stat.
et seq. (1990); Mont. Code Ann. 45-2-101,
45-6-310,45-6-311
Mont. Code Ann.
(1990); Neb. Rev. Stat. art. 13(p), 28-1343 et seq (1990);
Nev.
Neb. Rev. Stat.
Nev.
Rev. Stat. 205.473 et seq. (1990); N.H. Rev. Stat.
Ann.
Rev. Stat. N.H. Rev. Stat.
Ann.
638.16 et seq. (1990); N.J. Rev. Stat. 2C:20-1,
2C:20-23 et.
N.J. Rev. Stat.
seq., 2A:38A-1 et seq. (1990); N.M. Stat. Ann.
30-16A-1 et
N.M. Stat. Ann.
seq. (1990); N.Y. Penal Law 155.00, 156.00 et seq,
165.15(10),
N.Y. Penal Law
170.00, 175.00 (1990); N.C. Gen. Stat. 14-453 et seq
(1990);
N.C. Gen. Stat.
N.D. Cent. Code 12.1-06.1.01(3), 12.1-06.1-08 (1990); Ohio
Rev.
N.D. Cent. Code Ohio
Rev.
Code Ann. 2901.01, 2913.01, 1913.04, 1913.81 (Anderson
1990);
Code Ann.
Okla. Stat. tit. 21, 1951 et seq. (1990); Or. Rev.
Stat.
Okla. Stat Or. Rev.
Stat.
164.125, 164.377 (1990); Pa. Cons. Stat. 1933 (1990);
R.I.
Pa. Cons. Stat.
R.I.
Gen. Laws 11-52-1 et seq (1990); S.C. Code Ann.
16-16-10 et
Gen. Laws S.C. Code Ann.
seq (Law. Co-op 1990); S.D. Codified Laws Ann. 43-43B-1 et
seq.
S.D. Codified Laws Ann.
(1990); Tenn. Code Ann. 39-3-1401 et seq (1990); Texas
Code
Tenn. Code Ann. Texas
Code
Ann. tit 7 33.01 et seq. (Vernon 1990); 19 Utah Laws
76-6-
Ann. Utah Laws
701 et seq.; Va. Code Ann. 18.2-152.1 et seq. (1990);
Wash.
Va. Code Ann.
Wash.
Rev. Code Ann. 9A.48.100, 9A.52.010, 9A.52.110 et seq.
(1990);
Rev. Code Ann.
Wis. Stat. 943.70 (1990); Wyo. Stat. 6-3-501 et seq.
(1990).
Wis. Stat. Wyo. Stat.
55. Parker, Computer Crime: Criminal Justice Resource
Manual,
129 (1979).
56. McEwen, Dedicated Computer Crime Units, 60 (1989).
These
other laws include embezzlement, larceny, fraud, wire
fraud and
mail fraud. Id. at 60.
___
57. Pub. L. No. 98-473, 2102(a), 98 Stat. 1837, 2190
(codified
at 18 U.S.C. 1030).
58. S. Rep. No. 432, 99th Cong., 2d Sess., 1986
U.S. 2,
reprinted in, 1986 Cong. & Admin. News 2479, 2479.
reprinted in
59. Pub. L. No. 99-474, 2, 100 Stat. 1213 (amending 18
U.S.C.
1030).
60. 18 U.S.C. 1030(b).
61. 18 U.S.C. 1030(a)(1). The person must act
knowingly to
access a computer either without authorization or
exceeding the
authorization given and obtain information with the
intent or
reason to believe that the information will either
injure the
United States of American or give an advantage to a
foreign
nation. As seen by the placement of this section, it is
clear
that the Congress was particularity aware of the dangers
that
computer might have to the national security of the
United
States. This section parallels 18 U.S.C. 793, the
federal
espionage statute.
62. 1030(c)(1)(A).
63. 1030(c)(1)(B).
64. As defined by the Fair Credit Reporting Act, 15 U.S.C.
1681
et seq.
65. 1030(c)(2)(A).
66. 1030(c)(2)(B). The penalty is up to 10 years in
prison.
67. 18 U.S.C. 1030(a)(2).
68. 18 U.S.C. 1030(c)(2)(B).
69. 18 U.S.C. 1030(c)(2)(B).
70. The punishments that may be handed out are up to 5
years for
the first offense and 10 years for any subsequent offense.
71. 18 U.S.C. 1030(a)(5).
72. 18 U.S.C. 1030(c)(3)(A).
73. 18 U.S.C. 1030(c)(3)(B).
74. 18 U.S.C. 1030(a)(6).
75. As defined by 18 U.S.C. 1029.
76. 18 U.S.C. 1030(c)(2)(A).
77. 18 U.S.C. 1030(c)(2)(B).
78. 18 U.S.C. 1030(a)(6)(B).
79. 18 U.S.C. 1030(a)(6)(B).
80. These computers include computers used exclusively
for the
United States government or a financial institution or if
not
exclusively by the government one which the conduct of
the
computer affects the government's or the institution's
operation,
18 U.S.C. 1030(e)(2)(A), the computer is one of two or
more
computers that commit the offense, 18 U.S.C.
1030(e)(2)(A).
Financial institution is defined in 18 U.S.C. 1030(e)(4)
and
includes and institution whose deposits are insured by
the
Federal Deposit Insurance Corporation, 1030(e)(4)(A), the
Federal
Reserve or one of its members, 1030(e)(4)(B), a credit
union
insured by the National Credit Union
Administration,
1030(e)(4)(C), a Federal home loan bank system
member,
1030(e)(4)(D), institutions under the Farm Credit Act of
1971,
1030(e)(4)(F), a broker-dealer registered pursuant to 15
of the
Securities Exchange Act of 1934, 1030(e)(4)(F), or a
Securities
Investor Protection Corporation, 1030(e)(4)(G).
81. S. Rep. No. 432, 99th Cong., 2d Sess. 4, reprinted in,
1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2481.
82. Note, Computer Crime and The Computer Fraud and Abuse
Act of
1986, X Computer/Law Journal 71, 79, (1990).
83. 18 U.S.C. 1030 (e)(2) states:
As used in this section-
(2) The term "Federal interest computer" means a
computer-
(A) exclusively for the use of a financial
institution
or the United States Government, or, in the case of a
computer
not exclusively for such use, used by or for a
financial
institution or the United States Government and the
conduct
constituting the offense affects the use of the
financial
institution's operation or the Government's operation of
such
computer; or
(B) which is one of two or more computer used
in the
committing the offense, not all of which are located in the
same
state.
84. "[T]here is not statute specifically addressing
viruses."
135 Cong. Rec. E2124 (daily ed. June 14, 1989) (letter of
Rep.
Cong. Rec. E2124
Herger (quoting FBI Director William Sessions)).
85. H.R. 287 and H.R. 55.
86. "Existing criminal statues are not specific on the
question
of whether unauthorized access is a crime where no
theft or
damage occurs . . ." 135 Cong. Rec. E2124 (daily ed.
June 14,
Cong. Rec.
1989) (letter of Rep. Herger (quoting FBI Director
William
Sessions)).
87. Prosecution could occur under a trespass law. It may
not be
applicable, however, since trespass is a property based
crime and
courts have not recognized information in the same manner as
real
property.
88. Note, Computer Crime and The Computer Fraud and Abuse
Act of
1986, X Computer/Law Journal 71, 80 (1990).
89. Id.
Id.
90. Shalgi, Computer-ware: Protection and Evidence, An
Israeli
Computer-ware: Protection and Evidence, An
Israeli
Draft Bill, IX Computer/Law J. 299, 299 (1989)
[hereinafter
Draft Bill Computer/Law J.
Shalgi]. This proposed bill has not progressed much since
it was
proposed and is at the stage prior to an official "bill".
Letter
from Barry Levenfeld to Brian J. Peretti (December 13,
1990)
(concerning Israel's legislature progress on the
comprehensive
computer law). This paper will use the Shalgi
English
translation of the law.
91. Chapter 2 concerns Offenses and Accessing Computers,
Chapter
3, Damages, Chapter 4, Rights of Software Creators and
Chapter 5,
Evidence. Levenfeld, Israel Considers Comprehensive Computer
Law,
Israel Considers Comprehensive Computer
Law,
Int'l Computer L Advisor 4 (March 1988). The topics
covered in
Int'l Computer L Advisor
Chapters 2 through 5 are beyond the scope of this paper.
92.
93. Shagli, at 311.
94. Chapter 2, 2, Shagli at 311.
95. Chapter 2, 3(a), Shagli at 311. An employee is
exempt if
he commits this act when it was due to a strike
concerning a
labor dispute. Chapter 2, 3(b), Shagli at 311.
96. Chapter 2, 4(a).
97. Chapter 2, 4(b), Shagli at 311.
98. As defined by Chapter 1, 1.
99. Chapter 2, 5, Shagli at 311.
100. Chapter 2, 6, Shagli at 312.
101. Chapter 2, 7, Shagli at 312.
102. Chapter 2, 9, Shagli at 312.
103. Id.
Id.
104. Chapter 2, 10, Shagli at 312.
105. By not stating that this also applies to
individuals or
others (non-corporations) who are attempting to supply
services
to the public, some important services that may be offered
to the
public may not be done. Levenfeld, 8, translates the
word
corporation as entities which may solve the problem.
106. Shalgi, 312. Levenfeld, 5, states that since this
section
is so broad the only possible areas that are not
covered are
personal and academic uses.
107. Chapter 2, 14, Shagli at 313.
108. Section 5.
109. Levenfeld, 4-5. Perhaps the only computers not
covered
would be those used for personal or academic uses
exclusively.
Id. at 5.
Id.
110. Section 5.
111. Levenfeld, 4-5. Perhaps the only computers not
covered
would be those used for personal or academic uses
exclusively.
Id. at 5.
Id.
112. Levenfeld at 4.
113. Shalgi, 305.
114. See, Computers at Risk, Safe Computing in the
Information
Age, 36 (1991) (discussing the need for a repository to
gather
computer crime information).
115. Chapter 2, 12, Shagli at 313.
116. New Hacker's Dictionary.
117. Chapter 2, 13, Shagli at 313. The law states that
if the
owner of the computer is not given in his presence, the
order is
only good for twenty-four hours. Id.
Id.
118. Shagli, at 304. Under Israeli law, an object that
may be
proof of an offense may be seized without a court order.
Id. The
Id.
law will bring the seizure of computers in accord with the
United
States Constitution's sixth Amendment.
119. Chapter 1, 1, Shagli at 310.
120. Alexander, Suspect Arrested in AIDS Disk Fraud
Case,
Suspect Arrested in AIDS Disk Fraud
Case
Computerworld, Feb. 5, 1990, 8.
121. Colvin, Lock up the Keyboard Criminal,
Telecommunications
PLC (England), June 1990.
122. Computer Misuse Act, 1990, ch. 18.
123. In the five years prior to the adoption of the Act,
there
were 270 cases of computer misuse in Britain of which
only six
were brought to court and only 3 resulting convictions.
Fagan,
Technology: EC urged to strengthen laws on computer
crime, The
Technology: EC urged to strengthen laws on computer crime
Independent (London), February 13, 1990, p. 19.
124. Id.
Id.
125. Davies, Cracking down on the computer hackers, Fin.
Times
Cracking down on the computer hackers
(London), October 4, 1990.
126. Law Commission No. 186, Cm 819.
127. Computer Misuse Act, 1990, ch. 18, 1.
128. The penalty for this type of behavior is up to six
months in
prison, 2000 pounds or both.
129. Computer Misuse Act, 1990, ch. 18, 2(1)(a).
130. Computer Misuse Act, 1990, ch. 18, 2(1)(b).
131. Computer Misuse Act, 1990, ch. 18, 2(5)(a).
132. Computer Misuse Act, 1990, ch. 18, 2(5)(b).
133. Computer Misuse Act, 1990, ch. 18, 3(1).
134. Computer Misuse Act, 1990, ch. 18, 3(7).
135. Computer Misuse Act, 1990, ch. 18, 3(2).
136. Computer Misuse Act, 1990, ch. 18, 3(5).
137. Id. Colvin, Lock up the Keyboard
Criminal ,
Id.
Telecommunications PLC (England), June 1990.
138. Computer Misuse Act, 1990, ch. 18, 4.
139. Computer Misuse Act, 1990, ch. 18, 4(1).
140. 5(2) states that a significant link under 1 can be
(a) the
person was in Great Britain at the time in which he
caused the
computer to act in a certain way or (b) the computer he
attempted
to get access to was in Great Britain. 5(3) states
that a
significant link under 3 can be (a) that the person was
Great
Britain at the time when he did the act or (b) the
modification
took place in Great Britain. However, this may not an
exhaustive
list.
141. Davies, Cracking down on the computer hackers, Fin.
Times
Cracking down on the computer hackers
(London), October 4, 1990.
142. Computer Misuse Act, 1990, ch. 18, 5.
143. Although proposed on February 14, 1989, the proposed
bill
has not yet become law.
144. Appendix A, 10.
145. Appendix A, 1.
146. Appendix A, 1, alternative.
147. Appendix A, 2.
148. Appendix A, 3.
149. Appendix A, 4.
150. Appendix A, 5.
151. Appendix A, 7.
152. The Ghana Law Reform Commission states that they
created
their proposed law from the Scottish Law Commission and
the Law
Reform Commission of Tasmania, Australia reports on
computer
crime.
153. Appendix A, 9(a).
154. Appendix A, 8(b).
155. See, infra, endnote __ and accompanying text.
infra
156. Appendix A, 9(a).
157. Appendix A, 9(b).
158. Appendix A, 10.
159. Appendix A, 6.
160. Id.
Id.
161. Appendix A, 7.
162. Appendix A, 1.
163. Appendix A, 10.
164. Id.
Id.
165. Id.
Id.
166. The first computer crime law in the United States
was
enacted in 1979.
167. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in
1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2481.
168. By increasing security, the ease with which one can
enter
the system will become more difficult. Some systems,
believing
that if such unauthorized access does occur that no
sensitive
information will be stolen, opt to have less security then
other
systems. In actuality, by one system not having enough
security,
the entire network can be put at danger when a mischievous
user
wishes to break into a users account which may be
accessed by
that system. See Stoll, 353-54 (stating an Australian
hacker
broke into Mr. Stoll's computer account because a
connected
computer's system manager did not wish to have a high
level of
security.
169. Stoll, 32. Many military computers and
sensitive
scientific computers operate in a secure environment.
This is
created by not allowing the computer system to have any
telephone
links to the outside world (i.e. outside of the building.
170. By having a secure system, information at the computer
site
can only be removed by a person walking into the computer
center,
copying the information and then walking out with it.
This is
both burdensome (it is much easier to access the computer
from
one's home or office) and cumbersome (since a person will
have to
walk around with reels of data that will later be put back
into
the system.
171. Computer Virus Legislation, Hearing on H.R. 55 and
H.R. 287
before the Subcomm. on Criminal Justice of the House Comm.
on the
Judiciary, 100th Cong., 1st Sess. 44, n. 27 (1989)
(statement of
Marc Rotenberg, Director, Computer Professionals for
Social
Responsibility).
172. Colvin, Lock up the Keyboard Criminal,
Telecommunications
Lock up the Keyboard Criminal
PLC (England), June 1990, p. 38. Michael Colvin, the
author of
Great Britain's Computer Misuse Act stated that the
passage of
the bill should not be looked at that the computer owner
should
not have security measures on their computers. Id. The
bill, he
Id.
states, was made only to compliment, not substitute, the
users
security measures. Id. In West Germany, the severity
of the
Id.
punishment for hacking depends on the effort that was
required to
commit the offense. Fagan, Technology: EC urged to
Strengthen
Technology: EC urged to
Strengthen
Laws on Computer Crime, The Independent, Feb. 13, 1990, 19.
Laws on Computer Crime
173. McGourty, When a hacker cracks the code, The
Daily
When a hacker cracks the code
Telegraph, October 22, 1990, p. 31.
174. A Password is a word that is either given to the
user by
the system or selected by the user to prevent others
from
accessing his computer or account within the computer.
This
words, groups of letters or symbols are supposed to be
kept
secret so as to not let other who are not authorized to
access
the system have access to it.
175. Donn Seeley, A Tour of the Worm, Department of
Computer
_____________________
Science, University of Utah, Nov. 1988, reprinted in
General
reprinted in
Accounting Office, Computer Security: Virus Highlights
Need for
Improved Internet Management, 20 (1989).
176. Authers, Armed with a secret weapon, Financial
(London)
Times, Feb. 5, 1991, Section I, 16.
177. Id.
178. For a discussion of this virus, see, Branscomb,
Rogue
see
Rogue
Computer Programs and Computer Rogues: Tailoring the
Punishment
Computer Programs and Computer Rogues: Tailoring the
Punishment
to Fit the Crime, 16 Rutgers Computer & Tech. L.J.
1, 14-16
to Fit the Crime _______________________________
(1990) (discussing the applicability of state and federal
law to
computer viruses).
179. Jim Thomas, publisher of the Computer Underground
digest
argues that computer pirates actually buy more programs
then the
average computer program buyer. Letter from Jim Thomas to
Brian
J. Peretti ( (discussing computer pirating of software)
180. See, GNU Manifesto (available at American University
Journal
of International Law and Policy). See also, Stallman, GNU
EMACS
See also,
General Public License, (Feb. 11, 1988) (available at
American
University Journal of International Law and Policy).
181. The GNU Manifesto (available at the American
University
Journal of International Law and Policy).
182. The author proposes that such copyright protection
last for
only two years. By granting the creator such protection
for a
short period of time, he will be able to recover the
expenses
that he put into the writing of the program.
If this type of protection is granted, it
should be
understood that the creator of the program has a copyright
to the
sourcecode of the program for that period. If he updates
the
program after the two year period, the updated code
will be
protected, but the original code will not be granted
the
protection. In this manner, an author cannot attempt to
give
copyright protection to a program after the copyright
has
expired.
183. Electronic letter from Brian J. Peretti to Dorothy
Denning
(Nov. 13, 1990) (concerning computer crime).
184. This will be a semi-secure system.
185. The system, of course, will have a system manager who
will
create the accounts for the users. His account will be
off
limits to those who wish to use the system. At the same
time,
individuals will be encouraged to attempt to break into
the
manager's account and tell him how it was done in
order to
improve security for this and other systems.
186. The problem still exists that information learned
through
the use of this system may allow those who use the
system to
break into other computer systems. This problem can be
corrected
by having the system manager and the users communicate
problems
with the system so that they may be corrected on other
systems.
187. United States v. United States Gypsum Co., 438 U.S.
422, 425
(1978).
188. S. Rep. No. 432, 99th Cong., 2d Sess. 6, reprinted in
1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2484.
189. Stoll, The Cuckoo's Egg.
190. The countries which a person can go to could be any
country
in the world, except Albania, since they are the only
country
whose computers are not connected to outside computers.
Stoll.
191. A school in Red Bank, New Jersey, has instituted a
"computer
responsibility training". Weintraub, Teaching Computer
Ethics in
Teaching Computer
Ethics in
the Schools, The School Administrator 8, 9 (apr. 1986).
the Schools, ________________________
192. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in
1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2481.
193. Electronic Mail Letter from Rop Gonggrijp to
Brian J.
Peretti (Jan. 25, 1991) (concerning computer viruses). "We
have
to watch that we keep telling people how virusses work,
because
that is the only solution to the problem: mystifying the
whole
thing ans just hunting down "computer terrorists" is
useless and
(as proven in the US and Germany) leads to a questionable
style
of government in the field of information technology..." Id.
Id.
194. General Accounting Office, Computer Security:
Virus
Highlights Need for Improved Internet Management, 25 (1989).
0 Comments:
Post a Comment