With the advent of the
computer age, legislatures have been struggling to redefine the law to fit crimes
perpetrated by computer age criminals. Although copyright law is effective for
civil litigation, many computer crimes resemble more traditional offenses such
as trespass and theft. In 1978, Florida became the first state to pass criminal
statutes specifically directed towards computer crime, an act quickly followed
by all other states.1 However, computer crimes remain an enigma.
A Lexis search of all jurisdictions reported only thirty-six published opinions
mentioning computer crimes, and half of those were cases addressing separate
legal issues.2 Yet, the government estimates that over $500 million
a year is lost due to specific computer crimes.3 With the advent
of the internet and the ease of telecommunications many potential computer crimes
have moved beyond the jurisdiction of individual states. The Federal Government
must now shoulder the burden of enforcement and prevention. Although existing
federal statutes enable prosecution of computer crimes, these statutes have
proven inadequate. This paper examines the weakness in federal legislation used
for computer crime, the inadequacies of states to fully enforce computer crimes,
and suggests a union of state law and federal jurisdiction as a possible solution.
I. The Inadequacy of
The Computer Fraud and
Abuse act of 19864 (CFAA) was intended to be the chief weapon for
a federal assault on computer crimes. The statute criminalizes six activities:
(1) the unauthorized access of a computer to obtain information of national
secrecy with an intent to injure the United States; (2) the unauthorized access
of a computer to obtain protected financial information; (3) the unauthorized
access of a computer intended for the exclusive use of the federal government;
(4) the unauthorized interstate access of a computer system with an intent to
defraud; (5) the unauthorized interstate access of computer systems that results
in at least $1000 aggregate damage; and (6) the fraudulent trafficking in computer
passwords affecting interstate commerce.5 However, CFAA is rarely
used and has received little attention from Federal prosecutors.
Since its enactment, there
has been one successful prosecution under CFAA. In 1991, the Second Circuit
upheld the conviction of a college graduate student who released a virus on
the internet causing several governmental computer systems to crash.6
The court refrained from a broad interpretation of CFAA, and instead limited
their scope to discussing the intent requirement in the statute. Although the
Circuit Court upheld the conviction, the court's narrow construction has limited
CFAA for future prosecution.
The weakness in CFAA results
from Congress' original purpose to narrow the statute to fraud and abuse only
against the federal government. Although the act also criminalizes unauthorized
interstate access of computer systems, this section only encompasses cases involving
"federal interest computers," which are defined specifically in the
act.7 Congress wanted to allow the states more leeway in enforcing
state criminal statutes, but failed to comprehend the exponential increase in
private interstate computer activity. Even if CFAA is construed broadly by another
court, the $1000 minimum damage amount in subsection (5) will force prosecutors
to estimate the worth of various forms of intellectual property, a problem already
evident under other criminal statutes. Stealing confidential information, such
as prospective business plans or personal information, may have incredible subjective
value, but worth little to an uninterested party. Because of its narrow scope,
prosecutors have avoided CFAA, and instead relied on the more effective, Wire
Fraud Statute and the National Stolen Property Act.
The Federal Wire Fraud
Statute proscribes the use of wire communications in interstate or foreign commerce
to further a scheme to defraud.8 A scheme to defraud is wronging
one in his property rights by dishonest methods or schemes, usually through
depriving someone something of value by trick, deceit, chicane, or overreaching.9
While the statute has been used for computer crimes, the application is often
One of the first cases applying computer crime to the Wire Fraud Statute was United States v. Seidlitz.10 In Seidlitz, the defendant helped prepare software developed for a government project in Maryland. Following his resignation, Seidlitz later downloaded software from the project by breaking into the government's security system.11 The court upheld the government's theory that the defendant had devised a scheme to defraud in obtaining the software. According to the court, the scheme was based on Seidlitz defrauding the government's computer--there were no individuals being defrauded.
In a more recent case,
United States v. Riggs12, two students broke into a computer
owned by Bell South Telephone in order to steal emergency services software.
One of the students accessed the computer through the phone lines, acquired
the software, and then disguised his unauthorized access by using account codes
of current employees. He then transferred the code through modem to another
state where his accomplice edited the code to conceal its origin and published
the text in a computer newsletter. Similar to Seidlitz, the government
proved that the two defendants had devised a scheme to defraud by downloading
information, rather than defrauding individuals.
Wire Fraud has also been
used where the perpetrators never even physically or electronically acquired
the property. In United States v. Schreier, the defendant schemed to
acquire airplane tickets through American Airlines by fraudulently rearranging
frequent flyer miles through the airline's computer system. The court held that
the Wire Fraud Statute does not require that the defendant actually acquire
the property, only if any person actually obtains the property. Furthermore,
because of the fraud, American Airlines now had an economic liability -they
owed someone a free ticket.13 In this case, the information was merely
transferred from one account to another, yet the defendant never actually received
the tickets. Schreier seems to follow the same logic of well settled
law that fraudulently obtaining money through electronic transfers is wire fraud.14
Thus, the holding may limit prosecution under wire fraud where property has
no objective tangible value, but is still valuable to the owner.
Establishing the concept
of property for computer code as applied to the Wire Fraud Statute, has raised
some serious questions in the courts. Most notably, whether or not the information
stolen was something of value or was something tangible. When someone steals
software from a computer system, the thief only acquires a copy, thus they are
not depriving the owner of title to the information, only the rights to sole
ownership and possible future profits.15 Both Riggs and Seidlitz
concerned information of value, and the defendants had intent to use the information
for profit. Consequently, if fraudulently acquiring property has no economic
gain or loss to the parties, Wire Fraud may be unusable.
The Supreme Court has yet
to rule on the applicability of the Wire Fraud Statute to computer crimes, but
has addressed the issue of pure intellectual rights in Mail Fraud. In United
States v. McNally16, the court held that mail fraud is limited
to schemes aimed at causing deprivations of money or property. A few months
later, the court modified its reasoning in United States v. Carpenter17,
ruling that there is a property interest if the scheme deprives one of "exclusive
use" to their information. These contrasting opinions predict an unclear future
for defining intangible property rights in Wire Fraud. Craig M. Bradley argues
that future cases may require an economic gain to the defendant or economic
loss to the victim.18 Bradley points out that if "exclusive
use" is the standard, "exclusive use" may be violated without
any clear scheme to defraud. For example, if the defendant in Carpenter
were to come home and explain to his family about the article he was going to
write, he would still be depriving his employer of exclusive use over the article.
However, the loss of confidential information is only a deprivation of a property
interest if the loss threatens the victim with economic harm.19 Bradley
argues that to maintain consistency in the law, an economic interest must be
a requirement for fraud.20 The Sixth Circuit agreed with Bradley's
reasoning. In a subsequent case, the Circuit Court interpreted McNally
and Carpenter as limiting Mail Fraud to schemes that have as their goal
the transfer of something of economic value to the defendant.21
Requiring an economic gain
or loss in Wire Fraud will limit the statute's application to some computer
crimes. If a thief downloaded a personal journal from another computer, the
journal will probably not have any economic value to the defendant or victim,
yet the act is still criminal. Downloading a personal journal without consent
is theft, just as stealing a journal from a desk is theft. However, the actual
journal has real property value in its pages and binding, while the computer
version has none.
Additionally, the traditional
notion of fraud seems to exclude some computer crimes. Congress' original intent
with Mail Fraud contemplated wronging one in his property rights by dishonest
methods or schemes.22 With common law theft, however, there is no
dishonesty to another party before acquiring the property-the property is merely
taken without consent. Downloading computer information without authorization
seems to resemble theft more then fraud, while breaking into a computer system
resembles trespass more than a scheme to defraud. Even though simple trespass
and theft may fit into Wire Fraud, a court would probably not find a scheme
to defraud if the defendant in Riggs had only planned the scheme through
electronic mail and then physically picked the lock at Bell South to steal certain
documents. In response to maintaining a tighter fit between traditional theft
and computer theft, federal prosecutors have attempted to use the National Stolen
Property Act as a basis for conviction.
The National Stolen Property
Act (NSPA) criminalizes interstate transportation of stolen or fraudulently
obtained property in excess of $1000.23 The Riggs court also
convicted the defendants under NSPA. However, the classification of intangible
property is in more jeopardy under NSPA than Mail Fraud. The Supreme Court suggested
in United States v. Dowling, that NSPA does not apply to the taking of
purely intangible property.24 Riggs distinguished Dowling
on the ground that the Supreme Court never construed the meaning of "goods,
wares or merchandise." The court noted that NSPA literally applied to theft
of a tangible medium where intangible property was attached to it, such as a
chemical formula written on a piece of paper. The court then reasoned that using
a modem to steal the information, rather than taking an actual data disk or
printout, should be no different - even though the information was stored inside
a computer rather than on a disk, it was still "transferable and accessible."25
The 10th Circuit disagreed with Riggs. In United States v. Brown,
the Circuit Court held that stolen computer software did not constitute goods,
wares, or merchandise as applied under NSPA.26 However, the Brown
interpretation allows inequitable results by punishing theft differently depending
on the worth of physical property. For example, if X uses his own diskette to
steal a computer file worth $ 1000, and Y steals a diskette worth $ 1 containing
a file worth $ 999. Under Brown, X may be prosecuted under the NSPA for
theft of $ 1000 worth of property, while Y may not be prosecuted under the NSPA
at all. Yet, both acts result in the same economic loss. The battle between
the Riggs and Brown view is not over, and further differences
in interpretation will only lead to a complete abandonment of using NSPA for
Another area that both
NSPA and Wire Fraud fail to cover is the viewing of computer data. If someone
breaks into a computer system and then views certain information, such an act
is still criminal and can be equally effective at obtaining wanted information-
just as if Riggs had broken into South Bell and looked through file cabinets,
rather than physically stealing the files. Although crimes of this type may
fall under other areas, common law trespass would be more effective, since the
more obvious criminal act is breaking into the computer system, not defrauding
The use of NSPA has been
more sparse then Wire Fraud in prosecuting computer crimes, and like Wire Fraud,
will continue to challenge federal prosecutors and courts in fighting computer
crime. However, the federal government is not alone in fighting computer crime,
states have also enacted statutes addressing this new technology. Although state
laws attack computer crimes in more practical ways, they carry a heavier burden
II. The Inadequacy of
State Jurisdiction and Resources
State statutes are generally
more practical in fitting computer crime with other traditional statutess.
Some academics argue that state law is currently adequate to handle computer
crime and that further federal legislation is unnecessary.27 In reality,
states do not have to enact specific computer crime law - defining property
rights and other computer lingo may be enough to use existing statutes against
theft, destruction of property, and trespass for prosecution.28 However,
as the internet continues to expand and crimes continue to become more interstate,
state legislation will be less effective. Determining proper venue for the crime
is bound to become an issue. Only one published case has ruled on venue from
county to county in the same state, but none has specifically addressed jurisdiction
between sovereigns.29 Furthermore, contrasting laws between states
pose greater problems. For example, if a casino in Las Vegas decided to run
a roulette wheel through the internet so users could play live - using their
credit cards as money, the casino may escape liability. The gambling operation
is perfectly legal in Nevada, while illegal under Wisconsin law. In Wisconsin
the gambler can be prosecuted, because state law only requires that a "bet"
be made.30 Prosecuting the Las Vegas casino in Wisconsin is another
difficulty, yet the casino is clearly criminal by an extension of their gambling
into Wisconsin through the internet. Furthermore, Wisconsin officials will be
inhibited at stamping out casino gambling, since prosecuting every individual
is more difficult and less effective than prosecuting the source of the gambling.
Criminal conduct originating out of state carries a greater burden of prosecution
due to extra travel, availability of witnesses, and accessibility to information.
In an era of budget limitations, state legislatures may be unwilling to cough
up additional resources for interstate crime, especially if they see interstate
computer crime as a federal issue.
State courts may also be
ineffective. Computer technology is often difficult to understand and it is
important to consider the ramifications for setting precedent in computer law.
Because federal judges are sparse and have smaller case loads, they will be
more able to envision the national scope of computer crime. A unified law makes
prosecution more efficient and more likely, thus also increasing deterrence
for future computer criminals.
will continue to haunt prosecution of computer crimes as long as state statutes
remain diverse. Problems such as difficulty in proving venue and extraditing
criminals will only lead to some criminals escaping the law due to inadequate
resources. The expanding scope of private interstate computer crime clearly
points to the federal government as the ultimate enforcer. However, Congress
first needs to learn from the states in enacting proper statutes that attack
computer crimes more traditionally and more vigorously. The next section suggests
a union between these two issues: federal jurisdiction and state law.
III. Combining State
and Federal Strengths through Federal Legislation
To enable more diligent
prosecution of computer crimes, Congress must rehabilitate federal computer
crime law. Current manipulation of Wire Fraud, a narrow vision of CFAA, and
contrasting opinions of property value in the National Stolen Property act only
serve to inhibit the government in successful prosecution of serious crimes.
First, Congress must address all possible crimes that may be committed interstate
through a computer. Although crimes such as theft and trespass are usually considered
local crimes, computer activity elevates these crimes to an interstate level
- legislation should handle them at an interstate level. To supersede state
criminal statutes, federal statutes should address all traditional state crimes
applicable to computer activity limiting the crimes to computers so as not to
usurp other areas state jurisdiction.31 Allowing prosecutors to charge
crimes more relevant to actual conduct will limit the potential for absurd charging
decisions and confusing precedent. Furthermore, federal attention to computer
crimes will assure jurisdictional certainty and will relieve states from the
burdens of complex investigation and extradition of those who may reside in
Federal agents are better
equipped to investigate interstate computer criminals. In addition to the vast
technical resources of the federal government, there are government agents in
every state, reducing the overhead cost of investigating interstate crime. If
a crime is committed in Wisconsin by a casino in Las Vegas through the internet,
federal agents in Nevada are in a better position to respond more quickly and
more effectively than Wisconsin investigators.
Furthermore, to gradate
crimes of damage and theft for sentencing requirements, confusing damage assessments
must be amended to allow alternatives. Because estimating the actual worth of
intellectual property is controversial, much time and resources will be spent
on judging the worth of property stolen or damaged. Instead, a sentencing structure
could be gradated based on the number of bytes transferred or destroyed in addition
to monetary thresholds. For example, the threshold for theft of computer property
at level 1 in the federal guidelines could be $100 or 100 kilobytes, subject
to the prosecutor's choice.
In addition to federal
legislation, the reporting of computer crime must be encouraged. One method
may be federal regulation of computer security requirements and diligent reporting
of criminal activity to insurance companies. However, regulation may not be
necessary. As losses continue to rise because of computer fraud and theft, insurance
companies may demand more security, and reports of crimes from clients in exchange
for more coverage and lower rates.
As the climate of interstate
computer use continues to change, the law needs to adapt. Current federal statutes,
such as the Computer Fraud and Abuse Act, Wire Fraud, and the National Stolen
Property Act, are inadequate to handle what should be more typical state law
crimes of trespass and theft. While state statutes remain more practical, their
effectiveness is limited to state jurisdiction and state resources. Federal
legislation encompassing state computer crime statutes will overcome the difficulties
existing in current federal legislation, However, with the advent of new technologies
such as artificial intelligence, computer crime legislation is bound to encounter
new roadblocks. If current law is unsettled, future law will be disastrous.
1 Fla. Stat.
2 Lexis search done on 5/2/95 for all state and federal courts using "Computer Crime" as a search key
3Dierks, Michael P. "Computer Network Abuse," 6 Harv. J.Law and Tech 307, 319.
4 18 U.S.C. §1030.
5 Id. at §1030(a)(1)-(a)(6).
6 United States v. Morris, 928 F.2d 504 (2nd Cir. 1991).
7 18 U.S.C. §1030(e)(2).
8 18 U.S.C. §1343.
9 United States v. McNally, 483 U.S. 350, 358 (1987).
10 589 F.2d 152 (4th Cir. 1978), cert. denied, 441 U.S. 922 (1979).
11 To "download" means to acquire information electronically through the telephone lines or remotely from a separate computer.
12 739 F.Supp 414 (N.D. Ill. 1990),
13 908 F.2d 645 (10th Cir. 1990), cert. denied, 111 S. Ct. 787 (1991).
14 See United States v. Kroh, 896 F2d 1524 (1990); United States v. Lagerquist, 820 F.2d 969 (8th Cir. 1987); United States v. Levy, 579 F.2d 1332 (5th Cir. 1978).
15 See U.S. v. Prows, 1995 U.S. App. LEXIS 6548, 16 (The court found Wire Fraud in that fraudulently obtaining software from the Wordperfect company with intent to sell deprived the company of software, and indirectly of profits
16 107 S.Ct., 2875, 2881 (1987).
17 108 S.Ct. 316, 320 (1987).
18 Bradley, Craig M. "The Essence of Mail Fraud" 79 J. Crim. L. 573.
19 International News Service v. Associated Press, 248 U.S. 215, 236 (1918).
20 Bradley, 79 J. Crim. L. 573, 581..
21 United States v. Baldinger, 838 F.2d 176 (6th Cir. 1988).
22Bradley, 79 J. Crim. L. 573, 581.
23 18 U.S.C. §2314.
24 110 S.Ct. 669 (1990).
25 Riggs, 739 F.Supp. at 421.
26 925 F,2d 1301, 1308 (10th Cir. 1991).
27 Dierks, Michael P. "Computer Network Abuse" 6 Harv. J. Law and Tec 307.
28 Wisconsin provides a good example of statutory language that avoids the use of fraud as an element. "Whoever willfully, knowingly, and without authorization (1) Modifies data; (2) Destroys data; (3)Access data; (4) takes possession of data; (5) copies data; (6) discloses access codes. Wis. Stats. §943.70(2)(b)(1-6). See also Minn. Stat. 609.89 for statutes that resemble traditional common law crimes.
29 The Pennsylvania Supreme Court held that "venue may lie at the location of the central computer" Commonwealth v. Katsafanas, 464 A.2d 1270 (Penn. 1982).
30 Wis. Stats. §945.02
31 Wisconsin provides a good example of statutory language that would work well on the federal level "Whoever willfully, knowingly, and without authorization (1) Modifies data; (2) Destroys data; (3)Access data; (4) takes possession of data; (5) copies data; (6) discloses access codes. Wis. Stats. §943.70(2)(b)(1-6)
Composed by Jeff Sloan - email firstname.lastname@example.org