Computer Crime:
Current Practices, Problems and Proposed Solutions
Second Draft
Brian J. Peretti
It would have been surprising if there had been satisfactory
road traffic legislation before the invention of the wheel, but
it would also have been surprising if the law on the passage of
laden donkeys proved entirely satisfactory when applied to
vehicles.1
I. Introduction
Within recent years, computer crime has become a
preoccupation with law enforcement officials. In California, a
group of West German hackers2 using phone lines and satellite
hookups, gained unauthorized access into civilian and military
computers and stole sensitive documents that were sold to the
Soviet Union.3 A young New York programmer broke into a
Washington computer to run a program that he could not run from
his personal computer.4 After Southeastern Bell Stated that a
document published in an electronic publication5 was valued at
more than $75,000 the publisher was arrested and brought to trial
before the discovery that the document could be publicly bought
from the company for $12.6 The Chaos Computer Club, a Hamburg,
Germany, club, went into government computers and access
information and gave it to reporters.7 In May, 1988, the United
States government launched Operation Sun Devil, which lead to the
seizure of 23,000 computer disks and 40 computers.8 In
addition, poor police performance9 has also been blamed on
computers.
Since its creation, the computer has become increasing
important in society.10 The law, as in the past, has not been
able to evolve as quickly as the rapidly expanding
technology.11 This lack of movement on the part of governments
shows a lack of understanding with the area. The need to create
a comprehensive regulation or code of ethics has become
increasing necessary.
Due to the nature of computer systems and their
transnational connections through telephone lines12, an
individual state's action will only stop the problems associated
with computer crime if many states join together. The patchwork
of legislation that exists covers only a small part of the
problem. To adequately address computer crime, greater efforts
must be made within the computer community to discourage
unauthorized computer access, countries must strengthen and
co-ordinated their computer related laws, as well as proper
enforcement mechanism created, computer program copyright laws be
enhanced and computer systems should be created to allow those
who wish to explore computer systems which will not disrupt the
users of computer systems.
This paper will first set out a definition of computer crime
and why laws or regulation by the computer community must be
created. Section II will then discuss the United States law
concerning computer crime and why it needs to be strengthened.
Section III will discuss the proposed Israeli computer crime
bill, Britain's Computer Misuse Act and Ghana's proposed law.
Section IV will discuss what can be done by both the government
and computer owners and users to make computer crime less
possible.
II. Computer crime
The definition of what constitutes a computer crime has been
the subject of much controversy. A computer crime has been
defined as "any illegal act for which knowledge of computer
technology is used to commit an offense."13 The typical
computer criminal has been described as between 15 and 45 years
old, usually male, no previous contact with law enforcement, goes
after both government and business, bright, motivated, fears loss
of status in computer community and views his acts as games.14
For the purposes of this article, this will be the definition
used because of its broad reach.
Estimates regarding how much is lost to computer crime very
widely15. In the only authoritative study, the loss due to
computer crime was given at $555,000,000, 930 personnel years
lost and 153 computer time years lost.16 The amount of total
incidents for 1988 was 485 resulting in 31 prosecutions17. In
1987, there were 335 incidents with 8 prosecutions.18 Security
spent on prevention of computer crime is becoming more
commonplace19.
The most publicized danger to computer systems are
viruses20 and worms. A virus is a code segment which, when
executed, replicates itself and infects another program.21
These viruses may be created anywhere in the world22 and may
attack anything.23 A virus may be transmitted through a trojan
horse24 program. A worm exists as a program in its own right
and may spread over a network via electronic mail25. A virus
attacks a program while a worm attacks the computer's operating
system.26 The most notorious computer worm brought the
Internet computer network to a halt.27
Computer virus attacks may be overrated.28 It is said
that the biggest threat to computing includes "not backing up
your data, not learning the ins and outs of your application
programs, not putting enough memory in your computer, not
organizing your hard disk, [and] not upgrading to the latest
version of your applications.29 These computer programs have
been compared to the AIDS virus.30 One author has stated that
the viruses are used to both increase the amount of profits of
computer program producers and anti-virus computer programs.31
Computer viruses may also be used to benefit computer
systems, by either detecting flaws in security measures or
detecting other viruses.32 Virus are very dangerous, though.
The effects of a virus called Datacrime, activated on October 13,
1989, brought down 35,000 personal computers within the Swiss
government and several companies in Holland.33
With the opening up of Eastern Europe, the virus problem is
expected to increase.34 In Bulgaria, a country which does not
have any laws against computer viruses, one new virus appears
week.35 Computer viruses are created in countries like the
Soviet Union as a way to punish computer pirates because of the
lack of copyright laws.36
Perhaps the most dangerous threat to information contained
in a computer is the "leakage" of radiation from the computer
monitors.37 With inexpensive equipment38 a person can "read"
the information off the computer screen and then replicate the
information from the screen in a readable manner.39
The threat of attack on a computer system can also come from
a hacker. A hacker is a person who breaks into, whether
maliciously or not, computers or computer systems.40 A hacker
can, if the system is not adequately secured, cause havoc in the
computer by either deleting or altering programs or data or
planting logic bombs or viruses in the computer system.41
Threats from hackers to plant viruses have been made in the
past.42 The threat from computer hackers, as with viruses, has
been said to be overrated.43
The issues surrounding computers still have not been decided
by those within the computer community. Whether or not persons
should be allowed to access computer systems without
authorization is still a subject of debate within the computing
community. A West German Computing Club, called The Chaos
Computing Club, holds the belief that it is not improper to enter
any system which they can gain access to and to "look" around
inside of the system as much as they wish.44 They do not,
however, condone destroying or altering any of the information
within the system.45 On the other side, represented by
Clifford Stoll, when individuals break into computer systems they
disrupt the trust that the computer system is based on.46 This
breach of trust not only makes operating the system tougher for
the manager in control of the system, but also will decrease the
amount of use of the system so less information will be
transferred within the system.47
There is also conflicting views as to whether the authors of
computer viruses should be punished. Marc Rotenberg48 holds
the belief that a virus should be granted first amendment
protection in some instances.49 In response to the Internet
worm, there were 21 editorials that stated that the attack showed
the need for more security in computers while there were 10
letters to editors that stated that the creator should be
applauded rather then punished.50 They argue that this was a
good way to raise consciousness concerning computer security.51
Alan Solomon, a consultant who specializes in virus detection and
eradication, believes that viruses are, at most, an
inconvenience.52
III.United States Computer Legislation
The United States government53 and most states54 have
computer crime laws. In 1979, only six states had such laws.55
Almost every computer crime will, in addition to violating a
state and/or federal law, can also be prosecuted under other
laws.56
A. Computer Fraud and Abuse Act.
Congress originally enacted the Counterfeit Access Device
and Computer Fraud and Abuse Act57 to address the problem of
computer crime. Understanding that the scope of the original law
was too narrow,58 in 1986 Congress enacted amendments to the
Computer Fraud and Misuse Act of 1984.59 The Act essentially
lists acts that if done with a computer are illegal. The Act
also makes individuals culpable for attempting to commit a
computer crime.60
In order to commit any of the crimes mentioned in the act,
the actor must have acted either "intentionally" or "knowingly"
when committing the act. The law addresses national security
issues by making a crime of anyone using a computer to obtain
information and giving the information to foreign countries.61
The penalty for this crime or its attempt is 10 years for the
first offense62 and 20 years for subsequent offenses63. If a
person intentionally accesses a computer either without
authorization or in excess of his authorization and obtains and
acquires information in a financial record of an institution or
information contained in a financial record of an individual64,
the person will have committed a misdemeanor for the first
offense65 and a felony for subsequent offenses66. A person
intentionally accessing a government computer without
authorization which affects the government's use of that
computer67 will have committed a misdemeanor for the first
offense68 and a felony for the second offense.69 Accessing a
computer with knowledge and intent to defraud and without or
exceeding authority is a crime if the person obtains anything of
value other than use is a felony70. Accessing a federal
interest computer without authorization and either modifying
medical records or causing $1,000 or more worth of damage within
a one year period71 is punishable with up to 5 years for the
first offense72 and 10 years for any subsequent offense.73
The Act also criminalizes trafficking in passwords.74 A
person who knowingly and with intent to defraud traffics75 in
passwords or similar information may be sentenced for up to one
year for the first offense76 and up to 10 years for subsequent
offenses77 if the computer is used by or for the Government of
the United States78 or affects interstate or foreign
commerce.79
B. Criticisms
It is important to note that this statute only applies to
"Federal interest computers" as defined by this section.80 If
a computer is not this type of computer, then any of the above
mentioned crimes will not be prosecutable under this section.
Congress intentionally made the scope of the law narrow.81
This section has been criticized as not inclusive enough.82
Individual and corporate computers which do not fall into the
restrictive definition83 may not receive the protection of the
statute.
The problem of computer viruses are not addressed by
Act.84 The act does not punish those who add information into
a computer, even though this may do more harm then just accessing
information. The Congress has attempted to address this issue
under two bills85, but neither one has been enacted.
Unauthorized access where there is no theft or damage to the
system is not covered.86 For example, a person access a
computer system and looks at information contained therein, he
has not committed a punishable crime under the Act.87
Questions have also been brought up concerning many of the
undefined terms within the Act.88 Terms such as "intentionally
access" and "affects interstate commerce" are among the terms not
defined.89 The need to clarify these terms is important so
that an individual will know what action will constitute a crime.
IV. Legislation From Around The World
A. Israel Proposed Computer Law
In March 1987, the Israeli Ministry of Justice distributed a
draft of a comprehensive computer bill.90 This bill covers a
wide range of areas concerning computers91. The Act first sets
out a list of proposed definitions for computer, program,
software, information, thing and act. Each of these, while
short, are concise and attempt to give a brief but comprehensive
definition.92
Chapter 2 sets out a list of offenses which, if committed,
are punishable.93 A authorized person commits an act upon any
computer and knows that the act will prevent or cause disruption
of the proper operation is subject to seven years
imprisonment.94 A person who, without authority, commits an
act which precludes a person from using a computer system or
deprives a person of using that system is punishable by up to
seven years imprisonment.95 If a person prepares or delivers
or operates software knowing that the software will produce
faulty results and "having reasonable grounds to assume", the
person is punishable for up to seven years.96 The Act also
addresses those who supply, deliver or operates a computer with
faulty data.97
Section 5 applies to those who use a computer to attempt to
obtain some "thing"98 or with intent prevents another from
obtaining some "thing".99 A person who prevents another from
obtaining a "thing" by the use of software may also be
punished.100 A person who deprives a person of an object that
contains software, data or information and obtaining a benefit
for himself.101 All of these crimes contain a prison sentence
of five years.
A professional who relies on computer outputs that they know
which are false is also subject to punishment.102 The crime
carries a sentence of five years.103
This chapter does not apply to all computers, software data
or information.104 It only applies to those computers, data
or information which are used, designated to be used by or for
(1) the state or a corporation that is supplying service to the
public105 or (2) "business, industry, agriculture, health
services, or for scientific purposes."106
Perhaps the most novel provision of this proposed law is the
section governing the reporting of the offenses. Any person who
is in charge of another and has reason to believe that an
individual has committed an offense under the Act, he must report
this to police as soon as possible.107 If the person does not
do so, he may be imprisoned for up to one year.
B. Analysis
The Israeli computer crime bill is more comprehensive then
the America bill. By creating a law which will apply not only to
government computers, but also to those of "business, industry,
agriculture, health services or for scientific purposes,"108
the law essentially covers all computers in the country.109
By creating such broad coverage, the law will be able to make the
users of computers in Israel more secure in their knowledge that
their systems are safe. B. Analysis
The Israeli computer crime bill is more comprehensive then
the America bill. By creating a law which will apply not only to
government computers, but also to those of "business, industry,
agriculture, health services or for scientific purposes,"110
the law essentially covers all computers in the country.111
By creating such broad coverage, the law will be able to make the
users of computers in Israel more secure in their knowledge that
their systems are safe.
The most controversial provision in the act is the proposal
requiring that individuals that may know of computer crime must
report the crime or face fines themself. As Levenfeld points
out112, this will mean that employers will have to impose
internal spy rings to be able to tract down the "reasonable
suspicions" that individuals have concerning illegal activity.
Shalgi, however, believes that this is a good provision in that
it will allow computer crime to come more to the forefront so
that the crime can be more easily combatted.113
This provision is necessary for the government to understand
exactly how large of a problem computer crime is. At present,
statistics on computer crime are difficult to determine because
of the lack of reporting.114 By making all persons who would
be responsible for computer security, i.e. all persons who use
computer systems, the problem will be brought into the open and
can be addressed.
The proposed law also sets out a defense for those who
violate the law. Under 11, if a person who violates the law
makes another know that he did disrupt or alter the data, he will
not be convicted of the crime. This will allow those who perform
such acts to avoid the punishment of the law. Individuals who
wish to destroy or alter such information will have an incentive
to bring forth their mischievous acts so that when brought before
the court they could say that they took precautions so that
individuals would not rely on the information. This provision
will encourage those who do such activity to come forth without
fear of conviction.
The ability of a court to not impose a punishment on a
person is contained in section 12.115 This allows the court
to abstain from punishment if the offense is not grave and was
not committed with malice. This section, in effect, will allow
those who commit computer crime to be able to forgo punishment if
their acts were not serious. This will be beneficial to those
who are hackers in the original sense of the word,116 yet
still allow for punishment of those individuals who enter systems
to do harm to it.
The law also creates standards for how a computer may be
seized. Neither a computer, nor any part of it, may be seized
without a court order.117 Although this seems to be a good
provision in its effects on individual rights118, the section
is not focused enough. The law does not address the issue of
whether a floppy, as opposed to a hard disk, is part of a
computer. The hard disk is located inside of a computer, while
floppy disks may be removed from the computer. This law should
address this issue by stating that the floppy disk is also a part
of a computer in its definitions.119
This section also does not address what standard may be used
for the court order. Must the officer only have a reasonable
suspicion or probable cause to seize the computer? By stating
explicitly in the statute that the officer must have probable
cause to seize the computer, an overzealous police officer will
not be able to as easily seize the computer.
C. The Great Britain Computer Misuse Act
In response to computer program concerning AIDS that was
distributed to doctors in Great Britain and Europe that contained
a virus,120 Michael Colvin, a British MP introduced the
Computer Misuse Bill.121 On August 29, 1990, the Computer
Misuse Act122 came into effect.123 It was estimated that
the losses to British industry and government were one billion
pounds.124 This Act is designed to not to create a
confidential information right, but to rather protect computer
system integrity125.
Prior to enactment, the English Law Commission studied the
problem and laws regarding computer crime. It stated that there
should be three new offenses to deal with computer misuse: (1)
Unauthorized access to a computer, (2) Hacking with intent to
commit a serious crime, and (3) Intentional destruction of or
alteration to computer programs or data.126 The Computer
Misuse Act states that unauthorized access occurs if the person
is unauthorized to access the computer, he causes the computer to
perform any function with intent to gain access to a program or
data in the computer and he knows that this is the case.127
He does not have to be directed to any particular program or data
in the computer he attempted to get on or the data or program he
wishes to access.128 If a person commits unauthorized access
with the intent to commit129 or help another offense,130
the person can be sentenced on summary conviction, up to six
months in prison and a fine,131 or if convicted after
indictment, to imprisonment of up to five years, a fine or
both.132
If a person modifies computer material,133 the person is
subject to a fine of up to 5 years, an unlimited fine or
both.134 The person must knowingly modify a program without
authorization and must have done so with the intent to impair the
operation of the computer, to prevent or hinder access, or impair
the operation of the program or resulting data.135 The
modification does not have to be permanent.136 A modification
may be done by either altering, erasing or adding onto a program
or data. By stating modification broadly, the act attempts to
combat the placing of viruses, worms and logic bombs on
computers.137
The Act also extends the scope of jurisdiction.138 A
person does not have to actually be in Great Britain at the
commission of the crime. The crime itself must have some
relation to Great Britain.139 The link must be
"significant".140
D. Analysis
As opposed to the other statutes, the Computer Misuse Act
does not attempt to define computer. This was done because of
the fear that any definition given for a computer may become out
of date in a short period of time.141 Program and data are
also not defined within the Act.
Great Britain's courts are granted large jurisdiction. The
act allows for anyone who attempt to commit a crime under the act
to be punished in Great Britain. The act, although setting out
that the link must be significant,142 does not attempt to
define this word. By this omission, the Great Britain's courts
can expand this to any act that occurs in a foreign country that
uses a British computer for even a short period of time. The
defining of the word would clear up some misconceptions that may
result from the act.
Of interest to note, the Act would not punish a person who
distributes disks tat contain viruses on them. Although the
drafter of the bill said that this was his goal, the law ignores
this possibility. An amendment should be added to the law which
will punish those who damage data even if they do not access the
system.
E. Ghana
In response to the belief that their existing laws were not
adequate, a draft law was proposed by the Ghana Law Reform
Commission.143 The bill is rather simple as opposed to the
other laws. It has definitions for access, computer, computer
network, computer program and data.144 To commit computer
related fraud, the person must have an intent to defraud and
either alters, damages destroys data or program stored in or used
by the computer or obtains information to his own advantage or to
the disadvantage of another or uses a computer commits and
offense.145 The Act Also sets out alternatives for some
sections that may be adopted. The alternative states that any
person who obtains access to a computer program or data and
attempts to erase or alter the program or data with intent to
help his own interests or damage other person's interest commits
a crime.146
Damaging computer data occurs if any person, by any means,
without authority, willfully does damage to data commits a
crime.147 The crime of unauthorized use of a computer is
simply defined as anyone who knowingly without authority commits
an offence.148 Similarly, unauthorized access is anyone who
knowingly gains access to a computer, network or any part there
of, without authority to do so.149 The Ghana law also creates
a crime for the knowingly and dishonestly introduction of false
data and the omission to introduce, record or store data.150
An authorized person who willfully or intentionally allows
information to get into the hands of an unauthorized person and
that person uses the information to his advantage also commits a
crime.151
The penalties for the crimes are similar to those of the
Great Britain law.152 On summary convictions, a jail term may
be given of up to two years or the statutory maximum fine or
both.153 On conviction on indictment, a prison term of no
more then ten years or an unlimited fine, or both may be
given.154
The jurisdiction that the Ghana courts have in accord with
this jurisdiction is as large as their British counterpart.155
The courts can hear any case if the accused person was in Ghana
at the time of the act.156 Also, if the program or data was
stored in or used with a computer or computer network in Ghana
the person may be tried under the law.157
F. Analysis
The Ghana proposed Computer Crime Law is in accord with the
United States, Great Britain and the proposed Israeli laws. By
setting out definitions for the various terms used in the
law158, the law clearly defines which acts may be subject to
prosecution under the law. Although simple, the definitions
attempt to capture within the law's grasp the various different
acts which could be done with a computer that should be outlawed.
The most original section of the act concerns the newly
created crime of omission to introduce, record or store
data.159 This section, however, will end up punishing those
who work in corporations that are at the lowest level skill-wise.
The government should, if the law is enacted, force companies to
give each employee a sufficient amount of training on a computer
so that the person will be able to act in accordance with the
law. The act does provide a safeguard by making the mens rea of
the crime "negligently or dishonestly"160
The act also sets out a crime for an individual who allows
information to get into the hands of another.161 As opposed
to the other laws, this section specifically address the problem
of where an authorized individual gives information to an
outsider. By specifically regulating this behavior, anyone who
wishes to act according will know that the act is illegal.
The crime of computer-related fraud is defined
broadly.162 This law effectively makes any type of fraud
committed either with a computer or information within a computer
a crime. The law adequately addresses the problems that might
occur with a computer in fraud. A broad definition, however, may
still let some act seem as though they are not covered since the
act is not specific in the area of what constitutes a crime.
Most significantly, the act does not state which types of
computers are covered by the act.163 By not giving a limit on
which computers are covered, the act extends its jurisdiction to
all "computer"164 and "computer network"165 in the country.
If the definition of computer changes, due in part to advance
technology, the law may have to change this section.
V. Proposed Solutions
Computer Crime laws have come a long way in addressing the
problem of computer crime.166 The ability to regulate the
activity will decrease the amount of crime that is committed.
Those who use the computers of the world, however, must not rely
totally on there respective governments to combat this
problem.167
The best way to combat computer crime is to not let it occur
at all. Many computer systems have not been given enough
security by their system managers.168 It is possible to have
a totally secure computer system169, but it is impractical and
slows the free flow of information.170 By creating laws that
will protect the integrity of computer systems while also
allowing for the ability of our best and brightest to develop and
learn about computer systems will the nation be able to keep our
technological lead in the world.
In order to combat the problem of unauthorized access, users
of computer systems must be taught to respect each others privacy
within the various systems. Creating an standard of ethics for
those who are users of computers will be the best way since it
will hold the users to standards that must be met. Although some
organizations have attempted to promogate standards regarding the
ethical use of computer systems171 no one standard has
emerged. Proposed rules of ethics should balance the need of
individuals to be able to learn and discover about the various
types of computer systems, while at the same time allowing for
those who use those systems to be secure in the knowledge that
the information stored on the computer will not be read by those
other then person who should have access to it.
If computer crime laws are enacted, industries that use
computers should not use the new laws as a replacement for using
adequate security measures.172 Individuals or corporations
that use computer have several ways to protect themselves from
unauthorized access. If the computer can be accessed by a modem,
the computer can have a dial back feature placed on the phone
line so that one a computer is accessed, the computer will then
call back to make sure that the call is coming from a line which
is supposed to access the computer.173 The proper use of
passwords174 are also an effective way to address the problem
of unauthorized access. A recent study has shown that out of 100
passwords files, approximately 30 percent were guessed by either
using the account name or a variation of it.175 A program
has recently been developed that will not allow a user to select
an obvious password.176 Encryption programs, similar to the
program used on Unix operating system, can scramble a password in
a non reversible manner so that if the encrypted password falls
into the hands of an individual who is not supposed to access the
system, the person will not be able to get into the system.
These systems can also be used so that if a hacker does get into
a computer system and attempts to get information, the
information will not be readable.177
A problem that must be address is the lack of laws
concerning copyright protection of computer programs in foreign
countries. The Pakistan Brain178 was written to discourage
copying of a program without authorization. By creating pirating
penalties a reason for the creation of computer viruses will be
removed and less viruses will be created.179
Many in the field argue that computer programs should not be
copyrighted.180 Copyright protection should not be afforded
to computer programs since they are only mathematical
equations.181 Copyright protection should be given to the
maker of a computer programmer only for a short period of
time.182
A novel concept which will both satisfy the computer hackers
quest for knowledge through examining computer systems and
protect the integrity of computer systems is to create a computer
systems for the use of hackers alone.183 This computer would
not be connected to other computer systems, but can be accessed
through a modem.184 If created, accounts would be given to
all interested computer enthusiasts. Those participating will
not be prosecuted for exploring unauthorized areas of the
system.185 Since other computer systems will not be
accessible through this system, any activity on this system will
not endanger the information on other systems.186 By allowing
this to be done, a major problem will be solved, the inability to
afford to buy a mainframe system, while a person will still be
able to learn about different types of systems.
If any laws are to be made, they should make "knowing"187
or "intentionally"188 unauthorized access into a computer a
crime. By making the intent of the crime be knowing, it will
allow those who accidently connect to a computer system that they
think is theirs but is not to be excused from punishment.
The law must also be done in a way that will allow it to be
enforced across national boundaries. A computer hacker can
access computers from across the world without ever leaving his
home country.189 If these laws can only be enforced within
the home country, then a person can, in theory, go into a country
of whose computers that he would never want to access and access
into other computers without fear of punishment.190
An international convention should be convened to address
this problem. Since the problem is of international concern and
the crimes do occur across the boarders of countries, by setting
standards by the international community concerning the conduct
of computer users, the hodgepodge of computer crime laws will be
eradicated in favor of a common international standard. As the
boundaries in Western Europe disappear in anticipation of 1992,
international access is sure to accelerate.
Colleges, Universities and high schools must institute
programs designed to address proper computer use.191 Although
not all computer users are not trained in school, teaching the
ethical use of computers will allow users to understand the need
for security on systems. These programs will also show users
that computer crime is dangerous to society.192 Problems
concerning computer crime should be publicized so as not to
mystify the crime.193
The United States and other countries must create more
Computer Emergency Response Teams (CERT). These teams are to
coordinate community responses to emergency situations,
coordinate responsibility for fixing hole in computer systems and
serve as a focal point for discussions concerning computer
systems.194 These groups regularly post notices concerning
computer viruses or other dangers in the Internet computer
system. The scope of these groups should be expanded so they may
be a focal point of the needs and desires of those who use
computers. If they are used to gather information as a clearing
house type operation, the spread of information concerning
computer systems and problems with the systems will be more
adequately addressed.
IV. Conclusion
Computer crime is a growing problem. With the advent of the
computer and a more computer literate public, crimes committed by
computers will increase. To effectively address the problem,
laws must be created to outlaw activity which is designed to
further illegitimate ends. These laws have moved in the right
direction concerning what should be outlaws so as to balance the
needs of computer users against those of the computer owners. To
enforce these laws, governments must realize that the problem of
computer crime is not only of local concern.
Educational programs and standards of ethics must be created
from within the computer users community. Corporations which use
computers must educate their employees to reduce the fear that
one might have when addressing a computer security issue.
Copyright laws must be strengthened in countries that either do
not have or have weak copyright laws so that the need to create
viruses to protect an individual's or corporation's work will no
longer be necessary.
To satisfy users curiosity with computers, a non-secure
computer system should be created. This system will allow those
who wish to explore a system in order to understand the system
may. Those individuals can do so without the fear of
prosecution.
Only by directly addressing the causes of computer crime and
drafting standards and laws to address the unique area will the
problem of computer crime be adequately addressed. Light must be
shined on the area so individuals will realize that fear of the
machines is not justified. Only by doing so may we enter the
21st century realizing the full potential of computers.
Appendix A
Ghana Computer Crime Law (Proposed)
Computer Crime Law
Computer Crime Law
In pursuance of the Provisional National Defense Council
(Establishment) Proclamation 1981, this Law is hereby made:
1. Any person who, with intent to defraud,
(a) alters, damages, destroys or otherwise manipulates data
or program stored in or used in connection with a computer, or
(b) obtains by any means, information stored in a computer
and uses it to his advantage or to another person's advantage to
the disadvantage of any other person, or
(c) uses a computer
commits an offense.
Charge: Computer-related fraud.
ALTERNATIVE:
(1) A person commits an offense if that person obtains
access to a computer program or data, whether stored in
or used in connection with a computer or to a part of
such program or data to erase or otherwise alter the
program or data with the intention-
1. (a) of procuring an advantage for himself or
another person: or
(b) of damaging another person's interests.
2. Any person who, by any means, without authority, wilfully
destroys, damages, injures, alters or renders ineffective
data stored in or used in connection with a computer commits
an offense.
Charge: Damaging Computer data.
3. Any person who, without authority, knowingly uses a computer
commits and offense.
Charge: Unauthorized use of a computer.
4. Any person who, without authority, knowingly gains access to
a computer, computer network, or any part thereof commits an
offense.
Charge: Unauthorized access to a computer.
5. Any person who, knowingly and dishonestly introduces,
records or stores, or causes to be recorded, stored or
introduced into a computer or computer network by any means,
false or misleading information as data commits an offense.
Charge: Insertion of false information as data.
ALTERNATIVE:
(5) A person commits an offense if, not having authority to
obtain access to a computer program or data, whether
stored in or used in connection with a computer, or to
a part of such program or data, he obtains such
unauthorized access and damages another person's
interests by recklessly adding to, erasing or otherwise
altering the program or the data.
6. Any person under a contractual or other duty to introduce,
record or store authorised data into a computer network, who
negligently or dishonestly fails to introduce, record or
store, commits an offense.
Charge: Omission to introduce, record or store data.
ALTERNATIVE
(6) Any person under a contractual or other duty to
introduce, record or store data into a computer or
computer network who negligently or dishonestly fails
to introduce, record or store, commits an offense.
7. Any authorised person who willfully or intentionally allows
information from a computer to get into the hands of an
unauthorised person who uses such information to his
advantage commits an offense.
Charge: Allowing unauthorised person to use computer data.
8. A person guilty of an offense under this Law shall be
liable:-
(a) on summary conviction, to imprisonment for a term not
exceeding two years or to a fine not exceeding the
statutory maximum or both; or
(b) on conviction on indictment, to imprisonment for a term
not exceeding ten years or to an unlimited fine, or
both.
9. A court in Ghana shall have jurisdiction to entertain
proceedings for an offense under this Law, if at the time
the offense was committed:-
(a) the accused was in Ghana; or
(b) the program or the data in relation to which the
offence was committed was stored in or used with a
or used with
computer or computer network in Ghana.
computer network in Ghana.
10. In this Law, unless the context otherwise requires:-
"access" includes to log unto, instruct, store data or
programs in, retrieve data or programs from, or otherwise
communicate with a computer, or gain access to (whether
directly or with the aid of any device) any data or program.
"computer" includes any device which is capable of
performing logical, arithmetical, classifactory, mnemonic,
storage or other like functions by means of optical,
electronic or magnetic signals.
"Computer network" includes the interconnection of two or
more computers, whether geographically separated or in close
proximity or the interconnection of communication systems
with a computer through terminals, whether remote or local.
"Computer program" includes an instruction or statement or
series of instructions or statements capable of causing a
computer to indicate, perform, or achieve any function.
"data" includes a representation in any form whether
tangible or intangible that is capable of being stored in or
retrieved by a computer.
ENDNOTES
ENDNOTES
1. Financial Times Limited (London) April, 1990.
2. See, infra, endnote 36 and accompanying text.
infra
3. Stoll, The Cuckoo's Egg (1990). [hereinafter Stoll].
The Cuckoo's Egg
4. Lyons, 13 Are Charged in Theft of Data from Computers, New
York Times, August 17, 1990, B2, col. 3.
5. Although there is no set definition of a computer
publication, it is created and published solely on a computer.
Peretti, Computer Publications and the First Amendment (1990)
(available at Princeton University FTP site and The American
University Journal of International Law and Policy Office).
6. Dorothy Denning, The United States v. Craig Neidorf
(available at The American University Journal of International
Law and Policy office).
7. Schares, A German Hackers' Club that Promotes Creative
Chaos, Business Week, Aug. 1, 1988, 71.
8. Barlow, Crime and Puzzlement: In advance of the Law on the
Electronic Frontier, Whole Earth Review, Sept. 22, 1990, 44.
9. Kopetman, Computer Gave Them Bum Rap, Los Angeles Times,
Los Angeles Times
Jan. 10, 1991, at B1, col. 2.
10. See, J. Thomas McEwen, Dedicated Computer Crime Units (19--)
See,
(stating how important computers have become to society). In
1978 there were 5,000 desktop computers in the United States. S.
Rep. No. 432, 99th Cong., 2d Sess. 2, reprinted in, 1986 U.S.
reprinted in
Code Cong. & Admin. News 2479, 2479. By 1986, this number had
increased to about 5 million. Id.
Id.
11. See, S. 2476, Floor Statement by Senator Patrick Leahy.
12. See, Stoll at ___ (stating that all countries, except
Albania, are connected via computer systems).
13. McEwen, Dedicated Computer Crime Units 1 (19--). Another
_______________________________
definition used is the definition of computer crime was "any
illegal act for which knowledge of computer technology is
essential for successful investigation and prosecution". Parker,
Computer Crime: Criminal Justice Resource Manual, (1989).
_________________________________________________
14. Conly, Organizing for Computer Crime Investigation and
Prosecution, 6-7 (19--).
15. For instance, the estimated cost of the Internet Worm, a
computer program created by Robert Morris, Jr. which shut down
the Internet computer system, varies from $97,000,000 (John
McAfee, Chairman, Computer Virus Industry Association) to
$100,000 (Clifford Stoll's low bound estimate). Commitment to
Security, 34 (1989). It is difficult to determine exactly the
cost of such crime because it is difficult to determine what
should be included. The estimated downtime of a computer due to
such activity could be used to determine the cost. This may be
flawed, however, since it will not take into account how much of
the down time actually would have been used. Electronic Mail
Letter from Richard Stallman to Brian J. Peretti (Dec. 3, 1990)
(concerning computer crime).
16. Commitment to Security, 34. The average facility,
consisting of 1,224 microcomputers, 96 minicomputers and 10
mainframe computers, lost $109,000, 365 personnel hours and 26
hours computer time loss per year. Id.
Id.
17. Id. at 23. 6 percent of incidents resulted in prosecutions.
Id.
Id.
Id.
18. Id.
Id.
19. Only 1.5 percent of respondents to a National Center for
Computer Crime Data used Anti-virus products in 1985. By 1988
this figure rose to 22 percent. By 1991, 53 percent of the
respondents stated that they would be using anti-virus software
by 1991. According to a Price Waterhouse survey in Great
Britain, in 1985 26 percent installations spent nothing on
security. Authers, Crime as a Business Risk- Security/ A
Crime as a Business Risk- Security/ A
Management as Well as a Technical Problem, Financial Times
Management as Well as a Technical Problem
(London), November 7, 1990. By 1990 this figure had shrunk to 4
percent and is expected to decline to 0 by 1995. Id. The amount
Id.
spent on security for new systems has increased from 5 percent in
1985 to 9 percent by 1990. Id.
Id.
In Japan, less than 10 percent of groups that rely heavily
on computers have taken measures to prevent virus attacks.
Computer Users Fail to Protected Against Viruses. Although Japan
Computer Users Fail to Protected Against Viruses.
does not have a computer crime law, there is a movement to make
such a law. Computer Body Calls for Jail Sentences for Hackers,
Computer Body Calls for Jail Sentences for Hackers
Kyodo News Service, Nov. 15, 1990 (available from the Nexis
library). The Japan Information Processing Development
Association has stated that the new law should make the crime
punishable of either one year of hard labor or a fine. Id.
Id.
20. The terms was first applied in 1984. Commitment to Security,
34 (1989).
21. Ring, Computer Viruses; Once Revered as Hackers, Technopaths
Threaten Security of Computer-Dependant Society, Computergram,
July 7, 1989. Some of these viruses are extremely small, e.g.
Tiny, which is 163 bytes, may be the smallest. Friday 13th Virus
Alert, The Times (London), July 12, 1990.
22. Graggs, Foreign Virus Strains Emerge as Latest Threat to
Foreign Virus Strains Emerge as Latest Threat to
U.S. PCs, Infoworld, Feb. 4, 1991, 18. Viruses have appeared
U.S. PCs
from Bulgaria, Germany, Australia, China and Taiwan. Id. Some new
Id.
viruses include Armageddon, from Greece which attacks through
modems and then dials to a talking clock in Crete, Liberty, from
Indonesia, Bulgaria 50, which is thought to have come from a
"laboratory" in Sofia, Victor, thought to originate in the
U.S.S.R., the Joker, from Poland, which tells the user that the
computer needs a hamburger, and Saturday the 14th, presumed to
have been developed in South Africa, which destroys a computer's
file allocation table. Id.
Id.
Some viruses also carry a message when they are activated.
A virus that is though to have been developed by students at
Wellington, New Zealand, tells the user that they have been
"stoned" and requests that marijuana should be legalized. Id.
Id.
Approximately 80 or 90 of the 300 viruses counted for the
IBM personal computer originated in Bulgaria according to Morton
Swimmer of Germany's Hamburg University Virus Test Center.
23. A report in La Liberation, a French newspaper, stated that
La Liberation
computer viruses could be planted in French EXOCET missiles to
misguide them when fired. La Liberation, Jan. 10, 1991,
reprinted in Klaus Brunnstein, Risks-Forum, vol. 10, iss. 78,
reprinted in
Jan. 22 1991 (available at American Journal of International Law
and Policy Office).
24. A "trojan horse" is a program that does not seem to be
infected, however, when used in a computer, the virus is then
transferred the uninfected machine. On trojan horse destroyed
168,000 files in Texas. Commitment to Security, 34 (1989).
25. Ring, Computer Viruses; Once Revered as Hackers, Technopaths
Computer Viruses; Once Revered as Hackers, Technopaths
Threaten Security of Computer-Dependent Society, ComputerGram,
Threaten Security of Computer-Dependent Society
July 7, 1989.
26. Highland, One Wild Computer "Worm" Really Isn't a Federal
One Wild Computer "Worm" Really Isn't a Federal
Case, Newsday, Jan. 23, 1990, 51.
Case
27. Stoll, at 346. The amount of computers that were actually
infected by the worm is still the subject of debate. Mr. Stoll
estimates that 2,000 computers where infected, while the most
commonly cited number is 6,000. Commitment to Security, 34
(1989). The 6,000 estimate was based on an Massachusetts
Institute of Technology estimate that 10 percent of the machines
at the school were infected and was then inferred to the total
number of machines across the country that were affected.
General Accounting Office, Computer Security: Virus Highlights
Need for Improved Internet Management, 17 (1989). This number
may be inaccurate because not all locations had the same amount
of vulnerable machines. Id.
Id.
28. For the first eight months of 1988, there were 800
incidents concerning computer viruses. Commitment to Security,
34. The Computer Virus Industry Association reported that 96
percent of these reported infections were incorrectly identified
as viruses. Id.
Id.
29. Robinson, Virus Protection for Network Users, Washington
Post, Washington Business, p.44, Feb. 11, 1991.
30. Ross, Hacking Away at the Counterculture, 3 (1990)
(available at the American University Journal of International
Law and Policy). On Saturday Night Live, during the news update
segment, Dennis Miller stated, in comparing a computer viruses to
the AIDS virus, "Remember, when you connect with another
computer, you're connecting to every computer that computer has
ever been connected to." Id.
Id.
31. Id. at 8-9.
Id.
32. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287
before the Subcomm. on Criminal Justice of the House Comm. on the
Judiciary, 100th Cong., 1st Sess. 49 (1989) (statement of Marc
Rotenberg, Director, Computer Professionals for Social
Responsibility). In Israel, Hebrew University used a computer
virus to detect and destroy a virus that would have destroyed
data files. Id.
Id.
33. Computergram International, October 14, 1990.
34.
35. Watts, Fears of Computer Virus Attack from East Europe grow,
Fears of Computer Virus Attack from East Europe grow
The Independent, November 24, 1990, p.6. On a trip to Bulgaria,
a British computer consultant returned with 100 viruses that do
not exist in the West. Id.
Id.
36. Id.
37. McGourty, When a Hacker Cracks the Code, The Daily Telegraph
When a Hacker Cracks the Code
(London), October 22, 1990, p. 31.
38. The equipment would cost about 50 (British) pounds. Id.
Id.
39. Id. A British company, has stated that they have developed
Id.
a glass that will reduce this problem. Tieman, Spy-Proof Glass
to Beat the Hackers, The (London) Times, Jan 17, 1991.
A more recent problem concerns the ability of computer
hackers to access into fax machines and either change or reroute
information from the machine. Becket, Espionage fears mounting as
Espionage fears mounting as
hackers tap into faxes, The Daily Telegraph (London), December 1,
hackers tap into faxes
1990, p. 23. This problem can be circumvented by the use of
encryption devices or passwords on the machine. Id.
Id.
40. Stoll at 9. The word itself originally had two meanings.
People originally called themselves hackers were software wizards
who thoroughly knew computer systems. Id. In U.S. v. Riggs, 739
U.S. v. Riggs
F. Supp. 414, 423 (N.D. Ill. 1990) the court defined hackers as
"individuals involved with the unauthorized access of computer
systems by various means." The New Hacker's Dictionary defines
hackers as "A person who enjoys learning the details of
programming systems and how to stretch their capabilities, as
opposed to most users who prefer to learn only the minimum
necessary." New Hacker's Dictionary, to be published Spring,
1991.
Hacker has also been used in a non-evil sense with the word
"cracker" taking the disreputable part of the word. In this
light, hacker means "computer enthusiasts who `take delight in
experimenting with system hardware, software and communication
systems." and cracker meaning "a hacker who specializes in
gaining illegal access to a system." One Wild Computer `Worm'
One Wild Computer `Worm'
Really Isn't a Federal Case, Newsday, January 23, 1990, p.51.
Really Isn't a Federal Case
The typical hacker has been described as "a juvenile with a home
computer who uses computerized bulletin board systems for a
variety of illegal purposes. Conly, Organizing for Computer
Crime Investigation and Prosecution, 8 (19--).
41. Sulski, How to Thwart Potential Saboteur, Chicago Tribune,
How to Thwart Potential Saboteur
November 18, 1990, p.18.
42. Computerworld, December 3, 1990, p. 122. Kryptik, a hacker
group, was stated as having planned to plant a virus in a
telephone network on December 5, 1990. Id. It is unclear,
Id.
however, if the virus actually was planted. Id.
Id.
43. Sulski, How to Thwart Potential Saboteur, Chicago Tribune,
How to Thwart Potential Saboteur
November 18, 1990, p.18. Computer security experts state that
the risk of having hacker break into your system is less than
being burglarized or having a power outage due to lightning. Id.
Id.
Errant opinion poll results have also been blamed on the work of
hackers. Holdsworth, Hackers May Have Attacked TV Poll
Hackers May Have Attacked TV Poll
Computers-MP, Press Association Newsfile, May 4, 1990.
Computers-MP
44. Stoll, 312.
45. Id. This view is also shared by the editors of 2600, The
Id.
Hackers Quarterly. It is also held by these persons that a
service is done to the computing community because those who
break in to computer systems show the operators that their system
is not strong enough and that it should be made stronger.
46. Stoll, at 354.
47. Mr. Stoll's computer was broken into by an Australian
hacker who said he did so to show that Mr. Stoll's security was
not good and that hackers are good because they show where
security problems are in computer networks. Id. at 353-54. He
Id.
rejected such arguments. Id.
Id.
48. Director, Computer Professionals for Social Responsibility
49. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287
before the Subcomm. on Criminal Justice of the House Comm. on the
Judiciary, 100th Cong., 1st Sess. 26-27 (1989) (statement of Marc
Rotenberg, Director, Computer Professionals for Social
Responsibility). The Aldus peace virus, which displayed a message
calling for peace and then disappeared without damaging the
system itself, is an example of a virus which he believes should
be protected. Id.
Id.
50. Commitment to Security, 34.
51. Stoll, 349.
52. "I can never understand why people think it is all right to
run out of computer paper but not all right to be infected with a
virus. The disruption is the same and it takes about the same
amount of time to put matters right." Cane, Hygiene See Off
Hygiene See Off
Computer Viruses, Financial Times (London) October 14, 1989,
Computer Viruses
Section I, p. 24.
53. 18 U.S.C. 1030 (1988).
54. Ala. Code 13A-8-100 et.seq. (1990); Alaska Stat.
Ala. Code Alaska Stat.
11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985, 11.46.990
(1990); Ariz. Rev. Stat. Ann. 13-2301(E), 13-2316 (1990); Cal.
Ariz. Rev. Stat. Ann. Cal.
Penal Code 502 (West 1990); Colo. Rev. Stat. 18-5.5-101 et.
Penal Code Colo. Rev. Stat.
seq. (1990); Conn. Gen. Stat 53a-250 et. seq., 52-570b (1990);
Conn. Gen. Stat
Del. Code Ann. tit. 11, 931 et seq. (1990); Fla. Stat.
Del. Code Ann. Fla. Stat.
815.01 et seq. (1990); Ga. Code Ann. 16-9-90 et seq (1990);
Ga. Code Ann.
Haw. Rev. Stat. 708-890 et seq. (1990); Idaho Code 18-2201,
Haw. Rev. Stat. Idaho Code
2202 (1990); Ill. Ann. Stat. 15-1, 16-9 (1990); Ind. Code
Ill. Ann. Stat Ind. Code
35-43-1-4, 35-43-2-3 (1990); Iowa Code 716A.1 et. seq.
Iowa Code
(1990); Kan. Stat. Ann. 21-3755 (1990); Ky. Rev. Stat. Ann.
Kan. Stat. Ann. Ky. Rev. Stat. Ann.
434.840 et. seq. (1990); La. Rev. Stat. Ann. 14(D) 71.1 et
La. Rev. Stat. Ann
seq. (1990); Me. Rev. Stat. Ann. chap. 15, tit. 17-A, 357
Me. Rev. Stat. Ann.
(1990); Md. Crim. Law Code Ann. Article 27 45A, 146 (1990);
Md. Crim. Law Code Ann.
Mass. Gen. L. ch 266, 30 (1990) see infra; Mich. Comp. Laws
Mass. Gen. L. Mich. Comp. Laws
28.529(1) et seq. (1990); Minn. Stat. 609.87 et seq. (1990);
Minn. Stat.
Miss. Code Ann. 97-45-1 et seq (1990); Mo. Rev. Stat. 569.093
Miss. Code Ann. Mo. Rev. Stat.
et seq. (1990); Mont. Code Ann. 45-2-101, 45-6-310,45-6-311
Mont. Code Ann.
(1990); Neb. Rev. Stat. art. 13(p), 28-1343 et seq (1990); Nev.
Neb. Rev. Stat. Nev.
Rev. Stat. 205.473 et seq. (1990); N.H. Rev. Stat. Ann.
Rev. Stat. N.H. Rev. Stat. Ann.
638.16 et seq. (1990); N.J. Rev. Stat. 2C:20-1, 2C:20-23 et.
N.J. Rev. Stat.
seq., 2A:38A-1 et seq. (1990); N.M. Stat. Ann. 30-16A-1 et
N.M. Stat. Ann.
seq. (1990); N.Y. Penal Law 155.00, 156.00 et seq, 165.15(10),
N.Y. Penal Law
170.00, 175.00 (1990); N.C. Gen. Stat. 14-453 et seq (1990);
N.C. Gen. Stat.
N.D. Cent. Code 12.1-06.1.01(3), 12.1-06.1-08 (1990); Ohio Rev.
N.D. Cent. Code Ohio Rev.
Code Ann. 2901.01, 2913.01, 1913.04, 1913.81 (Anderson 1990);
Code Ann.
Okla. Stat. tit. 21, 1951 et seq. (1990); Or. Rev. Stat.
Okla. Stat Or. Rev. Stat.
164.125, 164.377 (1990); Pa. Cons. Stat. 1933 (1990); R.I.
Pa. Cons. Stat. R.I.
Gen. Laws 11-52-1 et seq (1990); S.C. Code Ann. 16-16-10 et
Gen. Laws S.C. Code Ann.
seq (Law. Co-op 1990); S.D. Codified Laws Ann. 43-43B-1 et seq.
S.D. Codified Laws Ann.
(1990); Tenn. Code Ann. 39-3-1401 et seq (1990); Texas Code
Tenn. Code Ann. Texas Code
Ann. tit 7 33.01 et seq. (Vernon 1990); 19 Utah Laws 76-6-
Ann. Utah Laws
701 et seq.; Va. Code Ann. 18.2-152.1 et seq. (1990); Wash.
Va. Code Ann. Wash.
Rev. Code Ann. 9A.48.100, 9A.52.010, 9A.52.110 et seq. (1990);
Rev. Code Ann.
Wis. Stat. 943.70 (1990); Wyo. Stat. 6-3-501 et seq. (1990).
Wis. Stat. Wyo. Stat.
55. Parker, Computer Crime: Criminal Justice Resource Manual,
129 (1979).
56. McEwen, Dedicated Computer Crime Units, 60 (1989). These
other laws include embezzlement, larceny, fraud, wire fraud and
mail fraud. Id. at 60.
___
57. Pub. L. No. 98-473, 2102(a), 98 Stat. 1837, 2190 (codified
at 18 U.S.C. 1030).
58. S. Rep. No. 432, 99th Cong., 2d Sess., 1986 U.S. 2,
reprinted in, 1986 Cong. & Admin. News 2479, 2479.
reprinted in
59. Pub. L. No. 99-474, 2, 100 Stat. 1213 (amending 18 U.S.C.
1030).
60. 18 U.S.C. 1030(b).
61. 18 U.S.C. 1030(a)(1). The person must act knowingly to
access a computer either without authorization or exceeding the
authorization given and obtain information with the intent or
reason to believe that the information will either injure the
United States of American or give an advantage to a foreign
nation. As seen by the placement of this section, it is clear
that the Congress was particularity aware of the dangers that
computer might have to the national security of the United
States. This section parallels 18 U.S.C. 793, the federal
espionage statute.
62. 1030(c)(1)(A).
63. 1030(c)(1)(B).
64. As defined by the Fair Credit Reporting Act, 15 U.S.C. 1681
et seq.
65. 1030(c)(2)(A).
66. 1030(c)(2)(B). The penalty is up to 10 years in prison.
67. 18 U.S.C. 1030(a)(2).
68. 18 U.S.C. 1030(c)(2)(B).
69. 18 U.S.C. 1030(c)(2)(B).
70. The punishments that may be handed out are up to 5 years for
the first offense and 10 years for any subsequent offense.
71. 18 U.S.C. 1030(a)(5).
72. 18 U.S.C. 1030(c)(3)(A).
73. 18 U.S.C. 1030(c)(3)(B).
74. 18 U.S.C. 1030(a)(6).
75. As defined by 18 U.S.C. 1029.
76. 18 U.S.C. 1030(c)(2)(A).
77. 18 U.S.C. 1030(c)(2)(B).
78. 18 U.S.C. 1030(a)(6)(B).
79. 18 U.S.C. 1030(a)(6)(B).
80. These computers include computers used exclusively for the
United States government or a financial institution or if not
exclusively by the government one which the conduct of the
computer affects the government's or the institution's operation,
18 U.S.C. 1030(e)(2)(A), the computer is one of two or more
computers that commit the offense, 18 U.S.C. 1030(e)(2)(A).
Financial institution is defined in 18 U.S.C. 1030(e)(4) and
includes and institution whose deposits are insured by the
Federal Deposit Insurance Corporation, 1030(e)(4)(A), the Federal
Reserve or one of its members, 1030(e)(4)(B), a credit union
insured by the National Credit Union Administration,
1030(e)(4)(C), a Federal home loan bank system member,
1030(e)(4)(D), institutions under the Farm Credit Act of 1971,
1030(e)(4)(F), a broker-dealer registered pursuant to 15 of the
Securities Exchange Act of 1934, 1030(e)(4)(F), or a Securities
Investor Protection Corporation, 1030(e)(4)(G).
81. S. Rep. No. 432, 99th Cong., 2d Sess. 4, reprinted in, 1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2481.
82. Note, Computer Crime and The Computer Fraud and Abuse Act of
1986, X Computer/Law Journal 71, 79, (1990).
83. 18 U.S.C. 1030 (e)(2) states:
As used in this section-
(2) The term "Federal interest computer" means a computer-
(A) exclusively for the use of a financial institution
or the United States Government, or, in the case of a computer
not exclusively for such use, used by or for a financial
institution or the United States Government and the conduct
constituting the offense affects the use of the financial
institution's operation or the Government's operation of such
computer; or
(B) which is one of two or more computer used in the
committing the offense, not all of which are located in the same
state.
84. "[T]here is not statute specifically addressing viruses."
135 Cong. Rec. E2124 (daily ed. June 14, 1989) (letter of Rep.
Cong. Rec. E2124
Herger (quoting FBI Director William Sessions)).
85. H.R. 287 and H.R. 55.
86. "Existing criminal statues are not specific on the question
of whether unauthorized access is a crime where no theft or
damage occurs . . ." 135 Cong. Rec. E2124 (daily ed. June 14,
Cong. Rec.
1989) (letter of Rep. Herger (quoting FBI Director William
Sessions)).
87. Prosecution could occur under a trespass law. It may not be
applicable, however, since trespass is a property based crime and
courts have not recognized information in the same manner as real
property.
88. Note, Computer Crime and The Computer Fraud and Abuse Act of
1986, X Computer/Law Journal 71, 80 (1990).
89. Id.
Id.
90. Shalgi, Computer-ware: Protection and Evidence, An Israeli
Computer-ware: Protection and Evidence, An Israeli
Draft Bill, IX Computer/Law J. 299, 299 (1989) [hereinafter
Draft Bill Computer/Law J.
Shalgi]. This proposed bill has not progressed much since it was
proposed and is at the stage prior to an official "bill". Letter
from Barry Levenfeld to Brian J. Peretti (December 13, 1990)
(concerning Israel's legislature progress on the comprehensive
computer law). This paper will use the Shalgi English
translation of the law.
91. Chapter 2 concerns Offenses and Accessing Computers, Chapter
3, Damages, Chapter 4, Rights of Software Creators and Chapter 5,
Evidence. Levenfeld, Israel Considers Comprehensive Computer Law,
Israel Considers Comprehensive Computer Law,
Int'l Computer L Advisor 4 (March 1988). The topics covered in
Int'l Computer L Advisor
Chapters 2 through 5 are beyond the scope of this paper.
92.
93. Shagli, at 311.
94. Chapter 2, 2, Shagli at 311.
95. Chapter 2, 3(a), Shagli at 311. An employee is exempt if
he commits this act when it was due to a strike concerning a
labor dispute. Chapter 2, 3(b), Shagli at 311.
96. Chapter 2, 4(a).
97. Chapter 2, 4(b), Shagli at 311.
98. As defined by Chapter 1, 1.
99. Chapter 2, 5, Shagli at 311.
100. Chapter 2, 6, Shagli at 312.
101. Chapter 2, 7, Shagli at 312.
102. Chapter 2, 9, Shagli at 312.
103. Id.
Id.
104. Chapter 2, 10, Shagli at 312.
105. By not stating that this also applies to individuals or
others (non-corporations) who are attempting to supply services
to the public, some important services that may be offered to the
public may not be done. Levenfeld, 8, translates the word
corporation as entities which may solve the problem.
106. Shalgi, 312. Levenfeld, 5, states that since this section
is so broad the only possible areas that are not covered are
personal and academic uses.
107. Chapter 2, 14, Shagli at 313.
108. Section 5.
109. Levenfeld, 4-5. Perhaps the only computers not covered
would be those used for personal or academic uses exclusively.
Id. at 5.
Id.
110. Section 5.
111. Levenfeld, 4-5. Perhaps the only computers not covered
would be those used for personal or academic uses exclusively.
Id. at 5.
Id.
112. Levenfeld at 4.
113. Shalgi, 305.
114. See, Computers at Risk, Safe Computing in the Information
Age, 36 (1991) (discussing the need for a repository to gather
computer crime information).
115. Chapter 2, 12, Shagli at 313.
116. New Hacker's Dictionary.
117. Chapter 2, 13, Shagli at 313. The law states that if the
owner of the computer is not given in his presence, the order is
only good for twenty-four hours. Id.
Id.
118. Shagli, at 304. Under Israeli law, an object that may be
proof of an offense may be seized without a court order. Id. The
Id.
law will bring the seizure of computers in accord with the United
States Constitution's sixth Amendment.
119. Chapter 1, 1, Shagli at 310.
120. Alexander, Suspect Arrested in AIDS Disk Fraud Case,
Suspect Arrested in AIDS Disk Fraud Case
Computerworld, Feb. 5, 1990, 8.
121. Colvin, Lock up the Keyboard Criminal, Telecommunications
PLC (England), June 1990.
122. Computer Misuse Act, 1990, ch. 18.
123. In the five years prior to the adoption of the Act, there
were 270 cases of computer misuse in Britain of which only six
were brought to court and only 3 resulting convictions. Fagan,
Technology: EC urged to strengthen laws on computer crime, The
Technology: EC urged to strengthen laws on computer crime
Independent (London), February 13, 1990, p. 19.
124. Id.
Id.
125. Davies, Cracking down on the computer hackers, Fin. Times
Cracking down on the computer hackers
(London), October 4, 1990.
126. Law Commission No. 186, Cm 819.
127. Computer Misuse Act, 1990, ch. 18, 1.
128. The penalty for this type of behavior is up to six months in
prison, 2000 pounds or both.
129. Computer Misuse Act, 1990, ch. 18, 2(1)(a).
130. Computer Misuse Act, 1990, ch. 18, 2(1)(b).
131. Computer Misuse Act, 1990, ch. 18, 2(5)(a).
132. Computer Misuse Act, 1990, ch. 18, 2(5)(b).
133. Computer Misuse Act, 1990, ch. 18, 3(1).
134. Computer Misuse Act, 1990, ch. 18, 3(7).
135. Computer Misuse Act, 1990, ch. 18, 3(2).
136. Computer Misuse Act, 1990, ch. 18, 3(5).
137. Id. Colvin, Lock up the Keyboard Criminal ,
Id.
Telecommunications PLC (England), June 1990.
138. Computer Misuse Act, 1990, ch. 18, 4.
139. Computer Misuse Act, 1990, ch. 18, 4(1).
140. 5(2) states that a significant link under 1 can be (a) the
person was in Great Britain at the time in which he caused the
computer to act in a certain way or (b) the computer he attempted
to get access to was in Great Britain. 5(3) states that a
significant link under 3 can be (a) that the person was Great
Britain at the time when he did the act or (b) the modification
took place in Great Britain. However, this may not an exhaustive
list.
141. Davies, Cracking down on the computer hackers, Fin. Times
Cracking down on the computer hackers
(London), October 4, 1990.
142. Computer Misuse Act, 1990, ch. 18, 5.
143. Although proposed on February 14, 1989, the proposed bill
has not yet become law.
144. Appendix A, 10.
145. Appendix A, 1.
146. Appendix A, 1, alternative.
147. Appendix A, 2.
148. Appendix A, 3.
149. Appendix A, 4.
150. Appendix A, 5.
151. Appendix A, 7.
152. The Ghana Law Reform Commission states that they created
their proposed law from the Scottish Law Commission and the Law
Reform Commission of Tasmania, Australia reports on computer
crime.
153. Appendix A, 9(a).
154. Appendix A, 8(b).
155. See, infra, endnote __ and accompanying text.
infra
156. Appendix A, 9(a).
157. Appendix A, 9(b).
158. Appendix A, 10.
159. Appendix A, 6.
160. Id.
Id.
161. Appendix A, 7.
162. Appendix A, 1.
163. Appendix A, 10.
164. Id.
Id.
165. Id.
Id.
166. The first computer crime law in the United States was
enacted in 1979.
167. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in 1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2481.
168. By increasing security, the ease with which one can enter
the system will become more difficult. Some systems, believing
that if such unauthorized access does occur that no sensitive
information will be stolen, opt to have less security then other
systems. In actuality, by one system not having enough security,
the entire network can be put at danger when a mischievous user
wishes to break into a users account which may be accessed by
that system. See Stoll, 353-54 (stating an Australian hacker
broke into Mr. Stoll's computer account because a connected
computer's system manager did not wish to have a high level of
security.
169. Stoll, 32. Many military computers and sensitive
scientific computers operate in a secure environment. This is
created by not allowing the computer system to have any telephone
links to the outside world (i.e. outside of the building.
170. By having a secure system, information at the computer site
can only be removed by a person walking into the computer center,
copying the information and then walking out with it. This is
both burdensome (it is much easier to access the computer from
one's home or office) and cumbersome (since a person will have to
walk around with reels of data that will later be put back into
the system.
171. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287
before the Subcomm. on Criminal Justice of the House Comm. on the
Judiciary, 100th Cong., 1st Sess. 44, n. 27 (1989) (statement of
Marc Rotenberg, Director, Computer Professionals for Social
Responsibility).
172. Colvin, Lock up the Keyboard Criminal, Telecommunications
Lock up the Keyboard Criminal
PLC (England), June 1990, p. 38. Michael Colvin, the author of
Great Britain's Computer Misuse Act stated that the passage of
the bill should not be looked at that the computer owner should
not have security measures on their computers. Id. The bill, he
Id.
states, was made only to compliment, not substitute, the users
security measures. Id. In West Germany, the severity of the
Id.
punishment for hacking depends on the effort that was required to
commit the offense. Fagan, Technology: EC urged to Strengthen
Technology: EC urged to Strengthen
Laws on Computer Crime, The Independent, Feb. 13, 1990, 19.
Laws on Computer Crime
173. McGourty, When a hacker cracks the code, The Daily
When a hacker cracks the code
Telegraph, October 22, 1990, p. 31.
174. A Password is a word that is either given to the user by
the system or selected by the user to prevent others from
accessing his computer or account within the computer. This
words, groups of letters or symbols are supposed to be kept
secret so as to not let other who are not authorized to access
the system have access to it.
175. Donn Seeley, A Tour of the Worm, Department of Computer
_____________________
Science, University of Utah, Nov. 1988, reprinted in General
reprinted in
Accounting Office, Computer Security: Virus Highlights Need for
Improved Internet Management, 20 (1989).
176. Authers, Armed with a secret weapon, Financial (London)
Times, Feb. 5, 1991, Section I, 16.
177. Id.
178. For a discussion of this virus, see, Branscomb, Rogue
see Rogue
Computer Programs and Computer Rogues: Tailoring the Punishment
Computer Programs and Computer Rogues: Tailoring the Punishment
to Fit the Crime, 16 Rutgers Computer & Tech. L.J. 1, 14-16
to Fit the Crime _______________________________
(1990) (discussing the applicability of state and federal law to
computer viruses).
179. Jim Thomas, publisher of the Computer Underground digest
argues that computer pirates actually buy more programs then the
average computer program buyer. Letter from Jim Thomas to Brian
J. Peretti ( (discussing computer pirating of software)
180. See, GNU Manifesto (available at American University Journal
of International Law and Policy). See also, Stallman, GNU EMACS
See also,
General Public License, (Feb. 11, 1988) (available at American
University Journal of International Law and Policy).
181. The GNU Manifesto (available at the American University
Journal of International Law and Policy).
182. The author proposes that such copyright protection last for
only two years. By granting the creator such protection for a
short period of time, he will be able to recover the expenses
that he put into the writing of the program.
If this type of protection is granted, it should be
understood that the creator of the program has a copyright to the
sourcecode of the program for that period. If he updates the
program after the two year period, the updated code will be
protected, but the original code will not be granted the
protection. In this manner, an author cannot attempt to give
copyright protection to a program after the copyright has
expired.
183. Electronic letter from Brian J. Peretti to Dorothy Denning
(Nov. 13, 1990) (concerning computer crime).
184. This will be a semi-secure system.
185. The system, of course, will have a system manager who will
create the accounts for the users. His account will be off
limits to those who wish to use the system. At the same time,
individuals will be encouraged to attempt to break into the
manager's account and tell him how it was done in order to
improve security for this and other systems.
186. The problem still exists that information learned through
the use of this system may allow those who use the system to
break into other computer systems. This problem can be corrected
by having the system manager and the users communicate problems
with the system so that they may be corrected on other systems.
187. United States v. United States Gypsum Co., 438 U.S. 422, 425
(1978).
188. S. Rep. No. 432, 99th Cong., 2d Sess. 6, reprinted in 1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2484.
189. Stoll, The Cuckoo's Egg.
190. The countries which a person can go to could be any country
in the world, except Albania, since they are the only country
whose computers are not connected to outside computers. Stoll.
191. A school in Red Bank, New Jersey, has instituted a "computer
responsibility training". Weintraub, Teaching Computer Ethics in
Teaching Computer Ethics in
the Schools, The School Administrator 8, 9 (apr. 1986).
the Schools, ________________________
192. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in 1986
reprinted in
U.S. Code Cong. & Admin. News 2479, 2481.
193. Electronic Mail Letter from Rop Gonggrijp to Brian J.
Peretti (Jan. 25, 1991) (concerning computer viruses). "We have
to watch that we keep telling people how virusses work, because
that is the only solution to the problem: mystifying the whole
thing ans just hunting down "computer terrorists" is useless and
(as proven in the US and Germany) leads to a questionable style
of government in the field of information technology..." Id.
Id.
194. General Accounting Office, Computer Security: Virus
Highlights Need for Improved Internet Management, 25 (1989).
Adsense 3 Column best blogger templates
15 years ago
No comments:
Post a Comment