This column starts my foray into working with Hacksurfer (a client here) in explaining the legal side of cybercrime. These articles are first published at the Hacksurfer site, which is a very good resource for this issue. This article was published there about 3 months ago; more current articles are located there. In the coming articles I am going to start from ground zero, introduce basic legal constructs and concepts, go through primarily federal criminal statutes, and then start working through major cases. If I am successful and you manage to stay awake through it, you will have a deep understanding of the major aspects of cybercrime law. I will throw in a little procedure as well, but criminal procedure is tedious, heavily constitutional, and frankly, more relevant to prosecutors and defense counsel than the average reader here. I will also be reviewing all of the computer security laws that impact regular businesses, and going over common pitfalls, errors and issues that businesses face trying to navigate through the mass of computer security laws, rules, regulations and orders.
Just a real quick background on me – I grew up in the early 70’s and worked on every computer I could get my hands on – and learned any programming language I could when I was young. Back then there were no remotely affordable hard drives – I learned on old IBM punch card decks, mainframes and low level consumer computers like the “Trash” 80, Commodore 64 and similar products. There was no internet as we know it today, no email, and really, no electronic communications like electronic mail, short message service or instant messaging that someone not inside of ARPANET could get their hands on. To me, “hacking” always meant “hacking code” that is, trying to make the code more efficient elegant, robust, and resilient. After a few movies popularizing unauthorized acces to computers, which labeled that activity “hacking” – the term has become more criminal sounding than programming sounding. In these articles I will usually use “cracking” to describe the efforts to gain unauthorized access to a computer, and “hacking” to refer to source code development – i.e. “code hacking.”
Also a brief word about citations. I will cite to both primary source materials (i.e. the actual code, case etc) and to secondary sources, such as Wkipedia. My articles are not intended to be scholarly, so I have not verified any source or statement. I merely provide the user with additional points of reference if they are interested. Note that I am also not treating the telephone system as a general purpose computer, and for the purposes of these articles, excluding unauthorized access to non digital telephone networks.
So, let’s start at the beginning. The first real digital computer, the ENIAC, was invented in 1945, and began operations in 1946. [Ref] That computer, and all digital computers after it, until a digital transmission network was reliably established (the first true digital communication packet was transmitted on October 29, 1969 via ARPANET) had one important common feature – they were accessible only from a standard input terminal and had physical limitations, that is, they were generally not accesible remotely.
While these computers could be accessed without authorization, early computers had extremely proprietary software interfaces, it was very hard to gain physical access to them, and they tended to be operated for military or other government activity and hence were very secure. The number of reported computer crimes against these early computers is very low, and tended to be committed by employees or other persons who had physical access to the computer – true computer crime was likely related to spying. See generally, Kabay, M.E., A Brief History of Computer Crime: An Introduction for Students, at p. 5 (2008).
So before there was “cyber crime” there was “computer crime” – and conceptually this is quite a distinct crime. Computer crime was more akin to breaking and entering, or vandalism, because it tended to be destruction of the computer itself. Cybercrime as we know it today involves unauthorized access to, or exceeding authorized access in respect of, a protected computer. The key to most current cybercrime statutes is this concept of a protected computer. A protected computer is defined as “a computer— (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States” See 18 USC Sec 1030(e)(2). (emphasis added).
The emphasized language is the first step into the green is blue world of law, and your first introduction to legal terms of art. A term of art in law is a word or phrase that has a common english meaning, but has a very technical specific meaning in the legal context. In this particular case, “used in or affecting interstate commerce” essentially means any computer connected to the internet.
More on how we get there in the next installment, where we will discover how the law impacts a person accessing a protected computer. (consider momentarily you and your spouse are separating, and you want to view your spouses emails for infidelity . . . how does this concept of “protected computer” impact what you can do without committing a felony?) We will see . . .
Best – mike oliver