INFOJACKING@: CRIMES ON THE INFORMATION SUPERHIGHWAY!

By: Marc S. Friedman and Kristin Bissinger¹

INTRODUCTION: A WHOLE NEW WORLD OF CRIME

This morning seems like all others. You sit down to breakfast, open your newspaper over a freshly brewed cup of coffee and begin your day. However, the news reported in today=s paper is different than the news reported over the last five, ten or twenty years. For example, you read that Harold J. Nicholson, a veteran C.I.A. agent responsible for training novice agents in the art of capturing the secrets of foreign governments and eluding Aenemy@ detection, has used his personal computer over a period of two years to sell top secret United States government information to Russia.

Computer crime reports -- like that of the rogue C.I.A. agent -- are beginning to crop up on a daily basis.² For instance, recently a Columbia University doctoral student, was charged with sexually assaulting a female student he met over the Internet. In another case, an Internet user attempted to electronically hire someone to rape and sexually mutilate his wife.³

Of course, these are sensational computer crimes compared to the less-publicized instances of computer fraud and intellectual property infringement which regularly occur on the Internet. But when such fraud and infringement cases are analyzed and the data compiled, then the extent of damage suffered by governments, private corporations and even individuals from these lesser-known computer crimes makes them equally, if not more Asensational@.

A study conducted by WarRoom Research found that 58% of the 236 corporate respondents suffered computer break-ins within the previous 12 months. Of such corporations experiencing break-ins, 18% of the losses incurred exceeded $1 million each and 66% exceeded $50,000⁴. That was merely the monetary loss incurred. What of the start-up software development company whose only asset is its intellectual property? Imagine the catastrophic effect that piracy of that property and mass distribution via the electronic channels has on a small software business. ⁵ It has been estimated that 40% of the software used in the United States is illegal and that six out of seven users of software overseas utilize pirated software.⁶

Moreover, many businesses are reluctant to admit that their computers were broken into. According to William J. Cook, the author of the Justice Department's manual on computer prosecution, organizations often swallow losses quietly rather than notifying the authorities and advertising their vulnerability to shareholders and clients.⁷ Thus, the losses are likely far greater than reflected in published reports.

Espionage, abuse, fraud and intellectual property piracy are just some examples of computer crimes that have become prevalent with the ubiquitousness of the Internet and the explosion of electronic communication. Ordinarily, the law keeps pace with the technological changes in society. However, rapid technological advancements like the Internet clearly threaten to leave the law behind. This article describes the Internet, the Acomputer crime@ laws which govern the Internet, the types of crimes now appearing on the Information Superhighway⁸, jurisdictional concerns and prosecutorial resources available in the United States.

OVERVIEW OF THE INTERNET

To a technical specialist, the Internet is a global network of computers based on TCP/IP and other high speed communications protocols with thousands of nodes and millions of users. For the rest of the world, the Internet is an exciting new way to communicate. The main uses of the Internet are to exchange electronic mail, transfer files between computers, and remotely access host computers. Over 100 countries allow millions of individuals and military, educational, governmental and commercial organizations access to the Internet. Distance between the parties is irrelevant -- it is as easy for a Manhattanite to communicate with a Parisian as with someone in Brooklyn. The Internet is also truly mass-media. The inherent limitation of traditional mass-media is that it is a one way street: the masses cannot talk back. On the Internet, masses communicate (i.e. Anet-surf@) with masses.

Businesses are also net-surfing. Major corporations maintain Aweb sites@ that can solicit feedback and advertise new products on the world wide web. Today consumers can even download samples of music before making purchases via the Internet⁹ and can place mail orders for compact disks through the Internet. In 1994, the Rolling Stones selected an online agent to market their merchandise and to allow fans to download video clips and information about the band.¹⁰ The Stones later broadcasted five songs from a Dallas concert over the Internet.¹¹ These songs -- as well as other Rolling Stones' songs -- can be downloaded to a PC and played in A.wav@ format.

This is all made possible by digitizing information (i.e. encoding it into a series of ones and zeroes). Digitized information can be copied endlessly and perfectly. Indeed, software, games, multimedia, audio, video, still pictures, conversations -- virtually any type of information -- is now digitized.

Since the 1980's, digitization and cheap and widely available personal computers have made copying easy, perfect, and fast -- regardless of how many generations of copies have been made, how the information is stored, or how many people are copying it. Since quickly making thousands of perfect copies is possible for anyone with a PC, the only remaining barrier to widespread copying is access to material worth copying. Advanced communications networks like the Internet provide virtual access to material which really is worth copying.

Unfortunately, the wide variety of information that can be transferred, the open, unregulated nature of the Internet, and the irrelevance of geography means that the Internet also provides fertile ground for criminal enterprises. Since the Internet is composed of computers, crimes occurring on the Internet are Acomputer crimes@. But defining a Acomputer crime@ is difficult. A computer can be the subject of a crime by being stolen or damaged; it can be the site of a crime (such as fraud or copyright infringement); or it can be the instrument of a crime, such as when it is used to access other machines or store information illegally. These are all computer crimes in the sense that a computer is involved, just as the theft of a target pistol, a murder committed with a handgun, and attaching a silencer to a revolver are all Ahandgun crimes@.

Since the Internet's strength and purpose is facilitation of communications, traditional crimes such as conspiracy, solicitation, securities fraud, and even espionage can be committed via the Internet. Since so many different types of crimes can be committed with computers -- especially on the Internet -- it is difficult to draft effective Acomputer crime@ legislation. Prosecutors have typically fit computer crime prosecutions into existing laws which were drafted without computers in mind.

THE LEGISLATIVE RESPONSE: COMPUTER CRIME STATUTES

A. THE COMPUTER FRAUD AND ABUSE ACT OF 1984

Federal and state legislatures responded to the problem by enacting statutes that prohibit Acomputer crimes@. The first federal computer crime statute was the Computer Fraud and Abuse Act of 1984, 18 U.S.C. '1030 (1984) (the ACFAA@). The difficulty in drafting effective computer crime legislation is illustrated by the fact that only one indictment was ever made under the CFAA before it was amended in 1986.¹² Under the CFAA today, it is a crime to knowingly access a computer without authorization and to obtain certain defense, foreign relations, financial information, or atomic secrets.¹³ It is also a criminal offense to use a computer to commit fraud, to Atrespass@ on a protected computer, to transmit programs, information, calls or commands that intentionally cause damage to a protected computer and to traffic in unauthorized passwords. AProtected computers@ are defined by law as computers being used in interstate commerce or foreign commerce or communications.¹⁴ Thus, a computer used for private business or commercial purposes which transverses interstate lines for communication or commerce is a protected computer. Punishments for the foregoing acts include substantial fines and long jail sentences.

Prosecutors' use of the CFAA is illustrated by the Morris case¹⁵, which perhaps is the most infamous crime committed on the Internet. On November 2, 1988, Robert Morris sent a computer Aworm@ across the Internet from the MIT computers. The Aworm@ replicated itself through the network much faster than Morris had anticipated, and thereby caused an estimated 6,200 Internet computers to shut down.¹⁶ The cost of eradicating the worm from the machines was estimated variously to be in the hundreds of thousands, millions, or even hundreds of millions of dollars.¹⁷ If Morris had coded his worm to be destructive, untold additional damage would have been done. Morris was subsequently charged with violation of ' 1030(a)(5)(A) of the CFAA which prohibits intentional unauthorized access to a federal interest computer with a resulting loss of $1000. Morris's defense was that although he did intend unauthorized access, he never intended to cause damage. But the District Court (and later the Second Circuit) found that intent to access the federal interest computer was sufficient by itself to warrant conviction. Morris was sentenced to three years probation, 400 hours of community service and a fine of $10,500.¹⁸

Ironically, when Morris discovered the damage being done, he considered writing a Aworm killer@ antidote program, but decided that he had caused enough damage. Although the antidote might have been effective, it also would have exposed Morris to additional criminal liability on a second offense.

Morris' antidote worm raises the question of whether all worms or viruses are evil, and should be prohibited. For example, software vendors might want to release a Agood@ worm which looks for and reports suspicious activity, such as the caching of pirated software.¹⁹ Whether this is also illegal under the CFAA is questionable. Already there is a legitimate program called, ASecurity Analysis Tool for Auditing Networks@ (ASATAN@) which attempts to breach security devices. SATAN is intended to be used by system administrators to expose security flaws in networks. Is using SATAN a crime? Are SATAN's authors liable as accomplices if SATAN is used illegally? Only time will tell.

A second curious feature of worms and viruses is that they are only harmful when activated. A copy of an inactive worm could be transmitted across the Internet without causing any harm, because until it is activated no harm is done. Under current federal laws, the programmer could be charged with attempt only. The danger is clear: one command and a destructive worm can activate and wreak havoc.

The danger of viruses is not at all restricted to the United States. In November, 1995, Christopher Pile of Great Britain was prosecuted under that country's Computer Misuse Act of 1990 for creating two viruses named APathogen@ and AQueeg.@ The viruses are particularly dangerous since they come with a third program whose only function is to conceal the viruses from standard virus checking software. For his crime, Mr. Pile was sentenced to eighteen months in prison. Nevertheless, the damage was done -- the viruses spread throughout the world and inflicted widespread damage. In fact, Pile=s prosecutor stated in court that one company alone had lost over $750,000.²⁰

B. THE ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986

In 1986, Congress also passed the Electronic Communications Privacy Act of 1986, 18 U.S.C. ''2510-20, ''2710-20 (1992), (the AECPA@). This updated the Federal Wiretap Act to apply to the illegal interception of electronic (i.e., computer) communications or the intentional, unauthorized access of electronically stored data. On October 25, 1994, Congress amended the ECPA by enacting the Communications Assistance for Law Enforcement Act²¹ (ACALEA@) and, in so doing, noted in House Report No. 103-827 that, AIn the eight years since the enactment of ECPA, society's patterns of using electronic communications technology have changed dramatically. Millions of people now have electronic mail addresses. Business, nonprofit organizations and political groups conduct their work over the Internet.@²²

C. MORE TRADITIONAL CRIMINAL LAWS

Often, a computer crime can be prosecuted under traditional laws. For example, federal law prohibits threatening the President's life. This legislation was not drafted with e-mail in mind, but e-mail is one method for making such threats. In April of 1994, Matthew Thomas sent a message over the Internet to President Clinton stating that he was going to Acome to Washington and blow your little head off. . . .@²³ The threat itself is a crime, and in June, 1994, Mr. Thomas pled guilty to the felony of violating Title 18 U.S.C. ' 875(c).²⁴

A more disturbing case of threats on the Internet involved University of Michigan student Jake Baker.²⁵ Mr. Baker posted a story to the Internet entitled, APamela's Ordeal@ which graphically described the torture, rape, and murder of a woman who, coincidentally, had the same name as one of Baker's female classmates. Although Mr. Baker was jailed after his arrest on charges of violating 18 U.S.C. '875(c), the District Court eventually dismissed the charges.²⁶ The latest in this string of cases involves the electronic musings of an anti-hunting activist who remarked online that California State Senator Tim Leslie ought to be hunted himself after voting to allow a resumption of cougar hunting. The activist, Jose Savedra, was charged with terrorism.²⁷

Espionage laws also were drafted without the Internet in mind, but may be applied to Internet users. The real threat is that sensitive information can be quickly sent overseas to hostile governments. Hans Heirich Hubner was a hacker whose espionage group was able to use networks to access, steal, and subsequently sell American software to the KGB.²⁸ Not unreasonably, the federal government views certain American software as a military asset worthy of protection as a matter of national security. Unfortunately, any type of information, including software placed on the Internet, may be intercepted and sent abroad. Among the software used in America for encrypting data is a software package called Pretty Good Privacy (APGP@) written by Phillip Zimmerman. The package is so secure, that the U.S. Government considered it an armament and prohibited its export. When the package was placed on the Internet by one of Zimmerman's friends, the government targeted Zimmerman for violating U.S. export laws.²⁹ Although the government decided not prosecute Zimmerman, the debate over encryption technology rages on. PGP can be obtained by American citizens today, however special procedures must be followed and only certain versions of the software are legal within the United States.³⁰

The reason for the debate is two-fold: (i) legitimate retailers who market their wares on the Internet are concerned that hackers will intercept their customers' credit card numbers; and (ii) ordinary citizens believe that their right to privacy should prevent the U.S. government from freely reading their electronic mail. Their solution has been to use encryption software. How secure encrypted credit card numbers are is a relatively novel question. If a relatively weak encryption system (such as the one favored by the government) can be broken by hackers, then the potential losses are staggering.

D. THE COMMUNICATIONS DECENCY ACT OF 1995

On February 1, 1995, Senator Exon introduced additional federal legislation of computer crime. Entitled the ACommunications Decency Act of 1995@, among other things, the bill is aimed at prohibiting obscene or harassing communications made through a computer.³¹ In the wake of the April 19, 1995 bombing of the Federal Building in Oklahoma City, Oklahoma, the Senate Judiciary Subcommittee on Terrorism, Technology and Government Information scheduled a series of hearings to determine whether the federal government could curb the dissemination of materials containing instructions on how to create explosives and anti-Semitic or racist pamphlets.³² In early 1996, President Clinton signed the bill into law. The resulting law, the Communications Decency Act of 1996, came under immediate fire from the American Civil Liberties Union (AACLU@) and major players in the computer and networking industry for its vague use of the term Aindecent.@ The ACLU argued that the law, as written, violated the constitutional right to freedom of speech and expression guaranteed by the First Amendment. However, the government felt the regulation was necessary in order to protect the interests of children and to prohibit obscenity and patently offensive information from being disseminated freely. On June 12, 1996, a panel of judges from the Third Circuit blocked the law on the grounds that it violated Constitutional free speech guarantees.³³ The government appealed this decision on September 29, 1996. The CDA provided a right of direct appeal to the Supreme Court; therefore a more common Acert@ petition was not applicable here. The Supreme Court must apply Astrict scrutiny@ -- the highest level of scrutiny applied in determining the constitutionality of legislation -- in its analysis of whether the CDA is overbroad or unconstitutionally vague.³⁴ Further, the legislation must provide the Aleast restrictive means@ of achieving its purpose of protecting children from viewing or accessing Aindecency@. The Supreme Court heard oral argument in ACLU v Reno in March 1997.

On June 26, 1997, the Supreme Court of the United States held that the CDA lacked the precision that the First Amendment requires when legislation attempts to regulate the content of speech. The Aindecent transmission@ and Apatently offensive display@ language in the CDA abridged freedom of speech protections granted by the First Amendment. The Supreme Court noted in its decision that the CDA failed to define what was considered Aindecent@, in addition to the fact that there was no requirement in the CDA that Apatently offensive@ materials lack any redeeming societal value. The government is expected to present a modified and redrafted version of the CDA shortly in an attempt to address the Supreme Court=s reasoning for finding portions of the CDA invalid and create a constitutionally permissible statute that also meets the government=s objectives.

E. THE ANTI-COUNTERFEITING CONSUMER PROTECTION ACT

In July 1996 the Anticounterfeiting Consumer Protection Act of 1996 (AACPA@) was passed. The ACPA is aimed at addressing the distribution of counterfeit software (as well as other multi-media products) and increases penalties for the pirating of copyrighted or trademarked intellectual property.³⁵ The ACPA, in addition to modifying the federal penal code, has amended sections of the Lanham Act so as to give a trademark owner a choice of statutory or actual damages.³⁶ This choice allows owners whose damages are small, but where the infringement is particularly egregious, to elect the statutory remedy of $100,000 as damages against the infringer.³⁷

Of course, as its name suggest, the ACPU also attempts to protect consumers against the importation and unknowing purchase of counterfeit goods by amending '526 of the Tariff Act of 1930 to allow the United States Custom Service to assess civil penalties against infringers/counterfeiters for the importation of fraudulent goods. ³⁸

F. THE ECONOMIC ESPIONAGE ACT OF 1996

Finally, on October 11, 1996, the Economic Espionage Act of 1996 was signed into law.³⁹ The intent of the Economic Espionage Act of 1996 is to crack down on trade secret misappropriation and provide the victims of such espionage with adequate penalties so as to dissuade future deception and fraud. Under the Act, it is a crime knowingly commit an offense which benefits a foreign government, foreign instrumentality or foreign agent. An offense is defined under the Economic Espionage Act as stealing, or without authorization, appropriating, taking, carrying away, concealing, copying, duplicating, sketching, drawing downloading, uploading or otherwise conveying a trade secret or receiving, buying or possessing the same knowing that the trade secret has been stolen.⁴⁰

Persons or organizations committing an offense or conspiring to commit an offense are subject to stiff penalties for their wrongdoing. Penalties for individuals misappropriating trade secrets for the benefit of foreign entities include fines up to $500,000 and fifteen (15) years in prison, while organizations breaking this law are subject to fines up to $10,000,000.⁴¹. The enforceability and adequacy of the Economic Espionage Act are still to be tested, and use of this legislation as a means of curbing trade secret espionage should present an interesting vehicle for prosecuting such crime in the future.

G. OTHER FEDERAL CRIMINAL STATUTES

Other federal criminal statutes used to prosecute computer crimes are the criminal copyright infringement statute (17 U.S.C.A. '506(a)), the wire fraud statute (18 U.S.C.A. '1343), the mail fraud statute (18 U.S.C.A. '1341) and the National Stolen Property Act (18 U.S.C.A. '2314). By the mid-1990s, nearly every state had enacted computer crime statutes. New Jersey's laws are typical: in 1984, New Jersey amended its theft statute, N.J.S.A. 2C:20-1, et seq, to allow a person to be convicted of theft for knowingly or purposely altering, damaging, taking, or destroying computer equipment, data, or programs. The seriousness of the offense is measured by the value of the data, service, or equipment which is wrongfully altered, damaged, taken or destroyed. Accessing a computer to commit fraudulent schemes or to interfere with financial instruments is also considered theft. The statute criminalizes wrongful access by itself and disclosure of data which is gained by wrongful access. Victims are entitled to compensatory and punitive damages, as well as the costs of investigation and litigation (including attorney's fees). Hackers may also be prosecuted under a state statute that corresponds roughly with the ECPA.

COPYCATS AND COPYRIGHTS

It has been estimated that tens of billions of dollars of revenue are lost each year to copyright infringements on the Internet. Messages in certain news groups on the Internet appear to be almost entirely composed of copyright infringements. It is unlikely that the copyright owners posted these messages on the Internet for free public consumption. Although video, audio, and text can be pirated easily via the Internet, software is the most common target.

The Internet has enabled a global software piracy industry. Huge amounts of pirated or bootlegged software can be (and are) copied (i.e. Acached@) onto unwitting host machines. Within a matter of hours or even minutes, multiple users around the world instantly make hundreds, or even thousands of illicit copies. When the owners of the host machine learn what has happened, they purge the pirated software, but the damage is done. The complete cycle from copying to shutdown occurs so quickly that court papers often cannot be drafted, much less filed. Moreover, the host computer actually may be in Hong Kong or Bulgaria, and the pirates are anonymous users with bogus identifications and nicknames.

Copyright infringement is a serious problem on the Internet because once copyrighted material is on the network, there is virtually no limit to its distribution. Under section 506(a) of Title 17, criminal copyright infringement may be prosecuted.⁴² To prove criminal copyright infringement, the government must show that (i) a copyright has been infringed, (ii) willfully, and (iii) for commercial advantage or private financial gain.⁴³ Already criminal copyright infringement has been proved with respect to illegally copied software (often called Apirated@ or Abootleg@ software). Copying files illicitly on the Internet satisfies the first and second elements. The third element, commercial advantage, is satisfied when pirated software is traded for other pieces of pirated software (or for money.)⁴⁴

At least in financial terms, copyright infringement probably is the most serious crime committed via the Internet. According to one commentator, a review of news groups such as alt.binaries.sounds.movies, alt.binaries.sounds.tv, and alt.binaries.sounds.misc, shows that the messages contained within the groups are almost entirely copyright infringements.⁴⁵ It is unlikely that the holders of these copyrights posted these messages on the Internet for free public consumption. Although video, audio, and text can be pirated easily via the Internet, it is software which is most often targeted. No one truly knows what copyright infringement costs copyright holders each year, but the true figure is probably in the billions of dollars, and possibly in the tens of billions of dollars.

NEW FRAUDS; OLD LAWS

Robert Morris was punished under the CFAA, but other fraud statutes have been used to successfully prosecute computer criminals. Although the Internet is a logical or virtual concept, it is manifested in the form of communications lines connecting computers. Fraudulent schemes conducted on the Internet therefore fall under Federal wire fraud statutes.⁴⁶ For the government to convict a defendant of wire fraud, the government must show: (i) a scheme to defraud by means of false pretenses; (ii) defendant's knowing and willful participation in scheme with intent to defraud; and (iii) use of interstate wire communications in furtherance of the scheme.⁴⁷ The plan does not need to succeed to warrant criminal liability.⁴⁸ Prosecuting wire frauds committed on the Internet is peculiar since a message from Buffalo to Manhattan may leave the State of New York and be routed through Phoenix. In this case, the communication is interstate even though the defendant may not have intended or even been aware of it. If the communication is not across state lines, then the statute is not satisfied.⁴⁹

If the scheme perpetrated through the Internet contemplates using the U.S. Mails (for example victims mailing money to defendant), then the defendant faces additional liability under the federal mail fraud statute.⁵⁰ Penalties for violations of these two acts include up to five years imprisonment and fines of $1000, unless the scheme involves a financial institution, in which case the penalties are increased to a maximum of $1,000,000 and thirty years imprisonment.

Mail fraud need not be committed by experienced criminals. Witness the activities of a fifteen year old Utah boy who was recently arrested for bilking Internet users out of as much as $10,000.⁵¹ The boy set up a mailbox using a false identity and then advertised computer parts over the Internet.⁵² Customers were asked to pay c.o.d. or by certified check. When the customer opened the box that supposedly contained the computer parts, it would be empty.⁵³ The customers would be unable to stop payment on the cashier's check and the money would be gone.⁵⁴

Conventional fraudulent schemes have found new life on the Internet. Federal law enforcement officers estimate that over ten billion dollars worth of data is stolen in the United States each year.⁵⁵ Credit card fraud schemes are possible by convincing victims to e-mail their credit card numbers for a free weekend, or some other bogus prize. Securities scams are also perpetrated on the network in a cyberspace version of the boiler room stock game. False news is spread on the rosy prospects of a little-traded penny stock to spur interest. As the price rises, the con artists sell their shares for a hefty (and illegal) profit. This practice has become so common that the Pennsylvania Securities Commission in conjunction with the North American Securities Administrators Association issued an Investor Bulletin for investors.

Another fraud which could easily be committed on the Internet is an e-mail version of the Computer Matching Institute fraud.⁵⁶ Louis Rex Curtis advertised the AComputer Matching Institute@ in newspapers. Respondents to the advertisements would be mailed an application to Apsychologically@ match them with the perfect partner. After mailing in the application -- with a fee -- the applicants would never hear from Curtis again. Such a scheme is perfectly suited to the Internet because of the younger demographics of Internet users.

In terms of dollars, the largest fraud may have been committed by Jim Lay of North Carolina.⁵⁷ The scam reportedly cost six telephone companies $28 million.⁵⁸ Using the computer name, AKnight Shadow,@ Lay, an MCI Telecommunications Inc. employee, sold between 50,000 and 100,000 telephone calling-card numbers world wide.⁵⁹ Lay is now in federal prison.⁶⁰

In a report released during the first week of June, 1996, the Federal Trade Commission (AFTC@) stated that it expects consumer fraud to increase on the Internet⁶¹. Already the FTC has investigated and halted several fraudulent schemes over the Internet, including a pyramid scheme that cheated investors out of $6 million.⁶²

At the corporate level, large companies, especially banks, are often the targets of computer fraud. A recent survey of 200 businesses yielded the startling statistic that 95% admitted to being victims of computer frauds.⁶³ Another recent survey by Ernst & Young found that of 1290 businesses surveyed, nearly half suffered financial losses due to a break of information security in the past two years. Twenty of these respondents suffered losses in excess of $1 million. In a September, 1995 incident, Citibank managed to recover all but $400,000 of $10 million that had been siphoned off by Russian hackers in fraudulent transactions.⁶⁴ The British Banking Association has estimated that $8 billion was lost by banks alone through computer fraud.⁶⁵ According to a recently released report from the Senate=s Permanent Investigations Subcommittee, major banks and corporations lost $800 million from intrusions by hackers in 1995.⁶⁶ The problem of information assault over the Internet is now so widespread, however, that some companies are admitting their vulnerability. Rockwell International, Inc. claims to be under attack on a Aregular basis@ from hackers attempting to break into the company's computers via the Internet.⁶⁷

Although the Internet is made up of physical devices (computers, wiring, modems, etc.), the vast majority of the Internet is composed of intangible intellectual property, some of which is owned by the U.S. Government. If this government property is stolen and sold, the seller faces criminal liability for the sale or conversion of Government property. Penalties are a $10,000 fine and ten years imprisonment unless the value of the property is less than $100, in which case penalties are reduced to $1,000 fine and one year imprisonment.⁶⁸ Information has been held to satisfy the statute.⁶⁹

It would seem likely that the National Stolen Property Act⁷⁰ (ANSPA@) could also be applied to the unlawful transportation of information across state lines via the Internet. The NSPA provides criminal penalties for the interstate transport of any stolen property, not just the government's stolen property. The NSPA requires that, Agoods, wares, merchandise, securities or money,@ be the illicitly obtained items which are transferred across state lines. Early cases split on whether the Agoods,

wares, and merchandise@ had to be tangible. In Dowling v United States,⁷¹ the Supreme Court seemed to settle the issue by holding that the NPSA does not apply to copyright infringement, but rather requires that physical goods themselves have been stolen, converted, or taken by fraud -- making the NSPA irrelevant in the intangible world of cyberspace.⁷²

But in U.S. v Riggs,⁷³ the court upheld the indictment of Robert J. Riggs, (a.k.a. AProphet@) and Craig Neidorf (a.k.a. AKnight Lightning@) on charges of wire fraud,⁷⁴ and violation of the NSPA for their theft of a Bell South text file containing 911 codes.⁷⁵ Riggs argued that Aelectronic impulses@ did not satisfy this requirement. In support of his argument, Riggs cited Dowling's⁷⁶ holding that unauthorized copies of copyrighted musical material did not satisfy the statute. The District Court distinguished Dowling by ruling that Riggs had transferred, Aconfidential, proprietary business information, not copyrights.@⁷⁷ Riggs' narrow distinction of copyrights from trade secrets has not gained widespread acceptance. In United States v Brown,⁷⁸ the Tenth Circuit relied on Dowling and explicitly rejected Riggs by refusing to allow the United States to indict John M. Brown under the NSPA for retaining a hard disk containing misappropriated source code. The Brown court ruled that source code did not constitute Agoods@ under the NSPA.⁷⁹

One item that certainly satisfied the requirement of being Agoods@ is the bust of Mickey Mantle that was stolen from Yankee stadium in the mid 1970's. The bust was recently offered for sale through the Internet after the Hall of Famer's death in 1995. Acting on tips from Internet users, the FBI ran a sting, recaptured the bust, and arrested Robert Pagani for violating the NPSA.⁸⁰

WHAT'S IN THE GUTTER OF THE INFORMATION SUPERHIGHWAY?

The apparent anonymity that users feel when communicating through a PC helps explain the relatively high levels of network traffic in pornography.⁸¹ It was recently reported that hackers had set up over a thousand hardcore pornographic images for distribution from the computers at the Lawrence Livermore National Laboratory.⁸² Since this was a government computer, the scheme was clearly illegal. If the computer were a private one, the problem is more difficult.

Since obscenity is determined -- at least in part -- on community standards, choosing the appropriate community standard can be problematic.⁸³ For example, on July 28, 1994, a Memphis, Tennessee jury convicted Robert and Carleen Thomas, a married couple from Milpitas, California, of 11 counts of transmitting obscenity through interstate telephone lines. The couple distributed pornographic pictures via their computer bulletin board which was connected to the Internet. The conviction resulted in substantial jail terms for each of them. And the Thomas= problems are not over. Utah is considering prosecuting them for the same acts when they are released from jail!

The same result could easily occur if, for example, a Times Square pornography shop went on-line. The shop, which might be staid by New York City standards, easily would be judged obscene by Memphis standards. Of course, the First Amendment's Acommunity standard@ paradigm does not apply overseas. For example, Hiroshi Kamebura of Tokyo was recently arrested for posting explicit pornographic images on his Internet home page. Whether Kamebura's home page was aberrant is questionable -- it was accessed over 100,000 times.⁸⁴

Everybody with a computer and a modem can gain access to the Internet and, as a result, children as well as adults can view to this vast warehouse of pornography. Distributing pornography to minors is a crime and, accordingly, adult bookstores usually forbid children. On the Internet, however, customers could be minors or adults -- there is no way of knowing. The problems that arise when children conceal their minority to adults pale in comparison with the problems that arise when adults conceal their majority to children.

The problem is that by presenting himself as a minor, a pedophile can engage children in e-mail conversations and thereby arrange clandestine meetings. In fact, a private investigator in Milwaukee posed as AJessica@, a fourteen year old girl on the Prodigy computer network.⁸⁵ The messages that she posted attracted a forty-five year old convicted child molester named Bryan Thomas Sisson.⁸⁶ He later sent her nude pictures of himself and several diskettes of child pornography and arranged a rendezvous at a Milwaukee motel.⁸⁷ When Mr. Sisson arrived at the motel on June 1, 1995, he was arrested by F.B.I. agents and charged with crossing state lines to have sex with a minor and sending child pornography through the mail.⁸⁸

Most e-mail users can be identified by looking at the origin of their messages, but this identity can be hidden by using an Aanonymous remailer@, i.e. one who will re-send the message with a fictitious origin. Thus, the child has no way of knowing that his or her e-mail Afriend@ is really a convicted child abuser in the next town. By the time the child discovers the ploy, it is too late.

The Sisson case is not alone. A fifty-one year old Seattle man, Alan Paul Barlow, was recently prosecuted for transmitting sexually explicit messages to a fourteen year old girl via e-mail.⁸⁹ On March 15, 1996, a Florida man was arrested for kidnaping after he used the Internet to befriend a thirteen year old suburban Chicago boy. The man, whose real identity remains a mystery, was arrested in Louisville, Kentucky as he stepped off a bus with the boy.⁹⁰ In March 1994, a Massachusetts man was charged with the rape of two youths he met by exchanging computer messages.⁹¹ In June, 1995, David Luera, was fined $1350 and sentenced to 240 hours of community service for downloading child pornography from the Internet.⁹² Mr. Luera was also ordered to register as a sex offender.⁹³ In January, 1996, Martin Crumpton of Birmingham, England gained the dubious distinction of being the first pedophile to be jailed in England for using the Internet to access child pornography.⁹⁴ The problem is so bad that America Online now offers parents a Akids-only@ chat room. But pornography still occasionally reaches youngsters who go online.

Because of the anonymity -- particularly if the messages are encrypted and the user's identity concealed -- the Internet provides a particularly good way to distribute illegal pornography. According to the National Law Journal, the largest child-pornography investigation in U.S. history took place in March 1993, in connection with the importation of child pornography from computer networks in Denmark. Law enforcement cannot discover the content of encrypted material without passwords, and passwords are only available from the sender or the receiver. If they are careful, both parties can conceal their true identities. The only real way to investigate such a scheme is an expensive, time consuming and possibly dangerous infiltration.

Finally, recent technological advances have blurred the definition of Akiddie porn.@ The traditional rationale for harsh punishment of child pornographers has been that they necessarily perpetrate sexual abuse on children. Now Scotland Yard has unearthed the use of computer graphics technology by pedophiles.⁹⁵ The pedophiles take pornographic images of adults, replace the adults' heads with those of children and slim down the limbs and torso of the adults to make them appear childlike.⁹⁶ The images can then be distributed over the Internet as Akiddie porn,@ but the pornographer can claim that it is simply ordinary pornography since no children were used.

ONE SMALL WORLD -- JURISDICTIONAL PROBLEMS IN CYBERSPACE

Japanese laws also prohibit gambling, but SSP International Sports Betting, Ltd., a British bookmaker, is already taking cyber wagers from Japanese citizens in Japan via the Internet. Whether an American casino in Atlantic City or Las Vegas could lawfully compete with its British counterparts raises issues of both Japanese and American law.⁹⁷ Since there are no boundaries on the Internet, a business like gambling which is legitimate in Great Britain or St. Maarten can be Aprojected@ into a country (like Japan or the United States) which either bars or heavily regulates that industry.

Another example of the Aprojection@ problem is the book Le Grand Secret. Le Grand Secret, authored by former French President Francois Mitterand=s doctor, describes the declining health of the former French President. The book was recently banned in France for privacy reasons. Nevertheless, eager French citizens have accessed the book from Internet sites in Pennsylvania, California, Great Britain and Switzerland.⁹⁸

Unfortunately, in many cases crossing international borders, jurisdiction is a major stumbling block in enforcing the legislation enacted. Very few treaties or international conventions exist addressing the proliferation of computer crime transversing national borders. It is this lack of a universal standard which has already begun to create enforcement problems and will only worsen. In addition, the inability of different nations to enforce their own legislation or control acts of their citizens or foreign citizens may prove a serious strain on international relations.

For instance, Germany restricts neo-Nazi propaganda which is permissible in the United States. Singapore and China restrict the on-line discussion of topics such as religion and politics--topics which are considered the most protected in the United States. Whether American cybernauts will face possible extradition to Germany, Singapore or China -- like the Thomases extradition from California to Tennessee -- may become an important issue.

Consider the case of an Argentinean student, Julio Caesar Arita. On March 28, 1996, Attorney General Janet Reno stated that a wiretap of the Internet had allowed federal prosecutors to obtain enough evidence to charge Ardita with three felony counts related to his hacking into United States military computers.⁹⁹ However, the United States extradition treaty with Argentina does not provide for his extradition to the United States. Cases like this illustrate the geographical problems and jurisdictional issues presented by the Internet.

CYBERCOPS AND ON-LINE PROSECUTORS

Much of the legislation currently in existence in the United States to prosecute computer crime is federal legislation. However, due to the variety of crimes committed using or related to high technology, a number of different federal agencies are responsible for investigation and prosecution. The U.S. Customs Services is likely be involved in a seizure of counterfeit software illegally brought to the United States from another country via plane or ship. In the same situation, the FBI may determine that it has jurisdiction under the Anticounterfeiting Consumer Protection Act--legislation aimed at upping the stakes on copyright and trademark infringement, as well as consumer fraud. Further, the Secret Service has jurisdiction over a multitude of consumer frauds and the very same counterfeiting scheme mentioned may fall within the Secret Service=s area of expertise and jurisdiction.

A. PROSECUTORIAL RESOURCES

The federal agency with the largest number of law enforcement personnel dedicated to investigating and prosecuting high-tech crime is the Department of Justice. The Department of Justice has its own Computer Crime Unit, and within the Department, the Federal Bureau of Investigation (AFBI@) has the National Computer Crime Squad (ANCCS@) with regional offices in New York, San Francisco and Washington. In addition, the FBI Computer Emergency Response Team (ACERT@) has agents in each field office whose priority duties include reporting and investigating computer criminal activity.¹⁰⁰ These two units exist specifically to fight growing technology crimes against businesses and private citizens and to root out high tech terrorists. Unfortunately, the proliferation of computer crime and complexity of technological, investigative and prosecutorial issues quite often requires federal personnel to either defer high-tech criminal activity until it becomes so egregious that allocation of resources is justified, or, to seek assistance from private, often interested parties, in the computer/information technology industry. Neither of these options is particularly palatable to the agencies. Nonetheless, the unique nature of high-technology crimes has required law enforcement to leave old practices behind.

The FBI estimates that each year it sees over a seventy percent (70%) rise in computer intrusion reports from government and private business.¹⁰¹ Further, many companies do not report incidents because they are either afraid of the serious data security questions they pose or they are simply unaware that computer files that include trade secrets or other valuable company materials have been accessed and copied.¹⁰²

The bottom line is that just about anyone with access to the Internet -- your mother, your brother, your dentist or your florist -- is a potential criminal or potential victim. As you can imagine, trying to keep up with this type of computer crime has thus far proven to be a losing battle. While the federal government has allocated certain resources, they are clearly not enough. The FBI=s NCCC has approximately 100 agents assigned to the task of receiving reports of computer crime or tracking criminal behavior, follow-up, and assisting the prosecuting attorneys with indictment and conviction.¹⁰³ While 100 agents may sound impressive, the fact that almost 6 of every 10 major U.S. corporations experienced break-ins by competitors or hackers in the last year, means more than just a heavy caseload for these agents--it means that crimes, where the threat of personal or company safety or significant monetary loss are unlikely, often get pushed aside for more imminent and serious dangers.¹⁰⁴

State and local law enforcement agencies are also charged with enforcing a state=s computer crime laws. Most states do not have divisions of their police force or district attorney staff dedicated to cases of computer theft, damage or injury and what is often perceived as victimless crime gets shuffled to the side.

B. PROBLEMS WITH PROSECUTION

In addition, computer crime, particularly crimes such as infringement and piracy, have not generated the levels of awareness or concern which makes law enforcement personnel quick to prosecute because they are often perceived to be Avictimless@ crimes.¹⁰⁵ As noted by Leonard Walton, Deputy Assistant Commissioner at the U.S. Customs Service, because the links between intellectual property crime and violent criminals causing imminent threat to life are more difficult to establish than other types of criminal activities, most often the investigative and prosecutorial resources do not act expeditiously and are less creative in applying the facts of the crime to existing legislation.¹⁰⁶ For instance, the U.S. Attorney=s office in Los Angeles declined taking part in the prosecution of a situation involving the seizure of more than $10.5 million in counterfeit software products, citing that the criminal RICO laws did not cover counterfeiting among its corrupt acts.¹⁰⁷

Another hurdle facing prosecutors and investigators of computer crime is their lack of technical understanding and experience. Litigation of intellectual property disputes are handled civilly by attorneys and sometimes whole firms, specializing in computer, technology and intellectual property. The plaintiffs and defendants are often computer companies or experts in the technology business who are able to lend support and interpretation to the case at hand. For the United States Attorney's Office or state district attorneys, finding qualified experts on staff is unusual and the costs of employing experts to handle discovery, preparation and testifying is prohibitive. The California case of The People vs. Gordon Eubanks is a good example of this.¹⁰⁸

Eugene Wang was formerly an officer of Borland International, a developer of software. He was hired by the President of Symantic Corporation, Gordon Eubanks. Symantic is a competitor of Borland. Both Eubanks and Wang were charged with the theft of trade secrets under California law. When Borland discovered that Wang had been communicating electronically with Eubanks prior to his departure from Borland and such communications contained Borland trade secrets, Borland contacted local authorities. However, since Santa Clara District Attorney=s office had no one on staff with the expertise to conduct delicate computer systems analysis at Symantic, the district attorney=s office asked Borland if it could provide computer specialists to assist. Borland declined to provide any of its employees for fear of obtaining unauthorized access to Symantic=s trade secrets, but Borland did agree to recommend alternate independent experts, and help the district attorney=s office in paying such experts for their time. Technology experts were obtained and Borland paid the invoices submitted to them for these services. In addition, local law enforcement in Santa Clara utilized outside computer specialists to retrieve Ashadow@ data from Wang=s personal computer at Borland as well as from the Symantic computers.¹⁰⁹ Later, because the fund used by the Santa Clara District Attorney=s Office to pay for professionals and expert witnesses was Aseriously constrained@, Borland was again asked to, and did, foot the bill for the specialists= work.

Although prosecution of Eubanks and Wang would probably have been impossible without Borland=s advice, participation and financial support, the corporation=s assistance to law enforcement also threatened to have the district attorney recused from the matter under the California penal code for a conflict of interest.¹¹⁰ The trial court required the Santa Clara District Attorney=s Office to recuse itself, however the Court of Appeal overturned such ruling. The case is now pending before the highest court in the state, the California Supreme Court.

C. THE FUTURE

As computer crime escalates, federal and state law enforcement will become even more burdened and less able to deal with the myriad of high technology abuses that arise each day. And, although legislation is being adopted to address such abuses, unless major changes are made within the federal and state systems, the actual resources available to investigate, prosecute and convict computer criminals will be even less adequate to handle the onslaught of computer crime as more and more people throughout the world access the Internet. The coming years will show just how hard it is to prevent or prosecute computer crimes committed on the Internet.