Computer crime: is hacking really that bad? An exploration of the cases and laws concerning unauthorised access to computers.
Peter Timusk, B.Math
for LAWS4908 the legal studies BA honours paper.
Supervisor Professor Neil Sargent
Carleton University, Department of Law.
Table of contents
1. Statement of research question
2. Introduction
3. Definition of computer crime
4. Placing the crime into a privacy framework
A) The basics of privacy in law
B) The information age and modern privacy legislation in the USA and Canada
C) The tort of invasion of privacy in the crime of hacking
D) Trespass, intellectual property and tangibility on the horizon
E) Further discussion
5. Statues and cases concerning computer crime
A) Cases of hacking and the creation of laws to deal with hacking
i.) R. v. McLaughlin, [1980] the first Canadian case at the Supreme court
ii.) The U.S. laws and early U.S. hacking cases
B) Why were these laws made?
C) Two infamous U.S. Hacking case
D) The further offence of fraud: some cases of computer crime involving fraud
E) Cases of hacking by law enforcement to gather evidence
6. Summary
7. Conclusions
Bibliography
Appendix A Canadian computer crime statutes
Appendix B U.S. computer crime statutes
This paper explores the functions of computer crime laws. It asks why unauthorised computer access or use was and is criminalised. Computers seem to be about knowledge, as in knowledge sorting, knowledge retrieval, storing knowledge, and sharing knowledge. But why do some citizens commit computer crime? And why is what they do a crime? What is it about knowledge and secrecy and private information that come to figure in computer crime? Computer crime is an issue that the law is coming to understand better. Thus it is an appropriate time in the information age to survey computer crime and the functions of computer crime laws.
Two ideas will be explored to see why computer crime exists and why there are laws against it. First, the private or secret nature of some information will be examined here. The second idea this paper will explore is the nature of the the harms involved once a computer has been accessed by a computer criminal. In other words, this second thread will be a consequentialist look at computer crime. By examining the effects of the crime we will be able to decide why it is that this is considered a crime. To really answer this second question this paper will need to trace the recent arrival of computers to the law and examine some actual cases of computer crime to assess the harm or consequences. Also there is a need to see if computer criminals are criminals as the law presently treats them. Perhaps this so called crime is not really all that harmful? Or perhaps it is? This paper will explore this question.
Introduction
Given that this paper is written in the context of studies in law in its social context, this paper is not directly about computer security. Rather this paper may also fit well in another context besides legal studies, but not technical computer security. That is this paper forms part of my present work in community informatics studies from a social impact perspective.
Using William McIver's paper on Global Perspectives on the Information Society,1 I can see this paper being that “area of focus of social informatics” that concerns itself with “the study of philosophical and ethical issues that arise due to the use of ICT[Information and Communication Technologies] in social and organizational contexts.”2 This field of social informatics is a later but now present focus of ICT studies, where community informatics is an even more recent field which McIver suggests could be argued to be a part of social informatics.3
Since I am also a worker in community informatics as a web designer for a local self-help network, I am approaching the subject of computer crime from an information society perspective, thus a knowledge society perspective. In this paper, I take legal information about computer crime from cases and legislation and secondary sources to develop and deepen my knowledge of computer crime. Knowledge meaning in McIver's view “domain specific understanding, experience, expertise and learning”.4 Thus this paper is an example of learning law and learning law in the information age.
Many scholars are seeking a framework to study the information society and many frameworks are being suggested by various scholars. McIver puts computer crime in the citizens and government perspective for such a framework,5 where law and legal studies fit in the academy. Legal studies concern studying laws and in some cases crimes or the breaking of these same criminal laws. But also legal studies must look at more than just laws. Legal studies need to examine such topics as an information age and in particular computer crime. To do this this paper will examine cases of computer crime and computer crime legislation. This paper will briefly examine the legal professions knowledge of the information age as a side product, as this is a factor in the topic of computer crime. This will call for tracing the legal systems response to the information age.
This paper will call those citizens who commit computer crime 'hackers'. These generally will be people charged with the offence of unauthorized access to a computer.
Also many computer crime historians focus on these people, the hackers as well. The stereotype of a computer break is a crime committed by smart teenagers.6 These teenagers the stereotype goes use computers obsessively to access guarded government and corporate computers. According to Wise the employee or insider computer crime is more common.7 Other authors agree this is in fact the most common type of computer crime.8 But Wise suggests that similar to other types of crime, computer crime has a dark figure of unreported crime.9 This is supported by a computer crime fighter handbook,10 written in the middle nineties written a few years after Wise, that suggests as well that corporations do not report computer crimes. The paper will also examine law enforcement and its recent use of hacking to gather evidence. As well cases will concern credit card fraud. Apparently most cases of computer crime are committed by employees and other insiders who have access to computers for legitimate reasons but then abuse these privileges.11 This type of case will also be examined.
Before we look directly at the law of computer crime, let us try to define the concept of computer crime.
Definition of Computer Crime
To begin to discuss computer crime legally a definition will be sought, much as Davis & Hutchinson start the arguments in their 1997 Carswell book Computer Crime in Canada.12 In terms of the timing of legal responses to computer crime, they start with an early Organization for Economic Co-operation and Development (OECD) definition from 1983: computer crime is “defined as any illegal, unethical, or unauthorized behavior involving automatic data-processing and/or transmission of data”.13 They continue then to introduce a Canadian law enforcement definition: “A criminal offence involving a computer as the object of the crime, or the tool used to commit a material component of the offence.”14
This Canadian law enforcement definition is also used more recently by the Canadian Criminal Justice Statistics Centre at Statistics Canada in Melanie Kowlaski's study into computer crime.15 Here she counts the number of charges under the subsections of the Canadian Criminal Code concerned with computer crime. These were: Mischief in relation to data ss. 430.(1.1), Theft of telecommunication service – s. 326, Possession of device to obtain telecommunication facility or service – s.327 Unauthorized use of computer – ss.342.1.16 These can be viewed in the Canadian Criminal Code Appendix to this paper.
Using both the law enforcement definition and the Criminal Code definition would seem to serve the purpose here. Included in the appendix are the sections of the criminal code involved in computer crime in Canada and the U.S. public code sections. This will help trace the history and development of the law of computer crime in Canada and the USA. These sections of criminal code are then used to select cases of computer crime to examine.
David Wall in his edited book Crime and The Internet,17 argues that there are various categories of computer crime in his search for a definition. He feels discerning between different levels and types of impact of computer crime will produce a working definition.18 He sees three main types of impact.19 One of these ways is to use the Internet or computers as a method of existing crimes, the second way is providing new opportunities for extending the impact of existing crime, and then finally “creating new types of criminal activity, and criminal opportunity”.20 David Wall seeks a consequentialist definition for computer crime based on the crime's impact. I have written elsewhere,21 that computer crime can be defended ethically only by examining the consequences of the crime. The cases examined here will tend to show that courts are also weighing the consequences in sentencing computer criminals.
Professor Edward M. Wise from the University of Michigan draws out these crimes from the OECD definition:
“(1) unauthorized access; (2) unauthorized use; (3) dishonest manipulation or alteration of data; (4) computer sabotage; and (5) theft of information.22
The first crime might be called hacking and in professor Wise's opinion hacking is the spectacular crime that the media focus on.23 The first one is also part of the Canadian Criminal Code section 342.1 (1) which begins “Every one who, fraudulently and without colour of right, (a) obtains, directly or indirectly, any computer service,”.24 This is also part of the U.S. Public code Title 18 § 1030. “Fraud and related activity in connection with computers (a) Whoever-- (1) having knowingly accessed a computer without authorization or exceeding authorized access,...”25 Looking at the British Computer Misuse Act (1990),26 we also find this covered there as section 1.—(1) A person is guilty of an offence if— (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case.” As can be seen unauthorised use, Wise's number 2 is also governed by these criminal statutes but not directly as use, but indirectly as access, in fact unauthorised access is limited to accessing certain types of information in the US code. The protected information in the U.S. code is either National secrets or financial information. In the British Act the illegal use is more serious only as a combination of unauthorised access with a further offence of another nature, which could be fraud. Wise's number 4 computer sabotage is covered under the Mischief sections of the Canadian Criminal code which also covers manipulation of data Wise's 3. Both of these are dealt within the U.S. Code 1030 itself and in the British Act. The British Act has this consequence as criminal: (a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; or (c) to impair the operation of any such program or the reliability of any such data. Wise's number 2 unauthorised use is similar to unauthorised access and in fact one can see the insider crime in some respects as an unauthorised use or a case of exceeding authorised use. Especially the American code against computer crime has an offence of exceeding authorised use or use out side of regular workplace use. But generally unauthorised use is covered by the statutes as unauthorised access.
One Canadian case covered here will look at the aspect of insider computer crime. As well in cases of fraud Wise' number 3: dishonest manipulation or alteration of data will be seen to have happened in some cases. In the stereotype the teenager changes his/her school marks by breaking into the school computer. The fourth category computer sabotage will be seen in only one case. The final and fifth category theft of information will be examined both in terms of computer criminals stealing computer files in one case and also in a brief look at the case of R. v. Stewart,27 where the Supreme court declared information to be outside of the definition of property for theft laws.28 Thus this is a rather unsettled terrain but can be examined in relation to computer hacking or gaining knowledge by stealing computer files. R. v. Stewart was not a hacker case though.
Can we really find an agreeable definition? Wise was writing in 1994 and found there was no agreement.29 Parker writing in 1976 established a definition but even at that point in time admitted it was relative to perspective of who was defining computer crime.30 Carter and Perry two American scholars writing in 2004 also find no agreement but offer a U.S. department of Justice definition: “any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution”31
We can see that this recent definition includes the word knowledge in particular “knowledge of computer technology”. It seems knowledge has now been added to a working definition. Also this would seem a positive definition by defining the crime as breaking a law. Kowlaski in her study attempts to measure computer crime and seeks a common international definition so as to have working police and crime statistics.32
Placing the crime into a privacy framework
Sieber writing in a more recent and general context describes the nature of the new field of information law.33 As Sieber traces the new information age and its intersection with law the topic of harm comes up.34 Sieber is describing the new field of information law but must warn about the dangers of the information age.35 Harmful or illegal content, such as hate speech web pages, or child pornography on the Internet are one aspect of computer crime. But this is not in and of itself part of hacking nor the computer crime considered here in this paper. Sieber suggests that 'responsibility for information' in these cases of harmful information and for cases of false information will fit in our present laws whether public, civil, or criminal.36 Hacking though could be handled with newer laws.
We could take the idea of responsibility such as in auto traffic, and perhaps apply it to computers to reduce computer crime such as hacking. Much like an ID in a computer system or a national ID system like the social insurance system Internet access could be regulated as drivers are and users of computers could be licensed to a minimal level of knowledge that would reflect a responsibility in their use of computers. Thus hacking could be a regulatory provincial offence of an individual misusing a licensed machine. In some respects matters such as telegraphs have been a provincial legal domain.37 Sieber suggests as do others that with the Internet being about global connectivity and file transfer across borders governments can no longer control inter border data flows.38
But it his actually Sieber's discussion of privacy and secrecy that matters in the crime at hand. Here he suggests data protection laws are the answer. He focuses on privacy and secrecy in its manifestation in databases in his chapter but I would like to suggest that invasion of privacy is the real crime in hacking.
How do credit card companies protect their customer’s privacy? Protecting credit cards so that the contracts and promises to pay remain valid could be considered data protection and does concern protection of personal information. The misuse of credit cards by stealing the numbers and committing fraud is an issue of invasion of privacy. If this fraud is done by a hacker then perhaps more than the criminal law a private law tort of invasion of privacy could be an action in court.
As long as credit cards relate to private property we will have private computer files that will require that access to these files be restricted. Thus computers will have to be considered private property. Macordum, Nasheri & O'Hearn in their paper “Spies in Suites: New Crimes of the Information Age from the United States and Canadian Perspectives” look at the question of intangibles like computer files being property.39 They are concerned about business property as in intellectual property. If business is going to make money from intellectual property, intellectual property needs to be defined as property in theft statues too. They look at the Canadian case of R. v. Stewart where an employee list is the property that was not physically stolen. It was not even stolen as a computer file but that was the intention of the union organizer who was attempting to start a union drive and needed the membership list to secure a yes vote for union certification.40 The judges found that intangibles could not be considered property for the theft section of the criminal code.41 In their paper Macordum, Nasheri & O'Hearn are concerned with industry and intellectual property but this begs the broader question concerning hackers and accessing private files.
We will look briefly at Anglo North American criminal statues concerning hacking. But we can also consider the civil law approach of a tort for invasion of privacy. This could expand our view to corporate and government databases but it may also allow us to look at privacy from state interference and thus tackle the question of law enforcement's use of hacking. We will need to cover the regular aspects of privacy and the general direction of scholars on privacy in the information age. This will connect to computer crime and the idea of snooping on someone's personal information but we will not cover the legal gathering of personal information at length only illegally gathering this information. The actual legality of information gathering changes as new laws change the rules such as the U.S. Privacy Act,42 and the Canadian Personal Information Protection and Electronic Documents Act, [2000]43 and the Canadian Privacy Act (1985)44 ,and of course The Canadian Charter of Rights and Freedoms (1982).45 Most of the privacy and computer discussions do not really examine illegal invasions of privacy such as spying on credit card data by individuals such as hackers. There is much more concern for corporate invasion of privacy and government invasion of privacy than for criminal invasion of privacy.
The basics of privacy in law
Privacy came to mean in the law and philosophy control of information about ourselves. This was decided in the law because of an earlier invention that of photography combined with the newspaper. Thus legal scholars were on notice that recording personal information was an infringement of the right to privacy and that this infringement might happen to come out of technological progress such as cameras. Cameras and photojournalism had brought the issues to the Samuel D. Warren and Louis Brandeis in their 1890 article, “The Right to Privacy” in the Harvard Law Review.46
The information age and modern privacy legislation in the USA and Canada
The year 2004 brought the Personal Information Protection and Electronic Documents Act, [2000] in effect for businesses. Wise identified the privacy legislation phase as an early phase in U.S. computer law. Wise was writing about 15 years ago. Sieber is now defining a broader field of information law. Some writers are concerned about privacy because of new surveillance technology.47 Also writers are seeing surveillance as a crime fighter’s tool in the battle against computer crime.48
The tort of invasion of privacy in the crime of hacking
Torts can be analyzed with a frame work build around the defendant. In the tort of negligence various aspects of the framework must be proved in court such as duty of care, causation, and injury. For the tort of privacy the defendant in this case a hacker must have accessed information about the plaintiff such as the plaintiff’s credit card numbers. It might also need to be proved that the plaintiff took reasonable steps to protect the information and because of these steps the defendant did not just happen upon the information by chance or without deception or hacking. Some hackers steal passwords by finding discarded office documents others intercept email messages containing passwords.49 It is either by finding out a password by invading privacy or finding out a password using code breaking like software that hackers commit the offence of unauthorised access. This could also be phrased “fraudulent access”. It is assumed that passwords are confidential information as is the information the passwords protect..
Trespass, Intellectual Property and Tangibility on the horizon
Rather than view hacking as an invasion of privacy it can be dealt with in private law categories as an invasion of trespass. The computer security experts consider it analogous to breaking into a house.50 Information that is copyrighted can also be stated in this analogy of a break-in, to protect copyright as Margaret Jane Radin points out happened in the case of the new digital copyright law in the USA, in her expose of intellectual property.51 She also shows that protection of property as a tort of trespass when it is tangible property like real estate has more power than copyright protection of intangible property like books and music.52 But her point is that intangible property like information is becoming tangible.53 As works of art are digitally recorded we can view these works as electronic files.54 These files are in fact physical things as much as they may seem to be only virtual objects. They are in fact electronic values recorded in a memory chip or hard drive. This brings the case of R. v. McLaughlin,55 into our discussion and the courts views on telecommunications as pulses of electricity.56 The courts are developing an understanding of computers as hardware just like the programmers and hackers also view computers as hardware.
In R. v. Stewart the Supreme court in a noted decision declared that intellectual property is not property for theft laws.57 This is a possible loop hole for hackers who could argue they stole nothing they only copied files. One case will examine this situation as a consequence of hacking. Yet, Radin points out that intellectual property will become more valuable as a tangible object.58 In a case of protecting a database exposed on the web from snooping robots that would access the database,59 a U.S. court protected the use of the database by customers or users, against the use by robots. A company would use these software robots to access the auction web site ebay and then resell this information on another web site. It was reasoned in the decision in this case according to Radin that the robots accessing the database/auction web site were interfering with customer access to the auction web site.60 She is arguing that the law is bringing legal protection to databases which are not protected by copyright law presently, by bringing computer databases into a more tangible property position.61 The use of the database by the robots was quantified to cost ebay damages, because the legitimate users would not have as much use of the auction web site.62 The web site was while a virtual place considered and is a finite tangible resource.
What does this have to do with hacking and the tort of trespass? Well it is argued in this paper that hackers are taking intangible information and this is also to suggest that the mere copying of a file or browsing a file is harmless. Thus computer crime has at one end of the spectrum less harm. But if we see the physicality of the computer as property then the tort of trespass has strength. Radin argues that trespass is a stronger legal doctrine,63 and stronger than copyright.64 Yet privacy is not the same as but shares copyright like concepts like the publication of information or personal intellectual property. “Copyright law won't prevent publication of personal letters”65 We may need to keep information unpublished such as an embarrassing photograph. Here we can spin all kinds of scenarios such as the embarrassment or the exposure of sexualities only because they found expression in computer files that some hacker has accessed and perhaps published. Again this seems like an invasion of privacy. But it could be stronger to argue that unauthorised access to our computers is, in fact, trespassing. Thus viewing hacking as trespassing means that unauthorised access is always a potential crime and we can be comforted by the crime of unauthorised access being an offence in our criminal code.
Further discussion
There will be more discussion of what a computer crime means after the review of cases and legislation. By then the reader should have some understanding of the cases and how the courts have dealt with this crime.
The development of computer crime law from the 1970's to 2004 is examined in this paper. This will not be an examination of hackers and the history of hacking, as many authors present the history of hackers.66 Instead this papers attempts to avoid the hype of sensationalist journalists and examines the legal facts of hacking. This is intended to allow the question to remain open as to whether hacking is a real crime or perhaps harmless behavior. Other writers also question the degree of criminality of hacking. Douglas Thomas does this in his book, Hacker Culture,67 which is a far more academic book than any of the journalist’s accounts. To his credit Bruce Sterling, a journalist and cyberpunk fiction writer does also question the degree of criminality in his book the Hacker Crackdown.68 But he covers only the infamous cases where such a questioning may be applied .Thomas also focuses on these cases. He writes about hackers in movies and how these movies demonstrate “...the manner in which the culture of secrecy is able to hide and allow a deeper sense of criminality to ferment and function. In both cases [of movies], hackers, by violating the institutions secrecy, expose criminality by enacting criminality.”69 Thus hacking can expose this worse criminality in its culture of secrecy. This thus suggests some hackers although criminal are less dangerous than their victims. If a hacker breaks into a government computer and then discovers the government committing a crime does this excuse the criminality of the hacker? Is hacking a priori a wrong act? Again this seems a question in the infamous cases but is this really what is going on here? This opening of the question of criminality occurs because in some cases the harms may not be apparent. Also in some cases it is not the actual harms but the fear of technological threat according to Thomas.70
Author Douglas Thomas in his book Hacker Culture, finds possession of passwords and access devices the only way the law can criminalize the hacker rather than finding the act of breaking in illegal.71 In fact, Thomas makes his post modern points about hackers and their identities and bodies by examining hackers and the crime and technology of hacking through ideas from Foucault's 1977 work: Discipline and Punish.72 73 This possession or trafficking in passwords is reflected in the Canadian computer crime statute after it was amended by The Criminal Law Improvement Act, [1996],74 in1997 with section 342.1(2) which criminalize possession of access devices or passwords. Douglas Thomas sees hacking as coterminous or coexistent with secrecy.75 In particular the secrecy that is needed or perhaps not needed, but presently used so that computers can function as personal property. Passwords protect, make secure and create privacy for personal computers. Passwords are kept secret in this situation.
Related to secrecy is privacy. Privacy is a right to keep ones personality unpublished.76 But privacy is not like the right to property or private property.77 Privacy is needed to allow individual autonomy such as owning a credit card. This privacy is invaded in the crime of hacking with the further offence of credit card fraud.
Privacy laws in Canada were updated and made more complete recently. Let’s look at the USA for a moment in this regard because the U.S. laws follow a slightly different progression and one phase of this progression concerns privacy.
Edward Wise writing in Seiber's survey of international computer crime law identifies three phases of computer law in the USA78. The first is the privacy legislation phase which Wise connects to the Fair Credit Reporting Act of 1970,79 and then the Privacy Act of 1974.80 The second phase is identified as the computer crime phase that is examined in this paper. The third phase Wise identifies is the intellectual property phase. While many in the legal profession are writing and studying this final phase,81 it is not the intent here to look directly at intellectual property laws. There is of course the question in hacking of stealing property that is intangible. In fact, copying files is in some respects not theft, in the same way that teenagers stealing apples from a neighbors tree is. The apples no longer exist on the tree after they are taken but in some cases of hacking the files remain. The owner is not deprived of property but instead her privacy has been invaded.
Thomas also comes to the conclusion that the hacker functions with mastery of computers and as a role played out because of the complexity of computers and our fears of technology. This can be seen from the infamous U.S. cases. But this does not explain the Canadian case of McLaughlin where the crime was neither strictly economic fraud nor a threat in terms of public safety. McLaughlin was not a real threat he stole computer access and spied on computer files. Much like we now look at files over the Internet. In the past files on a computer really had no “public” as only a handful of computer programmers or operators read these files. Thus someone from the outside looking in was problematic. The web has changed all that with volumes upon volumes of personal computer files and technical documents shared willingly and perhaps mistakenly in some cases and all this shared over a computer mediated communication connection. As Thomas identifies it, it is really secrecy which allows the hacker to exist and computers have needed secrecy. Without an assumption of privacy and legal right of access there can be no spying on computer files and no unauthorized access.
Rather than answer our central question of why computer crime is a crime, with infamous cases as Thomas does, cases will be chosen from a wider sample of offences and consequences. These will be chosen for the laws that are broken. These laws concerning computer crime will now be examined. After a legislative review the paper will examine the history of cases concerning unauthorized use of a computer and related crimes such as credit card fraud, telecommunications theft, insider fraud, and the use of hacking by law enforcement. This history of cases will also include the infamous hacking cases that were the basis for the histories of hacking. Lesser known cases will also be examined here. We will look at cases of hacking with no further offence first, then hacking with a further fraud offence then finally hacking by law enforcement. Law enforcement hacking is not criminalised and is exempt from legislative prohibition in the USA statutes.
Statues and cases concerning computer crime
The examination of the statutes and the creation of the statutes concerning computer crime in the USA and Canada is interesting. These were introduced above but are further explored here for their origins. After this the U.S. codes will be explored further and discussed and cases of hacking will be brought in for discussion. Most of the cases below will include the sections of statutes involved and some discussion of how the crime did or did not fit the statute used in the charge. In the USA, Parker investigated computer crimes using media reports in the 1960's and 1970's.82 The first federal bill to address computer crime was created in 1977 but this bill did not become law.83 The bill helped prompt the first laws which were state computer crime laws,84 yet these laws did not get much use.85 There were lesser known cases occurring with these state laws but for example “less than 6 prosecutions were filed in the first five years of Florida's computer crime, the oldest state computer crime statute”.86 Florida passed its Computer Crimes Act in 1978.87
It is thought by many authorities of computer crime and some of the popular authors that this was because the police and the courts did not understand what a computer crime was.88 The Canadian case of R. v. McLaughlin seems to have been a case in hindsight where the law did not understand the crime. Or if the courts understood the crime there was as yet no law against the crime.
Cases of hacking and the creation of laws to deal with hacking
Defining hacking and the hacker is more difficult. The culture of hackers is examined in Douglas Thomas' Hacker Culture. The hacker is the criminal who commits the computer crime. Douglas Thomas concludes his first chapter with the statement he hopes will define a hacker.
“Hackers, however, are much more interested in finding security flaws and understanding how they threaten network and computer security. They are busy trying to understand how the system works, whether that be as a means to exploit it or to better understand it.”89
Could this include everyone with some curiosity about computers? Or do hackers have qualities in these descriptions that we admire and thus are likely to excuse? Are there books written to defend hackers? Are these defenses over inclusive? Why do the authors attribute too many good qualities to hackers? Why do writers write this way? Do the writers take positions on other crimes? Are these writers soft on crime?
I can't hope to answer all these questions. But Thomas does more than defend hackers. Although this academic defense is interesting what is more interesting in Thomas is his exploration of the hacker culture. But Thomas explores hackers socially rather than as individuals per say. He does conclude his book with a look at infamous cases. We will explore these cases a little in this paper but we will find much more than the infamous hacking occurring, that, in fact, Thomas seems to ignore. In fact, I believe these popular and academic writers who defend hacking ignore these more mundane yet legally significant cases.
So how does Thomas examine the social aspect that is the culture of hacking? He draws in publications that hackers make for themselves and also movies they make. He compares these movies that hackers make to mainstream movies which depict hackers, as he attempts to draw out the answer to who is a hacker and how do they behave? Here is a quote from Thomas on this aspect of culture:“Movies always show the hackers criminality but then that is a minor crime compared to the crimes these anti-heroes stop in these movies.”90
Again this is a defence of hacking. But the movies about hackers and the new public awareness have brought hacking into the public view. The law has followed very closely behind as we will now see. To go deeper into analysis of hacking we will examine the development of computer crime law in Canada and the United States of America both through cases and legislation. It is not the intent to explore hacking outside of its legal context.
R. v. McLaughlin, [1980] the first Canadian case at the Supreme court
In Canada the case of R. v. McLaughlin, [1980]91 had the Supreme court interpreting literally a theft of telecommunications law s. 287(1)(b) of the criminal code to take the term telecommunications in its plain meaning.92 This was to try a person who had without authorisation accessed a university time sharing system.93 A time sharing computer system was an early network like system that consisted of only one computer and allowed computer time to be shared between different users sometimes using terminals connected by phone. McLaughlin accessed this system without authorisation. The court felt that computers were for calculating and could not be considered equipment for communications.94 Thus the telecommunications theft statute failed to convict McLaughlin.
According to information society researcher William J. McIver, Jr.“the Canadian Government department of communications task force called the Telecommission, issued the report Instant World in 1971, which examined the societal implications of the combined use of computers and telecommunication.”95 McIver uses this fact to make a point about the right to communicate. But this points out that the Supreme Court was not aware of this report when it would not consider McLaughlin's remote access to a computer timesharing system at a university to be theft of telecommunications. The legal issue in this case brings forth the functioning of the criminal law. In the case the judges said you can not construe a criminal sanction if one does not already exist. Criminal law is too serious to literally push people into jail by pushing their crime into a law that does not fit. This was an interpretation rule that shows that criminal law statutes are to be construed towards liberty when there is doubt. In future cases such as R. v. Turner, [1998] 96 the decision of Laskin, C.J
in McLaughlin is cited for this interpretation rule.
Criminal statutes should, where there is uncertainty or ambiguity of meaning, be construed in favour of rather than against an accused. The accused must be brought fully within the statute and cannot be held guilty of a violation if it is only applicable in part. In this case the conduct of the accused was not clearly caught by the statute so as to warrant a conviction.97
Here we can see the decision may have not seen the extent of the computers use as a communications device. We also see the law in the written decision by Richie and Estey JJ. beginning to examine electricity and the electromagnetic transmission of data. I include this quote here as a side note on the actual understanding of technology by the then Supreme court judges.
Per Ritchie and Estey JJ.: An essential characteristic of a "telecommunication" is the "transmission ... of signals". Transmission connotes delivery from an origination point to a reception point. It does not connote a conceptual transfer of something with neither sender nor receiver, such as the electromagnetic impulses which flow inside a computer during its operation. It is useful to note that the same definition of "telecommunication" is used in various broadcasting legislation unrelated to the licensing or regulation of computers.98
Another case occurring at almost the same time shows the same use of the telecommunications theft statute to try unauthorised computer access and unauthorised use . This was the case of R. v. Maine Resource Analysts Ltd., [1980]99 although the facts are different. The facts point to insider unauthorised access and use without paying for the time on the system. The same legal issue of considering computers as telecommunications devices was left open for the Supreme court to decide in R. v. McLaughlin months later in June. In the case Maine Resource Analysts were charged with using a computer and billing the federal government for $ 27.30.100 Maine Resources was a contractor that had access to a university computer system but they went beyond their proscribed access and the computer time was billed to the Federal government.101 They were charged with theft of telecommunications and the theft of the $27.30. The court did not convict them for telecommunications theft then section 287(1)(b) fraudulent use of a telecommunications facility to commit theft the value of such use not exceeding $ 200 dollars .102 But they were convicted for the billing under section 421(c).103
It seemed a new law was needed that covered computers. Computers were becoming well known at the time and perhaps computer crime was also becoming popularized with for instance a film called War Games being released in 1983.104. The hero of the War Games film is a teenage computer hacker.105 Did we really need the criminal law to step in? Was this really harmful behaviour? The cases coming up could not be dealt with by the existing laws covering theft of telecommunications. According to Piragoff the R. v. McLaughlin, case prompted two private members bills in the Canadian parliament .106 Neither bill succeeded to become law. “At second reading one bill was withdrawn but the matter was referred to a parliamentary sub committee”,107 and this lead to the addition of the computer crime section 342.1 (1) (as this section is today) to the Canadian Criminal Code in 1985.108
The U.S. laws and early U.S. hacking cases
The USA originally created its laws for Federal cases in 1984 and 1986 at about the same time as Canada. The USA had as stated above state laws but in 1984 and 1986 there was a federal law created that concerns unauthorised access of federal interest computers, this is U.S. Public Code 1030.109 And U.S. Public Code 1029110 just before it in the public code is a law concerning access device fraud.111
There have been changes to the U.S. laws concerning computer crime in the 1990's and in the 2000's. The National Information Infrastructure Protection Act of 1996,112 had an effect on Section 1030 of Title 18 of the US code. As well the USA PATRIOT Act 2001,113 and the Cyber Security Enhancement Act of 2002,114 have affects on hacking law. Arthur J. Carter, IV and Audrey Perry also write about these more recent statues in their American Criminal Law Review article Computer Crimes.115 They cover the fact that because most computers are now connected to the Internet section 1030 will tend to apply to most computers. Section 1030 only applies in Federal jurisdiction to computers or computer connections involving Federal government computers or interstate commerce. Because all computers connect across state lines by connecting to the Internet federal legislation applies, in particular the conditions of section 1030 would apply to any given recent hacking case.116 Carter's and Perry's summary of these laws shows that the USA is getting tougher on computer crime by increasing sentencing and strengthening the scope of prohibitions in the law.117 The USA PATRIOT Act, [2001] lowered the thresholds for sabotage damage by computer and affected other parts of these statutes. Such things as recidivism are now more broad to include any previous conviction of a state law involving computer crime which figures in 1030(c).118 Also sentencing guidelines for hacking that is violent or endangers life have all been brought up in terms of sentenced time in prison.119
Why were these laws made?
Why we might ask was this considered criminal? What was the harm? Breaking into a computer may or may not mean theft or spying on files in that computer. Although Professor Wise considers unauthorised access the baseline criminality of hacking.120 Yet, the government considered hacking a crime in the USA, Canada and Britain. Although Britain used other laws until 1990 when the specific Computer Misuse Act, [1990] was passed. The new laws considered such consequences of hacking as stealing computer service or intercepting functions of a computer. This also includes hacking for financial gain, hacking that disrupts other computer users, espionage by hacking, life threatening consequences of hacking, and trafficking in hacking tools and passwords. The cases below are included to show some examples of these crimes.
Two infamous U.S. Hacking cases
The next case examined is an infamous U.S. hacking case. But the person who committed the crime of unauthorized access was not a hacker. In fact, it was the person's software that committed the unauthorized access. This was a software 'worm' case. The person Morris who wrote the software worm had not intended as much damage as his worm program caused but he had designed the software knowing it would access computers without authorization. He made an error in his program and caused significant damage to the Internet at the time.121 In fact, the Computer Emergency Response Task Force (CERT) was formed as a response to his crime.122 The worm accessed computers without authorisation including Federal government defence computers and caused an overuse of computer time and clogged these computer systems.123 His case United States v. Morris [1990]124 is brought up in many of the popular hacker histories and he too accessed federal interest computers because the worm accessed these computers bringing section 1030 upon him.125 His worm attacked Unix computers and brought down parts of the Internet.126 He did not financially benefit and was not given a prison sentence.127 He was sentenced to community service, probation and a fine.128
Morris was an insider in another way. His father was a government computer security expert.129 He was a Cornell University graduate student and the software was meant to be an experiment. Here is the section of 1030, as it stands today that Morris was charged with:
(a) (5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $ 5,000 in value;
damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
Morris's worm was the program or code he intentionally used to damage both Federal defence computers and to have caused damage exceeding $ 1,000. This damage was assessed as a result of the computer systems being unusable for a time plus the costs of repair to the damaged systems and was the threshold amount in the law then not the $ 5,000 that is today. He appealed the issue of intention to access without authorisation and an issue of preventing others to access the computers but this appeal failed,130 and he was sentenced as stated above.
After Morris and still in 1990 and also the next case in many of the hackers histories is a case of true hacking but may be considered a case of little actual harm. The case resulted from a crackdown on hackers after a large regional power outage. The authorities initially but mistakenly believed the power outage had been caused by computer hackers. The F.B.I. launched a crackdown on hackers. The crackdown is covered in Bruce Sterling’s book The Hacker Crackdown.131 The case is United States of America, v. Robert J. Riggs, and Craig Neidorf.132
Neidorf and Riggs had broken into a Bell computer and had copied a technical document containing details about customer service for 911 service.133 The rise of the paramedic and the 911 system in the recent decades contributed to great fears when these hackers accessed a 911 phone system document from Bell.134 Later in the trial the defence pointed out that one could buy the document by mail order from Bell Core for less than 20$, and that the document was not meant to be private nor worth the amount the prosecution claimed in trial.135 The prosecution claimed the document was worth hundreds of thousands of dollars by including all the costs of making the document.136 Neidorf had published the document in a hacker magazine and in the end the charges against him were dismissed through a mistrial.137
Here is the section of 1030, as it stands today that Neidorf was charged with:
(a) (6) knowingly and with intent to defraud traffics (as defined in section 1029 [18 USCS § 1029]) in any password or similar information through which a computer may be accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
It was the conspiracy between the hackers that involved trafficking in the document. In other words the document gained by accessing the Bell computer had been shared. Riggs was convicted of wire fraud and theft of the document when he pled guilty.138
The further offence of fraud: some cases of computer crime involving fraud
Searching the 1980's for cases involving code 1030 we find a case of fraud. In this case United States v. Lewis, [1987],139 Shirley Lewis was charged under U.S.C 1030 as one count among many for a fraud scheme. She pled guilty on December 21, 1987. She made some appeals concerning her sentencing.
Shirley Lewis was an insider working for a trust company when she got the “access code” to allow her to access a “federal interest computer” for her fraud scheme. This was a real crime of fraud that involved unauthorised access of a computer. This was the typical insider crime. Here is the section of 1030, as it stands today that Lewis was charged with:
(a) (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period;
As can be seen her use of the access code outside of her work and in furtherance of her fraud scheme was covered by this section of the U.S. Public code 1030.
Hacking also continued to be more like the stereotypes of a teen age computer genius as hacker in the U.S. cases. In the case of United States v. Denich, [1992],140 Denich a computer hacker of 21 years of age was set up in a sting by the U.S. secret service and was caught in receiving a fraudulent purchase of computer equipment.141 He had hacked into a computer to gain knowledge of credit card numbers and fraudulently use these credit cards. The case reached the appeal level because Denich made statements without a lawyer and in the end these statements were suppressed United States Judge Charles S. Haight, JR.142 Perhaps the law and law enforcement are coming to understand computer crime and the dangers of hackers but at this point may have been over cautious and thus made mistakes in this case. It is not clear what happen to Denich after this case that suppressed his post arrest statements. He was cooperative with police and was involved in providing information to them about other hackers.143 What became of him is not clear from case material.
As can be seen by the following case United States v. Carron, [1991]144 computer crime is used to commit traditional crime such as passing bad checks and credit card fraud. Carron was charged with a misdemeanor count of 18 U.S.C. § 1030(a)(2), a section concerning accessing financial data such as credit card numbers, in relation to a felony charge of use of an access device for credit card fraud 18 U.S.C. § 1029(a)(2).145 He appealed his sentence for these crimes.146 His criminal history was considered and he was unsuccessful at appealing his sentence.147 He had been a bad check writer and been in jail for this and had for time not committed offences but then seemed to go back to this life of crime.148
We see from this case that the typical petty fraud criminal is also using unauthorised access to a computer to commit traditional crimes. This suggests that computer crime is becoming part of the traditional crime scene. Thus an information age is not a positive good alone but is affecting our whole society including petty criminals. This might suggest the computer is just a neutral tool and that it is still human action that alone can be judged right and wrong.
The felony count can be found in appendix as well but Carron pled guilty to the unauthorised access in exchange for the dropping of the felony count.
Now looking at the case of United States v. Zeneski, [1996]149 this is another case of real crime and credit card fraud. Zeneski was hired into hack hotel computers to discover credit card accounts. His co conspirators ordered large amounts of consumer computer equipment using the stolen credit card numbers. Zeneski got some of this equipment as payment.
In this appeals case Zeneski appealed his sentence length by trying to avoid responsibility for all the fraud on the credit cards rather than just the money he was paid by his co conspirators for the hacking, about 3,500 dollars. He was held responsible in terms of the severity of his sentence for the whole total stolen amount, about 200,000 dollars. He was considered an essential player in the overall offence. Without his hacking the crime would not have happened. Zeneski was charged with credit card fraud not unauthorized access.
Zeneski seems to be a real criminal. He is employed by criminals to do hacking. This would suggest that perhaps hacking is in fact part and parcel to crime in particular credit card fraud. Thus this points to harm being caused by computer crime. Zeneski is not an insider.
In the next case United States v. Czubinski, [1997],150 we do have an insider who abuses his privileges and allegedly commits wire fraud. Here we have someone who is not a hacker but still involves unauthorised access. Czubinski was an IRS employee in Boston who browsed files on the IRS computer.151 These were outside of his permitted access rights. This included browsing the IRS files of public figures such as a Presidential Candidate and a Chief of Police.152 He also browsed files of people he knew personally.153 He had signed an employment agreement regarding his access rights as an employee so would have knowledge that his accessing these files was not permitted.154 In the case the prosecution claimed a fraud scheme but in fact the court concluded that Czubinski was only browsing and nothing of value had been stolen and he was thus acquitted on all counts.155 The court felt the law required a fraud to have occurred not just a breach of confidentiality.156
Here is the section of 1030, as it stands today that Czubinski was charged with:
(a) (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period;Czubinski did not in fact steal anything of value and did not even release the confidential information he browsed.157 The courts conclusion on why this statute was not appropriate here is interesting: “On the other hand, they[The wire fraud statutes] might be used to prosecute kinds of behavior that, albeit offensive to the morals or aesthetics of federal prosecutors, cannot reasonably be expected by the instigators to form the basis of a federal felony.”158 So the court did find unauthorised access offensive but not a serious offence. This fits with the British statute where unauthorised access without a further offence is only a summary offence. Canadian law also permits summary and indictable offences but it is not clear what the bar is in section 342.1 (1) in the Canadian unauthorised access law. The Canadian Mischief section 430. (1) concerning data draws the bar around the consequences, making a life threatening consequence a more serious indictable offence for instance under 430. (2). This section reads: (2) Every one who commits mischief that causes actual danger to life is guilty of an indictable offence and liable to imprisonment for life.
It seems that some of the last cases we have looked at caused harm in that property was stolen by fraud. This does tend to point to hacking computers being a real crime valid for criminal law targeting. But some cases are less serious.
The previous few cases do not appear in any studies of hacking that this author has read. Nor did the Lewis case appear in any of the popular accounts of hackers. Only the Riggs and Morris cases seem to be the subject of computer crime histories. Next we have a case where the fraud was very much noticed by the press and computer security academics.
In Abraham D. Sofaer, & Seymour E Goodman's conference report The Transnational Dimension of Cyber Crime and Terrorism, they cite a case from 1997, that shows “Legislators and courts are rapidly coming to regard cyber activities as analogous to other activities already regarded as permitting prescription, investigation, and enforcement on any traditional bases for legal regulation.”159 This was a case of extradition of a Russian national, Mr. Levin from the UK to the USA to stand trial for the Federal offences of wire fraud and bank fraud and certain offences relating to the misuse of computers. The extradition case was Lord Hoffman, Reg. v. Governor of Brixton Prison, Ex parte Levin [1997] H.L.J. 160 Once in the USA he went to trial for breaking into a financial computer to access credit card accounts and further extortion.161 He had demanded $ 10,000 to help secure the computer he had broken into or he would destroy the computers if not paid.162 He was charged with 18 U.S.C. § § 1030(a)(7) and 1030(c)(3)(A) for these threats. He was also charged with 1030(a)(4) and 1030(c)(3)(A). for his fraud scheme. And because he had accessed a computer without authorisation for financial gain he was charged with 1030(a)(2)(C) and 1030(c)(2)(B).163 In the U.S.A. Mr. Levin attempted to have the case dismissed for lack of jurisdiction but the National Information Infrastructure Protection Act of 1996 amended and extended the jurisdiction of section 1030,164 and this contributed to his appeal over jurisdiction failing.165 It is not clear from the cases what became of this criminal.
Cases of hacking by law enforcement to gather evidence
Now by examining cases where police are now using hacking as a tool of investigation the question of hacking as a crime is brought to a close. The U.S. statutes allow an exemption for law enforcement in public code 1030 at subsection which reads: (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
In the Canadian case, R. v. Plant, [1993], S.C.C.,166 the police used computer hacking to investigate marijuana cultivation. The police had done a perimeter search of Plant's house after they obtained a warrant to search. What they then did was ask the hydro commission for access to Plant's hydro records by accessing the hydro utilities computer. The question at issue in the appeal was whether the grounds for the search warrant was reasonable and the courts found that the grounds were reasonable. There was also an issue of a violation of Plants rights by accessing the utility computer. The court decision, that this was not a violation, is interesting.
The court concluded that the police had not violated the Charter in their search of the electrical utilities computer because the hydro records were not personal property.167 This seems odd and perhaps this issue will be revisited in Canadian courts. Perhaps our hydro records are not our own property and in fact the Section 8 of Charter “protects people not property”,168 and are searchable by law enforcement when they have a reasonable suspicion as they did in this case.169 The appeal for violation of the Charter rights against unreasonable search was dismissed. In the decision McLachlin J. wrote a separate decision and disagreed with the idea that computerized records of public utilities are not personal property,170 but agreed with the over all decision.171 Of note is his statement that “computers may contain a wealth of information. Depending on its character that informant may be as private as any found in a dwelling house or hotel room.”172
The privacy issues are obvious when it is law enforcement doing the hacking. The police in this case did not break in they were give access by the hydro commission. In the next case we see that actual unauthorised access is not quite beyond police technique.
In the case, United States v. Kline, [2003]173 evidence was gathered by Bradley Willman a computer hacker and a person know to police to have large amounts of child pornography on his computer. He was allowed to keep the child pornography in return for information about other child pornographers.174 Willman acted as a police informant and used computer hacking to find others with child pornography and then the police would investigate these people.175 Kline whose computer was hacked by Willman it turned out was a United States judge and in his case the United States District Court in California found the search by the hacker to be a violation of the 4th amendment and suppressed the evidence found on Kline's computer.176 Willman was considered a government agent,177 when he did the computer hacking search of Kline's computer.178 But this was over turned on appeal,179 as the court felt Bradley was not a government agent. Just two weeks before this paper was completed the U.S. Supreme court denied a writ of certiorari.180 The case is yet to be decided.
Summary
We have seen that there are many different twists and turns to the computer crime laws. The statutes have been created and are applied to a variety of cases. Computer crime is better know these days by the law and it would seem from the Kline case also better known as a crime and perhaps tool for law enforcement. Also we have seen that often case involve credit card fraud as a further offence.
Computer crime is trans-boarder criminal activity and experts argue it will take international cooperation to solve and prosecute these crimes. I am more concerned with hacking crimes per say. In Abraham D. Sofaer, & Seymour E Goodman's conference report The Transnational Dimension of Cyber Crime and Terrorism,181 we find mention of disagreement between nations about traditional crimes committed in cyberspace, but then the authors further elucidate the definition I aim for in this paper.
Still, the exclusion of many conventional crimes involving the use of computers from an international agreement is less important than ensuring comprehensive coverage of harmful conduct aimed at computers and their operation, with a commitment to impose substantial penalties.182
These conventional crimes would include such crimes as theft, child pornography, abuse of various sorts or stalking but not hacking. Hacking is assumed to be a new non-traditional offence.
It is the “subject of crime” use of computers that more interests me. Aiming mischief at computers should be punished. The degree of punishment should vary depending on the harmful consequences of the offence. But not all computer crime is the same or causes the same harm. This paper has been about breaking into a computer. It has been seen that the legal cases of this often involve some further offence most commonly a crime of fraud. As well computer hacking has been a way of spying or invading privacy. As well governments in terms of law enforcement have also used hacking if this helps gather evidence. It has also been shown that by framing the computer crime problem as trespass has allowed the offence to pass into criminal law with some strength.
Conclusions
Where Wise says that the media create a hacker stereotype of a young genius committing these computer crimes he identifies as others do that the typical computer criminal is an insider to a company and in some way causes a financial lose.183
Here none of the infamous cases fit the bill. McLaughlin did not defraud, Neidorf did not defraud if he even stole rather than simply copied something he accessed through improper illegal channels and he didn't pay the few dollars that he could have paid to get the same document legal through a Bell document mail order catalog. Morris did not defraud. But Lewis did and she was an insider working for a trust company when she got the access code to allow her to access a “federal interest computer” for her fraud scheme. Here the garden vanilla economic crime fits the law written in section 1030 much better than the infamous hacking cases. Of these infamous cases in the USA, Morris, Neidorf neither of these “hackers” stole money or used credit cards fraudulently. This seems strange because U.S. code 1030 is right beside U.S. code 1029 which is about credit card fraud. Even the Canadian computer crime section is in the property section of the criminal code. Although the Canadian section is right after the telephone service theft section which is the section that was used to attempt to prosecute McLaughlin and failed.
While Thomas certainly makes some good points he excuses hackers from criminality as much as he examines their criminality. Other popular computer writers also excuse the hacker from the crime the fact is that credit card fraud is harmful and this is in fact what many of the computer crime cases involve. Thus we can not conclude generally that computer hacking is without harm or that it should not be criminalised. But we have also seen that hacking alone without theft is not a serious offence.
If nothing is stolen is there really a crime? If the typical crime seems to be an insider to a company what about the theft of credit card numbers and resulting theft by credit card fraud? We have to conclude that each case must be looked at in the details. We can't say for sure that unauthorised access is criminal, even if framed as trespass; and we can see from this that there is a reason for the popular histories of cases where no theft occurs simply access not theft. But there are many cases of theft after unauthorised access. Thus it can be concluded that unauthorised access is always part of this crime and should be criminalised but to varying extents.
Certainly knowledge of someone else's credit card numbers might be wrongful knowledge. Perhaps also here in computer crime we must find that some information, and the knowledge of it, and the knowledge derived from it, are considered private property. Perhaps this stolen information is also tangible property.
While some information should be publicly accessible, some information must remain private. Copyright laws cover such things as public information or fair use of information or intellectual property. In cases of hacking information seems intangible information that is not property for theft laws should not be protected by criminal law if not stolen. But credit card information and other information involved in perpetrating fraud was never intended to be protected by copyright. These 'other' laws where electronic financial records are involved must treat this electronic information as a tangible object connected to tangible money. This is one detail about the nature of the information hacked that will criminalize hacking. There are probably other details that could occur cases such as cases of property damage. It will in the future be more likely that computer crime will be very tangible and that this crime will become well known and that the laws will continue to adapt to this changing field of computer crime law.
Bibliography
LEGISLATION
Canada
Canadian Charter of Rights and Freedoms, s. 8 Part I of the Constitution Act, 1982, being Schedule B of the Canada Act 1982 (U.K.), 1982, c. 11.
Criminal Code, R.S.C 1985, c. 27 (1st Supp.).
The Criminal Law Improvement Act, 1996, S.C. 1997, c. 18, ss. 18, 19.
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
Privacy Act, R.S. 1985, c. P-21.
United States Of America
The Cyber Security Enhancement Act, Pub. L. No. 107-296, § 225, (2002).
The Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681t (1970).
The National Information Infrastructure Protection Act, Pub.L. 104-294, (1996).
The Privacy Act, 5 U.S.C. § 552a (1974) as amended.
US Public Code 18 § 1029 (2004) [Lexis]
US Public Code 18 § 1030 (2000) [Lexis]
USA PATRIOT Act, Pub. L. No. 107-56, § 814 (2001).
Florida
F.L. Computer Crimes Act tit. XLVI Chapter 815 (1978) on-line <http://www.flsenate.gov/Statutes/index.cfm?App_mode=Display_Statute&URL=Ch0815/ch0815.htm>, (cited April, 2005).
British
Computer Misuse Act 1990 (U.K.), 1990, c. 18.
JURISPRUDENCE
Canada
R. v. Maine Resource Analysts Ltd., [1980] N.S.J. No. 95 [QL].
R. v. McLaughlin, [1980] 2 S.C.R. 331 [QL].
R. v. Stewart, [1988] 1 S.C.R. 963 [QL].
R. v. Plant, [1993] 3 S.C.R. 281 [QL].
R. v. Turner, [1998] S.J. No. 330, [QL].
United Kingdom
Lord Hoffman, Reg. v. Governor of Brixton Prison, Ex parte Levin [1997] H.L.J. No. 28 [QL].
United States
United States v. Carron, 1991 U.S. App. LEXIS 4838, [Lexis].
United States v. Czubinski, 106 F.3d 1069,1997 U.S. App. LEXIS 3077,[Lexis].
United States v. Denich, 1992 U.S. Dist. LEXIS 6996, [Lexis].
United States v. Ivanov, 175 F. Supp. 2d 367; 2001 U.S. Dist. LEXIS 23150, [Lexis].
United States v. Kline, 2003 U.S. Dist. LEXIS 18475, [Lexis].
United States v. Kline, 112 Fed. Appx. 562, 2004 U.S. App. LEXIS 20759, [Lexis]
Ronald Craver Kline, v. United States, 2005 U.S. LEXIS 2818, 73 U.S.L.W. 3569, [Lexis]
United States v. Lewis,872 F.2d 1030; 1989 U.S. App. LEXIS 5458, [Lexis].
United States v. Morris, 728 F. Supp. 95, 1990 U.S. Dist. LEXIS 21, [Lexis].
United States v. Morris, 928 F.2d 504, 1991 U.S. App. LEXIS 3682, [Lexis].United States v. Riggs, 743 F. Supp. 556, 1990 U.S. Dist. LEXIS 9304, [Lexis].
United States v. Riggs, 743 F. Supp. 556; 1990 U.S. Dist. LEXIS 9304, [Lexis].
United States v. Zeneski, 912 F. Supp. 43, 1996 U.S. Dist. LEXIS 447, [Lexis].
SECONDARY SOURCES
Bachman, Ronet & Schutt, Russel K. The Practice of Research in Criminology and
Criminal Justice 2nd ed. (Thousand Oaks, Cal.: Pine Forge Press, 2003).
Berleur, Jacques & Brunnstein, Klaus eds. Ethics of Computing: Codes, Spaces for
Discussion and Law (London: Chapman & Hall, 1996) at 83-86.
Bogard, William. The Simulation of Surveillance: Hypercontrol in Telematic Societies
(Cambridge, U.K.: Cambridge University, 1996).
Borchgrave, Arnaud de, et al. Cyber Threats and Information Security : Meeting the 21st
Century Challenge : a Report of the CSIS Homeland Defense Project
(Washington, D.C. : CSIS Press, 2001).
Brock, Gerald W. The Second Information Revolution (Cambridge, Mass.: Harvard
University, 2003).
Bush, George W., The President of the United States, Convention on Cybercrime,
message to the 108th Congress, 1st session, November, 17, 2003. on-line
<http://www.usdoj.gov/criminal/cybercrime/senateCoe.pdf> (Cited February 20,
2005).
Canadian Information Processing Society, Canadian Information Processing Society
(CIPS) Code of Ethics and Standards in Berleur, Jacques & Brunnstein, Klaus
eds. Ethics of Computing: Codes, Spaces for Discussion and Law (London:
Chapman & Hall, 1996) at 79-83
Carter, IV, Arthur J. & Perry, Audrey “Computer Crimes” (2004) 41 Am. Crim. L. Rev.
313, [Lexis].
Cavazos, Edward A. & Morin, Gavino. Cyberspace and the Law: Your Rights and Duties in the On-Line World (Cambridge, Mass.: MIT, 1994).
Davis, Robert W.K. & Hutchinson, Scott C. Computer Crime in Canada: An
Introduction to Technological Crime and Related Legal Issues (Toronto:Carswell, 1997).
Dowland, P.S. et al. “Computer Crime and Abuse: A Survey of Public Attitudes and
Awareness” (1999) 18:8 Computer & Security 715.
Duff, Antony. ed., Philosophy and the Criminal Law: Principle and Critique
(Cambridge, U.K.: Cambridge University, 1998).
Elbra, Tony. A Practical Guide to the Computer Misuse Act 1990 (U.K.: Department of
Trade and Industry-NCC Blackwell, 1991).
Forester, Tom& Morrison, Perry. Computer Ethics : Cautionary Tales and Ethical
Dilemmas in Computing (Oxford, UK: B. Blackwell, 1990).
Granstrand, Ove. Innovation and Intellectual Property Studies: An Introduction and
Overview of a Developing Field in Granstrand, Ove. ed. Economics, Law and
Intellectual Property: Seeking Strategies for Research and Teaching in a Developing
Field (Boston: Kluwer, 2003).
Hancock, Douglas H. “To What Extent Should Computer Related Crimes Be Subject to
Specific Legislative Attention?” (2001) 12 Alb. L.J. Sci. Tech. 97, [Lexis].
Himanen, Pekka. The Hacker Ethic and the Spirit of the Information Age (New York:
Random House, 2001).
Hollinger, Richard C. “Computer Hackers Follow a Guttman-Like Progression” (1988)
2:11 Phrack Inc. file 7, on-line <http://www.phrack.org/phrack/22/P22-07>.(Cited
February 20, 2005)
--- “Hackers: Computer Heroes or Electronic Highwaymen?” (1991) 21 Computers &
Society 6.
Icove, David, Seger, Karl, & VonStorch, William. Computer Crime: A Crimefighters
Handbook (Sebastopol, Cal.: O'Reilly, 1995).
Johnson, Deborah G. Computer Ethics, 3rd ed. (Upper Saddle River, NJ : Prentice Hall,
c2001).
Kowlaski, Melanie. Cyber-crime: Issues, Data Sources, and Feasibility of Collecting
Police-reported Statistics, Cat. # 85-558-XIE, (Ottawa: Canadian Centre for
Justice Statistics, December 19, 2002).
Law Commission of Canada. “What is Crime? Challenges and Alternatives” (Ottawa,
Ont: Law Commission of Canada, 2003) on-line <http://www.lcc-gc.ca> (Cited
September, 2004).
Lederman, Eli. Protected Frameworks of Information in Criminal Law in Lederman, Eli
& Shapira, Ron, eds. Law, Information and Information Technology (The Hague:
Kluwer, 2001) at 31-73.
Levi, Michael. "Between the risk and the reality falls the shadow": Evidence and urban
legends in computer fraud ( with apologies to T.S. Eliot) in Wall, David S. ed.,
Crime and the Internet (New York: Routledge, 2001).
Macordum, Donald. Nasheri, Hedieh. & O'Hearn, Timothy J. “Spies in Suites: New
Crimes of the Information Age from the United States and Canadian Perspectives”
(2001) 10:2 I. & Comm. T. L. 140.
Manion, Mark & Goodrum, Abby. “Terrorism or Civil Disobedience: Toward a Hackivist
Ethic” (2000) 30 Computers & Society 14.
Mawrey, Richard B. & Salmon, Keith J. Computers and the Law (Oxford: BSP
Professional, 1988).
Palfrey, Terry. “Surveillance as a Response to Crime in Cyberspace” (2000) 9:3 I. &
Comm. T. L. 173.
Parker, Donn. B. Crime by Computer (New York: Charles Scribners, 1976).
Piragoff, Donald K. Canada: Computer Crimes and Other Crimes against Information
Technology in Canada in Sieber, Ulrich. ed., Information Technology Crime:
National Legislation, Jus Informationis European Series on Information Law v 6
(Köln: Carl Heymanns Verlag, 1994) at 85-131.
Radin, Margaret, Jane. Information Tangibility Chap. 17 in Granstrand, Ove. Innovation and Intellectual Property Studies: An Introduction and Overview of a Developing Field in Granstrand, Ove. ed. Economics, Law and Intellectual Property: Seeking Strategies for Research and Teaching in a Developing Field (Boston: Kluwer, 2003) at 395-418.
Sieber, Ulrich. ed., Information Technology Crime: National Legislation,
Jus Informationis European Series on Information Law v 6 (Köln: Carl
Heymanns Verlag, 1994).
Sofaer, Abraham D. & Goodman, Seymour E. eds., The Transnational Dimension of
Cyber Crime and Terrorism (Stanford, Cal.: Hoover Institution, 2001).
--- Cyber Crime and Security: The Transnational Dimension in Sofaer, Abraham D. &
Goodman, Seymour E. eds., The Transnational Dimension of Cyber Crime and
Terrorism (Stanford, CA: Hoover Institution, 2001).
Thomas, Douglas. Hacker Culture (Minneapolis, Mo.: University of Minnesota, 2002).
Timusk, Peter. Computers:Ethical and Unethical Actions (Ottawa: Carleton University, 2000) term paper for Philosophy of Computer Ethics Course, on-line
<http://www.ncf.ca/~at571/page1.html>.
Wall, David S. Maintaining Order and Law on The Internet in Wall, David. ed., Crime
and The Internet (London: Routledge, 2001).
Whitehouse, Diane. Comments on the CIPS Code of Ethics and Standards of Conduct in
Berleur, Jacques & Brunnstein, Klaus eds. Ethics of Computing: Codes, Spaces for
Discussion and Law (London: Chapman & Hall, 1996) at 83-86.
Wise, Edward M. United States: Computer Crimes and Other Crimes against
Information Technology in the United States in Sieber, Ulrich. ed., Information
Technology Crime: National Legislation, Jus Informationis European Series on
Information Law v 6 (Köln: Carl Heymanns Verlag, 1994) at 509-529.
Appendix A Canadian Criminal Code
1. Theft of telecommunications section 326. (1)................................................. p 2
2. Concerning access devices for theft of telecommunications 327. (1) ............ p 3
3. The credit card theft and fraud laws 342. (1) ................................................. p 4
4. Concerning access devices for credit card fraud 342.01 (1)............................ p 6
5. The unauthorised access to computer law 342.1 (1)........................................ p 7
6. Concerning access devices for unauthorised access to a computer 342.2 (1) ..p 9
7. Canadian Mischief laws 430. (1) ..................................................................... p 10
The Canadian telecommunications theft laws
This section of the criminal code is contained in the offences like theft and robbery. Here are the significant sections starting with the theft of telecommunications section which at the time of R. v. McLaughlin was s. 287(1). After these section is the mischief section which is reproduced in full.
326. (1) Every one commits theft who fraudulently, maliciously, or without colour of right,
(a) abstracts, consumes or uses electricity or gas or causes it to be wasted or diverted; or
(b) uses any telecommunication facility or obtains any telecommunication service.
Definition of "telecommunication" (2) In this section and section 327, "telecommunication" means any transmission, emission or reception of signs, signals, writing, images or sounds or intelligence of any nature by wire, radio, visual or other electromagnetic system.
R.S., c. C-34, s. 287; 1974-75-76, c. 93, s. 23.
Concerning Access Devices for theft of telecommunications
Also significant for this paper this section concerning possession of device to obtain telecommunication facility or service
327. (1) Every one who, without lawful excuse, the proof of which lies on him, manufactures, possesses, sells or offers for sale or distributes any instrument or device or any component thereof, the design of which renders it primarily useful for obtaining the use of any telecommunication facility or service, under circumstances that give rise to a reasonable inference that the device has been used or is or was intended to be used to obtain the use of any telecommunication facility or service without payment of a lawful charge therefor, is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years.
Forfeiture (2) Where a person is convicted of an offence under subsection (1) or paragraph 326(1)(b), any instrument or device in relation to which the offence was committed or the possession of which constituted the offence, on such conviction, in addition to any punishment that is imposed, may be ordered forfeited to Her Majesty, whereupon it may be disposed of as the Attorney General directs.
Limitation (3) No order for forfeiture shall be made under subsection (2) in respect of telephone, telegraph or other communication facilities or equipment owned by a person engaged in providing telephone, telegraph or other communication service to the public or forming part of the telephone, telegraph or other communication service or system of such a person by means of which an offence under subsection (1) has been committed if such person was not a party to the offence.
1974-75-76, c. 93, s. 24.
The credit card theft and fraud laws.
Here is a section in between the telecommunications theft section and the unauthorised access to a computer section that is significant in the discussion of computer crime.
342. (1) Every person who
(a) steals a credit card,
(b) forges or falsifies a credit card,
(c) possesses, uses or traffics in a credit card or a forged or falsified credit card, knowing that it was obtained, made or altered
(i) by the commission in Canada of an offence, or
(ii) by an act or omission anywhere that, if it had occurred in Canada, would have constituted an offence, or
(d) uses a credit card knowing that it has been revoked or cancelled,
is guilty of
(e) an indictable offence and is liable to imprisonment for a term not exceeding ten years, or
(f) an offence punishable on summary conviction.
(2) An accused who is charged with an offence under subsection (1) may be tried and punished by any court having jurisdiction to try that offence in the place where the offence is alleged to have been committed or in the place where the accused is found, is arrested or is in custody, but where the place where the accused is found, is arrested or is in custody is outside the province in which the offence is alleged to have been committed, no proceedings in respect of that offence shall be commenced in that place without the consent of the Attorney General of that province.
(3) Every person who, fraudulently and without colour of right, possesses, uses, traffics in or permits another person to use credit card data, whether or not authentic, that would enable a person to use a credit card or to obtain the services that are provided by the issuer of a credit card to credit card holders is guilty of
(a) an indictable offence and is liable to imprisonment for a term not exceeding ten years; or
(b) an offence punishable on summary conviction.
(4) In this section, "traffic" means, in relation to a credit card or credit card data, to sell, export from or import into Canada, distribute or deal with in any other way.
R.S., 1985, c. C-46, s. 342; R.S., 1985, c. 27 (1st Supp.), ss. 44, 185(F); 1997, c. 18, s. 16.
Concerning access devices for credit card fraud
Here is the section dealing with access devices for credit card fraud.
342.01 (1) Every person who, without lawful justification or excuse,
(a) makes or repairs,
(b) buys or sells,
(c) exports from or imports into Canada, or
(d) possesses
any instrument, device, apparatus, material or thing that the person knows has been used or knows is adapted or intended for use in forging or falsifying credit cards is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.
(2) Where a person is convicted of an offence under subsection (1), any instrument, device, apparatus, material or thing in relation to which the offence was committed or the possession of which constituted the offence may, in addition to any other punishment that may be imposed, be ordered forfeited to Her Majesty, whereupon it may be disposed of as the Attorney General directs.
(3) No order of forfeiture may be made under subsection (2) in respect of any thing that is the property of a person who was not a party to the offence under subsection (1).
1997, c. 18, s. 17.
The unauthorised access to computer law
Now we look at the main section of concern here: unauthorized use of computer and it is this section that was created in 1985.
342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system,
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system, or
(d) uses, possesses, traffics in or permits another person to have access to a computer password that would enable a person to commit an offence under paragraph (a), (b) or (c)
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction
Definitions:
(2) In this section,
"computer password" « mot de passe » "computer password" means any data by which a computer service or computer system is capable of being obtained or used;
"computer program" «programme d'ordinateur» "computer program" means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;
"computer service" «service d'ordinateur» "computer service" includes data processing and the storage or retrieval of data;
"computer system" «ordinateur» "computer system" means a device that, or a group of interconnected or related devices one or more of which,
(a) contains computer programs or other data, and
(b) pursuant to computer programs,
(i) performs logic and control, and
(ii) may perform any other function;
"data" «données» "data" means representations of information or of concepts that are being prepared or have been prepared in a form suitable for use in a computer system;
"electro-magnetic, acoustic, mechanical or other device" «dispositif électromagnétique, acoustique, mécanique ou autre» "electro-magnetic, acoustic, mechanical or other device" means any device or apparatus that is used or is capable of being used to intercept any function of a computer system, but does not include a hearing aid used to correct subnormal hearing of the user to not better than normal hearing;
"function" «fonction» "function" includes logic, control, arithmetic, deletion, storage and retrieval and communication or telecommunication to, from or within a computer system;
"traffic" « trafic » "traffic" means, in respect of a computer password, to sell, export from or import into Canada, distribute or deal with in any other way.
R.S., 1985, c. 27 (1st Supp.), s. 45; 1997, c. 18, s. 18.
Concerning access devices for unauthorised access to a computer.
Now a section parallel to the credit section: possession of device to obtain computer service. This section was added in 1997 with the Criminal Law Improvement Act 1996.
342.2 (1) Every person who, without lawful justification or excuse, makes, possesses, sells, offers for sale or distributes any instrument or device or any component thereof, the design of which renders it primarily useful for committing an offence under section 342.1, under circumstances that give rise to a reasonable inference that the instrument, device or component has been used or is or was intended to be used to commit an offence contrary to that section,
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.
Forfeiture (2) Where a person is convicted of an offence under subsection (1), any instrument or device, in relation to which the offence was committed or the possession of which constituted the offence, may, in addition to any other punishment that may be imposed, be ordered forfeited to Her Majesty, whereupon it may be disposed of as the Attorney General directs.
Limitation (3) No order of forfeiture may be made under subsection (2) in respect of any thing that is the property of a person who was not a party to the offence under subsection (1).
1997, c. 18, s. 19.
Canadian Mischief laws
Now a section that is sometimes applied to computer crime and suggests both less serious offences and more serious such as threatening and endangering life.
430. (1) Every one commits mischief who wilfully
(a) destroys or damages property;
(b) renders property dangerous, useless, inoperative or ineffective;
(c) obstructs, interrupts or interferes with the lawful use, enjoyment or operation of property; or
(d) obstructs, interrupts or interferes with any person in the lawful use, enjoyment or operation of property.
Mischief in relation to data
(1.1) Every one commits mischief who wilfully
(a) destroys or alters data;
(b) renders data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of data; or
(d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.
Punishment
(2) Every one who commits mischief that causes actual danger to life is guilty of an indictable offence and liable to imprisonment for life.
Punishment
(3) Every one who commits mischief in relation to property that is a testamentary instrument or the value of which exceeds five thousand dollars
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
Idem
(4) Every one who commits mischief in relation to property, other than property described in subsection (3),
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding two years; or
(b) is guilty of an offence punishable on summary conviction.
Mischief relating to religious property
(4.1) Every one who commits mischief in relation to property that is a building, structure or part thereof that is primarily used for religious worship, including a church, mosque, synagogue or temple, or an object associated with religious worship located in or on the grounds of such a building or structure, or a cemetery, if the commission of the mischief is motivated by bias, prejudice or hate based on religion, race, colour or national or ethnic origin,
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction and liable to imprisonment for a term not exceeding eighteen months.
Idem
(5) Every one who commits mischief in relation to data
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years; or
(b) is guilty of an offence punishable on summary conviction.
Offence
(5.1) Every one who wilfully does an act or wilfully omits to do an act that it is his duty to do, if that act or omission is likely to constitute mischief causing actual danger to life, or to constitute mischief in relation to property or data,
(a) is guilty of an indictable offence and liable to imprisonment for a term not exceeding five years; or
(b) is guilty of an offence punishable on summary conviction.
Saving
(6) No person commits mischief within the meaning of this section by reason only that
(a) he stops work as a result of the failure of his employer and himself to agree on any matter relating to his employment;
(b) he stops work as a result of the failure of his employer and a bargaining agent acting on his behalf to agree on any matter relating to his employment; or
(c) he stops work as a result of his taking part in a combination of workmen or employees for their own reasonable protection as workmen or employees.
Idem
(7) No person commits mischief within the meaning of this section by reason only that he attends at or near or approaches a dwelling-house or place for the purpose only of obtaining or communicating information.
Definition of "data"
(8) In this section, "data" has the same meaning as in section 342.1.
R.S., 1985, c. C-46, s. 430; R.S., 1985, c. 27 (1st Supp.), s. 57; 1994, c. 44, s. 28; 2001, c. 41, s. 12.
Appendix B U.S. Statutes
1. Public Code Title 18 § 1029. Fraud and related activity in connection
with access devices ......................................................................................p 3
2. Public Code Title 18 § 1030. Fraud and related activity in connection
with computers .............................................................................................p 9
Florida's present computer crime law statute Title XLVI CHAPTER 815
COMPUTER-RELATED CRIMES ........................................................p 18
Public Code Title 18
Here are the U.S. public code sections that are used in hacking cases wire fraud laws are not included.
U.S. law concerning fraud with an access device.
§ 1029. Fraud and related activity in connection with access devices
(a) Whoever--
(1) knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized access devises during any one-year period, and by such conduct obtains anything of value aggregating $ 1,000 or more during that period;
(3) knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;
(4) knowingly, and with intent to defraud, produces, traffics in, has control or custody of, or possesses device-making equipment;
knowingly and with intent to defraud effects transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $ 1,000;
(6) without the authorization of the issuer of the access device, knowingly and with intent to defraud solicits a person for the purpose of--
(A) offering an access device; or
(B) selling information regarding or an application to obtain an access device;
(7) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
(8) knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver;
(9) knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization; or
(10) without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device;
shall, if the offense affects interstate or foreign commerce, be punished as provided in subsection (c) of this section.
(b) (1) Whoever attempts to commit an offense under subsection (a) of this section shall be subject to the same penalties as those prescribed for the offense attempted.
(2) Whoever is a party to a conspiracy of two or more persons to commit an offense under subsection (a) of this section, if any of the parties engages in any conduct in furtherance of such offense, shall be fined an amount not greater than the amount provided as the maximum fine for such offense under subsection (c) of this section or imprisoned not longer than one-half the period provided as the maximum imprisonment for such offense under subsection (c) of this section, or both.
(c) Penalties.
(1) Generally. The punishment for an offense under subsection (a) of this section is--
(A) in the case of an offense that does not occur after a conviction for another offense under this section--
(i) if the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than 10 years, or both; and
(ii) if the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine under this title or imprisonment for not more than 15 years, or both;
(B) in the case of an offense that occurs after a conviction for another offense under this section, a fine under this title or imprisonment for not more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any personal property used or intended to be used to commit the offense.
(2) Forfeiture procedure. The forfeiture of property under this section, including any seizure and disposition of the property and any related administrative and judicial proceeding, shall be governed by section 413 of the Controlled Substances Act [21 USCS § 853], except for subsection (d) of that section.
(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section--
(1) the term "access device" means any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument);
(2) the term "counterfeit access device" means any access device that is counterfeit, fictitious, altered, or forged, or an identifiable component of an access device or a counterfeit access device;
(3) the term "unauthorized access device" means any access device that is lost, stolen, expired, revoked, canceled, or obtained with intent to defraud;
(4) the term "produce" includes design, alter, authenticate, duplicate, or assemble;
(5) the term "traffic" means transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of;
(6) the term "device-making equipment" means any equipment, mechanism, or impression designed or primarily used for making an access device or a counterfeit access device;
(7) the term "credit card system member" means a financial institution or other entity that is a member of a credit card system, including an entity, whether affiliated with or identical to the credit card issuer, that is the sole member of a credit card system;
(8) the term "scanning receiver" means a device or apparatus that can be used to intercept a wire or electronic communication in violation of chapter 119 [18 USCS § § 2510 et seq.] or to intercept an electronic serial number, mobile identification number, or other identifier of any telecommunications service, equipment, or instrument;
(9) the term "telecommunications service" has the meaning given such term in section 3 of title I of the Communications Act of 1934 (47 U.S.C. 153);
(10) the term "facilities-based carrier" means an entity that owns communications transmission facilities, is responsible for the operation and maintenance of those facilities, and holds an operating license issued by the Federal Communications Commission under the authority of title III of the Communications Act of 1934 [47 USCS § § 301 et seq.]; and
(11) the term "telecommunication identifying information" means electronic serial number or any other number or signal that identifies a specific telecommunications instrument or account, or a specific communication transmitted from a telecommunications instrument.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, or any activity authorized under chapter 224 of this title. For purposes of this subsection, the term "State" includes a State of the United States, the District of Columbia, and any commonwealth, territory, or possession of the United States.
(g) (1) It is not a violation of subsection (a)(9) for an officer, employee, or agent of, or a person engaged in business with, a facilities-based carrier, to engage in conduct (other than trafficking) otherwise prohibited by that subsection for the purpose of protecting the property or legal rights of that carrier, unless such conduct is for the purpose of obtaining telecommunications service provided by another facilities-based carrier without the authorization of such carrier.
(2) In a prosecution for a violation of subsection (a)(9), (other than a violation consisting of producing or trafficking) it is an affirmative defense (which the defendant must establish by a preponderance of the evidence) that the conduct charged was engaged in for research or development in connection with a lawful purpose.
(h) Any person who, outside the jurisdiction of the United States, engages in any act that, if committed within the jurisdiction of the United States, would constitute an offense under subsection (a) or (b) of this section, shall be subject to the fines, penalties, imprisonment, and forfeiture provided in this title if--
(1) the offense involves an access device issued, owned, managed, or controlled by a financial institution, account issuer, credit card system member, or other entity within the jurisdiction of the United States; and
the person transports, delivers, conveys, transfers to or through, or otherwise stores, secrets, or holds within the jurisdiction of the United States, any article used to assist in the commission of the offense or the proceeds of such offense or property derived therefrom.
US law concerning fraud and unauthorised access to computers.
§ 1030. Fraud and related activity in connection with computers
(a) Whoever--
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and bymeans of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y.[(y)] of section 11 of the Atomic Energy Act of 1954 [42 USCS § 2014(y)], with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $ 5,000 in any 1-year period;
(5) (A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $ 5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(6) knowingly and with intent to defraud traffics (as defined in section 1029 [18 USCS § 1029]) in any password or similar information through which a computer may be accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;
shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is--
(1) (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section; or an attempt to commit an offense punishable under this subparagraph;
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if--
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $ 5,000; and
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this section;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(d)
(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section.
The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11y of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title [18 USCS § 3056(a)].
(3) Such authority shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
(3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term "financial institution" means--
(A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934 [15 USCS § 78o];
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978 [12 USCS § 3101(1) and (3)]); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act;
(5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;
(6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive department enumerated in section 101 of title 5;
(8) the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information;
(9) the term "government entity" includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country;
(10) the term "conviction" shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer;
(11) the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and
(12) the term "person" means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection [enacted Sept. 13, 1994], concerning investigations and prosecutions under subsection (a)(5).
Florida's present computer crime law statute
CHAPTER 815
COMPUTER-RELATED CRIMES
815.01 Short title.
815.02 Legislative intent.
815.03 Definitions.
815.04 Offenses against intellectual property; public records exemption.
815.045 Trade secret information.
815.06 Offenses against computer users.
815.07 This chapter not exclusive.
815.01 Short title.--The provisions of this act shall be known and may be cited as the "Florida Computer Crimes Act."
History.--s. 1, ch. 78-92.
815.02 Legislative intent.--The Legislature finds and declares that:
(1) Computer-related crime is a growing problem in government as well as in the private sector.
(2) Computer-related crime occurs at great cost to the public since losses for each incident of computer crime tend to be far greater than the losses associated with each incident of other white collar crime.
(3) The opportunities for computer-related crimes in financial institutions, government programs, government records, and other business enterprises through the introduction of fraudulent records into a computer system, the unauthorized use of computer facilities, the alteration or destruction of computerized information or files, and the stealing of financial instruments, data, and other assets are great.
(4) While various forms of computer crime might possibly be the subject of criminal charges based on other provisions of law, it is appropriate and desirable that a supplemental and additional statute be provided which proscribes various forms of computer abuse.
History.--s. 1, ch. 78-92.
815.03 Definitions.--As used in this chapter, unless the context clearly indicates otherwise:
(1) "Access" means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network.
(2) "Computer" means an internally programmed, automatic device that performs data processing.
(3) "Computer contaminant" means any set of computer instructions designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. The term includes, but is not limited to, a group of computer instructions commonly called viruses or worms which are self-replicating or self-propagating and which are designed to contaminate other computer programs or computer data; consume computer resources; modify, destroy, record, or transmit data; or in some other fashion usurp the normal operation of the computer, computer system, or computer network.
(4) "Computer network" means any system that provides communications between one or more computer systems and its input or output devices, including, but not limited to, display terminals and printers that are connected by telecommunication facilities.
(5) "Computer program or computer software" means a set of instructions or statements and related data which, when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions.
(6) "Computer services" include, but are not limited to, computer time; data processing or storage functions; or other uses of a computer, computer system, or computer network.
(7) "Computer system" means a device or collection of devices, including support devices, one or more of which contain computer programs, electronic instructions, or input data and output data, and which perform functions, including, but not limited to, logic, arithmetic, data storage, retrieval, communication, or control. The term does not include calculators that are not programmable and that are not capable of being used in conjunction with external files.
(8) "Data" means a representation of information, knowledge, facts, concepts, computer software, computer programs, or instructions. Data may be in any form, in storage media or stored in the memory of the computer, or in transit or presented on a display device.
(9) "Financial instrument" means any check, draft, money order, certificate of deposit, letter of credit, bill of exchange, credit card, or marketable security.
(10) "Intellectual property" means data, including programs.
(11) "Property" means anything of value as defined in 1s. 812.011 and includes, but is not limited to, financial instruments, information, including electronically produced data and computer software and programs in either machine-readable or human-readable form, and any other tangible or intangible item of value.
History.--s. 1, ch. 78-92; s. 9, ch. 2001-54.
1Note.--Repealed by s. 16, ch. 77-342.
815.04 Offenses against intellectual property; public records exemption.--
(1) Whoever willfully, knowingly, and without authorization modifies data, programs, or supporting documentation residing or existing internal or external to a computer, computer system, or computer network commits an offense against intellectual property.
(2) Whoever willfully, knowingly, and without authorization destroys data, programs, or supporting documentation residing or existing internal or external to a computer, computer system, or computer network commits an offense against intellectual property.
(3)(a) Data, programs, or supporting documentation which is a trade secret as defined in s. 812.081 which resides or exists internal or external to a computer, computer system, or computer network which is held by an agency as defined in chapter 119 is confidential and exempt from the provisions of s. 119.07(1) and s. 24(a), Art. I of the State Constitution.
(b) Whoever willfully, knowingly, and without authorization discloses or takes data, programs, or supporting documentation which is a trade secret as defined in s. 812.081 or is confidential as provided by law residing or existing internal or external to a computer, computer system, or computer network commits an offense against intellectual property.
(4)(a) Except as otherwise provided in this subsection, an offense against intellectual property is a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
(b) If the offense is committed for the purpose of devising or executing any scheme or artifice to defraud or to obtain any property, then the offender is guilty of a felony of the second degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
History.--s. 1, ch. 78-92; s. 1, ch. 94-100; s. 431, ch. 96-406.
815.045 Trade secret information.--The Legislature finds that it is a public necessity that trade secret information as defined in s. 812.081, and as provided for in s. 815.04(3), be expressly made confidential and exempt from the public records law because it is a felony to disclose such records. Due to the legal uncertainty as to whether a public employee would be protected from a felony conviction if otherwise complying with chapter 119, and with s. 24(a), Art. I of the State Constitution, it is imperative that a public records exemption be created. The Legislature in making disclosure of trade secrets a crime has clearly established the importance attached to trade secret protection. Disclosing trade secrets in an agency's possession would negatively impact the business interests of those providing an agency such trade secrets by damaging them in the marketplace, and those entities and individuals disclosing such trade secrets would hesitate to cooperate with that agency, which would impair the effective and efficient administration of governmental functions. Thus, the public and private harm in disclosing trade secrets significantly outweighs any public benefit derived from disclosure, and the public's ability to scrutinize and monitor agency action is not diminished by nondisclosure of trade secrets.
History.--s. 2, ch. 94-100.
Note.--Former s. 119.165.
815.06 Offenses against computer users.--
(1) Whoever willfully, knowingly, and without authorization:
(a) Accesses or causes to be accessed any computer, computer system, or computer network;
(b) Disrupts or denies or causes the denial of computer system services to an authorized user of such computer system services, which, in whole or part, is owned by, under contract to, or operated for, on behalf of, or in conjunction with another;
(c) Destroys, takes, injures, or damages equipment or supplies used or intended to be used in a computer, computer system, or computer network;
(d) Destroys, injures, or damages any computer, computer system, or computer network; or
(e) Introduces any computer contaminant into any computer, computer system, or computer network,
commits an offense against computer users.(2)(a) Except as provided in paragraphs (b) and (c), whoever violates subsection (1) commits a felony of the third degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
(b) Whoever violates subsection (1) and:
1. Damages a computer, computer equipment, computer supplies, a computer system, or a computer network, and the monetary damage or loss incurred as a result of the violation is $5,000 or greater;
2. Commits the offense for the purpose of devising or executing any scheme or artifice to defraud or obtain property; or
3. Interrupts or impairs a governmental operation or public communication, transportation, or supply of water, gas, or other public service,
commits a felony of the second degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.(c) Whoever violates subsection (1) and the violation endangers human life commits a felony of the first degree, punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
(3) Whoever willfully, knowingly, and without authorization modifies equipment or supplies used or intended to be used in a computer, computer system, or computer network commits a misdemeanor of the first degree, punishable as provided in s. 775.082 or s. 775.083.
(4)(a) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, computer equipment, computer supplies, or computer data may bring a civil action against any person convicted under this section for compensatory damages.
(b) In any action brought under this subsection, the court may award reasonable attorney's fees to the prevailing party.
(5) Any computer, computer system, computer network, computer software, or computer data owned by a defendant which is used during the commission of any violation of this section or any computer owned by the defendant which is used as a repository for the storage of software or data obtained in violation of this section is subject to forfeiture as provided under ss. 932.701-932.704.
(6) This section does not apply to any person who accesses his or her employer's computer system, computer network, computer program, or computer data when acting within the scope of his or her lawful employment.
(7) For purposes of bringing a civil or criminal action under this section, a person who causes, by any means, the access to a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in both jurisdictions.
History.--s. 1, ch. 78-92; s. 11, ch. 2001-54.
815.07 This chapter not exclusive.--The provisions of this chapter shall not be construed to preclude the applicability of any other provision of the criminal law of this state which presently applies or may in the future apply to any transaction which violates this chapter, unless such provision is inconsistent with the terms of this chapter.
History.--s. 1, ch. 78-92.
1William J. McIver, Jr., Global Perspectives on the Information Society in Linda L. Brennan & Victoria E. Johnson, Social, Ethical and Policy Implications of Information Technology (Hershey, Pa: Information Science, 2004) 1-28. [McIver].
2Ibid. at 2.
3Ibid.
4Ibid. at 16.
5Ibid.
6Wise, Edward M. United States: Computer Crimes and Other Crimes against
Information Technology in the United States in Sieber, Ulrich. ed., Information
Technology Crime: National Legislation, Jus Informationis European Series on
Information Law v 6 (Köln: Carl Heymanns Verlag, 1994) at 509-529, at 515.
7Ibid.
8Icove, David, Seger, Karl, & VonStorch, William. Computer Crime: A Crimefighters
Handbook (Sebastopol, Cal.: O'Reilly, 1995) at 22..
9Wise supra note 6 At 512.
10Icove , supra note 8 at 3.
11Wise, supra note 6 at 515.
12Robert W.K. Davis, & Scott C. Hutchinson, Computer Crime in Canada: An
Introduction to Technological Crime and Related Legal Issues (Toronto,
Ont.: Carswell, 1997).13Ibid. at 3, quoting from Ulrick Seiber, The International Handbook on Computer Crime (New York: John Wiley & Sons, 1986) at 2.
14Supra note 12 at 4.
15Melanie Kowlaski, Cyber-crime: Issues, Data Sources, and Feasibility of Collecting Police-reported Statistics, Cat. # 85-558-XIE, (Ottawa, ON:, Canadian Centre for Justice Statistics, December 19, 2002) at 5.
16Ibid. at 16.
17David S. Wall, Maintaining Order and Law on The Internet in David Wall, Ed. Crime and The Internet (London: Routledge, 2001).
18Ibid. at 168
19Ibid.
20Ibid.
21Peter Timusk, Computers:Ethical and Unethical Actions (Ottawa: Carleton University, 2000) term paper for Philosophy of Computer Ethics Course, on-line <http://www.ncf.ca/~at571/page1.html> at 11.
22Supra note 6 Wise, at 515.
23Ibid.
24Criminal Code, R.S.C 1985, c. 27 (1st Supp.) s. 342.1(1).
25U.S. Public Code 18 § 1030 (2004) [Lexis]
26Computer Misuse Act 1990 (U.K.), 1990, c. 18.
27R. v. Stewart, [1988] 1 S.C.R. 963 [QL].
28Ibid. at 41.
29Wise supra note 6 at 513.
30Donn. B. Parker, Crime by Computer (New York: Charles Scribners, 1976) at 12.
31Carter, IV, Arthur J. & Perry, Audrey “Computer Crimes” (2004) 41 Am. Crim. L. Rev.
313, [Lexis] at 1 citing the National Institute of Justice, U.S. Department of Justice, Computer Crime: Criminal Justice Resource Manual 2 (1989).
32Supra note 15 at 5.
33Sieber, Ulrich. The Emergence of Information Law: Object and Characteristics of a New Legal Area in Lederman, Eli & Shapira, Ron, eds. Law, Information and Information Technology (The Hague: Kluwer, 2001) at 1-29.[Sieber 'Emergence of Information Law']
34Ibid. at 2.
35Ibid.
36Ibid. at 27.
37The Constitution Act, 1867: Division of Powers, (U.K.) 30 & 31 Vict., c. 3, s. 92, item 10(a).
38Supra note 33 [Sieber “Emergence of Information Law”] at 14 & 16-18.
39Donald Macordum, Hedieh Nasheri, & Timothy J. O'Hearn, “Spies in Suites: New
Crimes of the Information Age from the United States and Canadian Perspectives”
(2001) 10:2 I. & Comm. T. L. 140.
40Supra note 27 at 2.
41Ibid. at 41.
42The Privacy Act, 5 U.S.C. § 552a (1974) as amended.
43Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
44Privacy Act, R.S. 1985, c. P-21.
45Canadian Charter of Rights and Freedoms, s. 8 Part I of the Constitution Act, 1982, being Schedule B of the Canada Act 1982 (U.K.), 1982, c. 11.
46Samuel Warren, & Louis D. Brandeis “The Right to Privacy” (1890) 4 Harv. L.R. 193 at 196.
47Bogard, William. The Simulation of Surveillance: Hypercontrol in Telematic Societies (Cambridge, U.K.: Cambridge University, 1996).
48Palfrey, Terry. “Surveillance as a Response to Crime in Cyberspace” (2000) 9:3 I. & Comm. T. L. 173.
49Supra note 8 at 32
50Supra note 31 at 2.
51Radin, Margaret, Jane. Information Tangibility Chap. 17 in Granstrand, Ove. Innovation and Intellectual Property Studies: An Introduction and Overview of a Developing Field in Granstrand, Ove. ed. Economics, Law and Intellectual Property: Seeking Strategies for Research and Teaching in a Developing Field (Boston: Kluwer, 2003) at 395-418 at 400.
52Ibid.
53Ibid. at 397.
54Ibid. at 396 & 405.
55R v. McLaughlin [1980] 2 S.C.R. 331 [QL].
56Ibid. at 2.
57 Supra note 27 at 41
58Supra note 51 at 400.
59Ebay v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058 (2000).
60Supra note 51 at 404.
61Ibid.
62Ibid. at 404.
63Ibid. at 399.
64Ibid. at 400.
65Supra note 46 at 201.
66See Bruce Sterling, The Hacker Crackdown (New York: Bantam, 1992). See also Douglas Thomas, Hacker Culture (Minneapolis, Mo.: University of Minnesota, 2002) at 36. See also Paul Mungo & Bryon Clough, Approaching Zero: The Extraordinary World of Hackers, Phreaks, Virus Writers And Keyboard Criminals (New York: Random House, 1992). See also Katie Hafner & John Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier (New York: Simon and Schuster, 1991).
67Ibid. Thomas.
68Supra note 66 Sterling.
69Supra note 66 Thomas at 31.
70Ibid. at 179.
71Ibid. at 175 & 179.
72Ibid. at 182
73Michel Foucault, Discipline and Punish trans. Alan Sheridan ( New York: Vintage, 1977).
74The Criminal Law Improvement Act, 1996, S.C. 1997, c. 18, ss. 18, 19.
75Ibid. at 3.
76Supra note 46 at 207.
77Ibid. at 205
78Supra note 6 at 518-519.
79The Fair Credit Reporting Act, 15 U.S.C. §§ 1681-1681t (1970).
80 The Privacy Act, 5 U.S.C. § 552a (1974).
81Ove Granstrand, Innovation and Intellectual Property Studies: An Introduction and Overview of a Developing Field in Ove Granstrand, ed. Economics, Law and Intellectual Property: Seeking Strategies for Research and Teaching in a Developing Field (Boston: Kluwer, 2003) at 23.
82Supra note 28 at 24-25.
83Supra note 6 at 520.
84Ibid. See also Richard C. Hollinger, “Hackers: Computer Heroes or Electronic Highwaymen?” (1991) 21 Computers & Society 6 at 12[ Hollinger].
85Hollinger ibid .
86Hollinger ibid.
87F.L. Computer Crimes Act tit. XLVI Chapter 815 (1978) on-line <http://www.flsenate.gov/Statutes/index.cfm?App_mode=Display_Statute&URL=Ch0815/ch0815.htm>, (cited April, 2005).
88Hollinger ibid. at 11.
89Ibid. at 46.
90Ibid. at 51.
91Supra note 55.
92Ibid. at 2.
93Ibid. at 1.
94Ibid. at 2.
95Supra note 1 at 10.
96R. v. Turner, [1998] S.J. No. 330, [QL]
97Supra note 55.
98Ibid. at 2.
99R. v. Maine Resource Analysts Ltd., [1980] N.S.J. No. 95 [QL].
100Ibid. at para 15.
101Ibid.
102Ibid. at para 17.
103Ibid. at para 19.
104Supra note 61 at 22.
105Ibid. at xv.
106Piragoff, Donald K. Canada: Computer Crimes and Other Crimes against Information Technology in Canada in Sieber, Ulrich. ed., Information Technology Crime: National Legislation, Jus Informationis European Series on Information Law v 6 (Köln: Carl
Heymanns Verlag, 1994) at 90-91.107Ibid. at 91.
108See appendix A.
109U.S. Public Code 18 § 1030 (2004) [Lexis]
110U.S. Public Code 18 § 1029 (2004) [Lexis]
111See appendix B.
112The National Information Infrastructure Protection Act, Pub.L. 104-294, (1996).
113USA PATRIOT Act, Pub. L. No. 107-56, § 814 (2001).
114The Cyber Security Enhancement Act, Pub. L. No. 107-296, § 225, (2002).
115Supra note 31 at 2-4.
116Ibid. at 3.
117Ibid. at 3.
118Ibid. at 4.
119Ibid. at 4.
120Supra note 6 at 522.
121Supra note 66 Thomas at 28.
122Ibid. at 86.
123Ibid. at 28
124United States v. Morris, 928 F.2d 504, 1991 U.S. App. LEXIS 3682, [Lexis].
125Ibid. at 1.
126Ibid. See also supra note 66 Thomas at xxii and 28
127Supra note 8 at 196.
128 Edward. A. Cavazos, & Gavino Morin. Cyberspace and the Law: Your Rights and Duties in the On-Line World (Cambridge, Mass.: MIT, 1994) at 108.
129Supra note 66 Thomas at 67.
130Supra note 117 at para 4.
131Supra note 66 Sterling.
132United States v. Riggs, 743 F. Supp. 556, 1990 U.S. Dist. LEXIS 9304, [Lexis].
133Suora note 66 Sterling at part 4.
134Supra. note 84 Hollinger at 7.
135Supra note 66 Thomas at 125.
136Supra note 66 Sterling at part 4.
137Ibid.
138Ibid.
139United States v. Lewis,872 F.2d 1030; 1989 U.S. App. LEXIS 5458, [Lexis].
140United States v. Denich, 1992 U.S. Dist. LEXIS 6996, [Lexis].
141Ibid. at 1.
142Ibid. at decision.
143Ibid. at 1.
144United States v. Carron, 1991 U.S. App. LEXIS 4838, [Lexis].
145Ibid. at 1.
146Ibid.
147Ibid. at 3.
148Ibid.
149United States v. Zeneski, 912 F. Supp. 43, 1996 U.S. Dist. LEXIS 447, [Lexis].
150United States v. Czubinski, 106 F.3d 1069,1997 U.S. App. LEXIS 3077,[Lexis].
151Ibid. at 2.
152Ibid.
153Ibid.
154Ibid.
155Ibid. at 8.
156Ibid. at para 13.
157Ibid. at 8.
158Ibid. Chief Justice Torruella at conclusion.
159Abraham D. Sofaer, & Seymour E Goodman, Cyber Crime and Security: The Transnational Dimension in Sofaer, Abraham D. & Goodman, Seymour E. Ed. The Transnational Dimension of Cyber Crime and Terrorism (Stanford, CA: Hoover Institution, 2001) at 26.
160Lord Hoffman, Reg. v. Governor of Brixton Prison, Ex parte Levin [1997] H.L.J. No. 28 at para 4.[QL]
161United States v. Ivanov, 175 F. Supp. 2d 367; 2001 U.S. Dist. LEXIS 23150, [Lexis] at 1.
162Ibid.
163Ibid. at 2.
164Ibid. at 6.
165Ibid. at 7.
166R. v Plant, [1993] 3 S.C.R. 281.
167Ibid. at para. 37.
168Ibid. at para. 16.
169Ibid. at para. 10.
170Ibid. at para 42.
171Ibid. at para 39.
172Ibid. at para 45.
173United States v. Kline, 2003 U.S. Dist. LEXIS 18475, [Lexis].
174Ibid. at 2.
175Ibid.
176Ibid. at decision.
177Ibid. at 1.
178Ibid. at 2.
179United States v. Kline, 112 Fed. Appx. 562, 2004 U.S. App. LEXIS 20759, [Lexis]
180Ronald Craver Kline, v. United States, 2005 U.S. LEXIS 2818, 73 U.S.L.W. 3569, [Lexis]
181Abraham D. Sofaer, & Seymour E Goodman, Ed. The Transnational Dimension of Cyber Crime and Terrorism (Stanford, CA: Hoover Institution, 2001).
182Supra note 159 at 30.
183Supra note 84 Hollinger, Wise quoting in supra note 6 at 515 Also see National Centre for Computer Crime data ,quoted by Wise supra note 6 in footnote at 515
<Last Updated April 14th, 2006>