Executive Summary

Computer Crime Laws... What you need to know now!

Carleton University
Student: Peter Timusk B.Math, fourth year legal studies BA student.
Course: LAWS4305
Section: A
Term: Fall 2003
Date Due: November 20th, 2003
Date Submitted: November 20th, 2003

Introduction:

    Laws are established for many crimes. Theft is as old as the bible and sanctions against it are also as old. But computer hacking, a new crime only some 50 years old at most, is being seen as a break and enter^.1 It still has to be defined in comparison to existing crimes. It is really an invasion of privacy. The Canadian Criminal Code section 342.1 prohibits accessing a computer without authorisation. The question is does this law work and are those breaking this law getting the right punishment?

History

    Bruce Sterling, a computer writer, traces computer hacking back to the pranks that telephone switch boys used in 1878². Many histories of computer crime start with phone freaking as the precursor to hacking. Phone freaking is stealing long distance phone calls or other phone tricks which defraud the phone company in a minor but clever way . There are books such as Approaching Zero that give a history for hacking crimes along with some analysis of viruses.³ As well as this, the book The Cuckoos Egg by Cliff Stoll covers just one case of hacking used as a tool of espionage.⁴ Most of the hacking in the past has included the crime of using a phone line and a modem to send fraudulent or fake messages to computers such as logging into someone else's account.
    The law has been slow to understand and react to changes in technology. Perhaps lawyers and judges do not think the same way as engineers and programmers.
    Hackers are often employed in, or students of, the sciences, engineering or computers. That hackers are teenagers is only one characteristic that is, in fact, a slightly mythical stereotype rather than a proper factor in a Computer Crime Adversarial Matrix. The F.B.I. has developed the Computer Crime Adversarial Matrix for hacker characteristics that police or computer security administrators may use to solve computer hacking crimes.⁵     

Enforcement of the current laws.

    Recently, perhaps the public is more aware of hacking and most certainly the law is more aware. Section 342.1 is part of the criminal code now in Canada. Police officers have the tool to bring charges with this section. It will be some time before we see if this is appropriate law. In 1998/1999 there were 113 charges brought under section 342.1 which was the highest number for this data, in 1999-2000 there were 43, and in 2000-2001 58 charges were brought under section 342.1. As noted by Kowlaski in her report for the Centre for Justice Statistics there are no apparent trends in computer crime from this data.  She was looking at the number of charges brought under sections 342.1, 342.2, 327, 430(1.1) and 326, for the years 1995-2001.⁶
Assessment of the existing laws.
    The existing section 342.1 allows either summary conviction or conviction by indictment  for hacking. The British Law also has such a division but further defines the actus reus and mens rea for choosing to proceed with summary or indictment conviction.
    In the British Computer Misuse Act (1990) the mens rea for unauthorised access is intended access without authorisation.⁷ Intent to commit a further crime steps up the charge to indictment in the British law. So unauthorised access of a computer involving theft of money would be triable as an indictment, as well as, being triable as a theft of money.⁸ Without the intent to commit the further crime the charge is only on summary proceedings. This does not really add a technical or unfathomable dimension to computer crime. Whereas, the actus reus is where the technical nature of the crime comes to the fore.
    The actus reas is the actual invasion of privacy and would most often be committed accessing a computer by someone using a computer. Thus a whole new field of forensic science has opened up to examine computers and use computer hardware and software as evidence in these cases. The logs of activity in both phones and computers can be great clues for the case.

Discussion of sentencing in hacking cases.

    The cases of hacking quoted in the computer crime literature have sentencing ranging from non-conviction to time in federal prison in the case of Kevin Mitnick.⁹ The use of a two tier system using summary and indictable charges allows for varying the sentence depending on the seriousness of the offense. Often the sentence has been a community service order, with probation, and a fine. There are probably more summary convictions than indictments. Often cases of hacking will be interpreted in the original sense of hacking as pranks and be tried as mischief crimes rather than under hacking laws. There is really no evidence to base these generalizations on rather there are publicized cases that seem to affect a number of computer users as victims. When a computer virus affects almost all Internet users the case is well published and the criminal is invariably caught.

Leniency

    There have been some recent news stories in the computer press suggesting that hackers are only receiving community service orders as a sentence and that this is too lenient.¹⁰ But this report comes from an article in a California news source originating in the heart of the computer industry region. This suggests that there is an attempt going on to gain opinions from computer workers and computer business that would generate a call for more punitive action. This locational aspect of this report points to the capitalist nature of these charges in the first place and their existence to protect the computer owner much more than the computer user which is often not the same person. The term personal computer does not really cover all the computers workers and students use  in workplaces and schools. It is just these places where these crimes are committed. It maybe that victims tend to be computer owners but the contention is that computer crime laws are being developed to protect capitalist income and assets not any public safety standard nor anything more than a financial standard of privacy not really a moral standard.

Deterrence

    In a study into college students participation in hacking and piracy, the researchers Skinner and Fream suggest that the students would read stories of computer crime cases and see that the criminals received lenient treatment from the courts and that this reading of news stories reduced the deterrence affect of the law against hacking.¹¹

Recommendations to the laws.

    While the community sentence makes sense, a more serious offense can be tried with a more punitive sentence. As well as this, if a further offense occurs such as credit card fraud, charges for the further offense can also be brought. Although many Canadian Criminal Code sections prescribe both summary and indictable convictions, we should examine the phrasing of the British Computer Misuse Act (1990) for an understanding and for clarity on what degree of charge to bring and what elements could be used  to differentiate between serious and non-serious offenses. It seems that monetary damages will not work in the criminal courts for hacking crimes.¹² As the computer industry is a very speculative sector of the economy, damages, too, are not clearly understood. Also if we want a real law reflecting our social mores we should consider more than money.

Conclusion

    The computer ethics writer, Deborah Johnstone, states that computer ethics problems, which hacking is one type, are solved or thought about, by extending our existing morals and ethics.¹³ This would include extending existing criminal code sections for the further offenses and using mischief charges for non serious offenses. It will be interesting to watch the computer crime news in the next twenty years. As yet, no computer crime case has gone to the Supreme court. While, the legal professional was once behind in knowledge of computers, most of these professionals are using computers these days. The law is becoming a tool for guiding computer use behaviour. This law might become a more complete and clear legal doctrine in the future.

End Notes

1. R.C.M.P., R.C.M.P. Web site <www.rcmp-grc.gc.ca> (cited fall 2000) in computer crime section.
2. Sterling, B. The Hacker Crackdown 1992, (electronic version) updated July 1998.     <http://www.lysator.liu.se/etexts/hacker/digital1.html#1>(cited September 18, 2003) at Chronology.
3. Clough, B., & Mungo, P. Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals (New York, NY:Random House Electronic Pub, 1993)
4. Stoll, C., The Cuckoo's Egg (Toronto, ON: Pocket Books-Simon & Schuster Inc., 1990)
5. Icove, D., Seger, K., & VonStorch, W., Computer Crime, A Crimefighters Handbook, (     Sebastopol, CA: O'Reilly & Associates, Inc., 1995) at 65.
6. Kowlaski, M., Cyber-crime: issues, data sources, and feasibility of collecting police-    reported statistics, Cat. # 85-558-XIE, (Ottawa, ON:, Canadian Centre for Justice     Statistics, December 19, 2002) at 18.
7. Elbra, R. A., A Practical Guide to the Computer Misuse Act 1990 (United Kingdom; Department of Trade and Industry-NCC Blackwell; 1990) at 4.
8. Elbra, ibid. at 7.
9. State of California v. Kevin David Mitnick (1999) Free Kevin Mitnick The Official Kevin Mitnick Web Site, State of California v. Kevin David Mitnick March 20, 1999 <http://www.kevinmitnick.com/news-032099.html> (Cited November 20, 2003)
10. Mendoza, M., Web Virus Writer, Senders Rarely Jailed (SiliconValley.com, Saturday,
    August 30, 2003)<http://www.siliconvalley.com/mld/siliconvalley/news/editorial/6657374.htm>
(Cited November 18, 2003)
11. Skinner, W. F. & Fream, A. M., A Social Learning Theory Analysis of Computer Crime Amongst College Students  Journal of Research in Crime and Delinquency, Vol. 34 No. 4, November 1997, 495-518 (Sage Publications Inc., 1997) at 500.
12. E. A. Cavazos and Gavino M., Cyberspace and the Law: Your Rights and Duties in the On-Line World (Cambridge, Mass.; MIT Press, 1994) at 86.
13. Johnson, D. G.,  What is Computer Ethics? In Computer Ethics, 2nd ed. 1-15. Upper Saddle River, NJ: Prentice Hall. In Computer Ethics ed. D. Dubrule. Paper 1 (Ottawa, ON; The Coursepack Division-Carleton University, 2000) at 10 in original.

Bibliography

Cavazos, E. A. and Gavino M., Cyberspace and the Law: Your Rights and Duties in the On-Line World (Cambridge, Mass.; MIT Press, 1994)
Chesterman, J. & Lipman A., The Electronic Pirates, DIY Crime of the Century (London, UK: Routledge, 1988)
Clancy, R. E., A Nation On-Line, How Americans are Expanding their Use of the Internet ( New York, NY: Novinka Books, 2002)
Clough, B., & Mungo, P. Approaching Zero: The Extraordinary Underworld of Hackers, Phreakers, Virus Writers, and Keyboard Criminals (New York, NY:Random House Electronic Pub, 1993)
Crume, J., Inside Internet Security, What Hackers Don't Want You To Know (Don Mills, ON: Addison-Wesley, 2000)
Denning, D., Concerning Hackers Who Break Into Computer Systems 13th National Computer Security Conference speech, <http://www.swiss.ai.mit.edu/6095/articles/denning_defense_hackers.txt> (cited November 24th, 2000)
Elbra, R. A., A Practical Guide to the Computer Misuse Act 1990 (United Kingdom; Department of Trade and Industry-NCC Blackwell; 1990)
Godwin M., When Copying Isn't Theft: How Government Stumbled in a Hacker Case (Originally published in _Internet_World_, Jan./Feb. 1994) <http://www.eff.org/pub/Publications/Mike_Godwin/phrack_riggs_neidorf_godwin.article> (cited 20 October 2000)
Icove, D., Seger, K., & VonStorch, W., Computer Crime, A Crimefighters Handbook, ( Sebastopol, CA: O'Reilly & Associates, Inc., 1995)
Johnson, D. G.,  What is Computer Ethics? In Computer Ethics, 2nd ed. 1-15. Upper Saddle River, NJ: Prentice Hall. In Computer Ethics ed. D. Dubrule. Paper 1 (Ottawa, ON; The Coursepack Division-Carleton University, 2000)
Kowlaski, M., Cyber-crime: issues, data sources, and feasibility of collecting police-reported statistics, Cat. # 85-558-XIE, (Ottawa, ON:, Canadian Centre for Justice Statistics, December 19, 2002)
Mendoza, M., Web Virus Writer, Senders Rarely Jailed (SiliconValley.com, Saturday August 30, 2003)
<http://www.siliconvalley.com/mld/siliconvalley/news/editorial/6657374.htm> (Cited November 18, 2003)
Mueller, M. L., Ruling the Root, Internet Governance and the Taming of Cyberspace (Cambridge, MA: The MIT Press, 2002)
R.C.M.P., R.C.M.P. Web site <www.rcmp-grc.gc.ca> (cited fall 2000)
R.C.M.P., telephone conversations with High Tech crime unit and others in the R.C.M.P., (Ottawa, ON: fall 2003)
Schwartau, W., Information warfare : chaos on the electronic superhighway (New York, NY: Thunder's Mouth Press, 1994)
Skinner, W. F. & Fream, A. M., A Social Learning Theory Analysis of Computer Crime Amongst College Students  Journal of Research in Crime and Delinquency, Vol. 34 No. 4, November 1997, 495-518 (Sage Publications Inc., 1997)
Spafford, E.H., Are Computer Hacker Break-ins Ethical? Journal of Systems and Software, 17(1):41–48, January 1992. Reprinted in Computers, Ethics  and Society; M. David Ermann, Mary B. Williams, and Michele S. Shauf, eds. (Oxford University Press; 1997)
State of California v. Kevin David Mitnick (1999) Free Kevin Mitnick The Official Kevin Mitnick Web Site, State of California v. Kevin David Mitnick March 20, 1999 <http://www.kevinmitnick.com/news-032099.html> (Cited November 20, 2003)
Sterling, B. The Hacker Crackdown 1992, (electronic version) updated July 1998. <http://www.lysator.liu.se/etexts/hacker/digital1.html#1>(cited September 18, 2003)
Stoll, C., The Cuckoo's Egg (Toronto, ON: Pocket Books-Simon & Schuster Inc., 1990)