Common Criminal Laws Used in Cyberspace

A computer, or any electronic device, can play one of four roles in crime:

  • To commit a crime—Unauthorized access to data (hacking) and online fraud are two examples where a computer is used to commit a crime.
  • To facilitate a crime—Cyberstalking, identity theft, phishing scams, and software piracy are examples of crimes facilitated, or aided, by computers.
  • As a target of crime—Denial of service (DoS) and distributed denial of service (DDoS) attacks, computer viruses, and communications sabotage are examples of crimes where the computer itself is the target of the crime.
  • As a witness to crime—Computerized record-keeping systems may provide evidence of an underlying crime or event.

Just because a computer or electronic device is involved in a crime does not make that crime a cybercrime. For example, a person simply using a computer and printer to create a forged document commits a criminal act. It is no different than if that same person used a printing press and ink to forge the document. The crime is still a forgery.

Cybercrimes are different. Cybercrimes, also called computer crimes, are crimes that use computers as a medium to commit a crime or where the computer itself is the target of the crime. Cyberstalking, identity theft, and phishing scams are examples of crimes facilitated by computers. DoS and DDoS attacks, computer viruses, and communications sabotage are examples of crimes where the computer itself is the target of the crime. The distinction between the types of crime is subtle but important.

Both the federal government and individual states have created several laws that address cybercrime. This chapter talks primarily about federal cybercrime laws. Federal laws will likely have the most impact on cybercrime. This is because geography or state and national borders do not matter to cybercriminals. The internet truly blurs these lines. A criminal can easily initiate a cybercrime in one state and harm a victim in another. Also, because cybercrime statutes vary widely between the states, federal laws may end up being more comprehensive.

NOTE

It is important to remember that many states criminalize the same behavior that federal cybercrime laws address.

The Computer Fraud and Abuse Act (1984)

Congress passed the Computer Fraud and Abuse Act (CFAA) in 1984.14 It is the first piece of federal legislation that identified computer crimes as distinct offenses. The federal government used the CFAA in 1990 to prosecute the creator of the Morris worm. This was the first prosecution under the CFAA. The CFAA provides both criminal and civil penalties.

NOTE

The Internet Crime Complaint Center (IC3) is a partnership between the U.S. Federal Bureau of Investigation (FBI) and the National White Collar Crime Center. Their 2019 Internet Crime Report showed that the total loss linked to online fraud was $3.5 billion.15 You can read the report at https://pdf.ic3.gov/2019_IC3Report.pdf.

In enacting the CFAA, Congress chose to address a series of computer-related offenses in a single statute. The CFAA limits federal jurisdiction to situations where cybercrime is interstate in nature or when certain “protected computers” are the target of crime.

The CFAA criminalizes the act of causing certain types of damage to a protected computer without authorization or by exceeding authorized access. A protected computer is any of the following:

  • A federal government computer
  • A financial institution computer
  • A computer used in interstate or foreign commerce16

FYI

The CFAA does not define what access “without authorization” means. However, it does define what “exceeding authorized access” means.17 The failure to define the scope and limits of “without authorization” is one of the biggest criticisms of the CFAA. Many CFAA cases boil down to questions of access. There is a split among federal courts as to the meaning of authorized access under the CFAA. In April 2020, the U.S. Supreme Court agreed to hear a CFAA case in its upcoming term. As of this writing, no date for oral arguments has been set. The name of the case to watch is Van Buren v. United States. You can follow the court’s docket at https://www.supremecourt.gov/docket/docketfiles/html/public/19-783.html.

The CFAA treats protected computers as the victim of a crime. It addresses the following types of criminal activity:

  • Unauthorized access to a government computer
  • Unauthorized access to information on a protected computer
  • Unauthorized access to a protected computer that causes damage
  • Unauthorized access to a protected computer with an intent to defraud
  • Threatening to damage a protected computer
  • Unauthorized trafficking of passwords or other computer access information that allows people to access other computers without authorization and with the intent to defraud
  • Computer espionage

NOTE

Under the CFAA, essentially any computer that connects to the internet is a protected computer because the internet facilitates commerce between different states.

NOTE

Some sections of the CFAA require the government to show that the intruder caused damage. Under the CFAA, damage is “any impairment to the integrity or availability of data, a program, a system, or information.”19

The CFAA does not just address intruders or outsider attacks on protected computers. It also considers that insiders may exceed the access that they have been granted in a protected computer system. Because these people already have access to these systems, their access is not unauthorized. However, in some cases, they commit a crime if they exceed their scope of authorized access. Under the CFAA, a person exceeds authorized access when he or she accesses a computer with authorization but uses that access to get or alter information that he or she is not allowed to use or alter.18

TABLE 12-1 summarizes the CFAA provisions and potential penalties. In all instances, the penalties described are increased significantly if a defendant has a previous CFAA conviction.

TABLE 12-1 Computer Fraud and Abuse Act Summary

| CRIMINAL ACTIVITY | ACTION | GENERAL PENALTY |
|---|---|---|
| Protected computer trespass | Unauthorized access | A defendant can receive a fine, or up to 1 year in prison, or both. |
| Obtaining information from a protected computer | Unauthorized access; access in excess of authorized access | A defendant can receive a fine, or up to 1 year in prison, or both. The defendant also can be sentenced for a felony and up to 5 years in prison if aggravating factors exist. Repeat offenders can receive a fine, or 10 years in prison, or both. |
| Access of a protected computer with intent to defraud | Unauthorized access; access in excess of authorized access | A defendant can receive a fine, or up to 5 years in prison, or both. |
| Access to a protected computer that causes damage | Knowingly transmits a program, incorporation, or code that intentionally causes damage; intentional access that recklessly causes damage; intentional access that causes damage and loss | Damage by Code Transmission: A defendant can receive a fine, or 10 years in prison, or both. The defendant also can receive 20 years in prison for subsequent convictions or causing damage leading to serious bodily injury. A defendant can receive life imprisonment if the offense causes or attempts to cause death. Reckless Damage: A defendant can receive a fine, or 5 years in prison, or both. Repeat offenders can receive a fine, or 20 years in prison, or both. Damage and Loss: A defendant can receive a fine, or 10 years in prison, or both. |
| Threatening to damage a computer | Intent to extort | A defendant can receive a fine, or up to 5 years in prison, or both. |
| Trafficking in passwords | Knowing action, with intent to defraud | A defendant can receive a fine, or up to 1 year in prison, or both. Repeat offenders can receive a fine, or 10 years in prison, or both. |
| Computer espionage | Knowing access and willful transmission of information that could be used to injure the U.S. or its interests | A defendant can receive a fine, or up to 10 years in prison, or both. |

Computer Trespass or Intrusion

The CFAA is the main federal law addressing cybercrime. In addition to the CFAA, the federal government has some other laws that address computer trespass or intrusion. These laws generally address computers that the U.S. government owns or controls. Some laws, such as the CFAA, expand this definition to include computers used in interstate commerce.

State Laws Against Computer Trespass

It is important to keep in mind that states also may have computer trespass statutes that prohibit unauthorized access to computer systems or networks. Depending on the jurisdiction, these crimes have a variety of names. In many states, the mere act of intentionally entering a computer system or network without permission is a crime. In most jurisdictions, first-time computer trespass is a misdemeanor. The penalties for computer trespass may escalate if a person is charged and convicted of more than one offense.

Most trespass statutes address only unauthorized access into a computer system. They stop short of addressing actual computer tampering, access to information, or the injection of computer viruses or worms. These types of crimes, which are malicious in nature, typically are addressed in other statutes.

Federal law addresses fraud and related activity in connection with access devices. It outlaws the production, use, or sale of counterfeit or unauthorized access devices.20 Access devices include any item that can be used to obtain money, goods, or things of value. They include items such as a card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications services. A person who violates this law commits a felony. He or she can be imprisoned for 10 to 20 years depending upon the nature of the violation.

Theft of Information

Theft of information via computer networks is on the rise. Most of these crimes take the form of theft of personal identifying information or financial information. Financial gain is nearly always the motive for these crimes. The U.S. Federal Trade Commission (FTC) announced that fraud and identity theft were number one and two, respectively, on its list of top three consumer complaints for 2019.21

The federal Identity Theft and Assumption Deterrence Act (1998) makes identity theft a federal crime.22 The law makes it illegal for anyone to knowingly transfer or use another person’s identification with the intent to commit a crime. Under the law, an identification document is any document made or issued by the federal or a state government. Identifying information includes items you may be familiar with as personally identifiable information, such as name, Social Security number (SSN), and driver’s license number. It also includes:

  • Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation
  • Unique electronic identification number, address, or routing code
  • Electronic serial number or any other number or signal that identifies a specific telecommunications device or account
  • Any other piece of information that may be used to identify a specific person

If a person violates the law, she or he is subject to fines and criminal penalties of up to 15 years in prison. This period increases to 30 years in special circumstances, such as where identity theft is used to facilitate terrorism. Violators also must give any personal property used to commit identity theft crimes to the government. The U.S. Secret Service, FBI, U.S. Postal Inspection Service, and Social Security Administration’s Office of the Inspector General all have the power to investigate crimes committed under this law.

NOTE

The FTC’s identity theft website provides useful information about preventing identity theft. You can read more at https://www.consumer.ftc.gov/topics/identity-theft.

Interception of Communications Laws

Federal laws that address the illegal interception of communications forbid the use of eavesdropping technologies without a court order. Communications covered by the statutes include email, radio communications, electronic communications, data transmission, and telephone calls. The federal Wiretap Act (1968, amended) governs real-time interception of the contents of a communication.23 It does not apply to transmission information. The Act forbids the real-time interception of any wire, oral, or electronic communication. Communications covered by the Act include email, radio communications, data transmissions, and telephone calls. A person who violates the Act can be fined or imprisoned for up to 5 years, or both.

NOTE

The Pen Register and Trap and Trace Statute governs access to the real-time interception of headers, logs, and other transmission information.24

The Electronic Communications Privacy Act (ECPA; 1986) governs access to stored electronic communications.25 This includes access to the contents of the communication and the headers and other transmission information. The ECPA is an amendment to the original Wiretap Act.

The ECPA governs access to the contents of stored communications, as well as access to transmission data about the communications. Under the ECPA, no one may access the contents of these communications unless it is allowed somewhere else in the ECPA. A person who violates the Act can be fined or imprisoned for up to 5 years, or both. Repeat offenders can be imprisoned up to 10 years.

Spam and Phishing Laws

Congress created the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act in 2003.26 The Act covers unsolicited commercial email messages known as spam. Spam is unsolicited electronic junk mail that a user may receive. Spam is a nuisance to the recipient. The CAN-SPAM Act has both civil and criminal provisions.

The CAN-SPAM Act requires commercial email senders to meet certain requirements. Commercial messages are messages with content that advertises or promotes a product or service. The Act also forbids sending sexually explicit email unless it has a label or marking that identifies it as explicit.27

Commercial email message senders must meet the following CAN-SPAM requirements:

  • Do not use false or misleading header information.
  • Do not use deceptive subject lines.
  • Identify the email message as a commercial advertisement.
  • Include a valid physical postal address.
  • Inform message recipients how to opt out of future email messages.
  • Promptly process opt-out requests.
  • Monitor the actions of third parties that advertise on the sender’s behalf.28

NOTE

The FTC helps businesses understand the CAN-SPAM Act. You can view their business compliance guide at https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business.

The FTC enforces the civil provisions of the CAN-SPAM Act. Violations of the Act are enforced by the FTC in the same way that it enforces unfair or deceptive trade practices.29 The FTC also has promulgated rules for businesses to follow. The FTC completed its first review of the CAN-SPAM Act in 2019 and determined that it would make no changes to the rule because of its benefit to consumers.30

The CAN-SPAM Act also has criminal provisions. It includes penalties for:

  • Accessing another person’s computer without permission to send spam
  • Using false information to register for multiple email accounts or domain names
  • Relaying or retransmitting spam messages through a computer to mislead others about the origin of the email
  • Harvesting email addresses or generating them through a dictionary attack
  • Taking advantage of open relays or open proxies without permission to send spam31

The U.S. Department of Justice enforces the criminal provisions of the CAN-SPAM Act. Criminal penalties include fines or imprisonment of up to 5 years. The first conviction under the CAN-SPAM Act occurred in 2004. In that case, the defendant searched for unprotected wireless access hotspots and exploited them to send spam messages that advertised pornographic websites. Eventually, the court sentenced the defendant to 3 years’ probation and 6 months of home detention. He also had to pay a $10,000 fine.32

NOTE

The criminal provisions of the CAN-SPAM Act allow the U.S. government to prosecute hackers who use email.33

FYI

Spam email messages also can be phishing attempts. There is no federal anti-phishing law. However, phishing attacks can be prosecuted under several different federal laws. This includes many of the laws already discussed in this section. For example, if the phishing attackers are attempting to steal personal information, they may be committing identity theft. In that case, the federal Identity Theft and Assumption Deterrence Act would apply. They also may be committing computer fraud or access-device fraud. Some phishing attacks also can be prosecuted under the CAN-SPAM Act.

If a phishing attack includes malicious activity, such as spreading computer viruses, then the CFAA would apply. Phishing scams also can violate state laws on fraud and identity theft.

Cybersquatting

Cybersquatting is the bad-faith registration of a domain name that is a registered trademark or trade name of another entity. Congress created the Anti-Cybersquatting Consumer Protection Act (ACPA) in 1999.34 It is designed to stop people from registering domain names that are trademarks that belong to other entities.

The ACPA allows entities to sue cybersquatters. To prove such a case, the plaintiff must show that the cybersquatter registered the trademark in bad faith with the intent to profit from the registration. The ACPA includes nine factors that help a court determine bad faith.35 Those factors are:

  • A person’s intellectual property rights in the domain name
  • Whether the domain name consists of the legal name of the person
  • The person’s prior use of the domain name in connection with the sale of goods or services
  • The person’s noncommercial or fair use of the domain name
  • The person’s intent to divert consumers from the mark owner’s own website
  • The person’s offer to sell the domain name without having used the domain name for the sale of goods or services
  • Whether the person gave false or misleading contact information when registering the domain name
  • Whether the person registered multiple domain names that are identical or confusingly similar to marks owned by others
  • Whether the mark incorporated in the domain name is famous and distinctive

Under the law, a plaintiff can recover damages and ask the court to issue an injunction that stops the cybersquatter from using the contested domain name. Courts also can award the contested domain name to the winning party.

Malicious Acts

Common malicious information security acts include malware, worms, viruses, and Trojan horses. For the most part, the federal government can prosecute these types of activities under the CFAA.

Under the CFAA, the intentional transmission of malware, viruses, or worms that damage a protected computer is a felony. Remember that for the CFAA, almost any computer connected to the internet is a protected computer. The government can charge people who violate this provision of the CFAA with a felony that can be punished with up to 10 years in prison.

Cyberstalking, the use of the internet to stalk another person in a threatening way, is also a malicious act. Cyberstalkers could use email, instant messages, blogs, social networking platforms, and even entire websites to target their victims. Cyberstalking is sometimes also referred to as cyberharassment.

Many traditional state laws on stalking and harassment have been updated to include language about cyberstalking. Similar to many other cybercrimes, cyberstalking often crosses state borders. At the federal level, cyberstalking is prohibited under several different laws:

  • The Telephone Harassment Act—Makes it illegal to use the internet to transmit any message to harass or threaten another person.36
  • The Interstate Stalking and Prevention Act—Makes it illegal for anyone who travels across states to use any interactive computer service to cause substantial emotional distress.37
  • The Interstate Communications Act—Makes it illegal to transmit in interstate commerce any threat to injure another person.38

Cyberbullying is closely related to cyberstalking. The distinction is that cyberbullying is harassment that takes place between school-aged children.39 Depending on the situation, state cyberbullying or cyberstalking laws tend to apply most in these cyberharassment situations. Currently, no federal law directly addresses cyberbullying. The federal government has attempted to expand the use of the CFAA into the area of cyberbullying with little success.

In 2008, the Department of Justice indicted Lori Drew for violating the CFAA.40 The government argued that her activities on a social networking service exceeded her authorization in the use of a protected computer. She exceeded her authorized access by using the site in excess of the use authorized by the site’s terms of service agreement. A jury found her guilty of a misdemeanor CFAA violation. That conviction was set aside in August 2009. The judge found that there were several problems in applying the CFAA to the case.41 The government did not appeal the judge’s reversal. Many federal courts have since found that violating the terms of service agreement for a website is not a CFAA violation.

NOTE

Learn more about preventing cyberbullying at www.stopbullying.gov.

Well-Known Cybercrimes

The list of well-known cybercrimes changes every day. The CFAA, the “go-to” act for federal prosecution of cybercrime, is very broad, and almost any type of internet-related crime involving computers will fall within its scope. Prosecutors often include CFAA charges with other federal criminal charges if a computer is involved in the commission of a crime.

Some cybercrimes are well known because they were “first.” For example, the Morris worm was one of the first computer worms on the internet. At the time, it infected and overwhelmed many government systems. The creator of the worm was the first person charged with violating the CFAA.42

The CFAA also was used to prosecute the creator of the Melissa virus.43 When it was released, the Melissa virus was one of the fastest-moving and most destructive viruses. David Smith created and distributed the Melissa virus in 1999. The virus caused more than $80 million in damage. He was sentenced to 20 months in federal prison in May 2002. He also was fined $5,000.

NOTE

You can learn how the federal government is prosecuting cybercrime by visiting the Department of Justice Computer Crime and Intellectual Property web page. The “Press Releases” page lists recent cybercrime prosecutions. The web page is available at http://www.justice.gov/criminal/cybercrime/.

Other cybercrimes are well known because they are among the biggest or the perpetrators have received notable punishments. For instance, one of the hackers in the TJX Companies, Inc. case received the harshest-ever sentence for a hacking case in March 2010. The federal government had charged him with violating the CFAA, federal laws related to access device fraud, and the Identity Theft and Assumption Deterrence Act. The hacker, Albert Gonzalez, was sentenced to 20 years in prison. He was also fined $250,000.44
