If cyberspace is a type of community, a giant neighborhood made up of networked computer users around the world, then it seems natural that many elements of a traditional society can be found taking shape as bits and bytes. With electronic commerce comes electronic merchants, plugged-in educators provide networked education, and doctors meet with patients in offices on-line. It should come as no surprise that there are also cybercriminals committing cybercrimes.
As an unregulated hodgepodge of corporations, individuals, governments, educational institutions, and other organizations that have agreed in principle to use a standard set of communication protocols, the Internet is wide open to exploitation. There are no sheriffs on the Information Superhighway waiting to zap potential offenders with a radar gun or search for weapons if someone looks suspicious. By almost all accounts, this lack of “law enforcement” leaves net users to regulate each other according to the reigning norms of the moment.
Community standards in cyberspace appear to be vastly different from the standards found at the corner of Main Street and Elm in Any City, USA. Unfortunately, cyberspace is also a virtual tourist trap where faceless, nameless con artists can work the crowds. Mimicking real life, crimes and criminals come in all varieties on the Internet. The FBI’s National Computer Crime Squad is dedicated to detecting and preventing all types of computer-related crimes. Some issues being carefully studied by everyone from Net veterans and law enforcement agencies to radical pundits include:
Using software tools installed on a computer in a remote location, hackers can break into computer systems to steal data, plant viruses or trojan horses, or work mischief of a less serious sort by changing user names or passwords. Network intrusions have been made illegal by the U. S. federal government, but detection and enforcement are difficult. Limitations with the law as it is currently written can be seen upon examining Kevin Mitnick’s recent plea bargain, wherein there is little connection between his final plea and the crimes he allegedly committed. Corporations, like governments, love to spy on the enemy.
Networked systems provide new opportunities for this, as hackers-for-hire retrieve information about product development and marketing strategies, rarely leaving behind any evidence of the theft. Not only is tracing the criminal labor-intensive, convictions are hard to obtain when laws are not written with electronic theft in mind. According to estimates by the U. S. Software Publisher’s Association, as much as $7. 5 billion of American software may be illegally copied and distributed annually worldwide. These copies work as well as the originals, and sell for significantly less money.
Piracy is relatively easy, and only the largest rings of distributors are usually caught. Moreover, software pirates know that they are unlikely to serve hard jail time when prisons are overcrowded with people convicted of more serious crimes. From the legal perspective, prosecutors in the Dave LaMacchia case found that matching charges to an alleged crime was not an easy task. This is one crime that is clearly illegal, both on and off the Internet. Crackdowns may catch some offenders, but there are still ways to acquire images of children in varying stages of dress and performing a variety of sexual acts.
Legally speaking, people who use or provide access to child porn face the same charges whether the images are digital or on a piece of photographic paper. Trials of network users arrested in a recent FBI bust may challenge the validity of those laws as they apply to online services. Software can be written that will instruct a computer to do almost anything, and terrorism has hit the Internet in the form of mail bombings. By instructing a computer to repeatedly send electronic mail (email) to a specified person’s email address, the cybercriminal can overwhelm the recipient’s personal account and potentially shut down entire systems.
This may or may not be illegal, but it is certainly disruptive. Well-known journalists Joshua Quittner and Michelle Slatalla learned the hard way what it feels like to be targeted by mail bombs when their home computer was flooded with jibberish and their phone lines were rerouted for a weekend. Password sniffers are programs that monitor and record the name and password of network users as they log in, jeopardizing security at a site. Whoever installs the sniffer can then impersonate an authorized user and log in to access restricted documents.
Laws are not yet set up to adequately prosecute a person for impersonating another person on-line, but laws designed to prevent unauthorized access to information may be effective in apprehending hackers using sniffer programs. The Wall Street Journal suggests in recent reports that hackers may have sniffed out passwords used by members of America OnLine, a service with more than 3. 5 million subscribers. If the reports are accurate, even the president of the service found his account security jeopardized.
Spoofing is the act of disguising one computer to electronically “look” like another computer in order to gain access to a system that would normally be restricted. Legally, this can be handled in the same manner as password sniffers, but the law will have to change if spoofing is going to be addressed with more than a quick-fix solution. Spoofing was used to access valuable documents stored on a computer belonging to security expert Tsutomu Shimomura. The U. S. Secret Service believes that half a billion dollars may be lost annually by consumers who have credit card and calling card numbers stolen from on-line databases.
Security measures are improving, and traditional methods of law enforcement seem to be sufficient for prosecuting the thieves of such information. Bulletin boards and other on-line services are frequent targets for hackers who want to access large databases of credit card information. Such attacks usually result in the implementation of stronger security systems. Since there is no single widely-used definition of computer-related crime, computer network users and law enforcement officials must distinguish between illegal or deliberate network abuse versus behavior that is merely annoying.
Legal systems everywhere are busily studying ways of dealing with crimes and criminals on the Internet. Currently, the prosecution of cybercriminals is handled differently from one jurisdiction to another. The results of high-profile cases involving Kevin Mitnick, Jake Baker, and Dave LaMacchia could have significant ramifications for the legal world. Kevin Mitnick, alternately described as anything from a genius to a menace, was arrested on February 15, 1995, for allegedly breaking into the home computer of Tsutomu Shimomura, a well-respected member of the computer security world.
Known to hackers around the planet as “Condor,” a name taken from the Robert Redford movie” Three Days of the Condor,” Mitnick was suspected of spoofing his way through Shimomura’s elaborate blockade and stealing computer security tools to distribute over the Internet. By July 1, Mitnick’s lawyer and federal prosecutors had reached a plea bargain agreement whereby Mitnick would admit to “possessing unauthorized access devices” and the prosecutors would drop the other 22 charges brought against the renowned hacker. Mitnick’s admission of guilt carried a maximum prison sentence of eight months.
Dave LaMacchia was indicted by a grand jury on April 7, 1994 on charges of “conspiracy and scheme to defraud. ” The charges stemmed from LaMacchia’s involvement in the operation of a pair of bulletin board systems (BBS) at the Massachusetts Institute of Technology (MIT). The boards, called CYNOSURE I and CYNOSURE II, were allegedly used as distribution centers for illegally copied software. In this case, the law was not prepared to handle whatever crimes may have been committed. The judge ruled that there was no conspiracy and dismissed the case.
If statutes were in place to address the liability taken on by a BBS operator for the materials contained on the system, situations like this might be handled very differently. Jake Baker, a student at the University of Michigan in Ann Arbor, was arrested by FBI agents on February 9, 1995 and charged with “transmitting threats across state lines. ” The charge came about after it was discovered that Baker had posted an erotic fantasy on the Internet in which he raped and tortured a character with the same name as one of Baker’s real-life classmates.
The charges were later revised to making a “threat to injure another person,” but in the meantime Baker had been suspended from the University of Michigan and his story had made headlines around the world. The case raises issues beyond the legality of posting a fantasy in which a living person’s name is used. Many people have expressed concern over whether Baker’s civil liberties were violated when he was suspended and how much liability an individual has when posting materials to the Internet.
Baker was eventually acquitted, in part because his story was determined to be “self expression” and did not constitute a threat. Legal systems are not yet adequately prepared for the variety of crimes that can be committed over computer networks. The legality or illegality of “cybercrimes” is ambiguous, although certain jurisdictions are taking steps to answer these questions. Florida, California, Texas, and Georgia are leading the way with statutes designed specifically to combat cybercrimes.
