jim.shamlin.com

Criminal Sanctions Against Electronic Intrusion

This chapter intends to discuss the "international dimension of electronic intrusion," including some of the different legislative approaches adopted by various countries in addressing both the incidence of crime and the specific problem of jurisdiction.

INTRODUCTION

Some basic facts:

  1. Electronic intrusion is an international phenomenon, in which the actions of a perpetrator within the borders of one nation may affect a victim in a different nation, resulting in issues of jurisdiction.
  2. Nations have different approaches to electronic intrusion. Some do not consider it to be a crime, and refuse to prosecute, where others have detailed laws and remedies.
  3. The rapid evolution of technology has led to laws that are specific, but soon become obsolete, and laws that are too general to be enforceable.

As a result of these factors, there are no uniform solutions in combating electronic intrusions.

DEVELOPMENT OF COMPUTER-SPECIFIC LEGISLATION CONCERNING ELECTRONIC INTRUSION

Before the advent of the Internet, a computer was a location-specific device, and data was either contained within a computer system or transported on physical media (tapes, diskettes, etc.). During this period, computer-related crimes were limited (fraud by falsification of data, sabotage to systems, data espionage, and illegal access). Crime was location-specific and the questions of jurisdiction were clear, and laws to prevent "intrusion" to a computer system were unnecessary because there was a legal framework to prosecute the actions (unlawful entry, breaking and entering, etc.) requisite to having access.

With the advent of modem connections, a new form of crime emerged: "hacking" into remote data systems. The action was quickly criminalized (to varying degrees), and it remained fairly simple to detect and prosecute criminals because they were still largely limited by physical location (computers being bulky devices) and the communications network (telephone lines) was proprietary.

The advent of the Internet has made electronic intrusion a far more difficult problem: the network is always active, there is no central monitor or authority, and it is international. The author doesn't mention the portability of network-connected devices (a laptop computer) and the proliferation of open networks (especially wireless networks), and the large international audience the network has drawn.

National governments have not kept pace: while many recognize the problem, and accept the responsibility to treat electronic intrusion as a political matter, most governments act independently to address a problem that extends beyond their borders, and international cooperation has been scant and largely informal.

What follows in this chapter are general classifications of actions that are generally deemed illegal, and anecdotal evidence of the legal remedies that various nations or cooperative organizations among nations have adopted.

Illegal Access to Computer Systems and/or Hacking

"Hacking" (gaining access to data without authorization by the owner of that data) was one of the earliest computer crimes and one that remains the primary cause for concern. Initially, the act of hacking was difficult to prosecute: not only was it difficult to prove, but it was difficult to convince a jury that merely looking at data or making copies of files did any damage to the alleged victim.

To punish hacking, the act of merely gaining access to a computer or system had to be criminalized, in the absence of any consequence. In some instances, hacking is akin to fraud (presenting false credentials), in others, it is merely the intentional act of attempting to gain access to a secure system (though the precise actions may differ, a common theme is the perpetrator is aware they are not authorized and makes a concerted attempt to gain access).

The punishments prescribed for offenders also vary. In some instances, there is no criminal remedy unless the user took additional actions (downloaded information, attempted to sabotage systems, etc.) after hacking in. And as with larceny, some countries have graduating remedies depending on the extent of the damage (measured in dollars) that is done.

Other countries criminalize the mere act of hacking into a system - or even attempting to hack into a system (where harmful intent is presumed). In other countries, preparatory acts are punishable by law - possessing software, or writing code, whose purpose is to facilitate an automated hack.

Integrity of Information and Computer Systems

Hacking deals with gaining access to data, but there is a separate body of laws that protect the integrity of computers and information systems. As with hacking, unauthorized access was difficult to define and prove, and it was difficult to convince juries that harm was done, except in cases where the action caused appreciable damage.

Additionally, laws that would protect the integrity of a system were lacking in specificity: what constitutes "authorized" access (password sharing), what constitutes a "secure" system (some systems were not locked down and people wandered in), what constitutes an intrusion - all these questions lacked clear definition.

Where interruption of service is concerned, attacks on the system and interference with network traffic to a system are defined differently - sometimes, one or the other is criminalized, sometimes both, and the two may be addressed by separate legislation. There are instances in which physical damage to a computer system is handled separately from other kinds of property damage, and others where existing statutes extend to computer systems. Also, there is substantial variance in the definition of the actions that constitute a violation.

On computer viruses, some laws punish creating one, possessing one, or disseminating one, and there are likewise differences in the definition. In some instances, a virus is not punishable, in itself, unless it causes damage - but in others, the mere possession of the program is criminal.

The motivation of the perpetrator is also a matter of some debate. In the strictest sense, an action may be punished without question as to the actor's intent; in others, the prosecution must prove an intent to destroy information or hinder functionality in a criminal case (though unintentional or negligent damages can often be pursued under civil statutes).

EN: I have skipped the anecdotal evidence - it gets rather lengthy. Point is: different countries have vastly different laws in this area.

Illegal Interception of Electronic Data Transfer

Most legal systems punish the intentional interception of data transfer as a violation of private communications. It is treated in a similar way to intercepting mail, wiretapping, or unauthorized surveillance of private communications (bugging). However, it may be handled as a civil or criminal matter.

In some instances, there are specific statutes for the electronic medium, and in others, there are limitations to what is considered "private" (unencrypted data transmission, information that is public knowledge, etc.). Generally, the intent of the actor to intercept information, and knowledge that the information was intended to be private, are requisite to prosecution.

Misuse of Devices

Some statutes are in place to criminalize the creation, possession, transmission, or sale of devices (hardware and software) that could be used for nefarious purposes, even if no criminal act has been committed.

There is a great deal of variance in existing statutes and the author asserts that all are inherently problematic. In particular, the statutes do not consider the potential use of the devices for non-criminal activities, the use of these devices to test the security of a system, and the potential to mis-classify benign devices as criminal.

EN: There's additional discussion, but the fundamental principle of criminalizing an object as a means of controlling action is a common argument in many other venues (gun control, drugs, etc.)

Responsibility of Internet Service Provider

In addition to the criminal liability of the direct offender, some laws create an additional liability to a service provider who "assists" or "abets" the activity of a criminal by providing him with access (internet access, access to systems) that is used in a crime.

This is similar in nature to object criminalization (a vendor that sells a knife is liable to the stabbing victim) and has similar problems - but because the medium enables service providers to monitor and control the activities of users, there is a stronger case for requiring them to use this capability to prevent illegal actions, or hold them liable (if only by the standard of negligence) for failing to do so.

This is especially troublesome when a crime crosses national boundaries: a company in one jurisdiction may comply with the laws in that area, but may not be in compliance with the jurisdiction in the victim's locale (EN: this is especially troublesome with the state of California, which requires the entire internet to comply with their laws when communicating with their citizens).

CONCLUSION

While most legal systems of the world recognize the necessity to protect against electronic intrusion, there is a great deal of variance that will cause strife when borders are crossed, and this may mean that innocent parties may be wrongfully prosecuted or guilty parties may be wrongfully pardoned - and in the civil courts, there will inevitably be conflict among the court systems in different states or nations, to the detriment of the electronic community and economy. Hence, the author stresses a need for a convention to work toward common ground.

