From: Security Management, April, 1996, pp. 59-67

Computer security: Legal Lessons in the Computer Age

Computer technology has changed the nature of crime. And now legislatures and the courts are racing to catch up.

By Mark D. Rasch

Computers and computer networks create new categories of crimes that did not exist in the precomputer age. For example, files may be stolen even though the owner still retains copies. Money may be siphoned using so-called "salami-frauds" or "round-down" frauds where hundredths of a cent may be shaved off millions of transactions. Private information may be intercepted through interference with e-mail. Services, including the simple use of computers and computer networks, may be usurped by ingenious hackers.

While technology has advanced quickly, the law has not. New crimes often do not fit the parameters of the preexisting legal framework.

Since 1982, Congress has attempted to craft new statutes covering computer crime. Those efforts have helped, but gaps remain. As new cases make their way through the legal system, some of these gaps are being filled in by precedent setting decisions. Companies hoping to protect their systems and information, while also avoiding inadvertent violations of the law themselves, face the challenge of working within this confusing and evolving legal framework.

Current law

The first truly comprehensive federal computer crime statute was the Computer Fraud and Abuse Act of 1986 (CFAA). The statute was the rewritten version of a 1984 statute that proved inadequate in dealing with the problem of computer crime.

The act amended Title 18 United States Code Section 1030 to enhance penalties for six types of computer activities: the unauthorized access of a computer to obtain information of national secrecy with an intent to injure the United States or give advantage to a foreign nation; the unauthorized access of a computer to obtain protected financial or credit information; the unauthorized access into a computer used by the federal government; the unauthorized interstate or foreign access of a computer system with an intent to defraud; the unauthorized interstate or foreign access of computer systems that results in at least $1,000 aggregate damage; and the fraudulent trafficking in computer passwords affecting interstate commerce.

Perhaps the most famous application of this statute was United States v. Morris (Second Circuit, 1991), the 1989 prosecution of Robert Tappan Morris, a Cornell University graduate student who, on November 2, 1988, released a computer "worm" across the Internet computer network.

Despite the successful prosecution in the Morris case and several other famous computer crime prosecutions (including prosecutions of computer hackers of the Legion of Doom and Masters of Deception), problems continued with the statute. The most glaring was the omission of what was called malicious code -- computer viruses that could alter, damage, or destroy computerized information.

As a result, in 1992 Congress amended the computer crime statute to punish those who, without the knowledge and authorization of the "persons or entities who own or are responsible for" a computer, bring about the transmission of "a program, information, code, or command to a computer or computer system" with the intent to cause damage to the computer or information in the computer or prevent the use of the system.

As well as punishing intentional conduct, the amended statute criminalizes those who act "with reckless disregard or a substantial and unjustifiable risk" of damage or loss, and would create a civil cause of action to obtain compensatory damages or injunctive relief for "any person who suffers damage or loss by reason of a violation of the section."

In addition to protecting the data contained on computers, federal law also attempts to protect the integrity or confidentiality of electronic communications -- either during transmission or while stored. Section 2701 protects e-mail messages by making it illegal to destroy e-mail messages or access them without authorization.

In addition, in 1986 Congress amended the federal wiretap law, passing the Electronic Communications Privacy Act (ECPA) to expand federal jurisdiction and to criminalize the unauthorized "interception" of stored and transmitted electronic communications. The statute makes it unlawful to either intercept or disclose the contents of electronic communications, except as provided by statute. Thus, capturing or monitoring the contents of e-mail messages, electronic communications, or stored electronic communications may violate these provisions.

The law does permit providers of telecommunications facilities to engage in some monitoring for the protection of those facilities. In addition, the law allows monitoring if at least one of the parties to the monitoring has consented. Thus many companies use warning banners to notify users of their intent to monitor electronic mail, creating an implied consent.

The Justice Department's Computer Crime Unit, in conjunction with a number of federal agencies known as the Computer Search and Seizure Working Group, has developed guidelines to address seizing computers and handling computer evidence. (See [Security Management's] "Legal Reporter," May 1995.)

The guidelines run several hundred pages, addressing the many scenarios under which government officials could, in connection with criminal investigations, search or seize a company's (or a person's) computer data or equipment -- including everything from computer hardware to e-mail messages.

Additional computer crime provisions have been included in the Senate crime bill, S. 1495, and in the National Information Infrastructure Act, S. 982. If enacted, these measures would increase penalties for computer crime and include harassment through computer communications as a computer crime. S. 982 would also expand the scope of the federal computer crime statute to criminalize unauthorized access to all information contained in a computer. However, it is unclear whether these bills -- which have been stalled in committee -- will pass during this congressional session.

Evolving precedents

Where new laws have not kept up with the changing face of crime, authorities have used traditional statutes -- mail and wire fraud, larceny, theft of services, embezzlement, trespass, and destruction of property -- to prosecute individuals who commit forms of computer abuse. Because these laws were not written with computer crimes in mind, courts must carve out new precedents.

Information.

The application of common law concepts of fraud, theft, and trespass were an ill fit to the new technology that emerged in the late 1960s. For example, the federal embezzlement statute (18 U.S.C. Section 641) proscribes the "conversion" or taking for one's own purposes of federal property. (There is no federal statute relating to the taking of commercial property). But it was unclear from the statute's inception whether information contained on a computer was truly property subject to conversion. The computer crime law of 1986, as already discussed, carved out certain circumstances under which the tampering with or taking of computer information would be a crime, but it did not establish a blanket protection for digitized information.

While some early cases, such as Chappel v. United States (Ninth Circuit, 1959), held that the embezzlement statute applies only to "corporeal or tangible property," most courts have ruled in the opposite direction. Convictions have been upheld for unauthorized use of computer time, theft of grand jury transcripts, and photocopying government records. Most recently, in United States v. McAusland (Fourth Circuit, 1992), an employee was convicted of embezzlement for stealing a competitor's confidential bid information. The defendant, an employee of a defense contractor, obtained bid information by working with an employee at a competing company. The defendant was convicted of conspiracy to embezzle. While computer and computer information were not used in the crime, the case set the groundwork for determining whether information can be considered property.

Other difficulties arise in the prosecution of individuals for the theft of information. For example, the crime of theft or larceny, according to common law, requires proof of "asportation" or the "taking away" of the property. In the instance of theft of computerized information, the stolen property may remain precisely where it was, and the owner may not be deprived of its use.

Similarly, concepts of trespass and breaking and entering do not fit well into the electronic environment. There is no physical entry into the computer, and therefore, no common-law trespass. Prosecutors have attempted to base charges on provisions of the wire fraud statutes, again with mixed results. For example, in United States v. Riggs (Northern District of Illinois, 1990), defendants Robert Riggs and Craig Niedorf, admitted computer hackers, devised what the district court accepted to be a scheme to steal software and other intellectual property belonging to Bell South. The data was designed to regulate the company's enhanced 911 (E911) emergency call system.

Riggs accessed the Bell South computer using other people's passwords and downloaded a text file that described the system. Though theoretically the pair could have been convicted under the wire fraud statute for stealing passwords, the two were never charged with this crime. Instead, the case concentrated on whether the information stolen could be considered property. The attorneys for the defense argued that the E911 data did not constitute property and that, therefore, no crime was committed.

In this instance, the court shared the prosecutor's view that the old law could be adapted to address the new crime. The district court, in denying the motion to dismiss the wire fraud count, observed: "... the object of the defendants' scheme was the E911 text file, which Bell South considered to be valuable, proprietary information. The law is clear that such valuable, confidential information is 'property,' the deprivation of which can form the basis of a wire fraud charge."

Other courts have come to the opposite conclusion. For example, United States v. LaMacchia (District of Massachusetts, 1994) involved a twenty-one-year-old student (David LaMacchia) at the Massachusetts Institute of Technology who had created an electronic bulletin board on the Internet that was accessible to anyone. He actively encouraged correspondents to upload copyrighted commercial software, which he then posted to another bulletin board for download by others.

Because he made no money from this endeavor, LaMacchia could not be charged with criminal copyright violations. (The case is distinct from civil copyright cases, which require no evidence of economic benefit.) Instead, he was indicted for one count of conspiring to commit wire fraud. According to the indictment, he was facilitating the illegal copying and distribution of copyrighted software without payment of licensing fees and royalties to software manufacturers and vendors.

The district court, relying in large measure on the Supreme Court's holding in Dowling v. United States, 473 U.S. 207 (1985), took the unusual step of dismissing the wire fraud indictment prior to trial. In Dowling, the Supreme Court reversed a defendant's conviction for interstate transportation of stolen property. That case had involved the shipping of pirated Elvis Presley recordings across state lines without permission and without the payment of royalties to the copyright holder.

The Dowling court found that while a criminal copyright violation may have occurred in that case (because the transportation of the recordings was for profit), no violation of the statute could be found because the property transported across state lines -- the recordings -- was not truly stolen. The Supreme Court suggested that the recordings, while evidence of potential copyright violations, were not property "taken" by fraud.

In LaMacchia, the district court observed that the dismissal of the fraud indictment was mandated by the ruling in Dowling because of the fundamental difference between intellectual property and tangible property.

In another case, United States v. Brown (Tenth Circuit, 1991), the circuit court, also relying on Dowling, reversed the defendant's conviction for stealing a source code created by his former employer. The defendant had downloaded a copy of the source code onto his home computer, which was discovered later when a search was conducted in accordance with a warrant. This is not prosecutable under the Computer Fraud and Abuse Statute because it did not involve unauthorized entry. Dowling used his old password, which had not been purged from the computer system, to obtain the data.

In dismissing the indictment, the court observed that "Dowling holds that the statute applies only to physical goods, wares, or merchandise. Purely intellectual property is not within this category. It can be represented physically, such as through writing on a page, but the underlying, intellectual property itself, remains intangible."

While deprived of criminal remedies, companies can still pursue civil cases. The intent behind the law is to protect those that, for example, download copyrighted material to read later. It also makes these types of copying distinct from those taking material to resell it or gain other economic benefit.

The bills pending before Congress would expand the definition of economic benefit to include the bartering of software. Such a law might have criminalized LaMacchia's conduct.

Trade secrets.

Various states have statutes that criminally punish the theft or misappropriation of trade secrets. But charges would only be appropriate under this law if the prosecutor could demonstrate that the information at issue was a trade secret and that the owner of the property and the defendant had entered into an agreement restricting rights to the information that was taken.

Trade secret case law in the computer age was established in the 1970s in cases where employees were convicted under state trade secret laws for downloading and printing an employer's proprietary software.

Where the offender is not an insider, a trade secret prosecution is not an option. Furthermore, while the misuse of a trade secret, like the misuse for profit of copyrighted information, may constitute a criminal offense, the mere possession of a trade secret or its misappropriation may not constitute a crime.

A recent case typifies the problem of the enforcement of trade secrets in cyberspace. In Religious Technology Center v. Netcom et al (Northern District of California, 1995), the court declined to continue an injunction preventing the further publication of the trade secrets of the Church of Scientology.

One of the defendants in the case had obtained what the court concluded were secret internal documents of the church and had posted them on various Internet newsgroups. The defendant asserted that he had received some of the documents from various anonymous, publicly accessible Internet sites. The court concluded that information posted to the Internet could no longer be considered secret. Therefore, the individual who obtained the information from a public domain could not be held responsible for theft of trade secrets.

Further, the court ruled that "...evidence that another individual has put the alleged trade secrets into the public domain prevents the plaintiff from further enforcing its trade secret rights to those materials." (In a copyright case involving the same incident, a court ruled that copyrights still apply to material on the Internet.)

Privacy.

In Steven Jackson Games Inc., v. United States Secret Service (Fifth Circuit, 1994), the court held that the seizure of a computer containing unread e-mail is not an unlawful intercept under the Electronic Communications Privacy Act.

Steven Jackson Games, Inc., (SJG) -- a publisher of books, magazines, and computer games -- operated a bulletin board system that was accessible to SJG employees, customers, and freelance writers. One of SJG's employees was implicated in a scheme to steal proprietary information. As a result, the federal government seized SJG's computers, including unread e-mail messages. SJG sued the Secret Service for violation of the Privacy Protection Act and the Electronic Communications Privacy Act -- under which it is illegal to intercept electronic communications but legal for government officials to view stored electronic communications after obtaining a warrant.

Because the Secret Service obtained a warrant to search the property but not to seize computer information, the appeals court awarded damages to SJG. However, the court also ruled that the Secret Service did not violate the first provision of the ECPA because the email communications on the computer were not intercepted while they were being transmitted.

Services. It is clear that computer time, in appropriate circumstances, constitutes a thing of value. Computers and computer networks are expensive machines and cost time and money to establish and maintain. However, the unauthorized use of computer time does not always deprive the owner of the use of his or her computer.

Efforts to apply theft statutes to the theft of computer services have met with mixed success. In several cases tried in the late 1970s, the courts found that unauthorized use of computer time did not constitute a crime. Since then, the court decisions have shifted. Some courts have found employees guilty of mail fraud and embezzlement for using computers for personal business.

In Lund v. Commonwealth (Virginia, 1977), the court refused to find an offense in the unauthorized use of a computer. Likewise, in State v. McGraw (Indiana, 1985), the court found that an employee's computer use did not deprive the owner of the ability to use the computer system, nor did it constitute a theft of services. In United States v. Sampson (Northern District of California, 1978), the court found that unauthorized use of computer time constituted embezzlement, and in United States v. Kelly (Eastern District of Pennsylvania, 1981), an employee was convicted for mail fraud because computer time used for private means was considered a scheme to deprive the employer of services.

Most recently, the Arizona Court of Appeals has added another twist in Re Commodore Computers, 804 P.2d 100 (Arizona Appeals Court, 1991), finding that state and federal crime statutes were not sufficient to judge whether the defendant had used the computer to gain unauthorized access into his employer's computer system. A long distance telephone company had noticed repeated attempts to break into its computer system. An investigation found that the attacks were coming from a telephone company employee's personal computer.

The court ruled that such evidence did not prove that the person attempted to gain unauthorized access. In addition, the court ruled that the seizure of the employee's computer was unauthorized under the Arizona computer crimes act. The act states that a computer cannot be forfeited due to an attempted computer break-in.

Property destruction. Another offense complicated by the nature of computers is the destruction of property. If an offender equipped with a sledge hammer pummels a computer into an unrecognizable pile of chips and wires, he or she has clearly committed the offense of destruction of property. If the same offender, equipped with a modem, deletes files from a computer system, all he or she has done is to change the polarity of a magnetic medium, which may or may not constitute a destruction of property.

While Congress attempted to address this concern with the Computer Fraud and Abuse law, it does not clearly define the concept of "loss." If information is stolen from a company, but the data still resides on the organization's computer system, it is unclear whether a loss has occurred.

The federal statute, rather than address destruction of property, addresses the concept of loss through unauthorized access, leaving open the question of whether computerized information is property and whether theft or deletion of the information is destruction of that property.

Companies may find their level of legal recourse for such destructive actions varies depending on the state in which the crime occurs. Texas, for example, adapted its legal code to criminalize unauthorized conduct that causes a computer to malfunction or that destroys or alters computer data.

In Burleson v. Texas (Texas Appeals Court, 1991), Burleson, a senior programmer, was fired. In retaliation, he inserted into the company's computer system a software program called a logic bomb. The program was designed to delete files responsible for calculating payroll commissions for more than 400 employees.

In this case, the crime was committed in a state that had brought its laws up to date. He was successfully prosecuted for violation of the Texas computer crime statute, passed in 1985 and updated in 1989, which makes it a crime for anyone to knowingly cause a computer to malfunction without the authorization of the owner or to alter, damage, or destroy data or programs without the consent of the owner.

The court's ruling illustrates that the insertion of software devices designed to disable computer systems without the authorization of the owner may subject the perpetrator to both civil and criminal liability.

Jurisdiction

As the previous section illustrates, some crimes have traditionally been handled at the state level, and states are adapting their legal framework with computer-related laws, but one of the biggest problems with applying traditional criminal law concepts to cyberspace is the difficulty of establishing jurisdiction and venue.

The law defines most crimes as having occurred either where the defendant committed the act or where the victim of the offense was located. Unfortunately, cyberspace has no clear location or boundaries. A user may be at one location, the computer in a second location, and the offending message or resulting act caused by software may occur in a third or in multiple locations. Defamatory, malicious, or pornographic messages posted on the Internet are globally accessible. From a business perspective, this can cause problems for a company that is trying to hold a troublemaker accountable. It can also cause trouble for a company that unwittingly exposes itself to charges of wrongdoing on the Internet. That can occur because, by accessing the Internet, users may unintentionally find themselves subject to local jurisdictions at the other end of the network. Courts are only just beginning to wrestle with this issue.

A recent prosecution in Tennessee, United States v. Thomas (Sixth Circuit, 1996), illustrates the problem of jurisdiction in cyberspace. In 1994, Robert and Carleen Thomas, a couple living in San Francisco, were indicted by a federal grand jury in the Western District of Tennessee for operating a computer bulletin board that contained what the federal government considered obscene and pornographic photographs available for downloading by the general public. Prior to the indictment, police in Milpitas, California, conducted a search and found that the files did not violate the "contemporary community standards" of the San Francisco area and were, therefore, not legally obscene. The Thomases appealed the district court's decision.

On January 29, 1996, the Sixth Circuit affirmed the lower court's decision. The court ruled that, unlike the Internet, bulletin boards are under the control of the operator. Therefore, when a subscriber from Memphis, Tennessee, logged onto the Thomases' bulletin board, the couple agreed to abide by the community standard of Memphis.

State statutes

Every state except Vermont has enacted a computer crime statute. Many of these are based on the federal Computer Fraud and Abuse Act of 1986 referenced earlier, but they vary widely in their definitions of computers, computer systems, computer networks, computer supplies, data, and other fundamental terms.

Recently, state legislatures have grappled with the issue of computer crime, as has the federal government. States have met these challenges with varying degrees of success. New York is considered a fairly typical representation of how states are handling computer crimes.

According to Lance Rose -- who discusses crimes and online services in his book Netlaw: Your Rights in the Online World -- New York first enacted a computer crimes statute in 1986 and amended it in 1992. The New York provision covers several kinds of computer crimes including unauthorized use, computer trespass, computer tampering, duplication of computer-related material, and criminal possession of computer-related material.

Unauthorized use.

Unauthorized use is a misdemeanor and the least serious of the New York computer crime offenses. It is designed to thwart the curious hacker who gains entry into another's computer system to look around rather than to do damage.

Computer trespass. To be deemed guilty of computer trespass, a user must gain unauthorized access to a computer system and then either commit a felony or obtain "computer material," which is narrowly defined under the New York law as protected commercial information available only to specified members of the company. Examples of computer material include trade secrets databases, and member lists. Information available to the public by computer or other means cannot be considered computer material.

Computer tampering. As redefined by the 1992 amendment to the computer crime statute, computer tampering includes four levels. First degree tampering, a misdemeanor, includes knowingly reformatting a system or deleting files. (The tampering provision does not apply if the information deleted is computer material. Such crimes would be prosecuted under the computer trespass section of the statute.)

Second, third, and fourth degree tampering are felonies. The severity of the felony increases as the nature of the crime -- and damage caused -- becomes more serious. To commit a computer tampering felony, a user must meet one of the following criteria:

Duplication of computer material. Also a felony, duplication of computer-related material refers to the copying of computer data without permission, where the copier reaps an economic benefit of at least $2,500. The statute also makes it a felony to copy computer data while committing a felony.

New York has experienced some difficulty upholding this aspect of the statute because of a conflict with federal law. The U.S. Copyright Act forbids states to pass laws that make copying illegal.

Various bills pending before Congress would, if passed, expand the scope of federal copyright protection for digital information. One such bill, S. 1284, would adapt existing copyright law to apply to documents and materials in electronic format. The proposed legislation also prohibits the use, importation, manufacture, or distribution of any device that would disable or prevent the inclusion of copyright information on a document.

Criminal possession of computer material. This provision makes it illegal to knowingly possess illegally copied computer data or programs. This language allows the state to prosecute an accomplice who is merely "holding" the data stolen by someone else; however, this aspect of the statute also conflicts with federal copyright law.

Other aspects of the statute have been tested in court. The computer tampering provision was upheld in The People v. Robert Versaggi (Rochester City Court, 1987). Versaggi was employed by the Eastman Kodak Corporation as a computer technician and was responsible for the maintenance and repair of several telephone systems. Versaggi was charged with computer tampering that disrupted and disconnected Kodak's telephone system on several occasions.

The defense argued that Versaggi was not guilty of altering Kodak's computer system because the features activated by Versaggi were existing features of the program. The defense argued that altering should be defined as adding or creating a destructive program, not activating an existing one.

The prosecution contended that Versaggi's action should be considered tampering because he intentionally interrupted telephone service by overriding existing computer commands.

Versaggi was convicted of computer tampering by the Rochester City Court in 1987. The case was affirmed by the New York State Court of Appeals in 1994.

This snapshot of current law and court rulings gives security professionals a glimpse into the evolving legal landscape that companies must be prepared to negotiate when pursuing those who might attempt to steal or damage computerized systems or information. Understanding what is criminal at the state and federal level and how the law views computerized assets is an important first step toward establishing good internal protection policies.


Mark D. Rasch, J.D., is the director of information security law and policy at the Center for Information Protection at Science Applications International Corporation in McLean, Virginia, a commercial information security consulting company. He is a frequent writer and speaker on computer crime, and headed the Department of Justice's computer crime efforts until 1991. He was responsible for prosecuting Robert Tappan Morris, the first use of the federal computer crime statute.