The term "cyberspace" was used by science fiction novelist William Gibson to describe the fantasy electronic world inhabited by the characters in his 1984 novel Neuromancer.(1) In this fictional world of cyberspace, "'computer cowboys' neurologically patch themselves into computer networks where matrices of electronic data become cerebral manifestations."(2) These cowboys proceed to navigate their way through the data of individuals, corporations and governments. As advances in technology make some of the concepts of this cyberspace less fictional, the term has become synonymous with the international electronic computer networks that link an estimated 21 million people worldwide.
The mere fact that a person produces an act in cyberspace does not make that action any less human, nor should it shield the actor from responsibility. To suggest that a person is not culpable for crimes conducted in cyberspace is to suggest that a person is not culpable for murder committed by a handgun.(3) The potential for disaster steadily increases as more and more governments, corporations and people decide to go "on-line." Many countries have acknowledged the vulnerability and potential hazards that go along with cyberspace and have adopted legislation to varying degrees to address them.(4) However, the vast majority of these countries have failed to address the more prevalent international aspects of computer-related crime.
This article focuses on the issues and difficulties arising from the interaction of computer law and the international community. It will treat all forms of computer abuse as falling under the category of "computer crime." A brief analysis of United States and British legislation will demonstrate that no nation is presently capable of dealing with computer abuse on the domestic and international levels simultaneously.
Computer crime or "hacking" is a crime unlike any other under international law. It is unique in that the "hacker" may commit a crime in one country without ever leaving his home or office in another. This presents an immediate problem to the country whose computers have been targeted, in conducting investigation and in obtaining jurisdiction over the offender. Hacking poses problems in the international community primarily because there is no customary principle outlawing it.(5) Because computer crime is relatively new, there are no international norms pertaining to it, no treaties and no United Nations Resolutions that directly address it.(6)
"The United States is currently doing its best to make computer crime a worldwide crime because, as it stands right now, though hackers in the United States who break in over the Internet can be prosecuted under U.S. law, that is not necessarily so with hackers overseas."(7) Traditional criminal law focuses on the situs of the act, which is usually the situs of the actor. In cyberspace, though, the situs of the act and actor are often not the same.(8) Because computer crimes instantaneously span a number of jurisdictions, a number of laws could arguably apply.(9)
In 1994, for example, U.S. investigators broke an international piracy ring of computer racketeers operating out of Majorca, Spain.(10) These racketeers were responsible for accessing and disseminating 140,000 telephone credit-card numbers over computer bulletin boards(11) in the United States and Europe.(12) Hackers used the numbers to make over $140 million in long-distance phone calls, sometimes to pay for their time on-line, other times to tap into remote computers to download hijacked software.(13) Which nation has jurisdiction here? What if the laws of one nation pertaining to computer abuse are not that of another or are inadequate or nonexistent? These are questions that have been lurking at the forefront of this technology since its inception but are just now manifesting themselves in the wake of international recognition of computer abuse.
Another incident might help answer some of these questions by illustrating the potential consequences of international hacking when countries do not have anti-hacking statutes. The New York Times reported on April 21, 1991, that a group of Dutch hackers had been breaking into U.S. military computers, linked to the Internet, for almost six months.(14) Although the Pentagon denies it, industry insiders say that these hackers managed to obtain information on troop and personnel movements during Operation Desert Storm.(15) No arrests were made, however, because there are no legal restrictions in the Netherlands barring this kind of activity.(16) As a result, the United States was forced, unsuccessfully, to rely on extradition procedures based upon U.S. statutory provisions criminalizing the "end results" of hacking.(17)
A. The Crime: Technology and Innovation Converge
The Department of Justice broadly defines a "computer crime" as "any illegal act for which knowledge of computer technology is essential for successful prosecution."(18) The term "computer hacker" or "cracker" as it is sometimes referred, has become synonymous with a computer user who uses this technology to gain unauthorized access to a computer system.(19) "Any computer that is connected to a telephone or any computer that is connected to a computer network is vulnerable. It doesn't matter what continent they are on."(20) Moreover, hacking has evolved from a mischievous pursuit of computer savvy teenagers to a legitimate threat to international communications and commerce perpetrated by persons of any age.(21) While the hacker community might see itself as a breeding ground for intellectual explorers, authorities believe that it has a criminal element that is steadily on the rise.(22) Catching those who are members of this element is a difficult task; convicting them is even harder.
The presence of hackers and the potential for abuse on the Internet raises "troubling questions about the vulnerability of technology to intruders operating beyond American borders."(23) The Internet has become a chaotic place where sophisticated hackers can vault from computer to computer, leaving few traces, if any. Computer crimes cut across state and international boundaries making them difficult to investigate because of jurisdictional limitations and differences in laws.(24) Before entering a computer at Florida State University, for example, hackers might pass through another computer in Finland that strips any names or addresses from their communications.(25) As a result, the practicality of detecting and prosecuting so-called "cyber-crime" is becoming exceedingly more complicated due to the overwhelming challenges of detection and the "wild west" culture of the Internet.
What are these hackers getting away with that has become so troublesome to so many? There is no single answer to this question. Computer crime covers a wide field that includes fraud, theft of information, sabotage through use of computer viruses,(26) military and industrial espionage, money laundering for drug dealers, terrorism,(27) child pornography,(28) and even gambling.(29) These and other crimes are limited only by the imagination and skill of those who are responsible for their perpetration. Our new virtual world, accessible with just a few strokes of the keyboard, is coming to resemble the real world -- with all its diversity and problems.(30) No one owns the Internet and therefore it has no rules and no police force. The effect of this implication is that "laws that bite here often lack teeth there."(31)
According to William Cook, Assistant U.S. Attorney for Chicago, Illinois, about half of the cases currently under investigation by the U.S. Department of Justice in Chicago, involve hackers who are illegally penetrating computer systems in the United States from overseas.(32) A precursor to this occurred in 1986 and was recently chronicled in a book written by computer science researcher, Clifford Stoll.(33) The Cuckoo's Egg, Stoll's account of his efforts to track a spy through a web of international computer networks, culminates in the arrest of a band of West German computer hackers turned agents for the KGB.(34) The hackers that Stoll encountered were searching for data about nuclear weapons, the Strategic Defense Initiative, intelligence satellites and other information that posed serious potential threats to the national security of the United States.(35) Nevertheless, Stoll's attempts to enlist the aid of the federal government initially were rebuffed when it was determined that the hackers were operating out of Europe and possibly beyond the jurisdiction of U.S. law enforcement.(36)
Eventually, however, the federal government, in cooperation with the Hannover police, closed in and arrested twenty four-year-old Marcus Hess, a member of the group, who revealed that the stolen information had been sold to the KGB for cocaine and thousands of dollars in cash.(37) The U.S. enforcement agencies turned the case over to West German authorities who never prosecuted Hess for his involvement.(38) Although Hess' computer was seized, the West German defense attorney kept the government from looking at the evidence and it was subsequently returned to him with no explanation. According to Jim Christy, assistant chief of computer crime at the U.S. Air Force Office of Special Investigations in Washington D.C., Hess' attorney exploited an unknown loophole and succeeded in keeping the government from examining crucial files that were held on the computer.(39) While it did prompt the FBI and Department of Justice to begin taking note, this case has become a textbook example of how the few laws governing international computer crime are vague, and interest in enforcing them is modest, at best.(40)
This trend may be changing as more and more countries begin to recognize the need for legislative amendments in order to address this new area of criminal development. For example, on April 20, 1990, three Australian hackers were arrested, culminating an extensive investigation that began in 1988 and involved the cooperation of both Australian and United States authorities.(41) The Australian Federal Police stated that they were aware of the illegal hacking activities since 1988 but were unable to begin their investigation until July of 1989 when Australia finally passed legislation covering computer crimes.(42) Fortunately for the Internet users in the United States, Australia's newly enacted statutes enabled the perpetrators to be brought to justice.(43) This may not be the case in countries that have not updated or amended their legislation. This particular hacking incident demonstrates the need for measures and legislation, both domestic and international, aimed at punishing, deterring and perhaps preventing, global hacking.(44)
B. Who has Jurisdiction?
One of the greatest challenges to the enforcement of existing legislation is the issue of jurisdiction. Police are overwhelmed by the mountains of data freely available on the Internet over which they have no jurisdiction because host computers are often located in other countries.(45) "There is no test case for cyber-crime yet," according to Toronto Metro Police Sergeant Chuck Konkel. Sergeant Konkel led a raid on ten houses in order to seize computers and dismantle a pornography distribution bulletin board in October of 1994.(46) While police eagerly await court rulings to establish the legal limits for their war on electronic crime, the courts continue to grapple with the issue of jurisdiction. Until there is some form of international enforcement cooperation, foreign based perpetrators of computer crimes will likely remain outside the grasp of the law.(47)
In keeping with traditional notions of customary international law, the bases of extraterritorial jurisdiction pertaining to the hacker and computer crime are slowly and unevenly developing in response to the actions and reactions of the international community. Under international law, the jurisdiction of a state depends upon the reconciliation of the interest of one state in exercising the particular jurisdiction with the interests of another to exercise the same.(48) According to the Restatement Third of Foreign Relations Law of the United States, a State has jurisdiction to prescribe law with respect to any conduct outside its territory which has or is intended to have a substantial effect within its territory.(49) In addition, section 402(3) extends jurisdiction to cover conduct outside its territory which threatens the security of the state.(50) Subject to the limitations set forth in section 403,(51) these two provisions may form a powerful basis for the United States to thwart both actual and potential hacking abuse directed at systems within its own territory.
Nation States are reluctantly coming to the realization that where international data communications are concerned, national boundaries may soon be technologically irrelevant, since computers can bypass traditional physical barriers with relative ease.(52) The United States has responded to this realization with a more direct application of its foreign sovereignty, becoming the subject of international criticism.(53) For example, U.S. courts have demonstrated a willingness, in the past, to apply their own laws abroad in a manner that has led to much foreign contempt.(54) Increasingly, the international consensus is that the term "extraterritoriality," usually defined as the attempt by one sovereign state to assert control over persons or conduct in another, has come, instead, to signify the enforcement of U.S. laws abroad.(55) In fact, incidents of heavy-handed extraterritorial application of U.S. laws have prompted several nations, including France, the United Kingdom, Australia, and New Zealand, to enact statutes that strictly forbid compliance with extraterritorial judicial orders pertaining to the transfer of data.(56)
When a U.S. court is faced with the issue of extraterritorial jurisdiction, the analysis applied entails determining: (1) whether the United States has the power to reach the conduct under international law; and (2) whether the statutes under which the defendant is charged are intended to have extraterritorial effect.(57) An illustration of this approach in U.S. v. Noriega,(58) codified Comment d of the Restatement (Third) which stands for the principle that a man should be answerable in the country where his conduct has taken effect.(59) This so-called "objective territorial theory" of jurisdiction can be traced to Justice Holmes' statement that "[a]cts done outside a jurisdiction, but intended to produce or producing effects within it, justify a state in punishing the cause of the harm as if he had been present at the effect, provided the state should succeed in getting him within its power."(60) It is this last part of Justice Holmes' statement wherein lies the difficulty.
C. Limitations and the Principle of Double Criminality
Section 3181 of Title 18 of the United States Code limits the scope of extradition to those nations which have entered into treaties of extradition with the United States.(61) Although the list of nations forming these treaties with the United States is exhaustive, several nations, not on the list, have permitted substantial acts of piracy and hacking to be directed from within their own borders towards systems located in the United States and beyond. These nations have refused to adopt sufficient legislation to prevent computer abuse. Moreover, they have refused to form treaties with the United States that would permit those offenders to be extradited who, produce or intend to produce substantial effects within the United States from their own borders.(62) Even where effective treaties of extradition are currently in place, the process of bringing an offender within the jurisdiction of the United States can be hindered by any number of other factors.
The principle of double criminality,(63) for example, is vital in ensuring that a defendant's liberty is not restricted by offenses that are not recognized as criminal in the state receiving the extradition request.(64) This has become a source of frustration to investigators and prosecutors in the United States when the requested state's laws fail to address and punish computer-related offenses.(65) If a hacker were to be a national and resident of a state that doesn't recognize computer crime, he or she may illegally access computers abroad and be relatively free from prosecution in the affected state. Although the United States has aggressively pursued domestic perpetrators of computer crime in its efforts to quell the alarming rise in computer invasions,(66) many nation states have not. Some are reluctant to modify existing laws to encompass computer crime because they have not experienced it or have determined that the economic impact is too speculative.(67) Consequently, until all states recognize computer crime and/or amend current extradition treaties, the United States and other nations will continue to be hampered in their pursuit of computer offenders by the double criminality principle.
D. The U.K. and U.S. Models
The specific United States statute that prohibits hacking is the Federal Fraud and Computer Abuse Act of 1986(68) ("1986 Act") which was enacted to fill legislative gaps in previous statutes. Subsection (a)(1) of this act makes it a felony to knowingly access a computer without authorization and to obtain information with the intent to injure the United States or to benefit a foreign nation.(69) This subsection protects any information that has been determined, pursuant to an executive order or statute, to be vital to this nation's national defense or foreign relations.(70) In addition, the 1986 Act prohibits unauthorized access of information contained in a financial record or consumer reporting agency, provided a "federal interest computer"(71) is involved.
The first successful prosecution under the 1986 Act came in United States v. Morris,(72) which involved a typical hacking offense and its resultant damage.(73) The defendant, in this case, was charged and convicted under subsection (a)(5)(A) which makes it a felony to access intentionally any "federal interest" computer without authorization and alter, damage, destroy or prevent the authorized use of information resulting in the loss of at least one thousand dollars.(74) The success of this prosecution has demonstrated the ability of the United States judicial system to prosecute domestic computer crimes that involve sufficient national interests.
Despite this legislative grant of authority, the federal government has displayed a surprising reluctance to prosecute under the 1986 Act. The fact that most state legislatures of the U.S. have adopted their own legislation coupled with Congress' express intent not to usurp state court jurisdiction over computer related crimes, may account for this.
Another major shortcoming of the 1986 Act may be found in its failure to address computer crime on an international level since provisions for territoriality, extradition and double criminality have specifically been left out. This is of grave concern since these omissions may limit jurisdiction in United States courts to territorial jurisdiction, possibly making it inapplicable to those acting abroad.(75) Similarly, the 1986 Act would probably not apply to persons in the United States who hack into computers located abroad since it is unlikely that a significant federal interest would be found to satisfy the requisite provisions of the Act.
In its effort to halt computer related crime and to prevent England from becoming an "international hackers' haven,"(76) the United Kingdom passed the Computer Misuse Act of 1990 ("Misuse Act").(77) In order to secure computer material against unauthorized access, this act created three offenses: (1) causing a computer to perform any function with the intent to secure access to any program or data held in a computer;(78) (2) committing such an offense with the intent to commit or facilitate the commission of a further offense(79) ("ulterior intent"); and (3) causing an unauthorized modification of the contents of any computer.(80) To date, no cases have tested the applicability of the Misuse Act, however there is every indication that it will prove to be highly effective in attacking the problems associated with international hacking.
Unlike its American counterpart, the Misuse Act contains provisions dealing with jurisdiction and the territorial problems of hacking.(81) It states that British citizenship is immaterial(82) and includes additional provisions for extradition(83) and double criminality.(84) Although untested, these provisions of the Misuse Act are based on solid foundations and form an exemplary approach to addressing the various aspects of hacking on an international level.
Unlike most crime, the nature and extent of modern information technology uniquely intertwines computer-related crime with a full range of international aspects.(85) Whole sections of the Misuse Act have been devoted to addressing these issues. Subsections (4)(1) and (4)(3) provide that it is immaterial whether the accused was in the home country at the time of the illegal act for purposes of conviction, provided there is at least one significant link with domestic jurisdiction. In other words, these detailed provisions ensure that any computer-related crime possessing "significant" requisite links to Great Britain shall fall within the jurisdiction of British courts. According to subsection (5), an accused is presumed to have established these requisite links if he is in the home country at the time he performs the illegal act or if his actions, no matter where they are generated, produce or were intended to produce an unauthorized modification to a computer within the home country.(86) When either of the above acts are performed, the accused may be found guilty if what he intended to do or facilitate involves the commission of an offense under the law in force in the territory where the whole or any part of it was intended to take place.(87) This provision should prove particularly useful in situations in which the foreign jurisdiction has no applicable standard of conduct or fails to prosecute computer crimes.(88)
Double criminality poses a significant problem to the prosecution and punishment of hackers on an international level since hacking often is treated differently, and in some states not at all.(89) This lack of legal protection leads many hackers to believe that they will not be subject to prosecution. If a hacker happened to be a national and a resident of a country that does not have an anti-hacking law, it is possible that he or she may hack across international borders with impunity and be spared from extradition to the country where the computers were accessed.(90) The Misuse Act would appear to overcome this difficulty.
The Misuse Act provides an exemplary approach to addressing modern jurisdictional issues of international computer crime. It contains specific provisions which pertain to jurisdiction, including citizenship(91) and extradition.(92) As mentioned above, the purpose of these provisions is to ensure that any computer related offense having the requisite links to Great Britain shall fall within the jurisdiction of its courts. Although it is not as domestically effective as its United States counterpart, its resolve to protect its citizens from international computer abuse is noteworthy and should serve as a proper guideline for other nations to follow in formulating acts of their own.
E. Mutual Legal Assistance Treaties
In order to deal adequately with computer related crime and its unique international aspects, the major industrialized nations must reform their computer crime statutes along the lines of the British Misuse Act and develop agreements to facilitate international cooperation. Perhaps one of the best methods for fostering this cooperation, as it relates to computer abuse, is through the use of mutual legal assistance treaties.(93) As previously stated, the hacker is usually present in another country when he or she commits a computer crime. In these situations, the damaged country has no choice but to rely upon the investigatory authorities of the hacker's home country.(94) An example of what may result from such a reliance has been demonstrated in Clifford Stoll's Cuckoo's Egg which, as mentioned before, illustrates the potential problems that may occur when nations fail to provide adequate assistance to one another.(95)
Mutual legal assistance treaties generally do not list hacking as an included offense and therefore, it may be entirely necessary for nations to renegotiate or supplement their existing treaties. Since computer crime is generally treated differently and is not even illegal in some countries, failure to perform the above may result in drastic limitations on the effectiveness of these treaties in punishing offenders.(96) The present situation is such that a clever hacker may avoid prosecution by simply knowing the laws of where he or she commits the crime.
F. Proposal for an International Convention
The use of computer technology to facilitate criminal activity continues to be a complex and extremely diverse area of the law. As such, no one definition of computer crime may ever gain universal acceptance nor be entirely effective. Estimates of computer related losses are hard to establish because of the difficulty in defining this crime.(97) Consequently, computer security experts and computer law specialists have been demanding that the laws involving the theft of data or simply hacking into a system and browsing the data need to be more clearly defined.(98)
With our dependence on this technology and its accompanying vulnerability, it is imperative that nation states foster aggressive international cooperation to secure systems from possible intruders. Tantamount to achieving this objective may be the formation of an international convention for the purpose of defining computer crime. Ideally such a convention would provide a strong mechanism for combating computer crime without interfering with the world's communications networks.(99)
In defining this kind of abuse the drafters must develop flexible provisions capable of adapting to rapid changes in technology.(100) This might prove to be a major hurdle since such changes in computers and networking capabilities can and often do occur on a daily basis. In addition, the drafters will likely encounter enormous difficulty in arriving at a universally acceptable definition of computer crime.
One of the major sticking points will be the underlying issue of unauthorized access to data. While some nation states might prefer a strict definition making unauthorized entry unlawful, others believe that to criminalize those who access data is to criminalize the intellectually curious who have entered a remote system merely to "look around."(101) This reasoning is based on the notion that such entry without accompanying specific malicious intent is harmless and might actually be improving security by exposing weaknesses to system administrators.
Another major sticking point will arise because of varied interpretations concerning the nature of data and the level of protection it deserves. While some nations perceive data as a property right, others have strictly limited the scope of property to that which is tangible.(102)
World cooperation is essential for the purpose of universally criminalizing computer crime as well as educating hackers to the notion that the international community is serious about preventing their criminal acts. In light of the above difficulties, a serious attempt to reach agreement on a universal definition of computer crime would be a substantial step towards establishing this much needed foundation of international cooperation.
Exchange of information is the lifeblood of modern society and the computer networks that carry data have become vital circulatory systems for that exchange.(103) The kind of communication these networks have made possible is the closest our world has come to an international marketplace of free ideas.(104) However, these very same advances in technology that have enabled such a progression have also introduced opportunity and sophisticated methods of committing crime to hackers throughout the world.
The resulting reality that nations must face is that we are no longer living in isolated societies protected by time and space. Such spatial parameters are all but nonexistent in the virtual dimensions of cyberspace. As a result, we have found ourselves facing an alarming rise in computer invasions that traverse both geographic and jurisdictional boundaries.(105) Despite this fact, the vast majority of nations are still incapable of dealing with computer abuse at the international level. It is apparent that to successfully combat this rising trend of computer abuse, nation states must enact or update existing legislation.
In order to facilitate this process and foster much needed international cooperation, nation states should:
(1) incorporate clear and effective jurisdictional provisions into computer statutes such as those of the British Computer Misuse Act;
(2) expand current extradition treaties, in light of recent problems, to specifically include computer crime as an extraditable offense;
(3) coordinate international efforts through mutual legal assistance between nations to provide the means to properly investigate and prosecute perpetrators of international computer crime; and
(4) initiate a convention for the purpose of defining computer crime (as difficult as this may be).
Cooperation among nations regarding computer crime in cyberspace is essential as technology continues to advance and the global community becomes ever more dependent on that technology. The aforementioned guidelines should be considered in order to provide nations with the resources and opportunity to prosecute perpetrators whose criminal acts all too easily transgress the physical and geographical boundaries of our modern international community.
1. William Gibson, Neuromancer (1984).
2. Michael P. Dierks, Symposium: Electronic Communications and Legal Change: Computer Network Abuse, 6 Harv. J.L. & Tec. 307 (1993) [hereinafter Legal Change].
3. See 132 Cong. Rec. H3275-04 (daily ed. June 3, 1986) (statement of Rep. Nelson that "[c]omputers may not commit crimes--any more than guns commit crimes") [hereinafter Congressional Record].
4. The Law Commission, Computer Misuse 1, 109 (Working Paper No. 110, 1988).
5. See generally Organization for Economic Co-operation and Development, 10 Computer Related Crime: Analysis of Legal Policy (1986) [hereinafter OECD].
6. Cf., Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Jan. 28, 1981, Europe, T.S. No. 108 (This convention does not directly apply to hacking but may indirectly apply to it.)
7. Mike Wallace, Highway Robbery, 60 Minutes (television broadcast, Feb. 26, 1995) (transcript p. 8).
8. Legal Change, supra note 2, at 331.
9. Id.
10. Michael Meyer, Stop! Cyberthief!, Newsweek, Feb. 6, 1995 at 37 [hereinafter Cyberthief].
11. A bulletin board is an electronic posting device which allows subscribers to upload and download software and information. It is often a common practice for pirates to upload pirated versions of software so that others may access the same.
12. Michael Meyer, Crimes of the Net, Newsweek, Nov. 14, 1994 at 47.
13. Cyberthief, supra note 10.
14. John Markoff, Dutch Computer Rogues Infiltrate American Systems with Impunity, N.Y. Times, Apr. 21, 1991, at A1, col.5 [hereinafter Computer Rogues].
15. Mike Wallace, Highway Robbery, 60 Minutes (television broadcast, Feb. 26, 1995) (transcript p. 6). The Pentagon denies this but they don't deny that other hackers have managed to access data on everything from ballistic missiles to advanced aircraft design. In fact, another incident in which a hacker used the Internet to break into the computers at Griffiss Air Force Base in New York was traced back to a 16-year-old in Great Britain. (Interview with Scott Charney, Director of the Computer Crime Unit, United States Department of Justice). Id.
16. Id.
17. The problem with reliance upon extradition in this case stemmed from two factors: (1) the principle of double criminality; and (2) the difficulty tracing the hackers without Dutch assistance. Since the Netherlands did not have any laws prohibiting the hacker's acts and did not perceive computer crime as an extraditable offense under existing treaties, Dutch authorities lacked investigatory jurisdiction and subsequently refused to extradite the perpetrators to the United States. Markoff, Computer Rogues, supra note 14, at A1, col.5.
18. Office of Technology Assessment, Federal Government Information Technology: Management, Security, and Congressional Oversight 86 (1986).
19. Steven Levy, Hackers: Heroes of the Computer Revolution 23 (1984).
20. John Markoff, Arrests in Computer Break-ins Show a Global Peril, N.Y. Times, Apr. 4, 1990 at A1, col. 2. This statement was made by Peter Newman, a computer scientist at SRI International, a research center in Menlo Park, California.
21. One estimate suggests that American companies lose $US 3 billion a year to computer crime. In New York, for example, computer related telephone fraud costs companies and individuals hundreds of millions of dollars a year. Lisa Mitchell, Australia: Criminal Hacker Activity Rising, Industry Watchdog Body Warns, The Age (Melbourne), Jan. 31, 1995 at 1.
22. Id. The article refers to a warning bulletin issued by the Australian Computer Emergency Response Team (AUSCERT) to users of the Internet concerning a new method of hacking called "IP Spoofing". This new technique is currently being used by crackers (hackers who use their skills to commit crimes) in the United States to invade computer networks located anywhere in the world. The process of IP Spoofing allows them to penetrate relatively secure systems by exploiting little known weaknesses in the way that computers communicate with each other. The process allows the cracker to disguise his or her identity. Crackers use Internet Protocol (IP) numbers, which identify computers on public and private networks, in order to trick or "spoof" corporate networks into believing that they are in fact a trusted internal computer.
23. See Congressional Record, supra note 3.
24. Michael Alexander, Justice Unit Spurred on by Cross-Border Hackers, Computerworld, Oct. 21, 1991 at 6.
25. Michael Meyer, Crimes of the Net, Newsweek, Nov. 14, 1994 at 46. A systems administrator at Florida State University discovered dozens of foreign hackers, many hailed from Asia, uploading pirated versions of new programs into a so-called invisible directory in order to avoid detection. The hackers routed their activities through computers in Finland to further complicate matters. Despite successfully tracing the intruders prosecution may still be complicated since piracy is not always considered a crime in Asia.
26. James Strodes, Wall Street View - It's Sunday - Switch off the Computer, The Sunday Telegraph Limited (STEL), London, June 27, 1993 at 44. While most viruses do little more than annoy, some new strains are highly destructive and expensive. The National Center for Computer Crime Data estimates that in the U.S. alone, $ 550 million is lost annually due to
alteration and theft of computer data. The Justice Department, in a recent case, is struggling to prosecute a London virus maker who mailed disks to US hospitals under the guise of being important new information on Aids. When staff inserted these disks into their computers, the hospital data and medical information base froze. There is a dispute over jurisdiction and also a question about the nature of computer viruses. In fact, some hackers argue that they have a free speech right to create these viruses and insert them into corporate databases. New strains are surfacing everywhere, often with foreign origins. For example, a virus called "Victor" deletes whole sub directories and is the first to come out of Russia.
27. Vic Sussman, Policing Cyberspace, U.S. News & World Report, Jan. 23, 1995 at 56. Since computers are the nerve centers of the world's financial transactions and communications systems, there are any number of nightmarish possibilities. Authorities worry that a hacker might penetrate Fedwire, the Federal Reserve's vital transfer system, or vital telephone switching stations. A recent investigation revealed that a group of hackers were planning to disrupt the entire 911 emergency network in nine states within the United States. Authorities, primarily the Federal Bureau of Investigation and the Federal Law Enforcement Training Center, are concerned that such concerted efforts coupled with terrorist motivation could lead to a disaster involving air traffic controllers or security agencies.
28. Id. Jefferson County, Ky., police Lt. Bill Baker broke a major kiddie-porn ring in England even though he never left Kentucky. An E-mailed tip from a source in Switzerland led Baker to an Internet site in Birmingham, England. The investigation lasted about three months and involved downloading 60 pages of file names related to child porn and 400 images. Lt. Baker then called on Interpol, New Scotland Yard and police in Birmingham, who arrested the distributor. Id.
29. Gambling operators are often perceived as some of the most innovative of entrepreneurs. I. Nelson Rose, Current Issues in Gambling Laws, Gambling and the Law, 210 (1986). The Internet might soon become a vast new medium for these entrepreneurs to establish themselves and reach an unprecedented client base. As of yet, however, Warren Eugene stands alone. His efforts to establish the very first on-line, offshore casino, if successful, would enable people in states where casino gambling is illegal to privately place wagers in cyberspace. Newsday, Entrepreneur to Offer Internet Gambling, The Boston Globe, Mar. 25, 1995. Although accepting wagers over phone and cable wires transgresses numerous laws in the United States, Eugene has not been dissuaded. He claims that his casino will be beyond the reach of U.S. legislation since he plans to operate out of the Bahamas where gambling is legal. Anthony N. Cabot, International Casino Law, (Institute for the Study of Gambling and Commercial Gaming, College of Business Administration, University of Nevada) 204 (1993). According to I. Nelson Rose, a professor at Whittier Law School in Los Angeles and a leading expert on gambling, offshore casinos run by foreigners are not bound by U.S. laws. Newsday, Entrepreneur to Offer Internet Gambling, The Boston Globe, March 25, 1995. Although the U.S. Justice Department is unclear about the rules governing Internet casinos, a spokesperson, Joe Krovisky, believes it would probably be similar to gambling over phone lines which violates four federal statutes. Id.
30. Cyberthief, supra note 10 at 36.
31. Id.
32. Overview; Inside Lines, Computerworld, Oct. 29, 1990, at 159.
33. Clifford Stoll, The Cuckoo's Egg (1989).
34. Michael Alexander, An Espionage Tale with a Criminal Computer Twist, Computerworld, Dec. 11, 1989, at 76. West German hackers methodically broke into some 400 computers connected to the Internet by exploiting little-known bugs in Unix software. Once inside the systems, they left behind "cuckoo's egg programs," which when hatched by the operating system empowered the hackers with super user status.
35. Id.
36. Id.
37. Id.
38. J.A. Savage, Loopholes, Apathy Open Gates to Hackers, Computerworld, Aug. 8, 1988 at 1 [hereinafter Loopoles].
39. Id.
40. Id.
41. John Markoff, Arrests in Computer Break-ins Show a Global Peril, N.Y. Times, Apr. 4, 1990, at A1, col. 2. Among institutions that were hacked into were the Los Alamos National Laboratory, Harvard University, Digital Equipment Corp., Lawrence Livermore National Laboratories and Boston University.
42. Id. at A16.
43. Id.
44. Robert J. Sciglimpaglia, Computer Hacking: A Global Offense, 3 Pace Y.B. Int'l L. 199, 203 (1991). In another similar incident, hackers accessed a Milwaukee Corporation's computer from Toronto and disabled it such that the corporation could not access any data stored in the system. Regina v. Turner, 27 B.C.L.R. 207, Ont. H.C. (1984), aff'd Ont. C.A. (1985).
45. Anthony Boadle, Police Powerless to Stop Crime on Electronic Highway, The Reuter European Business Report, May 3, 1994.
46. Id.
47. Id. The foreign source of pornography was deemed to be beyond the jurisdictional scope of Canadian enforcement capabilities. In another example, the Internet was recently used to bypass a court-ordered publication ban on the details of the most gruesome sex-slaying trial in Canadian history. The court, fearing publicity of a co-defendant's trial would seriously undermine the other defendant's chance for a fair trial, imposed a gag order on details of the crime and of prior defendant's trial. DC v. 371158 Ontario Ltd., 113 D.L.R. 4th 150 (1994). A group, claiming to be called Canadian's Concerned About Freedom of Speech, based in Buffalo, N.Y., obtained and posted the gory details of the case on bulletin boards throughout Canada and the United States and attempted to mask the origin of the posting through a computer in Finland. Anthony Boadle, Police Powerless to Stop Crime on Electronic Highway, The Reuter European Business Report, May 3, 1994.
48. Henkin, Pugh, Schachter & Smit, International Law (2d ed. 1987).
49. Restatement (Third) of Foreign Relations Law of the United States § 402(1) (a) (c) (1987).
50. Restatement (Third) of Foreign Relations Law of the United States § 402(3) (1987).
51. Restatement (Third) of Foreign Relations Law of the United States § 403 (1987). Jurisdiction must be reasonable upon evaluating the following factors: (a) the regulating state must have direct, substantial and foreseeable effect; (b) nationality of offender; (c) character of activity to be regulated; (d) the expectations that might be protected or hurt; (e) the importance of the regulation; (f) the extent it is consistent with international law; (g) the other state's interest in regulating; and (h) the likelihood of conflict. Id. §§ 403(1), 403(2). When more than one state has a reasonable basis for exercising jurisdiction, but the prescriptions of both conflict, each state shall evaluate its interest and defer to the other state if that state's interest is greater. Id. § 403(3).
52. Peter Robinson, Sovereignty and Data: Some Perspectives, Transnat'l Data Rep., Oct.-Nov. 1984, at 419.
53. Dan L. Burk, Patents in Cyberspace: Territoriality and Infringement on Global Computer Networks, 68 Tul. L. Rev. 1, 53 (1993).
54. See United States v. Bank of Nova Scotia, 691 F.2d 1384, 1391 (11th Cir. 1982). The 11th Circuit enforced a contempt order against the Bank of Nova Scotia for its refusal to divulge confidential banking records that were protected by Bahamian banking laws.
55. John T. Burnett, Information, Banking Law and Extraterritoriality, Transnat'l Data & Comm. Rep., Jan. 1986, at 17, 18.
56. Peter Robinson, Sovereignty and Data: Some Perspectives, Transnat'l Data Rep., Oct.-Nov. 1984, at 419, 420.
57. U.S. v. Noriega, 746 F.Supp. 1506, 1512 (S.D.Fla. 1990).
58. Id. at 1506.
59. See Restatement (Third) of Foreign Relations Law of the United States § 402, cmt.d (1987).
60. Strassheim v. Daily, 221 U.S. 280, 285 (1910).
61. 18 U.S.C. § 3181 (1948).
62. Amy R. Edge, Preventing Software Piracy Through Regional Trade Agreements: The Mexican Example, 20 N.C. J. Int'l L. & Com. Reg. 175, 187 (1994). Those nations placed on the 1994 watch list, as "priority nations," were the European Union, Japan, South Korea, Saudi Arabia, Thailand, and Turkey. Id. "Priority foreign nations" are those nations that: (1) have the most onerous and egregious acts, policies and practices which have the greatest adverse impact on the United States; and (2) are not making significant progress to address these problems. Often, the problem with nations like those of the European Union is that they don't view extraterritorial computer crime as an extraditable offense under existing treaties. USTR Announcement and Fact Sheets on Decisions Affecting Foreign Government Procurement, Intellectual Property Protection, and U.S-Japan Supercomputer Pact, 11 Int'l Trade Rep. (BNA) No. 18, at 722, (May 4, 1994).
In addition to computer software piracy, South Korea is also becoming known as a hotbed for all forms of international computer crime. The United States' concern is greatly influenced by the fact that South Korea has taken no legislative measures to criminalize hacking activities and has refused to engage in negotiations concerning this matter. Amy R. Edge, Preventing Software Piracy Through Regional Trade Agreements: The Mexican Example, 20 N.C. J. Int'l L. & Com. Reg. 175, 187 (1994).
63. Double criminality means that an act is not extraditable unless it constitutes a crime under the laws of both the state requesting extradition and the state from which extradition is requested. International Criminal Law: A Guide to U.S. Practice and Procedure 336, 365 (Nanda & Bassiouni, ed. 1987).
64. Id.
65. See Computer Rogues, supra note 14.
66. Michael Alexander, Justice Unit Spurred on by Cross-Border Hackers, Computerworld, Oct. 21, 1991, at 6. The U.S. Department of Justice launched a computer crime unit to be better prepared to prosecute computer criminals. The unit held a pivotal role in Operation Sundevil's much publicized roundup of computer hackers in several U.S. states. The unit will coordinate efforts with foreign law enforcers to prosecute hackers who enter U.S. computers from abroad while also working to promote greater cooperation in prosecution.
67. Organization for Economic Co-operation and Development, 10 Computer Related Crime: Analysis of Legal Policy (1986) at 12.
68. 18 U.S.C. § 1030 (1988).
69. See id. § 1030(a)(1).
70. Id.
71. 18 U.S.C. § 1030(e)(2) defines a federal interest computer as one:(A) exclusively for the use of a financial institution of the United States Government, or in the case of a computer not exclusively for such use, used by or for a financial institution of the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or (B) which is one of two or more computers used in committing the offense, not all of which are located in the same state. 18 U.S.C. §§ 1030(e)(2)(A),(B) (1988).
72. United States v. Morris, 928 F.2d 504 (1991). This case involved a Cornell University graduate student who unleashed a computer worm program on November 2, 1988, causing a virus to invade more than five thousand computers throughout the United States. A worm program is
a computer instruction or small hidden program inserted into the operating system of a computer. When activated, it may reproduce itself many times infecting every program on a computer or disk. As it reproduces it may be passed on through disk transfers, modems, or network connections. Morris was convicted in 1990 and fined ten thousand dollars. See also Cyberthief!, supra note 10, at 38.
73. Robert J. Sciglimpaglia, Computer Hacking: A Global Offense, 3 Pace Y.B. Int'l L. 199, 231 (1991). Damage included the disabling of a significant number of businesses, universities and even NASA for an extended period of time. The result was millions of dollars in losses.
74. See 18 U.S.C. 1030 § (a)(5)(A).
75. See EEOC v. Arabian Am. Oil Co., 499 U.S. 224 (1991). This case involved a Title VII employment discrimination action brought under the Civil Rights Act of 1964. The plaintiff, a naturalized U.S. citizen, worked for a Delaware corporation in Saudi Arabia. The Court refused to extend Title VII to U.S. citizens in foreign jurisdictions. Id. at 1234. The Court stated that "legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States." Id. at 1230.
76. Bill to Curb Hacking Sent to Lords, The Daily Telegraph, May 5, 1990, at 11.
77. The Computer Misuse Act, 1990, ch. 18 (LEXIS, International library, U.K. file).
78. Id. § 1.
79. Id. § 2.
80. Id. § 3.
81. Section 4, "Territorial scope of offenses under this Act," states:
(1) Except as provided below in this section, it is immaterial for the purpose of any offense
(a) whether any act or other event proof of which is required for conviction of the offence occurred in the home country concerned; or
(b) whether the accused was in the home country concerned at the time of any such act or event.
(2) Subject to subsection (3) below, in the case of such an offence at least one significant link with domestic jurisdiction must exist in the circumstances of the case for the offence to be committed.
(3) There is no need for any such link to exist for the commission of an offence under section 1 above to be established in proof of an allegation to that effect in proceedings for an offence under section 2 above.
(4) Subject to section 8 below where-
(a) any such link does in fact exist in the case of an offence under section 1 above; and
(b) commission of that offence is alleged in proceedings for an offence under section 2 above; section 2 above shall apply as if anything the accused intended to do or facilitate in any place outside the home country concerned which would be an offence to which section 2 applies if it took place in the home country concerned were the offence in question.
Id. § 4.
82. Section 9, "British citizenship immaterial," states:
(1) In any proceedings brought in England and Wales in respect of any offence to which this section applies it is immaterial to guilt whether or not the accused was a British citizen at the time of any act, omission or other event proof of which is required for conviction of the offence.
(2) This section applies to the following offenses-
(a) any offence under this Act;
(b) conspiracy to commit an offence under this Act;
(c) any attempt to commit an offence under section 3 above; and
(d) incitement to commit an offence under this Act.
Id. § 9.
83. Section 15, "Extradition where Schedule 1 to the Extradition Act 1989 applies," states:
The offenses to which an Order in Council under section 2 of the Extradition Act 1870 can apply shall include-
(a) offenses under section 2 or 3 above;
(b) any conspiracy to commit such an offence; and
(c) any attempt to commit an offence under section 3 above.
Id. § 15.
84. Section 8, "Relevance of external law," states:
(1) A person is guilty of an offence triable by virtue of section 4(4) only if what he intended to do or facilitate would involve the commission of an offence under the law in force where the whole or any part of it was intended to take place.
Id. § 8(1).
85. Office of Technology Assessment, Critical Connections: Communication for the Future 29, 49 (1990).
86. The Computer Misuse Act, Ch. 18 § 5 (1990).
87. Id. § 8(1).
88. Steve Shackleford, Computer Related Crime: An International Problem in Need of an International Solution, 27 Tex. Int'l L.J. 479, 503 (1992).
89. See generally Organization for Economic Co-operation and Development, 10 Computer Related Crime: Analysis of Legal Policy (1986) [hereinafter OECD].
90. Id. at 68.
91. The Computer Misuse Act, Ch. 18 § 9 (1990). (British citizenship is immaterial).
92. Id. § 15.
93. International Criminal Law: A Guide to U.S. Practice and Procedure 336-63, 233-234 (Nanda & Bassiouni eds., 1987). The treaties provide for a broad range of assistance in criminal matters, including: (1) executing requests relating to criminal matters, (2) taking testimony or statements of persons, (3) effecting the production, preservation and authentication of documents, records, or articles of evidence, (4) returning to the requesting party any objects, articles or any other property or assets belonging to it or obtained by the accused through criminal offenses, (5) serving judicial documents, writs, summonses, records of judicial verdicts and court judgments or decisions, (6) effecting the appearance of a witness or expert before a court of the requesting party, (7) locating persons and (8) providing judicial records, evidence and information. Id.
94. An example of how a victimized nation may be forced to rely upon the authorities of another nation may be found in the Australian hacking example. See Savage, Loopholes, supra note 38. The United States found itself at the mercy of Australian officials to track down hackers who had damaged systems in the United States.
95. See supra note 38 and accompanying text.
96. See generally OECD, supra note 89, at 68.
97. Deborah Wise, UK Department of Trade and Industry Backs Survey to Calculate Cost of Computer Hackers, The Guardian, Oct. 26, 1991, at 15.
98. Savage, Loopholes, supra note 38, at 1.
99. Steve Shackelford, Computer Related Crime: an International Problem in Need of an International Solution, 27 Tex. Int'l L.J. 479, 504 (1992).
100. Office of Technology Assessment, Critical Connections: Communication for the Future 29 (1990).
101. Dick Dahl, Cyberspace; Pioneers will Define the Law in the New Electronic Frontier, Lawyers Weekly, Mar. 4, 1991 at 33.
102. UK: A Crime of the Times, Independent, Oct. 25, 1993, at 24.
103. Al Gore, Infrastructure for the Global Village, Scientific American, Sept. 1991, at 150, 152.
104. See Dahl, supra note 101.
105. Michael Alexander, Justice Unit Spurred on by Cross Boarder Hackers,
Computerworld, Oct. 21, 1991, at 6.
All contents copyright © 1997, New England School of Law, Boston, Massachusetts.
All Rights Reserved.