Georgetown University Law Center 2000 Working Paper Series In Business, Economics and regulatory policy d Public Law and Legal Theory Working Paper No. 249030 Criminal Law in Cyberspace by Neal Kumar Katyal a revised version of this working paper is forthcoming in the University of Pennsylvania Law Review, Volume 149, April 2001 So This paper can be downloaded without charge from the ocial Science research Network electronic Paper collection at http://papers.ssrn.com/paper.taf?abstractid=249030
1 Georgetown University Law Center 2000 Working Paper Series in Business, Economics and Regulatory Policy and Public Law and Legal Theory Criminal Law in Cyberspace by Neal Kumar Katyal A revised version of this working paper is forthcoming in the University of Pennsylvania Law Review, Volume 149, April 2001 This paper can be downloaded without charge from the Social Science Research Network Electronic Paper Collection at http://papers.ssrn.com/paper.taf?abstract_id=249030 Working Paper No. 249030
Criminal Law in Cyberspace Neal Kumar Katyal Forthcoming: 149 U Penn. L. Rev.-(April, 2001) NTRODUCTION WHAT IS CYBERCRIME? A. Unauthorized Access to Computer Programs and Files Unauthorized Disruption 1 orms 3. Logic Bombs Trojan Horses Distributed denial of service C. Theft of Identity Carrying out a Traditional Offense 1. Child Pornography 2. Copyright......... ..27 Illegal Firearms Sales 33 II TREATING CYBERCRIME DIFFERENTLY A. First-Party Strate 1. Five Constraints on Crime 2. The Efficiency of Cybercrime a) Conspiracy's Demise b) Pseudonymity and Encryption racing and Escape Second-Party Strategies of Victim Precaution 1. Optimal victim Behavior 2. The Limits of victim Precaution 4448938乃3987 3. The Emergence of a Special Form of Crime, Targeting Networks 5. Supersleuth Victims Electronic Vigilantism Third Party Strategies of Scanning, Coding, and Norm Enforcement 92 Internet service providers Credit Card Companies Software and Hardware Manufacturers Public Enforcement of Social Norms 105 CONCLUSION..,,,.,.,,.,.,..,.,.,..,,.,.,,.,..,,..,,,..,,,. Associate Professor of Law, Georgetown University Law Center. Thanks to Akhil Amar, Julie Cohen, Fred Cohen Michael Froomkin, Jennifer Granick, Jerry Kang, Sonia Katyal, Josh Liston, Wayne Mink, Wendy Perdue, Mark Rasch, Jeffrey rosen, Joanna Rosen, Jonathan Rusch, Mike Seidman, Warren Schwartz, Anna Selden, Andrew Shapiro, Neal Stephenson, Cliff Stoll, Lynn Stout, Mark Tushnet, Eugene Volokh, Robin West, and participants in a georgetown University Faculty Workshop
*Associate Professor of Law, Georgetown University Law Center. Thanks to Akhil Amar, Julie Cohen, Fred Cohen, Michael Froomkin, Jennifer Granick, Jerry Kang, Sonia Katyal, Josh Liston, Wayne Mink, Wendy Perdue, Mark Rasch, Jeffrey Rosen, Joanna Rosen, Jonathan Rusch, Mike Seidman, Warren Schwartz, Anna Selden, Andrew Shapiro, Neal Stephenson, Cliff Stoll, Lynn Stout, Mark Tushnet, Eugene Volokh, Robin West, and participants in a Georgetown University Faculty Workshop. Criminal Law in Cyberspace Neal Kumar Katyal* Forthcoming: 149 U. Penn. L. Rev. – (April, 2001) INTRODUCTION ................................................................ 2 I. WHAT IS CYBERCRIME? ................................................... 10 A. Unauthorized Access to Computer Programs and Files ....................... 17 B. Unauthorized Disruption ............................................. 19 1. Viruses ................................................... 19 2. Worms .................................................... 20 3. Logic Bombs & Trojan Horses .................................. 21 4. Distributed Denial of Service ................................... 22 C. Theft of Identity ................................................... 23 D. Carrying out a Traditional Offense ...................................... 24 1. Child Pornography ........................................... 24 2. Copyright .................................................. 27 3. Cyberstalking ............................................... 30 4. Illegal Firearms Sales ......................................... 33 II TREATING CYBERCRIME DIFFERENTLY ........................................ 34 A. First-Party Strategies ............................................... 34 1. Five Constraints on Crime ...................................... 34 2. The Efficiency of Cybercrime ................................... 38 a) Conspiracy’s Demise ................................... 39 b) Pseudonymity and Encryption ............................. 43 c) Tracing and Escape .................................... 68 B. Second-Party Strategies of Victim Precaution .............................. 73 1. Optimal Victim Behavior ....................................... 73 2. The Limits of Victim Precaution ................................. 79 3. The Emergence of a Special Form of Crime, Targeting Networks ......... 85 4. New De Minimis Crime ....................................... 87 5. Supersleuth Victims & Electronic Vigilantism ........................ 89 C. Third Party Strategies of Scanning, Coding, and Norm Enforcement ............. 92 1. Internet Service Providers ...................................... 93 2. Credit Card Companies ........................................ 99 3. Software and Hardware Manufacturers ........................... 100 4. Public Enforcement of Social Norms ............................. 105 CONCLUSION ................................................................ 110
INTROdUCTION The new millennium brings new crimes. Witness two of the most talked-about crimes of the year, the ILove You computer worm(in terms of economic damage, perhaps the most devastating crime in history, causing more than $11 billion in losses )and the denial of service attacks on Yahoo eBay, ETrade and other sites(which caused $1.2 billion in damage ). These events suggest that a new breed of crime has emerged over the past decade: Cybercrime. This umbrella term covers all sorts of crimes committed with computers-from viruses to trojan horses; from hacking into private email to undermining defense and intelligence systems; from electronic thefts of bank accounts to disrupting web sites. Law has not necessarily caught up with these crimes, as the recent dismissal of charges against he author of the ILove You worm demonstrates. How should the law think about computer crime? Some academics see cyberspace as a new area where first principles of law need to be rethought. David Johnson and David Post, for example, contend that existing legal rules are not suitable for the digital age, and that governments should not necessarily impose legal order on the Internet. 3 Others, by contrast, believe that a computer is merely an instrument and that crime in cyberspace e virus Signs Marketing and Sales Contract, BUSINESS WIRE, Aug 1, 2000(totaling damage from ILove You virus at $ll billion ); Russ Banham, Computer Viruses, CFO Magazine, Aug. 1, 2000(describing Yankee Group Consulting Firm study of February's denial of service attacks and its damage calculation of $1. 2 billion) PhilippinesDropsChargesinlloVeYouVirusCaseathttp://www.cnn.com/2000/tech /computing/08/21/computers. philippines reut/index. html(Aug 21, 2000)(reporting that Phillippines dropped charges because the only law against hacking was passed after the crimes took place) dAvid R Johnson David G Post, And How Shall the Net Be Governed? A Meditation on the Relative Virtues of Decentralized Emergent Law, in CooRDINATING THE INTERNET 62(Brian Kahin James H. Keller eds. 1997); David R. Johnson David Post, Law and Borders-The Rise of Law in Cyberspace, 48 STAN. L REV. 1367, 1372-75(1996) see also Benjamin Wittes, Is Law Enforcement Ready for Cyber Crime LEGAL TIMES, October 10, 1994 at 17 (describing how "some describe the Internet as'qualitatively different from other platforms for crime"and how others, such as Stewart Baker, former general counsel at the National Security Agency, believe that such descriptions are"broadly speaking-wrong")
1 eVirus Signs Marketing and Sales Contract, BUSINESS WIRE, Aug. 1, 2000 (totaling damage from ILoveYou virus at $11 billion); Russ Banham, Computer Viruses, CFO Magazine, Aug. 1, 2000 (describing Yankee Group Consulting Firm study of February’s denial of service attacks and its damage calculation of $1.2 billion). 2Philippines Drops Charges in ILoveYou Virus Case, at http://www.cnn.com/2000/TECH /computing/08/21/computers.philippines.reut/index.html(Aug 21, 2000) (reporting that Phillippines dropped charges because the only law against hacking was passed after the crimes took place). 3David R. Johnson & David G. Post, And How Shall the Net Be Governed? A Meditation on the Relative Virtues of Decentralized Emergent Law, in COORDINATING THE INTERNET 62 (Brian Kahin & James H. Keller eds. 1997); David R. Johnson & David Post, Law and Borders–The Rise of Law in Cyberspace, 48 STAN. L. REV. 1367, 1372-75 (1996); see also Benjamin Wittes, Is Law Enforcement Ready for Cyber Crime?, LEGAL TIMES, October 10, 1994 at 17 (describing how “some describe the Internet as ‘qualitatively different’ from other platforms for crime” and how others, such as Stewart Baker, former general counsel at the National Security Agency, believe that such descriptions are “broadly speaking–wrong”). INTRODUCTION The new millennium brings new crimes. Witness two of the most talked-about crimes of the year, the ILoveYou computer worm (in terms of economic damage, perhaps the most devastating crime in history, causing more than $11 billion in losses) and the denial of service attacks on Yahoo, eBay, ETrade and other sites (which caused $1.2 billion in damage).1 These events suggest that a new breed of crime has emerged over the past decade: Cybercrime. This umbrella term covers all sorts of crimes committed with computers–from viruses to trojan horses; from hacking into private email to undermining defense and intelligence systems; from electronic thefts of bank accounts to disrupting web sites. Law has not necessarily caught up with these crimes, as the recent dismissal of charges against the author of the ILoveYou worm demonstrates.2 How should the law think about computer crime? Some academics see cyberspace as a new area where first principles of law need to be rethought. David Johnson and David Post, for example, contend that existing legal rules are not suitable for the digital age, and that governments should not necessarily impose legal order on the Internet.3 Others, by contrast, believe that a computer is merely an instrument and that crime in cyberspace
Criminal Law in Cyberspace should be regulated the same way as other acts in realspace. The U.S. Department of Justice(Doj recent report on cybercrime typifies this approach. I contend that neither view is correct, and that each camp slights important features that make cybercrime both different from and similar to traditional crime Underlying the"cybercrime is not different position is a worry about a unique form of geographic substitution. The concern is that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower. For example, if the electronic theft of $1 million warrants five years'imprisonment, and the physical theft of Sl million warrants ten years' imprisonment, criminals are likely to opt for the electronic theft. Such analysis is, however, incomplete. Beccaria and Becker have observed that the expected penalty for criminal activity is not only the sentence in the criminal code, it is also a function of See, e. g, Christopher M. Kelly, The Cyberspace Separatism Fallacy, 34 TEX INT'L L.J. 413(1999)(book review); Catherine T Clarke, From CrimiNet to Cyber-perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet, 75 OR. L REv. 191, 204-05 (1996)(discussing informal surveys of lawyers revealing that"most lawyers consider criminals on the'net to be exactly the same as those outside the 'net); Jack L Goldsmith, Against Cyberanarchy, 65 U CHI. L REv. 1199(1998)(arguing that cyberspace can be regulated in many traditional ways). An important middle approach is Larry Lessig's, who contends that cyberspace can be regulated hrough law and programming code. See LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 52-60(1999) Some courts have also suggested that crimes might be different in cy berspace because there is a lack of ngible media, such as a briefcase that may be"stolen. "See, e. g, United States v. Carlin Commun., Inc, 815 F2d 1367, 1371(10th Cir. 1987). Others have disagreed. See United States v. Thomas, 74 F. 3d 701, 707(6th Cir. 1996) United States v Gilboe, 684 F2d 235 (2d Cir 1982) The Justice Department believes that"substantive regulation of unlawful conduct. should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world. If an activity is prohibited the physical world but not on the Internet, then the Internet becomes a safe haven for that unlawful activity. UNITED STATES DEPARTMENT OF JUSTICE. THE FLECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET 11(2000)[hereinafter DOJ REPORTI Current federal law, in general, embraces the view that there are no differences. See id at vi("Existing substantive federal laws generally do not distinguish between unlawful conduct committed through the use of the Internet and the same conduct committed through the use of other, more traditional means of communication
Criminal Law in Cyberspace Page 3 4 See, e.g., Christopher M. Kelly, The Cyberspace Separatism Fallacy, 34 TEX INT’L L.J. 413 (1999) (book review); Catherine T. Clarke, From CrimiNet to Cyber-perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet, 75 OR. L. REV. 191, 204-05 (1996) (discussing informal surveys of lawyers revealing that “most lawyers consider criminals on the 'net to be exactly the same as those outside the 'net”); Jack L. Goldsmith, Against Cyberanarchy, 65 U. CHI. L. REV. 1199 (1998) (arguing that cyberspace can be regulated in many traditional ways). An important middle approach is Larry Lessig’s, who contends that cyberspace can be regulated through law and programming code. See LAWRENCE LESSIG, CODE AND OTHER LAWS OF CYBERSPACE 52-60 (1999). Some courts have also suggested that crimes might be different in cyberspace because there is a lack of tangible media, such as a briefcase that may be “stolen.” See, e.g., United States v. Carlin Commun., Inc., 815 F.2d 1367, 1371 (10th Cir. 1987). Others have disagreed. See United States v. Thomas, 74 F. 3d 701, 707 (6th Cir. 1996); United States v. Gilboe, 684 F.2d 235 (2d Cir. 1982). 5 The Justice Department believes that “substantive regulation of unlawful conduct. . .should, as a rule, apply in the same way to conduct in the cyberworld as it does to conduct in the physical world. If an activity is prohibited in the physical world but not on the Internet, then the Internet becomes a safe haven for that unlawful activity.” UNITED STATES DEPARTMENT OF JUSTICE, THE ELECTRONIC FRONTIER: THE CHALLENGE OF UNLAWFUL CONDUCT INVOLVING THE USE OF THE INTERNET 11 (2000) [hereinafter DOJ REPORT]. Current federal law, in general, embraces the view that there are no differences. See id. at vi (“Existing substantive federal laws generally do not distinguish between unlawful conduct committed through the use of the Internet and the same conduct committed through the use of other, more traditional means of communication.”) should be regulated the same way as other acts in realspace.4 The U.S. Department of Justice (DOJ) recent report on cybercrime typifies this approach.5 I contend that neither view is correct, and that each camp slights important features that make cybercrime both different from and similar to traditional crime. Underlying the “cybercrime is not different” position is a worry about a unique form of geographic substitution. The concern is that disproportionately punishing activity in either realspace or cyberspace will induce criminals to shift their activities to that sphere in which the expected punishment is lower. For example, if the electronic theft of $1 million warrants five years’ imprisonment, and the physical theft of $1 million warrants ten years’ imprisonment, criminals are likely to opt for the electronic theft. Such analysis is, however, incomplete. Beccaria and Becker have observed that the expected penalty for criminal activity is not only the sentence in the criminal code, it is also a function of
Criminal Law in Cyberspace age he probability that one will get caught 6 To the extent that cybercrimes are easier to get away with, sentences might be increased to compensate for this lower probability In addition to the probability of being caught, another variable overlooked by the"cybercrime is not different camp is the perpetration cost of engaging in crime. A bank robbery in realspace, for example, consumes tremendous criminal resources. A robber would have to hire lookouts and firepower, garner inside knowledge about the bank, and so on. Profits would be split between five, Six, or even more people. A computer theft, by contrast, involves fewer resource inputs and may even be accomplished by a single person sitting down at a computer. Because cybercrime requires fewer resources and less investment to cause a given level of harm, the law might want to approach these crimes differently These variations suggest that cyberspace is a unique medium for three reasons. First, and most importantly, the use of computers and other equipment is a cheaper means to perpetrate crime Criminal law must be concerned not only with punishing crime ex post, but with creating ex ante barriers to inexpensive ways of carrying out criminal activity. In this Article, this principle-which is generally applicable in criminal law- will be called cost deterrence. The idea is that law should strive to channel crime into outlets that are more costly to criminals. Cyberspace presents unique opportunitie for criminals to reduce their perpetration costs the probability of success achieved by a given expenditure is greater. Accordingly, the law should develop mechanisms to neutralize these efficiency advantages See gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. POL. ECON. 169(1968); Cesare Beccaria On Crimes and Punishments, in ON CRIMES AND PUNISHMENTS AND OTHER WRITINGS 1, 21(Richard Bellamy ed Richard Davies et al. trans., Cambridge Univ Press 1995)(1764)
Criminal Law in Cyberspace Page 4 6 See Gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. POL. ECON. 169 (1968); Cesare Beccaria, On Crimes and Punishments, in ON CRIMES AND PUNISHMENTS AND OTHER WRITINGS 1, 21 (Richard Bellamy ed. & Richard Davies et al. trans., Cambridge Univ. Press 1995) (1764). the probability that one will get caught.6 To the extent that cybercrimes are easier to get away with, sentences might be increased to compensate for this lower probability. In addition to the probability of being caught, another variable overlooked by the “cybercrime is not different” camp is the perpetration cost of engaging in crime. A bank robbery in realspace, for example, consumes tremendous criminal resources. A robber would have to hire lookouts and firepower, garner inside knowledge about the bank, and so on. Profits would be split between five, six, or even more people. A computer theft, by contrast, involves fewer resource inputs and may even be accomplished by a single person sitting down at a computer. Because cybercrime requires fewer resources and less investment to cause a given level of harm, the law might want to approach these crimes differently. These variations suggest that cyberspace is a unique medium for three reasons. First, and most importantly, the use of computers and other equipment is a cheaper means to perpetrate crime. Criminal law must be concerned not only with punishing crime ex post, but with creating ex ante barriers to inexpensive ways of carrying out criminal activity. In this Article, this principle–which is generally applicable in criminal law–will be called cost deterrence. The idea is that law should strive to channel crime into outlets that are more costly to criminals. Cyberspace presents unique opportunities for criminals to reduce their perpetration costs; the probability of success achieved by a given expenditure is greater. Accordingly, the law should develop mechanisms to neutralize these efficiency advantages
Criminal Law in Cyberspace age 5 Some neutralization techniques, however, risk punishing utility-producing activities. For example, encryption has the potential to further massive terrorism ( which leads many in the law enforcement community to advocate its criminalization) but also the potential to facilitate greater security in communication and encourage freedom(which leads many others to push for unfettered access to the technology ) This is a standard dilemma that the law encounters in regulation of technology, call it the dual-use problem. The problem arises when an activity has both positive and negative uses, and forbidding the act forfeits the good uses. To help solve the problem, I introduce a conventional tool, the sentencing enhancement, as a mechanism that selectively targets improper uses. Policymakers and cademic have given little attention to sentencing enhancements, and lack a theory of when they should e used. This Article endeavors to fill that gap, arguing that they are suited for acts whose benefits and harms are context specific. It shows, for example, how enhancements provide a solution to the encryption debate because they can be aimed at encryptions harmful applications Second, cybercrime adds additional parties to the traditional perpetrator-victim scenario of crime. In particular, much cybercrime is carried out through the use of Internet Service Providers (ISPs), such as America OnLine. Criminal law should consider imposing responsibilities on third parties because doing so promotes cost deterrence. Third parties can develop ways to make crime more expensive, and may be able to do so in ways that the govemment cannot directly accomplish. The same logic sometimes applies to victims of cybercrime; law can develop mechanisms to encourage optimal victim behavior as well. As part of this discussion, the Article shows how victim self-help depends on changing police behavior, and outlines a strategy to make police departments behave more like fire departments(focusing on warning and prevention, and less on chasing people after they commit crimes
Criminal Law in Cyberspace Page 5 Some neutralization techniques, however, risk punishing utility-producing activities. For example, encryption has the potential to further massive terrorism (which leads many in the law enforcement community to advocate its criminalization) but also the potential to facilitate greater security in communication and encourage freedom (which leads many others to push for unfettered access to the technology). This is a standard dilemma that the law encounters in regulation of technology, call it the dual-use problem. The problem arises when an activity has both positive and negative uses, and forbidding the act forfeits the good uses. To help solve the problem, I introduce a conventional tool, the sentencing enhancement, as a mechanism that selectively targets improper uses. Policymakers and academics have given little attention to sentencing enhancements, and lack a theory of when they should be used. This Article endeavors to fill that gap, arguing that they are suited for acts whose benefits and harms are context specific. It shows, for example, how enhancements provide a solution to the encryption debate because they can be aimed at encryption’s harmful applications. Second, cybercrime adds additional parties to the traditional perpetrator-victim scenario of crime. In particular, much cybercrime is carried out through the use of Internet Service Providers (ISPs), such as America OnLine. Criminal law should consider imposing responsibilities on third parties because doing so promotes cost deterrence. Third parties can develop ways to make crime more expensive, and may be able to do so in ways that the government cannot directly accomplish. The same logic sometimes applies to victims of cybercrime; law can develop mechanisms to encourage optimal victim behavior as well. As part of this discussion, the Article shows how victim self-help depends on changing police behavior, and outlines a strategy to make police departments behave more like fire departments (focusing on warning and prevention, and less on chasing people after they commit crimes)
Criminal Law in Cyberspace Page 6 Two features of cyberspace, however, suggest that these burden-shifting strategies will be difficult. The first, which borrows from the New Economy jingo of Network effects, " contends that interconnectivity is an important goal that should not be sacrificed lightly. If victims and ISPs are forced to take precautionary measures-from building strong firewalls to forgoing communication with risky computer systems-it may diminish the value of the Internet. A strong public law enforcement presence necessary to prevent the Net from fragmenting into small regions accessible only to subsets of trusted users with passkeys. A second feature that limits burden-shifting arises because of the asymmetric incentives between ISPs and their users. Because an isP derives little util ity from providing access to a risky subscriber, a legal regime that places liability on an IsP for the acts of its subscribers will quickl lead the IsP to purge risky ones from its system. ISPs, as private entities, face no constitutional constraints and little public accountability, the results of ISP liability may be unfair and risk undermining the Net's benefits Third, and more generally, a host of thorny problems arise because most activities that occur cyberspace are invisible to third parties-and sometimes even to second parties, such as the very website that is being hacked In a type of space where crimes are invisible, strategies that focus on trying to prevent crime by maintaining public order, such as Broken Windows Policing, are of limited utility(though some insights can be adapted to cyberspace). Social norms cannot operate as effectively to prevent crime on the Net, for its users are not necessarily constrained by the values of realspace nor can norms sometimes be enforced as easily as they can in realspace On the other side of the ledger, the danger of overly aggressive law enforcement is multiplied in yberspace. Each new major cybercrime leads law enforcement to push for changes to the technical infrastructure to create better monitoring and tracing. If these codes are hidden in private hardware and
Criminal Law in Cyberspace Page 6 Two features of cyberspace, however, suggest that these burden-shifting strategies will be difficult. The first, which borrows from the New Economy jingo of “Network effects,” contends that interconnectivity is an important goal that should not be sacrificed lightly. If victims and ISPs are forced to take precautionary measures–from building strong firewalls to forgoing communication with risky computer systems–it may diminish the value of the Internet. A strong public law enforcement presence is necessary to prevent the Net from fragmenting into small regions accessible only to subsets of trusted users with passkeys. A second feature that limits burden-shifting arises because of the asymmetric incentives between ISPs and their users. Because an ISP derives little utility from providing access to a risky subscriber, a legal regime that places liability on an ISP for the acts of its subscribers will quickly lead the ISP to purge risky ones from its system. ISPs, as private entities, face no constitutional constraints and little public accountability; the results of ISP liability may be unfair and risk undermining the Net’s benefits. Third, and more generally, a host of thorny problems arise because most activities that occur in cyberspace are invisible to third parties–and sometimes even to second parties, such as the very website that is being hacked. In a type of space where crimes are invisible, strategies that focus on trying to prevent crime by maintaining public order, such as Broken Windows Policing, are of limited utility (though some insights can be adapted to cyberspace). Social norms cannot operate as effectively to prevent crime on the Net, for its users are not necessarily constrained by the values of realspace nor can norms sometimes be enforced as easily as they can in realspace. On the other side of the ledger, the danger of overly aggressive law enforcement is multiplied in cyberspace. Each new major cybercrime leads law enforcement to push for changes to the technical infrastructure to create better monitoring and tracing. If these codes are hidden in private hardware and
Criminal Law in Cyberspace age 7 software, however, public accountabil ity may be undermined. a similar point is true about enforcement by police; because police are invisible on the Internet, the potential for entrapment may be greater. The ultimate effect of this loss of police visibility may be to poison legitimate activity on the Net because confidence in communication may be undermined. A man cannot be sure that he is talking to a friend and not a government interloper seeking to document a criminal case. Because the technology of law enforcement is not well understood among the public, citizens will fear the Net, and its advantages will be stymied. Consider the public uproar over a third prominent news item from this year: the discovery that the Federal Bureau of Investigation(FBi has a system to read private emails with the poorly chosen title of "Carnivore Nevertheless, the differences between crimes that take place in cyberspace and those that occur in realspace should not obscure their similarities. For example, if crime in cyberspace is easier to commit due to technical prowess, then the law needs to begin to think about how to treat offline crimes that hamess technical ability. Similarly, if acts in cyberspace portend criminal activity in realspace, then this dangerous complementarity can- if sufficiently strong-justify punishing acts in cyberspace(an example might be electronic stalkers, who may graduate to stalking in realspace). This notion undoes the standard idea that criminal punishment should be reserved only for acts that are harmful; the point here is not that a certain act is harmful, but that its commission will lead to a harmful act. Preventing the former act is a mechanism the government may use to discourage the commission of the latter Review U, WASH. POST, Aug. 11, 2000, at 23; Ted Bridis, FBI Mon't Provide Data on Carnivore Congress 3 g 'See McVeigh v. Cohen, 983 F Supp. 215, 217 (D D.C. 1998)(officer discharged on basis of gays-in-military po fter government obtains America OnLine email where he indicated his homosexuality) SSee infra note 184(discussing exaggerated fears of Carnivore); see also David A. Vise, Carnivore Going Requested, WALL ST J, Aug 10, 2000, Neil King, FBI'S Wiretaps to Scan E-mail Spark Concern, N.Y. TIMES, July
Criminal Law in Cyberspace Page 7 7 See McVeigh v. Cohen, 983 F.Supp. 215, 217 (D.D.C. 1998) (officer discharged on basis of gays-in-military policy after government obtains America OnLine email where he indicated his homosexuality). 8 See infra note 184 (discussing exaggerated fears of Carnivore); see also David A. Vise, Carnivore Going to Review U., WASH. POST, Aug. 11, 2000, at 23; Ted Bridis, FBI Won't Provide Data on Carnivore Congress Requested, WALL ST. J., Aug. 10, 2000; Neil King, FBI'S Wiretaps to Scan E-mail Spark Concern, N.Y. TIMES, July 11, 2000, at A3. software, however, public accountability may be undermined. A similar point is true about enforcement by police; because police are invisible on the Internet, the potential for entrapment may be greater. The ultimate effect of this loss of police visibility may be to poison legitimate activity on the Net because confidence in communication may be undermined. A man cannot be sure that he is talking to a friend, and not a government interloper seeking to document a criminal case.7 Because the technology of law enforcement is not well understood among the public, citizens will fear the Net, and its advantages will be stymied. Consider the public uproar over a third prominent news item from this year: the discovery that the Federal Bureau of Investigation (FBI) has a system to read private emails with the poorly chosen title of “Carnivore.”8 Nevertheless, the differences between crimes that take place in cyberspace and those that occur in realspace should not obscure their similarities. For example, if crime in cyberspace is easier to commit due to technical prowess, then the law needs to begin to think about how to treat offline crimes that harness technical ability. Similarly, if acts in cyberspace portend criminal activity in realspace, then this dangerous complementarity can– if sufficiently strong–justify punishing acts in cyberspace (an example might be electronic stalkers, who may graduate to stalking in realspace). This notion undoes the standard idea that criminal punishment should be reserved only for acts that are harmful; the point here is not that a certain act is harmful, but that its commission will lead to a harmful act. Preventing the former act is a mechanism the government may use to discourage the commission of the latter
Criminal Law in Cyberspace Page 8 The problem of cybercrime is a larger one of how the law deals with new technologies Sometimes, the law treats crimes that employ new technologies as different and deserving of special gulation(wire fraud, hijacking of airplanes, grand theft auto)and other times it does not(crimes performed with typewriters and the theft of most objects, which carries the same penalty whether accomplished with James Bond-style panache or by a simple break-in). Lurking underneath this differential regulation is a complex symbiotic relationship between technology and law. Computer crime forces us to confront the role and limitations of criminal law, just as criminal law forces us to reconceptualize the role and limitations of technology After all, computer crime is not simply constrained by law. Before Bob Ellickson and Larry Lessig's pathbreaking work, many scholars assumed that law was the primary mechanism for the regulation of conduct. Ellickson and Lessig helped introduce a second constraint, social norms. They showed how such norms can regulate as effectively, or even more effectively than law could. Lessig's recent work has suggested a third form of regulation, architecture or Code. Rather than relying on social pressure or legal sanction, Lessig explains how physical and electronic barriers can prevent harmful acts. In realspace, installing lights on street comers can prevent muggings and other forms of street crime, and placing concrete barricades near inner-city highway ramps will prevent suburbanites from quickly driving in and out to purchase drugs. In cyberspace, Internet browsers can 9See CAROLYN MARVIN. WHEN OLD TECHNOLOGIES WERE NEW: THINKING ABOUT ELECTRIC COMMUNICATION IN THI LATE NINETEENTH CENTURY 6, 88-97(1988)(suggesting that electricity and telephones modified crime control) 1See Neal Kumar Katyal, Deterrence's Difficulty, 95 MICH L REV. 2385, 2416-20, 2447-55(1997)(distinguishing between three forms of social regulation: legal sanctions, monetary price, and social norms) ROBERT C ELLICKSON, ORDER WITHOUT LAW(1991); Lawrence Lessig, The Regulation of Social Meaning, 62U CHIL REV.943(1995 "LESSIG, supra note 4 Richard Weizel, A Tentative Farewell to the Bridgeport Barriers, N.Y. TIMES, July 5, 1998, at Sec. 14, p 1; Fred Musante, Drug Trade Links Bridgeport and its Suburbs, N.Y. TIMES, Feb. 14, 1993, at Sec. 13, p I
Criminal Law in Cyberspace Page 8 9 See CAROLYN MARVIN, WHEN OLD TECHNOLOGIES WERE NEW: THINKING ABOUT ELECTRIC COMMUNICATION IN THE LATE NINETEENTH CENTURY 6, 88-97(1988) (suggesting that electricity and telephones modified crime control). 10See Neal Kumar Katyal, Deterrence’s Difficulty, 95 MICH. L. REV. 2385, 2416-20, 2447-55 (1997) (distinguishing between three forms of social regulation: legal sanctions, monetary price, and social norms). 11ROBERT C. ELLICKSON, ORDER WITHOUT LAW (1991); Lawrence Lessig, The Regulation of Social Meaning, 62 U. CHI. L. REV. 943 (1995). 12LESSIG, supra note 4. 13Richard Weizel, A Tentative Farewell to the Bridgeport Barriers, N.Y. TIMES, July 5, 1998, at Sec. 14, p.1; Fred Musante, Drug Trade Links Bridgeport and its Suburbs, N.Y. TIMES, Feb. 14, 1993, at Sec. 13, p.1. The problem of cybercrime is a larger one of how the law deals with new technologies. Sometimes, the law treats crimes that employ new technologies as different and deserving of special regulation (wire fraud, hijacking of airplanes, grand theft auto) and other times it does not (crimes performed with typewriters and the theft of most objects, which carries the same penalty whether accomplished with James Bond-style panache or by a simple break-in). Lurking underneath this differential regulation is a complex symbiotic relationship between technology and law.9 Computer crime forces us to confront the role and limitations of criminal law, just as criminal law forces us to reconceptualize the role and limitations of technology. After all, computer crime is not simply constrained by law.10 Before Bob Ellickson and Larry Lessig’s pathbreaking work, many scholars assumed that law was the primary mechanism for the regulation of conduct. Ellickson and Lessig helped introduce a second constraint, social norms. They showed how such norms can regulate as effectively, or even more effectively, than law could.11 Lessig’s recent work has suggested a third form of regulation, architecture or Code.12 Rather than relying on social pressure or legal sanction, Lessig explains how physical and electronic barriers can prevent harmful acts. In realspace, installing lights on street corners can prevent muggings and other forms of street crime, and placing concrete barricades near inner-city highway ramps will prevent suburbanites from quickly driving in and out to purchase drugs.13 In cyberspace, Internet browsers can
Criminal Law in Cyberspace Page 9 be configured to prevent repeated password entry attempts for sensitive websites or could be coded to prevent certain forms of encryption This Article suggests the presence of two other constraints, physical harm and monetary cost The risk of physical harm in committing a crime is a rather obvious constraint, and one that is generally lower with computer crime as compared to realspace crime. Monetary costs, by contrast, are not thought of by criminal scholars as a deterrent, and this is unfortunate. One reason why computer crime is so dangerous is because it is so cheap to perpetrate The legal system, I contend, should rely more on perpetration costs. After all, unlike the probabilistic specter of legal sanction, these costs are certain to be incurred by all who commit a crime In some ways, the legal systems current focus on legal sanction at the expense of monetary costs is ironic. Criminals tend to be gamblers- willing to speculate on the chance that they will not be caught and vet the conventional wisdom is to set up a parlor from which to conduct the wager instead of relying on a certain perpetration cost. Governments use the threat of jail time to deter offenses when they know that the bulk of offenders discount the threat of long jail sentences because they have many years to live due to their youth. The lack of high perpetration costs is one factor that explains the rise in cybercrime. Indeed, the fact that crime is cheap to commit weakens the power of social norms, the ease of, for example, copying a Cd leads many to think of it as not a serious crime Monetary costs in short may deter a different stratum of the population than might law enforcement-those with less money. Suppose, for example, that the majority of hackers are teenagers. Teenagers, with their small wallets and purses, might be particularly sensitive to strategies that increase the monetary costs of crime. If dangerous software programs such as hackers tools were expensive, or if sensitive websites charged low admissions fees, these forms of regulation may deter
Criminal Law in Cyberspace Page 9 be configured to prevent repeated password entry attempts for sensitive websites or could be coded to prevent certain forms of encryption. This Article suggests the presence of two other constraints, physical harm and monetary cost. The risk of physical harm in committing a crime is a rather obvious constraint, and one that is generally lower with computer crime as compared to realspace crime. Monetary costs, by contrast, are not thought of by criminal scholars as a deterrent, and this is unfortunate. One reason why computer crime is so dangerous is because it is so cheap to perpetrate. The legal system, I contend, should rely more on perpetration costs. After all, unlike the probabilistic specter of legal sanction, these costs are certain to be incurred by all who commit a crime. In some ways, the legal system’s current focus on legal sanction at the expense of monetary costs is ironic. Criminals tend to be gamblers -- willing to speculate on the chance that they will not be caught – and yet the conventional wisdom is to set up a parlor from which to conduct the wager instead of relying on a certain perpetration cost. Governments use the threat of jail time to deter offenses when they know that the bulk of offenders discount the threat of long jail sentences because they have many years to live due to their youth. The lack of high perpetration costs is one factor that explains the rise in cybercrime. Indeed, the fact that crime is cheap to commit weakens the power of social norms; the ease of, for example, copying a CD leads many to think of it as not a serious crime. Monetary costs in short may deter a different stratum of the population than might law enforcement – those with less money. Suppose, for example, that the majority of hackers are teenagers. Teenagers, with their small wallets and purses, might be particularly sensitive to strategies that increase the monetary costs of crime. If dangerous software programs such as hackers’ tools were expensive, or if sensitive websites charged low admissions fees, these forms of regulation may deter