MIS

1. Computer Crime
Copyright 1999, 2002 by Ronald B. Standler
Table of Contents
Introduction
1. Unauthorized use of computer, Altering Websites, Denial of Service (DoS) Attacks
2. Malicious computer programs, Common, but Unacceptable, Justifications for Malicious
Programs
3. Harassment & Stalking
4. Weak punishment in USA
5. Computer crime statutes in USA
6. Sue criminals in tort
Journalists
Conclusion
Introduction
There are no precise, reliable statistics on the amount of computer crime and the economic loss to
victims, partly because many of these crimes are apparently not detected by victims, many of
these crimes are never reported to authorities, and partly because the losses are often difficult to
calculate. Nevertheless, there is a consensus among both law enforcement personnel and
computer scientists who specialize in security that both the number of computer crime incidents
and the sophistication of computer criminals is increasing rapidly. Estimates are that computer
crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might
be substantially higher. Experts in computer security, who are not attorneys, speak of
"information warfare". While such "information warfare" is just another name for computer
crime, the word "warfare" does fairly denote the amount of damage inflicted on society.
I have posted a separate document, Tips for Avoiding Computer Crime, which includes
suggestions for increasing the security and reliability of personal computers, as well as links to
websites on computer viruses, computer crime, and anti-virus and firewall software.
Two comments on word usage in this essay:
I normally write in a gender neutral way, but here I use the masculine pronoun for computer
criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist
attacking me because I deny equal recognition to women criminals. <grin>
To some professional computer programmers, the word "hacker" refers to a skilled programmer
and is neither pejorative nor does it refers to criminal activity. However, to most users of English,
the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this
essay.
I originally wrote this essay in May 1999. I do not have the spare time that would be required for
a thorough search and analysis of reported cases and statutes on computer crime, as well as
newspaper accounts (most criminal proceedings are resolved without generating any judicial
decision that is reported in legal databases or books), so my revisions are mostly generalizations.
new crimes in cyberspace
There are three major classes of criminal activity with computers:
unauthorized use of a computer, which might involve stealing a username and password, or
might involve accessing the victim's computer via the Internet through a backdoor operated by a
Trojan Horse program.
Creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).
1

2. Harassment and stalking in cyberspace.
Old crimes
When lay people hear the words "computer crime", they often think of obscene pictures available
on the Internet or solicitation of children for sex by pedophiles via chat rooms on the Internet. The
legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in
books and magazines, except for some technical issues of personal jurisdiction on the Internet. I
have discussed obscenity on the Internet in my May 1997 essay on law & technology and I have
nothing further to say about obscenity in this essay on computer crime.
Similarly, many crimes involving computers are no different from crimes without computers: the
computer is only a tool that a criminal uses to commit a crime. For example,
Using a computer, a scanner, graphics software, and a high-quality color laser or ink jet printer for
forgery or counterfeiting is the same crime as using an old-fashioned printing press with ink.
Stealing a laptop computer with proprietary information stored on the hard disk inside the
computer is the same crime as stealing a briefcase that contains papers with proprietary
information.
Using the Internet or online services to solicit sex is similar to other forms of solicitation of sex,
and so is not a new crime.
Using computers can be another way to commit either larceny or fraud.
In contrast to merely using computer equipment as a tool to commit old crimes, this essay is
concerned with computer crimes that are new ways to harm people.
False origin
There are many instances of messages sent in the name of someone who neither wrote the content
nor authorized the sending of the message. For example:
E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the
Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).
Posting messages in an Internet newsgroup or online bulletin board with a false author's name that
is intended to harm the reputation of the real person of that name.
These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery,
deceit, or fraud. However, a judge might decide that the specific language in old statutes about
writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail
addresses or unauthorized sending of e-mail in someone else's name, I would prefer that
legislatures broaden the existing criminal statutes for analogous crimes with paper and ink.
Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail,
also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.
1. Unauthorized Use
Unauthorized use of computers tends generally takes the following forms:
Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data
is neither deleted nor changed.
In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer,
then automatically sent that document and copy of the virus via e-mail to other people.
Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly
confidential] documents from a victim's computer. These malicious programs are a new way to
release confidential information from a victim's computer, with the confidential information going
2

3. not to the author of the malicious program, but to some person unknown to the author of the
malicious program.
Changing data. For example, change a grade on a school transcript, add "money" to a checking
account, etc. Unauthorized changing of data is generally a fraudulent act.
Deleting data. Deleting entire files could be an act of vandalism or sabotage.
Denying service to authorized users. On a modern time-sharing computer, any user takes some
time and disk space, which is then not available to other users. By "denying service to authorized
users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
by having the computer execute a malicious program that puts the processing unit into an infinite
loop, or,
by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users
an opportunity to download a page and also possibly crashing the server. This is called a denial of
service (DoS) attack.
During 1950-1975, computer programs and data were generally stored on cardboard cards with
holes punched in them. If a vandal were to break into an office and either damage or steal the
punch cards, the vandal could be adequately punished under traditional law of breaking and
entering, vandalism, or theft.
However, after about 1975, it became common to enter programs and data from remote terminals
(a keyboard and monitor) using a modem and a telephone line. This same technology allowed
banks to retrieve a customer's current balance from the bank's central computer, and merchants to
process credit card billing without sending paper forms. But this change in technology also meant
that a criminal could alter data and programs from his home, without physical entry into the
victim's building. The traditional laws were no longer adequate to punish criminals who used
computer modems.
Most unauthorized use of a computer is accomplished by a person in his home, who uses a
modem to access a remote computer. In this way, the computer criminal is acting analogous to a
burglar. The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.
In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's
property. However, in the unauthorized use of another's computer, the criminal "enters" the
computer via the telephone lines, which is not breaking into the building. Either the burglary
statute needed to be made more general or new criminal statute(s) needed to be enacted for
unauthorized access to a computer. Legislatures chose to enact totally new statutes.
To successfully use a remote computer, any user (including criminals) must have both a valid user
name and valid password. There are several basic ways to get these data:
Call up a legitimate user, pretend to be a system administrator, and ask for the user name and
password. This sounds ridiculous, but many people will give out such valuable information to
anyone who pretends to have a good reason. Not only should you refuse to provide such
information, but please report such requests to the management of the online service or the local
police, so they can be alert to an active criminal.
Search user's offices for such data, as many people post their user name and password on the side
of their monitor or filing cabinet, where these data can be conveniently seen.
Write a program that tries different combinations of user names and passwords until one is
accepted.
Use a packet "sniffer" program to find user names and passwords as they travel through networks.
3

4. Search through a garbage bin behind the computer building in a university or corporate campus,
find trash paper that lists user names and passwords.
A disgruntled employee can use his legitimate computer account and password for unauthorized
uses of his employer's computer. This can be particularly damaging when the disgruntled
employee is the computer system administrator, who knows master password(s) and can enter any
user's file area. Such disgruntled employees can perpetrate an "inside job", working from within
the employer's building, instead of accessing a computer via modem.
The computer voyeurs, like petty criminals who peek in other people's windows, generally hack
into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these
computer voyeurs also used technology to make long-distance telephone calls for free, which
technology also concealed their location when they were hacking into computers. Many of these
voyeurs take a special thrill from hacking into military computers, bank computers, and telephone
operating system computers, because the security is allegedly higher at these computers, so it is a
greater technical challenge to hack into these machines.
The criminals who change or delete data, or who deliberately gobble large amounts of computer
resources, have a more sinister motive and are capable of doing immense damage.
Of course, there is always the possibility that a computer voyeur will "accidentally" bumble
around an unfamiliar system and cause appreciable damage to someone else's files or programs.
Traditional criminal law in the USA places a great deal of emphasis on willful or intentional
conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea
(literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately
hacks into someone else's computer should be accountable under criminal law for whatever
damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I
would make an analogy to a homicide that occurs "accidentally" during the commission of a
felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking
constitutes the malice or intent to cause the damage.
In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like
teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers
in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City.
That computer stored records of cancer patients' radiation treatment. Altering files on that
computer could have killed patients, which reminded everyone that hacking was a serious
problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal
computer crime statute.
S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480.
There is an interesting case under California state law for a criminal who improved his clients'
credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).
Altering websites
In recent years, there have been a large number of attacks on websites by hackers who are angry
with the owner of the website. Victims of such attacks include various U.S. Government agencies,
including the White House and FBI. Attacking the FBI website is like poking a lion with a stick.
<grin>
In a typical attack, the hacker will delete some pages or graphics, then upload new pages with the
same name as the old file, so that the hacker controls the message conveyed by the site.
This is not the worst kind of computer crime. The proper owner of the site can always close the
website temporarily, restore all of the files from backup media, improve the security at the site,
4

5. and then re-open the site. Nonetheless, the perpetrator has committed a computer crime by
making an unauthorized use of someone else's computer or computer account.
The Internet is a medium for freely sharing information and opinions. However the criminals who
trash other people's websites are acting as self-appointed censors who deny freedom of speech to
those with whom they disagree. These criminals often make the self-serving excuse for their
actions that they only attack sites sponsored by bad corporations or bad people. However, this
excuse makes these criminals into vigilantes who serve as legislature, judge, jury, and
executioner: arrogantly determining what is in the best interests of society.
One example of punishment for the crime of defacing a website is the case of Dennis M. Moran.
On 9 March 2001, Moran (alias "Coolio"), a high school dropout, was sentenced in New
Hampshire state court to nine months incarceration and ordered to pay a total of US$ 15000
restitution to his victims for defacing two websites:
In November 1999, he defaced the website of DARE America, an organization that campaigns
against use of illicit drugs, whose website was in Los Angeles, California.
In February 2000, he defaced the website of RSA Security in Massachusetts.
In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army
and Air Force installations.
See the New Hampshire DoJ press release.
Denial of Service (DoS) Attacks
A denial of service attack occurs when an Internet server is flooded with a nearly continuous
stream of bogus requests for webpages, thereby denying legitimate users an opportunity to
download a page and also possibly crashing the webserver.
Criminals have developed a simple technique for executing a distributed DoS attack:
The criminal first plants remote-control programs on dozens of computers that have broadband
access to the Internet. The remote-control program will, at the command of the criminal, issue a
nearly continuous series of pings to a specified victim's website.
When the criminal is ready to attack, he instructs the programs to begin pinging a specific target
address. The computers containing the remote-control programs act as "zombies".
The victim computer responds to each ping, but because the zombie computers gave false source
addresses for their pings, the victim computer is unable to establish a connection with the zombie
computers. Because the victim computer waits for a response to its return ping, and because there
are more zombie computers than victims, the victim computer becomes overwhelmed and either
(a) does nothing except respond to bogus pings or (b) crashes.
Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim.
This brief duration is not because the criminal is a nice person, but because long-duration attacks
make it easier for engineers at the victim's website to promptly trace the source of the attacks.
This may sound sophisticated, but the remote-control programs, and instructions for using them,
are readily available from many pro-hacker websites since June 1999. My essay, Tips for
Avoiding Computer Crime, has specific suggestions for how you can use firewall software on
your computer to prevent your computer from being used by criminals in DoS attacks on victims.
Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on
webservers.
A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each
week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts.
David Dittrich, a senior security engineer at the University of Washington and expert on UNIX
system administration, has posted a large collection of links to resources on distributed DoS
attacks.
5

6. The following is one case involving a famous series of DoS attacks:
The Yahoo website was attacked at 10:30 PST on Monday, 7 Feb 2000. The attack lasted three
hours. Yahoo was pinged at the rate of one gigabyte/second.
The websites of amazon.com buy.com cnn.com eBay.com were attacked on Tuesday, 8 Feb
2000. Each attack lasted between one and four hours. CNN reported that the attack on its website
was the first major attack since its website went online in August 1995.
The websites of E*Trade, a stock broker, and ZDNet, a computer information company, were
attacked on Wednesday, 9 Feb 2000.
About fifty computers at Stanford University, and also computers at the University of California
at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks.
The attacks received the attention of President Clinton and the U.S. Attorney General, Janet Reno.
The FBI began to investigate. A CNN news report posted at 18:44 EST on 9 Feb 2000 quotes Ron
Dick of the FBI's National Infrastructure Protection Center as saying "A 15-year-old kid could
launch these attacks. It doesn't take a great deal of sophistication to do."
His remark was prophetic, because, on 18 April 2000, a 15-year-old pupil in Montréal Canada
was arrested and charged with two counts of "mischief to data" arising from his DoS attack on
CNN. Because he was a juvenile, his name can not be publicly disclosed, so he was called by his
Internet pseudonym Mafiaboy. The Royal Canadian Mounted Police seized Mafiaboy's computer.
CNN reported that Mafiaboy was granted bail, with the following conditions:
"may only use computers under the direct supervision of a teacher."
"prohibited from connecting to the Internet"
prohibited from entering "a store or company where computer services or parts are sold."
"barred from communicating with three of his closest friends."
On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with 54 counts of illegal
access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com,
eBay, Dell Computer, Outlaw.net, and Yahoo. Mafiaboy had also attacked other websites, but
prosecutors decided that a total of 66 counts was enough. Mafiaboy pled not guilty.
In November 2000, Mafiaboy's bail was revoked, because he skipped school in violation of a
court order. He spent two weeks in jail.
In December 2000, Mafiaboy, now 16 y old, dropped out of school (after being suspended from
school six times since the beginning of that academic year, and failing all of his classes except
physical education), and was employed at a menial job. He was again granted bail.
On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data and 51 counts of illegal
access to computers. As part of a plea agreement between his attorney and prosecutors, the
prosecution dismissed the remaining ten counts.
On 20 June 2001, a social worker reported to the court that Mafiaboy "shows no sign of remorse"
and "he's still trying to justify what he did was right."
On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a juvenile detention center,
then spend one year on probation. Because Mafiaboy was a child at the time of his crime, the
maximum sentence that he could have received would be incarceration for two years. In issuing
the sentence, Judge Gilles Ouellet commented:
This is a grave matter. This attack weakened the entire electronic communications system. And
the motivation was undeniable, this adolescent had a criminal intent."
The above facts are taken from reports at CNN, CBC, CNEWS, and the sentence is reported at
wired.com.
2. Malicious computer programs
The following are general terms for any computer program that is designed to harm its victim(s):
Malicious code
Malicious program
Malware (by analogy with "software")
Rogue program
Malicious computer programs are divided into the following classes:
6

7. A virus is a program that "infects" an executable file. After infection, the executable file functions
in a different way than before: maybe only displaying a benign message on the monitor, maybe
deleting some or all files on the user's hard drive, maybe altering data files. There are two key
features of a computer virus:
the ability to propagate by attaching itself to executable files (e.g., application programs,
operating system, macros, scripts, boot sector of a hard disk or floppy disk, etc.) Running the
executable file may make new copies of the virus.
the virus causes harm only after it has infected an executable file and the executable file is run.
The word "virus" is also commonly used broadly to include computer viruses, worms, and Trojan
Horse programs. For example, so-called "anti-virus software" will remove all three classes of
these malicious programs.
Beginning with the Melissa virus in 1999, viruses could automatically send e-mail with the
victim's name as the alleged source.
A worm is a program that copies itself. The distinction between a virus and worm, is that a virus
never copies itself – a virus is copied only when the infected executable file is run.
In the pure, original form, a worm neither deleted nor changed files on the victim's computer —
the worm simply made multiple copies of itself and sent those copies from the victim's computer,
thus clogging disk drives and the Internet with multiple copies of the worm. Releasing such a
worm into the Internet will slow the legitimate traffic on the Internet, as continuously increasing
amounts of traffic are mere copies of the worm.
Beginning with the Klez worm in early 2002, a worm could drop a virus into the victim's
computer. This kind of worm became known as a blended threat, because it combined two
different types of malicious code.
A Trojan Horse is a deceptively labeled program that contains at least one function that is
unknown to the user and that harms the user. A Trojan Horse does not replicate, which
distinguishes it from viruses and worms.
Some of the more serious Trojan horses allow a hacker to remotely control the victim's computer,
perhaps to collect passwords and credit card numbers and send them to the hacker, or perhaps to
launch denial of service attacks on websites.
Some Trojan Horses are installed on a victim's computer by an intruder, without any knowledge
of the victim. Other Trojan Horses are downloaded (perhaps in an attachment in e-mail) and
installed by the user, who intends to acquire a benefit that is quite different from the undisclosed
true purpose of the Trojan Horse.
A logic bomb is a program that "detonates" when some event occurs. The detonated program
might stop working (e.g., go into an infinite loop), crash the computer, release a virus, delete data
files, or any of many other harmful possibilities. A time bomb is a type of logic bomb, in which
the program detonates when the computer's clock reaches some target date.
A hoax is a warning about a nonexistent malicious program. I have a separate essay that describes
how to recognize hoaxes, and how to respond to them.
Some confusion about the distinction between a virus and a worm is caused by two distinctly
different criteria:
a virus infects an executable file, while a worm is a stand-alone program.
7

8. a virus requires human action to propagate (e.g., running an infected program, booting from a disk
that has infected boot sectors) even if the human action is inadvertent, while a worm propagates
automatically.
For most viruses or worms, these two different criteria give the same result. However, there have
been a few malicious programs that might be considered a virus by some and a worm by others.
Ultimately, the taxonomy matters only to computer scientists who are doing research with these
malicious programs.
The first computer virus found "in the wild" was written in 1986 in a computer store in Lahore,
Pakistan. In the 1980s, computer viruses were generally spread by passing floppy disks from one
user to another user. In the late 1990s, computer viruses were generally spread via the Internet,
either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an
attachment to e-mail) or in programs downloaded from a website. The distribution of viruses via
the Internet permitted a much more rapid epidemic, so that more computers could be infected in a
shorter time than when floppy disks were used to spread the infection.
The first prosecution under the Federal computer crime statute, 18 USC § 1030, was for a release
of a worm. Robert Tappan Morris, then a graduate student in computer science at Cornell
University, released his worm into the Internet on 2 Nov 1988. The worm rapidly copied itself
and effectively shut down the Internet. Morris was convicted of violating 18 USC §1030 in 1990
and the conviction was upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991), cert. denied, 502
U.S. 817 (1991).
My long discussion of a few famous malicious programs is in a separate essay, emphasizes the
nonexistent or weak punishment of the authors of these programs.
There is a reported case under state law for inserting a logic bomb into custom software. Wisc. v.
Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).
"Justification" for malicious programs
Designing and releasing malicious computer programs is not only unethical, but also unlawful.
However, some people defend the authors of malicious code by offering one or more of the
following justifications:
The malicious code exposes security flaws in operating systems and applications software.
There is no doubt that the publicity surrounding an epidemic of a virus or worm increases
awareness of security flaws. However, this incidental benefit does not justify the more than US$
106 cost to clean the malicious code from more than a thousand infected computers.
Regardless of any benefits to society, a worm or virus is still an unauthorized access of a person's
computer.
A rational and socially acceptable response to discovering a security flaw is to privately notify the
software vendor that issued the flawed software. That vendor can then develop a patch and, when
the patch is ready for public distribution, the vendor can inform system administrators. In that
way, the vulnerability is not publicly disclosed for criminals to exploit before the patch is
available.
Computer viruses and worms have been widely known since 1988. Despite this awareness,
infection reports continue to show that viruses and worms that are more than one year old are
continuing to propagate. This result shows that either computer users are not routinely updating
their anti-virus software to protect against the most recent threats or computer users are
continuing to operate infected machines, which continue to spew viruses and worms via e-mail.
So, even if one accepts the reasoning that malicious code is desirable because it increases
awareness of security issues, the increased awareness is practically ineffective, hence this
"justification" fails.
Worse, the publicity about security vulnerabilities may encourage additional people to release
malicious programs. For example, a number of copycat variants appear soon after a major new
8

9. malicious program is reported in the news media. Such malicious programs, as well as tool kits
for generating new malicious programs, are easily available from many hacker websites. Only
minimal computer skills are required to produce and release a malicious program.
Low pressure in automobile tires causes tire failure, which, in turn, causes automobile accidents.
Would it be reasonable for someone to walk around in the parking lot, letting some air out of tires,
so tires are seriously under inflated, with the justification that the ensuing accidents will call
attention to the problem of under inflated tires? This justification is ludicrous in the context of
automobile tires and it is no better in the context of computer security.
It is the victim's fault if they are infected by a worm or virus that exploits a known security flaw,
for which a patch is available.
It is certainly a good idea to install patches or updates for the software that one uses. However,
failure to install such patches or updates is not an invitation to criminals to attack a victim's
computer.
Prof. Spafford said:
To attempt to blame these individuals [i.e., computer systems administrators] for the success of
the Worm is equivalent to blaming an arson victim because she didn't build her house of fireproof
metal.
Eugene H. Spafford, The Internet Worm Incident, Purdue University Computer Science
Department Technical Report TR-933, at page 15, 19 Sep 1991.
There is no legal obligation in criminal law for a victim to use the latest or best computer
hardware and software. Simply: a victim neither invites nor consents to a crime. However, if a
victim were to sue the author of malicious code in tort, then the victim's alleged negligence would
be a proper legal issue. It is important to distinguish criminal law from torts, which are part of
civil law.
It is ok if the author of the malicious code does not alter or delete any of the victim's data files.
No. The victim is still harmed by the cost of removing the malicious program, the costs of lost
productivity during the removal of the malicious program, possible exposure of confidential
information (e.g., either to a hacker who examines data files via a Trojan Horse program, or a
malicious program that sends a document on the victim's computer to potential future victims),
among other possible harms. Furthermore, the privacy and property rights of the victim have been
violated by the author of malicious code. Any unauthorized access of a computer is, or should be,
criminal, regardless of the perpetrator's intent once inside the computer.
The virus/worm was a laboratory experiment gone awry.
The Internet, including e-mail, is neither a laboratory nor a playground. Scientists, engineers,
professors, businesses, governments, etc. depend on the routine functioning of the Internet for
their work, distributing information, and for other public services. Anyone wishing to play with
viruses or worms should use a quarantined system that is not connected to the Internet.
An "experimenter" must not create a big mess that requires computer system administrators
worldwide to devote much time to remove. In considering the actions of Morris, a graduate
student at Cornell who released his worm into the Internet, a commission of five Cornell
professors said:
This was not a simple act of trespass analogous to wandering through someone's unlocked house
without permission[,] but with no intent to cause damage. A more apt analogy would be the
driving of a golf cart on a rainy day through most houses in a neighborhood. The driver may have
navigated carefully and broken no china, but it should have been obvious to the driver that the
mud on the tires would soil the carpets and that the owners would later have to clean up the mess.
Theodore Eisenberg, David Gries, Juris Hartmanis, et al., The Computer Worm, A Report to the
Provost of Cornell University ..., p. 7 (see also p. 40), Feb 1989. Summary reprinted in
Communications of the ACM, Vol. 32, pp. 706-709, June 1989. Summary also reprinted in Peter
9

10. J. Denning, editor, Computers Under Attack, Addison-Wesley Publishing Co., 1990. The above
quote is on page 258 of Denning's book.
It is self-serving to associate a criminal's actions with the prestige of a scientist who does an
experiment. Scientists follow a professional code of ethics, in addition to behaving in a lawful
way, and avoid harming other people. Scientists work together in a collegial way, with implicit
trust. As pointed out by Eisenberg, et al. in The Computer Worm, pages 7, 25, 41, releasing
malicious code is a violation of trust.
The virus/worm was "accidentally" released.
First, there is no acceptable reason to create malicious software that alters or deletes data files
from the victim's hard disk, releases confidential information from the victim's computer along
with a copy of the virus/worm to potential future victims, attempts to disable anti-virus software
on the victim's computer, or any of the other harms that have been observed in real malicious
programs. There is no rational reason to write a program that one intends never to use.
Second, if one writes such a destructive program, then one must use extraordinary care (i.e., the
same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to
make certain that the program is never released. Society ought to demand that those who release
malicious programs, even if the release is an "accident", be held legally responsible for the
damage caused by their malicious programs.
The author of the virus/worm did not know how rapidly the virus/worm would propagate.
In my companion essay on Examples of Malicious Computer Programs, I explained why this
excuse is bogus.
Although not a common excuse offered by defenders of an author of a malicious computer
program, the author himself often seems to believe that his virus/worm is proof of his
programming ability.
However, careful examination of famous malicious programs that have caused extensive damage
shows that these programs commonly contain many programming errors (so-called "bugs"). Such
bugs often prevent a malicious program from causing more damage; sometimes bugs make a
program worse than its author probably intended. Either way, a program full of bugs is not
evidence of programming skill. And, more importantly, someone who writes malicious programs
is a criminal, not the type of person who an ethical employer would want to hire.
Such specious excuses for authors of malicious code were fairly common from professional
programmers in the 1980s, but are less frequent now. The worm released into the Internet by
Robert Morris in Nov 1988 seems to have jolted most computer professionals into realizing that
ethics and law are essential to the computer profession. Now, specious excuses are mostly offered
by criminals and their attorneys.
3. Harassment & Stalking
In general, the harasser intends to cause emotional distress and has no legitimate purpose to his
communications. Harassment can be as simple as continuing to send e-mail to someone who has
said they want no further contact with the sender. Harassment may also include threats, sexual
remarks, pejorative labels (i.e., hate speech).
A particularly disturbing form of harassment is sending a forged e-mail that appears to be from
the victim and contains racist remarks, or other embarrassing text, that will tarnish the reputation
of the victim.
It is often difficult to get law enforcement personnel and prosecutors interested in harassment,
unless threats of death or serious bodily harm are made, simply because the resources of the
10

11. criminal justice system are strained by "more serious" criminal activities. I put "more serious" in
quotation marks, because the victim of harassment certainly is adversely affected by the
harassment, therefore it is a serious matter to the victim. But the law treats harassment as a
misdemeanor, the group of less serious crimes.
4. Weak Punishment in USA
I have a general concern about the inability of the criminal justice system to either deter criminal
conduct or protect society. This concern is particularly acute in the area of computer crime, where
immense damage is being done to corporations by computer viruses and worms. Public safety is
threatened by criminals who hack into the telephone system and crash 911 services, among other
examples.
There are many theories that justify punishment of criminals. While severe punishment may not
deter criminal conduct, punishment does express the outrage of decent society at criminal
conduct.
One of the earliest reported cases in federal courts in the USA on computer crime was that of
Robert Riggs.
U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990), 743 F.Supp. 556 (N.D.Ill. 1990), aff'd, 967 F.2d
561 (11thCir. 1992).
Riggs was first convicted in 1986 for his unauthorized use of a computer and was sentenced to a
mere 15 days of community service and placed on probation for 18 months. 967 F.2d at 562. In
1990 Riggs was indicted again for making unauthorized access to computers, during which he
stole proprietary information from a telephone company. This time he was sentenced to 21
months in prison, followed by two years of "supervised release" during which time he was
forbidden to either own or use any computer for his personal use. Riggs was allowed to use
computers in his employment, if supervised by someone. This sentence was upheld on appeal. 967
F.2d at 563.
In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts
airport for six hours, which disabled the air-traffic control system and other critical services. This
same hacker also copied patients' records from a computer in a pharmacy on four separate
occasions in January, February, and March 1997. This hacker was the first juvenile to be
prosecuted by the U.S. Government for computer crime. He pled guilty and was placed on
probation for two years, was ordered to provide 250 hours of community service, and forfeited all
of the computer equipment used during his criminal activity.
I have a long discussion of a few famous malicious programs and the legal punishment of their
authors in a separate essay. The point made in that essay is that, out of approximately 61000
malicious programs for the Microsoft Windows operating system, there have been arrests and
convictions of the author(s) of only five malicious programs:
the author of a worm released in 1988,
the author and distributors of the MBDF virus,
the author of the Pathogen virus,
the author of the Melissa virus, and
the author of the Anna worm.
Except for the author of the Pathogen virus, each of these criminals received very light
punishment.
5. Computer Crime Statutes in USA
There are many federal statutes in the USA that can be used to prosecute computer criminals:
15 USC § 1644, prohibiting fraudulent use of credit cards
18 USC § 1029, prohibiting fraudulent acquisition of telecommunications services
11

12. 18 USC § 1030, prohibiting unauthorized access to any computer operated by the U.S.
Government, financial institution insured by the U.S. Government, federally registered securities
dealer, or foreign bank.
18 USC § 1343, prohibiting wire fraud
18 USC § 1361-2, prohibiting malicious mischief
18 USC § 1831, prohibiting stealing of trade secrets
18 USC § 2314, prohibiting interstate transport of stolen, converted, or fraudulently obtained
material; does apply to computer data files U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990).
18 USC § 2319 and 17 USC § 506(a), criminal violations of copyright law
18 USC § 2510-11, prohibiting interception of electronic communications
18 USC § 2701, prohibiting access to communications stored on a computer (i.e., privacy of e-
mail)
47 USC § 223, prohibiting interstate harassing telephone calls
State Statutes in USA
There is wide variation in state statutes on computer crime in the USA: in my opinion, most state
statutes are not adequate to punish computer criminals.
California, Minnesota, and Maine are among the few states to prohibit explicitly release of a
computer virus or other malicious program.
California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8).
Minnesota Statutes, §609.87(12) and §609.88(1)(c).
Maine Statutes, 17-A (Criminal Code), § 433(1)(C).
In states without an explicit statute, release of a malicious program would probably be prosecuted
as "malicious mischief".
California also provides for the forfeiture of computer systems used in the commission of a
computer crime. If the defendant is a minor, the parents' computer system can be forfeited.
California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1)
In November 1996 and July 1997, I made comprehensive searches of the WESTLAW databases
of reported cases in both state and federal courts in the USA on computer crimes. I was surprised
to find that, in sharp contrast to most other areas of law, there was very little reported case law on
computer crimes, except obscenity cases. I have the impression that most computer criminals who
are apprehended plead guilty to a lesser offense (a so-called "plea bargain") and avoid a trial. Plea
bargains are common the U.S.A., as they dispose of cases without large investments of
prosecutorial and judicial time. In the specific area of computer crimes, prosecuting such a case
would be difficult for prosecutors, because the jury would need to learn about complex technical
matters. In addition to making life easier for prosecutors and judges, many victims (particularly
banks and other corporations) may be embarrassed to admit that some teenager defeated their
security features, thus these victims refuse to testify in court.
6. Sue in tort
12

13. In addition to any criminal penalties, victim(s) of computer crimes can sue the perpetrator in tort.
For example, unauthorized use of a computer system could be "trespass on chattels". A computer
voyeur might also be sued in tort for invasion of privacy or disclosure of a trade secret. A harasser
might be sued in tort for intentional infliction of emotional distress. There is also the possibility of
a class action by corporate and personal victims against a person who wrote and initially released
a computer virus.
The downside of such tort litigation is that the perpetrators are generally young people (often
between 12 and 25 years of age) and have little assets that could be seized immediately to satisfy
a judgment. On the other hand, judgments in the USA are generally valid for 20 years, so future
income of the wrongdoer can be used to satisfy the judgment. Moreover, the publicity
surrounding such a trial might impress potential hackers with the seriousness of such wrongful
conduct and deter other potential hackers. In addition, such trials might express the outrage of
society at the behavior of hackers.
Defendants between 7 and 14 y of age may be sued in tort, but their duty of care is generally less
than an adult's duty. There is one exception, when children engage in an adult activity (e.g., fly an
airplane), the law imposes an adult's duty of care on the child. Restatement (Second) Torts, §
283A, comment c (1965). In my opinion, there are good reasons why computer programming
(e.g., design of a virus) or hacking qualifies as an "adult activity". However, there appear to be no
reported court cases in the USA that have decided this issue.
There is another remedy in civil law, besides damages awarded in tort litigation: a victim can get
a temporary restraining order (TRO), then an injunction, that enjoins continuance of wrongs (e.g.,
disclosure of proprietary or private data) that will cause irreparable harm or for which there is no
adequate remedy at law.
Journalists
One of the functions of the criminal justice system is to deter crime by other people. Journalists
play an important role in this deterrence by reporting on the crime (and how people were harmed),
arrest, trial, and sentence of the guilty criminals. One hopes that people contemplating computer
crimes will read these reports by journalists, and say to themselves: "I should not write a
computer virus, because I don't want to be put in prison like David Lee Smith," the author of the
Melissa virus.
However, reports of computer crime by journalists are less than satisfactory:
Journalists often glorify or praise the criminal suspect, by admiring his programming "talent", or
even calling him a "genius".
In the 1980s, most hackers committed fraud to get a username and password for a computer
account, and then logged on to the computer without proper authorization, and browsed through
files, copying some, deleting or altering others. Such work does not require any knowledge of
computer programming, just a rudimentary knowledge of a few operating system commands.
Since 2000, authors of malicious programs use resources readily available on the Internet to create
a "new" computer virus or worm, or launch a denial of service attack. Again, such activities do
not demonstrate a high level of proficiency in computer programming.
It is an anti-social act for journalists to praise the exploits of hackers: hackers are criminals who
deserve scorn and ostracism. And when hackers are publicly praised as geniuses, the wrong
message is sent to serious students in computer science who behave ethically and who are ignored
by journalists, despite the fact that the students are both smarter and more ethical than hackers.
I have noticed that many online newspapers:
devote considerable space to reporting the crime when it happens,
13

14. describe the arrest of the criminal suspect in detail,
but the trial of the suspect receives less attention from journalists,
and the verdict and sentence often go unreported in the media.
If punishment is to have a deterrent effect on other people, then the coverage of the trial, verdict,
and sentence must be increased.
Aside from my main point about deterrence of future crimes, by reporting of sentencing and
punishment of computer criminals, there is another issue. The widespread reporting of the crime
and the arrest of a suspect tarnishes the name of the suspect, by linking the crime and the suspect's
name in people's minds. However, the suspect might later be found not guilty of the crime. The
lack of reporting of the trial and its outcome provides no opportunity for an innocent suspect to
rehabilitate his good name.
Part of the problem is that many journalists who write about computer crime are themselves
computer-illiterate. (Their ignorance shows in the technical mistakes made in their articles.)
From the perspective of a computer-illiterate journalist, the work of a computer criminal may
indeed be incomprehensible. Arthur C. Clarke said anything sufficiently advanced appears as
magic. That may be, but it is unprofessional for journalists to write on subjects that they do not
personally understand. News media hire journalists who understand economics and finance to
report business news, and journalists who understand sports to report on sports, so why can't the
news media hire journalists who understand computers to report on computer crime?
Conclusion
The fundamental issue in most computer crime is the criminals' lack of respect for the property or
privacy of other people. I hope that society will recognize the seriousness of computer crime and
demand more severe punishment for such criminals.
this document is at http://www.rbs2.com/ccrime.htm
My last search for case law on computer crime was in July 1997.
21 June 1999, revised 4 Sep 2002
My essay Tips for Avoiding Computer Crime, which essay includes links to websites on computer
viruses, computer crime, and related topics, plus a list of good books on computer crime.
My discussion of a few famous malicious programs and the nonexistent or lenient punishment of
their authors are contained in my separate essay.
return to my homepage
14