COURSE OUTLINE AND SYLLABUS (Spring 2008):

Cybercrime, Cyberterrorism, and
Digital Law Enforcement:


NYLS CRI150 (Spring 2008)

Professor K. A. Taipale

<cybercrime.advancedstudies.org>

New technologies do not determine human fates,
rather, they alter the spectrum of possibilities within which people act.

(McClintock and Taipale, 1992)

The emergence of modern information-based societies in which the exercise of economic, political, and social power increasingly depends on the opportunities to access, manipulate, and use information and information infrastructure has created opportunities for new crimes and new threats to civil society and global security, as well as for new law enforcement and national security responses.

This course explores how a "networked" world has bred new crimes and new responses, and investigates how information and communication technology (ICT) has become a tool, a target, and a place of criminal activity and national security threats, as well as a mechanism of response. This course addresses such questions as how emerging technologies challenge existing laws and criminal procedures; how nation-states regulate criminal conduct across traditional geographic and political boundaries; what reasonable expectations of privacy are in cyberspace; and how control is shifting from traditional mechanisms of law enforcement to new regulatory regimes, including technology.

The subtext of this course is how the emergence of advanced information societies challenges certain prevailing social and philosophical constructs of criminal justice, social control and individual freedom. (See Subtext below).

Specific topics covered include the information environment as crime scene; computer use in traditional crimes like financial fraud, drug trafficking, extortion, securities fraud, and political terrorism; hacking and unauthorized access; identity theft and online fraud; electronic interception, search and seizure, and surveillance; cyberterror; "hactivism"; censorship and free speech; economic espionage; and information warfare.

The required texts for this course are:

David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109).

Jack Balkin, et al. eds., CYBERCRIME: Digital Cops in a Networked World (NYU Press 2007) (ISBN:0814799833).


Registered Students login to NYLS LexisNexis Web Course
for updated Assignments.


All original material on this page is copyright the Center for Advanced Studies in Science and Technology Policy © 2003-2008. Permission is granted to reproduce this material in whole or in part for non-commercial purposes, provided it is with proper citation and attribution.


 

Course Outline

  1. Overview, What is Cybercrime?
  2. Computer Intrusions and Attacks
  3. Computer Viruses, Time Bombs, Trojans, Malicious Code
  4. Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime
  5. Online Vice: Gambling; Pornography; Child Exploitation
  6. International Aspects and Jurisdiction
  7. Infrastructure and Information Security; Risk Management
  8. Investigating Cybercrime: Digital Evidence and Computer Forensics
  9. Interception, Search and Seizure, and Surveillance
  10. CALEA, VoIP: A Case Study
  11. PAPER RESEARCH
  12. Information Warfare, Cyberterrorism, and Hacktivism
  13. Terrorism, Radicalization, and The War of Ideas
  14. Trade Secret Theft and Economic Espionage
  15. National Security
  16. PAPERS DUE
  17. USEFUL LINKS FOR DEFINING TECHNICAL TERMS
  18. COURSE SUBTEXT AND OPTIONAL BACKGROUND MATERIAL

 


 

I.      Overview, What is Cybercrime?

 

Cybercrime (cf. computer crime, electronic crime, information crime, virtual crime) is a term used broadly to describe criminal activity in which computers or computer networks are a tool, a target, or a place of criminal activity. These categories are not exclusive and many activities can be characterized as falling in one or more categories.

Additionally, although the term cybercrime is more properly restricted to describing criminal activity in which the computer or network is a necessary part of the crime, the term is also sometimes used to include traditional crimes in which computers or networks are used to facilitate the illicit activity, or where a computer or network contains stored evidence of a traditional crime.

Examples of cybercrime in which the computer or network is a tool of the criminal activity include "spamming" (see, e.g., Thomas Claburn, "Americans Ingested Too Much Holiday E-Mail Spam, Survey Finds," InformationWeek, Dec. 10, 2007) and certain intellectual property and criminal copyright crimes ("IP piracy") (see, e.g., "Microsoft Protects Consumers From Global Online Marketplace Fraud," Dec. 10, 2007), particularly those facilitated through peer-to-peer networks (see, e.g., Anne Broache, "Anti-P2P college bill advances in House," CNET News, Nov. 15, 2007).

Examples of cybercrime in which the computer or network is a target of criminal activity include unauthorized access (sometimes referred to as "computer trespass," "hacking," or "cracking") (see, e.g., Grant Gross, "Former FBI, CIA Employee Pleads Guilty to Computer Crime" IDG News Service, Nov. 13, 2007), malicious code ("malware") (see, e.g., William Jackson, "Malware outmaneuvers security," Dec. 9, 2007), and denial-of-service ("DoS" and "DDoS") attacks. (See, e.g., "FBI Arrests Bot Masters As Cyber Crime Worsens" InformationWeek, Nov. 29, 2007). Attacks on critical infrastructure (cf., CIP), including telecommunications networks and industrial control systems (SCADA), may result in significant real-world damage, implicating cyberterrorism and national security issues. (See, e.g., Michael Crawford, "Utility hack led to security overhaul," ComputerWorld, Feb. 16, 2006).

Examples of cybercrime in which the computer or network is a place of criminal activity include theft of service, in particular, telecom fraud (e.g., "phreaking") and certain financial frauds involving electronic transfers (e.g., "salami slicing"). An emerging area is "virtual crime," particularly in online gaming or immersive social network sites where avatars and virtual goods are subject to attack or theft (see, e.g., David Talbot, "The Fleecing of the Avatars," MIT Tech Review, Jan/Feb 2008, available in Course Documents).

Finally, examples of traditional crimes facilitated through the use of computers or networks include Nigerian 419 or other gullibility frauds (e.g., "phishing"), identity theft, child pornography, online gambling, securities fraud, etc. Cyberstalking is an example of a traditional crime -- harassment or stalking -- that has taken a new form when facilitated through computer networks. (See, e.g., Betsy Taylor, "Missouri prosecutor: Law doesn't allow for charges in MySpace teen suicide case," Associated Press, Dec. 3, 2007, and Scott Glover and P.J. Huffstutter, "L.A. grand jury issues subpoenas in Web suicide case." LA Times, Jan. 9 2008). Additionally, computers or networks have been used to lure victims of assault, robbery or muggings (see, e.g., "Teens charged in Craigslist robbery ring," LA Times/Newsday, Jan. 11, 2008, and "Reno Man Used Craigslist To Lure Boys," Associated Press, Nov. 11, 2007).

Additionally, certain other information crimes, including trade secret theft and economic espionage, are sometimes considered cybercrimes when computers or networks are involved. (See, e.g., Alorie Gilbert, "Former software chief admits stealing trade secrets," CNET News, Dec. 9, 2005).

Cybercrime in the context of national security may involve hacktivism (online activity intended to influence policy), traditional espionage, or information warfare and related activities. (See GISP Program on Information and Warfare). (See, e.g., Wolfgang Hansson, "Report: Cybercrime a Threat to National Security," Daily Tech, Dec. 1, 2007).

Another way to define cybercrime is simply as criminal activity involving the information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.

Unique Characteristics of Cybercrime.

The global reach of the Internet, the low marginal cost of online activity, and the relative anonymity of users have changed the balance of forces that have previously served to keep in check certain undesirable behaviors in the physical world. These characteristics of "cyberspace" have lowered the cost of perpetrating undesirable behavior by eliminating certain barriers to entry, lowering transaction costs, and reducing the probability of getting caught. (See Daniel E. Geer, "The Physics of Digital Law" in Cybercrime, Jack Balkin, et al. eds., NYU Press 2007).

Together, these characteristics make traditional law enforcement strategies, particularly strategies based on identifying and apprehending perpetrators after they commit online crime, both less effective and more expensive.

At the same time, however, other characteristics of cyberspace provide new opportunities to control illegal acts. Unlike in the physical world, in cyberspace certain readily identifiable third parties – Internet service providers, telecommunication providers, and victims themselves – have exclusive or shared technical control over the infrastructure through which most illegal online behavior is carried out. These characteristics provide new opportunities for innovative policy approaches to controlling undesirable behavior, including the use of technical architecture as a regulatory mechanism, the use of novel authorization and surveillance regimes to prevent or deter undesirable activity, and the use of data and activity logging to enhance persistence and recoverability of evidence, among others. (See, e.g., references in "OPTIONAL READING RE REGULATORY MECHANISMS," below).

These responses in turn raise new philosophical, social, and Constitutional concerns (or challenge accepted constructs) regarding the relationship between individual and the state, including issues relating to civil liberties, privacy, freedom, and collective security. (See Digital Law Enforcement). (See also, Subtext below).

Cyber-attacks and attackers.

Cyber-attacks can be malicious or accidental; can involve attacks by other nation states, organized groups, or individuals; and can be motivated by monetary gain, ill-will, political interests, or curiosity. Cyber-attacks can be directed at governments, firms, or individuals. Cyber-attacks can involve the theft or destruction of information; the theft of services or financial assets; or the destruction of hardware or software infrastructure. Cyber-attacks can result in financial loss, business or service interruption, or infrastructure destruction. Cyber-attacks can be aimed directly at disrupting business or government services or can be launched in conjunction with physical attacks in order to magnify effects or prevent effective response. Cyber-attacks for monetary gain or ill-will are generally considered cybercrime; attacks for political interests can be considered hacktivism (if in the nature of political protest) or cyberterrorism (if intended to disrupt or destroy infrastructure or control mechanisms). Cyber-attacks by (or in some cases against) nation states are generally considered a form of information warfare.

Developing effective law enforcement or national security policies, laws, and practices to deal with emerging cyber threats while still protecting traditional civil liberties values as well as technology innovation opportunities is a national priority. (See GISP Program on Law Enforcement and National Security in the Information Age "PLENSIA").

Cybercrime Law.

Another way to think about cybercrime is to distinguish the applicable substantive law, procedural law, and jurisdictional law, and to distinguish between reactive, preemptive, and preventative strategies.

There are two kinds of substantive cybercrime law: computer misuse (covered in parts II and III below) and traditional crime (covered in part IV and V). Computer misuse crimes generally involve either exceeding the user's privileges (hacking) or denying others their privileges (malware, DoS, etc.). Traditional crimes are those like fraud, threats, harassment, gambling, pornography, etc. that have a physical world analog but are facilitated through the use of a computer (parts IV and V).

Procedural cybercrime law also has two distinct aspects (part VIII and IX): search and seizure law under the Fourth Amendment, and statutory privacy law. In general, the former -- Fourth Amendment jurisprudence -- governs the retrieval of evidence from individual computers while the latter -- statutory privacy laws -- governs the surveillance of networks or third party computers.

Jurisdictional law is complicated in computer crime because activity can take place in multiple jurisdictions complicating both prosecution and investigation/evidence gathering (part VI and VIII). Further, the global nature of the information infrastructure blurs the previously clear demarcation between reactive law enforcement policies and preemptive national security strategies (and their respective legal regimes) (parts IX, XII, XIII, XIV, and XV).

Additionally, because victims themselves, or third parties (like ISPs), control much of the infrastructure in or through which cybercrime takes place, preventative strategies are sometimes in tension with traditional law enforcement approaches (part VII).

Cybercrime can also take on a political dimension, for example, when it is used as a form of warfare between nation states (or against sub-state enemies) or when it is used by individuals or groups as a form of political activism (hacktivism) (part XII).

 

REQUIRED READING:

* Course Introduction and Part I, Overview, What is Cybercrime? (above).

* Course Subtext (below).

* Michael Edmund O'Neill, Old Crimes in New Bottles: Sanctioning Cybercrime, 9 Geo. Mason L. Rev 237-288 (2000) (available in Course Documents).

* Daniel E. Geer, "The Physics of Digital Law" pp. 13-36 in Cybercrime, (Jack Balkin, et al. eds., NYU Press 2007).

Congressional Research Service, Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress (CRS Reports RL 32114, updated Jan. 29, 2008) (download PDF) ("Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure.")

Also, skim the PLENSIA Program Overview, Program on Law Enforcement and National Security in the Information Age, World Policy Institute (2004).

And, familiarize yourself with the Useful Links for Defining Technical Terms (below).

 

OPTIONAL READING RE REGULATORY MECHANISMS:

Lawrence Lessig, CODE AND OTHER LAWS OF CYBERSPACE, Chapter 7, pp. 85-99 (Basic Books 1999) (ISBN:0465039138) (discussing law, social norms, the market, and architecture as things that regulate).

Neal Kumar Katyal, Architecture as Crime Control, 111 Yale L.J. 1039, 1047 (2002).

Neal Kumar Katyal, Digital Architecture as Crime Control, 112 Yale L.J. 2261  (2003).

K. A. Taipale, Internet and Computer Crime: System Architecture as Crime Control, Center for Advanced Studies (Feb. 2003). Available at SSRN: http://ssrn.com/abstract=706161.

Lee Tien, Architectural Regulation and the Evolution of Social Norms pp. 37-58 in Cybercrime (Jack Balkin, et al. eds., NYU Press 2007).

Orin Kerr, Virtual Crime, Virtual Deterrence: A Skeptical View of Self-Help, Architecture, and Civil Liability, 1 J.L. Econ. & Pol'y 197 (Winter 2005).

Susan W. Brenner and Leo L. Clark, Distributed Security: A New Model of Law Enforcement, J. Marshall J. Computer & Info. L. (2005). Available at SSRN: http://ssrn.com/abstract=845085.

 

OTHER BACKGROUND TEXTS:

Orin S. Kerr, COMPUTER CRIME LAW: AMERICAN CASEBOOK SERIES (2006) (ISBN:0314144005).

Ralph D. Clifford, CYBERCRIME: THE INVESTIGATION, PROSECUTION AND DEFENSE OF A COMPUTER-RELATED CRIME (Second Edition 2006) (ISBN:0890897239).

Samuel C. McQuade, III, UNDERSTANDING AND MANAGING CYBERCRIME (2006) (ISBN:020543973X).

Peter Stephenson, INVESTIGATING COMPUTER RELATED CRIME (2000) (ISBN:0849322189).

Joel McNamara, SECRETS OF COMPUTER ESPIONAGE: TACTICS AND COUNTERMEASURES (2003) (ISBN:0764537105).

 

OPTIONAL BACKGROUND READING ON SOCIAL CONSTRUCTION OF LAW:

The Stanford Encyclopedia of Philosophy, entry on "Legal Positivism."

Wikipedia, entry on "Legal Positivism."

See also references in COURSE SUBTEXT, infra.

 

 


 

II.     Computer Intrusions and Attacks

 

PONDERABLES:

What is "computer trespass"? Compare "unauthorized access" with "exceeding scope of authorized access." Explore the relationship between acceptable use policies ("AUP"), terms of service ("TOS"), and criminal law. What are the limits of a "computer crime"? Understand self-help strategies, honeypots, and strike-back mechanisms. When does use of a publicly-accessible system amount to an intrusion or attack? When does denying service by overwhelming system resources ("DoS" and "DDoS") do so?

 

REQUIRED READING:

CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):

Chapter 2, Computer Intrusions and Attack, pp. 9-53 (CA v. Lawton ["hardware" v. "software"]; WA v. Olson [authorization not conditioned on AUP]; NM v. Rowell [is use of modern phone system to commit fraud a "computer crime"?]; NY v. Versaggi ["alter program" v. "alter function"]; NY v. Angeles [locks]; Ebay v. Bidder's Edge [exceed conditional access]).

US Department of Justice, CCIPS, Federal Computer Intrusion Laws.

National Conference of State Legislatures, State Computer Hacking and Unauthorized Access Laws

 

FEDERAL STATUTES:

18 U.S.C. § 1029. Fraud and related activity in connection with access devices.

COMPUTER FRAUD AND ABUSE ACT
18 U.S.C. § 1030. Fraud and related activity in connection with computers.

CAN-SPAM ACT
18 U.S.C. § 1037. Fraud and related activity in connection with electronic mail.

 

PROPOSED AMENDMENTS TO COMPUTER FRAUD AND ABUSE ACT (10/22/2007):

Cyber-Crime Act of 2007 (S. 2213) (THOMAS) (Would amend Sec. 1030 to add "conspiracy"; change damage threshold from $5,000 to "damage affecting 10 or more protected computers during any one-year period"; and add "cyber extortion").

 

STATE LAWS:

National Conference of State Legislatures, State Computer Hacking and Unauthorized Access Laws 

 

ADDITIONAL READING:

Hacking:

"Romanian man indicted for hacking into U.S. government computers," Associated Press (Dec. 1, 2006) ("A Romanian man has been indicted on charges of hacking into more than 150 U.S. government computers, causing disruptions that cost NASA, the Energy Department and the Navy nearly $1.5 million (euro1.1 million). ... The U.S. government alleged Faur was the leader of a hacking group called 'WhiteHat Team,' whose main goal was to break into U.S. government computers because they are some of the securest machines in the world. ... After the hacking, scientists and engineers had to manually communicate with spacecraft and the computer systems had to be rebuilt.")

 

Hacking for Grades:

Gregg Keizer, "Grand Jury Indicts Former Students in Grades-For-Cash Hack," PC World (Nov. 5, 2007) ("Two former Fresno State students were charged ... with hacking into the university's computer network as part of a grade-changing scheme. [They were charged] with multiple counts of conspiracy, wire fraud, identity theft and unauthorized computer access [and] face up to 20 years in prison and fines of up to US$250,000 if convicted.")

Angeline J. Taylor, "Grade-tampering probes rare for federal investigators here," Tallahassee Democrat (Nov. 29, 2007) ("The U.S. Attorney's Office considers the grade-tampering case at Florida A&M University an investigation that could involve computer hacking, spokesman Alan Sprowls said. That's what's elevated it to a federal case.")

 

Hacking for harassment ("swatting"):

Robert McMillan, "Couple Swarmed by SWAT Team After 911 'Hack'," PC World (Oct. 17, 2007).

Kevin Poulsen, "Guilty Plea: Phone Phreaks Use Caller-ID Spoofing to Get Foes Raided By SWAT," WIRED (Nov. 15, 2007)

"Computer Intrusions, Swatters Plead Guilty," Tech News (Dec. 10, 2007) ("Swatting refers to falsely reporting an emergency to a police department to cause a Special Weapons and Tactics (SWAT) response to a physical address, or making a false report to elicit an emergency response by other first responders to a specific physical address").

 

Hacking for Harassment (is this hacking, online fraud, or using a false identity?):

Betsy Taylor, "Missouri prosecutor: Law doesn't allow for charges in MySpace teen suicide case," Associated Press, Dec. 3, 2007.

Scott Glover and P.J. Huffstutter, "L.A. grand jury issues subpoenas in Web suicide case." LA Times, Jan. 9 2008 ("A federal grand jury ... has begun issuing subpoenas in the case of a Missouri teenager who hanged herself after being rejected by the person she thought was a 16-year-old boy she met on MySpace. ... The case set off a national furor when it was revealed that the "boyfriend" was really a neighbor who was the mother of one of the girl's former friends. Local and federal authorities in Missouri looked into the circumstances ... [b]ut after months of investigation, no charges were filed against [the neighbor] for her alleged role in the hoax. Prosecutors in Missouri said they were unable to find a statute under which to pursue a criminal case. Prosecutors in the U.S. attorney's office in Los Angeles [where MySpace is HQed], however, are exploring the possibility of charging [her] with defrauding the MySpace social networking website by allegedly creating the false account ... prosecutors are looking at federal wire fraud and cyber fraud statutes as they consider the case.")

Betsy Taylor, "Task force drafts online harassment law," Associated Press (Jan. 08, 2008) ("Adults who use the Internet or other media to harass children could be charged with a felony if Missouri lawmakers agree with a proposal made today by a special state task force.")

Linda Deutsch, "Woman indicted in Missouri MySpace suicide case," Washington Post (May 15, 2008) ("Lori Drew, 49, of suburban St. Louis, who allegedly helped create a MySpace account in the name of someone who didn't exist to convince Megan Meier she was chatting with a 16-year-old boy named Josh Evans, was charged with conspiracy and fraudulently gaining access to someone else's computer.")

Anick Jesdanun, "Routine Web conduct at risk due to MySpace suicide case," USA Today (May 17, 2008) ("Federal prosecutors turned to a novel interpretation of computer hacking law to indict a Missouri mother on charges connected to the suicide of a 13-year-old MySpace user. Prosecutors alleged that by helping create a MySpace account in the name of someone who didn't exist, Lori Drew, 49, violated the News Corp.-owned site's terms of service and thus illegally accessed protected computers.")

"Woman pleads not guilty in MySpace suicide case," CNN.com (Jun. 16, 2008) ("A Missouri woman has pleaded not guilty in Los Angeles federal court to charges in an Internet hoax blamed for a 13-year-old girl's suicide. ... She pleaded not guilty to charges of conspiracy and accessing protected computers without authorization to get information used to inflict emotional distress.")

 

Malicious Hacking:

Jordan Robertson, "Hackers attack epilepsy forum," USA Today (May 7, 2008) ("But in a rare example of an attack apparently motivated by malice rather than money, hackers recently bombarded the Epilepsy Foundation's website with hundreds of pictures and links to pages with rapidly flashing images.")

 

Vandalism:

"Comcast.net site is hacked briefly," Associated Press (May 29, 2008).

Kevin Poulsen, "Comcast Hijackers Say They Warned the Company First," WIRED (May 29, 2008) (interview with the hackers).

David Kravets, "FBI Agents Hunt for Comcast Hijackers," WIRED (May 30, 2008).

 

URL hacking:

Philip Greenspun's Weblog: "Business schools redefine hacking to 'stuff that a 7-year-old could do'" (Mar. 8, 2005).

Lisa Trei, "Business school hopefuls who tried to gain access to application files rejected," Stanford Report (Apr. 13, 2005).

Michele Dellio, "Rooting Around Site With Intent?" WIRED News (Oct. 30, 2002).

Here is how the Reuters/Intentia "hack" was done. [LINK]

Declan McCullagh, "Rival behind Schwarzenegger Web flap," CNET News.com (Sep. 12, 2006).

 

WiFi Mooching:

Eric Bangeman, "Florida man charged with felony for wardriving," Ars Technica (Jul. 7, 2005).

"Man Arrested for Hopping on to Home Wi-Fi Network," Networked World (Jul. 8, 2005).

Declan McCullagh, "FAQ: Wi-Fi Mooching and the Law," CNET News.com (Jul. 8, 2005).

Eric Bangeman, "Illinois WiFi freeloader fined US$250," Ars Technica (Mar. 23, 2006).

Peter Griffiths, "Two cautioned over wireless 'piggy-backing'," Reuters (Apr. 18, 2007) ("Two people have been arrested and cautioned for using someone else's wireless Internet connection without permission, known as "piggy-backing", British police said on Wednesday.")

See also, "Open Wireless Defense", below.

 

DoS/DDoS:

Caroline McCarthy, "Florida man charged in botnet attack on Akamai," N.Y. Times (Oct. 24, 2006).

Tom Espiner, "U.K. outlaws denial-of-service attacks," CNET News (Nov. 10, 2006).

DOI (denial of insight):

Clint Boulton, "Denial-of-Insight Lurks For Search Engines, Users," Internet News (Nov. 10, 2006).

 [UR-Soros]

 

Hacking/Extortion:

Sharon Gaudin, "Man Sentenced to 110 Years for Hacking and Extortion," NY Times (Dec. , 2007) ("A ... man last week was sentenced to 110 years in prison after admitting that he ... hacked into computers used by young girls and used illicitly gained data to blackmail them.")

 

Trends (see also Trends in section III, below):

Jabulani Leffall, "Top 10 Internet Security Trends for 2007," Redmond Mag (Nov. 16, 2007).

Andy Patrizio, "Cyber Crime Grows More Dangerous And Sophisticated," InternetNews.com (Nov. 29, 2007)

Tom Espiner, "Cracking open the cybercrime economy," ZDnet.co.uk (Dec. 14, 2007) ("There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cyber-economy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.").

CSI/FBI Computer Crime Survey (2007) (download here).

 

OPTIONAL READING:

Orin S. Kerr, Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (Nov. 2003).

 


 

III.     Computer Viruses, Time Bombs, Trojans, Malicious Code

 

PONDERABLES:

Putting the "mal" in malware. What is "malicious" (cf. "inadvertent harm," "knock-on effects," "collateral damage")? What are "damages" from intrusions? When is "bad software" malicious (can negligence = malicious)?

Professionalization and the online market for malware.

 

REQUIRED READING:

CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):

Chapter 3, Computer Viruses, Time Bombs, Trojans, and Malicious Code, pp. 55-96 (US v. Morris (intended function test); Werner v. Lewis (contract); State v. Corcoran ("delete"); North Texas Imaging ("intent not means of transmission"); Mahru v. CA (own computer and "criminal" cannot turn on breach of contract (?)); Shaw v. Toshiba (distribution of bad software)).

 

ADDITIONAL CASES:

Shurgard Storage Centers v. Safeguard Self Storage, 119 F. Supp. 1121 (WD Wash. 2000) ("agency theory")

Fugarino v. State of Georgia, 531 S.E.2d 187 (Ga. Ct. App. 2000) ("spite"/motive)

Briggs v. State of Maryland, 704 A.2d 904 (Md. 1998) (malicious password protecting; sys admin is auth; conduct over motive).

EF Cultural Travel v. Explorica, 274 F.3d 577 (1st Cir. 2001) (wholesale, "reeks of abuse"; confidentiality agreement)

AOL v. LCGM, 46 F. Supp. 2d 444 (ED Va. 1998) (TOS)

Register.com v. Verio, 126 F. Supp. 2d 238 (SDNY 2000) (because P objects, D's use of robots was without authorization!)

 

STATUTES:

18 U.S.C. § 1029. Fraud and related activity in connection with access devices.

COMPUTER FRAUD AND ABUSE ACT
18 U.S.C. § 1030. Fraud and related activity in connection with computers.

CAN-SPAM ACT
18 U.S.C. § 1037. Fraud and related activity in connection with electronic mail.

18 U.S.C. § 875. EXTORTION and THREATS. Interstate communications.

 

PROPOSED AMENDMENTS TO COMPUTER FRAUD AND ABUSE ACT (10/22/2007):

Cyber-Crime Act of 2007 (S. 2213) (THOMAS) (Would amend Sec. 1030 to add "conspiracy"; change damage threshold from $5,000 to "damage affecting 10 or more protected computers during any one-year period"; and add "cyber extortion").

 

ADDITIONAL CASES:

NEWBERGER v. Florida, 641 So.2d 419 (1994) (what is "modifying").

US v. SABLAN, 92 F.3d 865 (1995) (relationship of "mens rea" to "damages," and how are damages calculated).

US v. MIDDLETON, 231 F.3d 1207 (2000) (Factual Background, pp. 1208-09, Part B. Damages, p. 1213, and Part C. Sufficiency of Evidence, pp. 1213-14).

 

ADDITIONAL READING:

Symantec, "Internet Security Threat Report," Vol. XII (Sept. 2007).

 

Trends: "Professionalization" and the online market for malware:

Elise Ackerman, "Hackers' infections slither onto Web sites: ONLINE SECURITY EXPERTS ISSUE WARNINGS ABOUT ORGANIZED INTERNET CRIME EFFORTS," Mercury News/SiliconValley.com (Jan. 3, 2007) ("Computer security experts said 2006 was also the year that hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer developers and software sellers").

Brad Stone, "A Lively Market, Legal and Not, for Software Bugs," NY Times (Jan. 30, 2007) ("software vulnerabilities — as with stolen credit-card numbers and spammable e-mail addresses — carry real financial value. They are commonly bought, sold and traded online, both by legitimate security companies, which say they are providing a service, and by nefarious hackers and thieves.").

Erik Larkin, "An Inside Look at Internet Attackers' Black Markets," PC World (Aug. 13, 2007) ("Today's underground sites use surprisingly well-developed business practices to hawk viruses, stolen data, and attack services.").

"Symantec Reports Cyber Criminals Are Becoming Increasingly Professional," FindLaw (Sep. 17, 2007) ("[report] concludes that cyber criminals are increasingly becoming more professional – even commercial – in the development, distribution and use of malicious code and services. While cybercrime continues to be driven by financial gain, cyber criminals are now utilizing more professional attack methods, tools and strategies to conduct malicious activity.").

White Paper: "The Online Shadow Economy: A Billion Dollar Market For Malware Authors," MessageLabs (Oct. 2007) (download PDF) ("In an online black market worth more than $105 billion, malware authors can produce new, unique threats targeting businesses and employees every 45 seconds. This ... white paper examines the growth of this online shadow economy. It explores the high level of sophistication with which it operates, the continuous improvement of its techniques and looks at what the future holds for Internet crime.").

Tom Espiner, "Cracking open the cybercrime economy," ZDnet.co.uk (Dec. 14, 2007) ("There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cyber-economy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.").

Brian Krebs, "Cyber Crime 2.0: In 2007, Online Fraud Got More Targeted and Sophisticated," Washington Post (Dec. 20, 2007) ("The year 2007 may go down in the annals of Internet crime as the year when organized cyber criminals finally got serious about their marketing strategies -- crafting cyber schemes that were significantly more sophisticated and stealthy. ... With more computer users than ever guarding their systems with anti-virus, firewall and other security software, Internet criminals have concentrated their efforts on tricking users into opening "backdoors" into their own systems ...[by] ... convincing users to view malicious video or audio content on a Web site that takes advantage of security holes in the user's Web browser or media player, flaws which in turn give criminals the access they need to install software to control the user's machine remotely.").

Jonathan Richards, "Number of computer viruses tops one million," Times Online (Apr. 10, 2008) ("The number of computer viruses in circulation has reached one million for the first time, according to a report by a leading security firm.") (Also: "China ... emerged as the new base of the Russian Business Network (RBN), a shadowy organisation which specialises in the distribution of malicious code, but which virtually disappeared in November last year after a campaign by police and other investigators, the report suggested. The RBN has been credited with devising approximately half of the phishing scams conducted worldwide last year.")

 

Vectors:

Tom Espiner, "Wikipedia used to spread malicious code," CNET News (Nov. 6, 2006)

Robert McMillan, "Google accidentally sends out Kama Sutra worm," InfoWorld (Nov. 8, 2006).

Robert McMillan, "Storm Trojan floods e-mail boxes," InfoWorld (Jan. 19, 2007) ("Malicious Trojan horse software claiming to provide information on topics like the deadly storms that have battered Europe this week has infected thousands of computers over the past 24 hours. ... These e-mails appear to have been particularly effective because they offer information on a topic that is of intense public interest in Europe right now.")

"Cyber criminals move focus to web: Cyber criminals will increasingly turn their attention to the web and away from e-mail security in 2007," BBC News (Jan. 23, 2007) ("The internet now represents the easiest way for cyber criminals to gain entry to corporate networks, as more users are accessing unregulated sites, downloading applications and streaming audio/video. ... They are also subtly changing tactics - instead of sending so-called spyware-infected e-mails, they are sending e-mails linking to websites which contain a malicious downloader [Trojan].")

Hijacked Websites:

Dan Goodin, "Mass web infection leaves researcher scratching her head," Channel Register (Jan. 11, 2008) ("... hundreds of websites that are generating an enormous amount of traffic ... sites are spreading malware ... [these] sites themselves are hosting the malware, which is then foisted on visitors. Most of the time attackers are unable to gain such a high degree of control over the sites they hack, so they redirect end users to servers under the control of bad guys and use them to drop malicious payloads.").

"Poisoned websites attack visitors," BBC News (Jan. 17, 2008) ("Thousands of small web shops have been unwittingly poisoned with malicious code that infects PC users who visit.").

Robert McMillan, "The Web is Dangerous, Google Warns: The search site's bots find that 1 in 1000 Web pages is infected with malicious drive-by download software," PC World (Feb. 16, 2008) ("In the past year the Web sites of Al Gore's "An Inconvenient Truth" movie and the Miami Dolphins were hacked, and the MySpace profile of Alicia Keys was used to attack visitors. Criminals ... have built very successful automated tools that poke and prod Web sites, looking for programming errors and then exploit these flaws to install the drive-by download software. Often this code opens an invisible iFrame page on the victim's browser that redirects it to a malicious Web server. That server then tries to install code on the victim's PC.")

Hardware Devices:

Robert Lemos, "Malware hitches a ride on digital devices," The Register (Jan. 11, 2008) ("... add digital picture frames to the group of consumer products that could carry computer viruses and Trojan horse programs. ... underscore that the proliferation of electronic devices with onboard memory means that consumers have to increasingly be aware of the danger of unwanted code hitching a ride.").

"Electronic gadgets latest sources of computer viruses," CNN.com News (Mar. 13, 2008) ("From iPods to navigation systems, some of today's hottest gadgets are landing on store shelves with some unwanted extras from the factory: pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.")

Socially Engineered - Video CODEC scammers ("Download this video"):

Kelly O'Connell, "INTERNET LAW - Benazir Bhutto Assassination Websites Used to Spread Computer Viruses," IBLS (Jan. 9, 2008) ("Many websites apparently meant to mourn Pakistani Prime Minister Benazir Bhutto's murder by assassin were really designed to help spread malware for fraud and other nefarious purposes.").

John Leyden, "Scumbag malware authors exploit Virginia Tech tragedy," The Register (Apr. 19, 2007) ("Pond-dwelling virus writers have crafted a malware attack that poses as camera phone footage of the shootings at Virginia Tech University that claimed 32 lives on Monday.").

"Beware Hurricane Katrina Scams," ask.com (2007) ("Hoaxes, Phishing Attacks, Malware and Other Threats In The Wake Of Katrina").

Linda Rosencrance, "FBI warns of online scams associated with tsunami disaster," ComputerWorld (Jan. 6, 2005) ("One 'relief' site can infect a visitor's computer with a virus").

"Fake media file snares PC users," BBC News (May 8, 2008) ("The fake file poses as a music track, short video or movie and has been widely seeded on file-sharing networks to snare victims.")

 

Extortion/Ransomware:

"Hackers Attack UK Student's Web Site," Associated Press (Jan. 18, 2006).

Jon Schwartz, "Cybercrooks hold PC data captive," USA Today (Dec. 18, 2006) ("In the latest online scam ["ransomware"], cybercrooks are breaking into the PCs of small businesses and individuals, locking up data and demanding money in return for freeing it").

Linda Deutsch, NY youths in plea deal in MySpace case, Associated Press/USA Today (Feb. 27, 2007) ("Two New York men accused of trying to extort $150,000 from MySpace.com by developing code that tracked visitors pleaded no contest Monday to illegal computer access in a bargain with the prosecution. Two counts of attempted extortion and another illegal computer access count were dropped in the deal, which gave the defendants three years probation. Each had faced up to nearly four years in prison.")

Sarah Langbein, "Man sentenced to 110 years for extorting naked photos of Florida girls," Orlando Sentinel (Nov. 30, 2007) ("A 33-year-old ... man was sentenced today in federal court to 110 years in prison for hacking into [teenage girls' MySpace pages] extorting naked photos from them.")

"CIA: Hackers demanding cash disrupted power utilities overseas," MIT Technology Review (Jan. 18, 2008) ("Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference.")

 

Spam:

"Man Convicted Under Antispam Law," Bloomberg News (Jan. 16, 2007) ("A ... man who defrauded users of AOL by sending e-mail messages requesting credit data became the first defendant found guilty by a jury under [the Can-Spam Act] a 2003 federal law barring Internet "spam." ... The statute prohibits sending unsolicited e-mail messages with falsified header, or return address, information. ... [He] operated a so-called phishing scheme that duped AOL subscribers into providing personal and credit information in the belief they were dealing with the company’s billing department. He used the credit card information to make unauthorized purchases.")

Gregg Keizer, "Spam Volume Jumps 35% In November," Information Week (Dec. 21, 2006) ("The volume of spam surged in November to an average of 85 billion messages a day during two periods ... and the month saw spam tactics that reduced the efficiency of traditional anti-spam filters").

Jeremy Kirk, "US Indicts 11 Over Pump-and-Dump Stock Spam," IDG News Service (Jan. 4, 2008) ("Eleven people, including one of the top spammers in the world, were indicted on Thursday for allegedly sending millions of unsolicited e-mails intended to inflate the price of Chinese penny stocks.")

Larry O'Dell, "Va. court upholds spammer's conviction," USA Today (Feb. 29, 2008) ("A divided Virginia Supreme Court affirmed the nation's first felony conviction for illegal spamming on Friday, ruling that Virginia's anti-spamming law does not violate free-speech rights.")

 

Botnets:

Ryan Naraine, "'Pump-and-Dump' Spam Surge Linked to Russian Bot Herders," eWEEK.com (Nov. 16, 2006) ("The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers. ... the gang functions with a level of sophistication rarely seen in the hacking underworld.")

John Markoff, "Attack of the Zombie Computers Is a Growing Threat, Experts Say," NY Times (Jan. , 2007) ("These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft.")

Joris Evers, Dutch botnet hackers sentenced to time served, CNET News (Jan. 31, 2007) ("... for commandeering millions of computers last year with a Trojan ... used the hijacked systems in a network, popularly called a botnet, to steal credit card numbers and other personal data, and to blackmail online businesses by threatening to take down their Web sites.")

US DOJ Press Release, "Over 1 Million Potential Victims of Botnet Cyber Crime," (Jun. 13, 2007).

Ray Lilley, NZealand Arrests Top Cyber Suspect, Associated Press (Nov. 29, 2007) ("[p]olice detained ... suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said. ... The case is part of an international crackdown on hackers who ... assume control of thousands of computers and amass them into centrally controlled clusters known as botnets [and] then use the computers to steal credit card information, manipulate stock trades and even crash industry computers.")

Jonathan Richards, "Number of computer viruses tops one million," Times Online (Apr. 10, 2008) ("... the Russian Business Network (RBN), a shadowy organisation which specialises in the distribution of malicious code [and which controls the Storm Botnet], but which virtually disappeared in November last year after a campaign by police and other investigators, ... . The RBN has been credited with devising approximately half of the phishing scams conducted worldwide last year.") For more on the Russian Business Network, see http://rbnexploit.blogspot.com/.

 

Logic Bomb:

"Prosecutors: New Jersey worker put data-wrecking 'bomb' in computers of drug company," AP (Dec. 19, 2006) ("A computer administrator angry about possibly losing his job planted an electronic ''[logic] bomb'' in the systems of one of the nation's largest prescription drug management companies, prosecutors said Tuesday.")

Associated Press, "Man gets 8 years for computer sabotage," SiliconValley.com (Dec. 13, 2006) ("A former UBS ... systems administrator was sentenced ... to eight years ... for attempting to profit by detonating a "logic bomb" program that ... caused millions of dollars in damage to the brokerage's computer network ... . ... [he] was angry ... because he expected an annual bonus of $50,000 but got $32,500 ... [he] ultimately lost $23,000 he invested in a stock market bet against UBS because the ploy failed to reduce the company's share price. ... [The day the logic bomb was to go off, he] went to a broker and bought ... "put options" for UBS stock, ... . ... the right to sell shares for a fixed per-share price, so the lower a stock falls the more valuable the option becomes.")

"U.S. man gets record sentence for computer sabotage," Reuters (Jan. 8, 2008) ("A computer systems administrator was sentenced to 30 months in prison on Tuesday for trying to sabotage his company's servers out of fear he was about to lose his job, prosecutors said.")

 

Rootkits:

Matt Hines, "Rootkits, Smarter Hackers Pose Growing Security Threats," eWeek.com (Apr. 17, 2006).

Dan Goodin, "Excuse me sir: there's a rootkit in your master boot record," Channel Register (Jan. 9, 2008) ("The rootkit modifies a PC's master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result: the rootkit is running even before Windows loads. ... that allows it to persist even after removal ... can even survive reinstallation of the operating system [and, because it] lurks deep within the hard drive, well below the operating system, most antivirus programs don't detect the malware.")

"Warning on stealthy Windows virus," BBC.com (Jan. 11, 2008) ("Security experts are warning about a stealthy Windows virus [dubbed "Mebroot"] that steals login details for online bank accounts. ... Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code. ... the virus [a type known as a rootkit] is dangerous because it buries itself deep inside Windows to avoid detection.  ...  Once installed, the virus ... usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information. ...  Mebroot ... uses its hidden position ... so it can re-install these associated programs [keyloggers, etc.] if they are deleted by anti-virus software.  Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect [Mebroot's] presence [and it] cannot be removed while a computer is running.").

 

OPTIONAL READING

Michael Lee, et al., Electronic Commerce, Hackers, and the Search for Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L. J. 839 (1999).

Note, "Immunizing the Internet, or: How I Learned To Stop Worrying and Love the Worm," 119 Harvard L. Rev. (Jun. 2006).

 


 

IV.     Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime

 

PONDERABLES:

Distinguish fraud from computer fraud.

Explore how existing practices in identity management lead to identity theft and other frauds. Understand the relationship between identity(ies), identification, identification systems, authentication, and security. Examine the "trusted system" paradigm.

Distinguish data loss as cybercrime from data loss on a lost or stolen laptop.

Drawing the line between "sharing" and "piracy" in intellectual property crime. Old paradigm, commercial gain; new paradigm, commercial harm?

When is a "virtual" crime a "real" crime?

 

REQUIRED READING:

CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):

Chapter 7, Online Fraud, pp. 231-282 (NY v. Lipsitz; PA v. Murgallis; MI v. Jemison; Virgin Atlantic consent order; US v. Mullins; CA v. Gentry; SEC v. Cherif), and

Chapter 9, Identity Theft, pp. 335-344 (KS v. Vargas; WI v. Ramirez).

United States v. LaMacchia, 871 F.Supp. 535 (D. Ma. 1994) (distribution for free of pirated software neither "wire fraud" nor "criminal copyright infringement").

 

STATUTES:

IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT of 1998
18 U.S.C. § 1028. Fraud and related activity in connection with identification documents, authentication features, and information.

18 U.S.C. § 1343. Fraud by wire, radio, or television.

NO ELECTRONIC THEFT ("NET") ACT
17 U.S.C. § 506. Criminal Offenses.

DIGITAL MILLENNIUM COPYRIGHT ACT ("DMCA")
17 U.S.C. § 1201. Circumvention of copyright protection systems.

 

ADDITIONAL CASES:

Universal City Studios v. Corley, 273 F.3d 429 (2nd. Cir. 2001).

 

GOVERNMENT RESOURCES:

U.S. Department of State, International Financial Scams – Internet Dating, Inheritance, Work Permits, Overpayment, and Money-Laundering (PDF; 655 KB) ("provides full detailed descriptions of the often sophisticated scams reported to U.S. Embassies and Consulates abroad, and includes samples of email messages and offers that have been sent to potential victims. As illustrated by the brochure, the perpetrators often prey on potential victims’ goodwill by fabricating increasingly complicated but believable scenarios.")

US DOJ, "Identity Theft and Identity Fraud," US Dept. of Justice.

 

ADDITIONAL READING:

Overview Fraud/Theft/Response:

Ryan Blitstein, "Part I: How online crooks put us all at risk: INTERNET FRAUD EPIDEMIC COSTING BILLIONS OF DOLLARS," Mercury News (Nov. 9, 2007) ("During the past few years, a professional class bent on stealthy online fraud has transformed Internet crime, rendering obsolete the hobbyist hackers who sought fun and fame.").

Ryan Blitstein, "Part II: How well are we protecting ourselves?," Mercury News (Nov. 12, 2007) ("... highlights a crisis within America's elaborate system of sensitive data: Internet users, businesses and guardians of information alike are doing a terrible job of self-protection.")

Ryan Blitstein, "Part III: U.S. targets terrorists as online thieves run amok," Mercury News (Nov. 13, 2007) ("Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention and determination to combat the cyberthreat").

Ryan Blitstein, "Online crooks often escape prosecution: JUSTICE DEPARTMENT DECLINES NEARLY THREE OF FOUR CASES," Mercury News (Nov. 18, 2007) ("Even as online crime has mushroomed in the past few years into a multibillion-dollar problem, federal prosecution of Internet crooks nationwide has not kept pace, a Mercury News analysis shows. In nearly three of four cases, federal prosecutors are choosing not to pursue the computer-fraud allegations that investigators bring them. And whether a case is prosecuted appears to vary widely, depending upon where the crime is committed or who the victims happen to be.")

 

Fraud and Identity Theft:

"Consumers Lose $8 Billion to Online Fraud," consumeraffairs.com (Aug. 8, 2006)

Byron Acohido and Jon Swartz, Cybercrime flourishes in online hacker forums, USA Today (Oct. 11, 2006).

"Online brokerage account scams worry SEC," CNET News (Reuters) (Oct. 13, 2006).

Floyd Norris, "S.E.C. Says Russian Trader Used Stolen Online Passwords," N.Y. Times (Dec. 20, 2006) ("A Russian trader ... found a simpler way to pump and dump stocks. The ... the trader ... used the Internet to steal passwords of account holders at online brokerage firms. ... [He] would buy, through his own account, shares in a thinly traded company. Immediately after that, he would use the accounts of victims to buy large quantities of the stock, driving up the price. He would then sell his shares into that demand.")

Will Knight, "One in 10 snared by fake 'phishing' messages," New Scientist News Service (Oct. 20, 2006) ("One in 10 internet users may be lured into handing over sensitive personal information such as a credit card number, by fraudulent "phishing" emails, research suggests").

Ellen Nakashima, "Hackers Zero in on Online Stock Accounts," Wash. Post A:01 (Oct. 24, 2006). ("'Although these schemes cleverly combine aspects of securities fraud, identity theft and hacking, what they really boil down to is outright thievery,' said John Reed Stark, chief of the Internet enforcement office at the Securities and Exchange Commission.")

Tom Zeller, Jr., "3 Americans Arrested by F.B.I. in Identity Thefts," N.Y. Times (November 3, 2006) ("The proliferation and sale of stolen consumer data on the international black market, particularly through online forums, has been a nagging problem for law enforcement, given the restrictions in national legal systems.")

Brian Krebs, "FBI Tightens Net Around Identity Theft Operations," Wash. Post (Nov. 3, 2006) ("The FBI is cracking down on an international identity theft operation that involves the trading of social security numbers; the sale of stolen credit card account information ["carding"]; and phishing, the practice of using e-mail to trick consumers into handing over personal information").

Ellen Nakashima, "Hack, Pump, and Dump", Washington Post (Jan. 26, 2007) ("... a wave of techno-criminals who meld computer hacking with identity theft to create nightmares for legitimate investors ... hacked into four online trading accounts of unsuspecting investors, selling off their holdings in higher-valued companies to purchase shares [in penny stocks in which they owned shares, when the stock prices went up they dumped their shares] ... The SEC is not saying how [the] ring obtained the user names and passwords on the investors' accounts. Typically, authorities said, hackers use keystroke monitoring software placed on a public computer, or they purchase personal data, such as stolen Social Security and credit card numbers, from criminal enterprises.")

Dawn Kawamoto, "FBI warns of twist in extortion phishing scam," CNET News (Jan. 12, 2007) ("FBI officials are warning users of a new phishing scam that plays off a recent round of bogus extortion threats.")

Enid Burns, Consumers Open One in Six Phishing Messages, ClickZ Stats (Feb. 5, 2007) ("As many as 59 million phishing e-mail messages are sent each day, and up to 10 million of those may be opened by consumers. A study released by Iconix finds one in four phishing messages are opened. Divided into eight categories, spoofed or phished messages had open rates ranging from 1 in 4 to 1 in 10. Fake social-network-related messages maintained 24.9 percent open rates. Other categories, including as e-cards (17.1 percent); payment (16.2 percent); financial (15.5 percent); auction (14.7 percent); information (12.9 percent); retail (12.1 percent); and dating (9.5 percent), had lower open rates.")

Bob Sullivan, "THE BIGGEST DATA DISASTER EVER," Red Tape Chronicles MSNBC (Nov. 30, 2007) ("It's being called the worst data leak of the information age. Earlier this month, U.K. officials had to admit they'd lost computer disks containing personal information on almost half the country's population, including nearly all families with children. If that's not bad enough, the databases included the worst kind of information to lose -- consumer bank account numbers.")

Grant Gross, "Colombian man pleads guilty to computer fraud," InfoWorld (Jan. 10, 2008) ("... man pleaded guilty ... [to] ... identity theft scheme in which he installed keylogging software on hotel business center computers and Internet lounges in order to steal passwords, account data, and other personal information").

 

Cybercrime or property theft?

Robert McMillan, "Nashville laptop theft may cost $1 million: With Social Security numbers at risk, county officials offer registered voters in Tennessee county a year of free identity theft protection at the cost $10 per account," InfoWorld (Jan. 14, 2008) ("County officials say that thieves broke into Davidson County Election Commission offices on the weekend before Christmas, smashing a window with a rock and then making off with a $3,000 router, a digital camera, and a pair of Dell Latitude laptops containing names and Social Security numbers of all 337,000 registered voters in the county.")

 

Terrorist funding through Internet fraud:

Brian Krebs, "Terrorism's Hook Into Your Inbox: U.K. Case Shows Link Between Online Fraud and Jihadist Networks," Washington Post (Jul. 5, 2007) ("Much has been written about how radical Islamic groups use the Internet to distribute propaganda and recruit members. The British investigation, however, revealed a significant link between Islamic terrorist groups and cyber-crime, and experts say security officials must do more to understand and confront cyber-crime as part of any overall strategy for combating terrorism.")

 

TJ Maxx (Business Model Case Study):

Jenn Abelson, "TJX breach snares over 200,000 cards in region," Boston Globe (Jan. 25, 2007).

Sharon Gaudin, "T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate," Information Week (Aug. 15, 2007).

Ross Kerber, "Visa clashes with retailers over standards for credit card safety," Boston Globe (Oct. 4, 2007) ("... the National Retail Federation ... yesterday called on credit card [issuers] to change procedures under which [retailers] store some data, which they said creates many of the vulnerabilities").

Mark Jewell, "TJX, Visa reach $40.9M settlement for data breach," USA Today (Nov. 30, 2007).

Press Release, "The TJX Companies, Inc. Reports Third Quarter FY08 Results," TJX Companies, Inc. (Nov. 13, 2007) (See footnote 2 to Consolidated Financial Statements: "Thus for the nine months ended October 27, 2007, net income includes after-tax charges of $130 million ($216 million pre-tax), or $0.28 per share, for costs related to the Computer Intrusion.")

 

Fraud used to lure victims for physical robbery (is this cybercrime?):

Newsday, "Teens charged in Craigslist robbery ring," L.A. Times (Jan. 11, 2008) ("The gang placed fake ads ... offering cheap Porsches to lure cash-carrying victims ... Investigators ... used information from Craigslist and the digital trail left by [the ringleader] to trace the ad postings ... .")

 

Advertising on Craigslist for Hitman (Is this cybercrime?):

Aaron C. Davis, "FBI: Woman Sought Hit Man on Craigslist," Washington Post (AP) (Jan. 25, 2008) ("A woman advertised on the popular Internet site Craigslist for an assassin to kill the wife of a man with whom she'd had an affair ... It's not the first alleged crime ever solicited over the popular online bulletin board. There have been instances of ads posted by prostitutes and a Minnesota woman was killed last year after responding to an ad for a baby sitter. However, authorities and company officials say the murder-for-hire scheme appears to be the first of its kind.")

 

Robots harvest data for fraud:

Ina Fried, "Warning sounded over 'flirting robots'," CNet News (Dec. 7, 2007) ("A program that can mimic online flirtation and then extract personal information from its unsuspecting conversation partners is making the rounds in Russian chat forums ... The ... automated chats is good enough that victims have a tough time distinguishing the "bot" from a real potential suitor, ... "As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," ... Among CyberLover's creepy features is its ability to offer a range of different profiles from "romantic lover" to "sexual predator." It can also lead victims to a "personal" Web site, which could be used to deliver malware").

 

Money Laundering:

Brian Krebs, "'Money Mules' Help Haul Cyber Criminals' Loot," Washington Post (Jan 25, 2008) ("... the victim of a "money mule" scam, in which criminals make use of [sometimes unsuspecting] third parties ... to launder stolen funds. Mule recruitment is an integral part of many cyber crime operations because money transferred directly from a victim to an account controlled by criminals is easily traced by banks and law enforcement. The mules ... serve as a vital buffer, making it easier for criminals to hide their tracks.")

 

Intellectual Property Crime:

US DOJ, Computer Crime & Intellectual Property Section, "Prosecuting Intellectual Property Crimes" (Third Edition Sep. 2006).

Wendy Davis, "Proposed Law Stiffens Penalties For Piracy," Online Media Daily (Dec. 10, 2007).

Greg Sandoval, "Jury hands feds first guilty verdict for Web music piracy," CNet News (May 23, 2008) ("For the first time ever, the federal government has successfully won a jury verdict against someone accused of illegally downloading music ... [The] jury ... found [defendant] guilty of conspiracy to commit criminal copyright infringement ... [He] faces up to five years in prison, a fine of $250,000 and must make full restitution ...").

 

Virtual Crime:

F. Gregory Lastowka and Dan Hunter, Virtual Crimes, 49 N.Y.L. Sch. L. Rev. 293 (2004/2005).

Will Knight, "Computer characters mugged in virtual crime spree," New Scientist (Aug. 18, 2005) ("A man has been arrested in Japan on suspicion of carrying out a virtual mugging spree by using software "bots" to beat up and rob characters in the online computer game Lineage II. The stolen virtual possessions were then exchanged for real cash.").

Regina Lynn, "Virtual Rape Is Traumatic, but Is It a Crime?" Wired (May 4, 2007) ("Last month, two Belgian publications reported that the Brussels police have begun an investigation into a citizen's allegations of rape -- in Second Life.").

Alan Sipress, "Does Virtual Reality Need a Sheriff? Reach of Law Enforcement Is Tested When Online Fantasy Games Turn Sordid," Washington Post (June 2, 2007).

"'Virtual theft' leads to arrest," BBC News (Nov. 14, 2007) ("A Dutch teenager has been arrested for allegedly stealing virtual furniture from "rooms" in Habbo Hotel, a 3D social networking website").

Stephen Strauss, "Virtual crime and punishment vs. free thought," CBC.ca Analysis and Viewpoint (Dec. 27, 2007).

Anita Ramasastry, "Are Virtual-World Bank Robbery, Pickpocketing, and Runs on Banks Covered by Real-World Laws?," FindLaw.com (Dec. 31, 2007)

David Talbot, "The Fleecing of the Avatars," MIT Tech Review, Jan/Feb 2008. (available in Course Documents) ("Recent fraud allegations are ominous for those who see virtual worlds as future centers of e-commerce").

David Talbot, "Second Life Closes Banks: After months of scandals, virtual banks get an eviction notice," MIT Tech Review (Jan. 10, 2008) ("For months, as banking meltdowns in the virtual world Second Life cost participants steep losses of real money, corporate owner Linden Lab of San Francisco stuck to a laissez-faire line, essentially saying, We just host the software; residents should avoid deals that sound too good to be true. But this week, Linden Lab abruptly banned virtual banks that can't furnish "proof of an applicable government registration statement or financial institution charter." The requirement appears likely to shut down all of Second Life's banks.")

Alana Semuels, "Virtual bank's Second Life scheme raises real concerns," LA Times (Jan. 22, 2008).

See also, VIRTUAL CHILD EXPLOITATION, below.

 

OPTIONAL READING IDENTITY THEFT:

Lynn M. LoPucki, Did Privacy Cause Identity Theft? 54 Hastings L. J. 1277 (2003).

K. A. Taipale, Presentation: Science and Technology: Identity Theft: Policy Implications at The Heritage Foundation, Washington, DC, Nov. 2, 2005. [presentation slides] (arguing that privacy and existing business models enable identity theft).

K. A. Taipale, Presentation: Technical and Policy Challenges: Implications for Evolving Business Models at the 16th Annual Economic Crimes Institute Conference, Tysons Corner, VA, Oct. 24, 2005. [presentation slides] (suggesting use of identity registrars to mitigate identity theft).

K. A. Taipale, Technology, Security and Privacy: The Fear of Frankenstein, the Mythology of Privacy, and the Lessons of King Ludd, 7 Yale J. L. & Tech. 123, 154-162; 9 Intl. J. Comm. L. & Pol'y 8 (Dec. 2004) (excerpt pp. 154-162):

A. TECHNOLOGIES OF IDENTIFICATION

Identification technologies or systems serve to authenticate data attribution – that is, they provide confidence that a particular piece of data (an attribute) or collection of data (an identity) correlates with a specified entity (an individual or other object).147

Authentication generally serves as the first step in one or both of two kinds of security applications or strategies – authorization and/or accountability.148 Authorization (or permission) is the process of deciding what an identified individual is permitted (or not permitted) to do within a system (including whether they are allowed access in the first place). ... . Accountability, on the other hand, is the process of associating a consequence to the individual for any actions that they may take within the system, for example, by recording identifying information prior to entry into a system, or by monitoring, recording or logging activity within the system, to allow for subsequent tracking or sanction. Both authorization and accountability serve to ensure that rules governing behavior within a system are obeyed.149

***

In any identification system, there are generally three forms of authentication that can occur:

• Entity authentication is the process of establishing confidence that an identifier, for example, a name, number or symbol, refers to a specific entity (an individual, place or thing),151

• Identity authentication is the process of establishing confidence that an identifier refers to an identity (a collection of data related to an entity),152 and

• Attribute authentication is the process of establishing confidence that an attribute (a property associated with an entity, for example, a physical descriptor or a role, etc.) applies to a specific entity.153

***

Identity verification can be achieved through tokens (something you have), passwords (something you know), or a data match (something you are).159 The highest level of confidence combines all three, for example, a token (ID card), requiring a password (PIN), and that contains a data match (for example, a biometric identifier).160

Confidence in identification depends not only on the technologies of identification but on the integrity of the process of enrollment (the issuing and maintaining of tokens, passwords and the data to be matched), as well as the process of verification (confirming or verifying identity).161

***

Authentication (that is, identification) in a security system is only the first step and does not provide security against a particular threat on its own. After identity is authenticated it must be used for some security purpose – either by authorizing the individual to do or not do something,165 or by logging or tracking identifying data in some fashion to provide for later accountability. Thus, any identification system is only as good as the watch list or other criteria against which the authenticated identity is compared for authorization166 or the deterrent effectiveness of the sanction for accountability.167

1. IDENTIFICATION SYSTEMS AND SECURITY

Identification based security is always somewhat vulnerable because of what is known as the trusted systems problem.168 With few exceptions, “secure” systems need to be penetrated – under authorized circumstances by trusted people.169 Unfortunately, there is inherently no way to prove trust, the best that any identification system can do is confirm not-yet-proven-untrustworthy status, i.e. confirm that a particular individual is not on a watch list for example.170

***

Therefore, any system of identification needs to be part of a larger security system that recognizes, and compensates for, this problem. So, for example, a system for screening passengers ... should be combined with random searching of non-flagged passengers to provide layered security.172

Another general problem in security systems is balancing security with usability or functionality.173 Authentication imposes friction or overhead on a system and can interfere with its usefulness [and reduce degrees of freedom].

***

 


 

V.      Online Vice: Gambling; Pornography; Child Exploitation

 

PONDERABLES:

The global reach of the Internet makes direct enforcement of local "morality" laws difficult, often leading to control strategies premised on sanctioning secondary enabling activity or third parties, in particular financial intermediaries and internet service providers.

In addition, the lack of "physicality" challenges regulatory regimes based on isolating undesirable activity to certain geographically determined areas (Las Vegas/Atlantic City, red-light/porn districts) and determining tolerance by reference to local community standards.

Easy, anonymous access to pornography, like-minded deviants, and victims has resulted in increased child exploitation activity.

Can online vice be regulated? How?

 

GAMBLING

WIRE WAGER ACT 18 U.S.C. §1084:

(a) Whoever being engaged in the business of betting or wagering knowingly uses a wire communication facility for the transmission in interstate or foreign commerce of bets or wagers or information assisting in the placing of bets or wagers on any sporting event or contest, or for the transmission of a wire communication which entitles the recipient to receive money or credit as a result of bets or wagers, or for information assisting in the placing of bets or wagers, shall be fined under this title or imprisoned not more than two years, or both.

 

UNLAWFUL INTERNET GAMBLING ENFORCEMENT ACT OF 2006

(enacted as Title VIII of the Security and Accountability For Every Port Act of 2006 or SAFE Port Act, Pub. L. 109-347): 

31 USC §5363 (§802 of the SAFE Act). Prohibition on acceptance of any financial instrument for unlawful Internet gambling.

No person engaged in the business of betting or wagering may knowingly accept, in connection with the participation of another person in unlawful Internet gambling--

(1) credit, or the proceeds of credit, extended to or on behalf of such other person (including credit extended through the use of a credit card);

(2) an electronic fund transfer, or funds transmitted by or through a money transmitting business, or the proceeds of an electronic fund transfer or money transmitting service, from or on behalf of such other person;

(3) any check, draft, or similar instrument which is drawn by or on behalf of such other person and is drawn on or payable at or through any financial institution; or

(4) the proceeds of any other form of financial transaction, as the Secretary and the Board of Governors of the Federal Reserve System may jointly prescribe by regulation, which involves a financial institution as a payor or financial intermediary on behalf of or for the benefit of such other person.

 

AIDING AND ABETTING 18 U.S.C. §2(a):

Whoever commits an offense against the United States or aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal.

 

ANALYSIS/DISCUSSION OF LEGISLATION:

Unlawful Internet Gambling Funding Prohibition Act and The Internet Gambling Licensing and Regulation Commission Act (First Session On H.R. 21 And H.R. 1223), Hearing Before The Subcommittee On Crime, Terrorism, and Homeland Security of the Committee on the Judiciary, U.S. House of Representatives, 108th Congress (Apr. 29, 2003).

Nelson Rose, Professor of Law, Whittier Law School, Costa Mesa, CA “The Unlawful Internet Gambling Enforcement Act of 2006 Analyzed” (2006).

Congressional Research Service, “Internet Gambling: Two Approaches in the 109th Congress,” RS22418 (Oct. 2, 2006).

 

PENDING LEGISLATION (2007-2008)

H.R. 2140: Internet Gambling Study Act ("To provide for a study by the National Academy of Sciences to identify the proper response of the United States to the growth of Internet gambling.").

H.R. 2046: Internet Gambling Regulation and Enforcement Act of 2007 ("To amend title 31, United States Code, to provide for the licensing of Internet gambling facilities by the Director of the Financial Crimes Enforcement Network, and for other purposes.").

H.R. 2607: Internet Gambling Regulation and Tax Enforcement Act of 2007 ("To amend the Internal Revenue Code of 1986 to regulate internet gambling.").

 

CASES:

US v. COHEN, 260 F.3d 68 (2001) (operator of an Antigua-based sports betting website convicted under Wire Wager Act, 18 U.S.C. 1084).

NEWS:

Jacob Sullum, Abetting Betting: Is Talking about Online Gambling Illegal? Reason Online (Apr. 9, 2004) ("[DOJ sent] a letter to media trade groups warning that their members could be breaking the law by accepting ads for gambling sites. ... a grand jury in St. Louis that is issuing subpoenas to companies that do business with the online gambling industry.").

AP, "Internet Gambling Execs Arrested: Founders Of Online Payment Processing Company Neteller Charged With Laundering Billions Of Dollars," CBSnews.com (Jan. 16, 2007) ("[They] were charged in connection with the creation and operation of an Internet payment services company that facilitated the transfer of billions of dollars of illegal gambling proceeds from U.S. citizens to the owners of overseas Internet gambling companies. ... the company acknowledged when it went public that U.S. law prohibits people from promoting certain forms of gambling, including Internet gambling, and transmitting funds that are known to have been derived from criminal activity ... [and] conceded in the company's offering documents that they were risking prosecution by the U.S. government.").

Andrew Sorkin, "Gambling Subpoenas On Wall St.," NY Times (Jan. 22, 2007) ("The Justice Department has issued subpoenas to at least four Wall Street investment banks as part of a widening investigation into the multibillion-dollar online gambling industry .... The subpoenas were issued to firms that had underwritten the initial public offerings of some of the most popular online gambling sites that operate abroad.").

Roy Mark, "Antigua Takes Upper Gambling Hand Over U.S.," InternetNews.com (Jan. 26, 2007) ("... Antigua has won its latest long-shot effort to force the U.S. to open its market to offshore gambling, according to a confidential report issued by the World Trade Organization (WTO).").

K.C. Jones, "U.S. Reps Urge Legislative Solutions To Online Gaming Dispute," Information Week (Nov. 19, 2007) ("Earlier this year, the WTO ruled that the U.S. had violated trade rules by barring Antiguan online gaming operators from the U.S. market. Then, the U.S. withdrew its WTO obligations with regard to free trade in the gaming area. Now, Europe and other countries can demand trade concessions up to the size of the entire sector on an annual basis.").

Lorraine Woellert, "WTO Online-Gambling Edict Prompts U.S. Resistance," Bloomberg News (Dec. 17, 2007) ("The U.S. refusal to comply with a World Trade Organization decision on online gambling is threatening to undermine the entire set of rules binding the international trade system.").

"EU and U.S. make deal in WTO Internet gambling dispute," International Herald Tribune (Bloomberg News) (Dec. 17, 2007) ("The European Union and the United States agreed Monday on terms to compensate the Union for the loss of trade stemming from Washington's refusal to lift restrictions on Internet gambling.").

Jonathan Lynn, "Antigua wins modest sanctions in U.S. gambling case," Reuters (Dec. 21, 2007) ("GENEVA (Reuters) - Antigua and Barbuda won compensation from the United States on Friday in a long-running trade dispute about gambling, but the amount was far lower than the tiny Caribbean nation had been seeking.").

"U.S. arrests 8 in online sports betting operation," Reuters (Jan. 7, 2008).

Cindy Skrzycki, "Internet Gaming Rules Face Long Odds," Washington Post (Mar. 8, 2008) ("It's not easy making rules for a U.S. law intended to deter illegal Internet gambling by choking off the flow of funds to offshore sites. That's because no one seems to agree on what the law covers.")

William Triplett, "Antigua threatens to allow piracy," Variety (Mar. 18, 2008) ("The government of Antigua is likely to abrogate intellectual property treaties with the U.S. by the end of March and authorize wholesale copying of American movies, music and other "soft targets" if the Bush administration fails to respond to proposals for settling a trade dispute between the two countries, according to the lawyer representing the Caribbean island nation.").

 

PORNOGRAPHY

 

To a large extent, the legal tension between online "pornography" legislation and Constitutional challenges in court cases turns on whether there is (or the court imagines?) a viable technical "less restrictive alternative." Note that "when plaintiffs challenge a content-based speech restriction, the Government has the burden to prove that the proposed alternatives will not be as effective as the challenged statute." Ashcroft v. ACLU, 542 U.S. 656 (2004). Query: How does one decide yesterday's cases based on presumptions about tomorrow's technology?

CASES:

Ginsberg v. New York (1968) ("sale to minors"); F.C.C. v. Pacifica Foundation (1978) ("broadcast exception"); Renton v. Playtime Theaters, Inc. (1986) ("zoning").

MILLER v. CALIFORNIA, 413 U.S. 15 (1973) (Miller Test - community standards; "lacks serious literary, artistic, political, or scientific value").

NEW YORK v. FERBER, 458 U.S. 747 (1982) (child pornography can be banned even if it doesn't meet Miller test for obscene).

RENO v. ACLU, 521 U.S. 844 (1997) (see First Amendment Center resources) (Communications Decency Act of 1996 unconstitutional because it was not narrowly tailored to serve a compelling governmental interest and because less restrictive alternatives were available).

ASHCROFT v. FREE SPEECH COALITION, 535 U.S. 234 (2002) (LII) ("By prohibiting child pornography that does not depict an actual child ["virtual porn"], the statute goes beyond [Ferber], which distinguishes child pornography from other sexually explicit speech because of the State's interest in protecting the children exploited by the production process.").

ASHCROFT v. ACLU, 542 U.S. 656 (2004) (LII) (upholding injunction preventing enforcement of the Child Online Protection Act (COPA), 47 U.S.C. §231, which, among other things, imposes a $50,000 fine and 6 months in prison for the knowing posting, for “commercial purposes,” of World Wide Web content that is “harmful to minors,” but provides an affirmative defense to commercial Web speakers who restrict access to prohibited materials by “requiring use of a credit card” or “any other reasonable measures that are feasible under available technology,” §231(c)(1). ... "respondents propose that blocking and filtering software is a less restrictive alternative, and the Government had not shown it would be likely to disprove that contention at trial. Filters impose selective restrictions on speech at the receiving end, not universal restrictions at the source.").

U.S. v. AMERICAN LIBRARY ASSOC., 539 U.S. 194 (2003) (LII) (upholding Children’s Internet Protection Act (CIPA), which forbids public libraries to receive federal assistance for Internet access unless they install software to block obscene or pornographic images and to prevent minors from accessing material harmful to them).

 

FIRST AMENDMENT, U.S. CONSTITUTION (BILL OF RIGHTS):

"Congress shall make no law ... abridging the freedom of speech, or of the press ..."

 

STATUTES:

Communications Decency Act of 1996 (Title V of the Telecommunications Act of 1996).

Child Online Protection Act (COPA) of 1998 (47 U.S.C. 231). (Cf. Children's Online Privacy Protection Act of 1998 (COPPA) 16 USC 6501-6506).

Children's Internet Protection Act (CIPA) of 2000, Pub. L. No. 106-551, Div. B., Tit. XVII, 114 Stat. 2763A-335 (2000).

Child Protection and Obscenity Enforcement Act of 1988 (Pub. L. 100–690, title VII, subtitle N (§7501 et seq.), Nov. 18, 1988, 102 Stat. 4485, 18 U.S.C. § 2251 et seq.) (enforced through "2257 Regs" guidelines, 28 CFR 75).

 

NEWS ARTICLES:

Brian Krebs, Substitute Teacher Faces Jail Time Over Spyware, Security Fix: Brian Krebs on Computer Security, washingtonpost.com (Jan. 25, 2007) ("A ... substitute teacher ... is facing prison time following her conviction for endangering students by exposing them to pornographic material displayed on a classroom computer ... [a] computer expert ... testified for the defense that the images were the result of incessant pop-up ads served by spyware on the classroom computer.")

Brian Krebs, Missed Software Upgrade Blamed for Conn. Porn Case, Security Fix: Brian Krebs on Computer Security, washingtonpost.com (Jan. 25, 2007) ("the school district's information technology supervisor says the whole mess [see previous article] might never have happened had he renewed the school's license for its content filtering software").

Teacher's porn conviction sparks tech debate, CNN.com (Feb. 13, 2007) ("[Teacher] convicted last month of exposing seventh-grade students to pornography on her classroom computer ... contended the images were inadvertently thrust onto the screen by pornographers' unseen spyware and adware programs. Prosecutors dispute that.").

Associated Press, Austrian Officials Uncover Major Child-Porn Ring, Wall Street Journal (Feb. 7, 2007) ("Austrian authorities ... have busted a major international child-pornography ring involving more than 2,360 suspects from 77 countries who paid to view videos depicting infants and young children being sexually abused. ... videos ... included images that showed "the worst kind of child sexual abuse. ... Girls could be seen being raped, and you could also hear screams," ... No suspects were yet in custody, but Austrian authorities said they were sharing their information with law enforcement in other countries in hopes that suspects could be investigated and charged.").

Gina Passarella, "'Text-Only' Web Obscenity Case Attracts National Attention," Law.com (Feb. 5, 2008) ("Motions to dismiss said obscenity laws should not be applied to text where no pictures were involved").

Elinor Mills, "State worker cleared on child porn charges that were due to malware," CNET (Jun. 17, 2008) ("A fired Massachusetts state worker has been exonerated of a charge of possessing child pornography after computer forensics showed that his work laptop was infected with malicious software that was surreptitiously visiting illegal Web sites.")

 

SOCIAL EFFECTS OF ONLINE PORNOGRAPHY:

Storm A. King, "Internet Gambling and Pornography: Illustrative Examples of the Psychological Consequences of Communication Anarchy," CyberPsychology & Behavior Vol. 2(3): 175-193 (1999).

Megan Rosenfeld, "The Trouble With Smut: An aggressive skin trade and an ethos of exhibitionism are hurting us all," Washington Post (Nov. 13, 2005).

Nick Gillespie, "Porn in the Age of Instant Access," ReasonOnline (Jan. 27, 2006) ("What are the social effects of fast, cheap & stigma-free viewing? Audio and video of the Smith Foundation debate.").

 

CHILD EXPLOITATION

 

"Four-fold increase in serious child abuse on Web," Reuters (Apr. 17, 2007) ("Images of child abuse posted and sold online are rapidly becoming more graphic and more sadistic and involving younger children").

CASES:

US v Poehlman, 217 F.3d 692 (2000) ("Mark Poehlman, a cross-dresser and foot-fetishist, sought the company of like-minded adults on the Internet. What he found, instead, were federal agents looking to catch child molesters. We consider whether the government's actions amount to entrapment.").

Carl S. Kaplan, Court Says Agents Went Too Far in Online Sting, Cyber Law Journal (2000).

 

OTHER:

Dru Stevenson, Entrapment by Numbers, 16 U. Fla. J.L. & Pub. Policy 1 (2005).

Martin G. Weinberg, et al., COVER STORY: INTERNET SEXUAL ENTRAPMENT: THE USES & MISUSES OF 18 U.S.C. 2423(B), 26 Champion 12 (Aug. 2002).

 

PROPOSED LEGISLATION:

HR 3791, Securing Adolescents From Exploitation-Online Act of 2007 ("SAFE Act") (passed US House by vote of 409-2, Dec. 5, 2007).

David Needle, "New Bill Demands ISPs Report Online Child Exploitation," Internetnews.com (Dec. 7, 2007) ("The U.S. House ... this week passed a new bill putting ISPs on notice they face big penalties for not reporting child pornography and other illegal exploitation of children online. *** Under the legislation, service providers are required to report the illegal activity ... .").

Declan McCullagh, "House vote on illegal images sweeps in Wi-Fi, Web sites," CNET News (Dec. 5, 2007) ("... the SAFE Act requires: Anyone providing an "electronic communication service" or "remote computing service" to the public who learns about the transmission or storage of information about certain illegal activities or an illegal image must (a) register their name, mailing address, phone number, and fax number with the National Center for Missing and Exploited Children's "CyberTipline" and (b) "make a report" to the CyberTipline that (c) must include any information about the person or Internet address behind the suspect activity and (d) the illegal images themselves.").

Declan McCullagh, "Wi-Fi 'illegal images' politician defends legislation," CNET News (Dec. 6, 2007) ("It is NOT the intent of the SAFE Act to target Wi-Fi providers but rather the entities that provide the internet to those conduits.").

 

NEWS:

Jerry Markon, "Crackdown on Child Pornography: Federal Action, Focused on Internet, Sets Off a Debate," Washington Post (Dec. 15, 2007) ("Cybercrime, the majority of which involves child pornography, is now the FBI's third-highest priority, behind counterterrorism and counterintelligence. ... the nature of the images alarms law enforcement officials, who say Internet child pornography is increasingly sadistic and depicts young children whose victimization fuels a growing market. ... 'We're not talking about a 16-year-old who looks like she could be 19. We're seeing prepubescent children who are being raped, babies, toddlers being tied up.' ").

David Kravets, "Kazaa User Appeals Feds' Novel Use of Child Porn Law to Supreme Court," Wired (Jan. 28, 2008) ("At issue is a new interpretation of [18 USC 2251(d)] ... intended to curb child-porn advertising by imposing a mandatory 15-year prison term on anyone convicted of publishing "notice" offering to distribute kid porn across state lines. ... [Defense lawyer concedes client ] is guilty of distributing child pornography, which normally carries a five-year sentence. But ... argues that sharing such files over Kazaa shouldn't qualify as advertising under the law, and therefore shouldn't be subject to the mandatory 15 years.") (Kazaa "descriptive fields" as advertising, see also

 

VIRTUAL CHILD EXPLOITATION:

Daniel Terdiman, "Phony kids, virtual sex," CNET News (Apr. 12, 2006).

Kate Connolly, "Second Life in virtual child sex scandal," The Guardian (May 9, 2007) ("German prosecutors have launched an investigation to find anonymous participants of the online computer game Second Life, who are reportedly buying sex with other players posing as children, as well as offering child pornography for sale.").

 

NETWORK ACCESS TO VICTIMS:

"Reno Man Used Craigslist To Lure Boys," Associated Press (Nov. 11, 2007) ("... man was arrested on suspicion of using the Internet bulletin board Craigslist.org to lure two teenage boys to his home, where he was accused of sexually assaulting one of them ... the suspect met the two boys, 13 and 15, through Craigslist under the ruse he was a 20-year-old woman").

Michael Grabell, "Victim's parents sue MySpace after suicide, assault by Celina man," Dallas Morning News (Dec. 12, 2007) ("The parents of a [14 year-old] California teenager who committed suicide after being sexually assaulted by a [30 year-old] man she met through MySpace are suing the popular social-networking Web site").

  

INTERNET BANS:

"New Jersey law restricts some sex offenders from surfing the Web," International Herald Tribune (AP) (Dec. 27, 2007) ("Convicted sex offenders who used the Internet to help them commit their crimes will be banned from using the Internet under a measure signed into law Thursday").

"NYC may ban sex predators from online social sites," Reuters (Feb. 12, 2008) ("New York City prosecutors on Tuesday endorsed the United States' first proposed law to ban registered sex offenders from social networking sites like Facebook and MySpace").


 

VI.     International Aspects and Jurisdiction

 

PONDERABLES:

The emergence of a global information society facilitates and enhances opportunities for transnational cyber- and other crime. The divergence between global information flows and nation-state regulatory jurisdiction leads to "regulatory arbitrage" where inconsistent and incompatible regulatory regimes result in "flag of convenience" forum shopping that can lead to the lowest- (in the case of crime) or highest- (in the case of government control over civil liberties) common denominator regime asserting jurisdiction. Where does cybercrime take place and who can or should have jurisdiction? How can cybercrime across jurisdictional lines be prevented, controlled, mitigated, or responded to?

The cross-jurisdictional nature of computer network activity facilitates and shields criminals but complicates both prosecution and investigation of cybercrime.

 

REQUIRED READING:

CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):

Chapter 17, International Aspects of Computer Crime, pp. 685-736 (Susan W. Brenner, Transnational Evidence Gathering).

Russell Smith, "Investigating Cybercrime: barriers and solutions," Australian Institute of Criminology (Sep. 11, 2003).

Susan W. Brenner, "The Council of Europe's Convention on Cybercrime," pp. 207-220 in Cybercrime (Jack Balkin, et al. eds., NYU Press 2007).

Council of Europe (CoE) Convention on Cybercrime (ETS No.-185, Nov. 2001).

Council of Europe, Additional Protocol to the Convention on cybe