Join | Search: 
Welcome to the California Criminal Law Review

The California Criminal Law Review is a student-run law journal at Boalt Hall at the University of California, Berkeley.

Letters to the Editor

Editor's Note: The following Comments by Donn Parker and Susan Brenner were submitted after the publication of "Is There Such a Thing as 'Virtual Crime'?", 4 Cal. Crim. Law Rev. 1. They are reproduced in the spirit of "Letters to the Editor," and hence do not conform to the 17th Edition of the Blue Book. These Comments should not be considered the voice of the California Criminal Law Review, but rather the opinions of the authors.

Donn Parker is a consultant on Internet Security matters for the firm of AtomicTangerine, and has written extensively on cybersecurity issues. He was a major source for Susan Brenner in preparing "Is There Such a Thing as 'Virtual Crime'?", 4 Cal. Crim. Law Rev. 1.

Is Computer Crime Real?

Donn B. Parker, CISSP

      I.  Introduction

Descartes: A sufficient change in degree produces a change in kind.

Susan Brenner has added greatly to our concepts of crime and computer crime. We are left with the questions she posed. Should we continue to adapt criminal statutes to prosecute computer crimes or should we develop an entirely new code of law for crimes committed that involve computers as objects, subjects, and tools of wrongdoing? Do computers and electronic communication networks change the nature of crime? When and how would crimes and computer crimes be of sufficient difference in degree to produce a difference in kind? So far, states have enacted specific computer crime statutes, and they have had value as social policy to attract appropriate attention and resources. However, several prosecutors have told me that they don't need such laws to prosecute crimes involving computers.

My perspective on computer crime is different from Brenner's because she approaches the challenge from the side of the law, and I approach it from the side of information technology and information security. However, we seem to reach much the same conclusions. The ways in which we differ may offer further insights and understanding.

      II.  The Problems with Technical Jargon

Information systems technologists and information systems security practitioners have inadvertently caused some serious problems for the law. We use jargon effectively among ourselves as efficient ways of communication, and we understand what we mean in our contexts even though the jargon terms are often ambiguous and incorrectly defined according to dictionaries. Unfortunately this jargon has been adopted by experts in other fields without the depth of understanding of the jargon terms afforded by information technology expertise, and this causes problems especially in the law where precise terminology is so important. The jargon creeps into the statutes and causes fuzzy and incorrect concepts and especially when the statutes are translated into different languages, as they must to reflect the international nature of computer crime.

Brenner cites existing computer crime laws in support of some of her positions and conclusions. However, many computer crime statutes are ill-conceived, and written by those not expert in information technology and should not be used as models or justification for additional poorly created statutes.

The practitioners of information systems technology and information systems security use jargon terms such as software and cyber and accessing, intruding upon, breaking into, and entering a computer. This leads to great confusion and error.

Software is an ambiguous term and different meanings to different technologists. Software may be defined as computer programs alone or computer programs (both source code and object code), computer scripts, manuals, and attendant data taken altogether, singly, or in combinations. Using the term, "information and software," is redundant. Software is information and may be treated and processed like any other information. Some computer programs, such as program compilers, when executed in a computer, act upon information that consists of computer programs. A computer program is a special kind of information when a computer executes small segments of it as instructions.

The term cyber comes from cybernetics, the study of robots, and many people are using cyber incorrectly to name anything having to do with computers or electronic communication. Brenner conceives of Cyberspace as a different realm that humans may enter by leaving the real world. Computer system technologists know this is an exaggeration and incorrect.

Brenner has used the terms, "perpetrator entered the computer" and "breaking into a computer" implying trespass. Even more of a problem, some statutes describe unauthorized computer access. These are jargon that means that a perpetrator uses the services of a computer without the owner's explicit or implicit permission and is correctly theft of services and resources. In attacking a computer the perpetrator causes the computer to execute instructions in programs stored in the memory of the computer and accept new instructions for execution. No trespass occurs, only stealing services and resources (electricity, storage, and possibly paper and ink). Calling this trespass, as Brenner has suggested, is not applicable to a computer unless a person crawls inside of it. This may become a profound jargon problem in the law, because it confuses trespass with theft of services.

A person does not enter cyberspace any more than a person enters printed information space. A person uses the services and resources of computers and electronic communication networks. Brenner states,

"When I 'go' into cyberspace, I leave behind both Newton's and Einstein's laws . . . Traveling from Web site to Web site . . ."

This is confusing because there is no going into cyberspace and no traveling from Web site to Web site. Users enter instructions into computers. They cause the images of Web sites and their pages to be sent from host computers to their computers and displayed on screens. Then they view the displayed information, enter new information into computers guided by the display, and interact with the content through execution of computer programs in both the users' and host computers.

Brenner says,

'Cyberspace is a domain that exists along with but apart from the real world.  It is a shared conceptual reality, a virtual world, not a shared physical reality . . . Since it is not a physical domain, some question whether the principles of criminal law we employ for the real world are adequate to address crimes the commission of which exploits the unique advantages of cyberspace . . . It is a "new" space, a space that has its origins in physical reality but which transcends that reality . . .'

I don't think we should get so carried away by cyberspace concepts. We can avoid this by understanding the nature of information and what computer programs are and how they function in computers. Computer crimes like any crimes occur in the real world.

      III.  Hackers and Crackers

The news media have given a high visibility to computer hacking and have made it a pejorative term. However, for the purposes of the law, it is important to distinguish between benign hackers and malicious hackers. Hacking is a common practice of computer programming technologists and causes no harm in its benign form of authorized use of computers and networks to learn from and explore their capabilities and push them to their extremes of performance. Malicious hacking, called cracking by some information security specialists and Brenner, is similar except that it is unauthorized and unintended by the victims and done in the victims' computers where it causes harm and may be criminal.

Brenner writes:

'. . . the term "cracking" denotes the process of illegally gaining entry to a computer or computer system for the purpose of damaging or destroying property residing therein;'

This is not true. First, malicious hacking does not gain entry to a computer; it causes computer programs to be executed by the computer that may favor or achieve the perpetrators' objectives. Secondly, the purpose is not limited to damaging or destroying property therein. The purposes are legion including engagement in fraud, theft, violation of privacy, impersonation, extortion, espionage, voyeurism, terrorism, or other crimes and engaging in jokes and put-downs. Only in the context of vandalism is malicious hacking possibly limited to damaging or destroying property.

How far would a perpetrator have to go to achieve entering a computer? This is not easily determined if at all. However, if use is the act, then it is clear that any program that is executed in the computer, as a response to the perpetrator's action, constitutes use as a theft of services. The law must also treat impersonation of an authorized user as a means of illegal use.

      IV. Need for Computer Crime Statutes

I have claimed for many years that we can ultimately do away with computer crime laws because most crimes will involve computers in some way, and all crime will be computer crime, but I added "(not really, but almost). " Distinguishing a computer crime from any other crime ultimately will be unnecessary for social policy and successful prosecution purposes after social policy is well-established in recognizing and dealing with computer crime. Most computer crimes, as Brenner has so effectively pointed out, are addressed by existing statutes or can be with minor modification and precedents. Then why have computer crime statutes? We developed a body of computer crime law starting in the mid 1970s primarily as social policy and not necessarily to successfully prosecute computer criminals. We needed to bring attention to the dangers of crimes involving computers to alert legislators, the criminal justice community, and potential victims. We needed to make it obvious that computer criminals were being convicted for crimes they committed and not for obscurely created charges such as stealing electricity when actually stealing computer services. We needed to establish law enforcement budgets and officers specializing in high-tech crime. And we needed to create deterrents against computer crime by making clear and obvious especially to young people that wrongdoing against computer owners is as unlawful as equivalent wrongdoing against any property owners or custodians.

      V. Evolution of Computer Crime

It would be dangerous to limit our concepts of computer crime to current technology to the detriment of not anticipating future problems. Contrary to what Brenner has stated, it may soon become possible for bigamy to be perpetrated as a computer crime. As digital signatures become valid, a marriage ceremony could be conducted with the two parties and the official in three different places. Marriage using the Web could be great TV fare, and fraudulent marriages could soon follow.

As another example of future crimes, hackers are producing increasingly sophisticated computer programs that will perform complete crimes including selection of victims, illegal acts, conversion to gain, and erasure of all evidence. The creators could sell, trade, or give copies to others the same as with commercial programs. Others may willfully or inadvertently execute them causing crimes to occur where they don't know who the victim may be, if there was a victim, what crime was committed, what method was used and where it occurred. What is the culpability of the designers, developers, marketers, distributors, and perpetrators of automated crimes? How are we to fight these crimes that can be refined and perfected endlessly? Evidence that this problem is fast approaching goes beyond our experience with simple computer viruses and worms. Combining the existing hacker tools that gain control of computer systems with fraud and theft attacks on computer applications such as accounts payable and receivable, payroll, or banking demand deposit accounting systems is just around the corner. Fortunately, we have forward-looking law researchers such as Susan Brenner anticipating these future problems.

Editor's Note: Susan W. Brenner is Associate Dean and Professor of Law at the University of Dayton School of Law. She was the author of "Is There Such a Thing as 'Virtual Crime'?", 4 Cal. Crim. Law Rev. 1.

Afterword: Comments on "Crime in Cyberspace" by Donn B. Parker

By Susan Brenner

I agree with most everything Mr. Parker says in his excellent piece on "Crime in Cyberspace." I write this therefore not to disagree with anything he says, but to note how existing criminal law could be used to address one of the evolutionary "cybercrimes" he addresses, i.e., the commercial sale of "cybercrimes."

Mr. Parker notes that some hackers are already producing programs that can be used to commit "crimes" and suggests the not so distant future will likely see the commercial sales of these and other "crimes in a box." I think this is a good point, one with which I quite agree. And while I am certainly willing to entertain the notion that we may need to enact new "cybercrime" statutes to address this type of behavior, I would like to point out how it could be dealt with by using extant principles of criminal law.

One option is accomplice liability: If the programs are used to commit extant "crimes"--such as theft, forgery, fraud or trespass--we can treat the design, manufacture and distribution of those programs as acts aiding and abetting the commission of the thefts, forgeries, frauds and/or trespasses that are perpetrated by using them. Since accomplice liability results in the aider and abettor's being held liable for the "crimes" he or she facilitates, the designers, manufacturers and distributors of these programs could be prosecuted as perpetrators of all the "crimes" that result from their use. Since we directly impute liability for consummated substantive "crimes" to those who facilitated their commission-to the programs' designers, manufacturers and distributors--this seems an adequate means of imposing liablility for the "harms" caused by their conduct. Alternatively, we could also treat the design, manufacture and distribution of such programs as acts soliciting the commission of the "crimes" they can be used to commit. Or we could hold those involved in the design, manufacture and distribution of the programs liable as members of a conspiracy the object of which was to facilitate the commission of the "crimes" which the programs could be used to commit. Finally, if the programs could be used to commit "crimes" but the designers, manufacturers and/or distributors are all apprehended before they are actually used for this purpose, they can each be held liable for an attempt to commit the "crimes" the programs were designed to implement.

    2001 by California Criminal Law Review. All Rights Reserved. Use by Permission.
Letters to the Editor are not the voice of the California Criminal Law Review.
Current Issue | Past Issues | Current Masthead | Letters | Submissions | Subscribe | Training | Mail Us!