Security optimize

Taking cybercrime seriously: Rapidly changing laws could trip up the unwary

Deb Shinder offers a word of caution to those who might not think some types of cybercrime are "serious." Not understanding the tangle of computer-related laws is no defense, and the laws vary widely by location.

Crime is serious business - for society, for individual victims, and for the offender. Being arrested for a criminal offense is something that can stay on your record and haunt you forever, even if you aren't convicted. Being convicted of a crime can cost you money (in fines, restitution and legal fees), deprive you of your liberty for a short or long time, and result in a loss of some of your legal rights even after you serve your time. The stigma of being a convicted felon can cripple your chances in the job market and impact your personal relationships for the rest of your life.

Despite all this, many in the tech world don't take cybercrime seriously. This is likely due, at least in part, to the fact that it's a relatively new variety of offense. Many of us can remember when computer-related activities that are prohibited by law today weren't illegal. It's always difficult for people to accept that, with a wave of the legislative wand, a group of elected officials can turn you into a criminal for doing what you did in the past without consequences.

Most would probably agree that stealing personal data, bringing down a network for hours or days, luring children into sexual situations, or sending threatening messages online are crimes that should be taken seriously. Those acts do real, tangible harm to individuals or businesses. Many would add things like filling up mailboxes with spam or disseminating a virus that does nothing but pop up a message box that says, "Ha, ha, you're hacked." But it gets more controversial when you start talking about cybercrimes that don't have a clear cut victim.

Where's the harm?

Many people have a hard time with the concept of a "victimless crime." Every police officer who's ever worked a traffic detail has been asked at least once, "Why are you wasting taxpayer money stopping me for speeding? You should be out there catching the real criminals." Of course, very few folks classify themselves as "real criminals," even when the crimes they commit are felonies.

When it comes to cybercrime, many techies don't see hacking into someone else's network, system, or web site as a serious matter, as long as they don't do any "real harm" (such as erasing data, defacing the site, stealing personal information and using it for identity theft, bringing down the systems for a long period of time, etc.). They claim that taking a stroll through your network is no different than walking across your yard - sure, it's your property but there was no fence (or it was a low one that was easy to hop over) and they didn't do any lasting damage to anything. They argue that the lack of stronger security controls served as implied consent for them to enter.

The law, however, treats such seemingly innocuous intrusions more like walking into a stranger's house and making yourself at home just because the door was unlocked (or the lock was easy to pick). Even if a trespasser doesn't steal or vandalize, he's still in violation of the law because property owners (rightly, in my opinion) have the right to expect others to respect the sanctity of their homes. In the U.S., criminal trespass falls under the jurisdiction of the state, so the classification, elements of the offense and penalties vary.

Unauthorized access to a computer or network is also a state offense in many states, and again, the details and penalties vary. Unauthorized access can also be a federal offense under the Computer Fraud and Abuse Act, depending on what systems are breached and what type of information is accessed.

A brief history of criminal copyright statutes in the U.S.

Another computer-related crime that's seen by many as just innocent fun is sharing music or movies in violation of copyright laws. In fact, in some countries this is not illegal as long as no profit is involved. File-sharers would argue that those who get the content for free would not have paid for it anyway, and that consequently, the music and movie industries' claims of lost revenues are bogus. U.S. legislators, however, don't seem to share that view. In a relatively short period of time, the status of copyright violation has gone from no crime at all to a misdemeanor to a felony. One has to wonder if it won't eventually become a capital crime, as horse thievery was in the frontier days.

In the United States, copyright infringement that didn't involve a profit, commercial advantage or financial gain was a civil matter only until pretty recently. That meant a copyright holder could file a lawsuit, take the violator to court and collect monetary damages.

Beginning in the late 1800s, unlawful representation of copyrighted works was a criminal violation only if the conduct was "willful and for profit." In 1976, the Copyright Revision Act changed the wording to include "commercial advantage or private financial gain" and set the penalties for copyright violation in the case of music and movies at up to $25,000, one year in prison, or both. The offense was considered a misdemeanor.

In 1982, the powerful lobbies of the recording industry and movie studios were successful in getting another amendment passed, making the offense a felony. Then in the 1990s, Congress amended Section 2319(b) of Title 18 of the U.S. Code to cover all copyrighted works in the felony provisions. The penalty threshold was set at up to $250,000 and up to five years in prison (ten years for repeat offenders).

The federal law has been further expanded to criminalize copyright violation not only in cases of commercial advantage or financial gain, but also by copying or distributing any work with a retail value of $1000 or more even if not done for profit. In addition, it applies to distributing "a work being prepared for commercial distribution" (regardless of value and whether or not for profit) by making it available on a publicly accessible computer network.

It's important to understand that those penalties are per incidence so that if, for example, you pirated three different songs, you could theoretically be fined $750,000 and receive three five-year prison sentences. How likely is that to happen? Not very. The FBI is charged with enforcing the criminal copyright statutes and in an age of terrorism, pedophilia and other crimes that place human life in danger, they rarely bring charges against individuals sharing small numbers of digital files at no profit.

The message sent by the legal system is obviously mixed. The severity of the penalties indicate that the government takes copyright violation very seriously indeed - but the fact that the laws usually go unenforced causes people to ignore the law and not take it seriously.

Ignorance of the law

Federal, state, and even local legislators are scrambling to keep ahead of the technological curve being thrown at them by a tech industry where new developments occur rapidly. They're passing record numbers of new laws every year, and more and more of those relate in some way to computer and Internet usage. What was legal last year might be illegal today. Even if you do take breaking the law seriously, you might not always know you're doing it because it can be so difficult to keep up with all the changes.

In many states, statutes prohibiting unauthorized access apply to accessing the network, even if you don't access any files on the computers on that network. Connecting to an open, unsecured Wi-Fi network to use its Internet connection is a felony in some jurisdictions.

We've all heard that "ignorance of the law is no excuse" and most states even codify that in the law. For example, Texas Penal Code section 8.03 says "it is no defense to prosecution that the actor was ignorant of the provisions of any law after the law has taken effect." This is called a mistake of law. On the other hand, depending on how the statute you're charged with violating is written, ignorance of the facts may get you off the hook (but the burden will be on you to prove your ignorance).

So what's the difference? It's all about the culpable mental state. Most criminal offenses require that the offender have a specific level of knowledge or intent to do whatever action constitutes the crime. That means if you intentionally connect to someone else's wireless network knowing that it's not your network, you're committing an offense, even if you don't know that connecting to someone else's network is illegal. However, if your computer automatically connects to the network without your knowledge, or if the other network has the same network name as your own so you think you're connecting to your own network, you don't have the knowledge or intent that is a required element of the offense.

Remember that you need to check your own state laws but as an example, under Texas law, this is called a mistake of fact, and Penal Code section 8.02 says "It is a defense to prosecution that the actor through mistake formed a reasonable belief about a matter of fact if his mistaken belief negated the kind of culpability required for commission of the offense."

Now, a defense to prosecution is just that: an issue that you can raise in court if you're arrested and brought to trial which, if you can prove, will result in acquittal. A defense to prosecution does not mean the arrest wasn't lawful. The police are within the law to arrest and charge you as long as they have probable cause that you did, in fact, connect to someone else's network. And under most statutes, they do not have to show that you did any damage or even used any Internet bandwidth. Simply connecting to a network without authorization is enough to make you a criminal.

Above the law

Just as police officers sometimes act as if the traffic laws don't apply to them - even when they're off-duty, driving their personal vehicles - some IT professionals seem to believe they're above the law when it comes to things like unauthorized access by virtue of their positions, expertise, or good intentions. We've all heard of the hackers who break into supposedly secure networks just to demonstrate that it can be done, ostensibly for the purpose of motivating the owners to increase their security.

Some might argue that this is the only way to get the attention of those in charge of the network's security. However, just as you can't expect to carry a bomb (even a fake bomb) onto a plane to "help" the airline understand its vulnerabilities and not get thrown in jail, doing penetration testing of a network or system without its owner's permission is likely to result in criminal charges if you're caught.

The bottom line

If you're the typical techie, you probably take some cybercrimes very seriously and others, not so much. There is a danger that when some laws are seen as silly, or penalties are out of proportion to the seriousness of the crime, or the laws are on the books but blatantly disregarded by a large portion of the population and not enforced, there will be an overall erosion of respect for all law. That's why we need to support a policy of carefully thinking through any new legislation before enacting it. It's easy to say "there oughta be a law," but legal restrictions on how you can use a tool such as a computer or the Internet should not be knee-jerk, feel-good reactions that end up doing nothing to solve the real problems and, instead, penalizing people who are doing no harm to anyone.

What do you think of the computer-related laws we have now? Are there too many with penalties that are too severe? Or do you think we need more laws and harsher punishments? Should the cybercrime laws be standardized across the country to eliminate the confusion caused by different state statutes, or should jurisdiction for all cybercrime be relegated to the federal government only? Or should the Internet be a virtual "wild west" where anything goes?

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

20 comments
dayen
dayen

Laws pass by people who don't even know what a good password is let alone a right mouse click who take advice from people who claim to know computers and don't but afraid to admit it or their ego won't let them. I know my limitations when it comes to computers and networks I know when to call for help they can't even admit they need help. We can't fight cybercrime with these fools in office let alone a full blown cyberwar! who fooling who ? the law says we can only defend (tech) goverment can attack I hope we have some good covert hackers in the goverment ! the chinese have 10,000 or more I hear and we have a little over 3000 in Infoguard Volunteers who can only defend .

Rodo1
Rodo1

...Poorly thought out and written and unevenly enforced. Sadly, our "officials" are a bunch of morons and it's getting worse all the time.

mystictj
mystictj

When I paid for my house I am allowed to do what I want with it. If I want to give it away to someone I can. The same is true with my car, bed, everything that I own. If I buy film and take a picture I can give it away. When a movie or music is sold the person buying it should be allowed to do whatever they want with it. They bought and paid for it.

Spitfire_Sysop
Spitfire_Sysop

I have always wondered: How am I supposed to know what the laws are today? I will not take legal advice from this blog. They could outlaw the display of poodle skin tomorrow and thousands of dog walkers would be behind bars. How is this information officially diseminated? How can you expect people to follow arbitrary laws if they don't have a valid source of the details? Legality is not really taught in school. Fresh graduates from high school are deemed an adult at 18 and could be tried in the courts without ever being told what laws exist. All I know of law is hearsay which is not admissable in the court.

Neon Samurai
Neon Samurai

I'd like to see some figures on that one includig a breakdown by age of the indaviduals polled. You may get a majority of stupid highschool aged kids thinking break-ins are ok but that can't possibly be the situation among techs above the age of maturity. Personally, I'd say that taking a walk through someone's network without permission is very much unacceptable and akin to strolling through the person's home to fix a snack from the fridge.

gcorbo
gcorbo

Ms. Shinder - Have read much of your material over the years, and agree with the majority of your blog here except about the sharing (pilfering ?) of music. The copyright laws were strengthed in the 1980's by a truly greedy group of record companies. Their avarice has been their downfall - one by one. Why - because the laws on this subject are wrong - plain and simple. And people know it - and they willfully disobeyed because they NEVER should have been law in the first place, and all legitimate attempts to repeal those laws continuously failed. Why - because sometimes in our country it appears that the will "of the few" can overcome and rule of the will of the majority. Make no mistake here. I would guarantee that if we could take a country wide vote today of a good sample size of the American public (say, at least 20 million) - they would vote that music they purchased was OWNED - not "rented" and that they should have the right to share their owned item with another. Want to say "the law is the law" and only can be changed via the process of the law (legislation, hearings, etc.) when the people know that the other side has all the power and the odds are stacked against them even though they KNOW they are right and in the majority... Well, that is about what happened with the British tax laws and the the U.S. colonies until a little thing called the Boston Tea Party changed things for the will of the majority... Point of all of this: We know that not all laws are fair - that is fact of life. But when a law is unfair, ridiculous, and can't seem to get changed - even with the majority of citizens against it - then we have a problem.

santeewelding
santeewelding

And abundant value, override those few parts where you yourself, Deb, trespass.

Alpha_Dog
Alpha_Dog

Did the home owner invite you in? No? Then why try the doorknob? Connect only to WAPs with direct approval. Did you pay for it or was it a gift? Neither? Then it's not yours. Pay for what you take and make sure the rest is free or a gift. Do you lock the doors to your house? Then why not lock down your network? Whether or not you have valuables isn't the issue. Do you leave the keys in the ignition and engine running when you walk away from a car? Then why would you do this on a computer? Log out or power down.

lshanahan
lshanahan

???It is a defense to prosecution that the actor through mistake formed a reasonable belief about a matter of fact if his mistaken belief negated the kind of culpability required for commission of the offense.??? My brain just did a double full-twisting half-nelson quadruple axel with a cherry on top parsing that sentence.

pgit
pgit

way too many so-called "laws." The intent is they can always find you in violation of something. This makes it a "nation of people," where powerful types decide whether to go after you or not in the first place, based not on any standard of law but rather more a subjective measure of your worth to them.

VBJackson
VBJackson

Yes, you can give it away, but then you no longer have it. And no, you can't to ANYTHING you want with it. If you make changes, then they have to meet code to prevent it from being a hazard to youself and others, for example. If you take a picture, then the image IS yours, so yes you can give it away, share it, make copies, whatever. Do you think that the company that processed your film should also have that right? So if you buy a copy of a movie, then you CAN give it away - to one other person. Bit that means that YOU no longer have ownership of that copy.

draco vulgaris
draco vulgaris

Can you buy a four bedroom house, install four prostitutes, and allow them to ply their trade for a percentage? You may think so but don't try it unless you are prepared to pay fines, spend time in jail, etc. I expect that there are places where prostitution is winked at. I also expect that when there is a epidemic of "social diseases", the winks stop!

just1opinion
just1opinion

I am still amazed at the number of people who, I presume, want to be paid for their efforts but don???t think others should be. I had this argument with computer programmers all through college. They expect to be paid but it???s OK to steal the work of others. Also, a house or a car is a single, unique, non-duplicable physical item. An electronic copy of a song, movie, or anything else, is not. Buying a CD does not give you unrestricted ownership of the artistic work and copyright.

draco vulgaris
draco vulgaris

This has been part of our law for almost as long as we have had law.

Charles Bundy
Charles Bundy

Mandates we be both legal and financial savvy. Otherwise chances of success are greatly diminished. If you can show that you have tried to understand the law, but were hampered (access, language barrier, et al) then "ignorance" is mitigated at a judicial level. Otherwise anyone caught with their hand in the cookie jar could claim exculpating circumstance.

santeewelding
santeewelding

Had the same complaint thousands of years ago. Upheaval and revolution followed.

n.gurr
n.gurr

He came up with my favorite quote that can easily be applied to this.... "If a law is unjust, a man is not only right to disobey it, he is obligated to do so." The music industry has never stopped to ask the most important question, is this doing us any harm? In fact, a few years ago I did my dissertation on this and came to the conclusion that there was a net gain in sales due to piracy. The issues have always been music becoming a commodity and thus being worth less, one expert I recall stated that a track was worth only 25 cents! Manufacturing artists, I believe, rather than picking up acts that earn their way in pubs and clubs is reducing the demand for artists - although this is just my opinion. I believe that the music industries view on piracy is best summed up by another quote, this time from Oscar Wilde "A cynic is a man who knows the price of everything, and the value of nothing."

pgit
pgit

You raise a good, often overlooked point. According to some arcane threads that run through constitutions and supreme court decisions, "laws" (including regulations) have to be readable and comprehensible to someone of "average intelligence," in plain wording that does not require a lawyer to understand. The reason this is never seen as a part of any defense is because the concept is negated the instant you hire a lawyer. Believe it or not, you will never 'get off' if you have a lawyer. Your only hope of getting at the truth (assuming the truth is you are innocent, or at minimum ignorant) is without a lawyer. The courts and anyone who watches TV will try to warn you off of handling your affairs without a lawyer. But the people have been intentionally blinded to a simple fact: the BAR has made a private facsimile of the constitutional courts and you are not compelled to use them to obtain justice. If you are being prosecuted the ONLY matter to bring up is to demand proof of the court's claim of jurisdiction. Where did I agree to have this BAR and it's pseudo-governmental 'authority' deal and dispense MY law? Not much you have to know, and you have to be able to work through some rather scary threats, like orders for arrest for contempt. But stick to it and they have to either let you walk or continue illegally (by their own laws and court decisions) in error, which is reversible almost immediately via a writ to a higher court. They also try to deny your right to such petition, but then you just reassert the same question... "and where did I agree to that?!"

VBJackson
VBJackson

Excuse me, but by continuing to live within a jurisdiction you do in fact an in law agree to the laws of that jurisdiction. The Bar only governs who is allowed to practice as a representitive for someone else in court. In most states, judges are actually elected officials, and do NOT have to be lawyers. The fact that they usually ARE reflects the reality that a non-lawyer would have a hard time determining the correct response in cases where the judge is required to rule on motions and objections, i.e. most of them. You sound like on of those "Soverign Citizen" people that have been popping up lately. In case you haven't heard, that defense had been ruled a legal fiction, and the people ARE serving time for thier crimes.

pgit
pgit

I am most certainly not one of those "sovereign citizen" types, far from it, although several of the points some of them make are on the target. A jurisdiction is NOT a physical place or a presence therein, it's as much part of the legal fiction the system deals in as is a corporation. Read Oliver Wendell Holmes' inappropriately named "the common law" for a snapshot of how "law" has been subverted by lawyers, for lawyers. I have never made any arguments, only asked basically one question. In this framework (common law and default) I took my question all the way through the system to the supreme court, which upon reading my 80+ pages of their own writings graciously halted government attempts to apply common law sanctions on me 'because we say so,' stopped precisely due to lack of any demonstrable jurisdiction. You could say I know what I'm talking about, though out of common courtesy I choose to reciprocate the honorable behavior 'they' have displayed toward me since, and don't really talk about it. The "sovereign citizens" have NOT (mostly, who knows what else some may have done) committed any "crimes," unless you consider ignorance to be a criminal condition. In fact it's entirely the other way around, there is just about the largest body of legal evidence to be had proving the fact that it is a most fundamental no-no to ever just assume jurisdiction exists. But that's exactly what governments do at every level. The American revolution was largely a rebuke of a government assuming whatever jurisdiction it saw fit and unilaterally apply common law sanctions thereto. Here we are again... history repeats. I don't care what anyone else does, as long as they don't do me any harm. That includes insulting me. I know what the ultimate authority of government is, and I am going to insist upon it's observing it's self-proclaimed limits in it's dealings with me. (i.e. please don't insult my intelligence) I could care less if it takes everyone else to the cleaners, in fact, more power to 'em. Just leave me out of it. I am more in compliance with the actual Law than any other I've ever encountered. I've had very high power attorneys, with decades of experience in trial, tell me as much. I can't tell you how many times I've heard "you're too honest." One lawyer in Manhattan told me I obviously know more about the Law than any judge he'd faced... that's the real Law, not the corporate bylaws you call "code" and "regulations." Nobody's flesh, blood or property are automatically subject to that "jurisdiction." In the job I had where I was responsible for maintaining regulatory compliance, I did the job so well the federal agency overseeing my operations would send callers asking them for 'official' interpretations, clarifications and advice to me. They told me I apparently understood their requirements better than any of them did, and also that they were astonished at my unbending compliance with the regulations, which was often much to the financial or operational detriment of my employers. Jurisdiction is an intentionally muddied concept, it doesn't have to be that way but there are people with agendas. (and they own the media) The idea of "anchor babies" is as much a farce as the idea that Hiroshima was necessary to end the war with Japan. What passes for "truth" is most often merely common myth. That's a historically borne-out fact, a consequence of the fact that throughout history roughly 80% of the people are totally clueless, willingly ignorant, even. BTW no "court rules," procedures, any codes, regs or prior decisions enter into anything unless and until jurisdiction can be established from solid evidence in the public record. To say that judges should be, or even must be lawyers, as New York is attempting to do, proves my point; that can't be "the law." If one MUST be "represented" then this one is admitting to being non compos mentis. TS for them if they don't know where they are and how they got there.