Taking cybercrime seriously: Rapidly changing laws could trip up the unwary

Deb Shinder offers a word of caution to those who might not think some types of cybercrime are "serious." Not understanding the tangle of computer-related laws is no defense, and the laws vary widely by location.

Crime is serious business - for society, for individual victims, and for the offender. Being arrested for a criminal offense is something that can stay on your record and haunt you forever, even if you aren't convicted. Being convicted of a crime can cost you money (in fines, restitution and legal fees), deprive you of your liberty for a short or long time, and result in a loss of some of your legal rights even after you serve your time. The stigma of being a convicted felon can cripple your chances in the job market and impact your personal relationships for the rest of your life.

Despite all this, many in the tech world don't take cybercrime seriously. This is likely due, at least in part, to the fact that it's a relatively new variety of offense. Many of us can remember when computer-related activities that are prohibited by law today weren't illegal. It's always difficult for people to accept that, with a wave of the legislative wand, a group of elected officials can turn you into a criminal for doing what you did in the past without consequences.

Most would probably agree that stealing personal data, bringing down a network for hours or days, luring children into sexual situations, or sending threatening messages online are crimes that should be taken seriously. Those acts do real, tangible harm to individuals or businesses. Many would add things like filling up mailboxes with spam or disseminating a virus that does nothing but pop up a message box that says, "Ha, ha, you're hacked." But it gets more controversial when you start talking about cybercrimes that don't have a clear-cut victim.

Where's the harm?

Many people have a hard time with the concept of a "victimless crime." Every police officer who's ever worked a traffic detail has been asked at least once, "Why are you wasting taxpayer money stopping me for speeding? You should be out there catching the real criminals." Of course, very few folks classify themselves as "real criminals," even when the crimes they commit are felonies.

When it comes to cybercrime, many techies don't see hacking into someone else's network, system, or web site as a serious matter, as long as they don't do any "real harm" (such as erasing data, defacing the site, stealing personal information and using it for identity theft, bringing down the systems for a long period of time, etc.). They claim that taking a stroll through your network is no different than walking across your yard - sure, it's your property but there was no fence (or it was a low one that was easy to hop over) and they didn't do any lasting damage to anything. They argue that the lack of stronger security controls served as implied consent for them to enter.

The law, however, treats such seemingly innocuous intrusions more like walking into a stranger's house and making yourself at home just because the door was unlocked (or the lock was easy to pick). Even if a trespasser doesn't steal or vandalize, he's still in violation of the law because property owners (rightly, in my opinion) have the right to expect others to respect the sanctity of their homes. In the U.S., criminal trespass falls under the jurisdiction of the state, so the classification, elements of the offense and penalties vary.

Unauthorized access to a computer or network is also a state offense in many states, and again, the details and penalties vary. Unauthorized access can also be a federal offense under the Computer Fraud and Abuse Act, depending on what systems are breached and what type of information is accessed.

A brief history of criminal copyright statutes in the U.S.

Another computer-related crime that's seen by many as just innocent fun is sharing music or movies in violation of copyright laws. In fact, in some countries this is not illegal as long as no profit is involved. File-sharers would argue that those who get the content for free would not have paid for it anyway, and that consequently, the music and movie industries' claims of lost revenues are bogus. U.S. legislators, however, don't seem to share that view. In a relatively short period of time, the status of copyright violation has gone from no crime at all to a misdemeanor to a felony. One has to wonder if it won't eventually become a capital crime, as horse thievery was in the frontier days.

In the United States, copyright infringement that didn't involve a profit, commercial advantage or financial gain was a civil matter only until pretty recently. That meant a copyright holder could file a lawsuit, take the violator to court and collect monetary damages.

Beginning in the late 1800s, unlawful representation of copyrighted works was a criminal violation only if the conduct was "willful and for profit." In 1976, the Copyright Revision Act changed the wording to include "commercial advantage or private financial gain" and set the penalties for copyright violation in the case of music and movies at up to $25,000, one year in prison, or both. The offense was considered a misdemeanor.

In 1982, the powerful lobbies of the recording industry and movie studios were successful in getting another amendment passed, making the offense a felony. Then in the 1990s, Congress amended Section 2319(b) of Title 18 of the U.S. Code to cover all copyrighted works in the felony provisions. The penalty threshold was set at up to $250,000 and up to five years in prison (ten years for repeat offenders).

The federal law has been further expanded to criminalize copyright violation not only in cases of commercial advantage or financial gain, but also by copying or distributing any work with a retail value of $1000 or more even if not done for profit. In addition, it applies to distributing "a work being prepared for commercial distribution" (regardless of value and whether or not for profit) by making it available on a publicly accessible computer network.

It's important to understand that those penalties are per incident, so that if, for example, you pirated three different songs, you could theoretically be fined $750,000 and receive three five-year prison sentences. How likely is that to happen? Not very. The FBI is charged with enforcing the criminal copyright statutes and in an age of terrorism, pedophilia and other crimes that place human life in danger, they rarely bring charges against individuals sharing small numbers of digital files at no profit.

The message sent by the legal system is obviously mixed. The severity of the penalties indicates that the government takes copyright violation very seriously indeed - but the fact that the laws usually go unenforced causes people to ignore the law and not take it seriously.

Ignorance of the law

Federal, state, and even local legislators are scrambling to keep ahead of the technological curve being thrown at them by a tech industry where new developments occur rapidly. They're passing record numbers of new laws every year, and more and more of those relate in some way to computer and Internet usage. What was legal last year might be illegal today. Even if you do take breaking the law seriously, you might not always know you're doing it because it can be so difficult to keep up with all the changes.

In many states, statutes prohibiting unauthorized access apply to accessing the network, even if you don't access any files on the computers on that network. Connecting to an open, unsecured Wi-Fi network to use its Internet connection is a felony in some jurisdictions.

We've all heard that "ignorance of the law is no excuse" and most states even codify that in the law. For example, Texas Penal Code section 8.03 says "it is no defense to prosecution that the actor was ignorant of the provisions of any law after the law has taken effect." This is called a mistake of law. On the other hand, depending on how the statute you're charged with violating is written, ignorance of the facts may get you off the hook (but the burden will be on you to prove your ignorance).

So what's the difference? It's all about the culpable mental state. Most criminal offenses require that the offender have a specific level of knowledge or intent to do whatever action constitutes the crime. That means if you intentionally connect to someone else's wireless network knowing that it's not your network, you're committing an offense, even if you don't know that connecting to someone else's network is illegal. However, if your computer automatically connects to the network without your knowledge, or if the other network has the same network name as your own so you think you're connecting to your own network, you don't have the knowledge or intent that is a required element of the offense.

Remember that you need to check your own state laws but as an example, under Texas law, this is called a mistake of fact, and Penal Code section 8.02 says "It is a defense to prosecution that the actor through mistake formed a reasonable belief about a matter of fact if his mistaken belief negated the kind of culpability required for commission of the offense."

Now, a defense to prosecution is just that: an issue that you can raise in court if you're arrested and brought to trial which, if you can prove it, will result in acquittal. A defense to prosecution does not mean the arrest wasn't lawful. The police are within the law to arrest and charge you as long as they have probable cause that you did, in fact, connect to someone else's network. And under most statutes, they do not have to show that you did any damage or even used any Internet bandwidth. Simply connecting to a network without authorization is enough to make you a criminal.

Above the law

Just as police officers sometimes act as if the traffic laws don't apply to them - even when they're off-duty, driving their personal vehicles - some IT professionals seem to believe they're above the law when it comes to things like unauthorized access by virtue of their positions, expertise, or good intentions. We've all heard of the hackers who break into supposedly secure networks just to demonstrate that it can be done, ostensibly for the purpose of motivating the owners to increase their security.

Some might argue that this is the only way to get the attention of those in charge of the network's security. However, just as you can't expect to carry a bomb (even a fake bomb) onto a plane to "help" the airline understand its vulnerabilities and not get thrown in jail, doing penetration testing of a network or system without its owner's permission is likely to result in criminal charges if you're caught.

The bottom line

If you're the typical techie, you probably take some cybercrimes very seriously and others, not so much. There is a danger that when some laws are seen as silly, or penalties are out of proportion to the seriousness of the crime, or the laws are on the books but blatantly disregarded by a large portion of the population and not enforced, there will be an overall erosion of respect for all law. That's why we need to support a policy of carefully thinking through any new legislation before enacting it. It's easy to say "there oughta be a law," but legal restrictions on how you can use a tool such as a computer or the Internet should not be knee-jerk, feel-good reactions that end up doing nothing to solve the real problems and, instead, penalizing people who are doing no harm to anyone.

What do you think of the computer-related laws we have now? Are there too many with penalties that are too severe? Or do you think we need more laws and harsher punishments? Should the cybercrime laws be standardized across the country to eliminate the confusion caused by different state statutes, or should jurisdiction for all cybercrime be relegated to the federal government only? Or should the Internet be a virtual "wild west" where anything goes?

By Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...