Cybercrime is an international pandemic, as the global cost of cybercrime reached $600 billion in 2017. Some analysts estimate that by 2021, cybercrime damage will cost countries, companies, and people $6 trillion.
A cybercrime is a crime using a computer, such as using it to sabotage or steal electronically-stored data. The Department of Justice broadly defines computer-related crime to include crimes that use or target computer networks. Defining a “computer crime” is difficult because it can include traditional crimes committed with the use of a computer and technology-specific criminal behaviors, such as fraud involving electronic devices and email.
In this module, we’ll look at cybercrimes. We’ll learn how the Department of Justice classifies such crimes, discuss constitutional concerns with prosecuting cybercrimes and survey state and federal statutory responses to the global escalation of cybercrimes.
Prosecutors and law enforcement officials rely on traditional criminal laws as well as technology-specific federal legislation, such as the Computer Fraud and Abuse Act, to address cybercrimes and pursue criminals.
The Department of Justice divides computer-related crimes into three categories according to the computer’s role in the crime in question:
- crimes where a computer is the “object” of a crime;
- crimes where a computer is the “subject” of a crime; and
- crimes where a computer is an “instrument” used to commit traditional crimes.
Crimes where the computer is the object include traditional crimes, such as the theft of computer hardware or software. The federal government can prosecute a computer hardware thief under the federal statute that regulates the interstate transportation of stolen or fraudulently obtained goods.
Second, a computer may be the “subject” of a crime, which means the computer is the physical site of the crime, or the source of, or reason for, the asset loss. Over the last twenty years, computer programmers and criminals have become increasingly sophisticated in developing new ways in which computers are the crimes’ subjects. This category includes:
- spam: or unsolicited bulk commercial email from a party with no preexisting business relationship, which may be illegal in some contexts;
- sending computer viruses;
- Trojan horses: programs with legitimate functions that have malicious code;
- sniffers: programs that log all activity across a network, including the exchange of passwords, credit card numbers, and other personal information;
- denial of service attacks: where hackers bombard the target website with an overwhelming number of simple requests for connection and render the site unable to respond to legitimate users; and
Cyberterrorism is the use of computer technology to make unlawful attacks and threats of attack against computers, networks, and electronically stored information, to cause the target to fear or experience harm. One of the most devastating episodes occurred in April 2007, when spammers hit Estonia with major cyberattacks that disabled and shut down banks, media outlets, and government agencies throughout the country for weeks on end. Cyberterrorism threatens the privacy and economic security of people and multinational companies and the national security of countries. In 2016, a 20-year old citizen of Kosovo pled guilty to providing material support to the Islamic State of Iraq and the Levant, a designated foreign terrorist organization, after accessing a protected computer without authorization and launching a cyberattack to gain access to the identities of U.S. military personnel. He then shared the information with ISIL members in an attempt to incite terror attacks.
A third category of cybercrimes is when a computer may be used as an “instrument” to commit crimes such as identity theft, money laundering, narcotics trafficking, cyber-stalking, copyright infringement and wire fraud.
Cybercrimes and Freedom of Speech
Several constitutional issues arise in the context of computer crimes. Some concern the First Amendment while others involve the Fourth Amendment.
Let’s start by looking at the First Amendment. Courts protect the same forms of speech in cyberspace that they do in the non-cyberspace world. Hate and racist speech in the form of tweets, Facebook posts, and other online communication receive the same protection on the Internet as they have always received under traditional First Amendment analyses. At the same time, courts have carved out exceptions for threats, spam, and child pornography.
One federal statute makes it a federal crime to transmit, through interstate commerce, a threat to kidnap or injure anyone. This law makes it illegal for a person to send threatening e-mail messages to a victim, publicly announce an intention to commit an act that is racially motivated on the Internet or send persistent and malicious emails motivated by a desire to cause substantial emotional or physical harm to another. Still, this law is very narrowly construed. In Elonis v. United States, a lower court convicted Anthony Elonis under this statute for posting threats on Facebook to injure coworkers, the police, his wife, and a kindergarten class. The Supreme Court overturned his conviction, holding that to convict someone who threatens another, there must be proof of subjective intent to threaten. It’s insufficient to merely show that a reasonable person would have recognized the communication as a genuine threat.
With Elonis as guidance, in 2016, a federal appeals court affirmed the conviction and a seven-year sentence of a person for transmitting threats via email for an extortion scheme. The court reasoned that there was enough evidence to establish that the defendant made a “true threat” against the victim because the defendant sent numerous e-mails, saying “pay up, or else,” threatening his former wife with “probably being hospitalized” and threatening “something violent potentially happening to her around her baby.”
The First Amendment doesn’t protect the online dissemination of child pornography. Congressional attempts to combat child pornography may, however, violate the First Amendment if the statute limits other forms of protected speech. In Reno v. American Civil Liberties Union, the Supreme Court struck down parts of the Communications Decency Act of 1996. It held that legislation violated freedom of speech when it required Internet content providers to estimate the age of those who communicate online and to tag their communications as potentially indecent or offensive prior to engaging in “cyberspeech.”
On the other hand, the Court has upheld the constitutionality of the Prosecutorial Remedies and Other Tools to end the Exploitation of Children Today Act aimed at child pornography, including its prohibition against advertisement, distribution, and solicitation of pornography that reflects a belief or induces others to believe that the material depicts real children. It reasoned that the First Amendment does not prohibit a ban on “virtual child pornography” that appears to depict minors but were produced by means other than using real children, such as using youthful-looking adults or computer-imaging technology. The government may prosecute someone who possesses virtual child pornography and advertises it as actual child pornography.
Finally, spam e-mail is not a protected form of speech under the First Amendment. The Controlling the Assault of Non-Solicited Pornography and Marketing Act and many state laws have addressed spam or unsolicited email. The Court of Appeals for the Fifth Circuit held that a law prohibiting the transmission of the spam targeted and punished only unprotected, intentionally misleading commercial speech, and thus was not too vague or overbroad to be enforceable. The federal act excluded commercial speech that was not misleading and all political or charitable speech, which are protected forms of speech.
Cybercrimes and The Fourth Amendment
Now, let’s move to the crossroads of cybercrimes and the Fourth Amendment, which prohibits “unreasonable searches and seizures” by the government. With the ever-expanding nature of the Internet and technology in people’s lives, courts have analyzed the limits of privacy and computer crime prosecutions. The Fourth Amendment protects legitimate expectations of privacy. In the landmark case, Katz v. United States, the Supreme Court established the general test for determining whether government activity rises to the level of a search: government conduct must offend the person’s subjective expectation of privacy, and that privacy interest must “be one that society is prepared to recognize as “reasonable.”
Courts then need to apply this reasonable expectation of privacy rule in cybercrimes cases. In 2014, the Supreme Court issued a landmark decision holding that warrantless searches of a suspects’ cell phones were not allowed, even when the owners were being arrested. The contents of the phone fell outside of normal rule allowing a “search incident to a lawful arrest” because modern cells phones are like mini-computers with large storage capacities. Smart phones contain many details of a person’s private life through photographs, emails, and other content.
The issue of privacy and email has emerged in other contexts, as well. In 2014, a New York federal court held that a defendant had a reasonable expectation of privacy in the content of emails and private online chat sessions, even though his Internet Service Provider facilitating the communications warned the defendant, through its policies, that it might be monitoring his activity.
There is also a reasonable expectation of privacy in the content of one’s emails. In a 2010 case, the government prosecuted the founder and CEO of an herbal supplement company for conspiracy to commit mail and wire fraud and money laundering. The Sixth Circuit ruled that a defendant enjoyed a reasonable expectation of privacy in his e-mails and that government agents violated the defendant’s Fourth Amendment rights by compelling his company’s Internet Service Provider to turn over emails without first obtaining a search warrant based on probable cause. Still in that case, the emails were properly admitted because the agents relied in good faith on the provisions of the Stored Communications Act to obtain the emails.
Statutes Targeting Cybercrimes
The federal and state governments have enacted laws to address cybercrimes. The Computer Fraud and Abuse Act of 1986 sets forth specific computer-related crimes. The main prohibitions are:
- knowingly accessing computer files without authorization;
- intentionally accessing a nonpublic computer belonging to a U.S. department or agency without authorization;
- knowingly accessing a protected computer with the intent to defraud and obtain something of value;
- computer hacking; and
- knowingly trafficking passwords, or information that similarly facilitates unauthorized access, with intent to defraud.
In 2010, a federal appeals court upheld the conviction of a former Social Security Administration employee who accessed agency records for nonbusiness reasons. The former employee had accessed personal identifying information, such as birthdates and home addresses, of seventeen people for non-business reasons, including women in whom he had romantic interest. The appeals court held that the district court properly imposed a 12-month prison sentence.
Another relevant Act is the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, sometimes known as the CAN-SPAM Act, which addresses spam e-mail. Unsolicited emails are often the initial means for a criminal to contact and solicit a prospective victim or to commit identity theft by deceiving a victim into sharing personal information. This act covers all commercial messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service,” including emails that promote content on commercial websites. The law makes no exception for business-to-business email.
This Act imposes several requirements on email marketing, the most powerful of which is that an email must include an “opt out” requirement, meaning the email must show a recipient, clearly and conspicuously, how to opt out of receiving future emails. The sender must honor a recipient’s opt-out request within ten business days.
The Federal Trade Commission enforces act violations as unfair and deceptive trade practices. The FTC can seek civil penalties of up to $16,000 per e-mail that violates CAN-SPAM, with no maximum penalty. The federal government can also bring criminal actions. One federal appeals court upheld convictions for two people who were sentenced to 78 months and 63 months, respectively, for violating the act by sending unsolicited bulk e-mails and spam advertising adult websites.
Third, Congress enacted the Undertaking Spam, Spyware, and Fraud with Enforcers Beyond Borders Act of 2006, known as the SAFE WEB Act, to strengthen the FTC’s ability to enforce federal laws outside of the United States. The SAFE WEB Act provides for international cooperation, but enforcement overseas remains a challenge for law enforcement officials.
Finally, let’s consider the Electronic Communications Privacy Act of 1986. Congress passed this law to “update our legal privacy protections and bring them in line with modern telecommunications and computer technology.” This act makes it illegal to intentionally intercept electronic transmissions and regulates crimes with no close “traditional crime” analog, such as hacking. The act curbs hacking activities by fortifying computers users’ privacy rights and by allowing law enforcement to conduct electronic surveillance to investigate computer crimes. However, the Act hasn’t been significantly reformed since 1986, so it doesn’t offer meaningful electronic privacy protections for new technologies such as mobile phones and cloud computing.
 Lynette Lau, Cybercrime ‘pandemic’ may have cost the world $600 billion last year (Feb. 22, 2018), https://www.cnbc.com/2018/02/22/cybercrime-pandemic-may-have-cost-the-world-600-billion-last-year.html.
 Steve Morgan, Top 5 Cybersecurity Facts, Figures, and Statistics for 2018, CSO (Jan. 23, 2018), https://www.csoonline.com/article/3153707/security/top-5-cybersecurity-facts-figures-and-statistics.html.
 Black’s Law Dictionary (10th ed. 2014).
 Criminal Division’s Computer Crime and Intellectual Property Section Celebrates 20 Years, Dep’t of Justice, Off. of Public Affairs (Oct. 31, 2016), https://www.justice.gov/opa/pr/criminal-division-s-computer-crime-and-intellectual-property-section-celebrates-20-years.
 Reporting Computer, Inter-Related, or Intellectual Property Crime, Dep’t of Justice, Computer Crime & Intellectual Property Section, https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime.
 Computer Fraud and Abuse Act, 18 U.S.C. 1030.
 Caroline Fehr, Computer Crimes, 53 Am. Crim. L. Rev. 977, 979 (2016).
 Nat’l Inst. ofJust., Dep’t of Justice, Computer Crime: Criminal Justice Resource Manual 2(1989)
 Michael Hatcher, et al., Computer Crimes, 36 Am. Crim. L. Rev. 397, 401 (1999).
 18 U.S.C. §2314.
 Michael Hatcher, et al., Computer Crimes, 36 Am. Crim. L. Rev. 397, 401 (1999).
 Matthew B. Prince & Patricia A. Shea, After CAN-SPAM, How States Can Stay Relevant in the Fight Against Unwanted Messages:How a Children’s Protection Registry Can be Effective, and is Not Preempted,Under the New Federal Anti-Spam Law, 22 J. Marshall J. Computer & Info. L. 29, 31-32 (2003).
 Richard Esposito & Jason Ryan, FBI: Crime Ring Stole $70 Million Using Computer Virus, ABC News (Oct. 1, 2010), https://abcnews.go.com/Blotter/fbi-crime-ring-stole-70-million-computer-virus/story?id=11777873.
 Troy Denkinger, The Basics of Sniffing, the Sysadmin’s Eye Inside the Network, Chi. Trib. (Apr. 6, 2000), http://articles.chicagotribune.com/2000-04-06/news/0005260051_1_configuration-ethernet-local-area-network.
 Neal KumarKatyal, Criminal Law in Cyberspace,149 U. Pa. L. Rev. 1003, 1026-27 (2001)
 Warwick Ashford, Ransomware Was Most Popular Cyber Crime Tool in 2017, ComputerWeekly.com (Jan. 25, 2018), https://www.computerweekly.com/news/252433761/Ransomware-was-most-popular-cyber-crime-tool-in-2017.
 Michael L. Gross, et al., Cyberterrorism: Its Effects on Psychological Well-being, Public Confidence and Political Attitudes, 3 J. Cybersecurity 49, 50 (2017), https://academic.oup.com/cybersecurity/article/3/1/49/2999135.
 Damien McGuinness, How a Cyber Attack Transformed Estonia, BBC News (April 27, 2017), http://www.bbc.com/news/39655415.
 ISIL-Linked Hacker Pleads Guilty to Providing Material Support, U.S. Department of Justice, Office of Public Affairs (June 15, 2016), https://www.justice.gov/opa/pr/isil-linked-hacker-pleads-guilty-providing-material-support.
 Joseph Audal, et al., Computer Crimes, 45 Am. Crim. L. Rev. 233, 239 (2008).
 Christine Licalzi, Computer Crimes, 54 Am. Crim. L. Rev. 1025, 1038 (2017).
 18 U.S.C. §875.
 Elonis v. United States, 135 S. Ct. 2001, 2005-06 (2015).
 Id. at 2017-18.
 United States v. White, 810 F.3d 212, 216 (4th Cir. 2016).
 Id. at 228.
 Communications Decency Act of 1996, Pub. L. No. 104-104, 110 Stat. 56 (Feb. 8, 1996).
 Reno v. ACLU, 521 U.S. 844, 878-84 (1997).
 ProsecutorialRemedies and Other Tools to end the Exploitation of Children Today Act, Pub. L. 108-21, 117 Stat. 650 (April 30, 2003).
United States v. Williams, 553 U.S. 285, 293 (2008).
 Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Pub. L. 108-187, 117 Sat. 2699 (Dec. 16, 2003).
 United States v. Simpson, 741 F.3d 539, 550-51 (5th Cir. 2014).
 U.S. Const. amend. IV.
 Katz v. United States, 389 U.S. 347, 361 (1967).
 Riley v. California, 134 S. Ct. 2473, 2484-85 (2014).
 United States v. DiTomasso, 56 F. Supp. 3d 584, 592-93 (S.D.N.Y. 2014)
 United States v. Warshak, 631 F.3d 266, 274 (6th Cir. 2010).
 Computer Fraudand Abuse Act of 1986, Pub. L. 99-474, 100 Stat. 1213 (Oct. 16, 1986).
 Caroline Fehr, Computer Crimes, 53 Am. Crim. L. Rev. 977, 1011-12 (2016).
United States v. Rodriguez, 628 F.3d 1258, 1260 (11th Cir. 2010).
 Controllingthe Assault of Non-Solicited Pornography and Marketing Act of 2003, Pub. L. 108-187, 117 Stat. 2699 (Dec. 16, 2003).
 Mark W. Brennan, Complying with the CAN-SPAM Act, Lexis Practice Advisor Journal (Nov. 8, 2016), https://www.lexisnexis.com/lexis-practice-advisor/the-journal/b/lpa/archive/2016/11/08/complying-with-the-can-spam-act.aspx.
 United States v. Kilbride, 584 F.3d 1240, 1245 (9th Cir. 2009).
 Undertaking Spam, Spyware, and Fraud with Enforcers Beyond Borders Act of 2006, Pub L. 109-455, 120 Stat. 3372 (Dec. 22, 2006).
 Electronic Communication Privacy Act of 1986, Pub. L. 99-508, 100 Stat. 1848 (Oct. 21, 1986).
Statements on Introduced Bills and Joint Resolutions,132 Cong. Rec. S7991 (June 19, 1986).
 Alan Wehler, The Feds Need To Stop Using a 30-Year-Old Law To Access User Data Online, The Hill (Oct. 23, 2017), http://thehill.com/opinion/technology/356668-the-feds-need-to-stop-using-a-30-year-old-law-to-spy-on-users-online.