Adapting the Law to the Online Environment
Formulating unique conception of the Web in “Weaving the Web” Berners-Lee emphasized that the intention was to create a system with “one fundamental property: it had to be completely decentralized.” In the vision of Berners-Lee: “That would be the only way a new person somewhere could start to use it [the Web] without asking for access from anyone else”. In the initial years of the Web’s functioning, Berner-Lee’s ideal of a highly decentralized universal system has been shared by tens of millions of people around the
world who have appreciated and marveled at an invention that makes it unexpectedly easy for anyone with a computer to connect with anyone else with a computer, anywhere in the world, and to store and send information almost at will. But the Internet and the Web have also moved to the center of attention for governments, business leaders, lawyers and judges, police forces and military establishments, and anyone else dependent on the rule of law and authority structures in modern society.
This is a result of the ability and tendency of Internet users to simply skirt or leap over many of the rules and institutions designed to maintain order in the pre- Internet world. Previously designed rules and legal structures enacted for slower-paced, relatively public tangible transactions in a world rimmed everywhere with borders (local, provincial, national) suddenly were challenged as never before when the Internet made it physically conceivable to carry out transactions of almost any kind in a manner simultaneously immediate, anonymous, inexpensive, and seemingly borderless.
However, the process of certain democratization, overcriminalization and simply lazier-affair went beyond predictable limits – internet identity theft, credit card fraud, controversies with gambling and online porn reveal significant need to adapt the law to online environment, to analyze the specifics of cyber crimes and to create effective regulatory norms.
Traditional Crime and Cyber Crime: Defining Boundaries
From the primary perspective, the Internet imitates and, in most cases, runs parallel to what is often happening in normal life, therefore, it is no wonder that the law had to take account of this new parallel of real life. Hence the frequent appeals for “cyberlaw” or “cyberspace law.” Simultaneously, the imitation of life by the Internet does not completely transcend existing forms of activities in their entirety. Thus while electronic forms of information are the hallmark of the Internet and tend to undermine tangible media, or even render them obsolete, prior forms of information may coexist alongside them, albeit uneasily and suffering permanent corrosion. In so far as it is not possible to divine the extent to which the Net will generate parallel or independent forms of activity, the development of the appropriate law cannot be predictable.
One has to determine in each specific sphere of activity how far the parallels go and how big or small the change over the normal may have been before working out the legal response. Consequently, the lack of time or resources cannot be the main reasons for the non-development of Internet law, as Edwards and Waelde suggest, although they recognize, somewhat indirectly that the Internet is still developing and so must the Internet law. Edwards and Waelde view “Internet Law” as being a result of (the usual) adaptation process that the law undergoes to catch up with new technological phenomena.
They regard Internet Law as a necessity, contrary to the “core pragmatic” perception of those they refer to as looking upon the Internet as law-free. And although the regulation of Internet content, transactions and activities seems to be logical and self-evident, the problems start appearing from the very definition of cyber crime.
Black’s Law Dictionary defines a “crime” as a “social harm that the law makes punishable; the breach of a legal duty treated as the subject-matter of a criminal proceeding.” Anglo-American criminal law has for centuries possessed a set of definitions of “crimes” that encompass the varied categories of social harms humans can inflict on one another, for instance homicide, rape, robbery, arson, vandalism, fraud, child abuse, etc. According to Susan Brenner, criminal law does not typically differentiate offenses based upon the instrumentalities that are used in their commission; we generally do not, for example, divide homicide into “murder by gun,” “murder by poison,” “murder by strangulation” and so on.
As Brenner points out, criminal law does treat the use of certain instrumentalities as “aggravating factors,” the use of which can result in an enhanced sentence upon conviction; this is how criminal law generally deals with using a firearm or other dangerous instrumentality in the commission of a crime. This approach could, perhaps, have been taken with regard to cyber crime; we could simply define hacking as a type of trespass, analogous to real-world trespass. The “crime” of real-world trespass is gaining access to a physical space – a building or a parcel of land – without authorization. We could have pursued hacking in an analogous fashion, perhaps prosecuting it as trespass and then characterizing the use of computer technology as an aggravating factor.
However, that is not the approach the law has taken and is taking to the use of computer technology to inflict social harms. What is emerging is a division between traditional crimes (trespass, burglary, theft, stalking, etc.) and cyber crimes. The latter encompass the use of computer technology to commit either (a) social harms that have already been identified and outlawed generically (trespass, burglary, theft, stalking, etc.) or (b) new types of social harm that do not fall into traditional “crime” categories.
It is necessary to adopt cyber crime-specific laws for the first category of conduct because, as Brennan’s hacking-trespass example illustrates, computer technology can be used to commit social harms in ways that do not fit comfortably into our existing offense categories. Another Brennan’s example of a denial of service attack simply eludes conventional criminal law: it is not theft; it is not extortion; it is not blackmail; it is not vandalism or trespassing or any other “crime” that has so far been defined. We must, therefore, define new “cyber crimes” to encompass denial of service attacks and other “new” varieties of criminal activity.
In conceptualizing the varieties of cyber crime, it is helpful to divide them into three categories offered by Marc Goodman: crimes in which the computer is the target of the criminal activity, crimes in which the computer is a tool used to commit the crime, and crimes in which the use of the computer is an incidental aspect of the commission of the crime. When a computer is the target of criminal activity, the perpetrator attacks an innocent user’s computer or computer system either by gaining unlawful access to it or by bombarding it from outside.
Cybercrimes that fall into this category include simple hacking (gaining access to a computer system or part of a computer system without authorization) and aggravated hacking (gaining access to a computer system or part of a computer system without authorization for the purpose of committing a crime such as copying or altering information in the system). The target cybercrimes also include denial of service attacks and the dissemination of viruses, worms and other types of malware. The cyber crimes in this category tend to be “new” crimes and therefore generally require new legislation.
A computer or computer system can also be the instrument that is used to commit what is essentially a traditional crime. Cybercrimes in which a computer is the tool used to carry out criminal activity include online fraud, theft, embezzlement, stalking and harassment, forgery, obstruction of justice and the creation or dissemination of child pornography. These are conventional crimes, but it may be difficult to prosecute online versions of these crimes using existing substantive law; a jurisdiction’s theft statute may not, for example, encompass a “theft” of intangible property when the theft consists of copying the property, instead of appropriating it entirely. In State v. Schwartz, Oregon State of Appeal held that “…by copying the passwords, defendant stripped them of their value.” Jurisdictions may therefore find it necessary to amend their existing substantive criminal law to ensure that it can be used against these cyber crime variants of traditional crimes.
The last category consists of cyber crimes in which the use of a computer or computer system is incidental to the commission of the crime. This category includes, for example, instances in which a murderer uses a computer to plan a murder or lure the victim to the murder scene; it can also include a blackmailer’s using a computer to write extortion letters to his victim or a drug dealer’s using a computer to monitor his sales, inventory and profits. Here, the computer is merely a source of evidence and new substantive criminal legislation is generally not needed. The cases in this category can, however, require new law to resolve procedural issues such as the processes used in gathering evidence of cyber crimes.
The basic federal cyber crime provision is 18 U.S. Code § 1030; among other things, it criminalizes hacking, cracking, computer fraud and the dissemination of viruses, worms and other types of malware. The statute accomplishes this by directing its prohibitions at conduct that targets a “protected computer” and then defining “protected computer” as a computer encompassed by federal jurisdiction. Section 1030 defined a “protected computer” as either (a) a computer used exclusively by a financial institution or the federal government or used nonexclusively by a financial institution or the federal government if the conduct constituting the crime affects its use by the financial institution or federal government; or (b) a computer used in interstate or foreign commerce or communication. The notion of basing the statute’s prohibitions on conduct directed at a “protected computer” was introduced when § 1030 was amended in 1996; until then, it criminalized conduct that was directed at “federal interest computers,” i.e., computers used by the federal government or located in more than one state.
The 1996 amendment broadened § 1030’s reach; it now encompasses conduct directed at any computer connected to the Internet. In 2001, the Patriot Act amended § 1030 to make it clear that the statute can be used to prosecute criminal conduct which occurred outside the United States, a position the Department of Justice had long taken, for instance in case United States v. Ivanov. The Patriot Act expanded the definition of a protected computer to include computers used in interstate or foreign commerce that are located outside the United States if they are “used in a manner that affects interstate or foreign commerce or communication of the United States.”
Problematic Aspects: Copyright, Child Pornography, Identity Fraud in Internet
In order to address the problems in regulation of online environment more effectively, this paper aims to focus on several most problematic aspects of the issue – copyright violations, child pornography and identity theft or credit card fraud. Defined by Culberg, copyright is “a legal device giving the author (or holder of the copyright) the exclusive right to control the reproduction of his or her intellectual creation” for a specific period of time. Copyright law in the United States derives from the U.S. Constitution and is therefore exclusively federal; states do not have the authority to legislate in this area. Defenses to a charge of criminal copyright infringement are, first, that the offense cannot be prosecuted because the five year statute of limitations has run.
Other defenses are the “first sale” doctrine and an argument that the defendant did not act “willfully.” The first sale doctrine lets one who purchased a copyrighted work freely distribute the copy she bought. Under the doctrine, however, the purchaser can only distribute the copy she bought; she cannot copy the purchased item and distribute the copies. Since most computer software is distributed through licensing agreements, the first sale doctrine typically does not apply when someone is charged with software piracy. With regard to the claim that a defendant did not act “willfully,” there is some ambiguity as what is required to show “willfulness.” Courts disagree as to whether it requires an “intent to copy or intent to infringe.”
The newest weapon in the federal arsenal of copyright statutes is the Digital Millennium Copyright Act, which added two sections to title 17 of the U.S. Code. Section 1201 makes it unlawful to circumvent measures used to protect copyrighted works, while § 1202 makes it unlawful to tamper with copyright management information. Another new section, 17 U.S. Code § 1204, creates criminal penalties for violating either sections 1201 or 1202 of the DMCA. The first criminal prosecution under the DMCA was filed in 2001 against Dmitry Sklyarov, a Russian citizen, and his employer, Elcomsoft, Ltd. They were charged with violating 17 U.S. Code § 1201(b) (l) (A), by trafficking in technology designed to circumvent the rights of a copyright owner, and with violating 17 U.S. Code § 1201(b) (l) (C), by trafficking in technology marketed for use in circumventing technology that protects the rights of a copyright owner.
Another area that is a high priority in federal computer crime prosecutions is child pornography. To understand the current state of the law outlawing child pornography, it is necessary to understand the First Amendment, which states, in part, that Congress is to make “no law …abridging the freedom of speech.” The U.S. Supreme Court has interpreted this part of the First Amendment as prohibiting the criminalization of any but a very few limited categories of speech: “[T]he First Amendment bars the government from dictating what we see or read or speak or hear. The freedom of speech has its limits; it does not embrace certain categories of speech, including defamation, incitement, obscenity, and pornography produced with real children.”
From the critical as well statistical perspective, child pornography appears a relatively recent addition to the list. However, the rise of computer technology raised concerns about “virtual” child pornography, i.e., pornography created using morphed or other artificial images of children, and in 1996 Congress adopted the Child Pornography Prevention Act, codified as 18 U.S. Code § 2251. This Act extended the prohibitions on manufacturing, possessing and distributing child pornography to encompass pornography that featured not only “real” children but what “appeared” to be a real child. In 2001, a coalition of free speech advocates challenged these provisions of the federal child pornography statutes; they argued that because no “real” children are harmed in the creation of “virtual” child pornography, it does not fall under a category of speech that cannot constitutionally be criminalized.
When the case was before the Supreme Court, the Department of Justice argued that virtual child pornography can be criminalized because (a) pedophiles use it to seduce children into sexual acts and (b) it stimulates pedophiles into molesting children. The Supreme Court rejected these arguments and held that the prohibition of virtual child pornography violated the First Amendment, so the statutory provisions at issue were unconstitutional and unenforceable.