Computer Crime:                  Current Practices, Problems and Proposed Solutions          Second Draft          Brian J. Peretti               It would have been surprising if there had been satisfactory          road traffic legislation before  the invention of the  wheel, but          it would also have been surprising  if the law on the passage  of          laden  donkeys  proved  entirely  satisfactory  when  applied  to          vehicles.1          I.  Introduction               Within   recent   years,   computer  crime   has   become  a          preoccupation with law  enforcement officials.  In  California, a          group of  West German  hackers2 using  phone lines  and satellite          hookups, gained  unauthorized access into  civilian and  military          computers and  stole sensitive documents  that were  sold to  the          Soviet  Union.3    A  young  New York  programmer  broke  into  a          Washington computer to  run a program that he could  not run from          his personal  computer.4  After  Southeastern Bell Stated  that a          document  published in an  electronic publication5 was  valued at          more than $75,000 the publisher was arrested and brought to trial          before the discovery that  the document could be publicly  bought          from the company  for $12.6  The Chaos Computer  Club, a Hamburg,          Germany,  club,  went   into  government  computers   and  access          information and gave it to reporters.7  In May,  1988, the United          States government launched Operation Sun Devil, which lead to the          seizure  of  23,000   computer  disks  and  40  computers.8    In          addition,  poor police  performance9  has  also  been  blamed  on          computers.               Since  its  creation,  the computer  has  become  increasing          important in society.10   The law, as  in the past, has  not been          able   to  evolve   as   quickly   as   the   rapidly   expanding          technology.11  This  lack of movement on the  part of governments          shows a lack  of understanding with the area.  The need to create          a  comprehensive  regulation   or  code  of  ethics   has  become          increasing necessary.               Due   to  the   nature  of   computer   systems  and   their          transnational   connections   through   telephone   lines12,   an          individual  state's action will only stop the problems associated          with computer crime if many  states join together.  The patchwork          of  legislation that  exists  covers  only a  small  part of  the          problem.  To  adequately address computer crime,  greater efforts          must   be  made  within  the  computer  community  to  discourage          unauthorized computer access, countries must strengthen and             co-ordinated  their computer related  laws, as well  as proper          enforcement mechanism created, computer program copyright laws be          enhanced  and computer systems  should be created  to allow those          who wish to  explore computer systems which will  not disrupt the          users of computer systems.               This paper will first set out a definition of computer crime          and  why laws  or regulation  by the  computer community  must be          created.   Section  II will  then discuss  the United  States law          concerning  computer crime and  why it needs  to be strengthened.          Section  III will  discuss the  proposed  Israeli computer  crime          bill, Britain's  Computer Misuse  Act and  Ghana's proposed  law.          Section IV will  discuss what can be done by  both the government          and  computer  owners  and  users  to  make  computer  crime less          possible.          II.  Computer crime               The definition of what constitutes a computer crime has been          the  subject of  much controversy.    A computer  crime has  been          defined as  "any  illegal act  for  which knowledge  of  computer          technology  is  used  to  commit  an  offense."13    The  typical          computer criminal has  been described as between 15  and 45 years          old, usually male, no previous contact with law enforcement, goes          after both government and business, bright, motivated, fears loss          of status  in computer community  and views his acts  as games.14          For the  purposes of  this article, this  will be  the definition          used because of its broad reach.               Estimates regarding how much is lost to computer  crime very          widely15.   In  the only  authoritative  study, the  loss due  to          computer crime  was given  at $555,000,000,  930 personnel  years          lost  and 153 computer  time years lost.16   The  amount of total          incidents for  1988 was 485  resulting in 31 prosecutions17.   In          1987,  there were 335  incidents with 8  prosecutions.18 Security          spent   on  prevention  of   computer  crime  is   becoming  more          commonplace19.               The   most  publicized   danger  to  computer   systems  are          viruses20  and worms.    A virus  is a  code segment  which, when          executed,  replicates  itself   and  infects  another  program.21          These  viruses may  be created  anywhere in  the world22  and may          attack anything.23   A virus may be transmitted  through a trojan          horse24  program.  A  worm exists as  a program in  its own right          and  may spread over  a network via  electronic mail25.   A virus          attacks a program while  a worm attacks the computer's  operating          system.26      The  most  notorious  computer  worm  brought  the          Internet computer network to a halt.27               Computer  virus attacks  may  be overrated.28    It is  said          that the  biggest threat  to computing includes  "not backing  up          your  data, not  learning the  ins and  outs of  your application          programs,  not  putting  enough  memory  in  your  computer,  not          organizing your  hard  disk, [and]  not upgrading  to the  latest          version of  your applications.29   These  computer programs  have          been compared  to the AIDS virus.30   One author has  stated that          the  viruses are used  to both increase the  amount of profits of          computer program producers and anti-virus computer programs.31               Computer  viruses may  also  be  used  to  benefit  computer          systems,  by either  detecting  flaws  in  security  measures  or          detecting other  viruses.32   Virus are  very dangerous,  though.          The effects of a virus called Datacrime, activated on October 13,          1989, brought  down 35,000  personal computers  within the  Swiss          government and several companies in Holland.33               With the opening up of  Eastern Europe, the virus problem is          expected to  increase.34  In  Bulgaria, a country which  does not          have any laws  against computer  viruses, one  new virus  appears          week.35   Computer  viruses  are created  in  countries like  the          Soviet Union  as a way to punish  computer pirates because of the          lack of copyright laws.36               Perhaps  the most dangerous  threat to information contained          in a  computer is  the "leakage" of  radiation from  the computer          monitors.37   With inexpensive  equipment38 a  person can  "read"          the information  off the computer  screen and then  replicate the          information  from the screen in a readable manner.39               The threat of attack on a computer system can also come from          a  hacker.   A  hacker  is  a  person  who breaks  into,  whether          maliciously  or not, computers  or computer systems.40   A hacker          can, if the system is not adequately secured, cause havoc  in the          computer  by either  deleting  or altering  programs  or data  or          planting  logic  bombs  or  viruses  in  the  computer  system.41          Threats  from hackers  to plant  viruses  have been  made in  the          past.42  The  threat from computer hackers, as  with viruses, has          been said to be overrated.43               The issues surrounding computers still have not been decided          by those within  the computer community.  Whether  or not persons          should  be   allowed   to   access   computer   systems   without          authorization  is still a subject  of debate within the computing          community.    A West  German  Computing  Club, called  The  Chaos          Computing Club, holds the belief that it is not improper to enter          any system  which they can  gain access to  and to "look"  around          inside of  the  system as  much as  they wish.44    They do  not,          however,  condone destroying or  altering any of  the information          within  the  system.45      On the  other  side,  represented  by          Clifford Stoll, when individuals break into computer systems they          disrupt the trust  that the computer system is  based on.46  This          breach of trust  not only makes operating the  system tougher for          the manager in control  of the system, but also will decrease the          amount  of  use  of  the  system  so  less  information  will  be          transferred within the system.47               There is also conflicting views as to whether the authors of          computer  viruses should  be punished.    Marc Rotenberg48  holds          the  belief  that  a  virus  should be  granted  first  amendment          protection  in some  instances.49   In  response to  the Internet          worm, there were 21 editorials that stated that the attack showed          the  need for  more security  in  computers while  there were  10          letters  to  editors  that  stated that  the  creator  should  be          applauded rather  then punished.50   They argue  that this  was a          good way to  raise consciousness concerning computer  security.51          Alan Solomon, a consultant who specializes in virus detection and          eradication,   believes   that   viruses   are,   at   most,   an          inconvenience.52          III.United States Computer Legislation               The  United  States  government53  and  most  states54  have          computer crime laws.   In 1979, only six states had  such laws.55          Almost every  computer  crime will,  in addition  to violating  a          state and/or  federal law,  can  also be  prosecuted under  other          laws.56               A.   Computer Fraud and Abuse Act.               Congress originally  enacted the  Counterfeit Access  Device          and  Computer Fraud and  Abuse Act57   to address  the problem of          computer crime.  Understanding that the scope of the original law          was  too narrow,58  in 1986  Congress enacted  amendments  to the          Computer Fraud  and Misuse  Act of 1984.59   The  Act essentially          lists  acts that if  done with a  computer are illegal.   The Act          also  makes individuals  culpable  for  attempting  to  commit  a          computer crime.60               In order to commit any  of the crimes mentioned in  the act,          the actor must  have acted either "intentionally"  or "knowingly"          when committing  the act.   The law  addresses national  security          issues  by making a  crime of anyone  using a  computer to obtain          information and  giving the  information to  foreign countries.61          The penalty  for this crime  or its attempt  is 10 years  for the          first offense62  and 20  years for subsequent  offenses63.   If a          person   intentionally   accesses  a   computer   either  without          authorization or in excess  of his authorization and obtains  and          acquires information in  a financial record of  an institution or          information contained in  a financial record of  an individual64,          the person  will  have  committed  a misdemeanor  for  the  first          offense65 and  a  felony for  subsequent  offenses66.   A  person          intentionally   accessing    a   government    computer   without          authorization  which  affects  the   government's  use  of   that          computer67  will have  committed  a  misdemeanor  for  the  first          offense68 and  a felony  for the second  offense.69   Accessing a          computer with  knowledge and  intent to  defraud  and without  or          exceeding authority is a crime  if the person obtains anything of          value  other  than  use  is  a felony70.    Accessing  a  federal          interest computer  without  authorization  and  either  modifying          medical records or causing $1,000  or more worth of damage within          a one year  period71 is  punishable with  up to 5  years for  the          first offense72 and 10 years for any subsequent offense.73               The Act  also criminalizes  trafficking in  passwords.74   A          person  who knowingly  and with intent  to defraud  traffics75 in          passwords or similar  information may be sentenced for  up to one          year  for the first offense76  and up to  10 years for subsequent          offenses77 if the  computer is used by  or for the  Government of          the   United   States78   or   affects   interstate  or   foreign          commerce.79               B.   Criticisms               It is  important to note  that this statute only  applies to          "Federal interest computers"  as defined by  this section.80   If          a computer is  not this type of  computer, then any of  the above          mentioned crimes  will not  be prosecutable  under this  section.          Congress  intentionally  made the  scope  of the  law  narrow.81          This  section  has  been criticized  as  not  inclusive enough.82          Individual and  corporate computers  which do not  fall into  the          restrictive  definition83 may not  receive the protection  of the          statute.               The  problem  of  computer  viruses  are  not  addressed  by          Act.84  The act  does not punish  those who add information  into          a computer, even though this may do more harm then just accessing          information.   The Congress has  attempted to address  this issue          under two bills85, but neither one has been enacted.               Unauthorized access where there is no theft or damage to the          system  is  not  covered.86    For example,  a  person  access  a          computer  system and looks  at information contained  therein, he          has not committed a punishable crime under the Act.87               Questions have also been brought  up concerning many of  the          undefined terms  within the Act.88  Terms  such as "intentionally          access" and "affects interstate commerce" are among the terms not          defined.89   The  need to  clarify  these terms  is important  so          that an individual will know what action will constitute a crime.          IV.  Legislation From Around The World               A.   Israel Proposed Computer Law               In March 1987, the Israeli Ministry of Justice distributed a          draft of  a comprehensive  computer bill.90   This bill  covers a          wide range of  areas concerning computers91.  The  Act first sets          out  a  list  of  proposed  definitions  for  computer,  program,          software,  information,  thing and  act.   Each  of  these, while          short, are concise and attempt  to give a brief but comprehensive          definition.92               Chapter 2 sets  out a list of offenses  which, if committed,          are punishable.93   A authorized  person commits an act  upon any          computer and knows that the  act will prevent or cause disruption          of   the   proper   operation   is   subject   to   seven   years          imprisonment.94   A  person who,  without  authority, commits  an          act  which precludes  a person  from using  a computer  system or          deprives a person  of using that  system is  punishable by up  to          seven years  imprisonment.95  If  a person  prepares or  delivers          or  operates  software  knowing that  the  software  will produce          faulty results  and "having  reasonable grounds  to assume",  the          person  is punishable  for up  to seven  years.96   The  Act also          addresses those who supply, deliver  or  operates a computer with          faulty data.97               Section 5 applies to those who use a computer to  attempt to          obtain  some "thing"98  or  with  intent  prevents  another  from          obtaining some "thing".99   A  person who  prevents another  from          obtaining  a  "thing"  by  the   use  of  software  may  also  be          punished.100  A  person who deprives a  person of an object  that          contains  software, data or  information and obtaining  a benefit          for himself.101   All of  these crimes contain a  prison sentence          of five years.               A professional who relies on computer outputs that they know          which  are false  is also  subject to  punishment.102   The crime          carries a sentence of five years.103               This chapter does not apply to  all computers, software data          or  information.104   It  only applies  to those  computers, data          or information which  are used, designated to  be used by  or for          (1) the state  or a corporation that is supplying  service to the          public105  or   (2)  "business,  industry,   agriculture,  health          services, or for scientific purposes."106               Perhaps the most novel provision of this proposed law is the          section governing the reporting of  the offenses.  Any person who          is  in  charge  of another  and  has  reason to  believe  that an