II. Criminal Liability: The Real World
¶14 As the previous section explains,
we have come to implicitly assume that there are two kinds of offenses: those
crimes that occur in the real world, and those that occur in the virtual world
of cyberspace.[22] This section describes the legal principles
we use to impose criminal liability for the commission of traditional crimes
committed in the physical world. The
next section considers whether these principles are readily transposable to
cyberspace.
¶15 As an aside, it may surprise some
to learn that the notion of a virtual crime long antedates the rise of
cyberspace. The English Treason Act of
1351, for example, made it a crime to “compass or imagine the death of our lord
the King, or of our lady his Queen or of their eldest son and heir.”[23] This is an example of a “thought crime,” the
commission of which does not require that the perpetrator commit a volitional
act in our shared, external reality which actually causes, attempts to cause,
or threatens to cause harm to someone or something.[24] The Treason Act of 1351 sought to punish
people for their thoughts alone. It is,
however, an historical aberration: Anglo-American law has long rejected the use
of thought crimes, for various reasons.[25]
¶16 Anglo-American law bases criminal
liability on the coincidence of four elements: a culpable mental state (the
mens rea);[26] an
act or a failure to act when one is under a duty to do so (the actus reus); the
existence of certain necessary conditions or “attendant circumstances”; and a
prohibited result or harm.[27] The crime of bigamy illustrates how all
these elements must combine for the imposition of liability. To commit bigamy,
someone must enter into a marriage knowing either that she is already married
or that the person whom she is marrying is already married.[28]
The prohibited act is the redundant marriage, the culpable mental state is the
perpetrator’s knowledge that she is entering into a redundant marriage, the
attendant circumstance is the existence of a pre-existing, valid marriage, and
the harm is the threat bigamous marriages pose to the stability of family life.[29]
¶17 Bigamy does not appear to be a
crime that can become a cybercrime. It does not seem that bigamy can be
committed in cyberspace; for various reasons, including the fact that
marriage—at least as heretofore constituted—is an intrinsically real world
endeavor,[30]
bigamy seems inevitably relegated to the confines of the physical world.[31] But it does appear that other crimes can
make this transition into the virtual world and become cybercrimes.[32] The next section of this article
explores that possibility, examining the structural and functional similarities
between certain crimes and various cybercrimes. To set the stage for that discussion, it is helpful to outline
the essential elements of some of the crimes that can move into the virtual
world of cyberspace.
(1) Burglary
and Criminal Trespass
¶18 Burglary is generally defined as
entering “a building or occupied structure, or separately secured or occupied
portion thereof, with purpose to commit a offense therein, unless the premises
are at the time open to the public or the actor is licensed or privileged to
enter.”[33] The essence of the offense is an unlawful
entry into an area for the purpose of committing an offense, such as theft,
once the entry is complete.[34]
Parsing the offense into its four constituent elements yields this result: the
actus reus is the perpetrator’s entering a building or occupied structure; the
mens rea is his or her doing so with the purpose of committing an offense inside;
the attendant circumstances are that the perpetrator is not legally entitled to
enter the premises in question; and the harm is that he or she unlawfully
enters premises intending to commit a crime inside.[35] One commits criminal trespass, on the other
hand, when, “knowing that he is not licensed or privileged to do so, he enters
or surreptitiously remains in any building or occupied structure, or separately
secured or occupied portion thereof.”[36] The offense of criminal trespass is
completed when the offender enters into or remains in an area to which he or
she does not have a lawful right of access; there is no requirement that the
person intend to commit an offense once the intrusion is complete.[37] Parsing this offense into its constituent
elements yields the following result: the actus reus is the perpetrator’s
entering a building or occupied structure; the mens rea is the perpetrator’s
knowing he or she is not legally entitled to enter the premises; the attendant
circumstances are that the perpetrator is not legally entitled to enter the
premises; and the harm is his or her unlawfully entering the premises.[38]
(2) Forgery
¶19 An offender commits forgery if,
acting with the purpose of defrauding or injuring someone or with the knowledge
that she is facilitating a fraud or injury to be perpetrated by anyone, she
does any of the following: (a) alters a writing of another without the owner’s
authorization; (b) makes, completes, executes, authenticates, issues or
transfers any writing so that it purports to be the act of another who did not
authorize that act, or to have been executed at a time or place or in a
numbered sequence other than was in fact the case, or to be a copy of an
original when no such original existed; or (c) utters any writing which he
knows to be forged in a manner specified in paragraphs (a) or (b).[39]
A “writing” includes “printing or any other method of recording information,
money, coins, tokens, stamps, seals, credit cards, badges, trade-marks, and
other symbols of value, right, privilege, or identification.”[40]
Parsing this offense into its constituent elements produces the following
result: the actus reus is the perpetrator’s altering, making, completing,
executing, authenticating, issuing, transferring or uttering a forged writing;
the mens rea is the perpetrator’s intending to defraud someone or knowing he or
she is facilitating a fraud being perpetrated by someone else; the attendant
circumstances are that the writing was altered; and the harm is that the
perpetrator employs a forged writing to defraud or help defraud someone.[41]
(3) Fraud
¶20 The offense of fraud, or false
pretenses, consists of an offender’s knowingly making “a false representation
of a material present or past fact” to a victim, with the purpose of defrauding
the victim, and thereby causing the victim to transfer property or something of
value to the offender.[42] Fraud differs from theft in that the victim
of fraud voluntarily parts with his or her property, but does so because she
has been deceived by material false representations made by the perpetrator of
the fraud.[43] Parsing this offense into its constituent
elements produces the following result: the actus reus is the perpetrator’s
making a false representation to the victim; the mens rea is the perpetrator’s
making what he or she knows to be a false representation with the purpose of
defrauding the victim; the attendant circumstance is that the representation is
false; and the harm is that the victim is defrauded.[44]
(4) Pornography and Obscenity
¶21 Most states, and the federal
government, outlaw the possession or distribution of pornography, especially
child pornography.[45] The pornography, or obscenity, statutes
essentially make it an offense, often a minor offense, knowingly to display
obscene materials, which will be statutorily defined.[46] Parsing this offense into its constituent
elements yields the following result: the actus reus is displaying obscene
materials; the mens rea is doing so knowingly; the attendant circumstances are
that the material is obscene; and the harm is the dissemination of obscenity.[47]
Child pornography statutes generally make it an offense either to “knowingly
possess” material that “visually or aurally depicts” a child under the age of
eighteen engaged in sexual activity or to bring or cause such material to be
brought into the state or distributes it in the state or publishes or otherwise
issues such material with the purpose of distributing it in the state.[48] Parsing this offense into its constituent
elements yields the following result: the actus reus is possessing, importing,
distributing, publishing or otherwise issuing child pornography; the mens rea
is the knowing possession or the purposeful importing, distributing, publishing
or issuing of child pornography; the attendant circumstances are that the
material is indeed child pornography; and the harms are that children are used
to create child pornography and that child pornography is disseminated to those
who find it appealing.[49] Statutes targeting pornography which do not
include children have a similar structure.[50]
(5) Stalking
¶22 Stalking is a relatively new
offense,[51]
but one that is defined with a fair amount of consistency. Generally, it consists of “on more than one
occasion follow[ing] or [being] in the presence of another person” for no
lawful reason with the purpose of causing death or bodily injury or causing
“emotional distress by placing that person in reasonable fear of death or
bodily injury.”[52] Most statutes do require that the offender’s
conduct have been sufficient to cause a “reasonable person” to fear the
infliction of death or bodily injury on the victim or on one or more members of
the victim’s family.[53] This is known as the “credible threat”
requirement.[54]
Parsing this offense into its constituent elements yields the following result:
the actus reus is the perpetrator’s following the victim or being in the
victim’s presence on more than one occasion for no lawful reason and thereby
communicating a credible threat to harm the victim or the victim’s family; the
mens rea is the perpetrator’s purpose of causing death or bodily injury to the
victim or causing the victim emotional distress by putting him or her in fear
of death or bodily injury; the attendant circumstances are the perpetrator’s
lack of legal justification for what he or she did; and the harm is the fear
and apprehension the victim experiences.[55]
(6) Theft and Embezzlement
¶23 Generally, one commits theft if he
or she unlawfully “takes, or exercises unlawful control over, movable property
of another with purpose to deprive him thereof.”[56] Parsing this offense into its constituent
elements yields the following result: the actus reus is the perpetrator’s
unlawfully taking or exercising unlawful control over the property of another;
the mens rea is the perpetrator’s intention to deprive the lawful owner of his
or her property; the attendant circumstances are that the perpetrator does not
have any legal right to take or exercise control over the property; and the
harm is that the victim is deprived of his or her property.[57]
¶24 Embezzlement, on the other hand,
lies in exploiting a relationship with another to unlawfully take that person’s
property. To prove embezzlement, the
prosecution has to show that the defendant was the victim’s agent and, as such,
was authorized to receive property belonging to the victim, that the defendant
received property in the course of her employment, office, or other fiduciary
relationship with the victim and that the defendant then, knowing the property
was not her own, appropriated it or “fraudulently misapplied it”.[58] Parsing this offense into its constituent
elements yields the following result: the actus reus is the perpetrator’s
appropriating or fraudulently misapplying the victim’s property; the mens rea
is the perpetrator’s knowing that the property was not lawfully his or her own;
the attendant circumstances are that the perpetrator was the victim’s agent
and, as such, authorized to receive property belonging to the victim; the harm
is that the perpetrator deprives the victim of his or her property.[59]
(7) Vandalism
¶25 Vandalism is generally defined as
knowingly causing “damage to or the destruction of any real or personal
property of another” when the actor “does not have the owner's effective
consent” to do so.[60] Parsing this offense into its constituent
elements yields the following result: the actus reus is the perpetrator’s
causing damage to or the destruction of another’s property; the mens rea is the
perpetrator’s acting knowingly; the attendant circumstances are that the
property belongs to someone other than the perpetrator and he or she does not
have consent to inflict damage upon it; and the harm is that an innocent
person’s property is damaged or destroyed.[61]
(8) Inchoate Offenses
¶26 The four elements of a crime also
govern the special category of crimes known as inchoate offenses. The inchoate offenses are attempt,
conspiracy and solicitation.[62] They address conduct that is designed to
result in the commission of a regular, substantive[63]
offense, such as robbery or homicide, but for some reason fails to do so.[64] The failure can occur because the would-be
perpetrator is discovered and apprehended before she can carry out the
contemplated substantive offense (which is often called the “target” offense),
or because intervening circumstances make the commission of the target offense
impossible.[65] The law imposes liability for these
preparatory, incomplete offenses because in each the perpetrator, acting with
the requisite mens rea, engages in conduct that is designed to lead to the
commission of a completed crime. In attempt, the perpetrator has taken steps
such as buying a murder weapon to prepare for committing the target offense;[66]
in conspiracy, the perpetrator has agreed with others that the target offense,
such as murder, will be committed;[67]
and in solicitation, the perpetrator has sought out someone and asked them to
commit the target offense.[68] The law imposes criminal liability even
though the perpetrator did not succeed in carrying out the target offense on
the premise that the inchoate offender’s conduct demonstrates that she is
sufficiently dangerous to warrant the imposition of sanctions.
(9) Non-Offenses: Vigilantism and Terrorism
¶27 It is important to note, at this
point, two activities which, while they often give rise to criminal
prosecutions, do not themselves constitute “crimes.” It is important because both are postulated as the basis for
recognizing new cybercrimes, as is discussed in the next section of this
article.
¶28 The first activity is
“vigilantism,” which is the act of conducting oneself as a “vigilante.” A vigilante is someone who enforces or
attempts to enforce “obedience to the law without [having the] legal authority
to do so.”[69] The law has never recognized a separate
crime of “vigilantism”; instead, vigilantes are prosecuted for the offenses
they commit in the course of their efforts to enforce obedience to the law, for
example homicide or assault.[70]
¶29 The second is terrorism, which is
not a distinct offense because, like vigilantism, it consists of engaging in already-defined
criminal activity—homicide, assault and property destruction being the most
popular forms—to advance a specific political agenda.[71] As one federal statute explains, terrorism
is
¶30 an
activity that involves a violent act or an act dangerous to human life that is
a violation of the criminal laws of the United States or of any State, or that
would be a criminal violation if committed within the jurisdiction of the
United States or of any State; and appears to be intended-(i) to intimidate or
coerce a civilian population; (ii) to influence the policy of a government by
intimidation or coercion, or (iii) to affect the conduct of a government by
assassination or kidnapping.[72]
¶31 Like
vigilantes, terrorists are charged with the underlying offenses they commit in
an attempt to promote their political agenda.[73]
III. Criminal Liability: The Virtual World
¶32 For virtual crimes to exist,
cybercrimes must differ from crimes in some material respect.[74] Both cybercrimes and crimes involve socially
unacceptable conduct for which we impose criminal liability, so the most likely
source of material differences between them is the principles needed to impose
this liability. If cybercrimes differ
in one or more material respects from crimes, the principles used to impose liability
for crimes should not suffice to impose liability for cybercrimes. If, on the other hand, the principles we use
for crimes can be used to impose liability for cybercrimes, they cannot be
discrete entities: cybercrimes would be simply a subset of crimes.
¶33 As the previous section explained,
we define crimes as consisting of four elements: prohibited conduct, culpable
mental state, specified attendant circumstances and a forbidden result or harm.[75] These elements are the method we use to
impose liability for the commission of crimes.[76] To convict someone of a crime, the
prosecution must prove all of these elements beyond a reasonable doubt.[77]
¶34 These elements, and the related
principles we use to operationalize them, were developed to deal with prohibited
conduct occurring in the physical world.[78] The premise that cybercrimes represent a new
legal phenomenon derives from the empirically undeniable fact that they involve
conduct that is committed wholly or partially in a different venue: the virtual
world of cyberspace. And depending on
the offense at issue, cybercrimes may also involve attendant circumstances or
harms that are located in cyberspace.
For the premise that cybercrimes are a new legal phenomenon to be valid,
the locus of criminal conduct (plus attendant circumstances or results) must
constitute a material difference between crime and cybercrime. The premise fails unless making cyberspace
the venue for criminal conduct means we cannot use these elements and
principles to impose criminal liability on cyber-perpetrators. The virtual
situs of the crime must, in other words, put it outside the scope of the
principles we use to impose liability in the real world.
¶35 The only way to determine whether
this is true is to analyze the conduct involved in various cybercrimes to see
if it can be addressed by using traditional principles of criminal
liability. For the above-noted premise
to be valid, one or more of the elements we employ to impose liability on those
who commit crimes in the physical world cannot be applied to him or her because
the element(s) cannot be transposed to encompass conduct occurring in
cyberspace, or, at least, cannot be transposed without undergoing significant
revisions.
¶36 The sections below undertake this
analysis: The first examines seven substantive cybercrimes, each of which
appears to be analogous to a crime that occurs in the real world, plus the
inchoate offenses and two non-offenses.[79] This section analyzes whether these putative
cybercrimes are merely the commission of extant crimes in a new venue, or
whether they are, in fact, entirely new varieties of unlawful conduct.
¶37 The second section goes a step
further: It considers whether there are offenses that are not analogues of
extant offenses but are new, truly virtual crimes. To the extent such offenses exist, they are the most likely
candidates to be true cybercrimes, that is, a new variety of criminal activity,
one outside the ambit of traditional principles of criminal liability.
Cybercrimes:
Crime Analogues?
¶38 The crimes considered below are
discussed in the previous section of this article.[80] This discussion considers whether their
postulated cybercrime analogues actually represent a new variety of criminal
activity: virtual crime. It is ordered,
roughly, on the extent to which each cybercrime occurs outside the confines of
the physical world; it begins with offenses in which the use of cyberspace is
minimal, if not peripheral, and proceeds to those in which it plays a more
central role.
(1) Theft and
Embezzlement
¶39 Theft cybercrimes can involve the
theft of information, the theft of money or property (including computer
hardware or software) and the theft of services (including computer services).[81] Each of these alternatives is conceptually
indistinguishable from the theft one encounters in the real world.
¶40 In the physical world, theft is
someone’s unlawfully taking or exercising unlawful control over property
belonging to another with the purpose of depriving the lawful owner of that
property.[82] In
modern law, “property” encompasses both tangible property (for example, money,
jewels, clothing, and furniture) and intangible property (for example, written
agreements and electricity).[83]
To convict someone of theft under the extant law of crimes, the state must
prove each of these four elements beyond a reasonable doubt:
actus
reus: The perpetrator unlawfully took or exercised unlawful
control over the property of another.
mens
rea: The perpetrator acted with the purpose of depriving the
lawful owner of property.
attendant
circumstances: The perpetrator had no legal
right to take or exercise control over the property.
harm: The
victim is deprived of property.
¶41 These elements can be used to
impose liability for theft cybercrimes: the most obvious example of this is the
use of cyberspace to perpetrate a theft of money or property (excluding
computer hardware or software). Assume
a cybercriminal uses her computer to break into a financial institution’s
computer system; having done so, the cybercriminal transfers funds from the
financial institution’s accounts to her own, offshore account. The cybercriminal has purposely and
unlawfully taken money belonging to someone else, and thereby deprived the
victim of money that is lawfully theirs; this is a traditional, zero-sum theft
in the sense that the victim suffers a loss of property and the thief gains the
property. The only difference between
this theft and a theft occurring in the physical world is that one criminal
uses a computer and cyberspace to achieve the unlawful taking while another
uses physical effort in the physical world to do so.[84] The perpetrators may use different methods
to accomplish their thefts, but their conduct, their mental states, the
pertinent circumstances and the ultimate result are conceptually
indistinguishable.
¶42 The same is true for theft of
computer hardware; computer hardware being simply a form of property.[85] A cybercriminal might or might not use a
computer and cyberspace to facilitate her theft of computer hardware, but the
hardware itself, and its transfer to the cybercriminal, all occur in the
physical world. In these scenarios, the
only role cyberspace plays is as the method used to perpetrate the underlying
theft offense.
¶43 And the same is also true for a
theft of services. The Model Penal
Code, which dates back to the early 1960's and has influenced many state
criminal codes,[86]
defines the offense of theft of services.[87]
Under the Model Penal Code, a person commits theft of services if he or she
obtains services “which he knows are available only for compensation” without
paying for them.[88] Services include “labor, professional
service, transportation, telephone or other public service, accommodation in
hotels, restaurants or elsewhere, admission to exhibitions, use of vehicles or
other movable property”.[89] If this definition of services is revised to
add “Internet server time, computer time [and] computer service time,”[90]
the Model Penal Code provision and statutes based upon it can address thefts of
computer services. This is true even
though the commodity that is stolen exists only in cyberspace, and even though
the theft is perpetrated via cyberspace.
The traditional element analysis still applies, though in a slightly
different form: The perpetrator, having no legal right to do so and acting with
the purpose of depriving the lawful owner of his or her property, took computer
services that belonged to the victim and thereby deprived the victim of that
property.[91] The fact that the theft is perpetrated via
cyberspace is irrelevant to this analysis; the use of cyberspace is merely the
method by which the crime is carried out.
It is true that the theft of computer services differ slightly from
traditional theft offenses: Theft of tangible property offenses are zero-sum[92]
offenses in which the possession and use of property is transferred from one
person to another; if the thief succeeds, the victim is totally deprived of his
or her property. In theft of services
offenses, the victim’s property is the ability to offer services in exchange
for pay.[93] When a theft of services occurs, the victim
is totally deprived of some quantum of the services she offers or, more
accurately, of the remuneration she should have been paid for those services,[94]
but is not deprived of the ability to offer such services. This difference is irrelevant to the
applicability of traditional principles of criminal liability because the
victim has still been deprived of a commodity that lawfully belonged to her.
¶44 Theft of information and theft of
computer software are somewhat more challenging analyses, because they can
deviate even further from the zero-sum model of theft that deals with the
misappropriation of traditional property.
Both information and computer software constitute property,[95]
but they can raise unique issues regarding theft offenses. As noted above, theft of property has
traditionally been a zero-sum offense, in which the victim is totally deprived of the possession and use of his or
her tangible property; to some extent, at least, the same can be said of theft
of services, in which the victim is totally deprived of the remuneration that
should have been paid for the stolen services.
¶45 Theft of information and theft of
computer software can involve this same result, for example when the victim is totally
deprived of the information or the stolen software. This alternative presents a zero-sum offense in which sole
possession of the information or software is transferred from the rightful
owner to the thief.[96] This is a variant of traditional property
theft and, therefore, liability can be imposed by using the traditional
elements:
actus
reus: The perpetrator unlawfully took or exercised unlawful
control over the property (for example, information or software) of another.
mens
rea: The perpetrator acted with the purpose of depriving the
lawful owner of software or information.
attendant
circumstances: The perpetrator had no legal
right to take or exercise control over the software or information.
harm: The
victim is deprived of his or her software or information.
¶46 If the state proves each of these
elements beyond a reasonable doubt, and if the defendant raises no viable
defenses, the defendant will be convicted of theft.
¶47 Theft of information and theft of
software can also involve a different result, one in which the perpetrator
copies the victim’s property
(information or software) and takes the copy away, leaving the original version
of the information or software in the victim’s possession.[97] This scenario does not involve a zero-sum
offense because the victim still has the possession and use of his or her
property; indeed, the victim may be quite unaware that there has been a
theft. But the victim has still
suffered a loss, the nature of which depends on the type of property at issue:
When a perpetrator copies information belonging to the victim, it is most
likely that the victim had compiled that information for his or her own use,
rather than to sell it (or sell copies of it) to someone else. We cannot, therefore, analogize this
scenario to a theft of services, because the victim did not intend to exchange
the information for remuneration. We
can still identify a loss to the victim, though it is more of a dilution than a
loss: By copying the victim’s information and absconding with the copy, the
perpetrator has gained access to information which, until that point in time,
belonged solely to the victim.[98] The victim still possesses the information,
but its value has been diluted by the fact that the victim is no longer the
sole possessor of that information.
Indeed, in some cases the value may be destroyed by this. We have therefore identified a deprivation
which the victim has suffered, a deprivation of the value of the information,
and, if all the other elements are met, this is sufficient to allow us to
impose liability on the perpetrator, using the following analysis:
actus
reus: The perpetrator unlawfully copied property (information)
of another.
mens
rea: The perpetrator acted with the purpose of depriving the
lawful owner of the exclusive use of information.
attendant
circumstances: The perpetrator had no legal
right to copy the information.
harm: The
victim is deprived of the exclusive use of information.
¶48 Of course, if the victim was in
the business of selling information, the perpetrator’s actions would support an
analogy to theft of services. The perpetrator would have deprived the victim of
the remuneration she would have received by selling the information as a single
commodity or by selling some quantum of it. Since we can identify a deprivation
that the perpetrator inflicted on the victim, we can impose liability using the
same, traditional analysis:
actus
reus: The perpetrator unlawfully copied property (information)
of another.
mens
rea: The perpetrator acted with the purpose of depriving the
lawful owner of ability to sell the copied information.
attendant
circumstances: The perpetrator had no legal
right to copy the information.
harm: The
victim is deprived of ability to sell the copied information.
¶49 Precisely the same analysis can be
applied to perpetrators who copy software.[99]
¶50 Except for theft of computer
hardware, the theft cybercrimes involve the use of cyberspace to commit a theft
offense. It is true that unlike other
crimes such as forgery,[100]
theft crimes are differentiated according to the method used to commit
them. Most jurisdictions make it a
distinct crime (armed robbery) to use a weapon to commit theft.[101]
Most also make “theft by deception” a separate crime.[102] The recognition of these varieties of theft
does not, however, militate for the adoption of theft cybercrimes. The crime of armed robbery is simply
aggravated theft, that is, the “misappropriation of property under
circumstances involving a danger to persons . . . and thus deserving of greater
punishment” than that imposed for simple theft.[103] The crime of theft by deception—which is
closely related to but differs from fraud—arose from the need to impose
criminal liability when, instead of simply taking property away from the
victim, the perpetrator used lies to induce the victim to hand over the
property voluntarily.[104] A perpetrator’s use of cyberspace, on the
other hand, does not transform the conduct at issue into a new type of criminal
activity. As is demonstrated above,
traditional criminal law principles can be used to impose liability for each of
these varieties of theft, which means there is no need to develop new law for
theft cybercrimes.
(2) Fraud
¶51 In theft offenses, the perpetrator
takes someone’s property without the victim’s permission (or even knowledge);
in fraud offenses, the perpetrator uses false statements and misrepresentations
to persuade the victim to part with property or other “things of value”
voluntarily.[105] To convict someone of fraud under the extant
law of crimes, the state must prove each of these four elements beyond a
reasonable doubt:
actus
reus: The perpetrator communicates false statements to the
victim.
mens
rea: The perpetrator communicates what she knows are false
statements with the purpose of
defrauding the victim.
attendant
circumstances: The perpetrator’s statements are
false.
harm: The
victim is defrauded out of property or something of value.[106]
¶52 Fraudulent schemes are very common
in cyberspace.[107] According to one source, reports of
fraudulent schemes increased 600% from 1997 to 1998.[108] This source says the top ten online frauds
are as follows: “auctions, general merchandise sales, computer
equipment/software, Internet services, work-at-home, business
opportunities/franchises, multilevel marketing/pyramids, credit card offers,
advance fee loans, and employment offers.”[109] Ninety-three per cent of the victims
defrauded by these online schemes parted with their money off-line, by sending
checks or money orders to the perpetrators of the scheme.[110]
¶53 In these schemes, the perpetrators
use the Internet to communicate their false statements to the victims; the
statements can be transmitted via a web site or e-mailed directly to potential
victims.[111] The perpetrators make the false statements,
of course, for the purpose of persuading potential victims to send them money
in exchange for products, services or benefits which the victims will never
receive or which will prove to be valueless or of little value if and when the
victims do receive them. For now, it
appears that most victims are sending their payments to the perpetrators
offline, but this is of little import in analyzing whether extant legal
principles can be used to impose liability on those who are perpetrating these
online scams.
¶54 Online fraudulent schemes are simply
a variant of traditional fraudulent schemes and, therefore, liability can be
imposed by using the traditional elements:[112]
actus
reus: The perpetrator communicates false statements to the
victim.
mens
rea: The perpetrator communicates what she knows are false
statements with the purpose of
defrauding the victim.
attendant
circumstances: The perpetrator’s statements are
false.
harm: The
victim is defrauded out of property or something of value.[113]
¶55 The use of cyberspace to
communicate the false statements and even as the vehicle by which the victim
transmits funds to the perpetrators does not affect the application of these
principles. True, much of the
offender’s conduct occurs in cyberspace, but this is because cyberspace simply
becomes the method perpetrators use to effectuate their schemes.[114]
If the state proves each of these elements beyond a reasonable doubt, and if
the defendant raises no viable defenses, the defendant will be convicted of
fraud. There is no need for a separate
law addressing cyber-fraud,[115]
as was demonstrated by a California case in which an 1872 statute apparently
directed at livestock auction fraud was used to prosecute the perpetrator of
online auction fraud.[116]
(3) Forgery
¶56 Essentially, forgery consists of
knowingly altering a document and/or knowingly using an altered document for
the purpose of defrauding someone.[117]
To convict someone of forgery under the extant law of crimes, the state must
prove each of these four elements beyond a reasonable doubt:
actus
reus: The perpetrator knowingly altered, made, completed,
executed, authenticated, issued, transferred or uttered a forged writing.
mens
rea: The perpetrator’s purpose was to defraud someone or
facilitate a fraud being perpetrated by someone else.
attendant
circumstances: The writing was altered.
harm: The
perpetrator used a forged writing to defraud or help defraud someone.
¶57 Like theft cybercrimes, forgery
cybercrimes can assume several different forms. A computer can, for example, be used to alter or create a false
written or electronic document;[118]
this conduct can be addressed by using the elements set out above:
actus
reus: The perpetrator used a computer to knowingly alter, make,
complete, execute, authenticate, issue, transfer or utter a forged writing.
mens
rea: The perpetrator’s purpose was to defraud someone or
facilitate a fraud being perpetrated by someone else.
attendant
circumstances: The writing was altered.
harm: The
perpetrator used a forged writing to defraud or help defraud someone.
¶58 Here, the computer is simply the
method by which the forgery is carried out; the instrument that is used to
alter or otherwise falsify the document.[119] Since we do not create separate offenses
for “forgery by pen” or “forgery by computer” or “forgery by copying machine,”
there is no reason to create a “forgery by computer” offense.[120] This conclusion holds even when the forgery
consists of altering, creating or even deleting a computer document such as a
data file stored on a computer.[121] All that is needed is to revise the
statutory definition of forgery so that it encompasses computer data and
computer programs.[122]
(4) Pornography
and Obscenity
¶59 Pornography and obscenity statutes
make it an offense to possess, create, import, display, publish or distribute
pornography (especially child pornography) or other obscene materials.[123] To convict someone of one of these offenses
under the extant law of crimes, the state must prove each of these four
elements beyond a reasonable doubt:
actus
reus: The offender possessed, created, imported, displayed,
published or distributed pornography.
mens
rea: The knowing possession or the purposeful creating,
importing, displaying, publishing, or distributing of child pornography.
attendant
circumstances: The material is indeed pornography;
harm: Pornography is created or
disseminated.[124]
¶60 Traditional pornography and
obscenity statutes target pornography that is depicted via older media, such as
books, magazines, films, and videotapes.[125] Computers and cyberspace are merely
additional media by which existing offenses can be committed. They can be
addressed by simply revising the existing statutes to encompass the use of
computers or cyberspace to create or disseminate this type of material.[126]
(5) Stalking
¶61 In the physical world, stalking
consists of repeatedly following or being in another person’s presence for no
lawful reason and with the purpose of causing death or bodily injury to that
person or causing that person emotional distress by placing him or her in
reasonable fear of death or bodily injury.[127] To convict someone of the crime of stalking,
the prosecution has to prove each of the following elements beyond a reasonable
doubt:
actus
reus: The perpetrator repeatedly follows the victim or is in
the victim’s presence for no lawful reason, thereby communicating a credible
threat to harm the victim or the victim’s family.
mens
rea: The purpose of causing death or bodily injury to the
victim or causing the victim emotional distress by putting her in fear of death
or bodily injury.
attendant
circumstances: The perpetrator’s lack of legal
justification for what she did.
harm: The
fear and apprehension the victim experiences.[128]
¶62 In the virtual world,
cyber-stalkers use cyberspace to achieve a result analogous to that set out
above, such as to threaten and intimidate their victims.[129] But cyber-stalking differs from stalking in
the physical world in two respects, both of which make it difficult to apply
real world stalking laws to cyber-stalkers.[130]
¶63 One difference is the existence of
a threat: Traditional stalking laws frequently require that a stalker have made
at least one “credible threat” to injure his or her victim.[131] Cyber-stalkers often do not threaten their
victims, at least not directly;[132]
they are more likely to use tactics that harass and threaten their victims,
such as posting the victim’s name and address on the Internet along with false
claims that she wants to be raped by strangers.[133] And even if a cyber-stalker does directly
threaten his or her victim online, a court may not find a threat from someone
who is physically located hundreds of miles away to be a “credible” one.[134]
¶64 The other difference is the
physical world requirement that a stalker physically follow his or her victim
or be in the victim’s presence.[135] As long as they confine their efforts to
cyberspace,[136]
cyber-stalkers are never in their victim’s presence or even in their victim’s
vicinity, and this can make it difficult, if not impossible, to apply existing
stalking laws to them.[137]
¶65 In an effort to address the problem
of cyber-stalking, some states have amended their stalking laws so they include
threats transmitted via the Internet.[138] This approach is inadequate; this is not an
area in which amendments incorporating the use of cyberspace as the method of
committing an existing offense are sufficient to deal with how cyberspace is
being exploited in the commission of that offense. That becomes apparent when we try to apply the traditional
elements to cyber-stalking:
actus
reus: The perpetrator’s repeatedly following the victim or
being in the victim’s presence for no lawful reason and thereby communicating a
credible threat to harm the victim or the victim’s family: Neither of these
occurs in “pure” cyber-stalking (stalking conducted totally via cyberspace)
because the cyber-stalker uses information (messages, data, or graphics) posted
on or transmitted over the Internet to harass and terrorize her victim; a
cyber-stalker therefore does not have to follow the victim or be in her
presence. And because cyberspace lets stalkers
employ more subtle means of terrorizing their victims, the cyber-stalker may
never engage in conduct that rises to the level of a credible threat.[139]
mens
rea: The perpetrator’s purpose of causing death or bodily
injury to the victim or causing the victim emotional distress by putting him or
her in fear of death or bodily injury: The cyber-stalker may or may not have
this purpose. Some may want to
terrorize their victims by communicating specific threats to harm them or
someone they love, while others may be playing a more subtle game of control.[140]
attendant
circumstances: The perpetrator’s lack of legal
justification for what she did: This can be problematic because cyber-stalkers
tend to rely on the use of communications to harass their victims. Consequently, unlike “real world” stalkers,
cyber-stalkers may therefore be able to invoke the free speech protections of
the First Amendment as a defense if they are prosecuted for their actions.[141]
harm: The
fear and apprehension the victim experiences: This, unfortunately, is a
constant in both “real world” and cyber-stalking.
¶66 Unlike the offenses heretofore
discussed, cyber-stalking cannot be addressed simply by tweaking the principles
we use to impose liability for stalking in the physical world. Does this mean cyber-stalking is a true
cybercrime, that is, does it mean we will have to devise new principles to
impose liability for cyber-stalking?
¶67 It does not. It means we have to create a new crime, one
that encompasses the actus reus, mens rea and attendant circumstances
characteristic of the activity we now call cyber-stalking. We can do this in two different ways: One is
to revise the elements we use to impose liability for traditional stalking so
that they remedy the deficiencies noted above and identify the result as a new
crime: cyber-stalking. A better
approach is to study the components of this activity as it exists and as we
think it may come to exist, and parse these components into the constitutive
elements (actus reus, mens rea, attendant circumstances and harm) of one or
more new crimes. To see how this can be
done, review Article II of the 1998 Model State Computer Crimes Code[142]
and the 1999 Revision of the Model State Computer Crimes Code.[143]
¶68 In dealing with cyber-stalking, we
find ourselves in a position analogous to that which existed after telephones
had been invented and were being widely disseminated for popular use. Until then, there had been no need to define
the “crime” of “making obscene telephone calls.”[144] As the technology to engage in this activity
became available, some began to engage in that activity, and this necessitated
the articulation of a new “crime.” And
even though the rise of the telephone also produced other novel forms of
anti-social behavior, no one suggested it was necessary to create new,
“tele-crimes.”
(6) Vandalism
¶69 In the physical world, vandalism
consists of knowingly damaging or destroying real or personal property owned by
someone else without having that person’s consent to do so.[145] To convict someone of the crime of
vandalism, the state has to prove each of the following elements beyond a
reasonable doubt:
actus
reus: The perpetrator damaged or destroyed another’s property.
mens
rea: The perpetrator acted knowingly.
attendant
circumstances:
The damaged or destroyed property belonged to someone other than the
perpetrator and she did not have the owner’s permission to damage it.
harm: An innocent person’s property is
damaged or destroyed.[146]
¶70 Destructive conduct in cyberspace
is often characterized as cyber-vandalism, but most of this conduct is more
properly analyzed as cracking (discussed in the section immediately
below). The reason for this is as
follows: In the physical world, vandalism does not involve the additional step
of illegally gaining entry in order to damage or destroy property; vandalism
consists of damaging or destroying property that is readily accessible.[147] If someone illegally gains entry to premises
for the purpose of damaging or destroying property inside, this is the offense of
burglary,[148] not
the lesser offense of vandalism. As
explained below, in the virtual world, the term “cracking” denotes the process
of illegally gaining entry to a computer or computer system for the purpose of
damaging or destroying property;[149]
conduct which couples illegal access with property damage or destruction must,
therefore, be treated as cracking, not as cyber-vandalism.
¶71 So far, the most common type of
cyber-vandalism is the creation and dissemination of viruses and other harmful
programs.[150] Once
unleashed, these programs spread via e-mail and other means and can inflict
various kinds of damage on computers and computer systems, including the
deletion or alteration of data and programs stored on a computer or computer
system.[151] If the author of the harmful program knew it
would damage the computers and computer systems it infected, then her conduct
is directly analogous to that of a vandal in the physical world. We have all of the elements needed to impose
liability for vandalism:
actus
reus: The perpetrator damaged or destroyed another’s property.
mens
rea: The perpetrator acted knowingly.
attendant
circumstances:
The damaged or destroyed property belonged to someone other than the
perpetrator and she did not have the owner’s permission to damage it.
harm: An
innocent person’s property is damaged or destroyed.
¶72 If the author of the program did
not know it would cause damage, but sent it out as a prank or to amuse, we do
not have conduct which would sustain the imposition of liability under the
scheme set forth above. Depending on
the circumstances at issue, however, we can probably analogize the
perpetrator’s conduct to that of someone who applies graffiti to private or
public property;[152]
and since the practice of defacing property with graffiti is often treated as a
form of vandalism,[153]
we could reach the conduct by defining cyber-vandalism to include both knowing
efforts to destroy property and efforts designed to result in the dissemination
of cyber-graffiti, such as viruses. We
can do this by modifying the elements set out above, so that to impose
liability for cyber-vandalism the state must prove each of the following beyond
a reasonable doubt:
actus
reus: The perpetrator damaged or destroyed another’s property.
mens
rea: The perpetrator acted knowingly or recklessly (the
perpetrator consciously disregarded a substantial risk that her conduct would
cause damage to or destruction of property);
attendant
circumstances:
The damaged or destroyed property belonged to someone other than the perpetrator
and she did not have the owner’s permission to damage it;
harm: An
innocent person’s property is damaged or destroyed.[154]
¶73 Another activity that has been
described as cyber-vandalism is a “denial of service” attack. In a denial of service attack, the
perpetrator’s goal
is not to gain
unauthorized access to machines or data, but to prevent legitimate users of a
service from using it. A denial-of-service attack can come in many forms.
Attackers may `flood’ a network with large volumes of data or deliberately
consume a scarce or limited resource, such as process control blocks or pending
network connections. They may also
disrupt physical components of the network or manipulate data in transit,
including encrypted data.[155]
¶74 A denial of service attack does
not constitute a theft of services or of information because the perpetrator’s
goal is not to obtain services or information without providing proper
remuneration;[156]
rather, it is to prevent the operator of a web site from being able to provide
services or information to those who wish to visit the site to obtain either.[157]
¶75 One can analogize a denial of
service attack to vandalism because the attack does inflict a kind of damage on
the web site owner’s property. True,
the perpetrator of a denial of service attack does not, like the malicious
hackers discussed in the next section, cause structural damage to the victim’s
web site. But the perpetrator of such
an attack does damage the victimized web site’s functionality, impairing its
ability to provide the services or information it offers to the public. This functionality is an essential element
of such a site and, as such, is an integral component of the site owner’s
property because the site’s value is diminished if its functionality is
interrupted.[158] In the physical world, property is for the
most part a static concept, so traditional vandalism consists of conduct
designed to inflict damage on static property, such as conduct such as starting
fires, breaking windows, or painting graffiti.
In the virtual world, property can be a dynamic concept, as in the case
of a web site which offers services or information to the public; in this
context, vandalism also encompasses conduct that is designed to damage or
destroy the dynamic, functional aspect of web property.
¶76 Imposing criminal liability for
cyber-vandalism can be accomplished by doing two things: (1) Expanding the
definition of property used in vandalism statutes to incorporate the nuances of
web property; and (2) revising the description of the conduct that constitutes
vandalism to ensure it encompasses acts designed to damage or destroy these
nuances. If these two steps are taken,
the elements set forth above can be used to impose liability on those who perpetrate
denial of service attacks.
(7) Burglary
and Criminal Trespass
¶77 As section II explains,[159]
burglary and criminal trespass are related offenses. Criminal trespass is usually considered to be a lesser-included
offense of burglary. Both burglary and criminal trespass require that an
offender engage in the same conduct, but to commit burglary the offender must
intend to go farther, to commit a greater harm than is involved in criminal
trespass.[160]
¶78 In the physical world, criminal
trespass consists of entering in a building when one knows he or she is not
legally authorized to do so.[161] To convict someone of criminal trespass, the
state must prove each of the following elements beyond a reasonable doubt:
actus
reus: The perpetrator entered a building.
mens
rea: The perpetrator knew she was not legally entitled to
enter the premises.
attendant
circumstances: The perpetrator was not legally
entitled to enter the premises.
harm: The
perpetrator unlawfully entered private premises.
¶79 In the physical world, burglary
consists of entering a building with the purpose of committing an offense (such
as theft or arson) inside unless the person’s entry is lawful, either because
the building is open to the public or because she is authorized to enter it.[162] To convict someone of burglary, the state
must prove each of these elements beyond a reasonable doubt:
actus
reus: The perpetrator entered a building.
mens
rea: The perpetrator entered with the purpose of committing an
offense inside.
attendant
circumstances:
The perpetrator was not legally entitled to enter the premises in
question.
harm: She
unlawfully entered premises to commit an offense inside.
¶80 The obvious cyber-analogies to
these offenses are hacking and cracking, respectively.[163] Generally speaking, one must be a hacker to
engage in hacking or in cracking, a hacker being a person “who enjoys exploring
the details of programmable systems and . . . the intellectual challenge of
creatively overcoming or circumventing limitations.”[164]
In popular parlance, a “hacker” is someone who is able to, and does, break into
computers or computer systems to which she does not have lawful access, often
simply for the intellectual challenge involved.[165] Strictly speaking, a hacker does not intend
to commit an offense or cause damage once inside a computer or computer system,
though she may do so inadvertently. A
cracker, on the other hand, is a hacker who breaks into a computer or computer
system with the purpose of committing an offense once inside, an offense that
can consist of damaging or destroying the system or of using information in the
system to commit another offense, such as fraud or theft.[166]
¶81 Hacking is obviously analogous to
physical criminal trespass. In both, the offender gains access to an area—a
physical location in trespass and a virtual location in hacking—to which she
does not lawfully have access. Indeed,
it is very simple to modify the four elements the state must prove to convict
someone of traditional criminal trespass so that they encompass hacking:
actus
reus: The perpetrator entered a computer or computer system.
mens
rea: The perpetrator knew she is not legally entitled to enter
the computer/computer system.
attendant
circumstances: The perpetrator was not legally
entitled to enter the computer or computer system.
harm: The
perpetrator unlawfully entered a computer or computer system.
¶82 The
offender is physically situated in the physical world, so her mens rea and the
physical acts she uses to carry out the hacking are real-world phenomena, as is
the illegality of the intrusion. The
actual entry into the computer or computer system presumably occurs in the
virtual world, but this fact is not enough to prevent the principles set forth
above from being used to impose liability for the intrusion because there is
still a legally cognizable harm. The
harm of criminal trespass is a person’s entering into an area to which she does
not have lawful access; the evil to be prevented is the violation of the owner
of that area’s lawful right to exclude those to whom she has not granted
access. Conceptually, it makes no
difference whether the area that is unlawfully accessed exists in the physical
world or in the virtual world; the harm to the owner of that area is logically
indistinguishable.
¶83 States have used this approach to
criminalize hacking, though they tend to create a new offense, ”computer
trespass,”rather than simply modifying their criminal trespass statutes to
encompass unlawful entries into computers or computer systems.[167] Some have incorporated this new offense into
the section of their criminal code that outlaws burglary and trespass, thereby
implicitly acknowledging the functional and analytical similarities between the
conduct at issue in both traditional and virtual trespass.[168]
¶84 Cracking is obviously analogous to
the crime of burglary: In both, the offender gains access to an area—again, a
physical location in burglary and a virtual location in cracking—to which she
does not lawfully have access and does so for the purpose of committing an
offense, such as fraud or theft, once inside. As with hacking, it is easy to
modify the four elements the state must prove to convict someone of traditional
criminal trespass so that they encompass cracking:
actus
reus: The perpetrator entered a computer or computer system.
mens
rea: The perpetrator entered with the purpose of committing an
offense inside.
attendant
circumstances:
The perpetrator was not legally entitled to enter the computer or
computer system in question;
harm: She
unlawfully entered the computer or computer system to commit an offense inside.
¶85 As with
hacking, the cracker is physically situated in the physical world, so her mens
rea and the physical acts she uses to carry out the cracking are real-world
phenomena, as is the illegality of the intrusion. The actual entry into the computer or computer system presumably
occurs in the “virtual world,” as would the steps he/she intends to take in
order to commit an offense. These facts
are not enough to prevent the principles set forth above from being used to
impose liability for the cracker’s conduct.
As with hacking, there is still a legally cognizable harm, such as the
offender’s entering an area to which she does not have lawful access and
thereby violating the owner of that area’s right to exclude those to whom she
has not granted access. As to this
fact, it is conceptually irrelevant whether the location that is unlawfully
accessed exists in the physical world or in the virtual world; the harm to the
owner of that area is logically indistinguishable.
¶86 As with hacking, states have used
this approach to outlaw hacking, though none have so far chosen to incorporate
hacking into their burglary offenses.
For the most part, states have created what is in reality a “computer
burglary” offense but have chosen either to make it a new offense or to define
it as an aggravated form of computer trespass.[169] Again, as with hacking, some include this
new offense in the section of their criminal code that outlaws burglary and
trespass, thereby implicitly acknowledging the functional and analytical
similarities between the conduct at issue in both the physical and the virtual
worlds.[170]
(8) Inchoate
offenses
¶87 As section II explains, there are
three inchoate offenses: attempt, conspiracy and solicitation.[171] Inchoate offenses address conduct that is designed
to result in the commission of a regular, substantive offense such as robbery
or homicide but for some reason fails to do so.[172] The law imposes criminal liability on the
inchoate offender even though she failed to carry out the contemplated substantive
offense (the “target” offense) on the theory that this person’s conduct
demonstrates that she is sufficiently dangerous to warrant the imposition of
sanctions.[173]
¶88 We do not need to develop new
“cyber-inchoate offenses” to deal with unsuccessful efforts to perpetrate
offenses in or directed at cyberspace.
The existing inchoate offenses are perfectly adequate for this purpose.
¶89 Take hacking as an example: If
someone successfully breaks into a computer system to which she does not have
lawful access, this is the completed offense of hacking, or computer trespass.[174]
If someone tries, unsuccessfully, to break into such a system, this would be
attempted hacking or attempted computer trespass. To convict someone of this offense, the state would have to prove
the following elements beyond a reasonable doubt:
actus
reus: The perpetrator attempted to enter a computer or
computer system.
mens
rea: The perpetrator knew she was not legally entitled to
enter the computer or computer system.
attendant
circumstances: The perpetrator was not legally
entitled to enter the computer or computer system.
harm: The
perpetrator unlawfully attempted to enter a computer or computer system.
¶90 The mens rea of the perpetrator of
the attempt and the perpetrator herself will be located in the physical world,
but the actus reus of the offense (the unsuccessful effort to break into a
computer or computer system) will almost certainly occur in the virtual
world. As explained above, this fact is
conceptually irrelevant to the imposition of criminal liability for the
substantive offense of computer trespass because the same harm occurs
regardless of whether an intrusion occurs in the physical world or in the
virtual world.[175]
¶91 If someone agrees with another
that one or both of them will break into a computer system to which they do not
have lawful access, this is the offense of conspiring to commit hacking or
computer trespass. To convict someone
of this offense, the state would have to prove the following elements beyond a
reasonable doubt:
actus
reus: The perpetrators agreed that either or both of them
would enter a computer or computer system.
mens
rea: The perpetrators knew they were not legally entitled to
enter the computer or computer system.
attendant
circumstances: The perpetrators were not
legally entitled to enter the computer or computer system.
harm: The
perpetrator conspired to enter a computer or computer system.
¶92 Both the mens rea of the
conspirators and the conspirators themselves will be located in the physical
world, but the actus reus of the offense (the formation of the criminal
agreement) can occur wholly in the physical world,[176]
wholly in the virtual world,[177]
or partially in both worlds.[178]
The locus of the actus reus is conceptually irrelevant for the imposition of
criminal liability, just as it would be if two people used email to form a
conspiracy to commit murder. The
gravamen of the offense is the formation of the agreement; the method used to
form it agreement is unimportant.[179]
¶93 If someone asks another person, X, to break into a computer system to
which neither has lawful access, this would be the offense of soliciting
computer trespass. To convict someone
of this offense, the state would have to prove the following elements beyond a
reasonable doubt:
actus
reus: The perpetrator asked X
to enter a computer or computer system.
mens
rea: The perpetrator knew X
was not legally entitled to enter the computer or computer system.
attendant
circumstances: X
was not legally entitled to enter the computer or computer system.
harm: The
perpetrator solicited X to enter
a computer or computer system.
¶94 Here, too, both the mens rea of
the conspirators and the conspirators themselves will be located in the
physical world, but the actus reus of the offense can occur wholly in the
physical world,[180]
wholly in the virtual world,[181]
or partially in both worlds.[182]
The locus of the actus reus is conceptually irrelevant for the imposition of
criminal liability, just as it would be if someone used email to make an offer
to a contract killer.[183]
The gravamen of this offense is the perpetrator’s solicitation of the target
offense; how she solicits the commission of the offense is unimportant.[184]
(9)
Non-offenses: cybervigilantism and cyberterrorism
¶95 Section II noted that two
almost-universally condemned activities, vigilantism and terrorism, are not
crimes in and of themselves.[185] As that section explained, the law finds it
sufficient to prosecute those who engage in either type of activity for the
crimes they commit in so doing.[186] This section argues that the same should be
true for their cyber-counterparts.
¶96 Cybervigilantism has become a
growing phenonmenon, sparked, like its real-world counterpart, by the belief
that law enforcement is not doing an effective job of apprehending and
punishing criminals.[187] One group of cybervigilantes, for example,
has announced that they will hack into child pornography sites and wipe out
hard drives containing the material they are determined to eradicate.[188] Like real world vigilantes, cybervigilantes
should be prosecuted, if at all, for the crimes they commit while pursuing
their goal of assisting law enforcement in the pursuit and sanctioning of
criminals.[189] As this section demonstrates, the tactics
they are likely to use against those whom they believe to have violated the law
can be prosecuted under our existing law of crimes.[190]
¶97 Terrorism in cyberspace has, so
far, taken two different forms: hacktivism and cyberterrorism. Hacktivism can
encompass hacking, but it is not the same thing: Hacktivism consists of using
cyberspace to harass or sabotage sites that conduct activities or advocate
philosophies that hacktivists find unacceptable.[191] And while hacktivists vehemently reject the
notion that they are cyberterrorists,[192]
their conduct falls within the definition of terrorism: committing crimes to
further a political agenda.[193] The crimes hacktivists commit tend to be
nonviolent, such as vandalizing a web site, shutting it down by bombarding it
with messages or diverting its traffic to another site.[194] As is explained above, these activities can
be prosecuted as crimes; consequently, there is no need to define hacktivism as
a unique cybercrime.
¶98 Cyberterrorism is the
transposition of terrorist activities to cyberspace. It consists of using
computer technology or cyberspace to commit crimes that usually involve death,
personal injury or injury to property in order to advance a political agenda.[195] Just as traditional terrorists are
prosecuted for the crimes they commit,[196]
so cyberterrorists can be prosecuted for the crimes they commit by exploiting
cyberspace; there is, again, no need to devise a new “cybercrime” to sanction
their conduct.[197]
(10) Summary:
Crime Analogues
¶99 The cybercrimes examined above are
simply versions of existing offenses the commission of which involves the use
of a computer or cyberspace. They can,
therefore, be adequately addressed by applying extant principles of criminal
liability; as to these offenses, there is no need to create a new, distinct law
of cybercrimes. The next section
considers whether there are, or can be, truly virtual crimes (offenses that are
not analogous to any traditional offenses) and that therefore do require the
articulation of such law.
Cybercrimes:
Virtual Crimes?
¶100 As section II explains, the
principles we have so far used to impose criminal liability were developed to
deal with offenses the commission of which involves elements that manifest
themselves exclusively in the physical world.[198] As section III demonstrates, these
principles can also be used to impose liability when the commission of these
offenses, or analogues of these offenses, involves one or more elements which
manifest themselves to some extent in the virtual world of cyberspace.
¶101 This section considers whether
there can be truly virtual crimes (offenses the constituent elements of which
manifest themselves exclusively or almost exclusively in cyberspace). If such offenses exist, it follows that they
are the most likely candidates for the development of a law of cybercrimes,
since they would be the most significant deviation from the empirical model for
which extant principles of criminal liability were derived.
¶102 Events that occurred in a
text-based online virtual community, LambdaMOO,[199]
some years ago prompted much discussion about whether “virtual rape”[200]
is or should be an offense, a bona fide virtual crime.[201]
The offender was a LambdaMOO participant known as “Mr. Bungle,” who had
equipped himself with a “voodoo doll,” “a program, a piece of code” which lets
its user
spoof other players. Spoofing is .
. . a . . . term denoting the appropriation of a user's identity by other
users; and in the context of the MOO this meant that by typing actions into the
voodoo doll, its owner could make it appear as if another player were
performing those actions.[202]
¶103 Mr. Bungle logged into LambdaMOO
one evening and used his voodoo doll to make it appear that a number of the
female participants were
engaged in various forms of
sexually humiliating activities. Thus, just to pick one example out of the
swamp of Mr. Bungle's imaginings, the player who went by the name of Moonfire
was obliged to see on her screen the words As
if against her will, Moonfire jabs a steak knife up her ass, causing immense
joy. You hear Mr. Bungle laughing evilly in the distance.[203]
¶104 Given the emotional commitment
LambdaMOO participants tended to invest in their online personas, the victims
of Mr. Bungle’s attentions were shocked and traumatized by how he had
manipulated their characters and by how powerless they had been to stop him.[204] Outraged by their suffering, some LambdaMOO
participants demanded capital punishment for Mr. Bungle, insisting that his
character be annihilated.[205] Others disagreed, which led to heated
debates as to what should be done about Mr. Bungle.[206] Before the issue reached any formal
resolution, one member of the community took matters into his own hands and
eliminated Mr. Bungle’s persona and user account from the system, thereby
terminating Mr. Bungle’s LambdaMOO existence.[207]
¶105 The LambdaMOO incident generated
much debate over whether conduct like Mr. Bungle’s should be handled by the
criminal justice system or handled internally, by the virtual community in
which the conduct occurred.[208] Essentially, those who argued for the
imposition of criminal liability pointed to the trauma virtual rape inflicts on
the victims, analogizing it to the trauma suffered by victims of traditional
rape; those who argued against imposing such liability contended that incidents
like this do not rise to the level of crimes because they occur only in the
victims’ minds and do not involve the infliction of any physical injury.[209]
¶106 It was clear, at any rate, that
what Mr. Bungle did could not be prosecuted under extant rape laws: He did not
commit the crime of rape, because that requires a physical assault.[210] He did not commit the crime of
pornography because what happened to those people that night in LambdaMOO
differs from pornography in that rather than observing others engaging in (or
depictions of others having engaged in) sexual activity[211]
the victims themselves (their virtual selves) were forced to engage in sexual
activity against their will. Nor did
Mr. Bungle commit the crime of stalking. Stalking consists of a persistent
pattern of conduct which puts the victim in fear of death or a physical
assault;[212] Mr.
Bungle’s victims were actually forced to engage in sexual activity against
their will, sexual activity which they found abhorrent. For all these reasons, the events in
LambdaMOO are currently the only reported instance of an essentially virtual
crime, one in which all the elements of the offense except the suffering of the
victims and the keystrokes Mr. Bungle used to inflict that suffering occurred
in cyberspace.
¶107 Let us assume, for the sake of
argument, that what Mr. Bungle did should require the imposition of some type
of criminal liability.[213]
His conduct cannot constitute the crime of rape as it is currently defined
because that crime consists of a perpetrator’s having nonconsensual sexual
intercourse with a victim, often by using physical force.[214]
Since rape requires an actual physical assault on the victim, it necessarily
occurs in the physical world.[215] Mr. Bungle’s conduct, on the other hand,
occurs only in cyberspace,[216]
and the victim’s physical being is not the object of the assault; the assault targets
the victim’s mind and emotions, not her body.[217]
¶108 Can we impose criminal liability
on Mr. Bungle by simply revising our definition of the crime of rape? Or is this an instance in which the locus of
an activity has moved so substantially into cyberspace that the activity evades
traditional principles of criminal liability and must, therefore, be treated as
a cybercrime?
¶109 The first step in answering these
questions is determining whether Mr. Bungle’s conduct can be brought within our
definition of the crime of rape. As
noted above, rape currently consists of having nonconsensual sexual intercourse
with a victim, generally as the result of using physical force.[218] To prove this crime, therefore, the state
must prove each of these elements beyond a reasonable doubt:
actus
reus: The perpetrator used force to have sexual intercourse
with the victim.
mens
rea: The perpetrator purposely used force to have sexual
intercourse with the victim, knowing she did not consent to the act.
attendant
circumstances: The victim did not consent to the
sexual intercourse.
harm: The
victim is subject to a physical assault such as nonconsensual sexual
intercourse.
¶110 It is simply not possible to
redefine this crime so it encompasses physical rapes and also encompasses Mr.
Bungle’s conduct and similar acts; this crime is too grounded in the physical
world to survive such a revision. How,
for example, would one redefine the actus reus? “Force” could be redefined to include the “use of physical force
or the use of any non-corporeal means of overcoming the volition of an
individual.” And instead of being
limited to “sexual intercourse,” the actus reus could be expanded to encompass
“compelling someone to engage in and/or submit to acts, whether real or
simulated, which they find objectionable.”
The offender’s mens rea would still be the purposeful use of compulsion
to carry out the rape, the attendant circumstances would still be that the
victim did not consent to the assault, and the harm would be the nonconsensual
nature of the encounter.
¶111 Technically, rape could be
redefined in this fashion, but the result is unacceptably flawed. It is so broad it could encompass encounters
in cyberspace, at least, that fall far outside notions of virtual rape. What if, for example, a participant in an
online chat room used language another participant found offensive? Would that
not fall within the definition of this crime?
By typing in the message, would the perpetrator-participant not be using
non-corporeal means to overcome another’s volition and thereby subject the
victim to acts which she found objectionable?
The new crime of rape might also encompass actions taken by those
playing online games; one player might be found to have used non-corporeal
means to overcome another’s volition and thereby subject the latter to
simulated acts which the victim found objectionable. And the same could be true in the physical world, as well. What
if one person cut ahead of another in a line waiting to buy movie tickets? Could not one characterize the act of
“cutting in” line as a use of corporeal force which overcame the victim’s
volition (her desire to remain at that particular point in line) and subjected
her to an action he or she finds objectionable, in the sense of losing their
place in line? Because the redefined
rape crime would have such a broad application, it would almost certainly be
struck down as unconstitutionally void for vagueness.[219]
¶112 Does this mean, then, that extant
principles of criminal liability are inadequate to address cyberspace phenomena
such as virtual rape? It does and it
does not. As this example demonstrates,
we will not be able to impose criminal liability for all the varieties of
misconduct that will erupt in cyberspace simply by broadening our definitions
of extant offenses so they encompass both physical and virtual activity. We can, as section III demonstrates,[220]
use this technique to address certain kinds of misconduct that will manifest
itself in cyberspace; when the misconduct involves acts, intent, circumstances
and harms that are empirically and functionally analogous to the acts, intent,
circumstances and harms addressed by an extant offense, we can probably use
this approach to impose criminal liability on those who engage in that
misconduct. The more closely analogous
cyber-situated misconduct is to misconduct traditionally understood as
criminal, the easier it will be to utilize this approach. But as we move more and more of our
activities into cyberspace, we will certainly see new kinds of misconduct emerging,
misconduct that may have little in common with the behaviors or harms our
current repertoire of traditional crimes were devised to address. For these emerging types of misbehavior, we
will almost certainly have to develop a new approach to imposing criminal
liability.
¶113 There are at least two different
ways we can go about developing a new approach to imposing criminal liability
for cyber-situated misconduct: (1) we
can use existing principles to define new crimes that encompass this kind of
misconduct; or (2) we can devise new principles for imposing liability such as
a distinct law of cybercrimes. If our goal is to ensure that miscreants cannot
exploit cyberspace and engage in socially unacceptable conduct with impunity,
and if we can achieve that goal by using existing principles, there seems to be
no reason to devise new principles of criminal liability. If this is not our only goal or if the
tactic of devising new crimes is inadequate to achieve that goal, then we may
have to devise a new law of cybercrimes.
¶114 Let us begin with the possibility
of defining new crimes to address cyber-situated misconduct. We can deal with Mr. Bungle’s conduct by
creating a new crime that targets the distinctive aspects of his conduct and the
harm it produced. Instead of trying to
adapt a crime that was created to address the use of physical force and the
resulting infliction of physical injury, we can start over and create a new
crime that addresses the use of other, non-physical means to inflict psychic or
emotional injury. We could, for
example, make it a crime to use a computer-generated communication to
“maliciously inflict emotional distress” on someone.[221] In so doing, we implicitly recognize that
the new domain of cyberspace can be used to engage in types of socially
unacceptable conduct that have not been encountered before, just as the
drafters of the first obscene telephone call statutes implicitly recognized
that new technology’s potential for misuse.[222]
¶115 Cyberspace, however, offers a much
broader venue for misconduct than did the telephone or other twentieth-century
technologies. Indeed, cyberspace may
force us to rethink certain of our views about the permissibility of
predicating criminal liability on actions, and results, which occur elsewhere
than in the physical world. As the
preceding section of this article explained, Anglo-American criminal law has
generally been loath to impose liability unless certain elements, most notably
an outlawed act or omission and a resulting harm, manifest themselves in the
physical world.[223] This accounts for our refusal to impose
liability for “thought crimes,” a hesitance based in part on the empirical
difficulty of establishing liability for crimes such as imagining the king’s
death,[224] and
also on the notion that we should be free to entertain whatever thoughts we
like, as long as we make no effort to translate them into action that could
harm our fellow citizens.[225] Those who will oppose the invention of new
crimes targeting misconduct peculiar to cyberspace are likely to cite thought
crimes as the proper analogy for what occurs in cyberspace, and argue that
because this is a domain that exists outside of and apart from the physical we
should not impose criminal liability for what occurs there.
¶116 This argument fails because
thought crimes are not the proper analogy for the kinds of misbehavior that
will occur in cyberspace. Thought
crimes are one of two kinds of virtual crime to emerge before the invention of
cyberspace. The other virtual crime is
witchcraft. Unlike the thought crime of
imagining the king’s death, a crime no constituent element of which manifested
itself in the real world,[226]
the crime of witchcraft incorporated both virtual and physical elements. Until
1951, English law made it a crime to engage in witchcraft, which was defined to
include, among other things, “invoking any evil spirit, or consulting,
covenanting with, entertaining, employing . . . or rewarding any evil spirit .
. . or killing or otherwise hurting any person by such infernal arts” or using
them to enrich oneself.[227] This crime really targeted two distinct
harms: (1) using one’s power over the virtual world to summon evil spirits to
injure other persons, to injure their property or to enrich oneself, and (2)
the perpetrator of witchcraft was consorting with evil spirits in violation of
God’s law.[228] The
first harm was often emphasized in witchcraft prosecutions, such as the Salem
trials.[229]
¶117 In the Western world, we no longer
maintain the virtual crime of witchcraft because we no longer believe one can
manipulate forces in the spectral world to have effects here in the physical
world.[230] For
the sake of argument, though, let us assume we do entertain such a belief and,
consequently, have resuscitated the above-described crime of witchcraft. That crime would consist of the following
elements:
actus
reus: The perpetrator used evil spirits to harm another person,
|
