I. INTRODUCTION A. Defining Computer Crime B. Types of Computer-Related Offenses 1. Object of Crime 2. Subject of Crime a. Spam b. Viruses c. Worms d. Trojan Horses e. Logic Bombs f. Sniffers g. Denial of Service Attacks h. Web Bots & Spiders 3. Instrument of Crime II. GENERAL ISSUES A. Constitutional Issues 1. First Amendment 2. Fourth Amendment B. Jurisdiction 1. Federal Jurisdiction 2. State Jurisdiction C. Other Issues III. FEDERAL APPROACHES A. Sentencing Guidelines B. Federal Statutes 1. Child Pornography Statutes a. Communications Decency Act of 1996 b. Child Pornography Prevention Act of 1996 2. Computer Fraud and Abuse Act a. Offenses Under the Statute b. Jurisdiction c. Defenses d. Penalties 3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 4. Copyright Statutes a. Criminal Copyright Infringement in the Copyright Act i. Defenses ii. Penalties b. Digital Millennium Copyright Act 5. Electronic Communications Privacy Act a. Stored Communications Act b. Title III (Wiretap Act) i. Defenses ii. Penalties c. Statutory Issues 6. Identity Theft a. Penalties 7. Wire Fraud Statute C. Enforcement IV. STATE APPROACHES A. Overview of State Criminal Codes B. Enforcement V. INTERNATIONAL APPROACHES A. Issues B. Solutions
This Article discusses federal, state, and international developments in computer-related criminal law. Section I defines computer crimes, Section II covers the constitutional and jurisdictional issues concerning computer crimes, Section III describes the federal approaches used for prosecuting computer crime and analyzes enforcement strategies, Section IV examines state approaches to battling computer crimes, and Section V addresses international approaches to regulating computer crimes.
A. Defining Computer Crime
The U.S. Department of Justice ("DOJ") broadly defines computer crime as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." (1) Because of the diversity of computer-related offenses, a narrower definition would be inadequate. While the term "computer crime" includes traditional crimes committed with the use of a computer, (2) the rapid emergence of computer technologies and the exponential expansion of the Internet (3) spawned a variety of new, technology-specific criminal behaviors that must also be included in the category of "computer crimes." (4) To combat these new criminal behaviors, Congress passed specialized legislation. (5)
Experts have had difficulty calculating the damage caused by computer crimes due to: (1) the difficulty of adequately defining "computer crime;" (6) (2) victims' reluctance to report incidents for fear of losing customer confidence; (7) (3) the dual system of prosecution; (8) and (4) the lack of detection. (9) In 2006, DOJ's Bureau of Justice Statistics and the Department of Homeland Security's National Cyber Security Division conducted a joint effort to estimate the number of cyber attacks and the number of incidents of fraud and theft of information. (10) It found that nearly 67 percent of businesses reported at least one incident of computer crime the past year. (11)
B. Types of Computer-Related Offenses
1. Object of Crime
DOJ divides computer-related crimes into three categories according to the computer's role in the particular crime. (12) First, a computer may be the "object" of a crime. (13) This category primarily refers to theft of computer hardware or software. Under state law, computer hardware theft is generally prosecuted under theft or burglary statutes. (14) Under federal law, computer hardware theft may be prosecuted under 18 U.S.C. [section] 2314, which regulates the interstate transportation of stolen or fraudulently obtained goods. (15) Computer software theft is only included in this category if it is located on a tangible piece of hardware because the theft of intangible software is not prosecutable under 18 U.S.C. [section] 2314.
2. Subject of Crime
Second, a computer may be the "subject" of a crime. (16) In this category, the computer is akin to the pedestrian who is mugged or the house that is robbed; it is the subject of the attack and the site of any damage caused. These are computer crimes for which there is generally no analogous traditional crime so special legislation is needed. This category encompasses spam, viruses, worms, Trojan horses, logic bombs, sniffers, distributed denial of service attacks, and unauthorized web buts or spiders. Each of these subcategories is defined and discussed below.
In the past, malice or mischief rather than financial gain motivated most offenders in this category. (17) These types of crimes were frequently committed by juveniles, disgruntled employees, and professional hackers as a means of showing off their skills. (18) Disgruntled employees were once widely thought to pose the biggest threat to company computer systems. (19) In sentencing juvenile offenders, courts had a particularly difficult time finding appropriate penalties. (20) However, in recent years these crimes have been committed by an increasingly diverse group of individuals, many of whom are motivated by financial gain. (21)
Spam is unsolicited bulk commercial email from a party with no preexisting business relationship. (22) Spam is so common that in 2009, over 97 percent of all emails sent over the Internet were unwanted. (23) Additionally, hackers often use spam as a way of distributing viruses, spyware, and other malicious software. (24)
A virus is a program that modifies other computer programs, causing them to perform the task for which the virus was designed. (25) It usually spreads from one host to another when a user transmits an infected file by e-mail, over the Internet, across a company's network, or by disk. (26) c. Worms
Worms are like viruses, but they use computer networks or the Internet to self-replicate and "send themselves" to other users, generally via e-mail, while viruses require human action to spread from one computer to the next. (27) Worms have far more destructive potential than viruses because they can spread much faster. (28)
d. Trojan Horses
Trojan horses are programs with legitimate functions that also contain hidden malicious code. (29) Like its namesake, a Trojan horse dupes a user into installing the seemingly innocent program on his or her computer system and then activates the hidden code, which may release a virus or allow an unauthorized user access to the system. (30) Hackers use Trojan horses as the primary means to transmit viruses. (31)
e. Logic Bombs
Logic bombs are programs that activate when a specific event occurs, such as the arrival of a particular date or time. (32) They can be destructive, but software companies also commonly use them to protect against violation of licensing agreements by disabling the program upon detection of a violation. (33)
Sniffers, also known as network analyzers, can read electronic data as it travels through a network. (34) Network administrators use them to monitor networks and troubleshoot network connections. (35) Sniffers can help network administrators find and resolve network problems. (36) However, a hacker can break into a network and install a sniffer that logs all activity across a network, including the exchange of passwords, credit card numbers, and other personal information. (37)
g. Denial of Service Attacks
In a denial of service attack, hackers bombard the target website with an overwhelming number of simple requests for connection, thus rendering the site unable to respond to legitimate users. (38) In distributed denial of service attacks, hackers use the networks of innocent third parties to overwhelm websites and prevent them from communicating with other computers. (39) After breaking into several network systems, the individual makes one system the "Master" system and turns the others into agent systems. (40) Once activated, the Master directs the agents to launch a denial of service attack. (41) The use of third party "agents" makes it particularly difficult to identify the culprit. (42)
h. Web Bots & Spiders
"Web bots" or "spiders" are data search and collection programs that can create searchable databases that catalogue a website's activities. (43) Although seemingly innocuous, too many spiders on the same website can effectively operate as a denial of service attack. In addition, they can steal data from the websites that they search. (44)
3. Instrument of Crime
Third, a computer may be an "instrument" used to commit traditional crimes. (45) These traditional crimes include identity theft, (46) child pornography, (47) copyright infringement, (48) and mail or wire fraud. (49)
II. GENERAL ISSUES
A. Constitutional Issues
This Part addresses general constitutional issues with computer crimes. Specific constitutional issues with federal and state statutes are discussed in the relevant Sections of this Article. Constitutional issues related to computer crimes usually fall under either the First Amendment or the Fourth Amendment. There are also some federalism issues. In particular, there is a question as to how much the federal government can regulate intrastate behavior under the Commerce Clause. This is discussed in the following Part on federal jurisdiction.
1. First Amendment
The First Amendment (50) protects the same forms of speech in cyberspace that it does in the real world. Hate speech and other forms of racist speech receive the same protection on the Internet as they have always received under traditional First Amendment analysis. (51) The guarantee of the First Amendment extends well beyond personally held beliefs to include speech that advocates conduct, even when that conduct is illegal. (52) Racist speech is also probably protected on the Internet, as it is not likely to fit within the "fighting words" exception to the First Amendment. (53)
There is an exception to this general free speech principle for "true threats," (54) such as sending a victim a threatening e-mail messages, or even making a public announcement on the Internet of an intention to commit an act that is racially motivated. (55) A similar exception exists for harassment by e-mail or on the Internet, as long as it is sufficiently persistent and malicious to inflict, or is motivated by a desire to cause substantial emotional or physical harm (56) and is directed at a specific person. (57) Child pornography is not protected either, but finding a sufficiently narrow description to prevent dissemination on the Internet has proven difficult. (58)
In 2008, the Virginia Supreme Court struck down a Virginia statute, which criminalized the falsification of identifying transmission information in unsolicited bulk e-mail messages (spare), as overly broad and infringing on the First Amendment right to engage in anonymous speech. (59) The court emphasized that the statute in question did not distinguish between commercial and non-commercial unsolicited e-mails, including those expressing political and religious messages. (60) Therefore, the statute could not survive strict scrutiny because it was not narrowly tailored to the compelling state interests, as laid out in the federal CAN-SPAM Act, (61) of preserving the efficiency and convenience of e-mail. (62)
2. Fourth Amendment
A number of difficult Fourth Amendment (63) issues inhere in computer crimes. The Fourth Amendment prohibits unreasonable searches and seizures by the government. (64) However, what constitutes a search or seizure with respect to computers is not always clear. There is disagreement as to whether there should be a special approach created for computer-related searches and seizures, or whether it is adequate to draw comparisons from traditional Fourth Amendment analysis. (65)
The Supreme Court has held that a search occurs within the meaning of the Fourth Amendment when government actions violate an individual's legitimate or "reasonable" expectations of privacy. (66) Generally, a person has a reasonable expectation of privacy in a computer she owns in her home, but this is less clear-cut in the workplace. (67) Fourth Amendment issues may also arise when law enforcement intercepts address information on the Internet, such as e-mail addresses and website addresses. Before 2001, the FBI routinely searched similar information on Internet communications without much mention of constitutional issues. (68) The Ninth Circuit has held that obtaining Internet address information by installing a surveillance program at the Internet Service Provider's ("ISP") facility is "constitutionally indistinguishable" from the use of a pen register and, therefore, Internet users have no expectation of privacy in such information. (69) The Fourth Circuit has similarly held that a criminal defendant has no reasonable expectation of privacy in the information he provides to his ISP. (70)
The use of investigative tools devised for eavesdropping on Internet communications may present additional Fourth Amendment questions. (71) The use of a keystroke logger system appears to be constitutional. (72) The constitutionality of other techniques, however, will likely be tested as the government discloses more information about both the nature of its capabilities and the frequency of their application.
Although the Fourth Amendment generally requires specificity in search warrants, broad search warrants have been upheld when addressed to computer crimes. (73) Broad searches have been justified as "about the narrowest definable search and seizure reasonably likely to obtain the [evidence]." (74) There is a circuit split as to whether law enforcement agents with a warrant may search and seize computer files even though doing so might cause seizure of contents having no relation to the crime being investigated. (75) There is also a split as to how the plain view exception (76) should apply to computer files. (77)
Another relevant Fourth Amendment issue is the doctrine of staleness, (78) which "applies when information proffered in support of a warrant application is so old that it casts doubt on whether the fruits or evidence of a crime will still be found at a particular location." (79) The durability of data and graphics stored on computer hardware has drastically extended the period after which the staleness doctrine applies. For example, the Ninth Circuit upheld the validity of a search warrant even though ten-month-old information supported it. (80)
In executing a warrant, agents may seize and search a disk, even if its label indicates that it is not within the scope of the warrant. (81) They may seize an entire computer if they have ample evidence that documents authorized in a warrant could be found on it. (82) Agents may also search computer hardware and software when they have reason to believe that those items contain records covered by the warrant. (83) They may even remove the hardware and software from the owner's premises to conduct their examination.84 They may not, however, seize peripheral items, such as printers, to assist them in their review of the seized items. (85) State courts have split on extending this principle to their search and seizure jurisprudence. (86)
1. Federal Jurisdiction
The majority of federal computer crimes statutes have been enacted under Congress's power "[t]o regulate Commerce ... among the several States...." (87) As the Internet is considered to be both a channel and instrumentality of interstate commerce, it falls under the Commerce Clause's broad power. (88) In the past, most courts treated jurisdictional components of federal statutes as meaningful restrictions, (89) necessitating a case-by-case analysis of a given activity's effect on interstate commerce. (90) However, this line of reasoning has been superseded by the Supreme Court's decision in Gonzales v. Raich. (91) Under Raich, once it has been determined that the federal government has the broad power to regulate a class of activity--such as the possession or production of child pornography--courts cannot excise individual acts of the class simply because they appear economically insignificant. (92) Courts following Raich have ruled that the statute's reach extends to purely intrastate activity. (93)
2. State Jurisdiction
A significant challenge to state officials in prosecuting computer crimes is one of jurisdiction. (94) Jurisdictional problems arise for state prosecutors when the acts are committed out of state (95) because the jurisdictional rules of criminal law require the prosecutor to prove that the defendant intended to cause harm within his state. (96) As a result, many states have broadened their jurisdictional rules to address the new concerns that arise from the global nature of the Internet. (97) For example, Wisconsin's criminal statute permits jurisdiction even when no result occurs in the state. (98) Alabama, California, and South Dakota have statutes providing for jurisdiction where an offense begins outside the state and "consummates" within the state. (99)
C. Other Issues
In addition to constitutional obstacles, federal laws may interfere with computer crime statutes at both the federal and state level. Several laws intended to protect privacy have implications for computer crimes as well. For example, Title III applies to both the government and civilians in situations in which there are Fourth Amendment issues. (100) Title III applies to state actors as well and states may not legislate lower standards for interception, although they may set higher ones. (101)
Another complication arises as a result of additional protection for computer records provided by the Privacy Protection Act of 1980. (102) The statute requires police to obtain a subpoena prior to searching or seizing work product or other materials reasonably believed to pertain to public communications such as newspapers. (103) This protection does not include child pornography. (104) The Privacy Protection Act still applies to other material that may be public communications.
III. FEDERAL APPROACHES
This Section explores the major federal statutes, enforcement strategies, and constitutional issues regarding computer related crimes. The government can charge computer-related crimes under at least forty different federal statutes. (105) There are also a number of traditional criminal statutes whose application to computer crime is unclear. (106) In addition, the federal government has sometimes used the United States Sentencing Guidelines ("Guidelines") to enhance sentences for traditional crimes committed with the aid of computers. (107) This Section discusses the role of the Guidelines in general, key federal statutes in the prosecution of computer crimes, and relevant enforcement efforts. Although the focus of this Article is the federal government's approach to prosecuting criminal computer offenses, past litigation has also sought civil remedies. (108)
A. Sentencing Guidelines
The Guidelines supplement the federal computer crime statutes and help determine how much of the maximum sentence a perpetrator should serve. (109) The Guidelines treat most computer crimes as economic crimes sentenced under section 2B1.1. (110) The Guidelines also dictate "special skills" enhancements for particular crimes including computer crimes. (111)
B. Federal Statutes
Since 1984, Congress has pursued a dual approach to combating computer crime. The Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (112) and subsequent amending acts (113) address crimes in which the computer is the "subject." This line of statutes culminated in the Computer Fraud and Abuse Act ("CFAA"), (114) which is discussed in detail in Section 2. The Federal Government's other approach to regulating computer crime has been to update traditional criminal statutes to reach similar crimes involving computers. (115)
1. Child Pornography Statutes
Federal child pornography statutes have not fared well under the First Amendment. In Reno v. American Civil Liberties Union, (116) the Supreme Court gave an unqualified level of First Amendment protection to Internet communications. (117) Under Reno, legislation will not withstand scrutiny if it requires web surfers or Internet content providers to estimate the age of those with whom they communicate or to tag their communications as potentially indecent or offensive, prior to engaging in "cyberspeech." (118) The Court found that less regulation is necessary to protect children on the Internet compared to television or radio because users rarely come across content on the Internet accidentally and warnings often precede sexually explicit images. (119) The global nature of the Internet also renders it difficult, if not impossible, for users to predict when their potentially offensive communications will reach a minor. (120) Consequently, Reno requires courts to apply unqualified First Amendment scrutiny to speech restrictions affecting the Internet. (121) Note that "unqualified" protection does not cover obscenity or child pornography, which the government may ban. (122) Under this standard, parts of several federal child pornography laws discussed below and all of the Child Online Protection Act of 1998 ("COPA") (123) have been found unconstitutional. (124)
a. Communications Decency Act of 1996
The Communications Decency Act of 1996 ("CDA"), or Title V of the Telecommunications Act of 1996, (125) originally prohibited the transmission of "indecent," (126) "patently offensive," (127) or "obscene" (128) material to minors over the Internet. In Reno v. American Civil Liberties Union, (129) the Supreme Court struck down those portions of the statute that banned "indecent" (130) and "patently offensive" (131) images as being unconstitutionally vague and overbroad. (132) The rest of [section] 223(a), banning transmission of obscene speech to minors, remains in effect. (133)
Under [section] 223(a), knowing transmission of obscene speech or images to minors is punishable by a fine, imprisonment of up to two years, or both. (134) The Guidelines set a base offense level of ten for transportation of obscene matter, which is automatically increased by five levels if the obscene matter is transmitted to a minor. (135) A seven-level upward adjustment is provided if the distribution was intended to convince a minor to engage in prohibited sexual conduct. (136) The base level of the offense can be raised no less than five levels if the offense is related to distribution of material for pecuniary gain. (137) If the material involved in the offense portrays sadistic, masochistic conduct, or other depictions of violence, the offense level increases by four. (138)
b. Child Pornography Prevention Act of 1996
In 1996, Congress passed the Child Pornography Prevention Act (139) ("CPPA"), which criminalized the production, distribution, and reception of computer- generated, sexual images of children. (140) The CPPA sought to prohibit computer transmission of erotic photographs of adults doctored to resemble children. (141) However, in April 2002, the Supreme Court held that two provisions of the statute, which prohibited pornography that appeared to depict minors but actually depicted young-looking adults or virtual child pornography, were unconstitutionally vague and overbroad. (142)
In response, Congress passed the Prosecutorial Remedies and Other Tools to End the Exploitation of Children Today Act of 2003 ("PROTECT Act"). (143) The PROTECT Act includes a prohibition against advertisement, distribution, and solicitation of pornography that reflects a belief or induces others to believe that the material depicts real children. (144) After a number of circuit courts questioned the constitutionality of this provision under the reasoning of Ashcroft v. Free Speech Coalition, (145) the Supreme Court upheld the statute. (146)
2. Computer Fraud and Abuse Act
18 U.S.C. [section] 1030, (147) referred to as the Computer Fraud and Abuse Act ("CFAA"), (148) protects against various crimes involving "protected computers." Because "protected computers" include those used in interstate commerce or communications, the statute covers any computer attached to the Internet, even if all the computers involved are located in the same state. (149)
a. Offenses Under the Statute
The CFAA prohibits seven specific acts of computer-related crime. (150) First, it is a crime to access computer files without authorization and to subsequently transmit, or attempt to transmit, classified government information if the information "could be used" to injure the United States. (151) Second, the CFAA prohibits obtaining, (152) without authorization, information from financial institutions, (153) any department or agency of the United States, or private computers that are used in interstate commerce. (154) Third, it proscribes intentionally accessing a United States department or agency nonpublic computer without authorization. (155) If the government or a government agency does not use the computer exclusively, the illegal access must affect the government's use. (156) Fourth, accessing a protected computer, without authorization, with the intent to defraud and obtain something of value is prohibited. (157)
The fifth prohibition, which addresses computer hacking, has two categories of offenses depending on whether there is intent to cause damage. The first category criminalizes knowingly causing the transmission of a program, code, or command, and intentionally causing damage to a protected computer. (158) This subsection applies regardless of whether the user had authorization to access the protected computer. Thus, company insiders and authorized users can be culpable for intentional damage to a protected computer.
The second category of offenses prohibits intentional access without authorization that results in damage but does not require intent to damage. (159) The statute does not define either "access" or "authorization." (160) However, some courts interpret "access" to mean, at the least, more than passive receipt of information. (161) The culpability for damage caused can be either reckless (162) or negligent. (163) Damage under the statute is "any impairment to the integrity or availability of data, a program, a system, or information." (164)
Sixth, the CFAA prohibits someone from trafficking in passwords knowingly and with intent to defraud. (165) The passwords must either permit unauthorized access to a government computer or the trafficking must affect interstate or foreign commerce. (166) Finally, the CFAA makes it illegal to transmit in interstate or foreign commerce any threat to cause damage to a protected computer with intent to extort something of value. (167) Threats against protected computers only violate the CFAA if they are intended to extort from individuals. (168)
The United States Secret Service has investigatory authority for all violations of the CFAA. (169) The FBI has authority to investigate offenses under (a)(1) that involve espionage, foreign counterintelligence information protected against unauthorized disclosure, or restricted data. (170) Certain offenses for obtaining national security information (171) and damaging a protected computer (172) are also included in the definition of "federal crime of terrorism," bringing them under the express jurisdiction of the Attorney General. (173)
One defense to charges of accessing a protected computer without authorization is that the defendant simply did not "obtain anything of value." (174) The First Circuit interpreted the statutory language "obtain anything of value" to require something more than simply viewing information. (175) Instead, prosecutors must prove that the information was valuable to the defendant in conducting his fraudulent scheme. (176)
In order for the CFAA to apply, a defendant must not only access a protected computer and cause damage, but that damage must cause some additional injury. (177) The damage must be at least $5000 over a one-year period, (178) or lead to potential injury or a threat to public health or safety. (179)
The CFAA punishes attempts to commit an offense as if the offense had been successfully carried out. (180) Additionally, the CFAA has lesser penalties for first-time offenders of the Act than for repeat offenders. The CFAA includes as a repeat offense a subsequent violation of any of the subsections of the act. (181) Thus, a repeat offender can receive an enhanced sentence even if she commits a different type of computer fraud than she committed before. Conviction includes any conviction under state law with a punishment of more than one year if the elements include unauthorized access to a computer. (182)
First-time offenders who obtain national security information or intentionally damage a protected computer are subject to a fine, imprisonment of not more than ten years, or both. (183) Subsections (a)(2), (a)(3), (a)(5)(A)(iii), and (a)(6) have penalties of a fine, imprisonment of not more than one year, or both, for first offenses. (184) First time offenders under [section][section] (a)(4), (a)(5)(A)(ii), and (a)(7) are subject to a fine, imprisonment of not more than five years, or both. (185)
CFAA also differentiates between conduct that involves improper access and conduct in which the defendant uses access for pernicious purposes. It does so by increasing the maximum prison sentence for first time violations of [section] (a)(2) to five years if the crime was committed for financial gain or commercial advantage, in furtherance of a criminal or tortious act, or if the value of the obtained information exceeds $5000. (186) This is the same as the sentencing for first time offenders under [section][section] (a)(4), (a)(5)(A)(ii), and (a)(7). (187)
Repeat offenders may receive much tougher sentences. Maximum sentences under [section][section] (a)(2), (a)(3), (a)(4), (a)(5)(A)(ii), (a)(6), and (a)(7) rise to ten years for recidivists. (188) The maximum sentence goes up to twenty years for repeat offenders who obtain national security information or intentionally or recklessly damage a protected computer. (189)
Sentences also go up considerably if serious injury or death results from the violation. The maximum sentence is twenty years for anyone who "knowingly or recklessly causes or attempts to cause serious bodily injury" by intentionally damaging a protected computer. (190) The maximum sentence is life in prison for anyone who "knowingly or recklessly causes or attempts to cause death" by intentionally damaging a protected computer. (191)
The Guidelines set the base offense level for obtaining national security information at thirty-five if unlawfully accessed national defense information is top secret, and at thirty otherwise. (192) The offense levels for violations of the rest of the CFAA, except subsection (a)(3), are largely dependent on the value of the loss suffered. Subsections (a)(2), (a)(4), (a)(5), and (a)(6) are covered by the Guidelines' section on theft, stolen property, property damage, fraud, forgery, and counterfeiting. (193) The section on trespass covers [section] 1030(a)(3), (194) and the section on extortion covers [section] 1030(a)(7). (195) Attempts to violate the CFAA, a crime under the statute, are also covered by the Guidelines. (196)
3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
Unsolicited commercial email or "spam" has been a growing problem in the
United States for many years. (197) Congress has considered many proposed federal anti-spam bills since 1995, but did not enact a comprehensive statute until December of 2003. (198) The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (199) ("CAN-SPAM") was enacted to establish a national standard for email solicitations. (200) The CAN-SPAM Act has several key provisions that affect persons or companies sending commercial solicitations via email. Section 1037 of Title 18 prohibits a number of well-known deceptive and/or fraudulent practices commonly used in commercial emails. (201) These techniques include using deceptive subject lines, providing false or misleading header information, and using another computer to relay email messages without authorization to prevent anyone from tracing the email back to its sender. (202) Section 7704 of Title 15 further prohibits similar deceptive practices, requiring that a commercial email include a method for the recipient to "opt-out" of future solicitations and that the subject line contain a warning if the email contains sexually oriented material. (203)
The CAN-SPAM Act has provisions for both fines and criminal penalties enforced by the FTC and the DOJ. (204) A violator of the act is subject to a fine of up to $16,000 for each email in violation of the law. (205) An individual may be subject to criminal penalties, including imprisonment, for using someone else's computer to send spam, using false information to create multiple email addresses, sending multiple spam messages and deceiving the recipient about the origin of the messages, generating email addresses through dictionary attacks, and using open relays and proxies. (206)
4. Copyright Statutes
Copyright violations are particularly harmful to computer software developers. (207) Software piracy presents unique challenges to law enforcement because of the various ways the crime can be committed, (208) the ease (209) and minimal cost of reproduction, (210) and the minimal degradation (if any) in the quality of pirated software. (211) The difficulty of detection also exacerbates the problem of electronic infringement. (212) Many of these issues also apply to other media in digital form. (213)
a. Criminal Copyright Infringement in the Copyright Act
Persons who unlawfully copy and distribute copyrighted material by computer may be subject to punishment for criminal copyright infringement. (214) The criminal copyright infringement statute has four elements: (215) (i) existence of a valid copyright; (216) (ii) that the defendant willfully; (217) (iii) infringed; (218) and (iv) either (1) for commercial advantage or private financial gain, (219) (2) by reproducing or distributing infringing copies of works with a total retail value of more than $1000 over a 180-day period, or (3) by distributing "a work being prepared for commercial distribution" by making it available on a publicly-accessible computer network. (220)
Under the first sale doctrine, one who legally purchases a copy of a copyrighted work may freely distribute that particular copy. (221) The alleged copyright infringer bears the burden of proving that the first sale doctrine applies. (222) This defense does not apply to computer software copyright infringement if the software is distributed by licensing agreement. (223)
The fair use doctrine permits non-copyright holders to make use of copyrighted works for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. (224) The "fair use" defense requires consideration of four factors: (225) (i) the purpose and character of the use; (226) (ii) the nature of the copyrighted work; (227) (iii) the amount and substantiality of the portion used in relation to the work as a whole; (228) and (iv) the effect of the use upon the potential market or value of the work. (229) The factors are not to be considered in isolation, but "are to be explored, and the results weighed together, in light of the purposes of copyright." (230) The fourth factor is often emphasized as the most important element in determining fair use. (231)
Section 2319 of Title 18 sets forth the punishment for criminal copyright infringement. (232) Section 2319(c) provides variable prison terms and fines for copyright infringements through the reproduction or distribution of one or more copies or phonorecords with a total retail value of more than $1000: (i) first- time offenders who reproduce or distribute more than ten copies or phonorecords of one or more copyrighted works that have a total retail value of $2500 or more face up to three years in prison; (ii) subsequent offenders face up to six years imprisonment; and (iii) those who reproduce or distribute one or more copies or phonorecords of one or more copyrighted works that have a total retail value of $1000 or more face up to one year's imprisonment. (233)
Sentences for defendants convicted of criminal copyright infringement are determined by considering [section] 2B5.3 of the Guidelines. (234) The base offense level is eight. (235) If the retail value of the infringing items (236) exceeds $2000, then the offense level is increased by the corresponding number of levels from the table in [section] 2B 1.1 (237)
b. Digital Millennium Copyright Act
The Digital Millennium Copyright Act of 1998 ("DMCA") (238) generally prohibits tampering with any access control or copy control measures applied to digital copies of copyrighted works. (239) Section 1201 prohibits circumvention of technological measures used to protect copyrighted works. (240) "[A] technological measure 'effectively controls access to a work' if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work." (241) "[To] 'circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." (242) No person may manufacture, import, offer to the public, provide, or otherwise traffic (243) in a technology, (244) product, service, or device (245) that is used to circumvent (246) such technological measures, if one of the following conditions is met: (i) the technology, product, service, or device is primarily designed or produced to circumvent; (ii) it has only limited commercial use other than that prohibited by the statute; or (iii) it is marketed for use in circumventing. (247) A number of exceptions are available for research and other purposes. (248)
In Universal Cir. Studios, Inc. v. Reimerdes, (249) the United States District Court for the Southern District of New York acknowledged that [section] 1201 is in tension with the fair use doctrine in [section] 107 of the Copyright Act. (250) Despite this tension, the court held that DMCA does not unduly frustrate the purpose of the fair use doctrine because DMCA provides exceptions for those uses it considers fair. (251) The court ruled that the fair use doctrine is unavailable as a defense under [section] 1201 because production of a technology circumvention measure does not qualify as a use of a copyrighted work; furthermore, the prohibition on circumvention does not extend to an individual who has already obtained an authorized copy of a copyrighted work. (252)
Section 1202 prohibits interference with the integrity of copyright management information. (253) "Copyright management information" includes: (i) the name of the work; (ii) the name of the author; (iii) the name of the copyright owner; (iv) the name and other identifying information about the author of a performance fixed, for example, on audio CD; (v) the name and other identifying information about the writer, performer, or director of a fixed audio-visual work; and (vi) terms and conditions of use. (254) Finally, "copyright management information" includes any information that the Register of Copyrights may require by regulation. (255)
Section 1202(a) prohibits knowing dissemination of false copyright management information, if done with the intent to induce, enable, facilitate, or conceal copyright infringement, while [section] 1202(b) prohibits the intentional removal of copyright management information and the dissemination of works from which the copyright management information has been removed. (256) The statute also prohibits tampering with the symbols that refer to this information, including Internet hypertext links to web pages containing copyright management information. (257)
The "safe harbor defense" provides a defense against contributory liability for ISPs whose services are used to violate the DMCA. (258) An ISP is exempt from liability if it: (i) did not know of the infringement or the facts making infringement apparent; (ii) received no material benefit from the infringement; and (iii) acted expeditiously to remove the offending sites once it was made aware of them. (259)
Violation of either of these sections is subject to a maximum fine of $500,000 or up to five years imprisonment, or both, for a first offense, and a maximum fine of $1,000,000 or up to ten years imprisonment, or both, for repeat offenses. (260)
5. Electronic Communications Privacy Act
The Electronic Communications Privacy Act of 1986 ("ECPA") (261) regulates crimes with no close "traditional crime" analog, such as hacking. Unlike CFAA, ECPA approaches such crimes by updating existing federal prohibitions against intercepting wire and electronic communications. (262) ECPA updated Title III and also created the Stored Communications Act ("SCA"). (263) ECPA attempts to curb hacking activities by fortifying the privacy rights of computer users (264) and enabling law enforcement officers to employ electronic surveillance in the course of investigating computer crimes. (265) The government has used ECPA to prosecute hackers, (266) although they generally rely on CFAA for such prosecutions. (267) Prosecutors have invoked ECPA, however, against piracy of electronically encrypted, satellite-transmitted television broadcasts. (268) Devices used to intercept cable television signals likewise fall within ECPA's purview. (269)
a. Stored Communications Act
Congress intended for the SCA to protect stored email and voicemail. The SCA prohibits any person from (1) intentionally accessing, without authorization, a facility through which an electronic communication service is provided or (2) intentionally exceeding authorization to access that facility and obtains, alters, or prevents authorized access to a communication in electronic storage. (270)
There is a good faith defense available for parties who reasonably relied on a warrant, grand jury subpoena, or other exception to the SCA. (271) In addition, the SCA does not apply to ISPs reading stored communications on their own systems, (272) nor does it apply if one of the parties to the stored communication gives permission to access. (273)
For violations of the SCA a first-time offender shall be fined under Title 18, imprisoned for not more than one year, or both. If the SCA is violated for purposes of private financial gain or malicious destruction or damage, a first-time offender shall be fined under Title 18, imprisoned for not more than five years, or both. (274) A repeat offender shall be fined under Title 18, imprisoned for not more than ten years, or both. (275) In a case not involving private financial gain or malicious destruction or damage, a repeat offender shall be fined under Title 18, imprisoned for not more than five years, or both. (276) Additionally, the SCA's provisions for money damages can address governmental as well as private transgressions. (277)
b. Title III (Wiretap Act)
ECPA extended the prohibitions in Title III of the Omnibus Crime Control and Safe Streets Act of 1968 ("Title III") (278) on intercepting oral and wire communication to include electronic communications intercepted during transmission. (279) Title III was originally intended to protect the privacy of communications by codifying the Fourth Amendment standards for wiretapping and applying them to civilians. (280) Now, Title III prohibits any person from intercepting or attempting to intercept any "wire, oral, or electronic communication." (281)
Under Title III, the government needs a court order for a wiretap. (282) Before issuing such an order, the court will require a showing that normal investigative techniques for obtaining the information have failed, are reasonably likely to fail, or are too dangerous to attempt. (283) It may also require the government minimize the intrusion of any interception. (284) The application to the court must provide additional detail, including: whether there have been previous interceptions of the target's communications; the identity of the target (if known); the nature and location of the communication facilities; and a description of the type of communications sought and the offenses to which the communications relate. (285)
Senior DOJ staff, the principal prosecuting attorney of a state, or an attorney for the government must approve the Title III application, depending on the circumstances. (286) The interception can last no longer than thirty days without an extension by the court. (287) Courts may also require that they receive reports detailing the progress made toward the authorized objective and the need for continued interception. (288) In addition, the DOJ has other procedures governing the use of Title III surveillance, including requiring approval from the Office of Enforcement Operations ("OEO") in the Criminal Division of the DOJ. (289)
There is a good faith defense available for parties who reasonably relied on a warrant, grand jury subpoena, statutory authorization, or other exception to Title 111. (290) Title III also allows computer service providers who are victims of attacks by computer trespassers to authorize persons acting under color of law to monitor trespassers on their computer systems in a narrow class of cases without a court order. (291) A computer trespasser is a person "who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communications transmitted to, through, or from the protected computer." (292) This definition does not encompass those persons known to have an existing contractual relationship with the owner or operator for access to all or part of the protected computer. (293) Interception of an unscrambled satellite communication intended for retransmission to the public is also not punishable under this section. (294) Keystroke loggers may also be exempt under Title III. (295)
Remedies for violating Title III include criminal sanctions, civil suits, and adverse employment actions for law enforcement officials. (296) For repeat offenders, a violation of Title III can result in a fine, imprisonment for not more than five years, or both. (297) If offenders violate the statute for purposes other than private financial gain and the illegally received communication is not scrambled or part of a cellular telephone communication, punishment is limited to injunctive relief and, for repeat offenders, a civil fine. (298)
Under the Guidelines, defendants convicted of intercepting communications or eavesdropping generally receive a base offense level of nine; defendants will receive a level of six if the offense carries a statutory maximum term of imprisonment of more than six months and less than one year. (299) If the purpose of the conduct was to obtain direct or indirect commercial advantage or economic gain, the offense level is increased by three. (300) Additionally, if the purpose of the conduct was to facilitate another offense with a higher offense level, the guideline applicable to an attempt to commit that offense applies. (301)
Moreover, evidence seized in violation of Title III or the Fourth Amendment may be suppressed. (302) Additionally, Title III's provisions for money damages can address governmental as well as private transgressions. (303)
c. Statutory Issues
Effectively, Title III governs communications in transit, while the SCA governs communications in storage. However, while it is clear that the Wiretap Act governs stored wire communications, courts have struggled to define the status of electronic communications such as e-mail, which may be stored temporarily during transmission. In determining whether an activity falls under the SCA or Title III, courts have been primarily concerned by the definition of the statutory term "intercept." Many decisions have adhered to the view that an "intercept" is a data acquisition that occurs contemporaneously with transmission of the data. (304) In Steve Jackson Games, Inc. v. U.S. Secret Service, (305) the Fifth Circuit reasoned that, because Congress explicitly included stored communications in the statutory definition of "wire communication," (306) its failure to include stored communications in the definition of "electronic communications" (307) indicated that Congress intended to exclude stored communications from the Wiretap Act. (308) In 2002, the Ninth Circuit adopted this analysis, relying in part on the USA PATRIOT Act. (309) The Eleventh and Third Circuits have also chosen to follow this analysis. (310)
In contrast, the First Circuit espoused a different view in United States v. Councilman. (311) In Councilman, the court implicitly rejected the "contemporaneous acquisition" theory by holding that interception of electronic communications took place even though the intercepted e-mails had been stored periodically during transmission, finding temporary storage during transmission to be intrinsic to the e-mail process. (312) The Court interpreted the legislative history of the ECPA to indicate that Congress did not intend to remove electronic communications from the scope of the Wiretap Act while they are in temporary storage en route to their destinations. (313)
It is possible to distinguish the facts in Councilman from similar cases in the other circuits, although the logical extension of the legal reasoning remains in conflict. For example, in Steve Jackson, (314) the Fifth Circuit found that unread e-mail in the recipient's mailbox is stored and therefore was not intercepted even though the recipient had not read it yet. (315) However, the interception in Councilman took place before the file reached the user's mailbox. (316) The two cases can be reconciled by assuming that e-mail transmission ends at the user's mailbox, not when the user opens the e-mail. (317)
6. Identity Theft
Section 1028 of Title 18 prohibits the knowing transfer, possession, or use of a means of identification of another person, such as name, social security number, and date of birth, to commit a crime. (318) It prohibits the production, (319) transfer, (320) or possession, in certain circumstances, (321) of false (322) or illegally issued identification documents. It further prohibits production, transfer, or possession of a "document-making implement," (323) with the intent to use it in the production of a false identification document. (324) The term "transfer" includes making available online either a false identification document or a document-making implement. (325)
The illegal production, transfer, or use of any means of identification is punishable by a fine, a maximum sentence of five years imprisonment, or both; (326) the maximum term of imprisonment increases to fifteen years if the production or transfer involves an identification document issued under the authority of the United States, or if it involves more than five fraudulent documents. (327) If the offense nets the perpetrator more than $1000 in a year, the maximum term of imprisonment is fifteen years, regardless of the number of means of identification involved. (328) Up to twenty years imprisonment is prescribed for these crimes for repeat offenders, if the crime is intended to aid drug trafficking, or is committed in connection with a violent crime. (329) There is a maximum sentence of thirty years if the crime is committed to "facilitate an act ... of terrorism." (330)
The Guidelines ordinarily apply a baseline of six with upward departures based on the size of the monetary loss. (331) Where the primary purpose of the offense is to violate, or assist in violating, immigration laws, different sections apply. (332) Furthermore, where the established schedule does not fully capture the harmfulness and seriousness of the conduct, an upward departure beyond that which the Guidelines recommend is permissible. (333)
7. Wire Fraud Statute
The Federal Wire Fraud Statute (334) prohibits the use of interstate wire communications to further a fraudulent scheme to obtain money or property. (335) Several cases have held that the Wire Fraud Statute applies to computer crimes. (336) District courts have taken divergent positions as to whether the wire fraud statute reaches copyright infringement. (337) Partly as a response to these decisions, Congress amended the Copyright Act to criminalize the willful infringement of a copyright, by electronic means, "if the infringement was committed by the reproduction or distribution ... during any 180-day period of 1 or more copies ... of one or more copyrights works, which have a total retail value of more than $1000." (338)
Penalties for violation of the wire fraud statute can be severe. Violations of the Wire Fraud Statute are punishable by fines, imprisonment of up to twenty years, or both. (339) If the violation affects a financial institution, the punishment is a fine of not more than $1,000,000, imprisonment of not more than thirty years, or both. (340) Violation of the Wire Fraud Statute is also a predicate offense for RICO and money-laundering charges. (341)
Defendants convicted of wire fraud are subject to punishment for deprivation of the intangible right to the honest services. (342) In a recent case, the Supreme Court limited such criminal penalties to cases involving bribes and kickbacks. (343) The base offense level is fourteen, and is increased if the loss to the government or the value gained by a public official exceeds $5000. (344) If the offense involves an elected official or one holding a decision-making or sensitive position, the offense level increases by tour. (345) Otherwise, the base offense level is six and increases according to the table in that provision if the gain or loss exceeds $5000. (346)
Computer crimes are notoriously difficult to prosecute due to both the nature of the technology itself and the relative unfamiliarity of law enforcement with the technology. For example, people may encrypt data so that even if law enforcement seizes or intercepts the data, they will be unable to understand its contents or use it as evidence. The nature of the Internet allows people to engage in criminal conduct online with virtual anonymity. (347) With respect to computer crimes such as hacking, a victim may never realize that anyone attacked her. Further impeding law enforcement, many private and commercial entities that do detect an intrusion are afraid to report offenses due to the potential for negative publicity. (348)
In 2003, Congress took steps to combat identity theft by passing the Fair and Accurate Credit Transactions Act. (349) This Act directed the FTC and other agencies to develop regulations requiring financial institutions and creditors to address the risk of identity theft. (350) The FTC in turn issued the "Red Flags Rules", which requires all such institutions to develop and implement written identity theft prevention programs. (351) Due to ambiguity of which institutions are covered under the Rule, the FTC has delayed enforcement of the Rule several times. (352)
The FBI and DOJ have created numerous programs and deployed new technologies to aid in the investigation and prosecution of computer crime. In 2002, the FBI launched its Cyber Division, dedicated to investigating computer crimes. (353) The Cyber Division is designed to act as a central coordinator for the FBI divisions that address computer crimes. (354) Specifically, the Cyber Division is responsible for criminal investigations of intellectual property, high-tech, and computer crimes. (355) The Cyber Division also has jurisdiction over investigations of online child pornography through the Innocent Images National Initiative ("IINI"). (356) Between fiscal years 1996 and 2007, there was a 2062 percent increase in the number of IINI cases opened. (357) The FBI also investigates computer crimes through its Internet Crime Complaint Center ("IC3"), (358) which acts as an intermediary between law enforcement agencies and victims of computer fraud. In 2009, the IC3 received 336,655 complaints of Internet-based fraud and other crimes, a 22.3 percent increase over the previous year. (359)
DOJ's efforts to combat computer crime are centralized in its Computer Crime and Intellectual Property Section ("CCIPS"). (360) The CCIPS is responsible for prosecuting computer crimes, lobbying for strengthened penalties, and pushing for expanded coverage of the federal computer crime statutes. (361)
In March of 2004, the DOJ launched a Task Force on Intellectual Property to signal a renewed emphasis on combating intellectual property crime. (362) This became part of a multi-agency Strategy Targeting Organized Piracy ("STOP") initiative involving the Department of Commerce, Department of Homeland Security, and the Office of the United States Trade Representative. (363) The Task Force has called for an expansion of the Computer Hacking and Intellectual Property ("CHIP") program. (364) CHIP units within U.S. Attorney's offices work closely with the FBI and other agencies to establish relationships with the high-tech community and encourage them to refer cases to law enforcement. (365) In addition to investigating and prosecuting computer crimes, CHIP provides specialized training for law enforcement and businesses on preventing, detecting, and investigating breaches in cyber security. (366) DOJ has continued this focus on intellectual property crime by forming a new DOJ Task Force on Intellectual Property in 20 10. (367)
DOJ has also stepped up its enforcement of child pornography laws. Through its Child Exploitation and Obscenity Section ("CEOS"), DOJ provides training and assistance to law enforcement officers throughout the country. (368) In 2002, DOJ formed the High Tech Investigative Unit ("HTIU") within CEOS. (369) The HTIU is a multi-agency computer forensic and investigatory unit targeting child pornography and offenses against children that occur or are facilitated by the Internet. Prosecution of child pornographers appears to be increasing, despite the constitutional challenges to the various Federal Child Pornography statutes. (370) In 2010, the DOJ continued these efforts through the adoption of its National Strategy for Child Exploitation Prevention and Interdiction. (371)
Given the global nature of Internet-related crimes, CCIPS and CEOS must work with many other countries to achieve effective prosecution of cases involving organized Internet piracy and Internet-related child exploitation. (372) Even so, the proliferation of computer bulletin boards, peer-to-peer networking, and other online services has created an ongoing qualitative and quantitative challenge. (373)
IV. STATE APPROACHES
A. Overview of State Criminal Codes
In 1978, state legislatures began enacting computer crime statutes, beginning with Arizona (374) and Florida. (375) Since then, every state has enacted some form of computer-specific criminal legislation. (376) Approximately half of the states modeled their statutes on the 1977 or 1979 versions of the proposed Federal Computer Systems Protection Act, (377) while the remainder enacted comprehensive computer-assisted crime statutes less closely related to the proposed federal legislation. (378) The precise definitions and penalties in these specialized provisions offer significant advantages over general criminal codes by explicitly addressing the unique issues posed by computer crimes, thereby promoting computer security, enhancing deterrence, and facilitating prosecution. (379)
Like the federal statutes, many of the state statutes divide computer crimes into the same three categories: "crimes where a computer is the target, crimes where a computer is a tool of the crime, and crimes where a computer is incidental." (380)
Reforms in state computer crime statutes have included provisions expanding forfeiture of computer equipment used in crimes, allowing state authorities to seize property involved in computer crimes. (381) Some states have begun to respond to the growing concerns of online harassment by criminalizing online threats by including electronic communications under "unconsented contact" in anti-stalking statutes, (382) and incorporating computers and electronic communications devices into general telephone harassment statutes. (383) Other state statutes specifically address the problem of offenders whose target victims are minors. (384) These statutes, however, may face significant constitutional challenges on First Amendment grounds. (385)
One particularly widespread initiative among the states is the effort to thwart unsolicited commercial or bulk e-mail ("spam"). Thirty-seven states have enacted anti-spam laws regulating the use of Internet communications to send unsolicited advertisements for the purpose of promoting real property, goods, or services for sale or lease. (386)
Other states have recognized that prevention may be less difficult than apprehending and prosecuting computer criminals. Several states have enacted statutes that provide a civil cause of action for compensatory damages, (387) thereby encouraging victims of computer crimes to come forward.
In order to prevent the proliferation of "spyware," a type of software usually unknowingly installed that collects a computer user's private information or displays unsolicited advertisements to the user, several states have enacted "anti-spyware" laws, often with criminal penalties. (388) In those states that do not have laws specifically directed to spyware, moreover, those provisions that address computer crime, fraudulent practices, and identity theft will often apply to spyware practices. (389) However, spyware companies are rarely criminally prosecuted. (390)
In the absence of federal legislation, twenty-three states (391) have passed legislation protecting private personal information and setting requirements for the use and storage of such data. (392) Most of these statutes closely follow the provisions of the landmark statute passed by California in 2002. (393)
In the wake of high-profile cases such as that of Megan Meier, (394) many states are beginning to address the issue of "cyber-bullying". (395) These state statutes are being enacted in order to cover perceived lack of legislative coverage at both the state and federal levels. (396) Cyber-bullying legislation has recently been proposed at the federal level as well. (397)
Prosecution of computer crimes under state law has been increasing. (398) In 2005, 60 percent of prosecutors' offices reported prosecuting either felony or misdemeanor computer-related crimes under their state's computer statutes. (399) In addition, 89 percent of offices serving populations of one million or more reported conducting such prosecutions. (400) While the prosecution of child pornography was the most popular charge, state prosecutors have also charged computer crimes ranging from credit card fraud, to unauthorized access to computers, to cyber stalking. (401)
V. INTERNATIONAL APPROACHES
Developing an international paradigm for addressing computer crime is difficult, given the global nature of the technology. This Section covers issues in international computer crime law and addresses solutions to these problems, as well as areas of convergence and cooperation among nations, international organizations, and private corporations.
All nations continue to struggle to define computer crimes and develop computer crime legislation applicable to both domestic and international audiences. (402) Purely domestic solutions are inadequate because cyberspace has no geographic or political boundaries, (403) and because many computer systems can be easily and surreptitiously accessed from anywhere in the world. (404) International financial institutions are common targets for computer fraud and embezzlement schemes. (405) In addition, the development of sophisticated computer technology has enabled organized crime and terrorist groups to bypass government detection and carry out destructive acts of violence. (406) Even when computer-specific criminal statutes are in place, however, the rules of evidence in several industrialized countries could continue to hinder prosecutions until they adapt them to computer crimes. (407)
Countries that restrict their political discourse face the problem that the Internet provides a source of "illegal" information that is difficult to regulate. (408) Moreover, what constitutes "acceptable" speech in the various countries on the information super-highway differs greatly. In Germany and France, the dissemination of Nazi propaganda and paraphernalia is illegal. (409) Such material, however, is easily accessible via the Internet. Countries observing strict Islamic law have similar problems. (410)
Solutions to freedom of expression issues on the Internet have varied widely. France and Germany initially tried to target ISPs. (411) Germany has since decided not to hold ISPs "liable for content they merely transmit." (412) China, on the other hand, has implemented regulations that criminalize the "distribution or consumption via the Internet of ... 'harmful information." (413) Cuba has addressed the problem by limiting Internet access, allowing only 200,000 of its some eleven million citizens to have access. (414)
Intellectual property crimes are also a serious problem in the international arena. International software piracy remains endemic. (415) Software piracy remains at around 43 percent worldwide. (416) In practical terms, this means that approximately 43 percent of all business software applications existing on PCs around the world continue to be unpaid-for, illegal copies. (417)
While "computer crime" remains loosely defined, most industrialized countries have amended their law to address four needs created by computer crimes: (i) protection of privacy; (ii) prosecution of economic crimes; (iii) protection of intellectual property; (418) and (iv) procedural provisions to aid in the prosecution of computer crimes. (419) Worldwide, national governments are adopting computer- specific criminal codes that address unauthorized access and manipulation of data similar to the CFAA. (420)
While a number of differences remain, there are significant areas of convergence in nations' legislation. (421) By defining specific new offenses and penalties, these codes avoid analytical difficulties that arise when general criminal laws are applied to computer crimes. There have also been two significant steps towards achieving a uniform transnational legal framework for addressing multinational computer-related crimes. First, forty-six countries have signed the Council of Europe's Treaty on Cybercrime. (422) The Treaty requires parties to: (i) establish substantive laws against cybercrime; (ii) ensure that their law enforcement officials have the necessary procedural authorities to investigate and prosecute cybercrime effectively; and (iii) provide international cooperation to other parties in the fight against computer-related crime. (423) The Convention entered into force for the United States on January 1, 2007. (424) Second, the United States participates in the Subgroup on High-Tech Crime at G-8's Lyon Group. (425) One accomplishment of the Subgroup is the development of a network that allows law enforcement authorities of member nations to contact each other for rapid assistance in investigating computer crime and preserving electronic evidence. (426)
In addition to increased multinational governmental cooperation, international organizations and private corporations are also working to combat international computer crimes by contributing to the drive to harmonize national legislation. (427) For example, the Business Software Alliance, a software industry trade group, has an international copyright enforcement program involving national software trade associations and law enforcement agencies. (428) Nonetheless, international efforts have been mixed.
(1.) NAT'L INST. OF JUSTICE & DEPT. OF JUSTICE, COMPUTER CRIME: CRIMINAL JUSTICE RESOURCE MANUAL 2 (1989) [hereinafter DOJ COMPUTER CRIME MANUAL]; see also BLACK'S LAW DICTIONARY (9th ed. 2009) (defining computer crime as "[a] crime involving the use of a computer"); Jo-Ann M. Adams, Comment, Controlling Cyberspace: Applying the Computer Fraud and Abuse Act to the Internet, 12 SANTA CLARA COMPUTER & HIGH TECH. L.J. 403,409 (1996) (defining computer crime as "those crimes where knowledge of a computer system is essential to commit the crime").
(2.) See, e.g., United States v. Saxena, 229 F.3d 1, 4 (1st Cir. 2000) (finding Internet distribution of financial information constituted fraud against investors); eBay, Inc. v. Bidder's Edge, Inc., 100 F.Supp. 2d 1058, 1065-67 (N.D. Cal. 2000) (analyzing a traditional trespass claim brought as a result of actions occurring on the Internet); see also infra Part III.B.I (discussing Internet distribution of child pornography); infra Part III.B.4 (discussing copyright infringement).
(3.) See Reno v. ACLU, 52l U.S. 844, 849, 852-53 (1997) (characterizing the Internet as "an international network of interconnected computers ... [with] content ... as diverse as human thought ... comparable ... to both a vast library including millions of readily available and indexed publications and a sprawling mall offering goods and services.").
(4.) See Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REV. 1003, 1013 (2001) (describing different types of computer crimes with no real-world analogue); Eric J. Sinrod & William P. Reilly, Cyber-Crimes: A Practical Approach to the Application of Federal Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L.J. 177, 181-87 (2000) (discussing "hacking," which involves unauthorized access to computer files, programs, or websites).
(5.) See Stephen P. Heymann, Legislating Computer Crime, 34 HARV. J. ON LEGIS. 373, 373-91 (1997) (analyzing technological advances that require new criminal legislation).
(6.) See Joseph M. Olivenbaum, Ctrl-Alt-Delete: Rethinking Federal Computer Crime Legislation, 27 SETON HALL L. REV. 574, 575 n.4 (1997) (arguing there exists a "protean difficulty [in] defining a computer crime"). Compare Int'l Ass'n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F.Supp. 2d 479, 499 (D. Md. 2005) (noting that 18 U.S.C. [section] 2701 is directed against unauthorized users gaining access to protected computers rather than against authorized users gaining access for larcenous acts), with Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006) ("[18 U.S.C. [section] 1030] is concerned with ... attacks by virus and worm writers ... from the outside, and attacks by disgruntled programmers.").
(7.) See Shannon L. Hopkins, Cybercrime Convention: A Positive Beginning to a Long Road Ahead, 2003 J. HIGH TECH. L. 101, 108; see also Chris J. Hoofnagle, Identity Theft: Making the Known Unknowns Known, 21 HARV. J.L. & TECH. 97, 107 (2007) (arguing that victim reluctance to report computer crimes make statistics suspect); Bob Tedeschi, E-Commerce Report; Crime is Soaring in Cyberspace, but Many Companies Keep it Quiet, N.Y. TIMES, Jan. 27, 2003, at C4, available at http://www.nytimes.com/2003/01/27/business/e-commerce-report- crime-soaring-cyberspace-but-many-companies-keep-it-quiet.html (listing not only loss of consumer confidence, but also "fear of attracting other cyberattacks" and "inviting the ridicule of their competitors" as reasons companies fail to report computer crime).
(8.) See Olivenbaum, supra note 6, at 575 n.4 (arguing that the dual system of prosecution renders statistics suspect).
(9.) U.S. GEN. ACCOUNTING OFFICE, INFORMATION SECURITY; COMPUTER ATTACKS AT DEPARTMENT OF DEFENSE POSE INCREASING RISKS, GAO/AIMD 96-84, at 3 (1996) (revealing the Defense Information Systems Agency intentionally "attacked" 38,000 DOD computers to test security and of the 24,700 penetrations only 4% were detected, and only 27% of those were reported).
(10.) Ramona R. Rantala, Cybercrime Against Businesses, 2005, BUREAU OF JUSTICE STATISTICS, http:// bjs.ojp.usdoj.gov/content/pub/pdf/cb05.pdf (last updated Oct. 27, 2008).
(12.) See DOJ COMPUTER CRIME MANUAL, supra note 1.
(13.) See id.
(14.) See, e.g., Commonwealth v. Sullivan, 768 N.E.2d 529, 532 (Mass. 2002) (affirming a burglary conviction for theft of computers); State v. Geer, 799 So. 2d 698 (La. Ct. App. 2001) (upholding sentencing of a man who pled guilty to state burglary charges for stealing a computer and other items).
(15.) See, e.g., United States v. Coviello, 225 F.3d 54, 62 (1st Cir. 2000) (stating that, where defendant is convicted for conspiracy to transport stolen computer disks in interstate commerce, a sentence enhancement is warranted based on the value of the intellectual property located on the disks).
(16.) See DOJ COMPUTER CRIME MANUAL, supra note 1, at 2.
(17.) See Reid Skibell, Cybercrimes & Misdemeanors: A Reevaluation of the Computer Fraud and Abuse Act, 18 BERKELEY TECH. L.J. 909, 919-21 (2003) (contrasting older studies of hackers motivated by curiosity, voyeurism, or a sense of power with modern observations of computer "crackers" primarily interested in profit).
(18.) See Julie Tamaki, Famed Hacker Is Indicted by U.S. Grand Jury, L.A. TIMES, Sept. 27, 1996, at B1, available at http://articles.latimes.com/1996-09-27/local/me-48189_l_grand_jury (stating notorious hacker became
an "anti-authority hero in the world of renegade hackers" when he caused millions of dollars in damage); see also Sinrod & Reilly, supra note 4, at 183-85 (discussing motives of hackers, such as sending a political message, being a disaffected employee, or thrill-seeking).
(19.) See Bob Drogin, U.S. Scurries to Erect Cyber-Defenses Security: As Threat Rises, Government Task Force Prepares for Internet Combat, L.A. TIMES, Oct. 31, 1999, at Al (mentioning that most computer crimes pending at the FBI involve disgruntled employees who sabotage computers for revenge); Donna Howell, Network Security Hackers, Security Firms Wage Code War, INVESTOR'S BUS. DAILY, May 2, 2000, at A8 (discussing how an employee launched an attack against a bank's computers from inside the system, even though the bank's computer network was secure from external hackers).
(20.) See, e.g., Boucher v. Sch. Bd., 134 F.3d 821, 825-29 (7th Cir. 1998) (allowing student to be expelled after he wrote an article about how to hack into the school's computer, which was published in an underground newspaper); Thrifty-Tel, Inc. v. Bezenek, 54 Cal. Rptr. 2d 468, 476-77 (Cal. Ct. App. 1996) (allowing parents to be held civilly liable for charges when their sons hacked the phone company's authorization and access codes).
(21.) See, e.g., Cassell Bryan-Low, Virus for Hire: Growing Number of Hackers Attack Web Sites for Cash Entrepreneur Asked a Team to Mastermind Strikes Against Rivals, U.S. Says--WeaKnees on Its Knees, WALL ST. J., Nov. 30, 2004, at A1 (describing the indictment of a businessman who paid someone to launch a virus attack against WeaKnees over a proposed business deal); see also Skibell, supra note 17; Bob Sullivan, Consumers Still Falling for Phish: FTC, DOJ Announce Prosecution of Teen-ager, MSNBC, Mar. 22, 2004, http://www.msnbc.msn.com/id/4580909 (discussing case of nineteen-year-old college student who pleaded guilty to stealing identities by using a "phishing" scam); Skibell, supra note 17.
(22.) See Matthew B. Prince, After CAN-SPAM, How States Can Stay Relevant in the Fight Against Unwanted Messages: How a Children's Protection Registry Can be Effective, and Is Not Preempted, Under the New Federal Anti-Spare Law, 22 J. MARSHALL J. COMPUTER & INFO. L. 29, 45 (2003).
(23.) Darren Waters, Spare Overwhelms E-mail Messages, BBC NEWS (Apr. 8, 2009), http://news.bbc.co.uk/2/ hi/technology/7988579.stm.
(24.) S. REP. No. 108-102, at 6 (2003); see Thomas Claburn, Spare Costs Billions, INFO. WK. (Feb. 3, 2005), http://www.informationweek.com/news/security/vulnerabilities/ showArticle.jhtml?articleID=59300834&queryText=claborn%20spam %20costs%20billions (reporting a study found that spam costs U.S. companies $21.58 billion annually in lost productivity).
(25.) Katyal, supra note 4, at 1023.
(26.) Id. at 1024.
(27.) Id. at 1024 n.57.
(28.) Id. at 1024.
(29.) Id. at 1026.
(32.) Id. at 1025.
(33.) See generally Robbin Rahman, Comment, Electronic Self-Help Repossession and You: A Computer Software Vendor's Guide to Staying Out of Jail, 48 EMORY L.J. 1477 (1999) (suggesting ways that software vendors can restrict their use of logic bombs to avoid legal difficulties).
(34.) Geoffrey A. North, Carnivore in Cyberspace: Extending the Electronic Communications Privacy Act's Framework to Carnivore Surveillance, 28 RUTGERS COMPUTER & TECH. L.J. 155, 163 (2002).
(35.) Rutrell Yasin, Sniffers Overhauled for E-Biz, INTERNET WK., May 5, 2000, at 1.
(36.) Troy Denkinger, The Basics of Sniffing, the Sysadmin's Eye Inside the Network, CHI. TRIB., Apr. 6, 2000, at 1.
(38.) Katyal, supra note 4, at 1027.
(39.) Id. at 1026.
(41.) Id. at 1027.
(42.) Id. at 1026.
(43.) See Intel Corp. v. Hamidi, 71 P.3d 296, 305 n.4 (Cal. 2003) (citing eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058, 1060-6l (N.D. Cal. 2000)); Laura Quilter, The Continuing Expansion of Cyberspace Trespass to Chattels, 17 BERKELEY TECH. L.J. 421,423-24 (2002); Maureen A. O'Rourke, Property Rights and Competition on the Internet: In Search of an Appropriate Analogy, 16 BERKELEY TECH. L.J. 561,570-71 (2001).
(44.) See generally EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).
(45.) DOJ COMPUTER CRIME MANUAL, supra note 1, at 2.
(46.) See, e.g., United States v. Prochner, 417 F.3d 54, 57 (1st Cir. 2005) (affirming conviction of defendant who obtained credit card numbers by hacking into secure websites and computer networks).
(47.) See, e.g., United States v. Brown, 237 F.3d 625,628-29 (6th Cir. 2001) (upholding enhanced sentence because of computer use in violating non-computer-dependent child pornography statute).
(48.) See, e.g., Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005) (holding software distributors who promote the software's use to infringe copyright liable for the infringement carried out by third parties using the software, even if the software has other lawful uses).
(49.) See, e.g., United States v. Pirello, 255 F.3d 728, 729 (9th Cir. 2001) (affirming sentence for violation of federal wire fraud statute where defendant posted a fraudulent solicitation for money on a classified-ads website).
(50.) U.S. CONST. amend. I.
(51.) See, e.g., Simon & Schuster, Inc. v. Members of N.Y. State Crime Victims Bd., 502 U.S. 105, 118 (1991) ("[T]he fact that society may find speech offensive is not a sufficient reason for suppressing it.").
(52.) See Brandenburg v. Ohio, 395 U.S. 444, 447 (1969) ("[T]he constitutional guarantees of free speech and free press do not permit a State to forbid or proscribe advocacy of the use of force or of law violation.").
(53.) See Fallin v. City of Huntsville, 865 So. 2d 473,475 (Ala. Crim. App. 2003) (stating that the government may punish a limited class of speech "made with the intent to carry out the threat, that would cause a reasonable person who is the target of the threat to fear for his or her safety"). But see COMPUTER CRIME & INTELL. PROP. SEC., DO J, LEGAL ASPECTS OF GOVERNMENT-SPONSORED PROHIBITIONS AGAINST RACIST PROPAGANDA ON THE INTERNET: THE U.S. PERSPECTIVE, PRESENTED AT: HATE SPEECH AND THE INTERNET (Nov. 1997), available at http:// www.usdoj.gov/criminal/cybercrime/racismun.htm [hereinafter HATE SPEECH], (explaining that words on the Internet are unlikely to breach the peace because of the lack of immediate proximity).
(54.) See Watts v. United States, 394 U.S. 705, 707-08 (1969) (holding that threats that imply action at an uncertain and future remote time are not true threats and therefore are protected under the First Amendment). But see United States v. Hardy, 640 F.Supp. 2d 75, 80-81 (D. Me. 2009) (holding that threats that are "meant to communicate a serious expression of ... intent to [perform] an act of unlawful violence ... cannot reasonably be construed as 'political hyperbole'" and are therefore not protected speech).
(55.) See HATE SPEECH, supra note 53 (stating that threats of harm receive no First Amendment protection and threatening e-mails or statements via Internet could in many cases be punished); see also United States v. Morales, 272 F.3d 284, 288 (Sth Cir. 2001) (rejecting defendant's claim that his threat to kill people at his school could not constitute a "true threat" because it was made over the Internet to a third party). But see United States v. Baker, 890 F. Supp. 1375, 1390 (E.D. Mich. 1995) (granting defendant's motion to quash indictment against him for statements he made over the Internet because they were not true threats).
(56.) See HATE SPEECH, supra note 53 (explaining that harassing speech must do more than simply anger or distress to lose constitutional protection).
(57.) See id. ("U.S. law does not recognize the notion of 'harassment' directed at a general class of persons.").
(58.) See infra Part III.B. 1 (describing the constitutional challenges to federal child pornography statutes).
(59.) Jaynes v. Commonwealth, 666 S.E.2d 303,313 (Va. 2008); see also McIntyre v. Ohio, 514 U.S. 334, 342 (1995) ("[A]n author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of the publication, is an aspect of freedom of speech protected by the First Amendment.").
(60.) Jaynes, 666 S.E.2d at 313.
(61.) Pub. L. No. 108-187, 117 Star 2699 (2003) (codified at 15 U.S.C. [section][section] 7701-7713 (2006) and 18 U.S.C. [section] 1037 (2006)); see discussion infra Part III.B.3.
(62.) Jaynes, 666 S.E.2d at 313.
(63.) U.S. CONST. amend. IV ("The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.").
(64.) See, e.g., United States v. Jacobsen, 466 U.S. 109 (1984).
(65.) See Orin S. Kerr, Searches and Seizures in a Digital World, 119 HARV. L. REV. 531, 537-38 (2005) (analyzing the differences between the processes of searching a computer and of searching physical spaces); see also G. Robert McLain, Jr., United States v. Hill: A New Rule, but No Clarity for the Rules Governing Computer Searches and Seizures, 14 GEO. MASON L. REV. 1071, 1090-91 (2007) (describing the two camps: those who think computers can be governed by the rules concerning containers and those who think computers are fundamentally distinct).
(66.) Katz v. United States, 389 U.S. 347, 360 (1967) (Harlan, J., concurring).
(67.) See Guest v. Leis, 255 F.3d 325,333 (6th Cir. 2001) ("Home owners would of course have a reasonable expectation of privacy in their homes and in their belongings--including computers--inside the home."). Compare Leventhal v. Knapek, 266 F.3d 64 (2d Cir. 2001) (finding a reasonable expectation of privacy for a computer in a private office), with United States v. Angeyine, 281 F.3d 1130, 1134-35 (10th Cir. 2002) (rejecting professor's claim of a reasonable expectation of privacy in a university computer), and United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) (finding government employee lacked a reasonable expectation of privacy in his office computer in light of his employer's stated policy that Internet use would be monitored). But see United States v. Caymen, 404 F.3d 1196, 1200-01 (9th Cir. 2005) (finding no reasonable expectation of privacy in the contents of a computer obtained through theft or fraud).
(68.) See COMPUTER CRIME & INTELL. PROP. SEC., DOJ, FIELD GUIDANCE ON NEW AUTHORITIES THAT RELATE TO COMPUTER CRIME AND ELECTRONIC EVIDENCE ENACTED IN THE USA PATRIOT ACT OF 2001, http://www.usdoj.gov/ criminal/cybercrime/PatriotAct.htm (last visited Nov. 5, 2010).
(69.) United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (holding that the warrantless use of computer surveillance techniques revealing the to and from addresses of e-mail messages, the addresses of websites visited by defendant, and the total amount of data transmitted on defendant's internet account did not constitute a "search" under the Fourth Amendment).
(70.) See United States v. Hambrick, No. 99-4793, 2000 WL 1062039, at *4 (4th Cir. Aug. 3, 2000) (holding that the defendant did not have reasonable expectation of privacy in information provided to his ISP, including his IP address, name, and billing address).
(71.) See Amitai Etzioni, Implications of Select New Technologies for Individual Rights and Public Safety, 15 HARV. J.L. & TECH. 257, 277-78 (2002) (stating that skeptics believe the FBI is acquiring more information when it uses its Internet surveillance software, "Carnivore," than it should be entitled to under the Constitution).
(72.) See United States v. Scarfo, 180 F. Supp. 2d 572, 581 (D.N.J. 2001) (holding that the use of a keystroke logger did not violate the defendant's Fourth Amendment rights); Ted Bridis, FBI Develops Eavesdropping Tools, Assoc. PRESS, Nov. 22, 2001.
(73.) See United States v. Grimmett, 439 F.3d 1263, 1269 (10th Cir. 2006) (adopting a "forgiving stance" when faced with a challenge regarding the particularity requirement for computer- related warrants); United States v. Upham, 168 F.3d 532, 537 (1st Cir. 1999) (upholding a search warrant authorizing the seizure of "[a]ny and all computer software and hardware, ... computer disks, disk drives" and "[a]ny and all visual depictions, in any format or media, of minors engaging in sexually explicit conduct [as defined by the statute]"). But see United States v. Clough, 246 F.Supp. 2d 84, 87-88 (D.Me. 2003) (holding a search warrant authorizing the seizure of all text and images contained on a computer as unconstitutionally broad because it contained "no restrictions on the search, no references to statutes, and no references to crimes or illegality").
(74.) Upham, 168 F.3d at 535.
(75.) Compare id. at 532 (upholding warrant allowing seizure of computer equipment because it is "no easy task to search a well-laden hard drive" on the premises), with United States v. Hill, 459 F.3d 966, 974 (9th Cir. 2006) (requiring the government to show that seizure was made necessary by the impracticality of on-site searching).
(76.) See Horton v. California, 496 U.S. 128 (1990).
(77.) Compare United States v. Highbarger, 380 Fed. App'x. 127 (3d Cir. 2010) (allowing search and seizure of child pornography files found on a computer while looking for images of drug- related activity under the plain view exception), United States v. Williams, 592 F.3d 511,521-24 (4th Cir. 2010) (allowing search and seizure of child pornography images found while looking for evidence of email threats and harassment under the plain view exception), United States v. Burgess, 576 F.3d 1078, 1096 (10th Cir. 2009) (allowing search and seizure of child pornography images found on a hard drive while looking for computer evidence of drug trafficking under the good faith exception), and United States v. Wong, 334 F.3d 831,838 (9th Cir. 2003) (allowing search and seizure of child pornography found while looking for graphic files related to a homicide case under the plain view exception), with United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999) (invalidating the seizure of child pornography on the defendant's computer, when the search warrant only authorized search for "documentary evidence pertaining to the sale and distribution of controlled substances"), and United States v. Comprehensive Drug Testing, Inc., 621 F.3d 1162, 1178 (9th Cir. 2010) (Kozinski, C.J., concurring) ("[W]hen the government wishes to obtain a warrant to examine a computer hard drive or electronic storage medium to search for certain incriminating files, or when a search for evidence could result in the seizure of a computer, magistrate judges should insist that the government forswear reliance on the plain view doctrine."). The Third Circuit occupies the middle ground. See United States v. Stabile, 633 F.3d 219, 240-42 (3d Cir. 2011) (holding that investigators searching for evidence of financial crimes had properly examined the "lurid" names of files containing child pornography under the plain view doctrine, without ruling on whether it would have been proper to view the files themselves).
(78.) See United States v. Lamb, 945 F.Supp. 441 (N.D.N.Y. 1996).
(79.) Id. at 459.
(80.) See United States v. Lacy, 119 F.3d 742, 746 (9th Cir. 1997) ("[T]he nature of the crime, as set forth in this affidavit, provided 'good reason[ ]' to believe the computerized visual depictions ... would be present ... ten months later."); United States v. Irving, 452 F.3d 110 (2d Cir. 2006). But see United States v. Zimmerman, 277 F.3d 426, 435 (3d Cir. 2002) (finding probable cause based on stale, six-month-old information).
(81.) See United States v. Gray, 78 F. Supp. 2d 524, 529 (E.D. Va. 1999) ("[The] Agent... was not required to accept as accurate any file name or suffix and limit his search accordingly."); United States v. Sissler, No. 1:90-CR-12, 1991 WL 239000, at *4 (W.D. Mich. Aug. 30, 1991) (reaching same conclusion that agent was not required to accept file names' accuracy and to limit search accordingly).
(82.) See United States v. Giberson, 527 F.3d 882, 887 (9th Cir. 2008) (holding that police did not exceed the scope of a warrant authorizing search for financial documents when they seized a computer based on evidence that defendant used it to store his financial records).
(83.) See, e.g., United States v. Hall, 142 F.3d 988, 994-95 (7th Cir. 1998) (articulating constitutional validity of searches that extend into hardware and software).
(84.) See id. at 994-95 (upholding a warrant allowing officers to seize defendant's computer from a computer repair shop); United States v. Gawrysiak, 972 F.Supp. 853, 866 (D.N.J. 1997) (approving seizure of computer files for off-site search because the Fourth Amendment "does not require the agent to spend days at the site viewing the computer screens").
(85.) See Sissler, 1991 WL 239000, at * 5 n.7 (declining to uphold seizure of printer on grounds of practicality because they contain no internal memory and can be used with a variety of computers).
(86.) Compare State v. Lehman, 736 A.2d 256, 260451 (Me. 1999) (holding that a warrant "was not unconstitutionally overbroad when it authorized the seizure of all computer- related equipment" in suspect's house), with Burnett v. State, 848 So. 2d 1170, 1173-74 (Fla. Dist. Ct. App. 2003) (holding that a warrant failed when it did not show a likelihood that child pornography would be found on the suspect's computer).
(87.) U.S. CONST. art. I, [section] 8, cl. 3.
(88.) See United States v. Mitra, 405 F.3d 492, 496 (7th Cir. 2005); United States v. Homaday, 392 F.3d 1306, 1311 (11th Cir. 2004); United States v. Carnes, 309 F.3d 950 (6th Cir. 2002); United States v. Gilbert, 181 F.3d 152 (1st Cir. 1999).
(89.) See United States v. Robinson, 137 F.3d 652, 656 (1st Cir. 1998); see also United States v. Corp, 236 F.3d 325, 332 (6th Cir. 2001) ("[J]urisdictional components of constitutional statutes are to be read as meaningful restrictions."). But see United States v. McCoy, 323 F.3d 1114, 1125 (9th Cir. 2003) ("[T]he limiting jurisdictional factor is almost useless here, since all but the most self-sufficient child pornographers will rely on film, cameras, or chemicals that traveled in interstate commerce.").
(90.) See Robinson, 137 F.3d at 656 ("The jurisdictional element in [section] 2252(a)(4)(B) requires an answer on a case-by-case basis.").
(91.) 545 U.S. 1, 24-33 (2005) (reconciling United States v. Lopez, 514 U.S. 549 (1995), and United States v. Morrison, 529 U.S. 598 (2000), with Wickard v. Filburn, 317 U.S. 111, 127-28 (1942) (permitting federal regulation of local activity if there is a "rational basis" for concluding that such activity in the aggregate can substantially affect interstate commerce)).
(92.) See United States v. Bowers, 594 F.3d 522, 524, 527-530 (6th Cir. 2010) ("We cannot envision, after Raich, a circumstance under which an as-applied Commerce Clause challenge to a charge of child-pornography possession or production would be successful."); United States v. McCalla, 545 F.3d 750, 755-56 (9th Cir. 2008) (upholding the criminalization of producing "homegrown" child pornography as constitutional under Raich because it was within the statute's comprehensive goal of exterminating the entire child pornography market).
(93.) See United States v. Maxwell, 446 F.3d 1210 (11th Cir. 2006) (holding [section] 2252A(a) constitutional as applied to intrastate possession of child pornography); United States v. Forrest, 429 F.3d 73 (4th Cir. 2005) (same); United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005) (holding [section] 2251(a) constitutional for the same reasons).
(94.) See Strassheim v. Daily, 221 U.S. 280, 285 (1911) (holding that, for criminal jurisdiction over out-of-state conduct, there must be: (i) an act occurring outside the state; (ii) which is intended to produce detrimental effects within the state; and (iii) is the cause of detrimental effects within the state).
(95.) See Terrence Berg, State Criminal Jurisdiction in Cyberspace: Is There a Sheriff on the Electronic Frontier?, 79 MICH. Bus. L.J. 659, 660 (2000) (explaining that although a resident of one state is affected by a computer crime, the website may have "a real-world address" in another state, and may be hosted by an ISP in yet another state).
(96.) See id. at 659 (explaining that in criminal cases, "the 'minimum contacts' analysis does not apply when determining criminal jurisdiction ... [instead] the analysis focuses on the intent of the defendant and the effects within the forum state").
(97.) See id. at 661 ("States that have broadened the ... approach by also allowing jurisdiction where a result of the offense, whether an element or not, occurs in the forum state, are: Arizona, Kansas, New York, and Missouri.").
(98.) See Wis. STAT. ANN. [section] 939.03(1)(C) (West 2010) (extending jurisdiction where the out-of-state person "does an act with intent that it cause in this state a consequence set forth in a section defining a crime").
(99.) See Berg, supra note 95, at 661 (citing CAL. PENAL CODE [section] 778 (Deering 1998); S.D. CODIFIED LAWS [section] 23A-16-2 (1998)).
(100.) See discussion infra Part III.B.5.b.
(101.) United States v. Mora, 821 F.2d 860, 863 n.3 (1st Cir. 1987).
(102.) Pub. L. No. 96-440, 94 Stat. 1879 (1980) (codified at 42 U.S.C. [section] 2000aa).
(103.) 42 U.S.C. [section] 2000aa(a)(l), (b)(l) (2006).
(104.) Id.; see DePugh v. Sutton, 917 F. Supp. 690, 696-97 (W.D. Mo. 1996) (interpreting the unamended Privacy Protection Act as not protecting materials used in dissemination of child pornography).
(105.) See U.S. SENTENCING COMM'N, COMPUTER FRAUD WORKING GROUP, REPORT SUMMARY OF FINDINGS 3 (1993).
(106.) Compare United States v. Farraj, 142 F. Supp. 2d 484 (S.D.N.Y. 2001) (upholding application of National Stolen Property Act, 18 U.S.C. [section] 2314, to the email transfer of stolen electronic data), and United States v. Kwan, No. 02 CR. 241(DAB), 2003 WL 21180401, at *3 (S.D.N.Y. May 20, 2003) (approving of Farraj), with United States v. Wang, 898 F. Supp. 758, 760 (D. Colo. 1995) (holding that a computer program does not qualify as "goods, wares, merchandise, securities or money" for purposes of NSPA).
(107.) See, e.g., United States v. Brown, 237 F.3d 625, 628-29 (6th Cir. 2001) (upholding increased sentence due to computer use in violating child pornography statute).
(108.) See, e.g., AOL v. Nat'l Health Care Disc., Inc., 174 F. Supp. 2d 890, 898-99 (N.D. Iowa 2002) (holding defendant liable under statute for damage caused by unsolicited bulk e-mail); eBay, Inc. v. Bidder's Edge, Inc., 100 F. Supp. 2d 1058, 1069 (N.D. Cal. 2000) (considering whether violation of statute created potential for irreparable harm warranting issuance of a preliminary injunction).
(109.) See U.S. SENTENCING GUIDELINES MANUAL app. A (2011) [hereinafter U.S.S.G. MANUAL] (indexing the Guidelines applicable to each statutory violation). Sentences for violations of federal criminal laws are determined with reference to the United States Sentencing Guidelines ("Guidelines"). See 18 U.S.C. [section] 3553(a)(4) (2006). In 2005, the Supreme Court severed the provision that made the Guidelines mandatory, rendering them "effectively advisory." See United States v. Booker, 543 U.S. 220, 245 (2005); see also Kimbrough v. United States, 552 U.S. 85, 101 (2007) ("[W]hile [the federal sentencing statute] still requires a court to give respectful consideration to the Guidelines, see Gall v. United States, [552 U.S. 38, 50-51] (2007), Booker 'permits the court to tailor the sentence in light of other statutory concerns as well.' Booker, 543 U.S. at 245-46."). District court sentences are reviewed for reasonableness, and a sentence within the applicable Guidelines range is presumptively reasonable. Rita v. United States, 551 U.S. 338, 347 (2007).
(110.) OFFICE OF LEGAL EDUC., DOJ, PROSECUTING COMPUTER CRIMES 109 (2010), available at http://www. usdoj.gov/criminal/cybercrime/ccmanual/ccmanual.pdf [hereinafter PROSECUTING COMPUTER CRIMES].
(111.) United States v. Petersen, 98 F.3d 502, 506-07 (9th Cir. 1996) (finding defendant's computer programming was a "special skill" and thus permitting enhancement under the Guidelines where defendant did not possess formal computer training but demonstrated knowledge of computers not shared by the general public). But see United States v. Lee, 296 F.3d 792, 796-99 (9th Cir. 2002) (holding that developing a basic website does not require "special skills" as established in Petersen); United States v. Godman, 223 F.3d 320, 323 (6th Cir. 2000) (holding defendant's computer skills were not "particularly sophisticated" as required in Petersen, and therefore finding upward departure to be unwarranted).
(112.) Pub. L. No. 98-473, Title II, Chapter XXI, [section] 2102(a), 98 Stat. 1837, 2190 (1984); see also H.R. REP. No. 98-894, at 9 (1984) (discussing legislative history of Pub. L. No. 98-473 and the need for computer specific criminal laws).
(113.) Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474, [section] 2, 100 Star. 1213: Pub. L. No. 100-690, Title VII, [section] 7065, 102 Stat. 4404 (1986); USA Patriot Act of 2001, Pub. L. No. 107-56, [section] 814, 115 Stat. 272, 382-84; Cyber Security Enhancement Act of 2002, Pub. L. No. 107-296, [section] 225, 116 Stat. 2135, 2156; 21st Century Department of Justice Appropriations Authorization Act, Pub. L. No. 107- 273, 116 Stat. 1758 (2002).
(114.) 18 U.S.C. [section] 1030 (2006 & Supp. 2008); see Jo-Ann M. Adams, Comment, Controlling Cyberspace: Applying the Computer Fraud and Abuse Act to the Internet, 12 SANTA CLARA COMPUTER & HIGH TECH. L.J. 403, 424 (1996) (highlighting changes made by 1988, 1989, and 1990 amendments). But see United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009) (holding that the CFAA is unconstitutionally vague).
(115.) For example, the 109th Congress considered several amendments to Title 18, including H.R. 5318, which would add specific provisions to [section] 1030 regarding remote access, remove some cyber-crime stipulations regarding foreign contact, and mandate increased interagency cooperation, and [section] 1789, the Personal Data Privacy and Security Act of 2005, which would specify the criminal penalties under [section] 1039.
(116.) 521 U.S. 844(1997).
(117.) Id. at 870-72.
(118.) Id. at 878-84.
(119.) Id. at 868-69.
(120.) See id. at 880.
(121.) Reno v. American Civil Liberties Union, 521 U.S. 844, 870 (1997).
(122.) Id. at 872-73.
(123.) 47 U.S.C. [section] 231 (2006).
(124.) ACLU v. Gonzales, 478 F. Supp. 2d 775 (E.D. Pa. 2007).
(125.) Telecommunications Act of 1996, Pub. L. No. 104-104, Title V, [section] [section] 501-561, 110 Stat. 56, 133-43 (1996) (codified at 18 U.S.C. [section][section] 1462, 1465, 2422 (2006) and at scattered sections of 47 U.S.C.).
(126.) 47 U.S.C. [section] 223(a)(1)(B).
(127.) Id. [section] 223(d).
(128.) Id. [section] 223(a)(1)(B).
(129.) 521 U.S. 844 (1997).
(130.) See id. at 863-64 (affirming a district court finding that the statute "sweeps more broadly than necessary and thereby chills the expression of adults").
(131.) See id. at 864-66 (distinguishing [section] 223(d) from similar, constitutionally permissible enactments because it did not require that patently offensive material lack serious literary, artistic, political, or scientific value (citing Ginsberg v. New York, 390 U.S. 629 (1968) (banning certain magazine sales to persons under age seventeen even though magazines were not necessarily obscene to adults))).
(132.) Id. (holding that the CDA violated the First Amendment because it: (a) chilled free speech; (b) criminalized legitimate protected speech; (c) must be narrowly tailored since it regulated a fundamental freedom; (d) regulated the content of speech so time, place, and manner analysis was inapplicable; and (e) was unconstitutionally overbroad).
(133.) See id. at 872-73 (citing Miller v. California, 413 U.S. 15, 18 (1973) (permitting states to ban obscene speech in order to ensure the general welfare of their citizens)).
(134.) 47 U.S.C. [section] 223(a) (2006).
(135.) U.S.S.G. MANUAL [section] 2G3.1(b)(1)(C).
(136.) Id. [section] 2G3.1(b)(1)(E).
(137.) Id. [section] 2G3.1(b)(l)(A).
(138.) Id. [section] 2G3.1(b)(4).
(139.) Pub. L. No. 104-208, [section] 121, 110 Stat. 3009, 3009-26 (1996) (amending 18 U.S.C. [section][section] 2241, 2243, 2251, 2252, 2256, 42 U S C [section] 2000aa. and adding 18 U.S.C. [section] 2252A).
(140.) 18 U.S.C. [section][section] 2252A, 2256 (2006 & Supp. 2009).
(141.) See id. [section] 2256(8)(C).
(142.) Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002).
(143.) Pub. L. No. 108-21, 117 Stat. 650 (2003).
(144.) See id. [section] 503, 117 Stat. 680 (codified as amended at 18 U.S.C. [section] 2252A(a)(3)(B)).
(145.) 53 U.S. 234 (2002) (striking down provisions of the CPPA as overbroad in abridging a significant amount of lawful speech); see also United States v. Rodriguez-Pacheco, 474 F.3d 434, 436 (1st Cir. 2007); United States v. Williams, 444 F.3d 1286 (11th Cir. 2006).
(146.) United States v. Williams, 553 U.S. 285, 303 (2008) (stating that virtual child pornography is permissible as long as it is not offered up as actual child pornography).
(147.) 18 U.S.C. [section] 1030 (2006 & Supp. 2008). This Article refers to [section] 1030 as "CFAA" when discussing its provisions generally, and as the "1996 Act" when distinguishing between the statute embodied in the 1996 amendments and its predecessors and successors.
(148.) See, e.g., Othentec Ltd. v. Phelan, 526 F.3d 135, 139 (4th Cir. 2008); AOL v. Nat'l Health Care Disc., Inc., 174 F. Supp. 2d 890, 898 (N.D. Iowa 2001).
(149.) 18 U.S.C. [section] 1030(e)(2).
(150.) PROSECUTING COMPUTER CRIMES, at 3. DOJ, available at http://www.usdoj.gov/criminal/cybercrime/ ccmanual/ccmanual.pdf.
(151.) 18 U.S.C. [section] 1030(a)(1).
(152.) See S. REP. No. 99-432, at 6 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2484 (obtaining includes reading); see also AOL v. Nat'l Health Care Disc., Inc., 121 F. Supp. 2d 1255, 1276 (N.D. Iowa 2000) (same); PROSECUTING COMPUTER CRIMES, supra note 150, at 18 ("[T]he term 'obtaining information' is an expansive one that includes merely viewing information without downloading or copying a file.").
(153.) "Financial institution" is defined as: (A) an institution with deposits insured by the Federal Deposit Insurance Corporation; (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank; (C) a credit union with accounts insured by the National Credit Union Administration; (D) a member of the Federal home loan bank system and any home loan bank; (E) any institution of the Farm Credit System under the Farm Credit Act of 1971; (F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934; (G) the Securities Investor Protection Corporation: (H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and (I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act. 18 U.S.C. [section] 1030(e)(4)(A)-(I) (2006).
(154.) Id. [section] 1030(a)(2); see AOL v. LCGM, Inc., 46 F. Supp. 2d 444, 450 (E.D. Va. 1998) (finding that defendants' use of AOL membership to harvest e-mail addresses of other AOL members in order to send bulk e-mail advertisements ("spam"), in violation of AOL's terms of service, violated [section] 1030(a)(2)(C) by exceeding authorized access and obtaining information).
(155.) 18 U.S.C. [section] 1030(a)(3).
(157.) Id. [section] 1030(a)(4). There is an exception if the defendant obtained only computer use and value of such use is less than $5000 per year. Id.
(158.) Id. [section] 1030(a)(5)(A)(i).
(159.) 18 U.S.C. [section] 1030(a)(5)(A)(ii)-(iii) (2006).
(160.) EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582 n.10 (1st Cir. 2001); SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d 593, 608 (E.D. Va. 2005); see Orin Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1624-42 (2003) (highlighting the courts' struggle with interpreting "access" and "authorization"). But see Hewlett-Packard Co. v. Byd:sign, Inc., No. 6:05-CV-456, 2007 U.S. Dist. LEXIS 5323, at *37 (E.D. Tex. Jan. 25, 2007) ("The CFAA does not define 'authorization' or 'authorized access.' It does, however, define 'exceeds authorized access' as 'to authorize a computer with authorization and use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.'" (citing 18 U.S.C. [section] 1030(e)(6))).
(161.) See, e.g., Role Models Am., Inc. v. Jones, 305 F. Supp. 2d 564, 566-67 (D. Md. 2004) (granting defendant's motion to dismiss because plaintiff had no claim for intentional access based on defendant passively receiving information due to co-defendant's using it in dissertation for degree from defendant); AOL, Inc. v. Nat'l Health Care Disc., Inc., 121 F. Supp. 2d 1255, 1272-73 (N.D. Iowa 2000) (finding that "access" under the CFAA means to exercise the ability to make use of information).
(162.) 18 U.S.C. [section] 1030(a)(5)(A)(ii).
(163.) Id. [section] 1030(a)(5)(A)(iii); see AOL v. LCGM, Inc., 46 F. Supp. 2d 444, 450-51 (E.D. Va. 1998) (finding defendants violated [section] 1030(a)(5)(C) of the 1996 Act by accessing computers within AOL's network without authorization and causing damage to its computer network, reputation, and goodwill).
(164.) 18 U.S.C. [section] 1030(e)(8); see also In re AOL Version 5.0 Software Litig., 168 F. Supp. 2d 1359, 1372-74 (S.D. Fla. 2001 ) (analyzing the ambiguity of pre-Patriot Act assessment of damages under [section] 1030(a)(5)).
(165.) 18 U.S.C. [section] 1030(a)(6) (2006).
(167.) Id. [section] 1030(a)(7).
(169.) Id. [section] 1030(d)(l).
(170.) Id. [section] 1030(d)(2), (a)(1).
(171.) 18 U.S.C. [section] 1030(a)(1).
(172.) Id. [section] 1030(a)(5).
(173.) Id. [section] 2332b(g)(5)(B)(i).
(174.) Id. [section] 1030(a)(4).
(175.) United States v. Czubinski, 106 F.3d 1069, 1078-79 (1st Cir. 1997) (reversing conviction because nothing of value was obtained by defendant's mere browsing of IRS files); see also P.C. Yonkers, Inc. v. Celebrations The Party & Seasonal Superstore, LLC, 428 F.3d 504, 508-09 (3d Cir. 2005) (declining to find intent to defraud and obtain something of value despite proven unauthorized access because there was "absolutely no evidence as to what, if any, information was actually viewed").
(176.) See Czubinski, 106 F.3d at 1078 (finding that prosecutors failed to show anything more than Cubinski's intent to merely "satisfy idle curiosity" about friends and political rivals when viewing IRS files).
(177.) 18 U.S.C. [section] 1030(a)(5)(B) (2006).
(178.) Id. [section] 1030(a)(5)(B)(i).
(179.) Id. [section] 1030(a)(5)(B)(ii)-(v).
(180.) Id. [section] 1030(b).
(181.) Id. [section] 1030(c).
(182.) 18 U.S.C. [section] 1030(e)(10) (2006).
(183.) Id. [section] 1030(c)(1)(A), (c)(4)(A) (violating [section] 1030(a)(1) and (a)(5)(A)(i) respectively).
(184.) Id. [section] 1030(c)(2)(A).
(185.) Id. [section] 1030(c)(3)(A), (c)(4)(B).
(186.) Id. [section] 1030(c)(2)(B).
(187.) Id. [section] 1030(c)(3)(A), (c)(4)(B).
(188.) 18 U.S.C. [section] 1030(c)(2)(C), (c)(3)(B) (2006).
(189.) Id. [section] 1030(c)(1)(B), (c)(4)(C) (violating [section] 1030 (a)(5)(A)(i) and (a)(5)(A)(ii) respectively).
(190.) Id. [section] 1030(c)(5)(A).
(191.) Id. [section] 1030(c)(5)(B).
(192.) U.S.S.G. MANUAL [section] 2M3.2(a).
(193.) Id. [section] 2B1.1. For a complete explanation of the application of section 2B1.1 and its loss table, see the Mail and Wire Fraud article in this issue.
(194.) Id. [section] 2B2.3.
(195.) Id. [section] 2B3.2.
(196.) Id. [section] 2X1.1 (setting base offense levels identical to those assigned to respective completed offenses, but reducing levels by three points if acts necessary to commit the offense were not completed or nearly completed). See generally United States v. Abu Ali, 528 F.3d 210, 264-65 (4th Cir. 2008) (discussing the three-point deduction for conspiracies that "were not on the verge of completion").
(197.) Jay Lyman, Spare Costs $20 Billion Each Year in Lost Productivity, E- COMMERCE TIMES, (Dec. 29, 2003, 8:30 AM), http://www.ecommercetimes.com/perl/story/32478.html (reporting a study finding the cost to businesses from spare is increasing at a rate of more than 100% per year).
(198.) See Jeffrey D. Sullivan & Michael B. De Leeuw, Spam After CAN-SPAM: How Inconsistent Thinking Has Made a Hash Out of Unsolicited Commercial E-Mail Policy, 20 SANTA CLARA COMPUTER & HIGH TECH. L.J. 887, 891-93 (2004) (discussing the history of anti-spam legislation in the United States).
(199.) Pub. L. No. 108-187, 117 Stat 2699 (2003) (codified at 15 U.S.C. [section][section] 7701-7713 and 18 U.S.C. [section] 1037 (2006)).
(200.) Sullivan & De Leeuw, supra note 198, at 888.
(201.) 18 U.S.C. [section] 1037 (2006).
(202.) Id. [section] 1037 (a)(2)-(3).
(203.) 15 U.S.C. [section] 7704 (a)(5), (d)(1) (2006).
(204.) See The CAN-SPAM Act: A Compliance Guide for Business, FEDERAL TRADE COMMISSION, 5 (Sept. 2009), http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide- business.pdf [hereinafter Compliance Guide] (explaining the range of fines and criminal penalties for violations of the CAN-SPAM Act).
(207.) See Seventh Annual BSA and IDC Global Software Piracy Study, BUS. SOFTWARE ALLIANCE & INT'L DATA CORP., 8 (May 2010), http://portal.bsa.org/globalpiracy2009/studies/ 09_Piracy_Study_Report_A4_final_111010.pdf (finding that the U.S. software makers lost $8.39 billion to pirated software in 2009).
(208.) Types of Software Piracy, FILEMAKER INC., http://www.filemaker.com/company/legal/software_piracy_ types.html (last visited Oct. 23, 2011) (describing ten types of software piracy). This is up from the six kinds of piracy common in 1999. Report on Global Software Piracy, SOFTWARE & INFO. INDUS. ASS'N, 7 (2000), http://www.siia.net/estore/GPR-00.pdf.
(209.) See Fifth Annual BSA and IDC Global Software Piracy Study, Bus. SOFTWARE ALLIANCE & INT'L DATA CORP., 7 (2007), http://global.bsa.org/idcglobalstudy2007/studies/ 2007_global_piracy_study.pdf (stating programs that took years and millions of dollars to develop can be "duplicated or illegally distributed in minutes with the touch of a button").
(210.) Id. (claiming a computer user can duplicate an otherwise expensive product in bulk for no more than the cost of a blank compact disc).
(211.) Id. (noting the quality of pirated software is only slightly inferior to the original).
(212.) See Kenneth Cohen, No Electronic Theft Act: Policy Development Team Report, U.S. SENTENCING COMM'N, 19 (Feb. 1999), http://www.ussc.gov/Research/Working_Group Reports[Intellectual Property_and_Tech/199902_NET_Act_Report.pdf (noting that investigators may have trouble tracking down the creators of infringing websites, since the creators often change their ISPs to avoid detection).
(213.) Peter Brown & Richard Raysman, Napster Threatens Copyright Law, 224 N.Y.L.J. 3, 3 (2000) (discussing the ease with which copyrighted music can be distributed via the Internet with little or no degradation in quality and exploring the potential for massive copyright infringement because of technological advances).
(214.) Copyright Act, 17 U.S.C. [section] 506(a) (2006); Criminal Penalties for Copyright Infringement, Pub. L. No. 102-561, 106 Stat. 4233 (1992) (codified at 18 U.S.C. [section] 2319 (2006)).
(215.) 17 U.S.C. [section] 506(a).
(216.) Id. An enforceable copyright must be registered with the Register of Copyrights, be original, and be fixed in a tangible medium of expression. Id. [section][section] 102(a), 411(a); Schrock v. Learning Curve Int'l, Inc. 586 F.3d 513, 517 (7th Cir. 2009).
(217.) 17 U.S.C. [section] 506(a)(1)-(2) ("Evidence of reproduction or distribution of a copyrighted work, by itself, shall not be sufficient to establish willful infringement."). Courts are split as to whether "willful" refers to intent to copy or intent to infringe. Compare Repp v. Webber, 132 F.3d 882, 889 (2d Cir. 1997) (noting violators are liable for unconscious copyright infringement of musical compositions), with United States v. Moran, 757 F. Supp. 1046, 1052 (D. Neb. 1991) (finding no willful intent to infringe even where there was evidence of intentional copying).
(218.) 17 U.S.C. [section] 506(a)(2).
(219.) The actual realization of commercial advantage or financial gain is not required under [section] 506(a), just that infringement was done for such a purpose. United States v. Cross. 816 F.2d 297, 301 (7th Cir. 1987).
(220.) 17 U.S.C. [section] 506(a)(1)(A)-(C).
(221.) 17 U.S.C. [section] 109(a) (2006). See Quality King Distribs, Inc. v. L'anza Research Int'l, Inc., 523 U.S. 135, 152 (1998) ("[O]nce the copyright owner places a copyrighted item in the stream of commerce by selling it, he has exhausted his exclusive statutory right to control its distribution."); Bourne v. Walt Disney Co., 68 F.3d 621, 632-33 (2d Cir. 1995) (applying the first sale doctrine to challenged conduct).
(222.) Microsoft Corp. v. Harmony Computers & Elec., Inc., 846 F. Supp. 208, 212 (E.D.N.Y. 1994) (holding that defendants' failure to meet their burden of proving a chain of title precluded applicability of first sale doctrine).
(223.) 17 U.S.C. [section] 109(d) (noting the first sale doctrine does not apply to "any person who has acquired possession of the copy or phonorecord from the copyright owner, by rental, lease, loan, or otherwise, without acquiring ownership of it"); Adobe Sys., Inc. v. One Stop Micro, Inc., 84 F. Supp. 2d 1086, 1089 (N.D. Cal. 2000) (stating a copyright owner "does not forfeit his right of distribution by entering into a licensing agreement").
(224.) 17 U.S.C. [section] 107 (2006).
(226.) Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 591 (1994) (noting that transformative uses are more likely to be fair); Sony Corp. v. Universal City Studios, 464 U.S. 417, 449 (1984) (noting that commercial uses are presumptively unfair, and noncommercial and nonprofit activity is presumptively fair).
(227.) See, e.g., Stewart v. Abend, 495 U.S. 207, 237 (1990) (noting that factual works are more likely to be fair than fictional works); A.V. v. iParadigms, LLC, 562 F.3d 630, 640 (4th Cir. 2009) (stating that a use is less likely to be fair when it is a creative product).
(228.) See, e.g., Harper & Row, Publishers, Inc. v. Nation Enters., 471 U.S. 539, 564-66 (1985) (holding that the greater the size or importance of the portion of the work that is used the less likely the use falls under the "fair use" defense).
(229.) See id. at 568 ("To negate fair use one need only show that if the challenged use 'should become widespread, it would adversely affect the potential market for the copyrighted work.'" (quoting Sony, 464 U.S. at 468)).
(230.) Campbell, 510 U.S. at 578.
(231.) See, e.g., Stewart, 495 U.S. at 238 (noting that the fourth factor is the main fair use factor); Harper & Row, 471 U.S. at 566 (stating that the fourth factor is "the single most important element of fair use").
(232.) 18 U.S.C. [section] 2319 (2006 & Supp. 2008).
(233.) Id. [section] 2319(c)(1).
(234.) U.S.S.G. MANUAL [section] 2B5.3 (2011).
(235.) Id. [section] 2B5.3(a).
(236.) Id. [section] 2B5.3 cmt. n.2.
(237.) Id. [section] 2B5.3(b)(1).
(238.) Pub. L. No. 105-304, 112 Star. 2863 (1998) (codified as amended at 17 U.S.C. [section][section] 1201-1205 (2006)).
(239.) 17 U.S.C. [section][section] 1201-1205 (2006 & Supp. 2010).
(240.) Id. [section] 1201(a)(1)(A). See, e.g., CoxCom, Inc. v. Chaffee, 536 F.3d 101, 104 (1st Cir. 2008) (describing how defendants' digital cable filter blocked pay-per-view purchase data from being transmitted to cable company).
(241.) 17 U.S.C. [section] 1201 (a)(3)(B); see also The Digital Millennium Copyright Act of 1998: U.S. Copyright Office Summary, U.S. COPYRIGHT OFFICE, 3-4 (Dec. 1998), http://lcweb.loc.gov/copyright/legislation/dmca.pdf.
(242.) Id. [section] 1201(a)(3)(A).
(243.) See Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294, 325 (S.D.N.Y. 2000) (stating that it is a violation of [section] 1201 to place a hypertext link to another site that offers technology circumvention measures on one's website, where the purpose of the hypertext link is to provide the user with access to a technology circumvention measure).
(244.) This category includes computer code designed to circumvent encryption software protecting a digital work. See id. In Reimerdes, the court declined to extend First Amendment protection to computer code because although it is "expressive," it is also functional, and the court may legitimately regulate the undesirable consequences of its functions. See id. at 304 (stating that the expressive element of computer code "no more immunizes its functional aspects from regulation than the expressive motives of an assassin immunize the assassin's action").
(245.) See, e.g., Sony Computer Entm't Am., Inc. v. GameMasters, 87 F. Supp. 2d 976, 985 (N.D. Cal. 1999) (granting preliminary injunction based on evidence that the sale of "game enhancers," devices that circumvented a mechanism on the game console that ensured console would operate only when encrypted data was read from authorized CD-ROMs, likely violated [section] 1201); see also Davidson & Assoc. v. Jung, 422 F.3d 630, 641 (8th Cir. 2005) (holding that the computer game purchasers' development of an alternative to the sellers" online gaming service, which allowed other purchasers to access the service without an encoded identification key, is "circumvention").
(246.) See RealNetworks, Inc. v. Streambox, Inc., No. 2:99CV02070, 2000 WL 127311, at *9 (W.D. Wash. Jan. 18, 2000) (holding that the circumvention does not have to act directly against the technology protection measure itself). But see MGE UPS Sys., Inc. v. GE Consumer and Industrial, Inc., 622 F.3d 361, 366 (5th Cir. 2010) (declining to construe "bypass" or "avoid" to include use of a copyrighted work after circumvention simply because access to the work would have been controlled except for the circumvention as such a construction extends DMCA beyond its intended reach); see also Universal City Studios. Inc. v. Corley, 273 F.3d 429, 443 (2d Cir. 2001) (finding that the DMCA "does not concern itself with the use of ... materials after circumvention has occurred") (emphasis in original).
(247.) 17 U.S.C. [section] 1201(a)(2) (2006). With the exception of manufacturers of a certain type of VCR, manufacturers of devices that could be used to illegally copy or access copyrighted works are not mandated to implement technological measures preventing consumers from using it in that manner. See id. [section] 1201(c)(3) ("Nothing in this section shall require that the design of ... a consumer electronics, telecommunications, or computing product provide for a response to any particular technological measure....").
(248.) Id. [section] 1201(d) (excepting non-profit library, archive, and educational institutions), (e) (excepting governmental law enforcement and intelligence activities), (f) (excepting reverse engineering in cases where a person has lawfully obtained a copy of a computer program in order to make it interoperable with other programs), (g) (excepting encryption research); [section] 1201(h) (providing an exception for protection of minors), (i) (providing exception for personal privacy, where t he technological measure or the work it protects invades that privacy), (j) (excepting security testing).
(249.) 111 F. Supp. 2d 294 (S.D.N.Y. 2000).
(250.) Id. at 322 ("The use of technological means of controlling access to a copyrighted work may affect the ability to make fair uses of the work.").
(251.) Id. at 323 (stating Congress expressly considered this problem and included the exceptions listed in [section] 1201(d)-(j) in direct response).
(252.) See id. (reiterating Congress's conviction that this limitation preserves legitimate uses of the fair use defense).
(253.) 17 U.S.C. [section] 1202 (2006).
(254.) Id. [section] 1202(c)(1)-(6).
(255.) Id. [section] 1202(c)(8).
(256.) Id. [section] 1202(a)-(b). But see Kelly v. Aribba Soft Corp., 336 F.3d 811, 822 (9th Cir. 2003) (holding an Internet search engine that stores and displays "thumbnail" versions of visual images without their copyright management information would be a prima facie violation of [section] 1202, but it is justified under the "fair use" doctrine).
(257.) 17 U.S.C. [section] 1202(c)(7).
(258.) 17 U.S.C. [section] 512 (2006 & Supp. 2010). But see A&M Records, Inc. v. Napster, Inc., 284 F.3d 1091, 1099 (9th Cir. 2002) (affirming that a file sharing service is not an ISP eligible for the safe harbor defense because it is not a "passive conduit" for information transmission).
(259.) 17 U.S.C. [section] 512(c)(1)(A)-(C); see also ALS Scan, Inc. v. RemarQ Cmtys., Inc., 239 F.3d 619, 625 (4th Cir. 2001) (discussing notification requirements under DMCA and noting that, with respect to multiple works, it is not required to identify all of the works--a representative list is sufficient).
(260.) 17 U.S.C. [section] 1204 (2006 & Supp. 2010).
(261.) Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended at 18 U.S.C. [section][section] 2510-2521, 2701- 2710, 3121-3126 (2006)).
(262.) Pub. L. No. 99-508 [section][section] 101-303. The Fifth Circuit interpreted ECPA as supplementing the Communications Act of 1934 (codified as amended at scattered sections of 47 U.S.C.). Accordingly, the court held that concurrent prosecution under both acts does not violate the Double Jeopardy Clause of the Fifth Amendment. United States v. Crawford, 52 F.3d 1303, 1306-07 (5th Cir. 1995).
(263.) Pub. L. No. 99-508, 100 Stat. 1848 (1986) (dividing the Act into Title I, the Wiretap Act, Title II, the Stored Communications Act, and Title III, the Pen Register Act).
(264.) Pub. L. No. 99-508 [section] 101(a) (amending [section] 2510(1)) (broadening statutory definition of communications covered to include those "affecting interstate or foreign commerce").
(265.) Id. [section] 105(b) (amending 47 U.S.C. [section] 2516) (granting law enforcement officers the power to file an application to a Federal judge to get authorization to intercept electronic communications where such interception may provide evidence of any Federal felony).
(266.) See United States v. Petersen, 98 F.3d 502, 504-05 (9th Cir. 1996) (upholding ECPA conviction for hacking into telephone system).
(267.) See supra Section III.B.2 (discussing CFAA).
(268.) Compare United States v. Chick, 61 F.3d 682, 687-88 (9th Cir. 1995) (permitting government to use ECPA to prosecute defendant for pirating modified satellite descramblers), and United States v. Harrell, 983 F.2d 36, 37-38 (5th Cir. 1993) (acknowledging ECPA's proper application to modified satellite descramblers), with United States v. Shriver, 989 F.2d 898, 904-07 (7th Cir. 1992) (concluding [section] 2512 covers sale or ownership of satellite descramblers only if descramblers are designed primarily to pirate satellite-transmitted broadcasts).
(269.) 18 U.S.C. [section] 2701(a) (2006).
(270.) Id. See generally Orin Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 GEO. WASH. L. REV. 1208 (2004) (stating that author's goal is to present the statute's reasonable effectiveness as well as its imperfections).
(271.) 18 U.S.C. [section] 2707(e) (2006); McCready v. eBay, Inc., 453 F.3d 882, 892 (7th Cir. 2006).
(272.) 18 U.S.C. [section] 2701(c)(1).
(273.) Id. [section] 2701(c)(2).
(274.) Id. [section] 2701(b)(1)(A).
(275.) Id. [section] 2701(b)(1)(B).
(276.) Id. [section] 2701(b)(2)(B).
(277.) 18 U.S.C. [section] 2707(a) (2006) (authorizing civil suits against any "person or entity" other than the United States in violation of ECPA's substantive provisions); see also Organizacion JD Ltda. v. DOJ, 18 F.3d 91, 94-95 (2d Cir. 1994) (per curiam) (holding that governmental "entities" can be subject to liability under [section] 2707(a) where appellants were intended recipients of electronic fund transfers seized by DEA agents); Konop v. Hawaiian Airlines, Inc. (In re Hawaiian Airlines, Inc.), 355 B.R. 225, 232 (D. Haw. 2006) (holding that damages may be assessed at $1000 per violation).
(278.) 18 U.S.C. [section][section] 2510-2521 (2006 & Supp. 2010).
(279.) Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, [section][section] 101-111, 100 Stat. 1848, 1848-59 (1986); see United States v. Suarez, 906 F.2d 977, 980 (4th Cir. 1990) (discussing relevant legislative history).
(280.) See S. REP. No. 90-1097, at 28 (1968), reprinted in 1968 U.S.C.C.A.N. 2112, 2113 (explaining that Title III codifies Katz v. United States, 389 U.S. 347 (1967) and Berger v. New York, 388 U.S. 41 (1967)).
(281.) 18 U.S.C. [section] 2511(1)(a).
(282.) Id. [section] 2511(2)(a)(ii)(A).
(283.) Id. [section] 2518(3)(c).
(284.) Id. [section][section] 2518(4)-(5)
(285.) Id. [section][section] 2518(4)(a)-(c).
(286.) 18 U.S.C. [section] 2516(2006).
(287.) Id. [section] 2518(5).
(288.) Id. [section] 2518(6).
(289.) See "Carnivore" and the Fourth Amendment: Hearing Before the Subcomm. on the Constitution of the H. Comm. on the Judicial, 106th Cong. (2000) (statement of Kevin V. DiGregory, Deputy Assistant Att'y Gen., DO J) [hereinafter DiGregory Statement] (explaining OEO reviews each proposed Title III application to ensure that the interception satisfies Fourth Amendment requirements, and is in compliance with applicable statutes and regulations).
(290.) 18 U.S.C. [section] 2520(d) (2006); McCready v. eBay, Inc., 453 F.3d 882,892 (7th Cir. 2006).
(291.) 18 U.S.C. [section] 2511(2) (2006).
(292.) 18 U.S.C. [section] 2510(21) (2006).
(294.) 18 U.S.C. [section] 2511(4)(b) (2006).
(295.) See United States v. Ropp, 347 F. Supp. 3d 831, 838 (C.D. Cal. 2004); United States v. Scarfo, 180 F. Supp. 2d 572, 581 (D.NJ. 2001) (holding that the use of a keystroke logger did not violate [section] 2510 because it did not capture keystrokes while the computer's modern was active).
(296.) 18 U.S.C. [section][section] 2511, 2513, 2520, 2521 (2006 & Supp. 2010); see DiGregory Statement, supra note 289 (listing remedies for violating Title III by improperly intercepting electronic communications).
(297.) 18 U.S.C. [section] 2511(4)(a).
(298.) Id. [section] 2511(5)(a)(ii).
(299.) U.S.S.G. MANUAL [section] 2H3.1(a).
(300.) Id. [section] 2H3.1(b)(l).
(301.) Id. [section] 2H3.1(c)(1).
(302.) See 18 U.S.C. [section] 2515 (2006); United States v. Giordano, 416 U.S. 505 (1974) (holding that, with regards to wiretap interception, statutory exclusionary rule of Title III provides protection beyond the judicially created exclusionary rule under the United States Constitution); Alderman v. United States, 394 U.S. 165, 176 (1969); Simmons v. United States, 390 U.S. 377, 389 (1968).
(303.) See 18 U.S.C. [section] 2520(a) (2006) (authorizing civil suits against any "person or entity" other than the United States, in violation of ECPA's substantive provisions); see also Smoot v. United Transp. Union, 246 F.3d 633 (6th Cir. 2001) (holding a private individual liable); Brown v. Waddell, 50 F.3d 285, 294 (4th Cir. 1995) (holding that law enforcement use of "clone pagers" to intercept numeric transmissions received on digital display pagers violated [section] 2511 and thus subjected state officials to civil liability).
(304.) E.g., In re Pharmatrak, Inc., 329 F.3d 9, 22 (1st Cir. 2003); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113 (3d Cir. 2003) ("[A]n 'intercept' ... must occur contemporaneously with transmission.").
(305.) 36 F.3d 457 (5th Cir. 1994).
(306.) 18 U.S.C. [section] 2510(1) (2006).
(307.) Id. [section] 2510(12).
(308.) Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457, 462-63 (5th Cir. 1994).
(309.) Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876-78 (9th Cir. 2002).
(310.) United States v. Steiger, 318 F.3d 1039, 1048-49 (11th Cir. 2003); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113-14 (3d Cir. 2003).
(311.) 418 F.3d 67 (1st Cir. 2005) (en banc).
(312.) Id. at 80; see also United States v. Szymuszkiewicz, 622 F.3d 701, 706 (7th Cir. 2010) as amended, (Nov. 29, 2010). But see ORIN S. KERR, COMPUTER CRIME LAW 457 (2006) (noting that the court did not decide whether there was an interception but suggested in dicta that there was).
(313.) Councilman, 418 F.3d at 76-78.
(314.) 36 F.3d 457 (5th Cir. 1994).
(315.) Id. at 458.
(316.) 418 F.3d at 70.
(317.) The court in Councilman implied that the transmission ends when the recipient opens the e-mail, id. at 71, but this language may be dicta because the e-mail was intercepted before being placed in the recipient's mail box.
(318.) 18 U.S.C. [section] 1028(a)(7), (d)(7) (2006).
(319.) Id. [section] 1028(a)(1); see, e.g., United States v. Rashwan, 328 F.3d 160, 165 (4th Cir. 2003) (holding that aiding and abetting the production of fraudulent documents is also covered).
(320.) 18 U.S.C. [section] 1028(a)(2).
(321.) E.g., id. [section] 1028(a)(3) (prohibiting possession of five or more false or stolen identification documents with the intent to use them unlawfully or to transfer them).
(322.) Id. [section] 1028(d)(4) ("[A] document of a type intended or commonly accepted for the purposes of identification of individuals that is not issued by or under the authority of a governmental entity; and appears to be issued by or under [such] authority.").
(323.) Id. [section] 1028(d)(2) ("[D]ocument-making implement means any ... computer file, computer disc, electronic device, or computer hardware or software, that is specifically configured or primarily used for making an identification document, a false identification document, or another document- making implement."); see United States v. Cabrera, 208 F.3d 309, 314-15 (1st Cir. 2000) (defining "primarily used" as referring to "the particular use to which the defendant put the device, not its 'general' use within society").
(324.) Id. [section] 1028(a)(5).
(325.) Id. [section] 1028(d)(10).
(326.) Id. [section] 1028(b)(2).
(327.) Id. [section] 1028(b)(1).
(329.) Id. [section] 1028(b)(3).
(330.) Id. [section] 1028(b)(4).
(331.) U.S.S.G. MANUAL Table 2B1.l.
(332.) Id. [section][section] 2L2.1, 2L2.2, 2B1.1
(333.) Id. [section] 2B1.1 cmt. n. 19; see United States v. Khalil, 214 F.3d 111, 124 (2d Cir. 2000) (applying a three- part test to find an upward departure appropriate: whether the reasons articulated by the court are of a kind that may be appropriately relied upon to justify the departure, whether the findings of fact underlying the court's reasoning are clearly erroneous, and whether, giving considerable deference to the lower court, the departure is reasonable).
(334.) 18 U.S.C. [section] 1343 (2006 & Supp. 2008). See generally the Mail and Wire Fraud article in this issue.
(335.) Id. [section] 1343.
(336.) See United States v. Pirello, 255 F.3d 728,732 (9th Cir. 2001) (holding that fraudulently soliciting money on a website violated wire fraud statute); United States v. Briscoe, 65 F.3d 576, 580-81 (7th Cir. 1995) (holding that fraudulent transfer of funds through a computer system violates wire fraud statute).
(337.) Compare United States v. Wang, 898 F. Supp. 758, 759 (D. Colo. 1995) (holding that computer programs are property and infringement thereof may be prosecuted under both the Copyright Act and the Wire Fraud Statute), with United States v. LaMacchia, 871 F. Supp. 535, 540-44 (D. Mass. 1994) (dismissing wire fraud charge because infringement is not criminal).
(338.) 17 U.S.C. [section] 506(a)(1) (2006); see United States v. Rothberg, 222 F. Supp. 2d 1009, 1018 (N.D. Ill. 2002) (discussing the amendment to the statute).
(339.) 18 U.S.C. [section] 1343.
(341.) 18 U.S.C. [section] 1961 (2006).
(342.) 18 U.S.C. [section] 1346 (2006); United States v. Rybicki, 354 F.3d 124, 142 (2d Cir. 2003) (upholding a statute that extended the coverage of wire fraud to deprivation of right of honest services in the case of insurance fraud).
(343.) Skilling v. United States, 130 S. Ct. 2896, 2931 (2010) (construing [section] 1346 narrowly so as to avoid a finding of vagueness).
(344.) U.S.S.G. MANUAL [section] 2C1.1(a)(1),(b)(2).
(345.) Id. [section] 2C1.7(b)(1)(A); see, e.g., United States v. Mack, 159 F.3d 208, 220 (6th Cir. 1998) (applying [section] 2C1.7(b)(1)(B) to a prison security chief); United States v. ReBrook, 58 F.3d 961, 969 (4th Cir. 1995) (upholding increase in offense level pursuant to [section] 2C1.7(b)(1)(B) for wire fraud conviction based on video lottery systems because defendant was a public official holding high-level decision-making or sensitive position).
(346.) U.S.S.G. MANUAL [section] 2B1.1; see, e.g., United States v. Catalfo. 64 F.3d 1070, 1082-83 (7th Cir. 1995) (upholding sentencing enhancement for wire fraud by illegal computerized futures trading because defendant could have foreseen possible loss from his conduct and was therefore accountable for monetary loss under former [section] 2F1.1)..
(347.) See Pornography, Technology, and Process: Problems and Solutions on Peer- to-Peer Networks: Hearing Before the S. Judiciary Comm., 108th Cong. (2003) (statement of John Malcohn, Deputy Assistant Attorney General, Criminal Division, DOJ) [hereinafter Malcolm Statement].
(348.) See supra note 7 and accompanying text (discussing victims' reluctance to report computer crimes).
(349.) Pub. L. No. 108-159, [section] 114 (codified at 15 U.S.C. [section] 1681m (2006)).
(351.) Press Release, FTC, FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule (May 5, 2010), available at http://www.ftc.gov/opa/2010/05/redflags.shtm.
(352.) Id. (delaying enforcement until Dec. 31, 2010).
(353.) E.g., Piracy Deterrence and Education Act of 2003: Hearing on H.R. 2517 Before the Subcomm. on Courts, the Internet, and Intellectual Property of the H. Comm. on the Judiciary, 108th Cong. 23 (2003) (statement of Jana Monroe, Assistant Director, FBI Cyber Division).
(354.) See id.
(355.) See FBI, Cyber Crime, http://www.fbi.gov/about-us/investigate/ cyber/cyber (last visited Feb. 5, 2011).
(356.) See FBI, Innocent Images, http://www.fbi.gov/about- us/investigate/cyber/innocent/innocent (last visited Feb. 5, 2011).
(357.) See FBI, Innocent Images National Initiative, http://www.fbi.gov/stats-services/publications/innocentimages-1 (last visited Feb. 5, 2011).
(358.) See NAT'L WHITE COLLAR CRIME CTR. & FBI, THE INTERNET CRIME COMPLAINT CENTER INTERNET CRIME REPORT: 2009, http://www.ic3.gov/media/annualreport/2009_IC3Report.pdf (last visited Feb. 5, 2011).
(359.) See id. at 3.
(360.) See generally DOJ, Computer Crime & Intellectual Property Section, http://www.usdoj.gov/criminal/ cybercrime/index.html (providing cases, recent law, reports, and other documents related to computer crime) (last visited Feb. 5, 2011).
(361.) See Prosecution of Intellectual Property Crimes and the 'STOP!' Initiative: Hearing Before the Subcomm. on Oversight of Government Management, the Fed. Workforce, and the District of Columbia of the S. Comm. on Homeland Security and Governmental Affairs, 109th Cong. (2005) (statement of Laura H. Parsky, Deputy Assistant Att'y Gen., Criminal Division, DOJ) (describing recent initiatives of CCIPS targeting online piracy, fraud and illicit peer-to-peer network file sharing) [hereinafter Parsky I.P. Crime Statement].
(362.) Press Release, DOJ, Attorney General Alberto R. Gonzales Renews Commitment to Justice Department's Intellectual Property Task Force (Mar. 9, 2005), http://www.usdoj.gov/opa/pr/2005/March/05_ag_111.htm (last visited Feb. 5, 2011).
(363.) See id.
(364.) See id.
(365.) See id.; see also Parsky I.P. Crime Statement, supra note 361 (describing the CHIP program in detail).
(366.) See Parsky I.P. Crime Statement, supra note 361.
(367.) Press Release, DOJ, Justice Department Announces New Intellectual Property Task Force as Part of Broad IP Enforcement Initiative (Feb. 12, 2010), http://www.justice.gov/opa/pr/2010/February/10-ag-137.html (last visited Feb. 5, 2011).
(368.) See generally DOJ, Child Exploitation and Obscenity Section, http://www.usdoj.gov/criminal/ceos/ index.html (providing cases, recent law, testimony, reports, and other documents related to child pornography) (last visited Feb. 5, 2011).
(369.) See Sexual Crimes Against Children: Hearing on H.R. 2388 and H.R. 2318 Before the H. Comm. on the Judiciary, 109th Cong. (2005) (statement of Laura H. Parsky, Deputy Assistant Att'y Gen., Criminal Division, DOJ) [hereinafter Parsky Sex Crimes Statement].
(370.) See id. (stating that in 1997, 352 defendants were charged with child pornography crimes and 299 convicted and in 2004, 1486 cases were filed and 1066 convicted); Eric Holder, Deputy Attorney Gen., DOJ, Remarks at the International Conference on Combating Child Pornography on the Internet (Sept. 29, 1999) (stating that federal prosecutions of Internet child pornographers have increased 10% every year since 1995, and approximately 400 Internet child pornographers are prosecuted each year), http://www.usdoj.gov/criminal/ cybercrime/dagceos.html. But see supra Part III.B.1. (describing the constitutional challenges to federal child pornography statutes).
(371.) Press Release, DOJ, Department of Justice Releases First National Strategy for Child Exploitation Prevention and Interdiction (Aug. 2, 2010), available at http://www.justice.gov/opa/pr/2010/August/10-opa887.html.
(372.) See, e.g., Press Release, DOJ, Justice Department Announces Eight Charged in Internet Piracy Crackdown (July 28, 2005) ("Operations ... resulted in a total of more than 200 search warrants executed in 15 countries; [one operation] alone has yielded a total of 30 U.S. felony convictions and another 10 convictions overseas."); Press Release, U.S. Customs Serv., 45 Children Rescued, 20 Arrests in U.S. Customs, Danish Police Investigation of Global Child-Molesting, Pornography Ring (Aug. 9, 2002); Press Release, U.S. Customs Serv., U.S. Customs, 10 Foreign Countries, Serve Multiple Search Warrants on Internet Child Pornography Ring (Mar. 20, 2002).
(373.) See Parsky I.P. Crime Statement, supra note 361 (describing the growth of online piracy); id. (describing the burgeoning problem of child pornography and the ease, speed, and anonymity of distribution over the Internet).
(374.) ARIZ. REV. STAT. ANN [section] 13-2316 (2000).
(375.) FLA. STAT. [section][section] 815.01-815.07 (1996 & Supp. 1999).
(376.) ALA. CODE [section][section] 13A-8-100 to 13A-8-103 (1994); ALASKA STAT. [section][section] 11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985, 11.46.990 (2000); ARIZ. REV. STAT. ANN. [section][section] 13-2301 (E), 13-2316 (2000); ARK. CODE ANN. [section][section] 5-41-101 to 5-41-108 (1997); CAL. PENAL CODE [section][section] 502, 1203.047 (West 1998 & Supp. 2004); COLO. REV. STAT. [section][section] 18-5.5-101 to 5-102 (2000); CONN. GEN. STAT. [section][section] 53a-250 to 53a-261 (1999 & Supp. 2001); DEL. CODE ANN. tit. 11, [section][section] 931-939 (1995 & Supp. 2000); FLA. STAT. [section][section] 815.01-.07 (2000): GA. CODE ANN. [section][section] 16-9-90 to 16-9-94 (1998); HAW. REV. STAT. [section][section] 708-890 to 708-893 (1999); IDAHO CODE ANN. [section][section] 18- 2201 to -2202, 26-1220 (1997); 720 ILL. COMP. STAT. 5/16D-1 to -7 (1998 & Supp. 1999); IND. CODE [section][section] 35-41-2-3, 35-43-1-4 (1998); IOWA CODE ANN. [section][section] 716A.1-.16 (West 1993 & Supp. 2000); KAN. STAT. ANN. [section] 21-3755 (1995 & Supp. 1999); KY. REV. STAT. ANN. [section][section] 434.840-.860 (1999); LA. REV. STAT. ANN. [section][section] 14:73.1-.5 (1997 & Supp. 2001); ME. REV. STAT. ANN. tit. 17-A, [section][section] 431-433 (West Supp. 2000); MD. COOE ANN., CRIM. LAW [section] 7-302 (West 2004); MASS. GEN. LAWS ch. 266, [section][section] 30, 33A. 120F (1992 & Supp. 2000); MICH. COMP. LAWS [section][section] 752.791 to .797 (1991 & Supp. 2000); MINN. STAT. [section][section] 609.87-.894 (1998); MISS. CODE ANN. [section][section] 97-45-1 to -13 (2000); MO. REV. STAT. [section] 569.095 (1994) (amended by Stolen Property--Services--Penalty Provisions, 2002 Mo. Legis. Serv. 194 (West)); MONT. CODE ANN. [section][section] 45-6-310, -311 (1999): NEB. REV. STAT. [section][section] 28-1343 to -1348 (1995); NEV. REV. STAT. [section][section] 205.473-.491 (2007); N.H. REV. STAT. ANN. [section][section] 638:16-19 (1996 & Supp. 2005); N.J. STAT. ANN. [section][section] 2A:38A-1 to -6 (West 2000), 2C:20-23 to -34 (West 1995 & Supp. 2000); N.M. STAT. [section][section] 30-45-1 to -7 (2006); N.Y. PENAL LAW [section][section] 156.00-.50 (McKinney 2006); N.C. GEN. STAT. [section][section] 14-453 to -457 (2005); N.D. CENT. CODE [section] 12.1-06.1-08 (1997 & Supp. 2003); OHIO REV. CODE ANN. [section] 2913.04 (West 20071; OKLA. STAT. ANN. tit. 21, [section][section] 1951-1958 (West Supp. 2001); OR. REV. STAT. [section][section] 164.125, 164.377 (1999); 18 PA. CONS. STAT. ANN. [section] 7601, 7603, 7611, 7615, 7616 (West Supp. 2003); R.I. GEN. LAWS [section][section] 11-52-1 to -8 (2000); S.C. CODE ANN. [section][section] 16-16-10 to -40 (Law. 1985 & Supp. 2000) (amended by Computer Abuse Act of 2002, 2002 S.C. Acts 169); S.D. CODIFIED LAWS [section][section] 43-43B-1 to -8 (1997); TENN. CODE ANN. [section][section] 39- 14-601 to -603 (1997 & Supp. 2000): TEX. PENAL CODE ANN. [section][section] 33.01 to .04 (Vernon 1994 & Supp. 2001); UTAH CODE ANN. [section][section] 76-6-701 to -705 (1999 & Supp. 2000); VT. STAT. ANN., tit. 13, [section][section] 4101-4107 (Supp. 1999); VA. CODE ANN. [section][section] 18.2-152.1 to .15 (1996 & Supp. 2000); WASH. REV. CODE [section][section] 9A.52.110-.130 (1998); W. VA. CODE. [section][section] 61-3C-1 to -21 (2000): WIS. STAT. [section] 943.70(1998); WYO. STAT. ANN. [section][section] 6-3-501 to -505 (1999 and Supp. 2000).
(377.) S. 240, 96th Cong. [section] 1 (1979); S. 1766, 95th Cong. [section] 1 (1977); see also Federal Computer Systems Protection Act: Hearings on S. 1766 Before the Subcomm. on Criminal Laws and Procedures of the S. Comm. on the Judicial, 95th Cong. 170-71 (1978) (setting forth proposed 1977 legislation).
(378.) See Robin K. Kutz, Note, Computer Crime in Virginia: A Critical Examination of the Criminal Offenses in the Virginia Computer Crimes Act, 27 WM. & MARY L. REV. 783, 789-90 (1986) (stating that Ohio and Massachusetts took a third approach, choosing only to "redefine certain terms in their criminal codes to ensure that their statutes covered computers and computer-related intangible property").
(379.) See Jerome Y. Roache, Computer Crime Deterrence, 13 AM. J. CRIM. L. 391, 392 (1986) (explaining how prosecution is aided by eliminating the need for prosecutors, attorneys, and judges to rationalize the application of a traditional criminal law in a technical, computer-related context).
(380.) See. e.g., Computer Crime and Intellectual Property Section--United States Dep't of Justice, The National Information Infrastructure Protection Act of 1996: Legislative Analysis, http:Hwww.cybercrime.gov/1030analysis.html (last visited Feb. 5, 2011); see also Marc D. Goodman, Why the Police Don't Care About Computer Crime, 10 HARV. J. L. & TECH. 465, 468-69 (1997).
(381.) See CAL. PENAL CODE [section] 502.01 (West 1998 & Supp. 2004); N.J. STAT. ANN. [section] 2C:64-1 (West 1995 & Supp. 2000); N.M. STAT. ANN. [section] 30-45-7 (1997). Illinois distributes half the forfeited proceeds to the local government agency that investigated the computer fraud for training and enforcement purposes, and half to the county in which the prosecution was brought, where it is placed in a special fund and appropriated to the State's Attorney for use in training and enforcement. 720 ILL. COMP. STAT. 5/16D-6 (1998 & Supp. 1999).
(382.) See ALASKA STAT. [section] 11.41.270 (2000); MICH. COMP. LAWS ANN. [section] 750.411(h)(e)(vi) (West Supp. 2000); OKLA. STAT. ANN. tit. 21, [section] 1173 (West Supp. 2001); WIS. STAT. [section] 947.0125 (2001); WYO. STAT. ANN. [section] 6-2-506 (1999).
(383.) ALA. CODE [section] 13A-11-8(b)(1)(a) (1994 & Supp. 2000); CONN. GEN. STAT. [section] 53a-183 (2001); IDAHO CODE ANN. [section] 18-6710(3) (1997); N.Y. PENAL LAW [section] 240.30 (McKinney 1989 & Supp. 2001).
(384.) E.g., MICH. COMP. LAWS ANN. [section] 750.145(d) (West Supp. 2004).
(385.) See Am. Booksellers Found. for Free Expression v. Strickland, 601 F.3d 622 (6th Cir. 2010) (overturning a district court's finding that an Ohio statute prohibiting dissemination over the internet of materials harmful to minors was unconstitutional); Vives v. City of New York, 405 F.3d 115 (2d Cir. 2005) (challenging a New York statute criminalizing sending non-threatening materials with "the intent to alarm"); ACLU v. Johnson, 194 F.3d 1149 (10th Cir. 1999) (finding a New Mexico statute criminalizing dissemination by computer of material harmful to minors violated First Amendment); Southeast Booksellers Ass'n v. McMaster, 371 F. Supp. 2d 773 (D.S.C. 2005) (invalidating on First Amendment grounds a state statute providing criminal sanctions for disseminating harmful material to minors as applied to digital electronic files sent or received via Internet).
(386.) Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Missouri, Nevada, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming all have enacted some permutation of anti-spam legislation. See State Spam Laws (Feb. 10, 2010), http://www.ncsl.org/default.aspx?tabid=13449.
(387.) See ARK. CODE ANN. [section] 5-41-106 (1997); CONN. GEN. STAT. [section] 52-570b (Supp. 1999); DEL CODE ANN. tit. 11, [section] 939 (1995 & Supp. 2000); GA. CODE ANN. [section] 16-9-93 (1998); 720 ILL. COMP. STAT. 5/16D-3(4)(c) (1998 & Supp. 1999); MO. REV. STAT. [section] 537.525 (1994); N.J. REV. STAT. [section][section] 2A:38A-1 to 2A:38A-6 (2000); OKLA. STAT. ANN tit. 21, [section] 1955 (West Supp. 2001); R.I. GEN. LAWS [section] 11-52-6 (2000); W. VA. CODE [section] 61-3C-16 (2000).
(388.) See State Spyware Laws (Dec. 29, 2009), http://www.ncsl.org/default.aspx?tabid=13452.
(390.) See Benjamin Edelman, "Spyware"--Research, Testing, Legislation and Suits, http://www.benedelman.org/ spyware/#suits (last visited Feb. 5, 2011).
(391.) Arkansas, California, Connecticut. Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, and Washington.
(392.) See, e.g., CAL. CIV. CODE [section] 1798.29(a), [section] 1798.82 (West 2007); ARK. CODE ANN. [section][section] 4-110-10l to 108 (2007).
(393.) See, e.g., CAL. CIV. CODE [section] 1798.29(a), [section] 1798.82 (West 2007): ARK. CODE ANN. [section][section] 4-110-101 to 4-110-108 (2007) (requiring individuals, businesses and state agencies that acquire, own or license personal information of Arkansas residents provide reasonable security measures to protect that information).
(394.) See, e.g., Jennifer Steinhauer, Verdict in MySpace Suicide Case, N.Y. TIMES, Nov. 26, 2008. available at http://www.nytimes.com/2008/11/27/us/27myspace.html?_r=1&hp (last visited Feb. 5, 2011) (discussing a teenage girl who committed suicide after being bullied via MySpace by the mother of one of her classmates).
(395.) E.g., NEV. REV. STAT. [section] 388.123 (2009); MASS. GEN. LAW ANN. ch. 71, [section] 370 (West 2010) (effective May 3, 2010).
(396.) In the Meier case, for example, the defendant could only be charged under the Computer Fraud and Abuse Act (18 U.S.C. [section] 1030 (2006)), which is intended to prevent unauthorized access to computer systems, and was eventually acquitted. See Cyberbullying: Responses, NATIONAL COALITION AGAINST CENSORSHIP http://www.ncac.org/Cyberbullying-Responses (last visited Feb. 5, 2011).
(397.) E.g., Megan Meier Cyberbullying Prevention Act, H.R. 3224, 111th Cong. (2009); SAFE Internet Act of 2009, S. 1047, 111th Cong. (2009).
(398.) BUREAU OF JUSTICE STATISTICS, DOJ, NATIONAL SURVEY OF PROSECUTORS: PROSECUTORS IN STATE COURTS, 2005, 5 (2006), available at http://bjs.ojp.usdoj.gov/index.cfm?ty=pbdetail&iid=1124 (last visited Feb. 5, 2011).
(402.) See generally Kate Reder, Ashcroft v. ACLU: Should Congress Try, Try, and Try Again, or Does the International Problem of Regulating Internet Pornography Require an International Solution ? 6 N.C. J.L. & TECH. 139 (2004); Computer Crime & Intellectual Prop. Section, DOJ, International Aspects of Computer Crime (providing cases, laws, testimony, reports, and other documents related to international efforts to combat cybercrime), http://www.usdoj.gov/criminal/cybercrime/intl.html (last visited Feb. 5, 2011).
(403.) See Reno v. ACLU, 521 U.S. 844, 851 (1997) (defining cyberspace as a "unique medium ... located in no particular geographical location but available to anyone, anywhere in the world, with access to the Internet").
(404.) See Walter Gary Sharp, Sr., Note, Redefining National Security in Today's World of Information Technology and Emergent Threats, 9 DUKE J. COMP. & INT'L L. 383, 384 (1999); see also Steve Shackelford, Note, Computer-Related Crime: An International Problem in Need of an International Solution, 27 TEX. INT'L L.J. 479, 494 (1992).
(405.) See generally the Financial Institutions Fraud, Mail and Wire Fraud, and Securities Fraud articles in this issue.
(406.) See, e.g., Katyal, supra note 4, at 1048-49 (describing how Ramsi Yousef, who masterminded the 1993 World Trade Center bombing, used encryption to store details of scheme on his laptop computer).
(407.) See Chris Reed, The Admissibility and Authentication of Computer Evidence--A Confusion of Issues, 5th BILETA Conference (2005); see also JOHN ANDREWS & MICHAEL HIRST, ANDREWS & HIRST ON CRIMINAL EVIDENCE 380-85 (3d ed. 1997) (describing problems with current English evidentiary regime, and agreeing with proposed changes); THE LAW COMMISSION, CONSULTATION PAPER NO. 138, CRIMINAL LAW; EVIDENCE IN CRIMINAL PROCEEDINGS: HEARSAY AND RELATED TOPICS 207 (1995).
(408.) See Amy Knoll, Any Which Way But Loose: Nations Regulate the Internet, 4 TUL. J. INT'L & COME L. 275 (1996) (describing and evaluating legislation in Belarus, China, Croatia, the European Union, France, Germany, Russia, Singapore, and the United States).
(409.) The German Penal Code (Strafgesetzbuch) proscribes distributing any fascist or other related literature. STRAFGESETZBUCH [StGB] [PENAL CODE], May 15, 1871, Federal Law Gazette I, 945, as amended, [section] 86 (Ger.); Code penal [C. pen.] R. 645-1 (Fr.).
(410.) See Ahmad Mardini, Gulf-Culture: Officials Worry About Smuton Internet, INTER PRESS SERV (1996).
(411.) See Yahoo! Inc. v. La Ligue Contre le Racisme et L'Antisemitisme, 433 F.3d 1199 (9th Cir. 2006) (en banc) (dismissing suit where three judges held that there was no jurisdiction and three held that the suit is not ripe); see also Elissa A. Okoniewski, Yahoo!, Inc. v. LICRA: The French Challenge to Free Expression on the Internet, 18 AM. U. INT'L L. REV. 295 (2002) (showing the legal tensions between nations as cultural and constitutional norms come into conflict); Silvia Ascarelli & Kimberley A. Strassel, Two German Cases Show How Europe Still Is Struggling to Regulate Internet, WALL ST. J., Apr. 21, 1997, at B9; Silvia Ascarelli, Two On-Line Services Companies Investigated in Racial Hatred Case, WALL ST. J., Jan. 26, 1996, at B2.
(412.) See Silvia Ascarelli, Technology & Takeovers: Politician Is Acquitted in Internet Case in Berlin, WALL ST. J. EUR., July 1, 1997, at 11.
(413.) Michael Laris, Beijing Launches a New Offensive to Squelch Dissent on Internet, WASH. POST, Dec. 31, 1997, at A 16 (describing regulations).
(414.) See Ray Sanchez, Cuba Cutting Internet Access, SUN SENTINEL, May 7, 2009. available at http://www.sunsentinel.com/news/nationworld/sfl-cuba- internet_cutoff_050709,0,4376220.story.
(415.) See BUS. SOFTWARE ALLIANCE & INT'L DATA CORP., SEVENTH ANNUAL BSA/IDC GLOBAL SOFTWARE PIRACY STUDY (2010), available at http://portal.bsa.org/globalpiracy2009/index.html (last visited Nov. 5, 2010).
(416.) Id. (up from forty-one percent in the previous year).
(418.) Laura H. Parsky, Deputy Assistant Attorney Gen., DOJ, Remarks at International Conference on Intellectual Property Protection (Oct. 14, 2004) (describing international cooperation in combating intellectual property crime), http://www.usdoj.gov/criminal/cybercrime/parskySpeech.htm (last visited Nov. 5, 2010).
(419.) See Ulrich Sieber, Computer Crimes and Other Crimes Against Information Technology: Commentary and Preparatory Questions for the Colloquium of the AIDP in Wuerzburg, 64 REV. INT'L DE DROIT PENAL 67, 69-70 (1993) (discussing adoption of computer crime legislation).
(420.) See, e.g., Computer Misuse Act, 1990, c. 18 (U.K.).
(421.) See Cybercrimes--Coordinated Effort to Attack Cybercrimes, 3 No. 1 CYBERSPACE L. 32, 32 (1998) (discussing cooperative effort to coordinate Internet legislation between Britain, Canada, France, Germany, Italy, Japan, Russia, and the United States); Cole Durham, The Emerging Structures of Criminal Information Law: Tracing the Contours of a New Paradigm: General Report for the AIDP Colloquium, 64 REV. INT'L DE DROIT PENAL 79, 97-109 (1993) (discussing patterns of convergence in computer crime legislation with regard to unauthorized access, unauthorized interception, unauthorized use of computer, alteration of data or programs, computer sabotage, computer espionage, unauthorized use or reproduction of computer programs, unauthorized reproduction of topography, computer forgery, and computer fraud).
(422.) Council of Europe, Chart of Signatures and Ratifications, available at http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp ?NT=185&CM=1&DF=08/11/2010&CL=ENG (last visited Feb. 5. 2011) (noting that forty-six countries have signed the treaty including four parties outside of the Council of Europe).
(423.) Council of Europe, Convention on Cybercrime, opened for signature Nov. 23, 2001, C.E.T.S. No. 185, http://conventions.coe.int/Treaty/en/Treaties/Word/185.doc (last visited Feb. 5, 2011).
(424.) See International Aspects of Computer Crime, U.S. DEP'T. OF JUSTICE, COMPUTER CRIME AND INTELLECTUAL PROP. SECTION, http://www.justice.gov/criminal/cybercrime/intl.html#Vb (last visited Feb. 5, 2011).
(425.) Fighting Cybercrime: Hearing Before the Subcomm. on Crime of the H. Comm. on the Judiciary, 107th Cong. 1 (2001) (statement of Michael Chertoff, Assistant Att'y Gen. Criminal Division), http://judiciary.house.gov/ legacy/72616.pdf (last visited Feb. 5, 2011).
(427.) See Durham, supra note 421, at 97 n.51 (citing efforts by Council of Europe, OECD, and United Nations).
(428.) See generally BUSINESS SOFTWARE ALLIANCE, http://www.bsa.org (last visited Feb. 5, 2011).…