Thursday 15 December 2011

AFTER HACK

This Lawful Land

There are lots of fraud investigators, special agents, Secret Service people, FBI guys and all manner of local, state and federal enforcement officials roaming around cyberspace, waiting to trip you up. There are also private citizens who love hacking but don't love the idea of being criminals, so they hack the hackers, building up dossiers, which they then turn over to the authorities.

Getting caught can make you famous, maybe even throw some money your way. It can also take away a good part of your life, your money, your reputation, your computing equipment, and your hopes for the future. Let's take a look at the laws that cause this state of affairs.



State Computer Crime Laws

Every state except Vermont has explicit laws forbidding computer crime. They are all pretty much alike in that they start out by defining what a computer is, and defining various terms relating to computers and computer crime. Then they list the specific offenses the law prohibits, and the penalties associated with those illegal activities.

You can easily find out what the situation is for your state. Just so you know what kind of things cops and lawyers are talking about when they talk about state computer crime laws, let's take a look at a typical anti-hack statute.

The Wisconsin statute on computer crimes ("Chapter 293, Laws of 1981, 943.70" for you law-book gurus) lists eight possible naughty things a person can do with a computer. The first six have to do with "computer data and programs," the sixth being the willful, knowing, and unauthorized disclosing of "restricted access codes or other restricted access information to unauthorized person[s]." The first five bits of software naughtiness detail the willful, knowing, and unauthorized modification, destruction, accession, possession, or copying of computer data, computer programs, or "supporting documentation."

The final offenses have to do with the hardware aspect. "Whoever willingly, knowingly and without authorization," either modifies, destroys, uses, takes or damages a computer, computer system, network, equipment or supplies related to computers, is guilty under this statute.

There are eight different penalties listed, depending on whether the act in question is considered a misdemeanor or a felony under the law. The magnitude of the crime is based on how much damage was caused money-wise, how much threat to others there was, and whether the hacker did the deed with intent to defraud or obtain property. Penalties range from life imprisonment (sheesh!) to various fines in the $500-$10,000 range.



Traditional State Crime Laws

Just because your state doesn't have a law that specifically forbids snooping around in someone else's computer, doesn't mean what you're doing is completely legal. Prosecutors will try to convict hackers on violations of any law, even if there's a large void between the hacker's actions and the original intent of the law. In some circumstances, the prosecutors may feel there is not a good enough case against a hacker using the computer laws. For other reasons - such as a rural jury - prosecutors will press the issue of guilt, but try to sidestep the technical aspect of it. They will charge a hacker with infractions of traditional crime laws, such as malicious mischief, burglary, larceny, and whatever other nasties they can squeeze into play.

There are problems applying traditional laws to modern "crimes," and the focus changes from whether Hacker X is guilty or innocent, to whether Hacker X is guilty of that particular crime. Can hacking be considered a kind of burglary? In a blue collar computer crime, such as the theft of the actual hardware, there is no question whether or not a law has been broken. On the other hand, if a hacker steals records from a database, do the burglary statutes still apply? What if the hacker didn't actually deprive anyone of their information, but only made a copy of it for him or herself? Is this a different issue?

These topics have been addressed differently in different court cases. If you are ever unfortunate enough to be tried for hacking-related offenses, the judge's decision will be based on the exact definitions of "software," "burglary," and other key words for your particular state. If the state has no computer crime statutes, then "software" may not be defined; in that case it is up to the judge entirely to decide what these terms mean.

Since we do have 50 states worth of laws to consider, in addition to federal laws, space constraints dictate that we not list every single statute and definition that might apply to a hacker's trial. For the specifics you will have to do your own research into your state's laws. Here is a generalized overview of traditional crimes, and how they can be applied to convict you of computer hacking. I want to stress this point of "generalizations." All the definitions of law to follow are simplifications of the laws throughout the land. Individual states add their own personal quirks and nuances to these laws - minutiae on which both surprise verdicts and legal loopholes are based.


Criminal Mischief

Also called malicious mischief, this is the willful destruction of someone else's property. You may say to yourself, "Gosh, as long as I don't purposely go around acting like a jerk, how can they convict me on that one?" Good question. To be able to say that malicious mischief has occurred, three things must be present: a real human action, evidence that the action has caused damage to someone else's property, and that the damage is observable to a bystander. That's the traditional definition. Well, any bystander can see a smashed storefront window, but how many "average bystanders" can easily see how an algorithm has been changed in a program to allow access to anyone named "Borges"?

The thing is, a hacker may change software or password files to gain entry to a system, but it is often hard to determine whether or not such an action has caused "willful destruction" of that file. Indeed, the software may not actually have been altered to any detectable degree, and the hacker himself may not have done any noticeable actions at all. Can one then honestly say that criminal mischief has occurred? And yet, the hacker may have left the software in an altered, "destroyed" state.

The answers to such questions remain to be adequately determined.



Burglary

For most states, burglary is the unauthorized breaking and entering of the real property of another with intent to commit a crime. Again there is a problem, in that we have to decide whether or not to accept an operating computer network as property. The act of entering one's username/password is often metaphorically associated with that of unlocking and opening a door to one's house, but does that analogy exist to such a degree that the unauthorized entry into a computer directory is committing a burglary?

It is generally conceded that the attempt to prosecute such an act under traditional burglary statutes becomes futile. It may become slightly less futile if there is a clear intent on the hacker's part to commit a crime. Again, make sure the world knows your intentions are benign, and be sure to follow that path. Of course, the physical breaking and entering of a building, with the intention of using the computers there to hack, is a more clear-cut matter. Don't expect to wiggle out of that one on as many technicalities.


Fraud

Fraud is easy to define: any sort of deception, cheating or unfair behavior that is used to cause injury to another person. Using someone else's password is fraud, since you are falsely representing yourself, and the "injured person" (computer) reasonably believes you to be that person to the extent that you are given privileges you should not have received.

But to be convicted of fraud it must be shown that because of the deception, the victim had damage done to him or her. What happens in the case where a computer manager knows it's a hacker on the line, and yet the manager is unable to prevent damage from occurring? Since there is no deception, there is no fraud. That may be intent to defraud, and perhaps not fraud itself.

Social engineering is clearly fraud if information gained from the exchange is used to enter a computer, and some injury can be proven. Actually, fraud is universally cited in any instance of computer crime, no matter what methods were used or what the outcome of the "crime." You can see then the importance of not causing "injury" to a computer. In all of these cases, it is essential that it can be established that no damage (or alteration) was done, and none was intended.



Larceny

Larceny occurs when two conditions hold true: A piece of property has been criminally taken and carried away from another person, and the intention of so doing was to permanently deprive the owner of his or her property.

Again, problems arise when applying this to computer hacking. Think about a case where a hacker inserts a GOTO statement in a program to bypass the section where the program asks for login information. Has the hacker effectively deprived the administrators on that system of that section of code - that piece of property? Additionally there is the problem of determining if the intent was to leave the GOTO in permanently, and not only that, whether or not such an action constitutes "taking" away of property. After all, the intermittent code is still there, only the access to it has been temporarily eliminated.

Larceny may be applied to the stealing of time on a computer, to stolen telephone service or electrical power. In these cases it would seem the lawyers are doing their best in a trying situation - a situation in which they realize the hacker has not done any harm, and yet they want to symbolically punish the hacker for invading their computers.



Theft Of Trade Secrets

Theft of trade secrets - also called "misappropriation" of trade secrets - may be contained in the larceny laws of the state if a trade secret is defined as a kind of property, or it may be the principal construct of its own statute. Misappropriation of trade secrets might be the better of the two names, as it more accurately reflects the nature of the law: either the physical taking of secrets, or the unauthorized copying of them, may be viewed as a violation.

So if a hacker has printouts of some top secret laboratory reports, that information has been misappropriated, copied by an individual unauthorized to do so. If this law is subsumed into the general larceny statute, a prosecuting complication might arise. We are then back to the question of whether or not it can be shown that the hacker intended to permanently deprive the owner of his property. We both know that computer hackers generally don't have any intention of deprivation - just learning. We know that, but we can't expect judges and juries to understand.

Finally, let's end this section on a good note. If the accused hacker leaves no trace of his or her entering a system, then it is typically the case that theft of trade secrets cannot be seriously considered as having taken place. Thus, hackers should make certain that all files and printouts which contain data that one might regard as trade secrets, are either purged, burned or hidden very well.



Receipt Of Stolen Property

Let's describe this one by mentioning its three parts: (1) The stolen property must have been received by (2) someone who knows or should reasonably suspect that the property was stolen, and (3) the receiving has been done with the intent of permanently depriving the owner of his property.

As with trade secret theft, ROSP may be included in the larceny laws, or it may have its very own statute to call its own. Regardless, ROSP is a good crime to catch hackers by. Here's why: ROSP is applicable for almost any stolen property or "property," including trade secrets, information, goods and services, high credit ratings (been hacking TRW lately?), computer time, passwords, and files. If you've got any of these, or anything else for that matter, you've got ROSP to deal with.



Theft Of Services Or Labor Under False Pretenses

Theft of Services Under... Boy, I thought I had to abbreviate when discussing Receipt of Stolen Property! TOSOLUFP is basically a form of larceny whereby you trick someone into letting you have something. For instance, TOSOLUFP might occur when a hacker gets access to an on-site computer by showing a guard a fake ID badge.

Similarly, any false representation of a fact with the intention of obtaining the property of another is TOSOLUFP. Additionally it must be shown that the victim's judgment relied on acceptance of that false representation and because of that reliance, suffered some injury - such as loss of computer time or monies which would be paid by a legal user of the system.



Interference With Use Statutes

If someone does something so another person can't use his or her property (with a resulting loss to the property owner) then it is said that an "interference with use" statute has been broken. In the hacking sense, if a cracker were to change password files so others couldn't log on, or tamper with a piece of source code, or use another person's username and password, an IWUS may be said to have occurred. Sometimes these are called anti-tampering laws.

As we have seen with the other traditional laws as they apply to hacking, there are of course no clear ways to overlay centuries-old terminology onto modern situations. An IWUS can apply even if there is no visible damage as a result of tampering. Even the installation of a back door may be punishable, regardless of whether other users know this illegal mode of entry exists.


Traditional Federal Crime Laws

A crime may become a federal crime if it takes place on or involves federal property, or if there is a vested federal interest in the crime. There are federal laws which don't necessarily refer to computers, yet are acceptable for use in the prosecution (persecution?) of computer hackers. Note that these laws, as well as the laws described in following sections, are applicable only when the computers you hack are related to the federal government in some way.



Conspiracy

Conspiracy (aka 18 USC #371, if you like numbers) takes place when two or more individuals combine to agree upon or plot an unlawful act, or to commit a lawful act in an unlawful manner. The law goes on to state it is unlawful for these two or more people to plan to defraud the US government, or any federal agency.

This means that a bunch of criminals who use hacker's techniques to make money appear in their checking accounts will be accused of conspiracy if the bank or financial institution involved is a member of the Federal Deposit Insurance Corporation.

In any case, if you are a member of any sort of group which discusses hacking, or if you've ever discussed hacking or other illegal activities with anyone, you are a potential victim of this law.

661, 2113, 641, 912, 1343, 1361, Etc.

Other federal laws may also apply in select cases of computer hacking. Applicability of these laws depends on the nature of the "crime," what computers were being hacked, where the hacking took place, and how the hacker went about breaking in. For example, laws 18 USC 661 & 2113 have to do with thefts committed within a special maritime jurisdiction and burglary of a bank respectively. Other laws deal with post offices, fortifications, harbor-defense areas, and federal property in general. These are special laws that will apply only if you have, let's say, "burglarized" the information in a post office database, or committed some other special-area offense.

United States Code 641 applies to the theft of federal property (is information property?) or records. USC 912 makes it unlawful to obtain "a thing of value" by impersonating a federal officer or employee. I would guess entering a federal employee's password is considered impersonation.

Number 1343 on the books says you can't use wire communications to execute or attempt to defraud or scheme to obtain property under false pretenses, when the message crosses state lines. 1361 prohibits malicious injury to federal property, and 2071 disallows the concealment, mutilation or removal of public records. All of which a computer cracker is likely to do, if on a federal computer.

There is law after statute after law, all dealing with specific issues like these. It doesn't seem worthwhile to go through every last one of them. Suffice it to say, if you get caught by the feds, they have a lot of legalese they can use to say why what you were doing was wrong. I'm not saying you should go out and memorize every bill that's ever been passed that might have some remote connection to computer law. I'm saying you should realize that computer hacking can be a risky business. Use your head. Don't make the mistakes that others have made. If you're lucky, you'll be hacking without harm for as long as you want.

Federal Computer Crime Laws, Or: It's 10:30, Do They Know Where The Hackers Are?

Finally, there are the federal laws which specifically relate to computer crime that one must be wary of. The Counterfeit Access Device and Computer Fraud Act of 1984 (18 USC 1030) was the first law that explicitly talked about computer crime. As you might expect, it is a law that can be applied to just about any government hack. It prohibits unauthorized access to data stored on any "federal interest computer," and specifically mentions financial records and national secrets as info not to mess around with. This law allows for fines up to $10,000 or up to 10 years imprisonment if it's a first offense.

Two years later, two computer crime acts were passed by Congress. The Computer Fraud and Abuse Act of 1986 defined more situations in which hackers could be prosecuted, by talking more about financial houses and medical records, targeting computers involved with interstate crimes, computers belonging to certain financial institutions, and other federally owned computers. There are also provisions for the trafficking in passwords with intent to defraud computer owners. Most interesting to the hacker, I believe, is that The Computer Fraud and Abuse Act of 1986 makes it illegal to use other people's passwords, or even to use one's own password improperly - that's where the "fraud" part of the title comes from.

One sort of strange requirement that this law makes is that it can only be applied to crimes where the victim has lost $1,000 or more due to the crime. Since you are going to be hacking under a set of ethical constraints, this law doesn't apply to you at all then (i.e., no computer you hack will lose anything from your explorations).

This facet of the Act is made even more interesting when you realize that the Senate Judiciary Committee, in their report on the Act, explained that a cracker doesn't have to actually steal data to be prosecuted under the law; he or she only has to read the data. Makes you wonder what they're thinking, since it's beyond my comprehension how anyone can prove that reading some data caused $1,000 worth of damage. But then, I'm no lawyer.

The Computer Security Act of 1987 is a do-nothing law that requires security standards to be developed for classified and unclassified federal data, and requires that security plans and periodic security training be implemented on federal computer systems containing sensitive information.



Conclusion

I was going to apologize to all the lawyers out there, for the way I've manhandled these descriptions of all the above laws. But really, why should I apologize to lawyers?
Now let's talk about what we as hackers can do to protect ourselves; then we won't have to worry about any of the above.