Articles TheScopeandtheNatureofComputerCrimesStatutesA CriticalComparativeStudy

RizgarMohammedKadir Abstract Whencomputercrimestatuteshadyettobeenacted,computercrimesweresubjectedto traditional criminal laws. This policy resulted in greater expense and other considerable difficulties. These problems and difficulties paved the way for the emergence of a consensuscallingforlegislatorstointerveneandenactspecificcomputercrimelegislation suited to confronting this new type of criminal activity. Many countries in the world respondedbyenactingnewcriminallegislationandmanyothersareontheirwaytotake similarlegislativesteps. Forthelegislativeinterventiontobesoundandsuccessfultwomajorquestionsshouldbe adequately addressed; the scope of legislative intervention and the nature of computer crimelegislationenacted.Regardingthefirstquestion,newcriminalprovisionsareneeded onlytocoverthosecrimesthatareuniquetocomputersthemselves,othercrimesinwhich acomputerisusedsimplyasaninstrumentforperpetrationareeithercoveredbyexisting criminal provisions or can be covered by simple amendments of said provisions. Another stepthatshouldbetakenbylegislatorsistheamendmentofexistingcriminallawswithan aim to cover some special cases such as the cases in which the computer is used as an instrument for committing known traditional crimes, making the perpetration of such crimes easier or resulting in more dangerous consequences compared to their more traditionalformsandcasesinwhichintangibledigitizedpropertycomesunderthreatfrom criminalactivities. While many countries in the world have soundly followed such a method in dealing with computerrelatedmisconductslegislatively,othershavefailedtodoso.Insomecountries, the legislator has criminalized some criminal conducts that have long since been criminalized by that countrys penal code. This creates conflict between criminal provisions,posingproblemstoprosecutorsandcourtsalike. Regarding the nature of computer crime statutes, the legislator is presented with two options.Thefirstistheinclusionoftheaforementionedcriminalprovisionsinoneseparate
*

AssistantProfessorofCriminalLaw,CollegeofLawandPoliticsDepartmentofLaw,SalahaddinUniversity,Erbil KurdistanRegion,Iraq.Email:rizgar70m@yahoo.com.

610

GermanLawJournal

[Vol.11No.06

codeasonespecificcomputercrimestatute.Thesecondisinsertingsubstantivecriminal provisionsrelatedtocomputercrimesintotheexistingpenallawofthecountry.Whilethe firstmethodpreservestheunityofsubstantivecriminallawofthecountryinonecodeand prevents the dispersion of criminal provisions into many separate laws, the second one would,bycontrast,createmuchneededpublicawarenessofcomputercrime.

A.Introduction Criminal law plays a prominent role in the life of society and performs several functions: deterring people from committing acts that harm others or society; determining the conditions under which people who have performed such acts will be punished; and providing some guidance on the kinds of behavior that are regarded by society as 1 acceptable. Sinceoneofthemainfunctionsofthecriminallawistodeterminewhichhumanconducts are regarded as crimes, and given that the advance of society might bring new harmful conducts, the list of conducts prohibited and punished by the legislator through the criminal law is neither fixed nor unchanged forever. Although almost all nations in the world have recognized many forms of conduct, such as murder or theft, as crimes since antiquity,theformsofconductcriminalizedbyagivencriminallawofacertaincountryare not exactly the same as those criminalized by the criminal law of the same country fifty yearsago. Forthefactsandreasonsmentionedabove,thelegislatorisalwaysobligedtoreviewthe criminal law from time to time whenever a new type of harmful conducts emerges. This wasexactlywhathappenedwhencomputersenteredthelivesofindividualsandsocieties. Althoughthenewtechnologyprovidedmanynewbenefits,itled,atthesametime,tothe emergenceofnewcriminalactivitiesandenhancedthecapabilitiesofcriminalstoagreat 2 extent. WiththeemergenceofComputerMisuseActivities,aconsensusthatsuchactivitiesmust be prevented and punished emerged. As a result of this, a crucial question arose 3 concerning the best legislative way of accomplishing this . While many scholars saw that
1

JonathanHerring,CriminalLaw45(2002).

DoddS.Griffith,TheComputerFraudandAbuseActof1986:AMeasuredResponsetoAGrowingProblem,43 VanderbiltLawReview(Vand.L.Rev.)453(1990),454.
3

AmaliaM.Wagner,TheChallengeofComputerCrimelegislation:HowShouldNewYorkRespond,33Buffalo LawReview(BuffL.Rev.)777(1984),795.

2010] TheScopeandtheNatureofComputerCrimesStatutes

611

the traditional existing criminal statutes were sufficient for successfully prosecuting any type of computer abuses, many others presented strong legal, technical and practical arguments,andstronglybelievedthattheexistingcriminalstatuteswerenotsuitablefor 4 the digital era; the nature of computer crime necessitates specialized legislation. However, this dispute did not last long and was settled in favor of those demanding legislative action. Consequently, many countries around the world began to enact new legislation addressing criminal activities brought by computer technology (computer crimes). This Article will deal with the question of computer crime statutes: how they should be designedandwhattheyshouldinclude?Here,theaimofthisstudybecomesapparent;it intendstoseekoutthesoundestmethodtobefollowedinformulatingcomputercrimes statues.Toachievethisgoal,wearegoingtoshedlightoncomputercrimesinSectionBof this Article. Awareness of their types and natures is an indispensable step towards determining the sound legal treatment of such crimes. Section C of this Article will be devoted to computer crimes statutes. We will discuss the basic characteristics of such statutesandhowthelegislatormustdealwithcomputercrimeslegislatively.Thefocusof SectionDwillbeontheoffencesthatareuniquetothecomputer,astheseshouldbethe subjectofthelegislatorsattention.Giventhatthisstudyisacomparativeone,itexamines theexperimentsofmanycountriesthathavedealtwiththequestionofcomputercrimes legislatively, particularly those of European nations. The study of the European experimentswillincludebothnationalandcollectiveeffortsindealingwiththeproblem. B.UnderstandingComputerCrime 5 In this Section we will shed light on some general aspects of computer crimes , as these clarificationsarenecessaryforasoundunderstandingofcomputercrimes.Theseinclude thedefinitionsofcomputercrimes,theirtypesandcategoriesandthecomputercriminals themselves.Eachofthesesubjectswillbetreatedinseparatesubsections.

Douglas H. Hancock, To What Extent Should Computer Related Crimes Be the Subject of Specific Legislative Attention?,12AlbanyLawJournalofScience&Technology(Alb.L.J.Sci.&Tech.)97(2001),97;CarlaOttaviano, ComputerCrime,26IDEA:TheJournalofLawandTechnology(IDEA)163(19851986),167.
5

At present, several terms are used for naming misconducts relating computer and Internet including 'cybercrime', 'ecrime', 'digital crime' etc. See, RUSSEL G. SMITH ET AL, CYBER CRIMINALS ON TRIAL 5 (2004). For the purposeofthisArticle,Iwillmainlyusetheterm'computercrime'.

612
I.DefiningComputerCrimes

GermanLawJournal

[Vol.11No.06

The definition of any subject matter is an indispensable step towards any proper legal treatment of that subject. However, the problem of properly identifying and defining a 6 crimepresentsitselfeachtimeanewfieldoflawemerges. Whenacademicsfirstbeganto discuss the question of computer misuses, they soon found themselves face to face with this problem. As the United Nations Manual on the Prevention and Control of Computer Crimehasprescribed,[t]herehasbeenagreatdealofdebateamongexpertsonjustwhat constitutesacomputercrimeoracomputerrelatedcrime.Evenafterseveralyears,there 7 isnointernationallyrecognizeddefinitionofthoseterms. In 1989, expanding on work undertaken by the Organization for Economic Cooperation andDevelopment(OECD),theEuropeanCommitteeonCrimeProblemsoftheCouncilof Europe laid down a body of guidelines for national legislators concerning activities that should be criminalized. The Committee, however, simply discussed the functional characteristicsoftargetactivitieswithoutprovidingaformaldefinitionofcomputercrime, allowingindividualcountriestoadaptthefunctionalclassificationtotheirparticularlegal 8 systemsandhistoricaltraditions. Agreement upon a uniform definition of computer crime is helpful for both law 9 enforcementandindustryalike. Theresultsofasurveysenttoseveralstateprosecutorsin the United States on the subject of computer crime indicated significant disparities in 10 termsofwhatconstitutescomputercrime. Thesedisparitiesappeartoariseforseveralreasons.Foremostistheabsenceofanagreed upondefinitionofthecomputer,adefinitionalproblemattheforefrontoflegalscholars searchforaproperdefinitionofcomputercrime.WhentheUnitedStatesCongresspassed

See,supra,note3,782.

UNITED NATIONS COMMISSION ON CRIME PREVENTION AND CRIMINAL JUSTICE, INTERNATIONAL REVIEW OF CRIMINAL POLICY UNITED NATIONS MANUAL ON THE PREVENTIONAND CONTROLOF COMPUTER CRIME. ,8thCong.21(Vienna,April27May 6,1999),availableat:http://www.uncjin.org/Documents/irpc4344.pdf(lastaccessed12June2010).
8

Id,23.

CarolC.McCall,ComputerCrimeStatutes:AreTheyBringingtheGapbetweenLawandTechnology,11CRIMINAL JUSTICEJOURNAL(CRIM.JUST.J.)203(19881989),208.
10

Id,2089,citingD.PARKER,FIGHTINGCOMPUTERCRIME(1988),23644(1988).

2010] TheScopeandtheNatureofComputerCrimesStatutes
11

613

the first piece of federal legislation focusing directly on computer abuses , it defined a computerasanelectronic,magnetic,optical,electrochemical,orotherhighspeeddata processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunctionwithsuchdevice,butsuchtermdoesnotincludeanautomatedtypewriteror 12 typesetter, a portable hand held calculator, or other similar device. The definition, however, has been criticized by some computer experts in that [t]his limited definition failstorecognizethesubstantialchangesintechnologythathaveevolvedfrommainframe 13 to handheld computers. The United Kingdom legislation, the Computer Misuse Act 14 1990 , failed to define a computer at all; the Law Commission stated that all the attempted definitions that we have seen are so complex, in an endeavor to be all embracing, that they are likely to produce extensive arguments, and thus confusion for 15 magistrates,juriesandjudgesinvolvedintryingourproposedoffences. Anotherfactormightbethelackofcomprehensiveknowledgeabouttheproblemtogether with the legal and technical dimensions necessary to establish a proper definition. One commentatorhasaptlydescribedthisproblemassuch:[c]omputercrimewasanalogous totheproverbialemperorsclothes:everybodyproclaimeditwasthere,butnoonecould seeit.Thelittleextantdataestablishedthatsomesortofproblemexisted,butnoonehad 16 aclearideaofitsnatureorextent. Somelegalscholarshaveattemptedtoavoidaprecisedefinition.Inlieuofprovidingeven ageneraldefinition,theyhaveinsteaddependedonreferringasmuchaspossibletothe misusesattachedtothecomputerandInternet.Onesuchscholarwrites:[t]hisumbrella
11

CounterfeitAccessDeviceandComputerFraudandAbuseActof1984,Pub.L.No.98473,ch.21,98Stat.2190 (1984)(codifiedasamendedat18U.S.C.section1030(1988)).
12

Id,section1030(e).

13

See,supra,note9,208citingD. PARKER, FIGHTING COMPUTER CRIME 242(1988).See,however,supra,note2,461: "[t]headopteddefinitionof'computer''wasintendedtolimitthetypeofactivityprohibitedunderthe1984Act byexplicitlyexcludingautomatedtypewriters,typesetters,handheldcalculators,andothersimilardevices.This exclusion helped to ensure that the legislation did not prohibit conduct which Congress did not intend to proscribe."
14

Computer Misuse Act (1990), ch. 18, the full text of it is available http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm(lastaccessed14June2010).
15

at:

SteveShackelford,ComputerRelatedCrime:AnInternationalProbleminNeedofanInternationalSolution,27 TEXAS INTERNATIONAL LAW JOURNAL(TEX. INTL L.J.) 479(1992),491(citingTheLawCommission,WorkingPaperNo. 186,CriminalLawComputerMisuse23(1989)).

16

See,supra,note2,483.

614

GermanLawJournal

[Vol.11No.06

termcoversallsortsofcrimescommittedwithcomputersfromvirusestoTrojanhorses; from hacking into private email to undermining defense and intelligence systems; from 17 electronic thefts of bank accounts to disrupting web sites. In a similar vein, another commentator notes that [i]n general, computer crime consists of volitional, nonviolent 18 acts involving a computer. Yet another claims that the term computer crime usually means nothing more than the use of a computer to embezzle or steal money or other 19 property. Other legal scholars have argued that a broad definition should be adopted: because of thediversityofcomputerrelatedoffences,anarrowerdefinitionwouldnotbeadequate. Whilethetermcomputercrimeincludestraditionalcrimescommittedwiththeuseofa computer,therapidemergenceofcomputertechnologiesandtheexponentialexpansion oftheInternethavespawnedavarietyofnew,technologyspecificcriminalbehaviorsthat 20 mustalsobeincludedinthecategoryofcomputercrimes. TheUnitedStatesDepartmentofJusticehasdefinedcomputercrimeasanyviolationof criminal law that involves a knowledge of computer technology for their perpetration, 21 investigation, or prosecution. Of course, this definition is a broad one; it is indeed derived from the definition provided by Parker and Nycum, the authors of the first comprehensivestudyonthecomputercrimein1979.Accordingtothem,computercrime is any illegal act where a special knowledge of computer technology is essential for its 22 perpetration,investigation,orprosecution. Otherlaterandmoreobscuredefinitionsare 23 basicallydependentonthisseminaldefinition. However,thedefinitionintroducedbyJ.
17

NealKumarKatyal,CriminalLawinCyberspace,149UNIVERSITYOF PENNSYLVANIA LAW REVIEW(U. PA. L. REV.) 1003 (2001),1004.

18

RobertM.Couch,ASuggestedLegislativeApproachtotheProblemofComputerCrime,38WASHINGTONAND LEE LAWREVIEW(WASH.&LEEL.REV.)1194(1981),1175.

19

GaryJ.Valeriano,PitfallsinInsuranceCoveragefor"ComputerCrimes",59DEFENSECOUNSELJOURNAL(DEF.COUNS. J.)511(1992),511.
20

RobertDitzionetal.,ComputerCrimes,40AMERICANCRIMINALLAWREVIEW(AM.CRIM.L.REV.)285(2003),286.

21

Julie A. Tower, Hacking Vermont's Computer Crimes Statute, 25 VERMONT LAW REVIEW 945 (2001), 950 (citing National Institute of Justice, U.S. Department of Justice, Computer Crime: Criminal Justice Resource Manual 2 (1989)).
22

See,supra,note9,208citingS.NYCUM&D.PARKER,PROSECUTORIALEXPERIENCEWITHSTATECOMPUTERCRIMELAWS34 (1986).
23

See,JoAnnM.Adams,Comment,ControllingCyberspace:ApplyingtheComputerFraudandAbuseActtothe Internet, 12 SANTA CLARA COMPUTER & HIGH TECHNOLOGY LAW JOURNAL (SANTA CLARA COMPUTER & HIGH TECH L.J.) 403 (1996), 409 (defining computer crime as "those crimes where knowledge of a computer system is essential to committhecrime");BarryJ.Hurewitz&AllenM.Lo,ComputerRelatedCrimes,30AMERICAN CRIMINAL LAW REVIEW

2010] TheScopeandtheNatureofComputerCrimesStatutes

615

Soma in 1983 might be seen as one that is more welldeveloped. According to Soma, computercrimeistheuseofcomputeroritstechnologyasatargetoforatoolforillegal 24 purposes. The existing computer crime legal literatures produced in the last three decades indicate thatthegeneraltendency,forbothclarifyingthemeaningofcomputercrimeontheone handanddeterminingthebehaviorsthatconstitutecomputeroffencesontheother,was, and still is, the dependence on the categorization of computer related misuses more so thananyonespecificdefinition.Preciselythispredominanttendencywillformthesubject matterofthenextsubsection. II.TypesofComputerCrime Determining the types of unacceptable activities related to the computer is relevant because,aswillbeseeninsubsequentsectionsofthisarticle,thequalityoftheirlegislative treatment can only be as good as the original determination and classification of such activities. Abuses, misuses or crimes attached to computers take different and various forms. They are,however,classifiedinseveralwaysandaccordingtomorethanonecriterion.Onesuch classificationmakesuseoftwocategories:(1)crimeswhereacomputersystemitselfisthe target such as hacking, dissemination of viruses, and denial of service attacks; (2) traditionalcrimeslikefraud,theft,andchildpornographythatarefacilitatedandenabled 25 byacomputer. Thesecondclassificationsystemcategorizescomputercrimesintofourtypes;(1)theftof money,financialinstruments,property,services,orvaluabledata;(2)unauthorizedaccess tocomputertime;(3)illegaluseofcomputerprograms;and(4)unauthorizedacquisitionof 26 storeddata.
(AM. CRIM. L. REV.) 495(1993),496(definingcomputercrimeas"anyillegalactforwhichknowledgeofcomputer technologyisessentialforprosecution").
24

J. SOMA, COMPUTER TECHNOLOGY AND THE LAW 265 (1983). Cited by William S. Allred, Criminal Law Connecticut Adopts Comprehensive Computer Crime Legislation: Public Act 84206, 7 WESTERN NEW ENGLAND LAW REVIEW (W. NEWENG.L.REV.)807(19841985),810.
25

BrianC.Lewis,PreventionofComputerCrimeAmidstInternationalAnarchy,AMERICAN CRIMINAL LAW REVIEW(AM. CRIM. L. REV.) 1353(2004(,1355("Ingeneral,computercrimesarecrimeswhereacomputersystemitselfisthe target,whilecomputerenabledcrimeisatraditionalcrimelikefraudortheftthatisfacilitatedbyacomputer").

26

ElizabethA.Glynn,ComputerAbuse:TheEmergingCrimeandtheNeedforLegislation,12FORDHAM URBAN LAW JOURNAL(FORDHAMURB.L.J.)73(1984),745.

616

GermanLawJournal

[Vol.11No.06

Accordingtoonecommentator,therearefourbasictypesofcomputerrelatedcrimes:(1) theft of computer time and services; (2) theft of computer software or data; (3) theft of computerhardware,includingcomponentsthatmayconstitutetradesecrets;and(4)theft 27 ofpropertybytheuseofacomputer. AnotherclassificationsystemadoptedbytheUnitedStatesDepartmentofJusticeseemsto be particularly reliable and effective. This system separates computer crimes into three categoriesaccordingtothecomputersroleinaparticularcrime;first,thecomputermay be the object of a crime. This happens when the criminal launches an attack upon an individual computer or a network: [s]uch attacks may include unauthorized access to informationstoredonthecomputerorthetargetednetwork;theunauthorizedcorruption 28 ofthatinformation;ortheftofanelectronicidentity. Second,thecomputermaybethe subjectofacrime;thishappenswhenthecomputeristhephysicalsiteofthecrime,or 29 the source of, or reason for, unique forms of asset loss. Hacking and dissemination of viruses, worms, logic bombs and Trojan horses are some of the more common threats 30 posed when a computer is the subject of an attack. Finally, a computer could be the instrumentforperpetratingtraditionaloffences.Forexample,acomputercanbeusedto 31 steal credit card information, store and distribute obscenity , or distribute child pornography and other types of obscene materials through computers linked to the 32 Internet. Thecomputercanevenbeusedasaninstrumenttocommittraditionalviolent crimessuchashomicide.InNewZealand,forexample,twoprogrammerswereconvicted in 1980 of involuntary manslaughter when they caused an airliner crash that resulted in 33 257deathsthroughcriminalnegligenceinprogrammingflightnavigation.

27

See,supra,note19,512.

28

MichaelEdmundO'Neill,OldCrimesinNewBottles:SanctioningCybercrime,9GEORGE MASON LAW REVIEW(GEO. MASONL.REV.)237(2000),243.

29

LauraJ.Nicholsonetal,Comment,ComputerCrimes,37AM.CRIM.L.REV.207(2000),211. See,supra,note28,246249. Id.,242. Id.,249. See,supra,note9,204citingCausesofDC10CrashonErebus,ANTARCTIC(June1981),186.

30

31

32

33

2010] TheScopeandtheNatureofComputerCrimesStatutes
III.ComputerCriminals

617

34 Thereisnotypicalcomputercrimeandnotypicalmotiveforcommittingsuchcrimes. TheUNManualhasindicatedthatcomputercriminalscanvaryintermsofbothageand 35 skill level. They can be teenage hackers, disgruntled or fired employees, mischievous 36 technicians, or international terrorists. Some argue that computer offenders have morphed from mischievous, thrillseeking teenagers to criminals intent on making large 37 profits. Regarding possible motives, one commentator has identified six motives for committingcomputerrelatedcrimeswherecomputersaresubjectsorobjectsofcrime:(1) toexhibittechnicalprowess;(2)tohighlightvulnerabilitiesincomputersecuritysystems; (3)topunishorretaliate;(4)toengageincomputervoyeurism;(5)toassertaphilosophy 38 ofopenaccesstocomputersystems;and(6)tosabotage. Another topic of controversy is related to the typical skill level of the computer criminal; whilesomeadheretotheopinionthatskilllevelisnotanindicatorofacomputercriminal, others believe that potential computer criminals are bright, eager, highly motivated 39 subjectswillingtochallengethetechnology. Althoughthetypesofcrimesthatarerelatedtothecomputerinonewayoranotherare limitless, the perpetrators of computer crime form two distinct classes: insiders and 40 outsiders. The insider is anyone who has the same or similar access rights into a network, system, or application. Therefore, a trusted insider can be a current or former 41 employee, a contractor, consultant, service provider, software vendor, and so on. The
34

MichaelHatcher,ComputerCrimes,36AM.CRIM.L.REV.397(1999),400. See,supra,note7,34.

35

36

AdamG.Ciongoli,NinthSurveyofWhiteCollarCrime,ComputerRelatedCrimes,31AM.CRIM.L.REV.425(1994), 427.
37

XanRaskin&JeannieSchaldachPaiva,EleventhSurveyofWhiteCollarCrime,ComputerCrimes,33AM. CRIM. L. REV. 541(1996),n.7citingWilliamC.Flanagan&BrigidMcMenamin,ThePlaygroundBulliesareLearningHowto Type,Forbes(Dec.21,1992),184.

38

Anne W. Branscomb, Rogue Computer Programs and Computer Rogues: Tailoring the Punishment to Fit the Crime,16RUTGERSCOMPUTER&TECHNOLOGYLAWJOURNAL(RUTGERSCOMPUTER&TECH.L.J.)1(1990),2426.
39

See,supra,note7,33. See,supra,note15,482.

40

41

KENNETH C. BRANCIK, INSIDER COMPUTER FRAUD: AN INDEPTH FRAMEWORK FOR DETECTING AND DEFENDING AGAINST INSIDER ATTACKS1,4(2008).

618

GermanLawJournal

[Vol.11No.06

insiderwhothreatensthecompanyorthegovernmentagencyisbasicallyanyonewhohas accesstohightechnology,intellectualproperty,andothersensitiveinformationstoredin hightechnology equipments as well as input documents or output documents. They include, but are not limited to, auditors, security personnel, marketing personnel, accountants and financial personnel, managers, inventory and warehouse personnel, and 42 humanresourcestaff. By contrast, the list of outsider offenders includes hackers, vendors, exemployees, employeesofassociatedbusinesses,statesponsoredsuchasforeigngovernmentagents, customers, subcontractors, terrorists, contractors, external auditors, consultants, political 43 activists,criminalsingeneral,pressuregroupsandcommercialgroups. In the earlier days of the computer and prior to the internet, insider computer crimes predominated and perpetrators were generally computer specialists: programmers, 44 computer operators, data entry personnel, systems analysts, and computer managers. The advent of the Internet, however, soon made it possible to commit such crimes from outside a victimized computer. However, insider abuses of network access by employees 45 stillfaroutnumberabusesperpetratedbytheoutsider; onestudyindicatesthat90per cent of economic computer crimes are committed by employees of the victimized company. A recent survey in North America and Europe indicated that 73 per cent computer security risks are from internal sources and only 23 per cent can be traced to 46 external criminal activities. Some commentators, however, argue that the split is more even,rangingaround50percentforeach:[w]iththeintegrationoftelecommunications andcomputers,alongwiththeintegrationofgovernmentagenciesandbusinessesintothe Internet,threatsnowrepresentatleastanequalsplitbetweeninternalandexternalthreat agents50%internaland50%external.Theremayevenbeaslightedgetowardexternal threat agents because of todays reliance on the Internet and other corporate and 47 externallyconnectednetworks.
42

GERALDL.KOVACICH&ANDYJONES,HIGHTECHNOLOGYCRIMEINVESTIGATORSHANDBOOK28,9(2006).

43

Id.,31(indicatingthatoutsiderssharethesamemotivationsasinsidersinadditiontothefollowingmotivations: revengeofaformeremployee,competitorswantinginsideinformation,newemployeeswhoprovideinformation relativetotheirpreviousemployer,formeremployeecuriosityabouttheirpreviousaccessIDandpasswordstill being valid, political agenda, environmental activists attacking corporations who they believe are harming the environment,nationalisticeconomicpressures,espionageandinformationwarfare).Id.,32.
44

Id.,24. See,BERNADETTEH.SCHNELL&CLEMENSMARTIN,CYBERCRIMEAREFERENCEHANDBOOKXII(2004) See,supra,note7,35. See,supra,note42,26.

45

46

47

2010] TheScopeandtheNatureofComputerCrimesStatutes

619

Asonecommentatorhaspointedout,theinsider/outsiderdistinctionisrelevantbecause the method of entry followed by the person and type of misuse will often determine whether the law will come into play. For example, an insider who is an accountant with highlevel computer access can embezzle funds from his company more easily than an 48 outsider. Becauseinsidershavephysicalaccess,theycancopydatatoremovablemedia or to a portable computer, or perhaps even print it to paper and remove it from the 49 premises.Theycanchangetheformatofthedatatodisguiseit. Thesecapabilitiesarenot available to an outsider. An outsider may gain access to the system, but only in an unauthorized manner; he will draw attention to himself more quickly than will the 50 insider. To this we can add another legal consequence of the insider/outsider distinction. The traditional criminal laws always deal more severely with those who are on the same or similar footing as the insider in the realm of computer and electronic networks. Thus, criminalrecognitionofinsidercrimeisnothingnew;thetraditionalcriminallawregardedit as an aggravating circumstance even before the emergence of insider computer and Internetoffences.Thisisreflectedinsomeoftheoffencesrecognizedinsometraditional criminallawsystems.Forexample,facilitatingescapeofprisonersinGermanCriminalLaw isimprisonmentofnotmorethanthreeyearsorafine,butiftheoffenderisunderdutyas apublicofficialorapersonentrustedwithspecialpublicservicefunctionstopreventthe escapeoftheprisoner,thepenaltyshallbeimprisonmentofnotmorethanfiveyearsora 51 fine. Another example can be seen in the treatment of theft in Iraqi Penal Code; if the person perpetrating the offence is the servant of the master against whom the crime is committed,hewillreceiveamoreseverepunishmentthanwhathemightreceiveifhewas not a servant. The same rule applies to a worker in a factory, shop or a place where she 52 normally works. In light of these facts, when the legislator begins to lay down punishmentsfordifferenttypesofcomputerabuses,itisnecessarytoregardanyinsider crimeasanaggravatingcircumstancedeservingamoreseverepunishment.

48

See,supra,note15,482. DEBRALITTLEJOHNSHINDER,SCENEOFTHECYBERCRIME:COMPUTERFORENSICSHANDBOOK289(2002). See,supra,note15,482. See,GermanCriminalLaw(StGB),Section120. See,IraqiPenalCode(1969),article444(6).

49

50

51

52

620
C.ComputerCrimesStatutes

GermanLawJournal

[Vol.11No.06

Prior to the existence of computer crime statutes, traditional criminal laws were manipulated to accommodate new technology. Applying traditional criminal law to computercrimeresultedingreaterexpenseintheprosecutionofoffencesonlyremotely 53 related to the real nature of the acts committed , and prosecutors faced difficulties in 54 submitting computer related misconducts to traditional criminal provisions. These problems and difficulties led to a consensus on the need for legislative intervention providing specific computer crimes legislation suited to confronting this new type of 55 criminal activity. At this point, the crucial questions revolved around the scope of such interventionontheonehand,andthenatureofsuchcomputercrimeslegislationonthe 56 other. These questions will be subjected to a more detailed discussion in following the subsections. I.TheScopeofLegislativeInterference The scope of legislative intervention in any field depends mainly upon the nature of the problemsarisingfromthesubjectinquestion.Legislativeinterventionmaynotachievethe desiredresultifnotbasedonawellgroundedunderstandingofthesocial,economicand technicalaspectsofthesubjectinwhichthelegislatorintervenes. AsseeninSectionBofthisArticle,crimeslinkedtocomputersaremultitudinousandcan beclassifiedintoseveralcategories.Themostacceptableclassificationdistinguishescrimes accordingtotherolethatacomputermightplayinaparticularcrime.Accordingtothese criteria, computer crimes are divided into three categories; first, crimes where the computer is the object; second, crimes where the computer is the subject of a crime; andthirdly,crimesinwhichthecomputerisbutaninstrumentforperpetratingtraditional
53

See,supra,note9,223. See,supra,note4,163.

54

55

See,supra,note26,99100;ShannonL.Hopkins,CybercrimeConvention:APositiveBeginningtoaLongRoad Ahead,2JOURNALOF HIGH TECHNOLOGY LAW(JHTL)101(2003),1023("Currentcriminallawsareunabletorespond quicklytotherapidchangesinInternettechnology").

56

See,supra,note3,795("Becauseofalackofpreviousexperienceindealingwithcomputercrimeandadearth of reliable statistics upon which to base informed opinions, legislators, computer crime experts, and computer technologistsfindthemselvesdifferingsharplyonthebestlegislativeapproachtotheproblem.Theydisagreeon whether to enact completely new legislation or to amend existing laws, and whether support federal or state legislation,orboth").

2010] TheScopeandtheNatureofComputerCrimesStatutes
57

621

offences. Thequestionhereiswhetheritisnecessaryforthelegislatortocriminalizeall kindsofsuchcrimes? The majority of legal scholars confirm that new criminal provisions are needed to cover only those crimes that are unique to computers themselves. Other crimes in which the computer is used solely as the instrument of perpetration are either covered by existing 58 criminal provisions or can be covered by simple amendments of such provisions. According to one commentator writing on Michigans computer crime laws: [w]hile the Internet presents new problems for fighting crime, prosecutors should not be deterred fromchargingtraditionalcrimescommittedthroughtheuseofacomputerusingexisting Michigan laws. Laws on communications offences, obscenity, solicitation of minors and childpornography,salesofcontrolledsubstances,fraud,andothercrimes,areavailableto 59 prosecutecrimescommittedovertheInternet. Inthelightofthesefacts,thefirstandmostcrucialtaskforlawmakersistodetermineand identifywhichcrimesaretrulyuniquetothecomputer.Theprecisedeterminationofthese crimes will be explored further in Section D of this Article, but at this point it is only necessary to point out some examples of computer crime statutes in jurisdictions where thelegislatorshavenotbeensuccessfulintheirintervention. Looking at the United Arab Emirates (UAE) Law on The Prevention of Information TechnologyCrimes(2006),wediscoverthatratherthanapplyingthecriteriadevelopedby legalscholars,manyactsthatarenotuniquetothecomputerhavebeencriminalizedand subjectedtoexistingcriminalprovisionsstipulatedintheFederalPenalLaw.Forexample, Article 8 of the law criminalizes the act of eavesdropping communications transmitted 60 across the Internet or through an information technology device , despite the fact that eavesdropping is not unique to computers nor its related devices and could feasibly be submittedtoArticle380oftheFederalPenalLawNo.3of1987.Further,Article9ofthe law criminalizes blackmail and the issuance of threats through the Internet or an
57

See,supra,notes2533,andaccompanyingtext.

58

See, e.g., supra, note 15, 500 ("The proper focus of computerrelated crime statutes should be those crimes that are unique to computers themselves, not crimes that are facilitated or furthered through the use of a computer."); Stephen P. Heymann, Legislating Computer Crime, 34 HARVARD JOURNAL ON LEGISLATION (HARV. J. ON LEGIS.) 373(1997),380("Forthemostpart,thefederalcriminalcourtalreadyadequatelycoverscrimes,suchas thebankteller'sembezzlement,inwhichacriminalusesacomputermerelyasatool").
59

PatrickCorbett,Michigan'sArsenalForFightingCybercrime:AnOverviewofStateLawsRelatingtoComputer Crimes,79MICHIGANBARJOURNAL(MICH.B.J.)656(2000),657.
60

Article8ofLawonThePreventionofInformationTechnologyCrimesstipulatesthat"anyonewhointentionally and unlawfully eavesdrops, receives or intercepts communication transmitted across the Internet or an informationtechnologydeviceshallbeliabletoimprisonment,afineorboth".

622

GermanLawJournal
61

[Vol.11No.06

information technology device even though Articles 351 and 352 of UAE Penal Law are quitesuitableforprosecutingsuchcriminalacts.TheseexamplesindicatethattheLawon The Prevention of Information Technology Crimes has created many cases of conflicting criminal provisions. The same is true of the Law on Preventing Misuse of the CommunicationEquipmentsNo.6of2006,promulgatedintheIraqiKurdistanRegion.Ina comprehensivestudyconductedbytheauthorofthisArticle,ithasbeenfoundthatalmost allactsthathavebeencriminalizedbythislawwerealreadycriminalizedbytheIraqiPenal 62 Code (1969) nearly forty years ago. For example, the law criminalizes the act of intentionally disturbing others through the exploitation of a cellular phone, any kind of cable or wireless communications equipment, or the Internet or electronic mail, even 63 thoughtheseactshavebeencriminalizedbyarticle363ofIraqiPenalCodesince1969. However,thelegislatorsmissiondoesnotcometoanendsimplybycreatingnewcriminal provisions criminalizing offences unique to the computer. Any intervention must also amend existing criminal laws. This is necessary for addressing two kinds of cases: firstly, thoseinwhichthecomputermakestheperpetrationoftraditionalcrimeseasier,ormore dangerous, compared to traditional perpetrations. Secondly, criminal laws should be amended where intangible properties related to the computer come under threat by criminalactivities. Regardingthefirstclassofcases,theexperienceofthepastthreedecadesdemonstrates thatthecomputerhasenhancedtheabilityofcriminalsinimplementingcriminalprojects in many ways. For instance some traditional crimes, originally only possible through the cooperationofseveralindividuals,arenow,inthecomputerera,easilyundertakenbya 64 single person who is capable of completing his criminal project from inside a home or 65 work office possibly located thousands of miles away from the victims location. Experience also demonstrates that the utilization of the computer in the perpetration of sometraditionalcrimesresultsinmoredangerousconsequences.Forexample,spreading
61

This article provides that "anyone who uses the Internet or an information technology device to threaten or blackmailanothertoactornotactshallbeliabletoimprisonmentforupto2yearsandafinenotexceedingAED 50,000oreither.Ifthreatisusedtoinducethecommissionofafelonyorcausedefamation,thepenaltyshallbe imprisonmentforupto10years".
62

See, Rizgar M. Kadir, Remarks on the Law on Preventing Misuse of the Communication Equipments No. 6 of 2006,35TARAZUACADEMICJOURNAL,105(2008).
63

Article363ofIraqiPenalCode(1969)providesthat"Anypersonwhointentionallydisturbsotherbytheabuse ofcableorwirelesscommunicationsequipmentispunishablebyaperiodofimprisonmentnotexceeding1year plusafinenotexceeding100dinarsorbyoneofthosepenalties".

64

See,supra,note17,1006. See,supra,note5,48.

65

2010] TheScopeandtheNatureofComputerCrimesStatutes

623

onecomputervirusmighthitmillionsofcomputersaroundtheworldandcausebillionsof 66 dollars in damages. As such, legislators must intervene and consider the use of the computer in such crimes as an aggravating circumstance and increase the penalties 67 attached. The notion of increasing punishment in some kinds of situations, known in the field of criminallawasaggravatingcircumstances,isnotanewoneandhasbeenadoptedbythe penal codes in most countries around the world. One example of this is provided by the offenceoftheftintheGermanCriminalCode;thepunishmentprescribedforsimpletheftis atermofimprisonmentnotexceedingfiveyearswiththepossibilityofsubstitutingitfora 68 fine , while the punishment for a theft in which the perpetrator uses counterfeit keys 69 mightbeatermofimprisonmentnotexceedingtenyears. Inthesamecontext,German legislatorshavelaiddownmoreseverepunishmentforrobberywhentheoffendercarries aninstrument,weaponormeansforovercomingtheresistanceofanotherpersonbyforce 70 orthethreatofforce. There are also examples in which the legislator has increased the punishment where the criminalactresultsinmoredangerousconsequences.Theoffenceofsexualassaultbyuse offorceorthreatsintheGermanCriminalCodeisjustonesuchexample;itispunishedby 71 atermofimprisonmentnotlessthanoneyear ,butthepenaltyshallbeimprisonmentfor life or not less than ten years if the offender, through sexual assault or rape, causes the 72 deathofthevictimbygrossnegligenceatminimum. Asforthesecondclassofcases,itisapparentthatthecomputerhasusheredinanewtype of private property taking the form of intangible objects or electronic impulses such as computerdataandprograms.Giventhattheprovisionsoftraditionalsubstantivecriminal
66

SeeEricJ.Sinrod&WilliamP.Reilly,CyberCrime:APracticalapproachtotheApplicationofFederalComputer CrimesLaw,16SANTACLARACOMPUTER&HIGHTECH.L.J.177(2000),218.
67

See also, supra, note 21, 974 ("[T]he legislature might consider tying sentences to the gravity of the offense, using the value of data lost, stolen, or damaged as one factor, rather than as the sole factor in determining punishment"); Katyal, supra, note 17, 1076 ("Penalties would need to be revised as well, insofar as they were designedforanageinwhichcrimesweretoughertosolve").
68

See,supra,note51,Section242(1). Id.,Section243(1). SeeId.,Sections249(1)and250(1)(b). Id.,Section177(1). Id.,Section178.

69

70

71

72

624

GermanLawJournal

[Vol.11No.06

lawweredraftedlongbeforetheinventionofcomputers,thelanguageofsuchprovisions was too narrow to encompass violations directed at the new types of property that 73 emerged with the computer. When computer crimes statutes had yet to be enacted, prosecutorsinmanycountries,whendealingwiththedestruction,sabotagingorcopying ofacomputerprogram,facedrealdifficultiesinsubmittingviolationstoexistingtraditional 74 criminal provisions related to theft, extortion or larceny. The earlier prosecutions of computercrimedemonstratejusthowfarprosecutorstriedtostretchthelawtomeetnew circumstances. In the United Kingdom where Computer Misuse Act 1990 was not yet in force, the accused gained unauthorized access to a computer network and altered data contained on disks in the system. He was charged with damaging property under the CriminalDamageAct1971.Theprosecutionfacedaformidablechallenge,astheCriminal DamageActrequiredproofofdamagetotangibleproperty.Theprosecutionclaimedthat thedisksanditsmagneticparticlescontentswereoneentity,andbyalteringthestateof the magnetic particles, the perpetrator damaged the disks themselves. The accused was convictedattrial,andappealed.Theappealscourtaffirmedtheconviction,holdingthatit was sufficient to prove that tangible property had been damaged, not that the damage itselfwastangible.Damagewasdefinedbroadlytoembracethetemporaryimpairmentof 75 value or usefulness. Similarly, in the United States some courts have broadened the statutesreachbyincludingcomputerdataasathingofvalue,thusbringingthecommon 76 crimeofdatatheftwithinthe[federaltheft]statutesscope. Inlightofallthesefacts,thesecondareaoflawthatmustbeamendedbylegislatorsisthat relatedtotheintangibleanduniquenatureofcomputerizedproperties. II.TheNatureofComputerCrimeStatutes Wewillnowturnourattentiontothenatureofcomputercrimestatutesandthemethods that legislators might adopt in providing the legal system of their countries with new substantivecriminalprovisionsenactedspecificallyforcombatingcomputercrimes. The experience of countries where computer criminal provisions have been enacted indicatesthatthelegislatorpossessestwooptionsindealingwiththesubjectinquestion.
73

See,supra,note4,163.

74

See Id., 163 ("An overview of the case law dealing with crimes involving computers indicates that the courts havehaddifficultyidentifyinganddefiningthe"res"elementinthesecases").
75

See,supra,note5,41.

76

JohnMontgomery,ComputerCrime,WhiteCollarCrime:FourthSurveyofLaw,24AM. CRIM. L. REV.429(1987), 43031.

2010] TheScopeandtheNatureofComputerCrimesStatutes

625

First, legislators might include the aforementioned criminal provisions in one separate codeasonespecificcomputercrimestatute.Someleadingindustrializedcountriesinthe world, such as the United Kingdom and United States, have pursued this strategy by adoptingComputerMisuseActin1990andCounterfeitAccessDeviceandComputerFraud and Abuse Act of 1984 respectively. A similar method has also been adopted by other countriesintheworldincludingMalaysia,whichenactedComputerCrimesActin1997,and The United Arab Emirates, which enacted The Federal Law on The Prevention of InformationTechnologyCrimesin2006. The second option is inserting the substantive criminal provisions related to computer crimesintotheexistingpenallawofthecountry.Thisstrategyhasbeenadoptedbymany 77 78 79 80 countries in the world such as Germany , Denmark , France , Switzerland and 81 Canada. Each method has its own advantages and disadvantages: inserting the new criminal provisionsintotheexistingpenallawpreservestheunityofsubstantivecriminallawofthe countryinonecodeandpreventsthedispersionofcriminalprovisionsintomanyseparate laws. This method is also more useful for courts, prosecutors, legal scholars and even ordinary people as they keep the substantive criminal provisions related to computer crimeseasilyaccessible.Ontheotherhand,theinclusionoftheaforementionedcriminal provisionsinoneseparatecodeasaspecificcomputercrimestatuteprovidesatleastone important benefit, in that it would create public awareness of computer crime, a factor oftenrecognizedasoneofthekeymeansfordeterringcomputercrime.

77

SeeStGB,Sections202a,202band202c.Section202chasbeenimplementedbythe41stamendmenttoStGB andcameintoeffecton11August2007.The41stamendmentalsoamendedSections202a,202b,303aand303b ofStGB,whichinsubstancecriminalizeillegalaccessto,andinterceptionandinterferenceofdataandsabotageof computersystemsandsomakeupthecorecomputercrimes.DennisJlussi,HandlewithCareButDontPanic, Criminalisation of Hacker Tools in German Criminal Law and Its Effect on IT Security Professionals, has been implementedbythe41stamendmenttoStGBandisineffectasofAugust11,2007.The41stamendmentalso amended Sections 202a, 202b, 303a and 303b of StGB, which in substance criminalize illegal access to, and interceptionandinterferenceofdataandsabotageofcomputersystems.DennisJlussi,HandleWithCareBut Dont Panic, Criminalisation of Hacker Tools In German Criminal Law and Its Effect on IT Security Professionals, EICARNewsletter, (May 2008), 3, available at: http://www.eicar.org/press/infomaterial/Eicarnews_Mai_2008_fnl.pdf(lastaccessed14June2010).
78

See,DanishPenalCode,Section263.

79

See,FrenchPenalCode(1994),articles3231to3233.Thesearticleshavebeeninsertedtothecodeduringthe periodof20002004.
80

See,SwissPenalCode,article143bis. See,CriminalCodeofCanada,article342.1.

81

626

GermanLawJournal

[Vol.11No.06

D.SubstantiveComputerOffences This section will be devoted primarily to the determination and identification of those crimesthatareuniquetothecomputer.Thisstepisnecessaryforlegislatorsbecauseitwill pave the way for successfully enacting specific computer crime legislation in the field of substantivecriminallaw. Theexperienceofbothcountriesthathaveenactedspecificcomputercrimelegislationand international conventions related to computer crimes indicates four basic substantive computeroffences:unauthorizedaccess,unauthorizedaccesswithintentiontocommita furtheroffence,intentionalunauthorizedmodificationoffence,andmisuseofdevices.To this effect, the United Nations Information Economy Report states that [t]he computer integrityactivitiesaddressedintheinternationalinstrumentscanbebroadlyclassifiedinto four categories: offences concerning access to data and systems; offences relating to interference with data and systems; offences concerning the interception of data in the courseoftheirtransmission;offencesconcerningtheuseoftoolsordevicestocarryout 82 anyoftheaboveacts. The discussion of the above mentioned offences and determining their precise elements are beyond the scope of this Article. However, we will examine a general description of eachofthembelow. I.TheUnauthorizedAccessOffence The most common illegal conduct and the one most unique to the computer is unauthorized access. It occurs whenever an actor achieves entry into a targets files or programswithoutpermission.Theactormaybeapersonoranothercomputer,andthe access may be achieved electronically (through passwords and other mechanisms) or physically (by, for example, breaking into a file cabinet and stealing a personal 83 identificationnumber(PIN)). AstheUNManualhasstated,theentryortheaccessis oftenaccomplishedfromaremotelocationalongatelecommunicationnetwork,byoneof severalmeans.Theperpetratormaybeabletotakeadvantageoflaxsecuritymeasuresto 84 gainaccessormayfindloopholesinexistingsecuritymeasuresorsystemprocedures.

82

UNITED NATIONS CONFERENCE ON TRADE AND DEVELOPMENT (UNCTAD), INFORMATION ECONOMY REPORT, 235 (2005), availableat:http://www.unctad.org/en/docs/sdteedc20051_en.pdf(lastaccessed12June2010).
83

See,supra,note17,1021. See,supra,note7,75.

84

2010] TheScopeandtheNatureofComputerCrimesStatutes

627

In some countries where specific legislation on computer crimes has been enacted, the mere unauthorized access to a computer has been regarded as a crime in and of itself regardlessofthemotivetheintrudermayhaveortheamountofdamagetothecomputer oritscontents.Accordingly,apersonwhoknowinglyandintentionally,andwithoutlawful authority, accesses any computer, computer system, computer network, computer software, computer program, or data contained in such a computer, computer system, computer program, or computer network shall be subjected to criminal liability. For example, Section One of the United Kingdoms legislation deems a person knowingly causingacomputertofunctionwiththeintentofgainingunauthorizedaccesstoprograms or data on the computer as criminal behaviour, regardless of whether the intent was 85 directed at any specific data or program contained on any particular computer. The 86 United States Computer Fraud and Abuse Act of 1986 similarly makes it a felony to knowingly access a computer without authorization and with intent or reason to believe that the information obtained would be used to injure the United States or to benefit a 87 foreign country. Malaysias Computer Crimes Act (1997) criminalizes any intentional accesstoacomputerwithoutauthorizationregardlessofwhetherthesecuritymeasures, suchaspasswordprotections,areinfringedinordertogainaccesstothecomputer.One commentator regards this as a bold and decisive statement of Malaysias intolerance of 88 hackingandwillundoubtedlyreassurepotentialinvestors. Inothercountries,themereunauthorizedaccessinandofitselfisnotconsideredacrime; theGermanCriminalCodepunishesunauthorizedaccessonlyincaseswheretheaccessed 89 dataareprotectedbysecuritymeasures .Similarly,insomejurisdictionstheperpetrator 90 91 hastohaveharmfulintentions,asisthecaseinFrance andCanada.

85

See,supra,note14. Pub.L.No.99474,100Stat.1213(codifiedasamendedat18U.S.C.1030(1988)) See,Subsection1030(a)(1)ofComputerFraudandAbuseActof1986,18U.S.C.

86

87

88

Donna L. Beatty, Malaysia's "Computer Crimes Act 1997" Gets Tough on Cybercrime But Fails to Advance the DevelopmentofCyberlaws,7PACIFICRIMLAW&POLICYJOURNAL(PAC.RIML.&POLYJ.)351(1998),359.
89

See, supra, note 51, Section 202a(1) which reads in full: "[w]hosoever unlawfully obtains data for himself or another that were not intended for him and were especially protected against unauthorised access, if he has circumventedtheprotection,shallbeliabletoimprisonmentofnotmorethanthreeyearsorafine".TheEnglish version is from Prof. Dr. Michael Bohlanders translation of StGB. Full text of this version is available at: http://www.gesetzeiminternet.de/englisch_stgb/index.html(lastaccessed12June2010).
90

See,FrenchPenalCode,article323(1). See,CriminalCodeofCanada,article342.1(1).

91

628

GermanLawJournal

[Vol.11No.06
92

On the international level, Article 2 of the EC Convention on Cybercrime , labels this offenceasillegalaccess,andobligatesitspartiestocriminalizeaccesstothewholeorany partofacomputersystemwithoutright,leavingittothenationallegislaturestorequire, asanelementofthecrime,thatthecrimebecommittedbyinfringingsecuritymeasures with the intent of obtaining computer data or other dishonest intent either directly or 93 throughacomputersystemconnectedtoanothercomputersystem. Unauthorized access should be recognized as a standalone criminal offence for many strong justifiable reasons. On this point, the Explanatory Report to the Convention on Cybercrime states that [i]t may lead to impediments to legitimate users of systems and data and may cause alteration or destruction with high costs for reconstruction. Such intrusionsmaygiveaccesstoconfidentialdata(includingpasswords,informationaboutthe targetedsystem)andsecrets,totheuseofthesystemwithoutpaymentorevenencourage hackers to commit more dangerous forms of computerrelated offences, like computer 94 relatedfraudorforgery. II.UnauthorizedAccesswithIntentiontoCommitaFurtherOffence 95 This offence is more serious than the former . Accordingly, it deserves more severe punishment. This offence occurs whenever an actor facilitates the commission of certain offences or commits unauthorized access in order to commit certain offences. Since this offenceismoreserious,thepenaltyuponconvictioninBritishlegislationisuptofiveyears 96 inprison,afine,orboth.

92

CouncilofEuropeConventiononCybercrime,23November2001,C.E.T.S.No.185,concludedandopenedfor signature, entered into force Jul. 1, 2004, available at: http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm(lastaccessed14June2010).
93

Article 2 reads in full: "[e]ach Party shall adopt such legislative and other measures as may be necessary to establishascriminaloffencesunderitsdomesticlaw,whencommittedintentionally,theaccesstothewholeor any part of a computer system without right. A Party may require that the offence be committed by infringing security measures, with the intent of obtaining computer data or other dishonest intent, or in relation to a computersystemthatisconnectedtoanothercomputersystem".
94

Explanatory Report to the Convention on Cybercrime, no. 44, http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm(lastaccessed14June2010).

95

available

at:

See,supra,note15,498.

96

See,supranote17,section2(5)(b).ThepenaltyfortheUnauthorizedAccessOffenseisafine,uptosixmonths prison,afine,orboth.Id.,section1(3).

2010] TheScopeandtheNatureofComputerCrimesStatutes
III.TheIntentionalUnauthorizedModificationOffence

629

This crime occurs whenever an actor does any act that he or she knows will cause the unauthorizedmodificationofaprogramordata.Thisconductislabeleddatainterference and regarded as another standalone offence by Article 4 of Convention on Cybercrime. Paragraph1oftheArticleprovidesthat[e]achPartyshalladoptsuchlegislativeandother measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the damaging, deletion, deterioration, alteration or suppressionofcomputerdatawithoutright. Theaimofcriminalizingthisconductistoprovidecomputerdataandcomputerprograms withprotectionsimilartothatenjoyedbycorporealobjectsagainstintentionalinflictionof 97 damage , and the legal interest to be protected is the integrity and the proper 98 functioningoruseofstoredcomputerdataorcomputerprograms. Paragraph2ofthe same Article allows States party to the Convention to enter a reservation concerning the 99 offenceandtheoptionforrequiringthattheconductresultinseriousharm. AccordingtotheComputerMisuseAct(1990),itisacrimetoundertakeanyactthatwill knowinglycausethemodificationofaprogram,eveniftheactordoesnottargetaspecific 100 computer,setofdata,orprogram. However,theactorsintentneednotbedirectedat anyparticularcomputer,program,ordata,norconcernedwithanyparticularmodification 101 thereof. IV.MisuseofDevices Despitethefactthatthethreeoffencesdiscussedabovearethebasicsubstantiveoffences and, taken in combination, cover the vast majority of crimes specific to computers and 102 computer technology , it is nevertheless a prudent preventative measure to criminalize
97

See,supra,note94,no.60. Id.

98

99

Paragraph2providesthat"aPartymayreservetherighttorequirethattheconductdescribedinparagraph1 resultinseriousharm".
100

See,supra,note14,Section3.

101

Id.,Section3(3). See,supra,note15,499.

102

630

GermanLawJournal

[Vol.11No.06

misuses of devices usually used in the perpetration of most computer crimes. These criminalizations are intended to address those who supply or possess tools used to 103 interceptcommunicationsoraccessorinterferewithdataorsystems. TheExplanatory Report has aptly described the purpose of such criminalization in stating that the commission of these offences often requires the possession of means of access (hacker tools) or other tools, there is a strong incentive to acquire them for criminal purposes which may then lead to the creation of a kind of black market in their production and distribution. To combat such dangers more effectively, the criminal law should prohibit specific potentially dangerous acts at the source, preceding the commission of offences 104 underArticles25. Such criminalization might include the production, sale, procurement for use, import, distribution and making available of any of such devices including computer programs 105 designedoradaptedprimarilyforthepurposeofcommittinganycomputercrime. The wording of criminal provisions related to the misuse of devices mentioned above presents a real challenge to lawmakers as they face the traditional problem of dualuse, whichoccursfrequentlyincriminallaw.Dualuseoccurswhenbroadcategoriesofaction are neither inherently bad nor inherently good, or whenever a technology can be used both for legitimate ends and for criminal purposes. The difficulty in dealing with such actions and technologies legislatively lies in the need of encouraging technological 106 innovationwhilesimultaneouslydiscouragingitsmisapplication. The drafters of the Convention on Cybercrime faced the same problem when wording ArticleSixoftheconventiondevotedtocriminalizationofmisusedevices.Theydebatedat length and considered four alternatives in dealing with the problem; first, restricting the devices to those which are designed exclusively or specifically for committing offences, thereby excluding dualuse devices. This alternative, however, was considered to be too narrow: it could lead to insurmountable difficulties of proof in criminal proceedings, rendering the provision practically inapplicable or only applicable in rare instances. The second alternative was the inclusion of all devices even if they are legally produced and distributed, but this was also rejected. The third alternative was the reliance on the subjective element of the intent of committing a computer offence, but this was also rejectedgiventhatithadnotbeenadoptedinotherareassuchasmoneycounterfeiting.
103

See,supra,note82,236. See,supra,note94,no.71. See,e.g.,supra,note51,Section202centitledActspreparatorytodataespionageandphishing. See,supra,note28,266;supra,note17,1050.

104

105

106

2010] TheScopeandtheNatureofComputerCrimesStatutes

631

The fourth alternative, which was lastly adopted as a reasonable compromise, was restricting the scope of the Convention to cases where the devices are objectively designed, or adapted, primarily for the purpose of committing an offence. The drafters 107 believedthatthisalonewouldservebesttoexcludedualusedevices. E.Conclusion Computer related misconduct began to appear shortly after the beginning of the widespread use of computer technology in Western societies. When computer crime statutes had yet to be enacted, computer crimes were subjected to traditional criminal laws, a policy that resulted in greater expense and other considerable difficulties. These problems and difficulties paved the way for the emergence of a consensus calling for legislatorstointerveneandenactspecificcomputercrimelegislationsuitedtoconfronting thisnewtypeofcriminalactivity.Manycountriesintheworldrespondedbyenactingnew criminallegislationandmanyothersareontheirwaytotakesimilarlegislativesteps. Inorderforthelegislativeinterventiontobesoundandsuccessfulthereshouldbe,onthe part of those preparing and discussing legislative proposals and drafts, a solid understanding of the social, economic and technical aspects of the problems and misconducts attached to the computer and the Internet. Without this foundational understanding,thenewcriminalprovisionsmightresultinnegativeconsequences. Particularly,twomajorquestionsshouldbeadequatelyaddressedbylegislators;thescope oflegislativeinterventionandthenatureofcomputercrimelegislationenacted.Regarding thefirstquestion,newcriminalprovisionsareneededonlytocoverthosecrimesthatare uniquetocomputersthemselves.Theseincludeunauthorizedaccess,unauthorizedaccess with intention to commit a further offence, intentional unauthorized modification offences, and misuse of devices. Other crimes in which a computer is used simply as an instrument for perpetration are either covered by existing criminal provisions or can be coveredbysimpleamendmentsofsaidprovisions.
107

See,supra,note94,no.73.Paragraph(1)ofthearticle6oftheConventionhasbeenformulatedasfollowing "EachPartyshalladoptsuchlegislativeandothermeasuresasmaybenecessarytoestablishascriminaloffences underitsdomesticlaw,whencommittedintentionallyandwithoutright:a.theproduction,sale,procurementfor use,import,distributionorotherwisemakingavailableof:(i)adevice,includingacomputerprogram,designedor adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through5;(ii)acomputerpassword,accesscode,orsimilardatabywhichthewholeoranypartofacomputer systemiscapableofbeingaccessed,withintentthatitbeusedforthepurposeofcommittinganyoftheoffences establishedinArticles2through5;andb.thepossessionofanitemreferredtoinparagraphsa.ioriiabove,with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Partymayrequirebylawthatanumberofsuchitemsbepossessedbeforecriminalliabilityattaches".

632

GermanLawJournal

[Vol.11No.06

Thesecondstepthatshouldbetakenbylegislatorsistheamendmentofexistingcriminal lawswithanaimtocovertwokindsofcases:firstly,casesinwhichthecomputerisusedas an instrument for committing known traditional crimes, making the perpetration of such crimes easier or resulting in more dangerous consequences compared to their more traditional forms. Secondly, cases in which intangible digitized property comes under threatfromcriminalactivities. While many countries in the world have soundly followed such a method in dealing with computerrelatedmisconductslegislatively,othershavefailedtodoso.Insomecountries, the legislator has criminalized some criminal conducts that have long since been criminalized by that countrys penal code. This creates conflict between criminal provisions,posingproblemstoprosecutorsandcourtsalike. Regarding the nature of computer crime statutes, the legislator is presented with two options.Thefirstistheinclusionoftheaforementionedcriminalprovisionsinoneseparate codeasonespecificcomputercrimestatute.Thesecondisinsertingsubstantivecriminal provisionsrelatedtocomputercrimesintotheexistingpenallawofthecountry.Whilethe firstmethodpreservestheunityofsubstantivecriminallawofthecountryinonecodeand prevents the dispersion of criminal provisions into many separate laws, the second one would,bycontrast,createmuchneededpublicawarenessofcomputercrime.