Computer Chrime - Current Practices, Problems and Proposed So

8/6/2019 Computer Chrime - Current Practices, Problems and Proposed So

1/53

Computer Crime:

Current Practices, Problems and Proposed Solutions

Second DraftBrian J. Peretti

It would have been surprising if there had been satisfactoryroad traffic legislation before the invention of the wheel, butit would also have been surprising if the law on the passage ofladen donkeys proved entirely satisfactory when applied tovehicles.1

I. IntroductionWithin recent years, computer crime has become a

preoccupation with law enforcement officials. In California, agroup of West German hackers2 using phone lines and satellitehookups, gained unauthorized access into civilian and military

computers and stole sensitive documents that were sold to theSoviet Union.3 A young New York programmer broke into aWashington computer to run a program that he could not run fromhis personal computer.4 After Southeastern Bell Stated that adocument published in an electronic publication5 was valued atmore than $75,000 the publisher was arrested and brought to trialbefore the discovery that the document could be publicly boughtfrom the company for $12.6 The Chaos Computer Club, a Hamburg,Germany, club, went into government computers and accessinformation and gave it to reporters.7 In May, 1988, the UnitedStates government launched Operation Sun Devil, which lead to theseizure of 23,000 computer disks and 40 computers.8 Inaddition, poor police performance9 has also been blamed on

computers.Since its creation, the computer has become increasing

important in society.10 The law, as in the past, has not beenable to evolve as quickly as the rapidly expandingtechnology.11 This lack of movement on the part of governmentsshows a lack of understanding with the area. The need to createa comprehensive regulation or code of ethics has becomeincreasing necessary.

Due to the nature of computer systems and theirtransnational connections through telephone lines12, anindividual state's action will only stop the problems associatedwith computer crime if many states join together. The patchwork

of legislation that exists covers only a small part of theproblem. To adequately address computer crime, greater effortsmust be made within the computer community to discourageunauthorized computer access, countries must strengthen and

co-ordinated their computer related laws, as well as properenforcement mechanism created, computer program copyright laws beenhanced and computer systems should be created to allow thosewho wish to explore computer systems which will not disrupt theusers of computer systems.

This paper will first set out a definition of computer crimeand why laws or regulation by the computer community must becreated. Section II will then discuss the United States lawconcerning computer crime and why it needs to be strengthened.

Section III will discuss the proposed Israeli computer crimebill, Britain's Computer Misuse Act and Ghana's proposed law.Section IV will discuss what can be done by both the government


2/53

and computer owners and users to make computer crime lesspossible.

II. Computer crimeThe definition of what constitutes a computer crime has been

the subject of much controversy. A computer crime has been

defined as "any illegal act for which knowledge of computertechnology is used to commit an offense."13 The typicalcomputer criminal has been described as between 15 and 45 yearsold, usually male, no previous contact with law enforcement, goesafter both government and business, bright, motivated, fears lossof status in computer community and views his acts as games.14For the purposes of this article, this will be the definitionused because of its broad reach.

Estimates regarding how much is lost to computer crime verywidely15. In the only authoritative study, the loss due tocomputer crime was given at $555,000,000, 930 personnel yearslost and 153 computer time years lost.16 The amount of totalincidents for 1988 was 485 resulting in 31 prosecutions17. In

1987, there were 335 incidents with 8 prosecutions.18 Securityspent on prevention of computer crime is becoming morecommonplace19.

The most publicized danger to computer systems areviruses20 and worms. A virus is a code segment which, whenexecuted, replicates itself and infects another program.21These viruses may be created anywhere in the world22 and mayattack anything.23 A virus may be transmitted through a trojanhorse24 program. A worm exists as a program in its own rightand may spread over a network via electronic mail25. A virusattacks a program while a worm attacks the computer's operatingsystem.26 The most notorious computer worm brought theInternet computer network to a halt.27

Computer virus attacks may be overrated.28 It is saidthat the biggest threat to computing includes "not backing upyour data, not learning the ins and outs of your applicationprograms, not putting enough memory in your computer, notorganizing your hard disk, [and] not upgrading to the latestversion of your applications.29 These computer programs havebeen compared to the AIDS virus.30 One author has stated thatthe viruses are used to both increase the amount of profits ofcomputer program producers and anti-virus computer programs.31

Computer viruses may also be used to benefit computersystems, by either detecting flaws in security measures ordetecting other viruses.32 Virus are very dangerous, though.

The effects of a virus called Datacrime, activated on October 13,1989, brought down 35,000 personal computers within the Swissgovernment and several companies in Holland.33


3/53

With the opening up of Eastern Europe, the virus problem isexpected to increase.34 In Bulgaria, a country which does nothave any laws against computer viruses, one new virus appearsweek.35 Computer viruses are created in countries like theSoviet Union as a way to punish computer pirates because of thelack of copyright laws.36

Perhaps the most dangerous threat to information contained

in a computer is the "leakage" of radiation from the computermonitors.37 With inexpensive equipment38 a person can "read"the information off the computer screen and then replicate the

information from the screen in a readable manner.39The threat of attack on a computer system can also come from

a hacker. A hacker is a person who breaks into, whethermaliciously or not, computers or computer systems.40 A hackercan, if the system is not adequately secured, cause havoc in thecomputer by either deleting or altering programs or data orplanting logic bombs or viruses in the computer system.41Threats from hackers to plant viruses have been made in the

past.42 The threat from computer hackers, as with viruses, hasbeen said to be overrated.43

The issues surrounding computers still have not been decidedby those within the computer community. Whether or not personsshould be allowed to access computer systems withoutauthorization is still a subject of debate within the computingcommunity. A West German Computing Club, called The ChaosComputing Club, holds the belief that it is not improper to enterany system which they can gain access to and to "look" aroundinside of the system as much as they wish.44 They do not,however, condone destroying or altering any of the informationwithin the system.45 On the other side, represented byClifford Stoll, when individuals break into computer systems theydisrupt the trust that the computer system is based on.46 Thisbreach of trust not only makes operating the system tougher forthe manager in control of the system, but also will decrease theamount of use of the system so less information will betransferred within the system.47

There is also conflicting views as to whether the authors ofcomputer viruses should be punished. Marc Rotenberg48 holdsthe belief that a virus should be granted first amendmentprotection in some instances.49 In response to the Internetworm, there were 21 editorials that stated that the attack showedthe need for more security in computers while there were 10letters to editors that stated that the creator should be

applauded rather then punished.50 They argue that this was agood way to raise consciousness concerning computer security.51Alan Solomon, a consultant who specializes in virus detection and


4/53

eradication, believes that viruses are, at most, aninconvenience.52

III.United States Computer LegislationThe United States government53 and most states54 have

computer crime laws. In 1979, only six states had such laws.55Almost every computer crime will, in addition to violating a

state and/or federal law, can also be prosecuted under otherlaws.56

A. Computer Fraud and Abuse Act.Congress originally enacted the Counterfeit Access Device

and Computer Fraud and Abuse Act57 to address the problem ofcomputer crime. Understanding that the scope of the original lawwas too narrow,58 in 1986 Congress enacted amendments to theComputer Fraud and Misuse Act of 1984.59 The Act essentiallylists acts that if done with a computer are illegal. The Actalso makes individuals culpable for attempting to commit acomputer crime.60

In order to commit any of the crimes mentioned in the act,the actor must have acted either "intentionally" or "knowingly"when committing the act. The law addresses national securityissues by making a crime of anyone using a computer to obtaininformation and giving the information to foreign countries.61The penalty for this crime or its attempt is 10 years for thefirst offense62 and 20 years for subsequent offenses63. If aperson intentionally accesses a computer either withoutauthorization or in excess of his authorization and obtains andacquires information in a financial record of an institution orinformation contained in a financial record of an individual64,the person will have committed a misdemeanor for the firstoffense65 and a felony for subsequent offenses66. A personintentionally accessing a government computer withoutauthorization which affects the government's use of thatcomputer67 will have committed a misdemeanor for the firstoffense68 and a felony for the second offense.69 Accessing acomputer with knowledge and intent to defraud and without orexceeding authority is a crime if the person obtains anything ofvalue other than use is a felony70. Accessing a federalinterest computer without authorization and either modifyingmedical records or causing $1,000 or more worth of damage withina one year period71 is punishable with up to 5 years for thefirst offense72 and 10 years for any subsequent offense.73

The Act also criminalizes trafficking in passwords.74 A

person who knowingly and with intent to defraud traffics75 inpasswords or similar information may be sentenced for up to oneyear for the first offense76 and up to 10 years for subsequent


5/53

offenses77 if the computer is used by or for the Government ofthe United States78 or affects interstate or foreigncommerce.79

B. CriticismsIt is important to note that this statute only applies to

"Federal interest computers" as defined by this section.80 If

a computer is not this type of computer, then any of the abovementioned crimes will not be prosecutable under this section.Congress intentionally made the scope of the law narrow.81This section has been criticized as not inclusive enough.82Individual and corporate computers which do not fall into therestrictive definition83 may not receive the protection of thestatute.

The problem of computer viruses are not addressed byAct.84 The act does not punish those who add information intoa computer, even though this may do more harm then just accessinginformation. The Congress has attempted to address this issueunder two bills85, but neither one has been enacted.

Unauthorized access where there is no theft or damage to thesystem is not covered.86 For example, a person access acomputer system and looks at information contained therein, hehas not committed a punishable crime under the Act.87

Questions have also been brought up concerning many of theundefined terms within the Act.88 Terms such as "intentionallyaccess" and "affects interstate commerce" are among the terms not

defined.89 The need to clarify these terms is important sothat an individual will know what action will constitute a crime.

IV. Legislation From Around The WorldA. Israel Proposed Computer LawIn March 1987, the Israeli Ministry of Justice distributed a

draft of a comprehensive computer bill.90 This bill covers awide range of areas concerning computers91. The Act first setsout a list of proposed definitions for computer, program,software, information, thing and act. Each of these, whileshort, are concise and attempt to give a brief but comprehensivedefinition.92

Chapter 2 sets out a list of offenses which, if committed,are punishable.93 A authorized person commits an act upon anycomputer and knows that the act will prevent or cause disruptionof the proper operation is subject to seven years

imprisonment.94 A person who, without authority, commits anact which precludes a person from using a computer system ordeprives a person of using that system is punishable by up to


6/53


7/53

The most controversial provision in the act is the proposalrequiring that individuals that may know of computer crime mustreport the crime or face fines themself. As Levenfeld pointsout112, this will mean that employers will have to imposeinternal spy rings to be able to tract down the "reasonablesuspicions" that individuals have concerning illegal activity.Shalgi, however, believes that this is a good provision in that

it will allow computer crime to come more to the forefront sothat the crime can be more easily combatted.113

This provision is necessary for the government to understandexactly how large of a problem computer crime is. At present,statistics on computer crime are difficult to determine becauseof the lack of reporting.114 By making all persons who wouldbe responsible for computer security, i.e. all persons who usecomputer systems, the problem will be brought into the open andcan be addressed.

The proposed law also sets out a defense for those whoviolate the law. Under 11, if a person who violates the lawmakes another know that he did disrupt or alter the data, he will

not be convicted of the crime. This will allow those who performsuch acts to avoid the punishment of the law. Individuals whowish to destroy or alter such information will have an incentiveto bring forth their mischievous acts so that when brought beforethe court they could say that they took precautions so thatindividuals would not rely on the information. This provisionwill encourage those who do such activity to come forth withoutfear of conviction.

The ability of a court to not impose a punishment on aperson is contained in section 12.115 This allows the courtto abstain from punishment if the offense is not grave and wasnot committed with malice. This section, in effect, will allowthose who commit computer crime to be able to forgo punishment if

their acts were not serious. This will be beneficial to thosewho are hackers in the original sense of the word,116 yetstill allow for punishment of those individuals who enter systemsto do harm to it.

The law also creates standards for how a computer may beseized. Neither a computer, nor any part of it, may be seizedwithout a court order.117 Although this seems to be a goodprovision in its effects on individual rights118, the sectionis not focused enough. The law does not address the issue ofwhether a floppy, as opposed to a hard disk, is part of a

computer. The hard disk is located inside of a computer, while

floppy disks may be removed from the computer. This law shouldaddress this issue by stating that the floppy disk is also a partof a computer in its definitions.119


8/53

This section also does not address what standard may be usedfor the court order. Must the officer only have a reasonablesuspicion or probable cause to seize the computer? By statingexplicitly in the statute that the officer must have probablecause to seize the computer, an overzealous police officer willnot be able to as easily seize the computer.

C. The Great Britain Computer Misuse Act

In response to computer program concerning AIDS that wasdistributed to doctors in Great Britain and Europe that containeda virus,120 Michael Colvin, a British MP introduced theComputer Misuse Bill.121 On August 29, 1990, the ComputerMisuse Act122 came into effect.123 It was estimated thatthe losses to British industry and government were one billionpounds.124 This Act is designed to not to create aconfidential information right, but to rather protect computersystem integrity125.

Prior to enactment, the English Law Commission studied theproblem and laws regarding computer crime. It stated that thereshould be three new offenses to deal with computer misuse: (1)

Unauthorized access to a computer, (2) Hacking with intent tocommit a serious crime, and (3) Intentional destruction of oralteration to computer programs or data.126 The ComputerMisuse Act states that unauthorized access occurs if the personis unauthorized to access the computer, he causes the computer toperform any function with intent to gain access to a program ordata in the computer and he knows that this is the case.127He does not have to be directed to any particular program or datain the computer he attempted to get on or the data or program hewishes to access.128 If a person commits unauthorized accesswith the intent to commit129 or help another offense,130the person can be sentenced on summary conviction, up to sixmonths in prison and a fine,131 or if convicted after

indictment, to imprisonment of up to five years, a fine orboth.132

If a person modifies computer material,133 the person issubject to a fine of up to 5 years, an unlimited fine orboth.134 The person must knowingly modify a program withoutauthorization and must have done so with the intent to impair theoperation of the computer, to prevent or hinder access, or impairthe operation of the program or resulting data.135 Themodification does not have to be permanent.136 A modificationmay be done by either altering, erasing or adding onto a programor data. By stating modification broadly, the act attempts tocombat the placing of viruses, worms and logic bombs oncomputers.137

The Act also extends the scope of jurisdiction.138 Aperson does not have to actually be in Great Britain at thecommission of the crime. The crime itself must have somerelation to Great Britain.139 The link must be"significant".140


9/53

D. AnalysisAs opposed to the other statutes, the Computer Misuse Act

does not attempt to define computer. This was done because of

the fear that any definition given for a computer may become outof date in a short period of time.141 Program and data arealso not defined within the Act.

Great Britain's courts are granted large jurisdiction. Theact allows for anyone who attempt to commit a crime under the actto be punished in Great Britain. The act, although setting outthat the link must be significant,142 does not attempt todefine this word. By this omission, the Great Britain's courtscan expand this to any act that occurs in a foreign country thatuses a British computer for even a short period of time. Thedefining of the word would clear up some misconceptions that mayresult from the act.

Of interest to note, the Act would not punish a person whodistributes disks tat contain viruses on them. Although thedrafter of the bill said that this was his goal, the law ignoresthis possibility. An amendment should be added to the law whichwill punish those who damage data even if they do not access thesystem.

E. GhanaIn response to the belief that their existing laws were not

adequate, a draft law was proposed by the Ghana Law ReformCommission.143 The bill is rather simple as opposed to theother laws. It has definitions for access, computer, computernetwork, computer program and data.144 To commit computerrelated fraud, the person must have an intent to defraud and

either alters, damages destroys data or program stored in or usedby the computer or obtains information to his own advantage or tothe disadvantage of another or uses a computer commits andoffense.145 The Act Also sets out alternatives for somesections that may be adopted. The alternative states that anyperson who obtains access to a computer program or data andattempts to erase or alter the program or data with intent tohelp his own interests or damage other person's interest commitsa crime.146

Damaging computer data occurs if any person, by any means,without authority, willfully does damage to data commits acrime.147 The crime of unauthorized use of a computer issimply defined as anyone who knowingly without authority commitsan offence.148 Similarly, unauthorized access is anyone whoknowingly gains access to a computer, network or any part thereof, without authority to do so.149 The Ghana law also createsa crime for the knowingly and dishonestly introduction of falsedata and the omission to introduce, record or store data.150An authorized person who willfully or intentionally allowsinformation to get into the hands of an unauthorized person andthat person uses the information to his advantage also commits acrime.151

The penalties for the crimes are similar to those of theGreat Britain law.152 On summary convictions, a jail term maybe given of up to two years or the statutory maximum fine or

both.153 On conviction on indictment, a prison term of no


10/53

more then ten years or an unlimited fine, or both may begiven.154

The jurisdiction that the Ghana courts have in accord withthis jurisdiction is as large as their British counterpart.155The courts can hear any case if the accused person was in Ghanaat the time of the act.156 Also, if the program or data wasstored in or used with a computer or computer network in Ghana

the person may be tried under the law.157F. AnalysisThe Ghana proposed Computer Crime Law is in accord with the

United States, Great Britain and the proposed Israeli laws. Bysetting out definitions for the various terms used in thelaw158, the law clearly defines which acts may be subject toprosecution under the law. Although simple, the definitionsattempt to capture within the law's grasp the various differentacts which could be done with a computer that should be outlawed.

The most original section of the act concerns the newlycreated crime of omission to introduce, record or storedata.159 This section, however, will end up punishing thosewho work in corporations that are at the lowest level skill-wise.

The government should, if the law is enacted, force companies togive each employee a sufficient amount of training on a computerso that the person will be able to act in accordance with thelaw. The act does provide a safeguard by making the mens rea ofthe crime "negligently or dishonestly"160

The act also sets out a crime for an individual who allowsinformation to get into the hands of another.161 As opposedto the other laws, this section specifically address the problemof where an authorized individual gives information to anoutsider. By specifically regulating this behavior, anyone whowishes to act according will know that the act is illegal.

The crime of computer-related fraud is definedbroadly.162 This law effectively makes any type of fraudcommitted either with a computer or information within a computera crime. The law adequately addresses the problems that mightoccur with a computer in fraud. A broad definition, however, maystill let some act seem as though they are not covered since theact is not specific in the area of what constitutes a crime.

Most significantly, the act does not state which types ofcomputers are covered by the act.163 By not giving a limit onwhich computers are covered, the act extends its jurisdiction toall "computer"164 and "computer network"165 in the country.If the definition of computer changes, due in part to advancetechnology, the law may have to change this section.V. Proposed Solutions

Computer Crime laws have come a long way in addressing theproblem of computer crime.166 The ability to regulate theactivity will decrease the amount of crime that is committed.


11/53

Those who use the computers of the world, however, must not relytotally on there respective governments to combat thisproblem.167

The best way to combat computer crime is to not let it occurat all. Many computer systems have not been given enoughsecurity by their system managers.168 It is possible to have

a totally secure computer system169, but it is impractical andslows the free flow of information.170 By creating laws thatwill protect the integrity of computer systems while alsoallowing for the ability of our best and brightest to develop andlearn about computer systems will the nation be able to keep ourtechnological lead in the world.

In order to combat the problem of unauthorized access, usersof computer systems must be taught to respect each others privacywithin the various systems. Creating an standard of ethics forthose who are users of computers will be the best way since itwill hold the users to standards that must be met. Although someorganizations have attempted to promogate standards regarding the

ethical use of computer systems171 no one standard hasemerged. Proposed rules of ethics should balance the need ofindividuals to be able to learn and discover about the varioustypes of computer systems, while at the same time allowing forthose who use those systems to be secure in the knowledge thatthe information stored on the computer will not be read by thoseother then person who should have access to it.

If computer crime laws are enacted, industries that usecomputers should not use the new laws as a replacement for usingadequate security measures.172 Individuals or corporationsthat use computer have several ways to protect themselves fromunauthorized access. If the computer can be accessed by a modem,the computer can have a dial back feature placed on the phoneline so that one a computer is accessed, the computer will thencall back to make sure that the call is coming from a line whichis supposed to access the computer.173 The proper use ofpasswords174 are also an effective way to address the problemof unauthorized access. A recent study has shown that out of 100passwords files, approximately 30 percent were guessed by eitherusing the account name or a variation of it.175 A programhas recently been developed that will not allow a user to selectan obvious password.176 Encryption programs, similar to theprogram used on Unix operating system, can scramble a password ina non reversible manner so that if the encrypted password fallsinto the hands of an individual who is not supposed to access the

system, the person will not be able to get into the system.These systems can also be used so that if a hacker does get intoa computer system and attempts to get information, the


12/53

information will not be readable.177A problem that must be address is the lack of laws

concerning copyright protection of computer programs in foreigncountries. The Pakistan Brain178 was written to discouragecopying of a program without authorization. By creating piratingpenalties a reason for the creation of computer viruses will beremoved and less viruses will be created.179

Many in the field argue that computer programs should not becopyrighted.180 Copyright protection should not be affordedto computer programs since they are only mathematicalequations.181 Copyright protection should be given to themaker of a computer programmer only for a short period oftime.182

A novel concept which will both satisfy the computer hackers

quest for knowledge through examining computer systems andprotect the integrity of computer systems is to create a computersystems for the use of hackers alone.183 This computer wouldnot be connected to other computer systems, but can be accessed

through a modem.184 If created, accounts would be given toall interested computer enthusiasts. Those participating willnot be prosecuted for exploring unauthorized areas of thesystem.185 Since other computer systems will not beaccessible through this system, any activity on this system willnot endanger the information on other systems.186 By allowingthis to be done, a major problem will be solved, the inability toafford to buy a mainframe system, while a person will still beable to learn about different types of systems.

If any laws are to be made, they should make "knowing"187or "intentionally"188 unauthorized access into a computer acrime. By making the intent of the crime be knowing, it willallow those who accidently connect to a computer system that theythink is theirs but is not to be excused from punishment.

The law must also be done in a way that will allow it to beenforced across national boundaries. A computer hacker canaccess computers from across the world without ever leaving hishome country.189 If these laws can only be enforced withinthe home country, then a person can, in theory, go into a countryof whose computers that he would never want to access and accessinto other computers without fear of punishment.190

An international convention should be convened to addressthis problem. Since the problem is of international concern andthe crimes do occur across the boarders of countries, by settingstandards by the international community concerning the conduct

of computer users, the hodgepodge of computer crime laws will beeradicated in favor of a common international standard. As theboundaries in Western Europe disappear in anticipation of 1992,


13/53

international access is sure to accelerate.Colleges, Universities and high schools must institute

programs designed to address proper computer use.191 Althoughnot all computer users are not trained in school, teaching theethical use of computers will allow users to understand the needfor security on systems. These programs will also show usersthat computer crime is dangerous to society.192 Problems

concerning computer crime should be publicized so as not tomystify the crime.193

The United States and other countries must create moreComputer Emergency Response Teams (CERT). These teams are tocoordinate community responses to emergency situations,coordinate responsibility for fixing hole in computer systems andserve as a focal point for discussions concerning computersystems.194 These groups regularly post notices concerningcomputer viruses or other dangers in the Internet computersystem. The scope of these groups should be expanded so they maybe a focal point of the needs and desires of those who usecomputers. If they are used to gather information as a clearing

house type operation, the spread of information concerningcomputer systems and problems with the systems will be moreadequately addressed.

IV. ConclusionComputer crime is a growing problem. With the advent of the

computer and a more computer literate public, crimes committed bycomputers will increase. To effectively address the problem,laws must be created to outlaw activity which is designed tofurther illegitimate ends. These laws have moved in the rightdirection concerning what should be outlaws so as to balance theneeds of computer users against those of the computer owners. Toenforce these laws, governments must realize that the problem ofcomputer crime is not only of local concern.

Educational programs and standards of ethics must be createdfrom within the computer users community. Corporations which usecomputers must educate their employees to reduce the fear thatone might have when addressing a computer security issue.Copyright laws must be strengthened in countries that either donot have or have weak copyright laws so that the need to createviruses to protect an individual's or corporation's work will nolonger be necessary.

To satisfy users curiosity with computers, a non-securecomputer system should be created. This system will allow thosewho wish to explore a system in order to understand the system

may. Those individuals can do so without the fear ofprosecution.

Only by directly addressing the causes of computer crime and


14/53

drafting standards and laws to address the unique area will theproblem of computer crime be adequately addressed. Light must beshined on the area so individuals will realize that fear of themachines is not justified. Only by doing so may we enter the21st century realizing the full potential of computers.

Appendix AGhana Computer Crime Law (Proposed)Computer Crime LawComputer Crime LawIn pursuance of the Provisional National Defense Council(Establishment) Proclamation 1981, this Law is hereby made:1. Any person who, with intent to defraud,

(a) alters, damages, destroys or otherwise manipulates dataor program stored in or used in connection with a computer, or

(b) obtains by any means, information stored in a computerand uses it to his advantage or to another person's advantage tothe disadvantage of any other person, or

(c) uses a computer

commits an offense.Charge: Computer-related fraud.ALTERNATIVE:


15/53

(1) A person commits an offense if that person obtainsaccess to a computer program or data, whether stored inor used in connection with a computer or to a part ofsuch program or data to erase or otherwise alter theprogram or data with the intention-1. (a) of procuring an advantage for himself or

another person: or

(b) of damaging another person's interests.

2. Any person who, by any means, without authority, wilfullydestroys, damages, injures, alters or renders ineffectivedata stored in or used in connection with a computer commitsan offense.

Charge: Damaging Computer data.

3. Any person who, without authority, knowingly uses a computercommits and offense.

Charge: Unauthorized use of a computer.

4. Any person who, without authority, knowingly gains access toa computer, computer network, or any part thereof commits anoffense.

Charge: Unauthorized access to a computer.

5. Any person who, knowingly and dishonestly introduces,records or stores, or causes to be recorded, stored orintroduced into a computer or computer network by any means,false or misleading information as data commits an offense.

Charge: Insertion of false information as data.

ALTERNATIVE:(5) A person commits an offense if, not having authority to

obtain access to a computer program or data, whetherstored in or used in connection with a computer, or toa part of such program or data, he obtains suchunauthorized access and damages another person'sinterests by recklessly adding to, erasing or otherwisealtering the program or the data.

6. Any person under a contractual or other duty to introduce,record or store authorised data into a computer network, whonegligently or dishonestly fails to introduce, record orstore, commits an offense.

Charge: Omission to introduce, record or store data.

ALTERNATIVE


16/53

(6) Any person under a contractual or other duty tointroduce, record or store data into a computer orcomputer network who negligently or dishonestly failsto introduce, record or store, commits an offense.

7. Any authorised person who willfully or intentionally allowsinformation from a computer to get into the hands of an

unauthorised person who uses such information to hisadvantage commits an offense.

Charge: Allowing unauthorised person to use computer data.

8. A person guilty of an offense under this Law shall beliable:-(a) on summary conviction, to imprisonment for a term not

exceeding two years or to a fine not exceeding thestatutory maximum or both; or

(b) on conviction on indictment, to imprisonment for a termnot exceeding ten years or to an unlimited fine, orboth.

9. A court in Ghana shall have jurisdiction to entertainproceedings for an offense under this Law, if at the timethe offense was committed:-(a) the accused was in Ghana; or(b) the program or the data in relation to which the

offence was committed was stored in or used with aor used with

computer or computer network in Ghana.computer network in Ghana.

10. In this Law, unless the context otherwise requires:-"access" includes to log unto, instruct, store data or

programs in, retrieve data or programs from, or otherwisecommunicate with a computer, or gain access to (whetherdirectly or with the aid of any device) any data or program."computer" includes any device which is capable ofperforming logical, arithmetical, classifactory, mnemonic,storage or other like functions by means of optical,electronic or magnetic signals."Computer network" includes the interconnection of two ormore computers, whether geographically separated or in closeproximity or the interconnection of communication systemswith a computer through terminals, whether remote or local."Computer program" includes an instruction or statement orseries of instructions or statements capable of causing acomputer to indicate, perform, or achieve any function."data" includes a representation in any form whethertangible or intangible that is capable of being stored in orretrieved by a computer.


17/53

ENDNOTESENDNOTES

1. Financial Times Limited (London) April, 1990.

2. See, infra, endnote 36 and accompanying text.infra

3. Stoll, The Cuckoo's Egg (1990). [hereinafter Stoll].The Cuckoo's Egg

4. Lyons, 13 Are Charged in Theft of Data from Computers, New

York Times, August 17, 1990, B2, col. 3.

5. Although there is no set definition of a computer

publication, it is created and published solely on a computer.

Peretti, Computer Publications and the First Amendment (1990)

(available at Princeton University FTP site and The American

University Journal of International Law and Policy Office).

6. Dorothy Denning, The United States v. Craig Neidorf

(available at The American University Journal of International

Law and Policy office).

7. Schares, A German Hackers' Club that Promotes Creative

Chaos, Business Week, Aug. 1, 1988, 71.

8. Barlow, Crime and Puzzlement: In advance of the Law on the

Electronic Frontier, Whole Earth Review, Sept. 22, 1990, 44.

9. Kopetman, Computer Gave Them Bum Rap, Los Angeles Times,Los Angeles Times

Jan. 10, 1991, at B1, col. 2.

10. See, J. Thomas McEwen, Dedicated Computer Crime Units (19--)

See,


18/53

(stating how important computers have become to society). In

1978 there were 5,000 desktop computers in the United States. S.

Rep. No. 432, 99th Cong., 2d Sess. 2, reprinted in, 1986 U.S.reprinted in

Code Cong. & Admin. News 2479, 2479. By 1986, this number had

increased to about 5 million. Id.Id.

11. See, S. 2476, Floor Statement by Senator Patrick Leahy.

12. See, Stoll at ___ (stating that all countries, except

Albania, are connected via computer systems).

13. McEwen, Dedicated Computer Crime Units 1 (19--). Another_______________________________

definition used is the definition of computer crime was "any

illegal act for which knowledge of computer technology is

essential for successful investigation and prosecution". Parker,

Computer Crime: Criminal Justice Resource Manual, (1989)._________________________________________________

14. Conly, Organizing for Computer Crime Investigation and

Prosecution, 6-7 (19--).


19/53

15. For instance, the estimated cost of the Internet Worm, a

computer program created by Robert Morris, Jr. which shut down

the Internet computer system, varies from $97,000,000 (John

McAfee, Chairman, Computer Virus Industry Association) to

$100,000 (Clifford Stoll's low bound estimate). Commitment to

Security, 34 (1989). It is difficult to determine exactly the

cost of such crime because it is difficult to determine what

should be included. The estimated downtime of a computer due to

such activity could be used to determine the cost. This may be

flawed, however, since it will not take into account how much of

the down time actually would have been used. Electronic Mail

Letter from Richard Stallman to Brian J. Peretti (Dec. 3, 1990)

(concerning computer crime).

16. Commitment to Security, 34. The average facility,

consisting of 1,224 microcomputers, 96 minicomputers and 10


20/53

mainframe computers, lost $109,000, 365 personnel hours and 26

hours computer time loss per year. Id.Id.

17. Id. at 23. 6 percent of incidents resulted in prosecutions.

Id.

Id.Id.

18. Id.Id.

19. Only 1.5 percent of respondents to a National Center for

Computer Crime Data used Anti-virus products in 1985. By 1988

this figure rose to 22 percent. By 1991, 53 percent of the

respondents stated that they would be using anti-virus software

by 1991. According to a Price Waterhouse survey in Great

Britain, in 1985 26 percent installations spent nothing on

security. Authers, Crime as a Business Risk- Security/ ACrime as a Business Risk- Security/ A

Management as Well as a Technical Problem, Financial TimesManagement as Well as a Technical Problem

(London), November 7, 1990. By 1990 this figure had shrunk to 4


21/53

percent and is expected to decline to 0 by 1995. Id. The amountId.

spent on security for new systems has increased from 5 percent in

1985 to 9 percent by 1990. Id.Id.

In Japan, less than 10 percent of groups that rely heavily

on computers have taken measures to prevent virus attacks.

Computer Users Fail to Protected Against Viruses. Although JapanComputer Users Fail to Protected Against Viruses.

does not have a computer crime law, there is a movement to make

such a law. Computer Body Calls for Jail Sentences for Hackers,Computer Body Calls for Jail Sentences for Hackers

Kyodo News Service, Nov. 15, 1990 (available from the Nexis

library). The Japan Information Processing Development

Association has stated that the new law should make the crime

punishable of either one year of hard labor or a fine. Id.Id.

20. The terms was first applied in 1984. Commitment to Security,

34 (1989).


22/53

21. Ring, Computer Viruses; Once Revered as Hackers, Technopaths

Threaten Security of Computer-Dependant Society, Computergram,

July 7, 1989. Some of these viruses are extremely small, e.g.

Tiny, which is 163 bytes, may be the smallest. Friday 13th Virus

Alert, The Times (London), July 12, 1990.

22. Graggs, Foreign Virus Strains Emerge as Latest Threat toForeign Virus Strains Emerge as Latest Threat to

U.S. PCs, Infoworld, Feb. 4, 1991, 18. Viruses have appeared

U.S. PCs

from Bulgaria, Germany, Australia, China and Taiwan. Id. Some newId.

viruses include Armageddon, from Greece which attacks through

modems and then dials to a talking clock in Crete, Liberty, from

Indonesia, Bulgaria 50, which is thought to have come from a

"laboratory" in Sofia, Victor, thought to originate in the

U.S.S.R., the Joker, from Poland, which tells the user that the

computer needs a hamburger, and Saturday the 14th, presumed to

have been developed in South Africa, which destroys a computer's

file allocation table. Id.Id.


23/53

Some viruses also carry a message when they are activated.

A virus that is though to have been developed by students at

Wellington, New Zealand, tells the user that they have been

"stoned" and requests that marijuana should be legalized. Id.Id.

Approximately 80 or 90 of the 300 viruses counted for the

IBM personal computer originated in Bulgaria according to Morton

Swimmer of Germany's Hamburg University Virus Test Center.

23. A report in La Liberation, a French newspaper, stated that

La Liberation

computer viruses could be planted in French EXOCET missiles to

misguide them when fired. La Liberation, Jan. 10, 1991,

reprinted in Klaus Brunnstein, Risks-Forum, vol. 10, iss. 78,reprinted in

Jan. 22 1991 (available at American Journal of International Law

and Policy Office).

24. A "trojan horse" is a program that does not seem to be

infected, however, when used in a computer, the virus is then

transferred the uninfected machine. On trojan horse destroyed

168,000 files in Texas. Commitment to Security, 34 (1989).


24/53

25. Ring, Computer Viruses; Once Revered as Hackers, TechnopathsComputer Viruses; Once Revered as Hackers, Technopaths

Threaten Security of Computer-Dependent Society, ComputerGram,Threaten Security of Computer-Dependent Society

July 7, 1989.

26. Highland, One Wild Computer "Worm" Really Isn't a FederalOne Wild Computer "Worm" Really Isn't a Federal

Case, Newsday, Jan. 23, 1990, 51.Case

27. Stoll, at 346. The amount of computers that were actually

infected by the worm is still the subject of debate. Mr. Stoll

estimates that 2,000 computers where infected, while the most

commonly cited number is 6,000. Commitment to Security, 34

(1989). The 6,000 estimate was based on an Massachusetts

Institute of Technology estimate that 10 percent of the machines

at the school were infected and was then inferred to the total

number of machines across the country that were affected.

General Accounting Office, Computer Security: Virus Highlights

Need for Improved Internet Management, 17 (1989). This number


25/53

may be inaccurate because not all locations had the same amount

of vulnerable machines. Id.Id.

28. For the first eight months of 1988, there were 800

incidents concerning computer viruses. Commitment to Security,

34. The Computer Virus Industry Association reported that 96

percent of these reported infections were incorrectly identified

as viruses. Id.Id.

29. Robinson, Virus Protection for Network Users, Washington

Post, Washington Business, p.44, Feb. 11, 1991.

30. Ross, Hacking Away at the Counterculture, 3 (1990)

(available at the American University Journal of International

Law and Policy). On Saturday Night Live, during the news update

segment, Dennis Miller stated, in comparing a computer viruses to

the AIDS virus, "Remember, when you connect with another

computer, you're connecting to every computer that computer has


26/53

ever been connected to." Id.Id.

31. Id. at 8-9.Id.

32. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287

before the Subcomm. on Criminal Justice of the House Comm. on the

Judiciary, 100th Cong., 1st Sess. 49 (1989) (statement of Marc

Rotenberg, Director, Computer Professionals for Social

Responsibility). In Israel, Hebrew University used a computer

virus to detect and destroy a virus that would have destroyed

data files. Id.Id.

33. Computergram International, October 14, 1990.

34.

35. Watts, Fears of Computer Virus Attack from East Europe grow,Fears of Computer Virus Attack from East Europe grow

The Independent, November 24, 1990, p.6. On a trip to Bulgaria,

a British computer consultant returned with 100 viruses that do

not exist in the West. Id.Id.


27/53

36. Id.

37. McGourty, When a Hacker Cracks the Code, The Daily TelegraphWhen a Hacker Cracks the Code

(London), October 22, 1990, p. 31.

38. The equipment would cost about 50 (British) pounds. Id.Id.

39. Id. A British company, has stated that they have developedId.

a glass that will reduce this problem. Tieman, Spy-Proof Glass

to Beat the Hackers, The (London) Times, Jan 17, 1991.

A more recent problem concerns the ability of computer

hackers to access into fax machines and either change or reroute

information from the machine. Becket, Espionage fears mounting asEspionage fears mounting as

hackers tap into faxes, The Daily Telegraph (London), December 1,

hackers tap into faxes

1990, p. 23. This problem can be circumvented by the use of

encryption devices or passwords on the machine. Id.Id.

40. Stoll at 9. The word itself originally had two meanings.

People originally called themselves hackers were software wizards


28/53

who thoroughly knew computer systems. Id. In U.S. v. Riggs, 739U.S. v. Riggs

F. Supp. 414, 423 (N.D. Ill. 1990) the court defined hackers as

"individuals involved with the unauthorized access of computer

systems by various means." The New Hacker's Dictionary defines

hackers as "A person who enjoys learning the details of

programming systems and how to stretch their capabilities, as

opposed to most users who prefer to learn only the minimum

necessary." New Hacker's Dictionary, to be published Spring,

1991.

Hacker has also been used in a non-evil sense with the word

"cracker" taking the disreputable part of the word. In this

light, hacker means "computer enthusiasts who `take delight in

experimenting with system hardware, software and communication

systems." and cracker meaning "a hacker who specializes in

gaining illegal access to a system." One Wild Computer `Worm'One Wild Computer `Worm'

Really Isn't a Federal Case, Newsday, January 23, 1990, p.51.Really Isn't a Federal Case

The typical hacker has been described as "a juvenile with a home


29/53

computer who uses computerized bulletin board systems for a

variety of illegal purposes. Conly, Organizing for Computer

Crime Investigation and Prosecution, 8 (19--).

41. Sulski, How to Thwart Potential Saboteur, Chicago Tribune,How to Thwart Potential Saboteur

November 18, 1990, p.18.

42. Computerworld, December 3, 1990, p. 122. Kryptik, a hacker

group, was stated as having planned to plant a virus in a

telephone network on December 5, 1990. Id. It is unclear,Id.

however, if the virus actually was planted. Id.Id.

43. Sulski, How to Thwart Potential Saboteur, Chicago Tribune,How to Thwart Potential Saboteur

November 18, 1990, p.18. Computer security experts state that

the risk of having hacker break into your system is less than

being burglarized or having a power outage due to lightning. Id.Id.

Errant opinion poll results have also been blamed on the work of

hackers. Holdsworth, Hackers May Have Attacked TV PollHackers May Have Attacked TV Poll


30/53

Computers-MP, Press Association Newsfile, May 4, 1990.Computers-MP

44. Stoll, 312.

45. Id. This view is also shared by the editors of 2600, The

Id.

Hackers Quarterly. It is also held by these persons that a

service is done to the computing community because those who

break in to computer systems show the operators that their system

is not strong enough and that it should be made stronger.

46. Stoll, at 354.

47. Mr. Stoll's computer was broken into by an Australian

hacker who said he did so to show that Mr. Stoll's security was

not good and that hackers are good because they show where

security problems are in computer networks. Id. at 353-54. HeId.

rejected such arguments. Id.Id.

48. Director, Computer Professionals for Social Responsibility

49. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287


31/53

before the Subcomm. on Criminal Justice of the House Comm. on the

Judiciary, 100th Cong., 1st Sess. 26-27 (1989) (statement of Marc

Rotenberg, Director, Computer Professionals for Social

Responsibility). The Aldus peace virus, which displayed a message

calling for peace and then disappeared without damaging the

system itself, is an example of a virus which he believes should

be protected. Id.

Id.

50. Commitment to Security, 34.

51. Stoll, 349.

52. "I can never understand why people think it is all right to

run out of computer paper but not all right to be infected with a

virus. The disruption is the same and it takes about the same

amount of time to put matters right." Cane, Hygiene See OffHygiene See Off

Computer Viruses, Financial Times (London) October 14, 1989,Computer Viruses

Section I, p. 24.


32/53

53. 18 U.S.C. 1030 (1988).

54. Ala. Code 13A-8-100 et.seq. (1990); Alaska Stat.Ala. Code Alaska Stat.

11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985, 11.46.990

(1990); Ariz. Rev. Stat. Ann. 13-2301(E), 13-2316 (1990); Cal.Ariz. Rev. Stat. Ann. Cal.

Penal Code 502 (West 1990); Colo. Rev. Stat. 18-5.5-101 et.Penal Code Colo. Rev. Stat.

seq. (1990); Conn. Gen. Stat 53a-250 et. seq., 52-570b (1990);Conn. Gen. Stat

Del. Code Ann. tit. 11, 931 et seq. (1990); Fla. Stat.Del. Code Ann. Fla. Stat.

815.01 et seq. (1990); Ga. Code Ann. 16-9-90 et seq (1990);Ga. Code Ann.

Haw. Rev. Stat. 708-890 et seq. (1990); Idaho Code 18-2201,Haw. Rev. Stat. Idaho Code

2202 (1990); Ill. Ann. Stat. 15-1, 16-9 (1990); Ind. CodeIll. Ann. Stat Ind. Code

35-43-1-4, 35-43-2-3 (1990); Iowa Code 716A.1 et. seq.Iowa Code

(1990); Kan. Stat. Ann. 21-3755 (1990); Ky. Rev. Stat. Ann.

Kan. Stat. Ann. Ky. Rev. Stat. Ann.


33/53

434.840 et. seq. (1990); La. Rev. Stat. Ann. 14(D) 71.1 etLa. Rev. Stat. Ann

seq. (1990); Me. Rev. Stat. Ann. chap. 15, tit. 17-A, 357Me. Rev. Stat. Ann.

(1990); Md. Crim. Law Code Ann. Article 27 45A, 146 (1990);Md. Crim. Law Code Ann.

Mass. Gen. L. ch 266, 30 (1990) see infra; Mich. Comp. LawsMass. Gen. L. Mich. Comp. Laws

28.529(1) et seq. (1990); Minn. Stat. 609.87 et seq. (1990);Minn. Stat.

Miss. Code Ann. 97-45-1 et seq (1990); Mo. Rev. Stat. 569.093Miss. Code Ann. Mo. Rev. Stat.

et seq. (1990); Mont. Code Ann. 45-2-101, 45-6-310,45-6-311Mont. Code Ann.

(1990); Neb. Rev. Stat. art. 13(p), 28-1343 et seq (1990); Nev.Neb. Rev. Stat. Nev.

Rev. Stat. 205.473 et seq. (1990); N.H. Rev. Stat. Ann.Rev. Stat. N.H. Rev. Stat. Ann.

638.16 et seq. (1990); N.J. Rev. Stat. 2C:20-1, 2C:20-23 et.N.J. Rev. Stat.

seq., 2A:38A-1 et seq. (1990); N.M. Stat. Ann. 30-16A-1 etN.M. Stat. Ann.

seq. (1990); N.Y. Penal Law 155.00, 156.00 et seq, 165.15(10),N.Y. Penal Law

170.00, 175.00 (1990); N.C. Gen. Stat. 14-453 et seq (1990);N.C. Gen. Stat.

N.D. Cent. Code 12.1-06.1.01(3), 12.1-06.1-08 (1990); Ohio Rev.N.D. Cent. Code Ohio Rev.

Code Ann. 2901.01, 2913.01, 1913.04, 1913.81 (Anderson 1990);

Code Ann.


34/53

Okla. Stat. tit. 21, 1951 et seq. (1990); Or. Rev. Stat.Okla. Stat Or. Rev. Stat.

164.125, 164.377 (1990); Pa. Cons. Stat. 1933 (1990); R.I.Pa. Cons. Stat. R.I.

Gen. Laws 11-52-1 et seq (1990); S.C. Code Ann. 16-16-10 etGen. Laws S.C. Code Ann.

seq (Law. Co-op 1990); S.D. Codified Laws Ann. 43-43B-1 et seq.S.D. Codified Laws Ann.

(1990); Tenn. Code Ann. 39-3-1401 et seq (1990); Texas CodeTenn. Code Ann. Texas Code

Ann. tit 7 33.01 et seq. (Vernon 1990); 19 Utah Laws 76-6-Ann. Utah Laws

701 et seq.; Va. Code Ann. 18.2-152.1 et seq. (1990); Wash.Va. Code Ann. Wash.

Rev. Code Ann. 9A.48.100, 9A.52.010, 9A.52.110 et seq. (1990);Rev. Code Ann.

Wis. Stat. 943.70 (1990); Wyo. Stat. 6-3-501 et seq. (1990).Wis. Stat. Wyo. Stat.

55. Parker, Computer Crime: Criminal Justice Resource Manual,

129 (1979).

56. McEwen, Dedicated Computer Crime Units, 60 (1989). These

other laws include embezzlement, larceny, fraud, wire fraud and


35/53

mail fraud. Id. at 60.___

57. Pub. L. No. 98-473, 2102(a), 98 Stat. 1837, 2190 (codified

at 18 U.S.C. 1030).

58. S. Rep. No. 432, 99th Cong., 2d Sess., 1986 U.S. 2,

reprinted in, 1986 Cong. & Admin. News 2479, 2479.reprinted in

59. Pub. L. No. 99-474, 2, 100 Stat. 1213 (amending 18 U.S.C.

1030).

60. 18 U.S.C. 1030(b).

61. 18 U.S.C. 1030(a)(1). The person must act knowingly to

access a computer either without authorization or exceeding the

authorization given and obtain information with the intent or

reason to believe that the information will either injure the

United States of American or give an advantage to a foreign

nation. As seen by the placement of this section, it is clear

that the Congress was particularity aware of the dangers that

computer might have to the national security of the United


36/53

States. This section parallels 18 U.S.C. 793, the federal

espionage statute.

62. 1030(c)(1)(A).

63. 1030(c)(1)(B).

64. As defined by the Fair Credit Reporting Act, 15 U.S.C. 1681

et seq.

65. 1030(c)(2)(A).

66. 1030(c)(2)(B). The penalty is up to 10 years in prison.

67. 18 U.S.C. 1030(a)(2).

68. 18 U.S.C. 1030(c)(2)(B).

69. 18 U.S.C. 1030(c)(2)(B).

70. The punishments that may be handed out are up to 5 years for

the first offense and 10 years for any subsequent offense.

71. 18 U.S.C. 1030(a)(5).

72. 18 U.S.C. 1030(c)(3)(A).

73. 18 U.S.C. 1030(c)(3)(B).

74. 18 U.S.C. 1030(a)(6).

75. As defined by 18 U.S.C. 1029.

76. 18 U.S.C. 1030(c)(2)(A).

77. 18 U.S.C. 1030(c)(2)(B).

78. 18 U.S.C. 1030(a)(6)(B).


37/53

79. 18 U.S.C. 1030(a)(6)(B).

80. These computers include computers used exclusively for the

United States government or a financial institution or if not

exclusively by the government one which the conduct of the

computer affects the government's or the institution's operation,

18 U.S.C. 1030(e)(2)(A), the computer is one of two or more

computers that commit the offense, 18 U.S.C. 1030(e)(2)(A).

Financial institution is defined in 18 U.S.C. 1030(e)(4) and

includes and institution whose deposits are insured by the

Federal Deposit Insurance Corporation, 1030(e)(4)(A), the Federal

Reserve or one of its members, 1030(e)(4)(B), a credit union

insured by the National Credit Union Administration,

1030(e)(4)(C), a Federal home loan bank system member,

1030(e)(4)(D), institutions under the Farm Credit Act of 1971,

1030(e)(4)(F), a broker-dealer registered pursuant to 15 of the


38/53

Securities Exchange Act of 1934, 1030(e)(4)(F), or a Securities

Investor Protection Corporation, 1030(e)(4)(G).

81. S. Rep. No. 432, 99th Cong., 2d Sess. 4, reprinted in, 1986

reprinted in

U.S. Code Cong. & Admin. News 2479, 2481.

82. Note, Computer Crime and The Computer Fraud and Abuse Act of

1986, X Computer/Law Journal 71, 79, (1990).

83. 18 U.S.C. 1030 (e)(2) states:

As used in this section-

(2) The term "Federal interest computer" means a computer-

(A) exclusively for the use of a financial institution

or the United States Government, or, in the case of a computer

not exclusively for such use, used by or for a financial

institution or the United States Government and the conduct

constituting the offense affects the use of the financial

institution's operation or the Government's operation of such

computer; or

(B) which is one of two or more computer used in the


39/53

committing the offense, not all of which are located in the same

state.

84. "[T]here is not statute specifically addressing viruses."

135 Cong. Rec. E2124 (daily ed. June 14, 1989) (letter of Rep.Cong. Rec. E2124

Herger (quoting FBI Director William Sessions)).

85. H.R. 287 and H.R. 55.

86. "Existing criminal statues are not specific on the question

of whether unauthorized access is a crime where no theft or

damage occurs . . ." 135 Cong. Rec. E2124 (daily ed. June 14,Cong. Rec.

1989) (letter of Rep. Herger (quoting FBI Director William

Sessions)).

87. Prosecution could occur under a trespass law. It may not be

applicable, however, since trespass is a property based crime and

courts have not recognized information in the same manner as real

property.

88. Note, Computer Crime and The Computer Fraud and Abuse Act of

1986, X Computer/Law Journal 71, 80 (1990).

89. Id.Id.

90. Shalgi, Computer-ware: Protection and Evidence, An IsraeliComputer-ware: Protection and Evidence, An Israeli

Draft Bill, IX Computer/Law J. 299, 299 (1989) [hereinafterDraft Bill Computer/Law J.


40/53

Shalgi]. This proposed bill has not progressed much since it was

proposed and is at the stage prior to an official "bill". Letter

from Barry Levenfeld to Brian J. Peretti (December 13, 1990)

(concerning Israel's legislature progress on the comprehensive

computer law). This paper will use the Shalgi English

translation of the law.

91. Chapter 2 concerns Offenses and Accessing Computers, Chapter

3, Damages, Chapter 4, Rights of Software Creators and Chapter 5,

Evidence. Levenfeld, Israel Considers Comprehensive Computer Law,Israel Considers Comprehensive Computer Law,

Int'l Computer L Advisor 4 (March 1988). The topics covered inInt'l Computer L Advisor

Chapters 2 through 5 are beyond the scope of this paper.

92.

93. Shagli, at 311.

94. Chapter 2, 2, Shagli at 311.

95. Chapter 2, 3(a), Shagli at 311. An employee is exempt if

he commits this act when it was due to a strike concerning a


41/53

labor dispute. Chapter 2, 3(b), Shagli at 311.

96. Chapter 2, 4(a).

97. Chapter 2, 4(b), Shagli at 311.

98. As defined by Chapter 1, 1.





103. Id.Id.


105. By not stating that this also applies to individuals or

others (non-corporations) who are attempting to supply services

to the public, some important services that may be offered to the

public may not be done. Levenfeld, 8, translates the word

corporation as entities which may solve the problem.

106. Shalgi, 312. Levenfeld, 5, states that since this section

is so broad the only possible areas that are not covered are

personal and academic uses.


42/53


108. Section 5.

109. Levenfeld, 4-5. Perhaps the only computers not covered

would be those used for personal or academic uses exclusively.

Id. at 5.Id.

110. Section 5.

111. Levenfeld, 4-5. Perhaps the only computers not covered

would be those used for personal or academic uses exclusively.

Id. at 5.Id.

112. Levenfeld at 4.

113. Shalgi, 305.

114. See, Computers at Risk, Safe Computing in the Information

Age, 36 (1991) (discussing the need for a repository to gather

computer crime information).


116. New Hacker's Dictionary.

117. Chapter 2, 13, Shagli at 313. The law states that if the

owner of the computer is not given in his presence, the order is


43/53


44/53

124. Id.Id.

125. Davies, Cracking down on the computer hackers, Fin. TimesCracking down on the computer hackers

(London), October 4, 1990.

126. Law Commission No. 186, Cm 819.

127. Computer Misuse Act, 1990, ch. 18, 1.

128. The penalty for this type of behavior is up to six months in

prison, 2000 pounds or both.

129. Computer Misuse Act, 1990, ch. 18, 2(1)(a).

130. Computer Misuse Act, 1990, ch. 18, 2(1)(b).

131. Computer Misuse Act, 1990, ch. 18, 2(5)(a).

132. Computer Misuse Act, 1990, ch. 18, 2(5)(b).

133. Computer Misuse Act, 1990, ch. 18, 3(1).




137. Id. Colvin, Lock up the Keyboard Criminal ,Id.

Telecommunications PLC (England), June 1990.

138. Computer Misuse Act, 1990, ch. 18, 4.



45/53


46/53

their proposed law from the Scottish Law Commission and the Law

Reform Commission of Tasmania, Australia reports on computer

crime.

153. Appendix A, 9(a).

154. Appendix A, 8(b).

155. See, infra, endnote __ and accompanying text.infra

156. Appendix A, 9(a).

157. Appendix A, 9(b).

158. Appendix A, 10.

159. Appendix A, 6.

160. Id.Id.

161. Appendix A, 7.

162. Appendix A, 1.

163. Appendix A, 10.

164. Id.Id.

165. Id.Id.

166. The first computer crime law in the United States was

enacted in 1979.

167. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in 1986reprinted in


168. By increasing security, the ease with which one can enter


47/53

the system will become more difficult. Some systems, believing

that if such unauthorized access does occur that no sensitive

information will be stolen, opt to have less security then other

systems. In actuality, by one system not having enough security,

the entire network can be put at danger when a mischievous user

wishes to break into a users account which may be accessed by

that system. See Stoll, 353-54 (stating an Australian hacker

broke into Mr. Stoll's computer account because a connected

computer's system manager did not wish to have a high level of

security.

169. Stoll, 32. Many military computers and sensitive

scientific computers operate in a secure environment. This is

created by not allowing the computer system to have any telephone

links to the outside world (i.e. outside of the building.

170. By having a secure system, information at the computer site


48/53


49/53

the bill should not be looked at that the computer owner should

not have security measures on their computers. Id. The bill, heId.

states, was made only to compliment, not substitute, the users

security measures. Id. In West Germany, the severity of theId.

punishment for hacking depends on the effort that was required to

commit the offense. Fagan, Technology: EC urged to StrengthenTechnology: EC urged to Strengthen

Laws on Computer Crime, The Independent, Feb. 13, 1990, 19.Laws on Computer Crime

173. McGourty, When a hacker cracks the code, The DailyWhen a hacker cracks the code

Telegraph, October 22, 1990, p. 31.

174. A Password is a word that is either given to the user by

the system or selected by the user to prevent others from

accessing his computer or account within the computer. This

words, groups of letters or symbols are supposed to be kept

secret so as to not let other who are not authorized to access


50/53


51/53

General Public License, (Feb. 11, 1988) (available at American

University Journal of International Law and Policy).

181. The GNU Manifesto (available at the American University

Journal of International Law and Policy).

182. The author proposes that such copyright protection last for

only two years. By granting the creator such protection for a

short period of time, he will be able to recover the expenses

that he put into the writing of the program.

If this type of protection is granted, it should be

understood that the creator of the program has a copyright to the

sourcecode of the program for that period. If he updates the

program after the two year period, the updated code will be

protected, but the original code will not be granted theprotection. In this manner, an author cannot attempt to give

copyright protection to a program after the copyright has

expired.

183. Electronic letter from Brian J. Peretti to Dorothy Denning

(Nov. 13, 1990) (concerning computer crime).

184. This will be a semi-secure system.

185. The system, of course, will have a system manager who will

create the accounts for the users. His account will be off

limits to those who wish to use the system. At the same time,


52/53

individuals will be encouraged to attempt to break into the

manager's account and tell him how it was done in order to

improve security for this and other systems.

186. The problem still exists that information learned through

the use of this system may allow those who use the system to

break into other computer systems. This problem can be corrected

by having the system manager and the users communicate problems

with the system so that they may be corrected on other systems.

187. United States v. United States Gypsum Co., 438 U.S. 422, 425

(1978).



189. Stoll, The Cuckoo's Egg.

190. The countries which a person can go to could be any country

in the world, except Albania, since they are the only country

whose computers are not connected to outside computers. Stoll.

191. A school in Red Bank, New Jersey, has instituted a "computer

responsibility training". Weintraub, Teaching Computer Ethics inTeaching Computer Ethics in

the Schools, The School Administrator 8, 9 (apr. 1986).the Schools, ________________________



193. Electronic Mail Letter from Rop Gonggrijp to Brian J.


53/53

Peretti (Jan. 25, 1991) (concerning computer viruses). "We have

to watch that we keep telling people how virusses work, because

that is the only solution to the problem: mystifying the whole

thing ans just hunting down "computer terrorists" is useless and

(as proven in the US and Germany) leads to a questionable style

of government in the field of information technology..." Id.Id.

194. General Accounting Office, Computer Security: Virus

Highlights Need for Improved Internet Management, 25 (1989).

Documents

Computer Chrime - Current Practices, Problems and Proposed So