2,000 Greater & Lesser Mysteries

home *** CD-ROM | disk | FTP | other *** search

/ 2,000 Greater & Lesser Mysteries / 2,000 Greater and Lesser Mysteries.iso / legal / mys01157.txt < prev next >

Wrap

Text File | 1994-06-10 | 96.5 KB | 3,144 lines

Computer Crime: Current Practices, Problems and Proposed Solutions Second Draft Brian J. Peretti It would have been surprising if there had been satisfactory road traffic legislation before the invention of the wheel, but it would also have been surprising if the law on the passage of laden donkeys proved entirely satisfactory when applied to vehicles.1 I. Introduction Within recent years, computer crime has become a preoccupation with law enforcement officials. In California, a group of West German hackers2 using phone lines and satellite hookups, gained unauthorized access into civilian and military computers and stole sensitive documents that were sold to the Soviet Union.3 A young New York programmer broke into a Washington computer to run a program that he could not run from his personal computer.4 After Southeastern Bell Stated that a document published in an electronic publication5 was valued at more than $75,000 the publisher was arrested and brought to trial before the discovery that the document could be publicly bought from the company for $12.6 The Chaos Computer Club, a Hamburg, Germany, club, went into government computers and access information and gave it to reporters.7 In May, 1988, the United States government launched Operation Sun Devil, which lead to the seizure of 23,000 computer disks and 40 computers.8 In addition, poor police performance9 has also been blamed on computers. Since its creation, the computer has become increasing important in society.10 The law, as in the past, has not been able to evolve as quickly as the rapidly expanding technology.11 This lack of movement on the part of governments shows a lack of understanding with the area. The need to create a comprehensive regulation or code of ethics has become increasing necessary. Due to the nature of computer systems and their transnational connections through telephone lines12, an individual state's action will only stop the problems associated with computer crime if many states join together. The patchwork of legislation that exists covers only a small part of the problem. To adequately address computer crime, greater efforts must be made within the computer community to discourage unauthorized computer access, countries must strengthen and co-ordinated their computer related laws, as well as proper enforcement mechanism created, computer program copyright laws be enhanced and computer systems should be created to allow those who wish to explore computer systems which will not disrupt the users of computer systems. This paper will first set out a definition of computer crime and why laws or regulation by the computer community must be created. Section II will then discuss the United States law concerning computer crime and why it needs to be strengthened. Section III will discuss the proposed Israeli computer crime bill, Britain's Computer Misuse Act and Ghana's proposed law. Section IV will discuss what can be done by both the government and computer owners and users to make computer crime less possible. II. Computer crime The definition of what constitutes a computer crime has been the subject of much controversy. A computer crime has been defined as "any illegal act for which knowledge of computer technology is used to commit an offense."13 The typical computer criminal has been described as between 15 and 45 years old, usually male, no previous contact with law enforcement, goes after both government and business, bright, motivated, fears loss of status in computer community and views his acts as games.14 For the purposes of this article, this will be the definition used because of its broad reach. Estimates regarding how much is lost to computer crime very widely15. In the only authoritative study, the loss due to computer crime was given at $555,000,000, 930 personnel years lost and 153 computer time years lost.16 The amount of total incidents for 1988 was 485 resulting in 31 prosecutions17. In 1987, there were 335 incidents with 8 prosecutions.18 Security spent on prevention of computer crime is becoming more commonplace19. The most publicized danger to computer systems are viruses20 and worms. A virus is a code segment which, when executed, replicates itself and infects another program.21 These viruses may be created anywhere in the world22 and may attack anything.23 A virus may be transmitted through a trojan horse24 program. A worm exists as a program in its own right and may spread over a network via electronic mail25. A virus attacks a program while a worm attacks the computer's operating system.26 The most notorious computer worm brought the Internet computer network to a halt.27 Computer virus attacks may be overrated.28 It is said that the biggest threat to computing includes "not backing up your data, not learning the ins and outs of your application programs, not putting enough memory in your computer, not organizing your hard disk, [and] not upgrading to the latest version of your applications.29 These computer programs have been compared to the AIDS virus.30 One author has stated that the viruses are used to both increase the amount of profits of computer program producers and anti-virus computer programs.31 Computer viruses may also be used to benefit computer systems, by either detecting flaws in security measures or detecting other viruses.32 Virus are very dangerous, though. The effects of a virus called Datacrime, activated on October 13, 1989, brought down 35,000 personal computers within the Swiss government and several companies in Holland.33 With the opening up of Eastern Europe, the virus problem is expected to increase.34 In Bulgaria, a country which does not have any laws against computer viruses, one new virus appears week.35 Computer viruses are created in countries like the Soviet Union as a way to punish computer pirates because of the lack of copyright laws.36 Perhaps the most dangerous threat to information contained in a computer is the "leakage" of radiation from the computer monitors.37 With inexpensive equipment38 a person can "read" the information off the computer screen and then replicate the information from the screen in a readable manner.39 The threat of attack on a computer system can also come from a hacker. A hacker is a person who breaks into, whether maliciously or not, computers or computer systems.40 A hacker can, if the system is not adequately secured, cause havoc in the computer by either deleting or altering programs or data or planting logic bombs or viruses in the computer system.41 Threats from hackers to plant viruses have been made in the past.42 The threat from computer hackers, as with viruses, has been said to be overrated.43 The issues surrounding computers still have not been decided by those within the computer community. Whether or not persons should be allowed to access computer systems without authorization is still a subject of debate within the computing community. A West German Computing Club, called The Chaos Computing Club, holds the belief that it is not improper to enter any system which they can gain access to and to "look" around inside of the system as much as they wish.44 They do not, however, condone destroying or altering any of the information within the system.45 On the other side, represented by Clifford Stoll, when individuals break into computer systems they disrupt the trust that the computer system is based on.46 This breach of trust not only makes operating the system tougher for the manager in control of the system, but also will decrease the amount of use of the system so less information will be transferred within the system.47 There is also conflicting views as to whether the authors of computer viruses should be punished. Marc Rotenberg48 holds the belief that a virus should be granted first amendment protection in some instances.49 In response to the Internet worm, there were 21 editorials that stated that the attack showed the need for more security in computers while there were 10 letters to editors that stated that the creator should be applauded rather then punished.50 They argue that this was a good way to raise consciousness concerning computer security.51 Alan Solomon, a consultant who specializes in virus detection and eradication, believes that viruses are, at most, an inconvenience.52 III.United States Computer Legislation The United States government53 and most states54 have computer crime laws. In 1979, only six states had such laws.55 Almost every computer crime will, in addition to violating a state and/or federal law, can also be prosecuted under other laws.56 A. Computer Fraud and Abuse Act. Congress originally enacted the Counterfeit Access Device and Computer Fraud and Abuse Act57 to address the problem of computer crime. Understanding that the scope of the original law was too narrow,58 in 1986 Congress enacted amendments to the Computer Fraud and Misuse Act of 1984.59 The Act essentially lists acts that if done with a computer are illegal. The Act also makes individuals culpable for attempting to commit a computer crime.60 In order to commit any of the crimes mentioned in the act, the actor must have acted either "intentionally" or "knowingly" when committing the act. The law addresses national security issues by making a crime of anyone using a computer to obtain information and giving the information to foreign countries.61 The penalty for this crime or its attempt is 10 years for the first offense62 and 20 years for subsequent offenses63. If a person intentionally accesses a computer either without authorization or in excess of his authorization and obtains and acquires information in a financial record of an institution or information contained in a financial record of an individual64, the person will have committed a misdemeanor for the first offense65 and a felony for subsequent offenses66. A person intentionally accessing a government computer without authorization which affects the government's use of that computer67 will have committed a misdemeanor for the first offense68 and a felony for the second offense.69 Accessing a computer with knowledge and intent to defraud and without or exceeding authority is a crime if the person obtains anything of value other than use is a felony70. Accessing a federal interest computer without authorization and either modifying medical records or causing $1,000 or more worth of damage within a one year period71 is punishable with up to 5 years for the first offense72 and 10 years for any subsequent offense.73 The Act also criminalizes trafficking in passwords.74 A person who knowingly and with intent to defraud traffics75 in passwords or similar information may be sentenced for up to one year for the first offense76 and up to 10 years for subsequent offenses77 if the computer is used by or for the Government of the United States78 or affects interstate or foreign commerce.79 B. Criticisms It is important to note that this statute only applies to "Federal interest computers" as defined by this section.80 If a computer is not this type of computer, then any of the above mentioned crimes will not be prosecutable under this section. Congress intentionally made the scope of the law narrow.81 This section has been criticized as not inclusive enough.82 Individual and corporate computers which do not fall into the restrictive definition83 may not receive the protection of the statute. The problem of computer viruses are not addressed by Act.84 The act does not punish those who add information into a computer, even though this may do more harm then just accessing information. The Congress has attempted to address this issue under two bills85, but neither one has been enacted. Unauthorized access where there is no theft or damage to the system is not covered.86 For example, a person access a computer system and looks at information contained therein, he has not committed a punishable crime under the Act.87 Questions have also been brought up concerning many of the undefined terms within the Act.88 Terms such as "intentionally access" and "affects interstate commerce" are among the terms not defined.89 The need to clarify these terms is important so that an individual will know what action will constitute a crime. IV. Legislation From Around The World A. Israel Proposed Computer Law In March 1987, the Israeli Ministry of Justice distributed a draft of a comprehensive computer bill.90 This bill covers a wide range of areas concerning computers91. The Act first sets out a list of proposed definitions for computer, program, software, information, thing and act. Each of these, while short, are concise and attempt to give a brief but comprehensive definition.92 Chapter 2 sets out a list of offenses which, if committed, are punishable.93 A authorized person commits an act upon any computer and knows that the act will prevent or cause disruption of the proper operation is subject to seven years imprisonment.94 A person who, without authority, commits an act which precludes a person from using a computer system or deprives a person of using that system is punishable by up to seven years imprisonment.95 If a person prepares or delivers or operates software knowing that the software will produce faulty results and "having reasonable grounds to assume", the person is punishable for up to seven years.96 The Act also addresses those who supply, deliver or operates a computer with faulty data.97 Section 5 applies to those who use a computer to attempt to obtain some "thing"98 or with intent prevents another from obtaining some "thing".99 A person who prevents another from obtaining a "thing" by the use of software may also be punished.100 A person who deprives a person of an object that contains software, data or information and obtaining a benefit for himself.101 All of these crimes contain a prison sentence of five years. A professional who relies on computer outputs that they know which are false is also subject to punishment.102 The crime carries a sentence of five years.103 This chapter does not apply to all computers, software data or information.104 It only applies to those computers, data or information which are used, designated to be used by or for (1) the state or a corporation that is supplying service to the public105 or (2) "business, industry, agriculture, health services, or for scientific purposes."106 Perhaps the most novel provision of this proposed law is the section governing the reporting of the offenses. Any person who is in charge of another and has reason to believe that an individual has committed an offense under the Act, he must report this to police as soon as possible.107 If the person does not do so, he may be imprisoned for up to one year. B. Analysis The Israeli computer crime bill is more comprehensive then the America bill. By creating a law which will apply not only to government computers, but also to those of "business, industry, agriculture, health services or for scientific purposes,"108 the law essentially covers all computers in the country.109 By creating such broad coverage, the law will be able to make the users of computers in Israel more secure in their knowledge that their systems are safe. B. Analysis The Israeli computer crime bill is more comprehensive then the America bill. By creating a law which will apply not only to government computers, but also to those of "business, industry, agriculture, health services or for scientific purposes,"110 the law essentially covers all computers in the country.111 By creating such broad coverage, the law will be able to make the users of computers in Israel more secure in their knowledge that their systems are safe. The most controversial provision in the act is the proposal requiring that individuals that may know of computer crime must report the crime or face fines themself. As Levenfeld points out112, this will mean that employers will have to impose internal spy rings to be able to tract down the "reasonable suspicions" that individuals have concerning illegal activity. Shalgi, however, believes that this is a good provision in that it will allow computer crime to come more to the forefront so that the crime can be more easily combatted.113 This provision is necessary for the government to understand exactly how large of a problem computer crime is. At present, statistics on computer crime are difficult to determine because of the lack of reporting.114 By making all persons who would be responsible for computer security, i.e. all persons who use computer systems, the problem will be brought into the open and can be addressed. The proposed law also sets out a defense for those who violate the law. Under 11, if a person who violates the law makes another know that he did disrupt or alter the data, he will not be convicted of the crime. This will allow those who perform such acts to avoid the punishment of the law. Individuals who wish to destroy or alter such information will have an incentive to bring forth their mischievous acts so that when brought before the court they could say that they took precautions so that individuals would not rely on the information. This provision will encourage those who do such activity to come forth without fear of conviction. The ability of a court to not impose a punishment on a person is contained in section 12.115 This allows the court to abstain from punishment if the offense is not grave and was not committed with malice. This section, in effect, will allow those who commit computer crime to be able to forgo punishment if their acts were not serious. This will be beneficial to those who are hackers in the original sense of the word,116 yet still allow for punishment of those individuals who enter systems to do harm to it. The law also creates standards for how a computer may be seized. Neither a computer, nor any part of it, may be seized without a court order.117 Although this seems to be a good provision in its effects on individual rights118, the section is not focused enough. The law does not address the issue of whether a floppy, as opposed to a hard disk, is part of a computer. The hard disk is located inside of a computer, while floppy disks may be removed from the computer. This law should address this issue by stating that the floppy disk is also a part of a computer in its definitions.119 This section also does not address what standard may be used for the court order. Must the officer only have a reasonable suspicion or probable cause to seize the computer? By stating explicitly in the statute that the officer must have probable cause to seize the computer, an overzealous police officer will not be able to as easily seize the computer. C. The Great Britain Computer Misuse Act In response to computer program concerning AIDS that was distributed to doctors in Great Britain and Europe that contained a virus,120 Michael Colvin, a British MP introduced the Computer Misuse Bill.121 On August 29, 1990, the Computer Misuse Act122 came into effect.123 It was estimated that the losses to British industry and government were one billion pounds.124 This Act is designed to not to create a confidential information right, but to rather protect computer system integrity125. Prior to enactment, the English Law Commission studied the problem and laws regarding computer crime. It stated that there should be three new offenses to deal with computer misuse: (1) Unauthorized access to a computer, (2) Hacking with intent to commit a serious crime, and (3) Intentional destruction of or alteration to computer programs or data.126 The Computer Misuse Act states that unauthorized access occurs if the person is unauthorized to access the computer, he causes the computer to perform any function with intent to gain access to a program or data in the computer and he knows that this is the case.127 He does not have to be directed to any particular program or data in the computer he attempted to get on or the data or program he wishes to access.128 If a person commits unauthorized access with the intent to commit129 or help another offense,130 the person can be sentenced on summary conviction, up to six months in prison and a fine,131 or if convicted after indictment, to imprisonment of up to five years, a fine or both.132 If a person modifies computer material,133 the person is subject to a fine of up to 5 years, an unlimited fine or both.134 The person must knowingly modify a program without authorization and must have done so with the intent to impair the operation of the computer, to prevent or hinder access, or impair the operation of the program or resulting data.135 The modification does not have to be permanent.136 A modification may be done by either altering, erasing or adding onto a program or data. By stating modification broadly, the act attempts to combat the placing of viruses, worms and logic bombs on computers.137 The Act also extends the scope of jurisdiction.138 A person does not have to actually be in Great Britain at the commission of the crime. The crime itself must have some relation to Great Britain.139 The link must be "significant".140 D. Analysis As opposed to the other statutes, the Computer Misuse Act does not attempt to define computer. This was done because of the fear that any definition given for a computer may become out of date in a short period of time.141 Program and data are also not defined within the Act. Great Britain's courts are granted large jurisdiction. The act allows for anyone who attempt to commit a crime under the act to be punished in Great Britain. The act, although setting out that the link must be significant,142 does not attempt to define this word. By this omission, the Great Britain's courts can expand this to any act that occurs in a foreign country that uses a British computer for even a short period of time. The defining of the word would clear up some misconceptions that may result from the act. Of interest to note, the Act would not punish a person who distributes disks tat contain viruses on them. Although the drafter of the bill said that this was his goal, the law ignores this possibility. An amendment should be added to the law which will punish those who damage data even if they do not access the system. E. Ghana In response to the belief that their existing laws were not adequate, a draft law was proposed by the Ghana Law Reform Commission.143 The bill is rather simple as opposed to the other laws. It has definitions for access, computer, computer network, computer program and data.144 To commit computer related fraud, the person must have an intent to defraud and either alters, damages destroys data or program stored in or used by the computer or obtains information to his own advantage or to the disadvantage of another or uses a computer commits and offense.145 The Act Also sets out alternatives for some sections that may be adopted. The alternative states that any person who obtains access to a computer program or data and attempts to erase or alter the program or data with intent to help his own interests or damage other person's interest commits a crime.146 Damaging computer data occurs if any person, by any means, without authority, willfully does damage to data commits a crime.147 The crime of unauthorized use of a computer is simply defined as anyone who knowingly without authority commits an offence.148 Similarly, unauthorized access is anyone who knowingly gains access to a computer, network or any part there of, without authority to do so.149 The Ghana law also creates a crime for the knowingly and dishonestly introduction of false data and the omission to introduce, record or store data.150 An authorized person who willfully or intentionally allows information to get into the hands of an unauthorized person and that person uses the information to his advantage also commits a crime.151 The penalties for the crimes are similar to those of the Great Britain law.152 On summary convictions, a jail term may be given of up to two years or the statutory maximum fine or both.153 On conviction on indictment, a prison term of no more then ten years or an unlimited fine, or both may be given.154 The jurisdiction that the Ghana courts have in accord with this jurisdiction is as large as their British counterpart.155 The courts can hear any case if the accused person was in Ghana at the time of the act.156 Also, if the program or data was stored in or used with a computer or computer network in Ghana the person may be tried under the law.157 F. Analysis The Ghana proposed Computer Crime Law is in accord with the United States, Great Britain and the proposed Israeli laws. By setting out definitions for the various terms used in the law158, the law clearly defines which acts may be subject to prosecution under the law. Although simple, the definitions attempt to capture within the law's grasp the various different acts which could be done with a computer that should be outlawed. The most original section of the act concerns the newly created crime of omission to introduce, record or store data.159 This section, however, will end up punishing those who work in corporations that are at the lowest level skill-wise. The government should, if the law is enacted, force companies to give each employee a sufficient amount of training on a computer so that the person will be able to act in accordance with the law. The act does provide a safeguard by making the mens rea of the crime "negligently or dishonestly"160 The act also sets out a crime for an individual who allows information to get into the hands of another.161 As opposed to the other laws, this section specifically address the problem of where an authorized individual gives information to an outsider. By specifically regulating this behavior, anyone who wishes to act according will know that the act is illegal. The crime of computer-related fraud is defined broadly.162 This law effectively makes any type of fraud committed either with a computer or information within a computer a crime. The law adequately addresses the problems that might occur with a computer in fraud. A broad definition, however, may still let some act seem as though they are not covered since the act is not specific in the area of what constitutes a crime. Most significantly, the act does not state which types of computers are covered by the act.163 By not giving a limit on which computers are covered, the act extends its jurisdiction to all "computer"164 and "computer network"165 in the country. If the definition of computer changes, due in part to advance technology, the law may have to change this section. V. Proposed Solutions Computer Crime laws have come a long way in addressing the problem of computer crime.166 The ability to regulate the activity will decrease the amount of crime that is committed. Those who use the computers of the world, however, must not rely totally on there respective governments to combat this problem.167 The best way to combat computer crime is to not let it occur at all. Many computer systems have not been given enough security by their system managers.168 It is possible to have a totally secure computer system169, but it is impractical and slows the free flow of information.170 By creating laws that will protect the integrity of computer systems while also allowing for the ability of our best and brightest to develop and learn about computer systems will the nation be able to keep our technological lead in the world. In order to combat the problem of unauthorized access, users of computer systems must be taught to respect each others privacy within the various systems. Creating an standard of ethics for those who are users of computers will be the best way since it will hold the users to standards that must be met. Although some organizations have attempted to promogate standards regarding the ethical use of computer systems171 no one standard has emerged. Proposed rules of ethics should balance the need of individuals to be able to learn and discover about the various types of computer systems, while at the same time allowing for those who use those systems to be secure in the knowledge that the information stored on the computer will not be read by those other then person who should have access to it. If computer crime laws are enacted, industries that use computers should not use the new laws as a replacement for using adequate security measures.172 Individuals or corporations that use computer have several ways to protect themselves from unauthorized access. If the computer can be accessed by a modem, the computer can have a dial back feature placed on the phone line so that one a computer is accessed, the computer will then call back to make sure that the call is coming from a line which is supposed to access the computer.173 The proper use of passwords174 are also an effective way to address the problem of unauthorized access. A recent study has shown that out of 100 passwords files, approximately 30 percent were guessed by either using the account name or a variation of it.175 A program has recently been developed that will not allow a user to select an obvious password.176 Encryption programs, similar to the program used on Unix operating system, can scramble a password in a non reversible manner so that if the encrypted password falls into the hands of an individual who is not supposed to access the system, the person will not be able to get into the system. These systems can also be used so that if a hacker does get into a computer system and attempts to get information, the information will not be readable.177 A problem that must be address is the lack of laws concerning copyright protection of computer programs in foreign countries. The Pakistan Brain178 was written to discourage copying of a program without authorization. By creating pirating penalties a reason for the creation of computer viruses will be removed and less viruses will be created.179 Many in the field argue that computer programs should not be copyrighted.180 Copyright protection should not be afforded to computer programs since they are only mathematical equations.181 Copyright protection should be given to the maker of a computer programmer only for a short period of time.182 A novel concept which will both satisfy the computer hackers quest for knowledge through examining computer systems and protect the integrity of computer systems is to create a computer systems for the use of hackers alone.183 This computer would not be connected to other computer systems, but can be accessed through a modem.184 If created, accounts would be given to all interested computer enthusiasts. Those participating will not be prosecuted for exploring unauthorized areas of the system.185 Since other computer systems will not be accessible through this system, any activity on this system will not endanger the information on other systems.186 By allowing this to be done, a major problem will be solved, the inability to afford to buy a mainframe system, while a person will still be able to learn about different types of systems. If any laws are to be made, they should make "knowing"187 or "intentionally"188 unauthorized access into a computer a crime. By making the intent of the crime be knowing, it will allow those who accidently connect to a computer system that they think is theirs but is not to be excused from punishment. The law must also be done in a way that will allow it to be enforced across national boundaries. A computer hacker can access computers from across the world without ever leaving his home country.189 If these laws can only be enforced within the home country, then a person can, in theory, go into a country of whose computers that he would never want to access and access into other computers without fear of punishment.190 An international convention should be convened to address this problem. Since the problem is of international concern and the crimes do occur across the boarders of countries, by setting standards by the international community concerning the conduct of computer users, the hodgepodge of computer crime laws will be eradicated in favor of a common international standard. As the boundaries in Western Europe disappear in anticipation of 1992, international access is sure to accelerate. Colleges, Universities and high schools must institute programs designed to address proper computer use.191 Although not all computer users are not trained in school, teaching the ethical use of computers will allow users to understand the need for security on systems. These programs will also show users that computer crime is dangerous to society.192 Problems concerning computer crime should be publicized so as not to mystify the crime.193 The United States and other countries must create more Computer Emergency Response Teams (CERT). These teams are to coordinate community responses to emergency situations, coordinate responsibility for fixing hole in computer systems and serve as a focal point for discussions concerning computer systems.194 These groups regularly post notices concerning computer viruses or other dangers in the Internet computer system. The scope of these groups should be expanded so they may be a focal point of the needs and desires of those who use computers. If they are used to gather information as a clearing house type operation, the spread of information concerning computer systems and problems with the systems will be more adequately addressed. IV. Conclusion Computer crime is a growing problem. With the advent of the computer and a more computer literate public, crimes committed by computers will increase. To effectively address the problem, laws must be created to outlaw activity which is designed to further illegitimate ends. These laws have moved in the right direction concerning what should be outlaws so as to balance the needs of computer users against those of the computer owners. To enforce these laws, governments must realize that the problem of computer crime is not only of local concern. Educational programs and standards of ethics must be created from within the computer users community. Corporations which use computers must educate their employees to reduce the fear that one might have when addressing a computer security issue. Copyright laws must be strengthened in countries that either do not have or have weak copyright laws so that the need to create viruses to protect an individual's or corporation's work will no longer be necessary. To satisfy users curiosity with computers, a non-secure computer system should be created. This system will allow those who wish to explore a system in order to understand the system may. Those individuals can do so without the fear of prosecution. Only by directly addressing the causes of computer crime and drafting standards and laws to address the unique area will the problem of computer crime be adequately addressed. Light must be shined on the area so individuals will realize that fear of the machines is not justified. Only by doing so may we enter the 21st century realizing the full potential of computers. Appendix A Ghana Computer Crime Law (Proposed) Computer Crime Law Computer Crime Law In pursuance of the Provisional National Defense Council (Establishment) Proclamation 1981, this Law is hereby made: 1. Any person who, with intent to defraud, (a) alters, damages, destroys or otherwise manipulates data or program stored in or used in connection with a computer, or (b) obtains by any means, information stored in a computer and uses it to his advantage or to another person's advantage to the disadvantage of any other person, or (c) uses a computer commits an offense. Charge: Computer-related fraud. ALTERNATIVE: (1) A person commits an offense if that person obtains access to a computer program or data, whether stored in or used in connection with a computer or to a part of such program or data to erase or otherwise alter the program or data with the intention- 1. (a) of procuring an advantage for himself or another person: or (b) of damaging another person's interests. 2. Any person who, by any means, without authority, wilfully destroys, damages, injures, alters or renders ineffective data stored in or used in connection with a computer commits an offense. Charge: Damaging Computer data. 3. Any person who, without authority, knowingly uses a computer commits and offense. Charge: Unauthorized use of a computer. 4. Any person who, without authority, knowingly gains access to a computer, computer network, or any part thereof commits an offense. Charge: Unauthorized access to a computer. 5. Any person who, knowingly and dishonestly introduces, records or stores, or causes to be recorded, stored or introduced into a computer or computer network by any means, false or misleading information as data commits an offense. Charge: Insertion of false information as data. ALTERNATIVE: (5) A person commits an offense if, not having authority to obtain access to a computer program or data, whether stored in or used in connection with a computer, or to a part of such program or data, he obtains such unauthorized access and damages another person's interests by recklessly adding to, erasing or otherwise altering the program or the data. 6. Any person under a contractual or other duty to introduce, record or store authorised data into a computer network, who negligently or dishonestly fails to introduce, record or store, commits an offense. Charge: Omission to introduce, record or store data. ALTERNATIVE (6) Any person under a contractual or other duty to introduce, record or store data into a computer or computer network who negligently or dishonestly fails to introduce, record or store, commits an offense. 7. Any authorised person who willfully or intentionally allows information from a computer to get into the hands of an unauthorised person who uses such information to his advantage commits an offense. Charge: Allowing unauthorised person to use computer data. 8. A person guilty of an offense under this Law shall be liable:- (a) on summary conviction, to imprisonment for a term not exceeding two years or to a fine not exceeding the statutory maximum or both; or (b) on conviction on indictment, to imprisonment for a term not exceeding ten years or to an unlimited fine, or both. 9. A court in Ghana shall have jurisdiction to entertain proceedings for an offense under this Law, if at the time the offense was committed:- (a) the accused was in Ghana; or (b) the program or the data in relation to which the offence was committed was stored in or used with a or used with computer or computer network in Ghana. computer network in Ghana. 10. In this Law, unless the context otherwise requires:- "access" includes to log unto, instruct, store data or programs in, retrieve data or programs from, or otherwise communicate with a computer, or gain access to (whether directly or with the aid of any device) any data or program. "computer" includes any device which is capable of performing logical, arithmetical, classifactory, mnemonic, storage or other like functions by means of optical, electronic or magnetic signals. "Computer network" includes the interconnection of two or more computers, whether geographically separated or in close proximity or the interconnection of communication systems with a computer through terminals, whether remote or local. "Computer program" includes an instruction or statement or series of instructions or statements capable of causing a computer to indicate, perform, or achieve any function. "data" includes a representation in any form whether tangible or intangible that is capable of being stored in or retrieved by a computer. ENDNOTES ENDNOTES 1. Financial Times Limited (London) April, 1990. 2. See, infra, endnote 36 and accompanying text. infra 3. Stoll, The Cuckoo's Egg (1990). [hereinafter Stoll]. The Cuckoo's Egg 4. Lyons, 13 Are Charged in Theft of Data from Computers, New York Times, August 17, 1990, B2, col. 3. 5. Although there is no set definition of a computer publication, it is created and published solely on a computer. Peretti, Computer Publications and the First Amendment (1990) (available at Princeton University FTP site and The American University Journal of International Law and Policy Office). 6. Dorothy Denning, The United States v. Craig Neidorf (available at The American University Journal of International Law and Policy office). 7. Schares, A German Hackers' Club that Promotes Creative Chaos, Business Week, Aug. 1, 1988, 71. 8. Barlow, Crime and Puzzlement: In advance of the Law on the Electronic Frontier, Whole Earth Review, Sept. 22, 1990, 44. 9. Kopetman, Computer Gave Them Bum Rap, Los Angeles Times, Los Angeles Times Jan. 10, 1991, at B1, col. 2. 10. See, J. Thomas McEwen, Dedicated Computer Crime Units (19--) See, (stating how important computers have become to society). In 1978 there were 5,000 desktop computers in the United States. S. Rep. No. 432, 99th Cong., 2d Sess. 2, reprinted in, 1986 U.S. reprinted in Code Cong. & Admin. News 2479, 2479. By 1986, this number had increased to about 5 million. Id. Id. 11. See, S. 2476, Floor Statement by Senator Patrick Leahy. 12. See, Stoll at ___ (stating that all countries, except Albania, are connected via computer systems). 13. McEwen, Dedicated Computer Crime Units 1 (19--). Another _______________________________ definition used is the definition of computer crime was "any illegal act for which knowledge of computer technology is essential for successful investigation and prosecution". Parker, Computer Crime: Criminal Justice Resource Manual, (1989). _________________________________________________ 14. Conly, Organizing for Computer Crime Investigation and Prosecution, 6-7 (19--). 15. For instance, the estimated cost of the Internet Worm, a computer program created by Robert Morris, Jr. which shut down the Internet computer system, varies from $97,000,000 (John McAfee, Chairman, Computer Virus Industry Association) to $100,000 (Clifford Stoll's low bound estimate). Commitment to Security, 34 (1989). It is difficult to determine exactly the cost of such crime because it is difficult to determine what should be included. The estimated downtime of a computer due to such activity could be used to determine the cost. This may be flawed, however, since it will not take into account how much of the down time actually would have been used. Electronic Mail Letter from Richard Stallman to Brian J. Peretti (Dec. 3, 1990) (concerning computer crime). 16. Commitment to Security, 34. The average facility, consisting of 1,224 microcomputers, 96 minicomputers and 10 mainframe computers, lost $109,000, 365 personnel hours and 26 hours computer time loss per year. Id. Id. 17. Id. at 23. 6 percent of incidents resulted in prosecutions. Id. Id. Id. 18. Id. Id. 19. Only 1.5 percent of respondents to a National Center for Computer Crime Data used Anti-virus products in 1985. By 1988 this figure rose to 22 percent. By 1991, 53 percent of the respondents stated that they would be using anti-virus software by 1991. According to a Price Waterhouse survey in Great Britain, in 1985 26 percent installations spent nothing on security. Authers, Crime as a Business Risk- Security/ A Crime as a Business Risk- Security/ A Management as Well as a Technical Problem, Financial Times Management as Well as a Technical Problem (London), November 7, 1990. By 1990 this figure had shrunk to 4 percent and is expected to decline to 0 by 1995. Id. The amount Id. spent on security for new systems has increased from 5 percent in 1985 to 9 percent by 1990. Id. Id. In Japan, less than 10 percent of groups that rely heavily on computers have taken measures to prevent virus attacks. Computer Users Fail to Protected Against Viruses. Although Japan Computer Users Fail to Protected Against Viruses. does not have a computer crime law, there is a movement to make such a law. Computer Body Calls for Jail Sentences for Hackers, Computer Body Calls for Jail Sentences for Hackers Kyodo News Service, Nov. 15, 1990 (available from the Nexis library). The Japan Information Processing Development Association has stated that the new law should make the crime punishable of either one year of hard labor or a fine. Id. Id. 20. The terms was first applied in 1984. Commitment to Security, 34 (1989). 21. Ring, Computer Viruses; Once Revered as Hackers, Technopaths Threaten Security of Computer-Dependant Society, Computergram, July 7, 1989. Some of these viruses are extremely small, e.g. Tiny, which is 163 bytes, may be the smallest. Friday 13th Virus Alert, The Times (London), July 12, 1990. 22. Graggs, Foreign Virus Strains Emerge as Latest Threat to Foreign Virus Strains Emerge as Latest Threat to U.S. PCs, Infoworld, Feb. 4, 1991, 18. Viruses have appeared U.S. PCs from Bulgaria, Germany, Australia, China and Taiwan. Id. Some new Id. viruses include Armageddon, from Greece which attacks through modems and then dials to a talking clock in Crete, Liberty, from Indonesia, Bulgaria 50, which is thought to have come from a "laboratory" in Sofia, Victor, thought to originate in the U.S.S.R., the Joker, from Poland, which tells the user that the computer needs a hamburger, and Saturday the 14th, presumed to have been developed in South Africa, which destroys a computer's file allocation table. Id. Id. Some viruses also carry a message when they are activated. A virus that is though to have been developed by students at Wellington, New Zealand, tells the user that they have been "stoned" and requests that marijuana should be legalized. Id. Id. Approximately 80 or 90 of the 300 viruses counted for the IBM personal computer originated in Bulgaria according to Morton Swimmer of Germany's Hamburg University Virus Test Center. 23. A report in La Liberation, a French newspaper, stated that La Liberation computer viruses could be planted in French EXOCET missiles to misguide them when fired. La Liberation, Jan. 10, 1991, reprinted in Klaus Brunnstein, Risks-Forum, vol. 10, iss. 78, reprinted in Jan. 22 1991 (available at American Journal of International Law and Policy Office). 24. A "trojan horse" is a program that does not seem to be infected, however, when used in a computer, the virus is then transferred the uninfected machine. On trojan horse destroyed 168,000 files in Texas. Commitment to Security, 34 (1989). 25. Ring, Computer Viruses; Once Revered as Hackers, Technopaths Computer Viruses; Once Revered as Hackers, Technopaths Threaten Security of Computer-Dependent Society, ComputerGram, Threaten Security of Computer-Dependent Society July 7, 1989. 26. Highland, One Wild Computer "Worm" Really Isn't a Federal One Wild Computer "Worm" Really Isn't a Federal Case, Newsday, Jan. 23, 1990, 51. Case 27. Stoll, at 346. The amount of computers that were actually infected by the worm is still the subject of debate. Mr. Stoll estimates that 2,000 computers where infected, while the most commonly cited number is 6,000. Commitment to Security, 34 (1989). The 6,000 estimate was based on an Massachusetts Institute of Technology estimate that 10 percent of the machines at the school were infected and was then inferred to the total number of machines across the country that were affected. General Accounting Office, Computer Security: Virus Highlights Need for Improved Internet Management, 17 (1989). This number may be inaccurate because not all locations had the same amount of vulnerable machines. Id. Id. 28. For the first eight months of 1988, there were 800 incidents concerning computer viruses. Commitment to Security, 34. The Computer Virus Industry Association reported that 96 percent of these reported infections were incorrectly identified as viruses. Id. Id. 29. Robinson, Virus Protection for Network Users, Washington Post, Washington Business, p.44, Feb. 11, 1991. 30. Ross, Hacking Away at the Counterculture, 3 (1990) (available at the American University Journal of International Law and Policy). On Saturday Night Live, during the news update segment, Dennis Miller stated, in comparing a computer viruses to the AIDS virus, "Remember, when you connect with another computer, you're connecting to every computer that computer has ever been connected to." Id. Id. 31. Id. at 8-9. Id. 32. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287 before the Subcomm. on Criminal Justice of the House Comm. on the Judiciary, 100th Cong., 1st Sess. 49 (1989) (statement of Marc Rotenberg, Director, Computer Professionals for Social Responsibility). In Israel, Hebrew University used a computer virus to detect and destroy a virus that would have destroyed data files. Id. Id. 33. Computergram International, October 14, 1990. 34. 35. Watts, Fears of Computer Virus Attack from East Europe grow, Fears of Computer Virus Attack from East Europe grow The Independent, November 24, 1990, p.6. On a trip to Bulgaria, a British computer consultant returned with 100 viruses that do not exist in the West. Id. Id. 36. Id. 37. McGourty, When a Hacker Cracks the Code, The Daily Telegraph When a Hacker Cracks the Code (London), October 22, 1990, p. 31. 38. The equipment would cost about 50 (British) pounds. Id. Id. 39. Id. A British company, has stated that they have developed Id. a glass that will reduce this problem. Tieman, Spy-Proof Glass to Beat the Hackers, The (London) Times, Jan 17, 1991. A more recent problem concerns the ability of computer hackers to access into fax machines and either change or reroute information from the machine. Becket, Espionage fears mounting as Espionage fears mounting as hackers tap into faxes, The Daily Telegraph (London), December 1, hackers tap into faxes 1990, p. 23. This problem can be circumvented by the use of encryption devices or passwords on the machine. Id. Id. 40. Stoll at 9. The word itself originally had two meanings. People originally called themselves hackers were software wizards who thoroughly knew computer systems. Id. In U.S. v. Riggs, 739 U.S. v. Riggs F. Supp. 414, 423 (N.D. Ill. 1990) the court defined hackers as "individuals involved with the unauthorized access of computer systems by various means." The New Hacker's Dictionary defines hackers as "A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn only the minimum necessary." New Hacker's Dictionary, to be published Spring, 1991. Hacker has also been used in a non-evil sense with the word "cracker" taking the disreputable part of the word. In this light, hacker means "computer enthusiasts who `take delight in experimenting with system hardware, software and communication systems." and cracker meaning "a hacker who specializes in gaining illegal access to a system." One Wild Computer `Worm' One Wild Computer `Worm' Really Isn't a Federal Case, Newsday, January 23, 1990, p.51. Really Isn't a Federal Case The typical hacker has been described as "a juvenile with a home computer who uses computerized bulletin board systems for a variety of illegal purposes. Conly, Organizing for Computer Crime Investigation and Prosecution, 8 (19--). 41. Sulski, How to Thwart Potential Saboteur, Chicago Tribune, How to Thwart Potential Saboteur November 18, 1990, p.18. 42. Computerworld, December 3, 1990, p. 122. Kryptik, a hacker group, was stated as having planned to plant a virus in a telephone network on December 5, 1990. Id. It is unclear, Id. however, if the virus actually was planted. Id. Id. 43. Sulski, How to Thwart Potential Saboteur, Chicago Tribune, How to Thwart Potential Saboteur November 18, 1990, p.18. Computer security experts state that the risk of having hacker break into your system is less than being burglarized or having a power outage due to lightning. Id. Id. Errant opinion poll results have also been blamed on the work of hackers. Holdsworth, Hackers May Have Attacked TV Poll Hackers May Have Attacked TV Poll Computers-MP, Press Association Newsfile, May 4, 1990. Computers-MP 44. Stoll, 312. 45. Id. This view is also shared by the editors of 2600, The Id. Hackers Quarterly. It is also held by these persons that a service is done to the computing community because those who break in to computer systems show the operators that their system is not strong enough and that it should be made stronger. 46. Stoll, at 354. 47. Mr. Stoll's computer was broken into by an Australian hacker who said he did so to show that Mr. Stoll's security was not good and that hackers are good because they show where security problems are in computer networks. Id. at 353-54. He Id. rejected such arguments. Id. Id. 48. Director, Computer Professionals for Social Responsibility 49. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287 before the Subcomm. on Criminal Justice of the House Comm. on the Judiciary, 100th Cong., 1st Sess. 26-27 (1989) (statement of Marc Rotenberg, Director, Computer Professionals for Social Responsibility). The Aldus peace virus, which displayed a message calling for peace and then disappeared without damaging the system itself, is an example of a virus which he believes should be protected. Id. Id. 50. Commitment to Security, 34. 51. Stoll, 349. 52. "I can never understand why people think it is all right to run out of computer paper but not all right to be infected with a virus. The disruption is the same and it takes about the same amount of time to put matters right." Cane, Hygiene See Off Hygiene See Off Computer Viruses, Financial Times (London) October 14, 1989, Computer Viruses Section I, p. 24. 53. 18 U.S.C. 1030 (1988). 54. Ala. Code 13A-8-100 et.seq. (1990); Alaska Stat. Ala. Code Alaska Stat. 11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985, 11.46.990 (1990); Ariz. Rev. Stat. Ann. 13-2301(E), 13-2316 (1990); Cal. Ariz. Rev. Stat. Ann. Cal. Penal Code 502 (West 1990); Colo. Rev. Stat. 18-5.5-101 et. Penal Code Colo. Rev. Stat. seq. (1990); Conn. Gen. Stat 53a-250 et. seq., 52-570b (1990); Conn. Gen. Stat Del. Code Ann. tit. 11, 931 et seq. (1990); Fla. Stat. Del. Code Ann. Fla. Stat. 815.01 et seq. (1990); Ga. Code Ann. 16-9-90 et seq (1990); Ga. Code Ann. Haw. Rev. Stat. 708-890 et seq. (1990); Idaho Code 18-2201, Haw. Rev. Stat. Idaho Code 2202 (1990); Ill. Ann. Stat. 15-1, 16-9 (1990); Ind. Code Ill. Ann. Stat Ind. Code 35-43-1-4, 35-43-2-3 (1990); Iowa Code 716A.1 et. seq. Iowa Code (1990); Kan. Stat. Ann. 21-3755 (1990); Ky. Rev. Stat. Ann. Kan. Stat. Ann. Ky. Rev. Stat. Ann. 434.840 et. seq. (1990); La. Rev. Stat. Ann. 14(D) 71.1 et La. Rev. Stat. Ann seq. (1990); Me. Rev. Stat. Ann. chap. 15, tit. 17-A, 357 Me. Rev. Stat. Ann. (1990); Md. Crim. Law Code Ann. Article 27 45A, 146 (1990); Md. Crim. Law Code Ann. Mass. Gen. L. ch 266, 30 (1990) see infra; Mich. Comp. Laws Mass. Gen. L. Mich. Comp. Laws 28.529(1) et seq. (1990); Minn. Stat. 609.87 et seq. (1990); Minn. Stat. Miss. Code Ann. 97-45-1 et seq (1990); Mo. Rev. Stat. 569.093 Miss. Code Ann. Mo. Rev. Stat. et seq. (1990); Mont. Code Ann. 45-2-101, 45-6-310,45-6-311 Mont. Code Ann. (1990); Neb. Rev. Stat. art. 13(p), 28-1343 et seq (1990); Nev. Neb. Rev. Stat. Nev. Rev. Stat. 205.473 et seq. (1990); N.H. Rev. Stat. Ann. Rev. Stat. N.H. Rev. Stat. Ann. 638.16 et seq. (1990); N.J. Rev. Stat. 2C:20-1, 2C:20-23 et. N.J. Rev. Stat. seq., 2A:38A-1 et seq. (1990); N.M. Stat. Ann. 30-16A-1 et N.M. Stat. Ann. seq. (1990); N.Y. Penal Law 155.00, 156.00 et seq, 165.15(10), N.Y. Penal Law 170.00, 175.00 (1990); N.C. Gen. Stat. 14-453 et seq (1990); N.C. Gen. Stat. N.D. Cent. Code 12.1-06.1.01(3), 12.1-06.1-08 (1990); Ohio Rev. N.D. Cent. Code Ohio Rev. Code Ann. 2901.01, 2913.01, 1913.04, 1913.81 (Anderson 1990); Code Ann. Okla. Stat. tit. 21, 1951 et seq. (1990); Or. Rev. Stat. Okla. Stat Or. Rev. Stat. 164.125, 164.377 (1990); Pa. Cons. Stat. 1933 (1990); R.I. Pa. Cons. Stat. R.I. Gen. Laws 11-52-1 et seq (1990); S.C. Code Ann. 16-16-10 et Gen. Laws S.C. Code Ann. seq (Law. Co-op 1990); S.D. Codified Laws Ann. 43-43B-1 et seq. S.D. Codified Laws Ann. (1990); Tenn. Code Ann. 39-3-1401 et seq (1990); Texas Code Tenn. Code Ann. Texas Code Ann. tit 7 33.01 et seq. (Vernon 1990); 19 Utah Laws 76-6- Ann. Utah Laws 701 et seq.; Va. Code Ann. 18.2-152.1 et seq. (1990); Wash. Va. Code Ann. Wash. Rev. Code Ann. 9A.48.100, 9A.52.010, 9A.52.110 et seq. (1990); Rev. Code Ann. Wis. Stat. 943.70 (1990); Wyo. Stat. 6-3-501 et seq. (1990). Wis. Stat. Wyo. Stat. 55. Parker, Computer Crime: Criminal Justice Resource Manual, 129 (1979). 56. McEwen, Dedicated Computer Crime Units, 60 (1989). These other laws include embezzlement, larceny, fraud, wire fraud and mail fraud. Id. at 60. ___ 57. Pub. L. No. 98-473, 2102(a), 98 Stat. 1837, 2190 (codified at 18 U.S.C. 1030). 58. S. Rep. No. 432, 99th Cong., 2d Sess., 1986 U.S. 2, reprinted in, 1986 Cong. & Admin. News 2479, 2479. reprinted in 59. Pub. L. No. 99-474, 2, 100 Stat. 1213 (amending 18 U.S.C. 1030). 60. 18 U.S.C. 1030(b). 61. 18 U.S.C. 1030(a)(1). The person must act knowingly to access a computer either without authorization or exceeding the authorization given and obtain information with the intent or reason to believe that the information will either injure the United States of American or give an advantage to a foreign nation. As seen by the placement of this section, it is clear that the Congress was particularity aware of the dangers that computer might have to the national security of the United States. This section parallels 18 U.S.C. 793, the federal espionage statute. 62. 1030(c)(1)(A). 63. 1030(c)(1)(B). 64. As defined by the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. 65. 1030(c)(2)(A). 66. 1030(c)(2)(B). The penalty is up to 10 years in prison. 67. 18 U.S.C. 1030(a)(2). 68. 18 U.S.C. 1030(c)(2)(B). 69. 18 U.S.C. 1030(c)(2)(B). 70. The punishments that may be handed out are up to 5 years for the first offense and 10 years for any subsequent offense. 71. 18 U.S.C. 1030(a)(5). 72. 18 U.S.C. 1030(c)(3)(A). 73. 18 U.S.C. 1030(c)(3)(B). 74. 18 U.S.C. 1030(a)(6). 75. As defined by 18 U.S.C. 1029. 76. 18 U.S.C. 1030(c)(2)(A). 77. 18 U.S.C. 1030(c)(2)(B). 78. 18 U.S.C. 1030(a)(6)(B). 79. 18 U.S.C. 1030(a)(6)(B). 80. These computers include computers used exclusively for the United States government or a financial institution or if not exclusively by the government one which the conduct of the computer affects the government's or the institution's operation, 18 U.S.C. 1030(e)(2)(A), the computer is one of two or more computers that commit the offense, 18 U.S.C. 1030(e)(2)(A). Financial institution is defined in 18 U.S.C. 1030(e)(4) and includes and institution whose deposits are insured by the Federal Deposit Insurance Corporation, 1030(e)(4)(A), the Federal Reserve or one of its members, 1030(e)(4)(B), a credit union insured by the National Credit Union Administration, 1030(e)(4)(C), a Federal home loan bank system member, 1030(e)(4)(D), institutions under the Farm Credit Act of 1971, 1030(e)(4)(F), a broker-dealer registered pursuant to 15 of the Securities Exchange Act of 1934, 1030(e)(4)(F), or a Securities Investor Protection Corporation, 1030(e)(4)(G). 81. S. Rep. No. 432, 99th Cong., 2d Sess. 4, reprinted in, 1986 reprinted in U.S. Code Cong. & Admin. News 2479, 2481. 82. Note, Computer Crime and The Computer Fraud and Abuse Act of 1986, X Computer/Law Journal 71, 79, (1990). 83. 18 U.S.C. 1030 (e)(2) states: As used in this section- (2) The term "Federal interest computer" means a computer- (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or (B) which is one of two or more computer used in the committing the offense, not all of which are located in the same state. 84. "[T]here is not statute specifically addressing viruses." 135 Cong. Rec. E2124 (daily ed. June 14, 1989) (letter of Rep. Cong. Rec. E2124 Herger (quoting FBI Director William Sessions)). 85. H.R. 287 and H.R. 55. 86. "Existing criminal statues are not specific on the question of whether unauthorized access is a crime where no theft or damage occurs . . ." 135 Cong. Rec. E2124 (daily ed. June 14, Cong. Rec. 1989) (letter of Rep. Herger (quoting FBI Director William Sessions)). 87. Prosecution could occur under a trespass law. It may not be applicable, however, since trespass is a property based crime and courts have not recognized information in the same manner as real property. 88. Note, Computer Crime and The Computer Fraud and Abuse Act of 1986, X Computer/Law Journal 71, 80 (1990). 89. Id. Id. 90. Shalgi, Computer-ware: Protection and Evidence, An Israeli Computer-ware: Protection and Evidence, An Israeli Draft Bill, IX Computer/Law J. 299, 299 (1989) [hereinafter Draft Bill Computer/Law J. Shalgi]. This proposed bill has not progressed much since it was proposed and is at the stage prior to an official "bill". Letter from Barry Levenfeld to Brian J. Peretti (December 13, 1990) (concerning Israel's legislature progress on the comprehensive computer law). This paper will use the Shalgi English translation of the law. 91. Chapter 2 concerns Offenses and Accessing Computers, Chapter 3, Damages, Chapter 4, Rights of Software Creators and Chapter 5, Evidence. Levenfeld, Israel Considers Comprehensive Computer Law, Israel Considers Comprehensive Computer Law, Int'l Computer L Advisor 4 (March 1988). The topics covered in Int'l Computer L Advisor Chapters 2 through 5 are beyond the scope of this paper. 92. 93. Shagli, at 311. 94. Chapter 2, 2, Shagli at 311. 95. Chapter 2, 3(a), Shagli at 311. An employee is exempt if he commits this act when it was due to a strike concerning a labor dispute. Chapter 2, 3(b), Shagli at 311. 96. Chapter 2, 4(a). 97. Chapter 2, 4(b), Shagli at 311. 98. As defined by Chapter 1, 1. 99. Chapter 2, 5, Shagli at 311. 100. Chapter 2, 6, Shagli at 312. 101. Chapter 2, 7, Shagli at 312. 102. Chapter 2, 9, Shagli at 312. 103. Id. Id. 104. Chapter 2, 10, Shagli at 312. 105. By not stating that this also applies to individuals or others (non-corporations) who are attempting to supply services to the public, some important services that may be offered to the public may not be done. Levenfeld, 8, translates the word corporation as entities which may solve the problem. 106. Shalgi, 312. Levenfeld, 5, states that since this section is so broad the only possible areas that are not covered are personal and academic uses. 107. Chapter 2, 14, Shagli at 313. 108. Section 5. 109. Levenfeld, 4-5. Perhaps the only computers not covered would be those used for personal or academic uses exclusively. Id. at 5. Id. 110. Section 5. 111. Levenfeld, 4-5. Perhaps the only computers not covered would be those used for personal or academic uses exclusively. Id. at 5. Id. 112. Levenfeld at 4. 113. Shalgi, 305. 114. See, Computers at Risk, Safe Computing in the Information Age, 36 (1991) (discussing the need for a repository to gather computer crime information). 115. Chapter 2, 12, Shagli at 313. 116. New Hacker's Dictionary. 117. Chapter 2, 13, Shagli at 313. The law states that if the owner of the computer is not given in his presence, the order is only good for twenty-four hours. Id. Id. 118. Shagli, at 304. Under Israeli law, an object that may be proof of an offense may be seized without a court order. Id. The Id. law will bring the seizure of computers in accord with the United States Constitution's sixth Amendment. 119. Chapter 1, 1, Shagli at 310. 120. Alexander, Suspect Arrested in AIDS Disk Fraud Case, Suspect Arrested in AIDS Disk Fraud Case Computerworld, Feb. 5, 1990, 8. 121. Colvin, Lock up the Keyboard Criminal, Telecommunications PLC (England), June 1990. 122. Computer Misuse Act, 1990, ch. 18. 123. In the five years prior to the adoption of the Act, there were 270 cases of computer misuse in Britain of which only six were brought to court and only 3 resulting convictions. Fagan, Technology: EC urged to strengthen laws on computer crime, The Technology: EC urged to strengthen laws on computer crime Independent (London), February 13, 1990, p. 19. 124. Id. Id. 125. Davies, Cracking down on the computer hackers, Fin. Times Cracking down on the computer hackers (London), October 4, 1990. 126. Law Commission No. 186, Cm 819. 127. Computer Misuse Act, 1990, ch. 18, 1. 128. The penalty for this type of behavior is up to six months in prison, 2000 pounds or both. 129. Computer Misuse Act, 1990, ch. 18, 2(1)(a). 130. Computer Misuse Act, 1990, ch. 18, 2(1)(b). 131. Computer Misuse Act, 1990, ch. 18, 2(5)(a). 132. Computer Misuse Act, 1990, ch. 18, 2(5)(b). 133. Computer Misuse Act, 1990, ch. 18, 3(1). 134. Computer Misuse Act, 1990, ch. 18, 3(7). 135. Computer Misuse Act, 1990, ch. 18, 3(2). 136. Computer Misuse Act, 1990, ch. 18, 3(5). 137. Id. Colvin, Lock up the Keyboard Criminal , Id. Telecommunications PLC (England), June 1990. 138. Computer Misuse Act, 1990, ch. 18, 4. 139. Computer Misuse Act, 1990, ch. 18, 4(1). 140. 5(2) states that a significant link under 1 can be (a) the person was in Great Britain at the time in which he caused the computer to act in a certain way or (b) the computer he attempted to get access to was in Great Britain. 5(3) states that a significant link under 3 can be (a) that the person was Great Britain at the time when he did the act or (b) the modification took place in Great Britain. However, this may not an exhaustive list. 141. Davies, Cracking down on the computer hackers, Fin. Times Cracking down on the computer hackers (London), October 4, 1990. 142. Computer Misuse Act, 1990, ch. 18, 5. 143. Although proposed on February 14, 1989, the proposed bill has not yet become law. 144. Appendix A, 10. 145. Appendix A, 1. 146. Appendix A, 1, alternative. 147. Appendix A, 2. 148. Appendix A, 3. 149. Appendix A, 4. 150. Appendix A, 5. 151. Appendix A, 7. 152. The Ghana Law Reform Commission states that they created their proposed law from the Scottish Law Commission and the Law Reform Commission of Tasmania, Australia reports on computer crime. 153. Appendix A, 9(a). 154. Appendix A, 8(b). 155. See, infra, endnote __ and accompanying text. infra 156. Appendix A, 9(a). 157. Appendix A, 9(b). 158. Appendix A, 10. 159. Appendix A, 6. 160. Id. Id. 161. Appendix A, 7. 162. Appendix A, 1. 163. Appendix A, 10. 164. Id. Id. 165. Id. Id. 166. The first computer crime law in the United States was enacted in 1979. 167. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in 1986 reprinted in U.S. Code Cong. & Admin. News 2479, 2481. 168. By increasing security, the ease with which one can enter the system will become more difficult. Some systems, believing that if such unauthorized access does occur that no sensitive information will be stolen, opt to have less security then other systems. In actuality, by one system not having enough security, the entire network can be put at danger when a mischievous user wishes to break into a users account which may be accessed by that system. See Stoll, 353-54 (stating an Australian hacker broke into Mr. Stoll's computer account because a connected computer's system manager did not wish to have a high level of security. 169. Stoll, 32. Many military computers and sensitive scientific computers operate in a secure environment. This is created by not allowing the computer system to have any telephone links to the outside world (i.e. outside of the building. 170. By having a secure system, information at the computer site can only be removed by a person walking into the computer center, copying the information and then walking out with it. This is both burdensome (it is much easier to access the computer from one's home or office) and cumbersome (since a person will have to walk around with reels of data that will later be put back into the system. 171. Computer Virus Legislation, Hearing on H.R. 55 and H.R. 287 before the Subcomm. on Criminal Justice of the House Comm. on the Judiciary, 100th Cong., 1st Sess. 44, n. 27 (1989) (statement of Marc Rotenberg, Director, Computer Professionals for Social Responsibility). 172. Colvin, Lock up the Keyboard Criminal, Telecommunications Lock up the Keyboard Criminal PLC (England), June 1990, p. 38. Michael Colvin, the author of Great Britain's Computer Misuse Act stated that the passage of the bill should not be looked at that the computer owner should not have security measures on their computers. Id. The bill, he Id. states, was made only to compliment, not substitute, the users security measures. Id. In West Germany, the severity of the Id. punishment for hacking depends on the effort that was required to commit the offense. Fagan, Technology: EC urged to Strengthen Technology: EC urged to Strengthen Laws on Computer Crime, The Independent, Feb. 13, 1990, 19. Laws on Computer Crime 173. McGourty, When a hacker cracks the code, The Daily When a hacker cracks the code Telegraph, October 22, 1990, p. 31. 174. A Password is a word that is either given to the user by the system or selected by the user to prevent others from accessing his computer or account within the computer. This words, groups of letters or symbols are supposed to be kept secret so as to not let other who are not authorized to access the system have access to it. 175. Donn Seeley, A Tour of the Worm, Department of Computer _____________________ Science, University of Utah, Nov. 1988, reprinted in General reprinted in Accounting Office, Computer Security: Virus Highlights Need for Improved Internet Management, 20 (1989). 176. Authers, Armed with a secret weapon, Financial (London) Times, Feb. 5, 1991, Section I, 16. 177. Id. 178. For a discussion of this virus, see, Branscomb, Rogue see Rogue Computer Programs and Computer Rogues: Tailoring the Punishment Computer Programs and Computer Rogues: Tailoring the Punishment to Fit the Crime, 16 Rutgers Computer & Tech. L.J. 1, 14-16 to Fit the Crime _______________________________ (1990) (discussing the applicability of state and federal law to computer viruses). 179. Jim Thomas, publisher of the Computer Underground digest argues that computer pirates actually buy more programs then the average computer program buyer. Letter from Jim Thomas to Brian J. Peretti ( (discussing computer pirating of software) 180. See, GNU Manifesto (available at American University Journal of International Law and Policy). See also, Stallman, GNU EMACS See also, General Public License, (Feb. 11, 1988) (available at American University Journal of International Law and Policy). 181. The GNU Manifesto (available at the American University Journal of International Law and Policy). 182. The author proposes that such copyright protection last for only two years. By granting the creator such protection for a short period of time, he will be able to recover the expenses that he put into the writing of the program. If this type of protection is granted, it should be understood that the creator of the program has a copyright to the sourcecode of the program for that period. If he updates the program after the two year period, the updated code will be protected, but the original code will not be granted the protection. In this manner, an author cannot attempt to give copyright protection to a program after the copyright has expired. 183. Electronic letter from Brian J. Peretti to Dorothy Denning (Nov. 13, 1990) (concerning computer crime). 184. This will be a semi-secure system. 185. The system, of course, will have a system manager who will create the accounts for the users. His account will be off limits to those who wish to use the system. At the same time, individuals will be encouraged to attempt to break into the manager's account and tell him how it was done in order to improve security for this and other systems. 186. The problem still exists that information learned through the use of this system may allow those who use the system to break into other computer systems. This problem can be corrected by having the system manager and the users communicate problems with the system so that they may be corrected on other systems. 187. United States v. United States Gypsum Co., 438 U.S. 422, 425 (1978). 188. S. Rep. No. 432, 99th Cong., 2d Sess. 6, reprinted in 1986 reprinted in U.S. Code Cong. & Admin. News 2479, 2484. 189. Stoll, The Cuckoo's Egg. 190. The countries which a person can go to could be any country in the world, except Albania, since they are the only country whose computers are not connected to outside computers. Stoll. 191. A school in Red Bank, New Jersey, has instituted a "computer responsibility training". Weintraub, Teaching Computer Ethics in Teaching Computer Ethics in the Schools, The School Administrator 8, 9 (apr. 1986). the Schools, ________________________ 192. S. Rep. No. 432, 99th Cong., 2d Sess. 3, reprinted in 1986 reprinted in U.S. Code Cong. & Admin. News 2479, 2481. 193. Electronic Mail Letter from Rop Gonggrijp to Brian J. Peretti (Jan. 25, 1991) (concerning computer viruses). "We have to watch that we keep telling people how virusses work, because that is the only solution to the problem: mystifying the whole thing ans just hunting down "computer terrorists" is useless and (as proven in the US and Germany) leads to a questionable style of government in the field of information technology..." Id. Id. 194. General Accounting Office, Computer Security: Virus Highlights Need for Improved Internet Management, 25 (1989).