In deciding where computer-related criminal activities should be
prosecuted, the following factors should be taken into consideration:
available statutes, elements of the offense, ability to bring multiple
charges for the act, and severity of punishment. Comparing the various statutes of competing jurisdictions is
the usual method of making such a determination and is often
sufficient. However, with the advent of elaborate schemes utilizing
complex computational technologies and criminal acts evolving
in lockstep with technology, it is increasingly difficult to
determine whether an act is criminal and if so, under what statutes
it may be prosecuted.
The following tables assist in making that determination. We
have analyzed the most pressing computer-related offenses and
detailed exactly what can be prosecuted, where such activities
may be prosecuted, and the varying penalties associated therewith.
Each table contains a number of relevant table headings. Each
table heading is intended to cover a range of computer-related
criminal activities. The following descriptions of each table
heading are intended to assist in determining under what heading
particular instances of computer-related criminal activities belong.
DESCRIPTION OF TABLE ELEMENTS
Computer Trespass / Intrusion
Computer intrusion statutes chiefly concern unauthorized
access, and such statutes are generally directed towards computer
hackers. There is considerable overlap between computer trespass
/ intrusion statutes and computer tampering statutes. Indeed,
some states prohibit both offenses under the computer trespass
/ intrusion statute, while others provide a separate offense
for each act.
Key elements for all computer trespass / intrusion offenses
are lack of authorization and intentional access of a computer
or computer system. The proscribed acts performed after the initial
unauthorized access vary from state to state, and range from
tampering or altering a computer system to using it specifically
to defraud.
Exploratory computer hacking is prosecutable under most statutes
even if the offender does not intend to use the authorization
to commit a further crime. Accessing a computer by way of a
back-door program is also considered computer trespass, even
if the program was not initially installed by the offender.1
Computer trespass can occur
even if a computer user is authorized to access a certain part
of a computer or computer network and
then exceeds authorization. Often an offender will do so
by introducing a computer contaminant into the computer system,
thereby also bringing their actions under the purview of computer
tampering statutes. Depending upon an offender's motivations,
it may be possible to charge an offender with the additional
crime of computer fraud.
Computer Tampering
Often computer tampering statutes are broadly interpreted. Computer
tampering statutes generally prohibit altering or damaging a computer
program, computer system, or computer network. In addition, many
states also prohibit the introduction of any computer contaminant
into a computer or computer system.
On account of their broad scope, computer tampering statutes
can be used as a catchall offense when a state lacks other statutes
expressly punishing particular computer-related criminal activities.
Computer tampering charges can often be brought together with other charges, and because of their often lenient penalties should only be brought without other offenses where a state lacks alternative substantial means to prosecute an offender.
It is worth noting that computer tampering statutes should not
be limited to prosecuting criminal acts accomplished with a computer. Rather, the statute also covers a very broad range of physical
activities. For instance, physically destroying a computer with
a sledgehammer may be considered computer tampering; along the
same lines, destroying computer programs (or the media they
reside upon) by running magnets over the diskettes or the hard
drives may also be considered computer tampering.
Additional computer-related activities proscribed by computer tampering
statutes include altering computer source code, creating “back-door” programs,
infecting a computer with a virus, and releasing a self-replicating
worm.
Programs installed on a computer user’s system that attempt to use
the computer’s resources to send spam mail are arguably prosecutable
under computer tampering statutes. Along similar lines, spyware programs
that report a computer user’s activities and drain a computer’s
resources are also arguably prosecutable.
Computer Fraud
Many states have statutes that relate directly to computer fraud,
most of which are entitled "computer fraud"; often, however, the
statute will generally proscribe fraudulent activity, electronic
or not, by way of a theft of services statute.
While theft of services statutes
remain applicable to general phone fraud,2 computer
fraud statutes target crimes in which one uses a computer to
perpetrate the fraud. As a general rule, computer fraud involves access, either
authorized or unauthorized, together with the specific intent
to use the computer to perpetrate a fraud. Often the offense
of computer fraud may be brought against an offender together
with a computer trespass or intrusion charge. Moreover, computer
fraud can sometimes include attempts of an offender to send malicious
attachments through email or to execute unauthorized computer
code. In this sense, computer fraud offenses can often be related
to DoS and DDoS attacks and therefore be brought in conjunction
with computer tampering and interruption of computer services
charges.
Generally, computer fraud statutes target computer-related
criminal activity which utilizes or relies upon a computer to
obtain money or property. Broadly constructed computer fraud
statutes allow charges to be brought for a great deal of commonplace
physical crimes. For instance, counterfeit documents, be it currency,
records, reports, or coupons, are primarily created with the
assistance of a computer, and when a property or monetary benefit
is gained through the fraudulent activity, computer fraud is
a viable charge.
The National White Collar Crime
Center (NW3C) has identified Internet Fraud as one of the fastest
growing types of fraud.
Auction fraud is of particular concern recently. Auction fraud
occurs by using various methods of establishing credibility on
online auction websites, most notably eBay, and then using the
established credibility to sell high-priced items that the seller
never intended to ship to the buyer.
Computer fraud can also occur by the creation of websites designed to
deceive users into believing that they are actually using
the website of a corporation or business. Often, emails soliciting
a user to visit a website and log in for an important message
are fraudulent and designed as a method to obtain the usernames
and passwords of legitimate users’ bank or stock trading accounts. If
an offender has forged email header information in order to send
the email, additional spam-related
and computer tampering charges may be brought together with a
charge of computer fraud.
Unauthorized use of a computer
Unauthorized use of a computer statutes are related to computer trespass. Because unauthorized use of a computer is often the result of computer trespass, it is quite common that both offenses may be brought against an offender for a single criminal act.
Unauthorized use statutes are fairly popular and they may be found in 12 states. Such statutes seek to punish those who without authorization use a computer or computer services. Generally, there is not a great deal of divergence among the states and the two elements which must be present are the user's knowledge that access is not authorized and actual access.
Unauthorized use of a computer can take many different forms. Unauthorized
use can occur by way of accessing a computer terminal,
computer network, sensitive data, or computer program, or by
exceeding one’s authorization. To the extent that the unauthorized
use involves computer programs, an additional charge of computer
piracy may be brought.
Unauthorized access may also occur when a user knowingly connects
to a wireless network without authority to do so.
A common computer hacker pastime is war-driving, whereby an individual
equipped with a laptop, a wireless access card, and a GPS device
drives around businesses or neighborhoods in order to note the
presence of wireless networks. An offender may then return to
the location of the network and utilize network resources without
authority, thereby bringing the activity under the purview of
unauthorized use statutes.
Interruption of computer services
While individual computer intrusions may be troublesome and a nuisance for government agencies and companies, the threat to a network's infrastructure from mere intrusion is slight, unless the intruder has the malicious intent to disrupt network services. By far, the greatest threat to the nation's information infrastructure is malicious-minded individuals set on seriously disrupting computer services on a broad scale.
Disrupting computer services usually takes the form of a Denial of Service (hereinafter “DoS”)
attack or a Distributed Denial of Service Attack (hereinafter “DDoS”). DoS attacks
attempt to deny a user or users of a network the resources normally available.3
The most common methods of DoS and DDoS attacks are carried out by way of undue
bandwidth consumption, computer resource theft, exploiting flawed programming,
and traffic redirection.4 In order to carry out such attacks, one
need not be a technical wizard -- there are easy-to-use programs which facilitate
DoS and DDoS attacks.5
Interruption of computer services statutes thus seek to proscribe conduct that
intentionally or recklessly disrupts or degrades computer services or denies
computer services to an authorized user. Thus, interruption of computer services
statutes may be used to specifically prosecute those responsible for DoS and
DDoS attacks. However, notwithstanding the highly publicized DDoS attacks of
February 2000, not every state has statutes specifically directed towards the
interruption of computer services.
To the extent that a DoS or DDoS attack utilizes computer resources
to interrupt services without authorization, it may be brought
together with computer tampering and unauthorized use charges.
Furthermore, DoS attacks are often carried out by way of a back-door
door program (e.g., Sub7) that allows an offender to access and
use the resources of a remote computer or an array of remote
computers. In these instances, the additional charge of computer
trespass or intrusion may be brought together with computer tampering,
unauthorized use, and interruption of services charges.
Piracy
Piracy offenses are not listed as their own table in the report
because there are very few states that have
statutes dealing expressly with computer piracy. Rather, most
states deal with the problem of computer piracy with unauthorized
use or computer tampering statutes. Therefore, piracy is listed
as a table heading within the appropriate statutory analyses.
Generally, piracy occurs when an individual obtains computer
data or a computer program without payment or otherwise unlawfully. Computer
software piracy is a recurring problem at many levels for most
software companies. The most dangerous operations involve elaborate
enterprises designed to facilitate the copying and subsequent
sale of pirated computer data or programs on large scales. Such
operations are not uncommon and often their actions are sufficient
to bring many charges against the offenders, including computer
fraud, computer tampering, and unauthorized use. Such operations may be sufficient to also warrant a federal
RICO prosecution.
Privacy invasion
Much like piracy, privacy invasion offenses are not listed as
their own table in the report because there are very few states
that have statutes dealing expressly with privacy invasions.
However, some states approach the problem of privacy invasions within
their computer tampering or unauthorized use statutes.
Computer-related invasions of privacy occur when an individual
intentionally uses a computer or computer network to access,
without authority, personal or financial information
about an individual. Examples of such information are employment,
salary, credit or customer billing information.
Privacy
invasions facilitated by computers are increasingly common in
the context of cyber-stalking and physical stalking
cases where an offender
may have obtained a victim’s credit report or employment
information without authority. Such actions warrant a charge
of privacy invasion and may warrant the additional charges of
computer tampering, unauthorized use or computer trespass, depending
upon the nature of the information illegally accessed.
Transmission of spam
Generally, the transmission of spam involves the sending of
vast amounts of unsolicited bulk emails. The frequency of spam
emails has become a major inconvenience for computer users and
a major technical problem for internet service providers. Some
states have reacted to the problem by criminalizing the sending
of spam emails.
It is important to note that often the severity of the punishment available is directly proportional
to the amount of unsolicited e-mail sent.
It is also worth noting that spam-related statutes do not seek to
prohibit the transmission of vast amounts of e-mail in all circumstances.
Often there are specific exemptions for mailing lists or instances
in which a user voluntarily requested to be added to a mass distribution
list.
Distribution of spam software
Software used to send spam is often prohibited within the same
statute that prohibits the transmission of spam. Spam e-mails
are often sent by falsifying certain email routing information
called the header, and spam software is designed primarily for
the purpose of falsifying such routing information. The sale
or distribution of spam software is generally prohibited in jurisdictions
which have passed anti-spam laws.
However, spam software can be elusive and difficult to
track as it is often the case that ordinary computer users have
unknowingly downloaded and installed spam distribution software on their personal
computers. Consequently such users have unknowingly been sending massive
amounts of spam emails. Such software scans the internet for
vulnerable computers and uses various methods to falsify email
routing information that are computer resource intensive. Even
in jurisdictions that do not have anti-spam statutes, it may
be possible to bring charges of computer tampering, unauthorized
use, computer trespass, or even interruption of computer services,
against a particular offender depending upon the nature of the
software used or distributed and the volume of spam emails an offender has sent.
Cyberstalking
Cyberstalking statutes criminalize using e-mail or other electronic means to communicate language threatening to inflict harm to persons or property, or for the purpose of extorting money or property. Cyberstalking statutes generally criminalize repeated communications for the purpose of terrorizing or harassing another person.
Often when cyberstalking occurs for the purpose of harassing,
threatening or extorting it is usually preceded by some form
of privacy invasion. Therefore, if the jurisdiction permits,
a privacy invasion charge may often be added to the offense of cyberstalking.
Recently, there have been a number of reported cases of malicious
computer hackers sending threatening emails to businesses claiming
that if a sum of money is not paid, they will publicly hack their
networks or destroy data. Under many cyberstalking statutes,
such extortion constitutes a cyberstalking offense.
1 Installing a back-door program
without the authorization of the computer user may be prosecuted
under most computer tampering statutes.
2 E.g., calling card theft and subsequent misuse thereof by way
of low tech “shoulder surfing” techniques.
3 Bland_inquistor, Denial of Service Attacks, Tools of the Tools,
2600 THE HACKER
QUARTERLY, Fall 2003 at 41.
4 Id. at 40.
5 Id. (referring to such attacks as “[c]anned DoS [a]ttacks”).