Copyright © 1997 Keith A. Carsten. All Rights Reserved.
Bringing the Cyber-Criminal to Justice
An Essay for the Technologically Impaired
Keith A. Carsten
In an era of political correctness, the author hesitates to call himself computer illiterate. The author, in his vanity, prefers the term "technologically impaired" to describe his lack of proficiency on the tool single-handedly changing the way society operates. With this change in society has come a shift in how those on the fringes of society, i.e. criminals, conduct their illicit trade. This essay is intended to give a brief overview of how the criminal justice system is dealing with a relatively new threat to citizens' rights and property. For the most part, the author has refrained from incorporating acronym-laden techno-babble. However, by examining the players, the process of bringing cyber-criminals to justice, and the penalties being handed down for violations of law, the author hopes that even the most technologically impaired will become aware of problems in combating this growing cyber-crime wave.
THE PLAYERS: The Cyber-Criminals
A recent study found that 58 percent of responding corporations suffered some kind of computer break-in within the last year.(1) 18 percent of the resulting thefts exceeded one million dollars, while 66 percent exceeded $50,000.(2) A CIA agent has used his laptop to send Top Secret information to Russia.(3) 40 percent of the software used in the United States is pirated.(4) These are only a few examples of violations classified as computer crimes. The list is growing. This section will outline a few of the more common types of computer crime and give a profile of a notorious cyber-criminal.
Computer Fraud: Computer fraud is limited only by the cyber-criminal's imagination. One example of a new computer fraud is a scam in which potential scholarship students are contacted via the internet and guaranteed scholarship money for a finder's fee.(5) Naturally, the cyber-criminal does not deliver the scholarship money promised, and by the time the victim realizes the scam, the cyber-criminal has moved on to other ventures. Other frauds include convincing on-line citizens to e-mail credit card numbers for bogus prizes or vacations, and securities scams where great news about an inexpensive company is spread through the internet.(6) When the stock price rises, the cyber-criminal reaps his illegal reward.
Theft: As indicated by the above survey, theft of software is becoming increasingly popular and costly. One notorious cyber-criminal, who will be discussed later, stole millions of dollars worth of operating codes, passwords, and software from agencies as diverse as Apple, Pacific Bell and various universities for years before he was caught.(7)
Copyright infringement and counterfeiting: Piracy is an enormous problem on the internet. Once copyrighted material is on the internet, be it software, writings, music, or video, there is no limit to its distribution.(8) In financial terms, copyright infringement is the most serious cyber-crime, with estimates of damages in the billions and possibly the tens of billions of dollars.(9)
Espionage: In addition to the above example of military espionage, economic espionage is a growing cyber-crime. It is extremely profitable for a cyber-criminal to use his computer skills to steal U.S. companies' trade secrets and sell them overseas.(10)
Transmitting child pornography: Because of the encrypting capability of the computer, the internet provides an effective way to transmit child pornography.(11) The cyber-cop's investigation of child pornography promises to be expensive and time consuming.(12)
Profile of the cyber-criminal: The profile of the cyber-criminal can range from a 15-year-old Utah boy who defrauded customers for non-existent computer parts he advertised on the internet, to career cyber-criminals causing millions of dollars worth of havoc in cyberspace.(13) One such career cyber-criminal is Kevin Mitnick. Mitnick's exploits will be discussed later in greater detail. However, Mitnick's personality seemed to be that of a loner and underachiever who enjoyed the power he could obtain using his computer.(14) Mitnick gravitated into a circle of other self-proclaimed "phone phreaks" because of their prowess at electronically manipulating phone switching stations to mask their computer crimes.(15) This society of criminals evolved from pranksters to accomplished criminals quickly, and Mitnick seemed to relish the challenge of defeating the new computer security systems his crimes were making a necessity.(16) We will discuss his fate later.
The Cyber-Cops
Since the dawn of a written code of law, two diametrically opposed forces have butted heads: the criminals who find holes in, or ignore, the law, and a police force whose duty is to enforce the laws. As criminals have gotten smarter, the police force has been involved in an evolution of techniques to keep up with the criminals. The cyber-criminal and the developing cyber-cop are a clear illustration of this increasingly complex game of measure/countermeasure.
Unfortunately, it seems that the police are losing the battle and computer crimes are on the rise.(17) Marc D. Goodman, a senior Sergeant and Investigator for the Los Angeles Police Department, explored the reasons for this in his article "Why the Police Don't Care About Computer Crime."(18) His five reasons for the rise of uncontested computer crime expose a lack of knowledge, funding and support from both the police forces across the country and the citizens they are sworn to protect.
The first reason Goodman outlines is the notion that spending hours in a virtual world is not why most officers became cops in the first place.(19) He argues that a common response to why a person became a police officer in the first place is that they "wanted to help people" or that they "wanted to arrest bad guys".(20) In an environment where machismo and valor are still rewarded, it is difficult for there to be much of an attraction to become a cyber-cop.(21) There are no gun battles or speeding hot pursuits on the internet. Goodman also identifies a rash of "techniphobia" in every level of the police force.(22) The increasing complexity of internet crime combined with a lack of glory is preventing newer police men and women from becoming cyber-cops.
Goodman next identifies that the internet is difficult to police.(23) Police are used to following a paper-trail and most often on the internet, they will not find one.(24) Criminals on the internet often cover their tracks by "looping and weaving" through several systems world-wide and posing as legitimate computer users.(25) Police are also hindered by a lack of evidence, and are bound by changing laws on search and seizure of computers.(26) Therefore, police are pursuing the more traditional criminals such as the drug dealer or rapist because convicting these criminals requires fewer resources and simpler investigations.(27)
According to Goodman, compared to street crime, computer crime goes mostly unreported. Therefore at the annual budget review, a particular police budget is not likely to see any increase in funds for combating cyber-crime.(28) Because of this lack of funding, police will not receive training on the vast number of complex systems cyber-criminals are using.(29) Also, the hardware for tracking cyber-criminals itself is very expensive and may require both Apple and PC technology to successfully track cyber-criminals.(30) This lack of resources has created a market for private computer security firms to combat cyber-criminals.(31) However, Goodman points out that this creates a vicious cycle because the public will become convinced that police are technically incapable of punishing cyber-crime. This distrust causes the public to oppose needed tax increases to update their police stations' cyber-crime policing capability.(32)
Beyond the police themselves are the other officials needed to investigate and pursue a conviction of the cyber-criminal.(33) The mayors, district attorneys, council persons, and grand jury members must also be educated and instilled with the importance of punishing cyber-crime.(34) In a time where a main thrust of police forces is to get back to the basics of high visibility patrol, it may be a tough sell to the politicians to expend scarce resources on combating cyber-crime.(35)
The police and officials are not solely to blame. Many police chiefs around the country have never received a complaint about computer crime. (36) In fact, it is likely that the first time they will hear about cyber-crime is when another department is being attacked for allegedly overstepping its boundary in its effort to protect against cyber-crime. (37) Through ignorance or the silent nature of the cyber-crime, there is simply no public outcry for the protection against cyber-crime.(38)
As Goodman puts it, "[t]he race is on and the bad guys have a significant head start".(39) What lies in the future for the cyber-cop? Obviously, funding for police officer computer training and hardware must be increased to keep up with the cyber-criminals. Although federal law enforcement comparatively has a higher budget in this regard, they do not have the resources to handle matters less than those threatening national security.(40) This leaves the legions of cyber-criminals in the ever expanding categories discussed above immune until cyber-crime can be controlled on a local level. Goodman suggests both a short and long term approach.(41) The short term approach is a front loaded financial plan to catch the police up to speed, perhaps buying computers on a regional scale to help pool costs.(42) The long term approach includes educating police executives about computer crime and motivating them to allocate the educational, recruitment, training, and equipment funds necessary to combat cyber-crime.(43)
THE PROCESS: Building the case--Search and Seizure
Imagine that a cyber-criminal has, despite his or her favorable odds to the contrary, attracted the attention of a well funded police department or a private computer security company. How does one begin building a case against the cyber-criminal? This question is logically dominated by the Constitution's Fourth Amendment limitation on searches and seizures and localized statutes which may or may not provide increased protection.(44)
The search for illegal activities on the internet has many facets. First, there must be some kind of monitoring of the information that indicates that there may be some kind of illegal activity taking place.(45) Then, a search warrant must be issued to gather whatever "physical" evidence, in the form of hard copy or stored data, may be available.(46) Finally, a search or a confiscation of the offender's computer property must take place, in order to gather evidence to form a charge, and begin prosecution of the cyber-criminal.(47)
The rules change depending on who is doing the monitoring or searching, the common law is conflicting, and the penalties for making a mistake can result in the release of a known cyber-criminal.
The Fourth Amendment protects against unreasonable governmental intrusions into a citizen's privacy. Therefore, private computer security companies are exempt from Fourth Amendment restrictions, except in cases where the company is encouraged or assisted by police.(48) This exemption stands even when privately obtained material is eventually turned over to the authorities.(49) However, if a cyber-cop wishes to monitor a cyber-criminal's computer activities, he or she must be well versed and current with their Fourth Amendment and local statute obligations. In Katz v. United States, the U.S. Supreme Court said any means of electronic eavesdropping was subject to Fourth Amendment protection even though there is no physical violation of privacy.(50) However, a cyber-criminal can lose this expectation of privacy if his electronic information is made accessible to others, or if he discloses the information to another who is then lawfully searched or volunteers the information to the authorities.(51) The Fourth Amendment seems to be the sole protection for the "stand alone" system you would find in a user's home or a closed office network.
For an "electronic communications system", which is defined as an inter-company network, on-line system,(52) or bulletin board system (BBS),(53) there are other protections.(54) In addition to the protection of the Fourth Amendment, a potential cyber-criminal may enjoy the protection of the Electronic Communications Privacy Act of 1986 (ECPA) or the seldom used Privacy Protection Act of 1980 (PPA).(55) ECPA was enacted to protect electronic communications "transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce."(56)
Title I of ECPA deals with the interception of electronic messages and limits both police and private eavesdropping of a potential cyber-criminal. (57) Courts have interpreted the "affecting commerce" requirement to simply mean "on a system which affects interstate commerce", and the internet obviously fits in this category.(58) Once categorized as ECPA protected, the cyber-cop or private security company must get judicial approval, demonstrate probable cause that a felony is being committed, demonstrate that this is the only means of gathering evidence available, and limit the communications intercepted to only pertinent information, to conduct a lawful search.(59)
These sweeping protections do not extend to the system operators who are operating the users' electronic on-ramp to the information superhighway. A system operator, or "Sysop", may monitor communications on its system if it suspects the system is being misused, and may divulge any criminal activity it inadvertently stumbles upon or intercepts in its ordinary course of business to authorities.(60)
Title II of ECPA addresses the search of stored messages already received by a potential cyber-criminal.(61) Title II mandates law enforcement officials can only access an electronic communication that has been stored less than 180 days when authorized by a warrant.(62) Electronic messages stored longer than 180 days may be accessed by grand jury, court order with notice to the user, or valid warrant with no notice required.(63) Again, a Sysop has broad powers in monitoring stored transmissions, and may turn over these transmissions provided that the criminal activity is ongoing.(64)
A less used protection for the potential cyber-criminal is the Privacy Protection Act of 1980. The PPA requires that law enforcement officers validate searches using a subpoena rather than a search warrant for those engaged in First Amendment speech.(65) The PPA protects only "documentary documents", however, and not the information itself. A violation of the PPA will subject the violator to civil penalties, but not the suppression of the evidence.(66)
Finally, the Fourth Amendment provides only a minimum level of protection against unlawful searches and seizures. A cyber-cop must also be aware of any local state constitution or statute protection which may grant the potential cyber-criminal more protection than the U.S. Constitution.(67)
As mentioned above, "stand alone" machines in a person's home do not enjoy ECPA protection because they are not "electronic communication systems".(68) So stand alone systems rely on Fourth Amendment protections and any more stringent protections in the state in which they are located. The cyber-cop risks violating the "overbreadth" doctrine of the Fourth Amendment, because if he or she is not exactly sure of what they are looking for, their search of an entire hard drive may be impermissibly broad.
In 1982, a Ninth Circuit court addressed the overbreadth problem as it applied to physical documents in United States v. Tamura.(69) That court held that if the relevant documents are so intermingled with irrelevant documents that no other practical alternative exists, the officers may seal or hold the documents pending judicial approval.(70) In his article "Searches and Seizures of Computer Data", Raphael Winick argues that the same standard should be applied to stored data on a stand alone system.(71) Winick argues that in an age where a bit by bit copy of a potential cyber-criminal's hard drive can be made quickly, no physical confiscation of equipment should be made, provided that copy satisfies the Tamura test.(72) This author feels this potentially leaves the cyber-cop no alternative, during the long and perhaps encryption-laden examination of data, but to leave the cyber-criminal his or her computing weapon of choice. For egregious cases, physical confiscation must take place.
Jurisdiction and Venue Issues
Now imagine that our well funded police department either found or were alerted to criminal activity occurring in cyber-space, and played by all the rules in their search and/or seizure of the offender's equipment. Also imagine a charge has been filed in a state far from where the cyber-criminal lives, where someone has suffered as a result of the cyber-criminal's activities. How does the judicial system of that state establish jurisdiction over that criminal?
Two important factors intertwine to form the prevailing standards for internet criminal jurisdiction. The first is the extradition clause of the Constitution, which will be discussed in the next section.(73) The other factor in bringing a cyber-criminal to justice is the issue of venue. In the traditional real world scenario, venue lies where a material element of the crime was initiated or took place within the forum.(74) In the world of cyber-space, this can be a difficult evaluation. The Internet's purpose is to link many jurisdictions together.(75) Because of this overlap, material elements of the crime may be committed in more than one jurisdiction at the same time.(76) An early case that dealt with this dilemma was United States v. Thomas.(77)
In United States v. Thomas, Robert Thomas and his wife Carleen Thomas began operating the Amateur Action Computer Bulletin Board System ("AABBS") from their personal computer in their home in Milpitas, California.(78) The main function of the bulletin board system was to provide a service to other computer users to download sexually explicit pictures that Robert Thomas had scanned into the computer from various adult sources.(79) Access to these photographs was limited to members who had paid a membership fee to the service and submitted a signed application.(80) The members were then furnished with a password.(81) In July 1993, a United States Postal Inspector, Agent David Dirmeyer, received a complaint from a computer user who lived in western Tennessee.(82) The agent then sent the Thomases an application under an assumed name, and an application fee. Using his password, the agent downloaded pictures featuring bestiality, oral sex, incest, sado-masochistic abuse, and sex scenes involving urination.(83) On January 12, 1994, a search warrant was issued by a California Magistrate Judge and the Thomases' computer system was seized.(84) Shortly after, a federal grand jury for the Western District of Tennessee charged the couple with violating obscenity laws for knowingly using and causing to be used a facility and means of interstate commerce.(85) The Thomases were convicted of these charges in Tennessee.
Although this was a BBS case and not a true internet case, technology and traditional principles of law had collided. Did the Thomases have a reasonable expectation of being haled into court in a part of the country not renowned for its sexual open-mindedness?
The Thomases argued in their appeal that they did not. The appeal, United States v. Thomas,(86) challenged the venue of several of the counts. The court wrote:
"Substantial evidence introduced at trial demonstrated that the AABBS was set up so members located in other jurisdictions could access and order [picture] files which would then be instantaneously transmitted in interstate commerce. Moreover, AABBS materials were distributed to an approved AABBS member known to reside in the Western District of Tennessee. Specifically, Defendant Robert Thomas knew of, approved and had conversed with an AABBS member in that judicial district who had his permission to access and copy [picture] files that ultimately ended up there. Some of these [picture] files were clearly marked "Distribute Freely." In light of the above, the effects of the Defendants' criminal conduct reached the Western District of Tennessee, and that district was suitable for accurate fact-finding. Accordingly we conclude venue was proper in that judicial district." (Emphasis added).(87)
Although a dial up bulletin board and the internet are technically different concepts, the threshold of personal jurisdiction seems to be the same. This broad governmental discretion on prosecuting cyberspace criminals seems to extend to all jurisdictions where the criminal's actions touch.(88) Every citizen is presumed to know the law.(89)
The seemingly unfair nature of the Thomas ruling has not been lost on all courts. In Lambert v. California, a violation of a felon registration ordinance was ruled to only be a violation if the violator "knew" about the local ordinance.(90) However, this is the exception and not the rule. For the internet user, it seems that the standard is that where the criminal act violates a law outlining common sense morality and not a legislative code, citizens will be presumed to know what that law is.(91)
Extradition
Now that the cyber-criminal has been noticed, searched, charged, and the court is confident that it has jurisdiction over the matter, how do you physically bring the cyber-criminal to court? The United States confrontation clause requires that a criminal defendant physically be present at his or her trial.(92) In the intertwining global nature of the internet, the cyber-criminal may be in the next state or halfway around the world.
Exercising jurisdiction over international cyber-criminals requires that authorities obtain the physical presence of the criminal either through extradition, or by methods outside of the legal boundaries.(93)
Extradition began in the mid 1800's in order to prevent any one country from granting asylum to all fugitives.(94) However, countries were wary of turning over some fugitives for fear that they would be politically or religiously persecuted in the state to which they were to be extradited.(95) This led to the formation of extradition treaties with countries that outlined specific crimes in which extradition would be acceptable.(96) This list of crimes has evolved into the principle that extradition may take place if the criminal's action is a crime in both countries.(97)
The United States has extradition treaties with over 100 nations.(98) The procedure is that the requesting state makes a formal request for the criminal to be extradited. The court of the requested state issues an arrest warrant, and the potential criminal is arrested. Then he or she is entitled to a hearing which will decide two things: first, that the potential criminal is indeed the person named in the warrant, and second, that there exists probable cause to believe the person committed the crime.(99)
The domestic cyber-criminal will most likely be governed by the widely accepted Uniform Criminal Extradition Act.(100) Under the act, demands for a potential criminal must be in writing, and allege that the potential criminal was "present" in the demanding state at the time of the crime but has subsequently "fled".(101) Apparently, this requirement does not require physical presence in a forum state, but merely some kind of effect in the state seeking extradition.(102)
In addition to legal extradition, there are governmental methods that are, for lack of a better word, illegal kidnappings. In 1992, a criminal in Mexico was abducted by U.S. agents and brought against his will into the United States.(103) Strangely, the Supreme Court ruled that U.S. jurisdiction was not lost even though it had been obtained illegally. The United States has granted itself wide powers in bringing what it feels are dangerous criminals to justice in its courts.
THE PUNISHMENT: Charges and Sentencing
Assume that, against the odds, the cyber-cop has prevailed: the cyber-criminal has been noticed, investigated, charged, and transported, and is facing trial. What penalties is the cyber-criminal subject to? The answer is that the cyber-criminal is subject to penalties outlined in the particular section of United States Code violated. Cyber-criminals can be prosecuted under over 40 federal laws.(104) States also have begun putting cyber-crime legislation in their statutes. However, early case law(105) has highlighted that where federal and state cyber-crime legislation conflict, federal statutes will be ruled controlling. Here are some of the more common federal violations and the penalties associated with each.
Violation of the Computer Fraud and Abuse Act: Located at 18 U.S.C. § 1030, this statute prohibits six kinds of computer activity: I. obtaining information relating to national defense or foreign relations; II. obtaining financial records of a financial institution or credit reporting agency; III. manipulating information on a computer that adversely affects the U.S. Government's operation of the computer; IV. accessing a "governmental computer" to obtain or defraud anything of value; V. altering, damaging, destroying or preventing the use of information on the government's computer (i.e. a virus) either knowingly or recklessly; VI. knowingly trafficking in passwords that will permit unauthorized access to government interest computers.(106) Violators of these provisions are sentenced according to the Federal Sentencing Guidelines, with varying degrees of severity, according to value of the loss suffered and security designation of the material illegally obtained.(107) An example of a typical sentence can be found in United States v. Sykes, where the court of appeals upheld a 27 month prison sentence for a computer fraud violation involving a bank teller machine.(108)
Violation of the Mail and Wire Fraud Act: 18 U.S.C. §§ 1341, 1343 outlaws using the postal system or interstate wire communications for the fraudulent purposes of obtaining money or property.(109) Violations of this statute are punishable by imprisonment up to five years, fines, or both. If the crime violates a financial institution, the fine can be as high as one million dollars accompanied by a prison sentence of up to 30 years.(110) The severity can be raised according to the amount defrauded and the decision-making, or employment position of the offender.(111)
Violation of the National Stolen Property Act: Located in 18 U.S.C. § 2314, this statute criminalizes the transportation of "any goods, wares, securities, or money" known to be illegally obtained.(112) Courts have interpreted that software in intangible form does not meet the "goods" or "wares" requirement, so this act is only effective for the theft of computer hardware.(113) Punishments for violating the National Stolen Property Act may include imprisonment for up to ten years, and/or a fine. Again punishment is according to federal guidelines, and severity increases with value of loss, amount of planning required, and whether the person accused is in the business of obtaining stolen property.(114)
Violating the Copyright Act: A cyber-criminal violates 17 U.S.C. § 506 if he or she infringes a copyright willfully for commercial advantage or private financial gain.(115) Although it is difficult to prove all elements for infringing software, the penalties are severe. A first time offender who sells more than ten copies of the pirated software could face up to five years in prison. Repeat offenders can face up to ten years in prison as well as substantial fines.(116)
Violating the Electronic Communications Privacy Act: Violating ECPA as detailed in the search and seizure discussion above, may result in a fine, and up to five years in prison.(117)
Violating the Anti-Counterfeiting Consumer Protection Act: 15 U.S.C. § 1117 (ACPA) is directed towards the distribution of copyrighted software.(118) The 1996 act increased penalties for the pirating of copyrighted software and allowed U.S. Customs Service to assess civil penalties for the import of counterfeit goods.(119) It also gives a victim of copyright infringement the right to elect actual damages or fixed statutory damages which are determined on a sliding severity scale.(120)
Violating the Economic Espionage Act: In 1996, the Economic Espionage Act was signed into law. This act, 18 U.S.C. § 1831, makes it a federal crime to steal, appropriate, take, carry away, conceal, copy, duplicate, sketch, draw, download, upload, or otherwise convey a trade secret that benefits a foreign government, foreign instrumentality, or foreign agent.(121) Violators of this statute subject themselves to the possibility of fines up to $500,000 and 15 years in prison.(122)
The Now Defunct Communications Decency Act of 1995: In 1995, the Senate introduced a bill that criminalized obscene or harassing communications made through a computer.(123) The penalties included fines up to $100,000 or imprisonment up to two years, or both.(124) The bill immediately came under attack by the ACLU and others concerned that the law was impermissibly vague, and would create a chilling effect on freedom of speech over the internet.(125) On June 27, 1997, Reno v. ACLU was decided.(126) In siding with the ACLU, the Supreme Court wrote:
"The Government apparently assumes that the unregulated availability of "indecent" and "patently offensive" material on the Internet is driving countless citizens away from the medium because of the risk of exposing themselves or their children to harmful material. We find this argument singularly unpersuasive. The dramatic expansion of this new marketplace of ideas contradicts the factual basis of this contention. The record demonstrates that the growth of the Internet has been and continues to be phenomenal. As a matter of constitutional tradition, in the absence of evidence to the contrary, we presume that governmental regulation of the content of speech is more likely to interfere with the free exchange of ideas than to encourage it. The interest in encouraging freedom of expression in a democratic society outweighs any theoretical but unproven benefit of censorship."(127)
Many cyber-cops had been using physical mail-fraud, theft and copyright infringement statutes to prosecute the cyber-criminals.(128) It was a case of forcing new round pegs into old square legal holes, which required a significant amount of manipulation. However, as these federal statutes gain acceptance, cyber-cops and the justice system will most likely begin relying on these more aptly suited statutes exclusively.
PUTTING IT ALL TOGETHER: The Prosecution of Kevin Mitnick
On Christmas Day, 1994, a young programmer was getting ready for his vacation when he received a call from colleagues at the San Diego Supercomputer Center.(129) They informed him that his home computer, which was connected to the supercomputer, had been electronically broken into. The programmer returned to his house to find that hundreds of software programs and files had been remotely stolen. These programs were tools for breaching security systems in many computer networks and cellular phone systems.(130) This occurrence touched off a high tech who-dunnit that would eventually lead to the FBI's number one cyber-criminal: Kevin Mitnick.
The Players:
Cyber-criminal: At his eventual arrest, Kevin Mitnick was a thirty one year old computer programmer with an appetite for theft, fraud, and destruction in cyberspace.(131) A underachiever growing up in Los Angeles in the 1970's, Mitnick had gravitated towards the growing culture of digital theft using computers and modems.(132) These self-proclaimed "phone-phreaks" began as pranksters, but soon graduated to controlling telephone companies remotely to mask their own modems tracks. (133) Mitnick was first arrested in 1981 after a successful physical break in at Pacific Bell's phone center in Los Angeles, where he stole lists of the phone companies passwords.(134) Because he was a juvenile, he served a short sentence in a juvenile detention center and was released.(135) He was subsequently arrested in 1983 for gaining illegal access to the governments ARPAnet system, in 1987 for stealing software from a California software company, and in 1988 for stealing Digital Equipment Company's minicomputer operating system.(136)Yet for all of these convictions and possibly millions of dollars worth of software stolen, Mitnick served less than a year in jail.(137)Mitnick again became the focus of an FBI investigation when he violated his probation by resuming his electronic break-ins. By the time the FBI came to arrest him, he was gone.(138) He next surfaced in 1992 in Sacramento attempting to have the driver's license photo of a police informer faxed to him under an assumed name. However, Mitnick eluded the DMV security and fled on foot.(139) Mitnick would not be physically seen again until his arrest in Raleigh, N.C. in early 1995.
Cyber-cop: Unfortunately for Kevin Mitnick, he decided to break into the home computer of Tsutomu Shimomura. Although not a government cyber-cop, Shimomura had been a consultant to the FBI and the military on computer security.(140) At the time of the electronic break-in, Shimomura was a senior fellow at the San Diego Supercomputer Center and a research scientist in physics at the University of California, San Diego.(141) His expertise included everything from creating models for the movements of fluids to computer security.(142)
The Process:
Building the case - Search and Seizure: From the time of the electronic break-in to the time of Mitnick's arrest, Shimomura concentrated on the capture of the cyber-criminal.(143) Aiding the FBI, Shimomura set up undetectable listening posts on some of the cyber-criminal's favorite targets, monitoring the criminal's internet traffic.(144) While Shimomura and the FBI watched the internet, the cyber-criminal took over telephone switching companies, stole files from Motorola and Apple, and copied over 20,000 credit card numbers from a national on-line service provider.(145)
It was at this on-line service provider, Netcom, that Shimomura began tightening the net around Kevin Mitnick. Using laptop computers hooked into the network, Shimomura and associates listened for the inevitable electronic break-ins.(146) The FBI requested a subpoena for phone records, and the records showed that the electronic break-in had come to Netcom from either Colorado, Minnesota, or Raleigh, North Carolina, via cellular phone.(147)
Shimomura had a hunch that the cyber-criminal was Mitnick, and that the calls were coming from North Carolina.(148) However, a trace of the origin of the cell phone call would be futile because Mitnick was rerouting the calls through several different phone companies' switching facilities.(149) So, Shimomura flew to North Carolina. With the help of a cellular phone expert, Shimomura drove around the hills of Raleigh, North Carolina with a signal direction finder, looking for the cyber-criminal's cellular phone signature.(150) Within a half hour, Shimomura had pinpointed the location to a cluster of apartments near the airport.(151)
Shimomura then turned over his investigation to the FBI. The FBI brought in its own equipment, so it could pinpoint the exact room the cellphone traffic was coming from.(152) Armed with this information, it obtained a search warrant from the Federal court in North Carolina for room 202 of the Players Court apartments.(153) At 2:00 A.M. on February 7, 1995, Mitnick was arrested.
Jurisdiction/venue:
The federal court in Los Angeles, California decided it had jurisdiction over this case because the damage caused by Mitnick's most recent electronic break-ins and thefts had occurred in California.(154)
Extradition:
Mitnick waived extradition and agreed to return to California voluntarily to stand trial.(155) Mitnick agreed to waive the legal formalities of extradition because he wanted to be tried in California to be closer to family, friends, and his defense lawyer John Yzurdiaga.(156)
The Punishment:
Charge: Kevin Mitnick was charged with 25 counts of computer and wire fraud, possessing unlawful access devices, damaging computers, and intercepting electronic messages.(157) Federal prosecutors estimate that the damage Mitnick caused is in the millions of dollars.(158)
Sentence: Cyber-criminal Kevin Mitnick's trial has tentatively been set for April 14, 1998, but may be pushed back by his own defense attorneys so they can analyze the mountain of computer data evidence.(159) The prosecutor, Assistant U.S. Attorney David Schindler, says he will seek a multiple-year jail sentence if Mitnick is convicted.(160)
Conclusion:
The arrest of Kevin Mitnick is a success story for the Cyber-cop, where all of the technical and legal aspects of cyber-criminal justice fell into place to obtain an arrest. We will have to wait and see how the justice system handles its first high-publicity computer-criminal case. The truth is that, for the moment, many less notorious cyber-criminals are doing the same kind of damage Kevin Mitnick was doing in 1994. With Cyber-criminals getting more adept at their trade, cyber-cops are going to need expanded resources and training to keep up with the onslaught of computer crime. More specialized rules of search and seizure need to be adapted to cover the various types of computer activity taking place. Traditional notions of jurisdiction and venue need to be updated for computer crime and codified to put the potential cyber-criminal on notice that he or she will be subject to the laws of distant states. The cyber-criminal must also know that they will be extradited to those states to stand trial. Finally, state and federal prosecutors need to become more familiar with the growing problem of cyber-crime, and become more comfortable with the specialized statutes available to them to punish cyber-criminals. The "technologically challenged" are being forced to learn about the changing technology that is becoming more and more a part of their lives. Perhaps in the future, the Cyber-criminal and the Cyber-cop will meet on a level electronic battleground.
ENDNOTES:
1. Bissinger, Kristin and Friedman, Marc, "'Infojacking': Crimes on the Information Super Highway", Journal of Proprietary Rights, Vol. 9, No. 5, 1997.
2. Id. at 1
3. Id.
4. Id.
5. Macavinta, Courtney, "New Scam: Scholarship Money", (http://www.news.com/News/Item/0,4,6711,00.00.html)
6. Bissinger et al. at 6.
7. See (http://www.takedown.com)
8. Bissinger et al. at 6
9. Id.
10. Id. at 5
11. Id. at 9
12. Id. at 9
13. Id. at 6
14. Shimomura, Tsutomu, Takedown: The Pursuit and capture of Kevin Mitnick, McNaughton Press, N.Y.
1996. See (http://www.takedown.com)
15. Id.
16. Id.
17. CNET Special Report: Crime on the net (http://www.news.com/News/Item/0,4,7754,00.html)
18. Goodman, Marc, "Why the police don't care About Computer Crime", Harvard Journal of Law and
Technology, Vol. 10, No. 3, Pages 465-494.
19. Id. at 478.
20. Id.
21. Id.
22. Id. at 480
23. Id.
24. Id.
25. Id. at 483
26. Id.
27. Id. at 484
28. Id.
29. Id.
30. Id.
31. Id. at 488.
32. Id.
33. Id.
34. Id. at 489
35. Id.
36. Id.
37. Id.
38. Id.
39. Id.
40. Id. at 491
41. Id.
42. Id.
43. Id. at 493
44. Winick, Raphael, "Searches and Seizures of Computers and Computer Data", Harvard Journal of Law
and Technology, Vol. 8, No. 1, Pages 75-128
45. Id. at 75-78
46. Id.
47. Id.
48. Id.
49. United States v. McAllister, 18 F.3d 1412, 1417 (7th Cir. 1994) as cited in Winick
50. Katz v. United States, 389 U.S. 347, 352 (1967) as cited in Winick
51. Id. at 85
52. An online system is a service a computer user would access via modem, which would then allow them, through the system, to access the internet and the world wide web.
53. A bulletin board system (BBS) is operated by a private citizen, wherein users access this bulletin board via modem to post messages. This "one to many" transfer of information receives its content entirely through other members of that particular bulletin board.
54. Winick at 96
55. Id. at 83
56. Id. at 90
57. Id.
58. Id. at 91
59. Id. at 92
60. Id. at 94
61. Id. at 96
62. Id.
63. Id.
64. Id. at 98
65. Id. at 100
66. Id. at 101
67. Id. at 102
68. See infra note 61.
69. United States v. Tamura, 694 F.2d 591 (9th Cir. 1982)
70. Tamura
71. Winick at 112
72. Id. at 114.
73. Burk, Dan L., "Jurisdiction in a World Without Borders", Virginia Journal of Law and Technology, Vol. 1, No. 3 (http://www.student.virginia.edu/vjolt/vol1/BURK.htm)
74. Id. at 5
75. Id.
76. Id.
77. United States v. Thomas, 74th F.3d 701 (6th Cir.1996) as cited in Burk
78. Thomas: (http://www.leepfrog.com/E-Law/Cases/US_v_Thomas2.html) at 2.
79. Id.
80. Id.
81. Id.
82. Id.
83. Id.
84. Id.
85. Id.
86. See infra note 78
87. United States v. Thomas, 74th F.3d 701 (6th Cir.1996)
88. Burk at 6
89. Id.
90. Lambert v. California, 355 U.S. 225 (1957)
91. Burk at 5
92. Id.
93. Perritt, Henry, "Jurisdiction in Cyberspace", Villanova Law Review, Vol.41, No.1, 1996, pg 1
94. Id. at 36
95. Id.
96. Id.
97. Id.
98. Id.
99. Id. at 37
100. Id. at 39
101. Id.
102. See infra note 87
103. United States v. Alvarez-Machain, 504 US 655, 669 (1992) as cited in Perritt
104. supra 418
105. Rosciszewski v. Arete Assoc., Inc. 1 F.3d 225 (4th Cir. 1993) as cited in Perritt
106. Benson et al., "Computer Crimes", American Criminal Law Review, Vol. 34, No. 2, pgs. 409-443
107. Id. at 425
108. United States v. Sykes, 4 F.3d 697
109. Benson at 419
110. Id. at 427
111. Id.
112. Id. at 419
113. Id.
114. Id. at 427
115. Id. at 420
116. Id.
117. Id. at 427
118. Bissinger, Kristin and Friedman, Marc, "'Infojacking':Crimes on the Information Super Highway",
Journal of Proprietary Rights, Vol. 9, No. 5, 1997.
119. Id. at 5
120. Id.
121. Id.
122. Id.
123. Id. at 4
124. S. 314 104th Cong., 1st sess. (1995) (http://www.acm.org/usacm/speech/comm_decency_act.html)
125. ACLU v. Reno, 929 F. Supp. 824, (E.D. Pa. 1996) (http://www.bna.com/e-law/cases/aclureno.html)
126. Reno v. ACLU ___ U.S. ___, 117 S. Ct. 2501, 65 U.S.L.W. 4715 (No. 96-511 June 26, 1997)
(http://www.bna.com/e-law/cases/reno0627.html)
127. Id.
128. Benson at 419
129. Markoff, John, "How Shimomura Snared the Prince of Hackers", 2/28/95 NY Times
(http://www.takedown.com/coverage/prince-hackers.html)
130. Id.
131. Shimomura, Tsutomu, Takedown: The Pursuit and capture of Kevin Mitnick, McNaughton Press, N.Y.
1996. See (http://www.takedown.com/bio/mitnick1.html)
132. Id.
133. Id.
134. Id.
135. Id.
136. Id.
137. Id.
138. Id.
139. Id.
140. Markoff at 1
141. Shimomura, Tsutomu, Takedown: The Pursuit and capture of Kevin Mitnick, McNaughton Press, N.Y.
1996. See (http://www.takedown.com/bio/tsutomu1.html)
142. Id.
143. Markoff, John, "How a Computer Sleuth Traced a Digital Trail" 2/15/95, N.Y. Times
(http://www.takedown.coverage/digital-trail1.html)
144. Id.
145. Id.
146. Id.
147. Id.
148. Id.
149. Id.
150. Id.
151. Id.
152. Id.
153. Id.
154. Meyer, Josh, "L.A. Hacker to Waive Extradition" 2/17/95 L.A. Times
(http://underground.org/newswire/latimes-021795.html)
155. Id.
156. Id.
157. Unknown author, "Sentencing of Computer Hacker Mitnick Delayed Before New Trial Opens"
10/7/96 Associated Press
(http://www.sddt.com/files/librarywire/96w ines/10_96/DN96_10_07/DN96_10_07_caa.html)
158. Houston, David, "Mitnick Trial Date Set", 10/8/97, City News Service
(http://209.81.0.27/10-08-97.html)
159. Id.
160. Id.