This article has been written by Sagnik Mukherjee pursuing a Diploma in Business Laws for In-House Counsels. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho).
Every scenario has two sides, it is only judicious to look at both and decide if you want to see yourself as a victim or a learner. Borrowing this analogy, COVID has been a disastrous event that will forever be a blotch in our history. However, it has pointed out various vulnerabilities and the need for development in our daily life ranging as far and wide as medical care to government responsibilities and others that need immediate attention to prevent future hazards.
One such sector would be cyberspace. We may have been physically restricted to step outside, but the doors of cyberspace were kept wide open. The global cyber community witnessed a sporadic expansion with much traditional physical work moving online, something that was previously unimaginable. As it is, our reliance on the internet is more than what it has ever been before. A little under two decades ago, having access to the internet was similar to owning a piece of fancy furniture, which you may or may not have the most use for. Yet today basic internet services are critical to earning your bread and butter for a large portion of the population. With the addition of corporations, schools, recreational institutions making a paradigm shift to the online sphere, we are swimming much deeper than ever before and from where it stands the Internet is the first and last resort for most of us. It is therefore extremely important to take a good look at the cyber laws protecting the people today from various cyber-crimes.
Developments in the cybersphere
It would be naive to not acknowledge the impossible possibilities that the internet has actually materialized in this period that has helped propel humankind’s competence to uncharted levels. Nevertheless, it would be equally naive to not talk about the lurking danger in the vast and mostly unexplored meadows of cyberspace.
Continuing with the same analogy of COVID, the determined reproductive rate of the virus is anywhere between two to three times without the practice of social distancing. Thus factoring in a rough population estimate of a state like New York which has approximately eight million people, the infection would double every three days before lockdown.
On the contrary, the reproductive rate of cyber-attacks is twenty-seven times or more once a machine is infected. A devastating computer worm from 2003 known as the Sapphire worm doubled in size in around 8.5 seconds thereby affecting a population of 10 million in or about twenty-four hours.
In 2018, cases of online identity theft were to the tune of 16,128, and non-delivery fraud of objects sold or bought through e-commerce was about 65,116. Considering how most of us were addicted to social media especially during this period of never-ending boredom and feeling of doom, it is quite natural that a large population tends to seek escape and solace in searching for romantic relationships online. The reported losses of victims of romance scams and confidence fraud sit at 92.5 million USD during the peak COVID period in the US. Irrespective of whether you are an individual or a Fortune 500 corporation, cyber victimization does not discriminate.
Although the United States of America has some of the most established and robust laws and security frameworks for cyberspace, every day it faces thousands of crimes committed through the means of computers and its related networks. Through this article, we take the opportunity to glance at the USA’s laws for crimes related to cyberspace.
What constitutes Cybercrime
The term Cybercrime is used as a genus under which, there thrive various species of illegal activities. The end means of which are achieved via unauthorized access and use of computers and computer networks.
For instance, with the advent of social media, a common incident is people commenting with rude or unsavoury words toward public figures or normal individuals for a variety of reasons. Such action over cyberspace can be termed harassment and is classified as a cybercrime. It entails various patterns of online behaviour which are deliberately done to inflict considerable emotional distress to any person who might talk about an unpopular opinion or against the self-determined rights and beliefs of the harasser. Cyber harassment can have an acute impact on a victim’s life too. It leads to psychological and emotional harm, disrupts the victim’s career and reputation along with causing defamation and consequential anxiety. If the victim is a student, it can interfere with their education to a great extent as well. In addition to psychological and social damage, cyber harassment has been found to have led to sexual assaults as well and driven up the suicide rates.
The 1980’s brought with it the dawn of criminal activities that were assisted by computers. The law enforcement agencies quickly felt the heat and found an empty arsenal to fight such crimes.
The wire and mail fraud provisions of the Federal Criminal Code had limited operability and did not provide the full range of tools needed. Congress quickly stepped in and started off by making it a felony to access classified information and financial or credit histories on computers either belonging to governments or institutions without proper authorization.
However, with the passage of time and more sophistication in methods of attack by cybercriminals, Congress made further clarifications and additions to the provisions of laws. It laid down the same in a cumulative form and named it as Computer Fraud and Abuse Act (CFAA) which helped deal with both criminal and civil penalties to perpetrators.
New additions included:-
- Penalty for theft of property via computer as a method of defrauding.
- Penalty for intentionally destroying data belonging to others.
- Expanded the provisions to penalize publicly disclosing stolen information.
- Recognizing the act of conspiring to commit computer hacking as illegal.
- Broadening the definition of protected computers.
The most recent update to the CFAA includes further seven types of criminal activity
|Obtaining National Security Information|
|Accessing a Computer and Obtaining Information|
|Trespassing in a Government Computer|
|Accessing a Computer to Defraud & Obtain Value|
|Intentionally Damaging by Knowing Transmission|
|Recklessly Damaging by Intentional Access|
|Negligently Causing Damage & Loss by Intentional Access|
|Trafficking in Passwords|
|Extortion Involving Computers|
Further, the much more regular variety of cybercrimes include hacking, DDOS attack, phishing, distribution of malware, electronic theft, etc.
Therefore, reiterating what we previously stated, encompassing cybercrime within a handful of possible variations is infeasible. Any criminal activities committed with aid of computer or computer networks qualify as cybercrimes.
Is Cyber terrorism an identical twin or a distant cousin of Cyber Crime
Considering how we have till now hammered at the idea that any criminal activity conducted via the means of the cyber domain can be loosely categorized as a species of cybercrime, it is pertinent to mention to the reader that the road does bifurcate into two at a certain juncture.
Cyber terrorism is a different breed altogether. Yes, it is once again achieved via the aid of the cyber domain, however, the mens rea active in this scenario vastly differs from the one present in cybercrime and quite naturally so are some of the tools provided by law to tackle it.
To elucidate the difference further, we shall try to determine the basic accepted idea behind the two terms, i.e. crime and terrorism. In my opinion, “crime” is a more personal complication whereas “terrorism” is a political complication. Terrorism often ends with inflicting widespread damage. The United State statutes define terrorism as “an act to coerce a civilian population, to influence government policy by intimidation or coercion or to affect the conduct of a government by mass destruction, assassination or kidnapping”. Therefore for an act to qualify as cyber terrorism the mens rea behind it has to be represented by that of a specific group’s political, religious, or ideological interests. For instance, in 1998, a Srilankan guerrilla faction sent about 800 emails a day to one of its government organs for a straight period of two weeks. The contents of the email read “We are the Internet Black Tigers and we’re doing this to interrupt your communications”. Cyber security experts recall this as the first known case of a terrorist organization utilizing cyberspace to disrupt governmental activities for self-gain.
Development of the law
Unlike the law enforcement agencies from and before the early 1980’s, the development of laws to curtail criminal activities in cyberspace has developed manifold, all the more considering how cyberspace is a fundamental aspect of America, entwining both its economy and defence. In the aftermath of the Cold War, analysts from the various security agencies of the US started to research and propose the next possible attack on the US and draw attention to various exposures in the defense of its homeland. Hence, as a result of years of investment and meticulous planning, the rules and regulations in effect today are some of the most robust in the world.
The US being a federal structure of governance, chose to tackle these concerns of cyber security and laws at the federal level and through sector-specific rules and regulations.
For instance, crimes related to the healthcare sector are dealt with by the Health Insurance Portability and Accountability Act (HIPAA). The financial sectors are dealt with by the Gramm Leach Bliley Act (GLBA) and the Federal Information Security Act (FISMA).
However, as mentioned earlier the go-to statute for prosecuting cyber crimes remains to be CFAA, and for very good reasons. It encompasses mostly all aspects of typical cybercrimes and provides both a civil and criminal remedy to the aggrieved. Another relevant law would be the Electronic Communications Act (ECPA) which protects communications in storage or while in transit e.g. email services. Again being a federal structure the advantage lies with the states to pass and enact laws that they think can be beneficial for the population of their state. E.g. New York prohibits the use of computers with the specific intention to gain access to its materials and deals out severe penalties such as prison time varying from 4-15 years depending on the severity of the crime.
Overreaching effects of the law
As much as it is there to protect and serve the innocent, sometimes a loose framing, ill-defined, or expansively wide interpretation can have a boomerang effect. Having state-backed law enforcement agencies throwing your liberty and freedom out of the window based on their own set of paranoid allegations is just as bad as being a victim of a crime. The following are an example of the same:
Van Burne vs United States
Former Georgia police sergeant Nathnan Van Burne was convicted under the CFAA for accessing the law enforcement database to search for information regarding a license plate in exchange for money. Unknown to Mr. Van Burne he was in the crosshairs of an FBI sting operation. The charges brought against him were for “intentionally accessing a computer without authorization or exceeding authorized access”. Mr. Van Buren was found guilty by the jury and was sentenced to 18 months in prison. Fortunately, the decision was reviewed and overturned by a 5 judge bench that believed the interpretation used was draconian and stated that if violating terms of service is labelled as a crime without investigating the situation through and through, private companies would put half the nation behind bars by now.
Aaron Swartz was an Internet activist who was indicted in 2011 for allegedly connecting to a network and downloading 2.7M academic copies that were anyway freely available to be downloaded from JSTOR. Although JSTOR did not press any charges for the same, the Justice Department took it upon themselves and charged Swartz with 13 counts of felonies as he faced 50 years in prison and a potential fine of 50M USD.
This indictment could be validated because of the loose framing of the CFAA for a crime that should have at the most attracted a decision of misdemeanour.
Lori Drew was a middle-aged mother charged with hacking in 2008 for violating the terms of MySpace after she conspired with three other people to open a fake account and bully a girl who had a fallout with Drew’s daughter. The girl subjected to the bullying later went on to commit suicide. Under public pressure, the statutes of CFAA were again interpreted at will, and Lori Drew in absence of any law against cyberbullying was charged with unauthorized access to MySpace’s computers. Although the jury found her guilty, the judge refused the conviction and stated the CFAA was constitutionally vague and would open multiple innocent internet users into criminal charges if this was allowed.
The above article was a brief attempt to differentiate and understand the state of Cybercrime and Cyber laws in the US. Along With an increase in the usage and power of cyberspace, there needs to be commensurate protection via laws against all forms of cyber-crime. Hopefully, through this article, the reader will have an opportunity to grasp some material information regarding the laws in the USA protecting people from cybercrimes and leave with a better picture of the current state of affairs in the matter.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: