Wednesday, February 01, 2006


This is a blog about “cybercrime.”

It seems appropriate, then, to begin by defining what we’ll
be talking about – by trying to define what “cybercrime” is.

I checked an online dictionary and found that it defines “cybercrime” as “a crime committed on a computer network”. I think that’s a good definition, as far as it goes.

The problem I have with this definition is that, as an American lawyer, I have to be able to fit the concept of “cybercrime” into the specific legal framework we use in the United States . . . and into the more general legal framework that ties together legal systems around the world.

And that leads me to ask several questions: What, precisely, is “cybercrime?” Is “cybercrime” different from plain old “crime?” If so, how? If not, if “cybercrime” is really just a boutique version of “crime,” then why do we need a new term for it?

Let’s start by trying to parse out what “cybercrime” is and what it is not. The perfectly logical definition quoted above says “cybercrime” is “a crime” that is committed on a computer network. I’d revise that a bit . . . for a couple of reasons.

One is that this definition assumes that every “cybercrime” constitutes nothing more than the commission of a traditional “crime,” albeit by different means (by using a computer network). As I’ve argued elsewhere, that is true for much of the cybercrime we have seen so far. For example, online fraud such as the 419 scam is nothing new, as far as law is concerned; it’s simply “old wine in new bottles,” old crime in a slightly new guise.

Until the twentieth century, people had only two ways of defrauding others: They could do it face to face by, say, offering to sell someone the Brooklyn Bridge for a very good price; or they could do the same thing by using snail mail. The proliferation of telephones in the twentieth century made it possible for scam artists to use the telephone to sell the Bridge, again at a very good price. And now we see twenty-first century versions of the same thing migrating online.

As I’ve explained
elsewhere, the same thing is happening with other traditional crimes, such as theft, extortion, harassment, vandalism and trespassing. So far, it seems that a few traditional crimes -- like rape and bigamy -- probably will not migrate online because the commission of these particular crimes requires physical activity that cannot occur online, at least not unless and until we revise our definitions of these crimes.

The same cannot be said of homicide: While we have no documented instances in which computer technology was used to take human life, this is certainly conceivable, and will no doubt occur. Those who speculate on such things have postulated instances in which, say, someone hacks into the database of a hospital and kills people by altering the dosage of their medication. The killer would probably find this a particularly clever way to commit murder, since the crime might never be discovered. The deaths might be erroneously put down to negligence on the part of hospital staff; and even if they were discovered, it might be very difficult to determine which of the victims was the intended target of the unknown killer.

But I digress. My point is that while most of the cybercrime we have seen to date is simply the commission of traditional crimes by new means, this is not true of all cybercrime. As I explain
elsewhere, we clearly have one completely new cybercrime: a distributed denial of service (DDoS) attack. A DDoS attack overloads computer servers and effectively shuts down a website. In February of 2000, someone launched DDoS attacks that effectively shut down and eBay, among other sites.

DDoS attacks are increasingly used for extortion; someone launches an attack on a website, then stops the attack and explains to the owner of the website that attacks will continue unless and until the owner pays a sum for “protection” against such attacks. This simply represents the commission of an old crime (extortion) by new means. It is a tactic the Mafia was using over half a century ago, though they relied on arson instead of DDoS attacks.

But a “pure” DDoS attack such as the 2000 attacks on and eBay is not a traditional crime. It’s not theft, or fraud, or extortion or vandalism or burglary or any crime that was within a pre-twentieth century prosecutor’s repertoire. It is an example of a new type of crime, a “pure” cybercrime. As such, it requires that we create new law, which makes it a crime to launch such an attack. Otherwise, there is no crime, which is currently the situation in Britain; the UK’s 1990 Computer Misuse Act outlawed hacking and other online variants of traditional crime, but did not address DDoS attacks.

So, one reason I find the definition above unsatisfactoryis that it does not encompass the proposition that cybercrime can consist of committing “new” crimes – crimes we have not seen before, and that we may not have outlawed yet – as well as “old” crimes.

The other reason I take issue with the definition I quoted above is that it links the commission of cybercrime with the use of a “computer network.” This is usually true; in fact, the use of computer networks is probably the default model of cybercrime. But it is also possible that computer technology, but not network technology, can be used for illegal purposes. A non-networked computer can, for example, be used to counterfeit currency or to forge documents. In either instance, a computer, but not a computer network, is being used to commit an “old” crime.

This post has gone on too long, I suspect, so I shall stop . . . for now.

No comments: