Saturday, May 24, 2008

"Crime" vs. "Cybercrime"

This is a follow-up to Atis’ comments on my last post, the one about the woman who was prosecuted for “computer crime” after she allegedly called into an automated unemployment office system and falsely indicated that she wasn’t working when, in fact, she was. The result was that she, apparently, got unemployment benefits when she should not have.

She was charged with computer crime, as I explained in that last post, to “access” a computer or computer system to commit theft.

I called the post “Computer Crime?” because while I can certainly see that what she did fit within the language of the statute, I don’t see why it was charged as computer crime, instead of plain old, garden variety crime.

As I noted in that post, and as I’ve said before, we have a well-developed repertoire of crimes because we, as a species, have had a lot of experience with crime. Crime, as I’ve explained in a number of law review articles, is an internal threat to social order and, as such, is something societies have to control if they are to survive and prosper.

They control crime – we cannot now, or in the foreseeable future, eliminate it, given human intelligence and the ability it creates to contumaciously refuse to follow rules – by defining certain behaviors and/or results as proscribed – “crimes” – and by defining other behaviors as acceptable. They do the latter through a process of socializing their members into the values and norms of that particular culture, which usually works well enough that only a subset of the populace will commit “crimes.”

Societies control the commission of crimes, as we all know, by having a dedicated, professional force that tracks down people who commit crimes and send them through the justice system, where they are tried, convicted or plead guilty and are then given certain sanctions. I’ve written in recent posts about the varied purposes of imposing those sanctions, so I’m not going to get into that here.

Here I want to elaborate on what I said in response to Atis’ first comment: As I noted above, and in response to Atis, what the defendant in the Colorado case allegedly did clearly fit within the state’s “computer crime” statute: If we accept the facts outlined in the opinion I cited in that last post, we see that the defendant called into the automated system for the purpose of obtaining money to which she was not lawfully entitled. The statute makes it a crime to “access” a computer system to commit theft. Since theft consists of purposely obtaining money or property that doesn’t rightfully belong to you, her alleged conduct qualifies and we have a literal violation of the statute.

My question, though, is “why computer crime?” Why not theft or fraud? Theft I defined above. Fraud is obtaining property from someone by tricking them into giving it to you. It seems to me her alleged conduct fits very nicely into fraud – she used the system to trick the state unemployment agency into giving her money to which she was not lawfully entitled (allegedly). It is true that she did not directly deceive an individual; she instead indirectly deceived the individuals who run the agency, but I don’t really see why that makes a difference.

As I noted in my last post, there was a British case in which the court found that it is not possible to “defraud a machine,” but I don’t think that issue comes up in the U.S. under a basic fraud statute. The reason I don’t think it comes up is, as I noted in my post on the British case, U.S. fraud statutes are “result” statutes, that is, they focus on the result, which is that someone uses deceit to get money or property to which they are not lawfully entitled. If our statutes focused on the “conduct” element of defrauding a human being, then the machine issue might be a problem . . . though I still think it should not, because it is humans who are ultimately defrauded out of their property. (Now, if and when we start dealing with sentient non-biological entities, it might be a problem.)

As I noted in my comments to Atis and in my last post, I also think there are good reasons to go with the generic, fraud charge rather than the computer crime charge.

One is that the computer’s role in a case like this is peripheral. This is not a case – like a denial of service or malware or hacking case – in which the computer plays a central role. The “harm” in the latter cases directly implicates the computer or computer system; the “harm” in the case above is the wrongful acquisition of property from a human-run agency.

Another reason is, I submit, that using the generic, traditional charge is less likely to cause problems at trial and on appeal. The appeal in this case dealt with whether she had “accessed” the computer system, and the conviction was reversed and the case was sent back for a new trial because of a disconnect between the language used in the charging document and the jury instructions . . . which, I submit, could probably have been avoided if she’d simply been charged with fraud.

Yet another reason is that I don’t think we need to keep creating new “crimes” when we have crimes defined that encompass the “harm” inflicted in a particular situation. As I explained above, we have two generic crimes – theft and fraud – either of which encompasses the “harm” allegedly inflicted in this case. So why not use them?

As I’ve argued in law review articles and in my latest book, I think the law has, for some very basic reasons, become distracted by the effects of technology . . . with the result that we tend to adopt technologically-specific crime laws (and other laws, as well). I think that distorts our proper focus. The focus of criminal law is discouraging and sanctioning the infliction of particular, socially-intolerable “harms.” It has not been on the method used to inflict “harm.”

So we have, for example, outlawed homicide – the killing of another human being. We have not outlawed homicide by gun, homicide by knife, homicide by poison, homicide by strangulation, homicide by beating, and so on. There’s no reason to – our concern is the “harm,” not the method.

Now, method is a legitimate concern in certain instances, such as when deadly force is used. That’s why we have the distinct offenses of “theft” (I take your laptop when you’re not looking) and “robbery” (I use a gun and forcibly take your laptop away from you). One encompasses the distinct “harm” inflicted or risked by the use of deadly force in committing an otherwise lesser crime. I can see the argument that computers play a similar role in certain kinds of cases, have, indeed, made a similar argument in a slightly different context. You can commit a lot more fraud with a computer and a 419 email than you can in person on by calling victims.

But the better way to do that, I think, is the way many systems deal with the use of deadly force – guns – in the commission of crimes: make it an aggravating factor at sentencing. That way you keep the focus of your criminal offense laws on the proper thing – the “harm” being inflicted – but you still encompass the heightened risk or heightened injury the perpetrator was able to inflict because he or she used a gun or a computer.

1 comment:

Anonymous said...

Here is the link to an article that was posted today (August 26th, 2010) titled; "Cyber War and the Emergence of the Borderless Criminal: Why the Melchert-Dinkel Serial Killer Case Should Be a Slam Dunk . . . For the Prosecution" in which I refer to one of your articles.

I look forward to your feedback Ms. Brenner on this as well as similar cases.