Friday, February 13, 2009

"Damage"

This is not a post that's going to resolve an issue of law or policy related to computer crime. It's a post in which I'm trying to work through an issue that came to my attention recently.

More precisely, it’s a rumination on the notion of “damage” to computers; more precisely, it’s a rumination on the notion of “damage” to computers as the term is used in cybercrime statutes.


The post (and rumination) was prompted by a conversation I had with a European cybercrime expert who’s a visiting scholar at my law school this term. We were talking about cybercrime and “damage” and he said that some, at least, European countries criminalize the infliction of (i) damage to data and (ii) damage to a computer, as such.

I found that an intriguing idea, since our cybercrime cases (and those I’ve seen from abroad) usually focus on damage to data. Maybe that’s just a function of the motives that prompt people to commit cybercrimes: They commit cybercrime to steal, to extort money or other property, to alter data for some criminal purpose, and to delete data for the same purpose. So maybe my implicit assumption that “damage” in the context of target cybercrimes – cybercrimes that target a computer or computer data, rather than a person – refers to the alteration, deletion or copying of data, not to actually damaging a computer, as such.

My conversation with our visiting scholar made me think about two issues: One is whether it is possible to use cyberspace to physically damage computer hardware; the other issue arises only if we decide that it is, in fact, possible to use cyberspace to damage computer hardware. This issue is whether, given that possibility, we need specific cybercrime statutes that make it a crime to damage computer hardware, since arguably such damage could be prosecuted under a general criminal property damage statute.

I did find statutes that seem to incorporate the distinction our visiting scholar noted. The German Penal Code has different statutes dealing with damage to data and damage to a computer. Section 303a of the German Penal Code makes it a crime to delete, suppress, render unusable or alter data. Section 303b makes it a crime to interfere “with data processing which is of substantial significance to the business or enterprise of another or a public authority by” doing either of two things: The first is violating § 303a of the German Penal Code. The second is “destroying, damaging, rendering unusable, removing or altering a data processing system or a data carrier”. So it looks like § 303b criminalizes the act of damaging a computer system which, I assume, encompasses causing physical damage to the system.

That brings me back to the first issue I noted above: Is it possible to use signals transmitted via cyberspace to cause physical damage to computer hardware? The general federal cybercrime statute – 18 U.S. Code § 1030 – seems to encompass physical damage to a computer. Section 1030(e)(8) defines the term “damage” as used in the statute as “any impairment to the integrity or availability of data, a program, a system, or information”. That definition obviously encompasses damage to data, but the reference to impairing the integrity of a system might be construed as criminalizing the act of causing physical damage to a computer or computer system.

I can’t find any reported U.S. cases that specifically address this issue. (That doesn't mean cases don't exist; it means they haven't been published by a law reporting service like Westlaw or Lexis.) The issue of physical damage to a computer arises in a few civil cases involving insurance claims for physical damage to a computer or computer system.

In a case from 2000, a federal court held that a company’s computer system sustained direct physical damage because “`physical damage” is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” American Guarantee & Liability Insurance Co. v. Ingram Micro, Inc., 2000 WL 726789 (U.S. District Court for the District of Arizona 2000). Another court dealing with a similar issue found that “one cannot suffer direct physical loss to computer data without corresponding physical damage to a computer system.” Greco & Trafficante V. Fidelity & Guaranty Insurance Co., 2009 WL 162068 (California Court of Appeals 2009).


I also found a Washington state statute that defines “physical damage” in the context of computers. Here’s what it says:
`Physical damage" in addition to its ordinary meaning, shall include the total or partial alteration, damage, obliteration, or erasure of records, information, data, computer programs, or their computer representations, which are recorded for use in computers or the impairment, interruption, or interference with the use of such records, information, data, or computer programs, or the impairment, interruption, or interference with the use of any computer or services provided by computers.
Washington Revised Code § 9A.48.100(1). I found a Washington Court of Appeals case that cites this statute and then notes that the “ordinary meaning of `damage’ is injury or harm to property.” State v. Norng, 2007 WL 743245 (Washington Court of Appeals 2007). So I guess under this statute, “physical damage” to computer hardware means “injury or harm” to the property, not that this really gets us anywhere.

Finally, I found an article in an ABA journal which quotes a lawyer “who specializes in technology issues” as saying that in “criminal law, . . . individuals who are hackers or install malicious code on computers `damage’ the physical computer because the hard drive is changed.” Hope Viner Samborn, AOL's Insurance Company is Off the Hook for Version 5.0 Damages, ABA Journal EReport (2002). Maybe that answers the question; maybe, as the Greco & Trafficante court said, you can’t have damage to data without also having physical damage to computer hardware.

That brings me to the second issue I noted much earlier in this post: If it is possible to use signals/data transmitted via cyberspace to cause damage to computer hardware, do we really need computer-specific damage statutes?

Assuming this is possible, couldn’t we simply prosecute someone who did this under a general criminal property damage statute? The Kansas criminal damage to property statute, for example, makes it a crime to intentionally injure, damage, mutilate, deface, destroy, or substantially impair “the use of any property in which another has an interest without the consent of” that person. Kansas Statutes § 21-3720(a)(1).


As I said, this post is inconclusive. I’ll think about these issues some more, do some more research and see if I can come up with any answers. Maybe the answer is very simply: Maybe I’m completely off base and there really aren’t any live issues here.

1 comment:

Unknown said...

These split hairs are like saying that using a gate on a property without permission also damages the gate. The friction that is a natural consequence of using the gate damages it to some degree. The state of the gate has changed. So do you add property damage to a trespass charge?

The intended proper use of any object will probably cause some wear and tear to that object. Do we charge people with property damage when they use something without permission?

Any use of a harddrive will cause a normal wear and tear damage. It is being used as intended.

Having said that, I have caused damage to my own computers CPUs and NICs and Harddrives using malicious software tools. These tools could have been used over the Interweb. An easy example of this is flashing hardware with a bad firmware revision. Damage to routers or other equipment could easily be done if access is already aquired.