In 2001, I published an article on “virtual crime.” It analyzed the extent to which we needed to create a new vocabulary – and a new law – of “cybercrimes.” The article consequently focused on whether there is a difference between “crime” and “cybercrime.”
It’s been a long time, and cybercrime has come a long way, since I wrote that article. I thought I’d use this post to look at what I said then and see how it’s held up, i.e., see if we have any additional perspective on the relationship between crime and cybercrime.
In the article, I began by noting that in the Anglo-American common law tradition crimes have 3 elements: conduct (actus reus), intent (mens rea) and a forbidden result or “harm.”
Historically, crimes were committed in the real world, which means all 3 elements occur – more or less simultaneously – in the physical world. The law of crimes is has therefore been concerned with imposing liability and sanctions (e.g., death, incarceration, fines) for conduct that results in the infliction of corporeal harms, such as injury to persons or property or the unauthorized taking of another person’s property.
As I wrote in an earlier post, we tend to conceptualize cyberspace as if it were a “place,” probably because we lack a better analogy. For the purposes of this discussion, though, I’ll assume the analogy is apt. If we assume cyberspace is a domain that exists along with but apart from the real world, the question arises as whether the principles of criminal law we apply in the real world are adequate to address crimes the commission of which exploits the unique advantages of cyberspace. To answer this question in the negative (real world criminal law is not adequate for cybercrime), we have to conclude that crime and cybercrime differ as to the conduct used to inflict harm and/or as to the harms inflicted. Criminal law is, after all, about preventing the infliction of harm.
We should not simply assume criminal conduct vectored through cyberspace represents an entirely new phenomenon, i.e., cybercrime. It may represent nothing more than perpetrators’ using cyberspace to engage in conduct that has long been outlawed. The development of the telephone, for example, made it possible to perpetrate fraud in new and different ways, but fraud itself has been outlawed for centuries. If cyberspace is simply an implement that is being used to commit traditional crimes, then there probably is no need to recognize a separate category of “cybercrimes” and develop specialized legislation to deal with them; existing laws should be adequate to do so.
Law has, for example, long made it a crime intentionally to cause the death of another human being. For the most part, law defines this generically as homicide, rather than differentiating types of homicide depending on the method used to cause death. That is, we do not have method-specific crimes like “homicide by firearm,” “homicide by poison,” “homicide by stabbing,” etc. Instead, we focus on the harm that results from specific conduct -- conduct which is intended to cause the death of another person- -- and define a crime that encompasses that harm.
In analyzing whether cybercrime is distinct from crime, it is useful to consider whether law has confronted other situations in which the infliction of a harm sufficiently severe to warrant the imposition of criminal liability has been predicated on conduct that did not occur entirely in the real, physical world. I’ve found two instances in which this occurred.
The English Treason Act of 1351 made it a crime to “compass or imagine the death of our lord the King, or of our lady his Queen or of their eldest son and heir”. This is an example of a “thought crime,” i.e., a crime which does not require that the perpetrator commit a volitional act in our shared, external reality which causes, attempts to cause or threatens to cause harm to someone or something. The Treason Act of 1351 punished people for their thoughts alone. (Please don’t ask me how often it was used; I’d like to know that myself, but haven’t found any data on the topic.)
The Treason Act of 1351 is an historical aberration: Anglo-American law has for a long time rejected the use of thought crimes, for various reasons. One is that as long as I do nothing more than think bad things, I have not caused harm in the real-world; criminal law is concerned with controlling harmful behavior, not internal malice. Another reason is that laws like this are obviously subject to abuse; when I read this statute, I imagine Lord A, who’d like to get Lord B out of the way as a potential rival, accusing Lord B of imagining the death of the King; I’ve no idea what, if any evidence Lord A had to produce to get the King to act on that claim. I fear it wasn’t much, which is yet another reason why Anglo-American law, anyway, doesn’t criminalize thoughts: There’s too much room for such a law to be abused. And then there is the matter of freedom -- of letting people think what they choose as long as they don’t act on it.
The first instance in which Anglo-American law departed from predicating criminal liability on conduct that did not occur in the real-world is therefore not helpful in thinking about cybercrime. If may have been simply a symbolic gesture, a way of underlining the extent to which subjects should respect the Royal Family.
The other instance was definitely not symbolic; it resulted in thousands of prosecutions and executions in Europe in the 15th, 16th and 17th centuries. I refer, of course, to witchcraft.
Unlike imagining the king’s death, a crime no element of which manifested itself in the real world, witchcraft incorporated both virtual world and real world elements. Until 1951, English law made it a crime to engage in witchcraft, which was defined to include “invoking any evil spirit, or consulting, covenanting with, . . . or rewarding any evil spirit . . . or killing or otherwise hurting any person by such infernal arts” or using them to enrich oneself. United Kingdom - Witchcraft Act 1735. This crime targeted the harm of using one’s power over the virtual world to summon evil spirits to injure others, harm their property and/or enrich oneself. As I said, thousands and thousands of people were convicted of witchcraft.
We no longer have the virtual crime of witchcraft because we no longer believe one can manipulate forces in the “spectral world” to influence things in the real world. For the purposes of argument, though, let’s assume we still entertain such a belief and therefore still have the crime of witchcraft. That crime would consist of using evil spirits for any of the purposes noted above, i.e., hurt someone, damage property and/or reap a profit.
If we believe it is possible to manipulate evil spirits to this end, then it is reasonable to use this crime to impose liability on those who do this; unlike those who committed the thought crime of imagining the king’s death, those who commit this crime are using virtual world forces to have an effect on persons and property in the real world. In that regard, I can see an analogy between witchcraft and cybercrime: In both instances, the perpetrator is physically situated in the physical world, which means that at least a portion of the actus reus plus the offender’s mens rea are real world phenomena. In both, the perpetrator manipulates virtual world forces to harm someone or some thing in the real world.
So what?, you ask. In the article I argued that even though cybercrime – like witchcraft – departs from the traditional model of crime insofar as it involves the use of “otherworldly” forces, this, alone, does not justify creating specific cybercrime offenses. In other words, I argued that even though it involves conduct vectored though a non-corporeal reality, cybercrime is merely a method crime, i.e., crime the commission of which is distinct due to the tool the perpetrator uses. So I argued that we do not need a “law of cybercrimes;” we can address cybercrime by using traditional offenses that are revised, as necessary, to encompass the digital versions of these crimes.
And I haven’t changed my mind. I have been thinking about the witchcraft trials a bit, but not because of the crime-cybercrime issue. I’ve been thinking of an issue that came up during the Salem witchcraft trials: spectral evidence. In the Salem trials, as in earlier witchcraft trials held in England, the judges had to decide if it was permissible to admit spectral evidence, i.e., evidence that (allegedly) came from evil spirits and other denizens of the non-corporeal reality that (allegedly) supported witchcraft. The concern was whether or not the evidence was reliable because, of course, only the person who’d “conversed” with the evil spirit could verify what it said.
There was quite a debate about that. Cotton Mather, a prominent minister involved in the Salem trials, wrote a book – Wonders of the Invisible World -- defending the use of spectral evidence. He also cautioned that a conviction should not be based purely on spectral evidence because of its innate uncertainty. Cotton’s father – Increase Mather – disagreed; he said spectral evidence should not be used in witch trials. Increase Mather famously said “It were better that Ten Suspected Witches should escape, than that one Innocent Person should be Condemned."
And does that have to do with cybercrime, you ask? I’m not sure. I find myself thinking of the spectral evidence issue because I wonder if there are any analogies to digital evidence. I spoke at a conference recently where I was on a panel with a prosecutor; the prosecutor said, at one point, that defense attorneys are not, as yet, doing a good job of challenging prosecutors when it comes to digital evidence. He seemed to think they’re not as conversant with the technology and the issues it raises (can be used to raise) as they could be, and certainly will be. When I have conversations like that, I for some reason think of the old debate over spectral evidence. Maybe because it’s the only previous instance I know of in which courts had to consider the admissibility of “otherworldly” evidence.