36 Am. Crim. L. Rev. 397
American Criminal Law Review
Summer 1999
COMPUTER CRIMES
Michael Hatcher
Jay McDannell
Stacy Ostfeld
Copyright © 1999 by the Georgetown University Law Center; Michael Hatcher,
Jay McDannell and Stacy Ostfeld
I. INTRODUCTION ...................................................... 397
A. Defining Computer Crime ........................................ 398
B. Types of Computer-Related Offenses ............................. 400
II. FEDERAL APPROACHES ............................................... 401
A. Federal Criminal Code .......................................... 402
1. National Information Infrastructure Protection Act of 1996 .. 403
a. Offenses Under the Statute ............................... 403
b. Defenses ................................................. 406
c. Sentencing ............................................... 408
2. Other Statutes .............................................. 410
a. Copyright Act ............................................ 410
b. National Stolen Property Act ............................. 412
c. Mail and Wire Fraud Statutes ............................. 413
d. Electronic Communications Privacy Act ................. 414
e. Telecommunications Act of 1996 ......................... 416
f. Child Pornography Prevention Act of 1996 ............. 418
B. Enforcement Strategies ......................................... 419
C. Ancillary Issues ............................................... 422
1. Searches of Computer Records .............................. 422
2. First Amendment Issues ...................................... 424
III. STATE APPROACHES .................................................. 425
A. Overview of State Criminal Codes ............................. 425
B. Conflict Between State and Federal Laws ................... 430
C. Prosecution of Computer-Related Crimes ......................... 431
D. State Personal Jurisdiction and Venue Issues ............. 434
IV. INTERNATIONAL APPROACHES ................................... 435
A. Internet-Related Regulation .................................... 437
B. International Convergence and Cooperation ..................... 438
C. Encryption Regulation .......................................... 440
V. RECENT DEVELOPMENTS ............................................ 443
I. INTRODUCTION
This Article tracks developments in computer-related criminal law and legal literature, analyzes federal, state, and international approaches to computer crime legislation and enforcement, and reviews recent developments in these areas. Section I defines computer crime, discusses the different forms it can take, and explores the extent of this problem. Section II describes the federal statutes used for prosecuting computer crimes and analyzes their defenses, sentencing, and *398 enforcement strategies. Section III treats state approaches to combatting computer crime and the resulting federalism issues. Section IV addresses international approaches. Finally, Section V tracks emerging issues, including data encryption.
A. Defining Computer Crime
The rapid emergence of computer technologies and the Internet's [FN1] exponential expansion have spawned a variety of new criminal behaviors and an explosion in specialized legislation to combat them. [FN2] While the term "computer crime" includes traditional crimes committed with a computer, [FN3] it also includes novel, technologically specific offenses that are arguably not analogous to any non-computer crimes. [FN4] The diversity of computer-related offenses, however, renders *399 any narrow definition untenable. The Department of Justice ("DOJ") broadly defines computer crimes as "any violations of criminal law that involve a knowledge of computer technology for their perpetration, investigation, or prosecution." [FN5]
Accurate statistics on the extent of this phenomenon have proved elusive [FN6] because of the difficulty in adequately defining computer crimes. [FN7] The statistics are also untrustworthy due to victims' failures to report incidents because of (1) fear of losing customer confidence; [FN8] and (2) lack of detection. [FN9] The aggregate annual losses to businesses and governments, however, are estimated to be in the billions of dollars. [FN10]
*400 B. Types of Computer-Related Offenses
There is no "typical" computer-related crime and no "typical" motive for committing such crimes, although common motives include exhibiting technical expertise, highlighting weaknesses in computer security systems, punishment or retaliation, computer voyeurism, asserting a belief in open access to computer systems, or sabotage. [FN11] Computer criminals can be youthful hackers, [FN12] disgruntled employees and company insiders, [FN13] or international terrorists and spies. [FN14] Because *401 of the vast variety of computer-related crimes and motives, computer-related crimes are classified according to the computer's role in the particular crime. [FN15]
First, a computer may be the "object" of a crime: the offender targets the computer itself. This encompasses theft of computer processor time and computerized services. Second, a computer may be the "subject" of a crime: a computer is the physical site of the crime, or the source of, or reason for, unique forms of asset loss. This includes the use of "viruses," [FN16] "Trojan horses," [FN17] "logic bombs," [FN18] and "sniffers." [FN19] Third, a computer may be an "instrument" used to commit traditional crimes in a more complex manner. For example, a computer might be used to collect credit card information to make fraudulent purchases. [FN20]
II. FEDERAL APPROACHES
This Section examines the major federal statutes directed at computer-related crimes and describes some of their practical shortcomings. Part A discusses the federal criminal code (Title 18), including the National Information Infrastructure Protection Act of 1996 ("NIIPA"). [FN21] Part B describes enforcement strategies. Part C examines sentencing under federal computer crime legislation, and Part D treats search and seizure and First Amendment issues.
*402 A. Federal Criminal Code
Rather than attempting to deal with computer crime by amending every traditional statute to encompass new technologies, [FN22] Congress has treated computer-related crimes as distinct federal offenses since the passage of the Counterfeit Access Device and Computer Fraud and Abuse Law in 1984. [FN23] The 1984 Act was intentionally narrowly tailored to protect classified United States' defense and foreign relations information, financial institution and consumer reporting agency files, and access to computers operated for the government. [FN24] Subsequently, the volume of such legislation greatly expanded to address the many types of computer-related crimes. [FN25] As new computer crime issues have arisen and more statistics have become available, the law has attempted to adapt. In the Computer Fraud and Abuse Act of 1986, [FN26] Congress expanded the scope of the law and attempted to define its terms more clearly. [FN27] Congress continued to expand the scope of the computer crime law in 1988, [FN28] 1989, [FN29] and 1990. [FN30] In 1994, Congress rewrote part of the Act again, [FN31] and it has also recently passed the National Information Infrastructure Protection Act of 1996 (NIIPA). [FN32]
*403 1. National Information Infrastructure Protection Act of 1996
The 1996 Act contains the most recent amendments to the Counterfeit Access Device and Computer Fraud and Abuse Law, and also includes several significant modifications. [FN33]
a. Offenses Under the Statute
One important change the 1996 Act effectuated was the substitution of the term "protected computers," for "federal interest computers," throughout the statute. [FN34] Previously, the 1994 Act only covered crimes involving computers located in more than one state. [FN35] Because "protected computers" includes those used in interstate commerce or communications, the statute now protects any computer attached to the Internet, even if all the computers involved are located in one state. [FN36] Section 1030(a) contains seven major subsections, each aimed at specific acts of computer-related crime:
Subsection 1030(a)(1) makes it a crime to access computer files without *404 authorization or in excess of authorization, [FN37] and subsequently to transmit classified government information. [FN38]
Subsection 1030(a)(2) prohibits obtaining, [FN39] without access or in excess of authorized access, information from financial institutions, [FN40] the U.S. government, or private sector computers used in interstate commerce. [FN41]
While Subsection 1030(a)(2) prohibits obtaining information, Subsection 1030(a)(3) proscribes intentionally accessing a U.S. department or agency nonpublic computer without authorization. [FN42] It states that if the government or a government agency does not use the computer exclusively, the illegal access must affect the government's use. The prior requirement of 1030(a)(3)--that the access "adversely" affect the government's use--was removed by the 1996 Act, eliminating the possible defense that the access was benign. [FN43]
Section 1030(a)(4) prohibits accessing a protected computer, without or beyond authorization, with the intent to defraud and obtain something of value. There is an exception if the defendant only obtained computer time with a value less than $5,000 per year.
The 1996 Act solved many problems created by the 1994 Act revisions to § 1030(a)(5), which addresses computer hacking. First, by applying the section only to computers used in interstate commerce or communication, § 1030(a)(5) under the 1994 Act may have inadvertently decriminalized hacker attacks on *405 intrastate government and financial institution computers. The 1996 Act solved this problem by including interstate, government, and financial institution computers as "protected computers." [FN44] Second, the 1986 Act required that damage be done by those without authorized access, so insiders who intentionally damaged computers that they were authorized to access were not covered. The 1994 Act corrected that by removing the trespass requirement and adding an intent or recklessness element while leaving negligent trespassers uncovered. The 1996 Act resolved this discrepancy. [FN45]
Under the current statute, it is always a crime to cause damage intentionally [FN46] to a protected computer by "transmission of a program, information, code, or command," regardless of authorization to access the computer. [FN47] It is also a crime to cause damage (recklessly, negligently, or otherwise) if the protected computer was intentionally accessed without authorization. [FN48] Thus, company insiders and authorized users are culpable for only intentional damage, while unauthorized users, such as hackers who cause the transmission of malevolent software, including viruses, are responsible even if the transmission was only reckless [FN49] or negligent. [FN50]
Section 1030(a)(6) prohibits one from "knowingly" and with intent to defraud trafficking in passwords that either would permit unauthorized access to a government computer, or affect interstate or foreign commerce. [FN51]
Finally, § 1030(a)(7), added in 1996, makes it illegal to transmit in interstate or foreign commerce any threat to cause damage to a protected computer with intent to extort something of value. [FN52] This section would cover such offenses as hackers *406 threatening to crash a system if not given system privileges, [FN53] or encrypting someone's data and demanding money for the key. [FN54]
The 1996 Act differentiates between conduct that involves improper access or compromising of privacy and conduct in which the defendant uses such access for pernicious purposes by transforming misdemeanor sections (a)(2), (a)(3), (a)(5)(c), and (a)(6) into felonies if such violation is committed for financial gain, in furtherance of any criminal or tortious act, or if the value of the obtained information exceeds $5,000. [FN55] Section 1030(g) provides an incentive for victims to report [FN56] computer-related crimes by allowing civil remedies for victims of intentional computer crime. [FN57] This section punishes an attempt to commit an offense as if the offense actually occurred. [FN58] The Act expressly grants investigatory authority to the United States Secret Service, in addition to any other agency having such authority. [FN59]
b. Defenses
The 1996 Act affected many of the defenses available under § 1030, including defenses related to jurisdiction, statutory interpretation, especially as it relates to intent, and the amount of damages. Remaining defenses include the claim that the hacker did not "obtain anything of value," or did not cause losses of over $5,000.
The 1996 Act eliminated jurisdictional defenses formerly available under the statute. The 1994 Act required a "federal interest" computer be accessed in order to convict under § 1030(a)(4). Thus, accessing a private-sector, non-financial computer for the purposes of fraud from within the same state was not covered by the Act. [FN60] This was not true of § 1030(a)(5), which protected computers used in interstate commerce or communications, but damage caused to intrastate government or financial institution computers may have been beyond the scope of the Act. The 1996 Act removed both loopholes. [FN61]
The 1996 Act also eliminated several defenses arising from ambiguities in statutory language, such as defenses based on intent, implied authorization, or value of access. Section 1030(5)(c) now clearly requires only an intent to access, not an intent to cause damage. Even under the 1986 Act, the language was judicially interpreted by the Second Circuit in United States v. Morris [FN62] as *407 requiring intent merely to access, not intent to cause damage. The Ninth Circuit also held that the lack of a mens rea requirement for causing damage was constitutional. [FN63] Thus, once a prosecutor proves intentional access, courts will reject a defense claiming that the effects of a program exceeded the programmer's intentions. The removal of the word "adversely" from § 1030(a)(3) [FN64] eliminated any possible benign access defense that might have existed under the 1994 Act. Also, the insertion of the word "nonpublic" in the same section destroyed any viable argument under the 1994 Act that the existence of a government agency World Wide Web page provides authorization to access the agency's computers. [FN65]
Under the 1996 Act, a defendant may use statutory interpretation to argue that they did not violate § 1030(a)(4), accessing a protected computer without or beyond authorization, by claiming they did not "obtain[] anything of value." Rather, the violator may claim that he/she only viewed the protected information, but did not take anything. The First Circuit interpreted the statutory language "obtain[] anything of value" to require more than simply viewing information, such as printing, recording, or using the information. [FN66]
Another defense remaining under the 1996 Act is to deny that there was an aggregate loss of more than $5,000. [FN67] Section 1030(e)(8) defines the term damage as "any impairment to the integrity or availability of data, a program, a system or information" that results in at least $5,000 aggregate losses in one year; potentially interferes or interferes with medical treatment; causes physical injury; or threatens public health or safety. [FN68] The statute fails to define how to calculate the $5,000 aggregate losses. The courts use different approaches. [FN69] In United States v. *408 Sablan, [FN70] the Ninth Circuit only considered losses resulting directly from the defendant's criminal activity. The Sablan court measured the direct losses, which amounted to over $20,000, by a "reasonable estimate" based on the "available information," and utilized a valuation based on the damaged business' normal business charges. [FN71]
c. Sentencing
The 1996 Act amended 18 U.S.C. § 1030(c), the sentencing provision governing computer fraud. Under the old sentencing scheme, repeat offenders received enhanced sentences only if they violated the same subsection of § 1030 as before. For instance, those previously sentenced for obtaining financial records from a bank's computer network were not sentenced as recidivists when they subsequently accessed classified files stored in a government computer. Section 1030(c) now defines recidivism as a subsequent violation of any of the § 1030 subsections. [FN72]
The Federal Sentencing Guidelines supplement § 1030(c)'s statutory sentencing constraints and help determine how much of the possible sentence a perpetrator should serve. [FN73] The Guidelines determine the base offense level for violations of § 1030(a)(1) [FN74] and § 1030(a)(2)-(7). [FN75] Subsection 1030(b) makes it a crime to attempt to violate Subsection 1030(a) and is likewise supplemented by the Guidelines. [FN76] Subsection 1030(a)(7), which makes extortionist threats by computer a crime, correlates to U.S.S.G. § 2B3.2, [FN77] which governs "Extortion by Force or Threat of Injury or Serious Damage." [FN78] Section 2B3.2 provides a base *409 offense level of 18. [FN79]
The Guidelines also dictate "special skills" enhancements for particular crimes. The Ninth Circuit held that a defendant's computer skills supported a two-level "special skills" enhancement permitted by U.S.S.G § 3B1.3 upon conviction for computer fraud. [FN80]
This ruling merits attention because although the defendant did not possess formal computer training, the court affirmed the upward adjustment because the defendant's crimes demonstrated a knowledge of computers not shared by the general public. [FN81]
In § 805 of the "Antiterrorism and Effective Death Penalty Act of 1996," Congress directed the U.S. Sentencing Commission ("U.S.S.C.") to assess the deterrent effect of the penalties set forth at 18 U.S.C. §§ 1030(a)(4)-(5). [FN82] Specifically, Congress directed the U.S.S.C. to amend the Guidelines so that individuals convicted of these code violations would serve a minimum prison sentence of six months. [FN83] Accordingly, the U.S.S.C. attempted to analyze relevant data and presented its preliminary findings in its June 1996 Report to the Congress. [FN84] Unfortunately, the U.S.S.C. determined that limitations of the available data prevented it from drawing firm conclusions about either the efficacy of the Guidelines at issue or methods for improving them. [FN85]
Nevertheless, the U.S.S.C. proposed amendments to the Guidelines, which were approved by Congress effective Nov. 1, 1997, to establish six-month minimum sentences for violations falling under §§ 1030(a)(4) and (5). [FN86] Moreover, the U.S.S.C. made several findings, including: (1) computer crime defendants receive downward departures from guideline ranges more frequently than do other white collar crime defendants; (2) no person sentenced under the Guidelines whose primary offense fell under § 1030(a)(4) or (5) has received an upward departure; and (3) no person sentenced under the fraud guideline for violating § 1030(a)(4) or (5) has been sentenced for a subsequent federal offense. [FN87] The U.S.S.C. did acknowledge that one method of facilitating stiffer sentences would be assigning the relevant sections of § 1030 to the Guideline provision governing trespass, rather than their current designation to fraud. [FN88] Ultimately, however, the U.S.S.C. *410 report deferred recommendations regarding further Guideline amendments until more data is available. [FN89]
2. Other Statutes
A June 1996 report by the U.S.S.C. determined that there have been only 174 convictions under 18 U.S.C. § 1030, [FN90] leading to the inference that crimes that could have been prosecuted under § 1030 are instead being prosecuted under other statutes. Computer-related crimes can be charged under at least forty different federal statutes. [FN91] The following discussion briefly describes federal statutes, other than the Computer Fraud and Abuse Act, that are commonly used to prosecute computer-related crimes. These federal statutes include the Copyright Act, the National Stolen Property Act, mail and wire fraud statutes, the Electronic Communications Privacy Act, the Telecommunications Act of 1996, and the Child Pornography Prevention Act of 1996.
a. Copyright Act
Copyright violations are particularly deleterious to computer software developers: "of the 574 new business software applications installed globally during 1997, 228 million applications--or four in every ten--were pirated." [FN92] Persons who unlawfully copy and distribute software or other material by computer may be subject to punishment for criminal copyright infringement. [FN93] The criminal copyright infringement statute has three elements: (1) infringement of a copyright, (2) done willfully and (3) for commercial advantage or private financial gain, or by reproducing or distributing, within any 180-day period, one or more copies or phonorecords of one or more copyrighted works with a total retail value of more than $1,000. [FN94] The first element may be satisfied by mere unauthorized copying of *411 computer software. [FN95] In the past, the large-scale reproduction and dissemination of a work usually involved tremendous resources and probably would not have been done without the promise of some commercial or financial benefit. However, it is now possible to upload copyrighted software to Internet or modem accessible computers, making it available to the world with the click of a mouse. Prior to December 1997, the third element had required commercial advantage or private financial gain, which was frequently absent or hard to prove. The December 1997 amendments to the criminal copyright statute now allow either proof of the foregoing, or merely that the defendant reproduced or distributed copyrighted works of a certain market value, without regard to whether the defendant obtained financial gain. [FN96]
Defenses under the criminal copyright infringement statute include the "first sale" doctrine [FN97] and lack of intent to infringe. Under the first sale doctrine, if someone legally purchases a copy of a copyrighted work he may freely distribute that particular copy. [FN98] This defense does not apply to computer software copyright *412 infringement if the software is distributed by licensing agreement. [FN99] Courts are split on whether "willful" mens rea refers to an intent to copy or an intent to infringe. [FN100]
Section 2319 of Title 18 sets forth the punishment for criminal copyright infringement. Section 2319(b) provides variable prison terms and fines for copyright infringements through the reproduction or distribution of one or more copies or phonorecords with a total retail value of more than $1,000: (1) first-time offenders who reproduce or distribute more than ten copies or phonorecords of one or more copyrighted works that have a total retail value of $2,500 or more, within a 180-day period, face up to three years in prison; (2) subsequent offenders face up to six years imprisonment; and (3) those who reproduce or distribute one or more copies or phonorecords of one or more copyrighted works that have a total retail value of $1,000 or more face up to one year's imprisonment. [FN101]
Defendants convicted of criminal copyright infringement are sentenced under U.S.S.G. § 2B5.3. [FN102] The base offense level is six. [FN103] If the retail value of the infringing items exceeds $2,000, then the offense level is increased by the corresponding number of levels from the table in § 2F1.1. [FN104]
b. National Stolen Property Act
The National Stolen Property Act ("NSPA") [FN105] prohibits the transportation in interstate commerce of "any goods, wares, securities or money" valued at $5,000 or more and known to be stolen or fraudulently obtained. [FN106] This statute has been *413 applied to various computer-related crimes, including fraudulent computerized transfers of funds. [FN107] Courts have held that computer software does not constitute "goods" or "wares" under the NSPA if the software was solely in an intangible form. [FN108] However, courts have distinguished theft of software alone from theft of tangible hardware, determining that the latter constitutes "goods" and "wares" and is protected by the NSPA. [FN109]
Punishment for a violation of the NSPA may include fines, imprisonment of not more than ten years, or both. [FN110] Specific sentences are calculated under § 2B1.1 of the Federal Sentencing Guidelines. [FN111] The base offense level of four is based upon a total loss to the victim of $100. [FN112] The Guidelines raise the offense level as the financial loss to the victim increases, up to a maximum increase of twenty offense levels for a loss exceeding $80,000,000. [FN113] If the offense involves more than minimal planning, the offense level is increased by two levels. [FN114] Additionally, if the defendant is in the business of receiving and selling stolen property, the offense level is increased by four levels. [FN115]
c. Mail and Wire Fraud Statutes
The federal mail and wire fraud statutes [FN116] prohibit using interstate wire communications or the mails to further a fraudulent scheme to obtain money or property. [FN117] One commentator suggests that these statutes would seem to apply to "any computer-aided theft involving the use of interstate wire, the mails or a federally insured bank." [FN118] Several cases have held that the federal mail and wire fraud statutes apply to computer crimes. [FN119] Furthermore, any attempt to obtain an *414 unauthorized copy of a computer program in an intangible form may be covered by the mail and wire fraud statutes. [FN120] However, district courts have taken divergent positions on the issue of whether the wire fraud statute reaches copyrighted material. [FN121]
Violations of the mail and wire fraud statutes are punishable by fines, imprisonment of up to five years, or both. [FN122] If the violation affects a financial institution, the punishment is a fine of not more than $1,000,000, imprisonment of not more than thirty years, or both. [FN123]
Defendants convicted of mail and wire fraud are subject to sentencing provisions under § 2C1.7, for deprivation of intangible right to the honest services of government officials, or § 2F1.1, for all other defendants, of the Federal Sentencing Guidelines. [FN124] For § 2C1.1, the base offense level is ten, and is increased according to the § 2F1.1 table if the loss to the government or the value gained by a public official exceeds $2,000. [FN125] If the offense involves an elected official or one holding a decision-making or sensitive position, the offense level increases by eight. [FN126] For § 2F1.1, the base offense level is six, and is increased according to the table in that provision if the gain or loss exceeds $2,000. [FN127]
d. Electronic Communications Privacy Act
To account for advances in computer technology, the Electronic Communications *415 Privacy Act of 1986 [FN128] ("ECPA") updated existing federal prohibitions against intercepting wire and electronic communications. [FN129] The ECPA also criminalizes obtaining, altering, or preventing authorized access to electronic storage. [FN130] It is not always obvious which ECPA provisions cover communications, such as electronic mail, that are both transmitted and stored. [FN131]
The ECPA can be used in response to computer hacking, which has increased dramatically in recent years. [FN132] The ECPA addresses hacking by fortifying the privacy of computer users [FN133] and enabling law enforcement to employ electronic surveillance in the course of investigating computer crimes. [FN134] Nevertheless, prosecutors have generally relied on the older, better developed Computer Fraud and Abuse Act [FN135] instead of using the ECPA against hackers for such actions. Prosecutors have invoked the ECPA, however, against persons who pirated electronically encrypted, satellite-transmitted television broadcasts. [FN136] Devices used to intercept cable television signals likewise fall within the ECPA's purview. *416 [FN137]
Violations of the Electronic Communications Privacy Act are punished under 18 U.S.C. §§ 2511 and 2703. A violation of § 2511(1) can result in a fine, imprisonment for not more than five years, or both. [FN138] For first-time offenders under § 2511(4)(a), when the statute is violated for purposes other than for financial gain and the illegally received communication is not scrambled or part of a cellular telephone communication, punishment is limited to imprisonment of not more than one year, and a fine. [FN139] Additionally, the ECPA's provisions for money damages can address governmental as well as private transgressions. [FN140]
If a violation of § 2701(a) is for financial gain, a first-time offender shall be fined under Title 18, imprisoned for not more than one year, or both. [FN141] A repeat offender shall be fined under Title 18, imprisoned for not more than two years, or both. [FN142] Other violations of § 2701(a) could result in fines under Title 18, a maximum prison sentence of six months, or both. [FN143]
e. Telecommunications Act of 1996
The Communications Decency Act of 1996 ("CDA"), or Title V of the *417 Telecommunications Act of 1996, [FN144] has recently been the subject of a constitutional challenge. In Reno v. American Civil Liberties Union, [FN145] the Supreme Court held that certain provisions of the CDA violated the First Amendment's protection of free speech. First, the Court partially invalidated the CDA provision codified at 47 U.S.C. § 223(a), which prohibited the transmission of "indecent" telecommunications to minors. [FN146] The Court severed the indecency restriction from the statute because such a ban against undefined indecency would unduly chill the speech of Internet users. [FN147] However, the rest of this statute continues to criminalize the transmission of obscene materials to minors, since obscene speech may be banned completely. [FN148]
Reno also invalidated § 223(d), which had criminalized interstate and foreign telecommunications displayed to minors that were "patently offensive as measured by contemporary community standards" and depicted or described "sexual or excretory activities or organs." [FN149] The Court distinguished § 223(d) from similar, constitutionally permissible enactments since § 223(d) did not require the patently offensive material lack serious literary, artistic, political, or scientific value. [FN150] Furthermore, the Reno majority distinguished the Internet from other, more regulated media containing potentially indecent expression by noting that web surfers usually seek out the materials they encounter. [FN151] The global nature of the Internet also renders it difficult, if not impossible, for users to predict when their potentially offensive communications will reach a minor. [FN152] Consequently, Reno requires courts to apply unqualified First Amendment scrutiny to speech restrictions affecting the Internet. [FN153]
Violations of the remaining portions of the Telecommunications Act constitute a base offense level of ten. [FN154] A first offense will result in a fine or imprisonment of no more than five years, or both. [FN155] Later offenses are subject to a fine or imprisonment of no more than ten years, or both. [FN156] The base level of the offense can be *418 adjusted no less than five levels if the offense related to distribution of material for pecuniary gain. [FN157] If the material involved in the offense is sadistic, masochistic, or otherwise violent in nature, the offense level will increase by five. [FN158]
f. Child Pornography Prevention Act of 1996
In 1996 Congress passed the Child Pornography Prevention Act [FN159] ("CPPA") to prevent the production and distribution of computer-generated, sexual images of children. [FN160] The CPPA criminalizes the production, distribution, and reception of images that are electronically or mechanically created or altered to render sexual depictions of minors. [FN161] Thus, the CPPA prohibits computer transmission of erotic photographs of adults doctored to resemble children. [FN162] The constitutionality of the CPPA is an open question and currently in dispute in the district courts. [FN163]
First-time offenders may be fined, sentenced to a maximum of fifteen years in prison, or both. [FN164] However, violators with a criminal record involving sexual abuse or child pornography shall be fined under Title 18 and sentenced to not more than thirty years and not less than five years. [FN165] Those charged with possession of three or more images of transmitted child pornography, as well as those possessing child pornography while on federally controlled lands and territories (including Indian reservations), shall be fined under Title 18, imprisoned for a maximum of five years, or both, [FN166] with imprisonment of not less than two nor more than ten years for those with criminal records for sexual crimes. [FN167]
*419 B. Enforcement Strategies
Although federal computer crime laws were drafted to aid prosecutors, there have been relatively few indictments under these laws. The unamended version of the 1984 Computer Abuse Act resulted in only one prosecution. [FN168] Between January 1989 and April 1993, there were only seventy-six convictions under 18 U.S.C. § 1030. [FN169] A study of fifty such cases revealed that more than half were convictions for general fraud under § 1030(a)(4). [FN170] The number of such prosecutions had reached 174 as of June 1996. [FN171] Courts have, however, recently expanded the interpretation of computer crimes laws to cover crimes not previously thought to violate these provisions. [FN172]
The reason for the apparent scarcity of prosecutions under the 1984 and 1986 Acts is unclear, but several possible causes warrant consideration. First, the reported numbers themselves may be in question. Statistics on computer crimes and their prosecution have not been centralized. [FN173] DOJ has neither consistently tallied prosecutions brought under computer crime statutes nor disaggregated total numbers of computer crime by the statutes under which such prosecutions were brought. Hence, statements about the efficacy of any one statute might underestimate the actual effect of the enforcement efforts. [FN174]
Second, the potentially ambiguous restriction of the Computer Fraud and Abuse Act to actions affecting "federal interest computers" [FN175] might also have influenced the low number of prosecutions. [FN176] To clarify the Act's jurisdictional requirements, Congress recently changed "federal interest computers" to "protected computers," *420 [FN177] and redefined such computers to include any "used in interstate or foreign commerce or communication." [FN178]
Third, owners of statutorily protected computers often prefer to handle security problems themselves, avoiding the embarrassment of publicity focused on the vulnerability of their computers. [FN179] Some companies have forged partnerships with the FBI to counter the appearance of risk that their networks might be hacked. [FN180]
Fourth, computer crimes potentially falling under federal statutes are sometimes prosecuted under state laws. [FN181] Moreover, some laws designed to target conventional illegality are difficult to apply to the full array of today's computer technology. [FN182] Finally, law enforcement agents who lack specialized training and experience with rapidly advancing technology might find it difficult to undertake investigations of complex computer crimes. [FN183]
While the volume of computer-crime prosecution has been low, federal authorities are taking steps to raise the profile of prosecution. The FBI's "Innocent Images" probe, begun in 1995, has allowed agents to undertake investigations of transmitted child pornography, posing as both children and sexual predators in on-line environments. [FN184] As of March 10, 1998, this probe had generated 328 search warrants, 161 arrests, and 184 convictions. [FN185] The FBI has assembled computer crime teams at each of its 56 field offices. [FN186] The FBI has also organized a National Computer Crime Squad ("NCCS") based in its Washington Field *421 Office. [FN187] The NCCS is designed to be an investigative body as well as a national resource on computer crime issues. [FN188]
In addition, federal prosecutors are securing indictments for computer crimes using a broad reading of wire fraud and criminal copyright infringement laws, [FN189] and even murder-for-hire statutes. [FN190] Enforcement has also grown through the proliferation of computer bulletin boards and other on-line services that implicate laws addressing the distribution of computerized pornographic materials [FN191] and sexual assault on minors. [FN192]
The Department of Justice's efforts to combat computer crime are centralized in its Computer Crime and Intellectual Property Section ("CCIPS"). [FN193] The CCIPS *422 has responsibility for prosecuting computer crimes, lobbying for strengthened penalties, and pushing for expanded coverage of the federal computer crime statutes. [FN194] The efforts of CCIPS include Operation Counter Copy, [FN195] a joint operation with the FBI, and support and enforcement of the No Electronic Theft Act ("NET"). [FN196]
A new manifestation of enforcement efforts is the National Infrastructure Protection Center ("NIPC"). [FN197] The NIPC is a joint effort of the Justice Department, the FBI, the Defense Department, and members of the business sector to assess and investigate threats to the information infrastructure. [FN198] The NIPC was created by Presidential directive in February 1998, and is expected to contribute to the enforcement of existing laws preventing illegal intrusion in critical information systems. [FN199]
C. Ancillary Issues
1. Searches of Computer Records
In 1994, DOJ issued unofficial guidelines to help federal agents and attorneys confront novel Fourth Amendment [FN200] issues arising from computer crimes. [FN201] The "Federal Guidelines for Searching and Seizing Computers" categorize searches and seizures by types of evidence (hardware, software, printouts, etc.), statutes, and parties implicated. [FN202] The Guidelines alert readers to problems associated with *423 the permutations of these factors and present procedures judged likely to prevent the ultimate exclusion of computer evidence. [FN203]
In United States v. Sawyer, [FN204] a search warrant listing general categories of business records, including "computer records or printouts relating to customer accounts, which are evidence and fruits of, and the means of commission of violations of [certain U.S. statutes]," withstood Fourth Amendment scrutiny. [FN205] The Eleventh Circuit stated that the Fourth Amendment's particularity requirement must be applied flexibly, and in cases involving a "pervasive scheme to defraud, all the business records of the enterprise may properly be seized." [FN206] The seizure of computer disks is allowed even when the warrant refers only to records and documents. [FN207] Similarly, police with a warrant may seize a computer even though doing so might detain innocent contents on the computer. [FN208] Police may also search computer hardware and software so long as they have reason to believe that these items contain records covered by the warrant. [FN209] When police conduct such a search, they may seize and examine a disk, even if its label indicates that it does not contain information within the scope of the warrant. [FN210] The police may remove the hardware and software from the owner's premises to conduct their examination. [FN211] They may not, however, seize peripheral items, such as printers, to assist them in their review of the seized items. [FN212]
*424 The durability of data and graphics stored on computer hardware implicates the Fourth Amendment staleness doctrine. Information supporting a warrant application becomes "stale" with the passage of time and the concomitant diminished probability that the evidence sought will be found at the location named in the warrant. [FN213] In United States v. Lamb, the district court concluded that the five-and-one-half-month time lag between the last suspected modem transmission of child pornography and the issuing of the warrant did not invalidate the warrant as stale. [FN214] The court reasoned that the warrant remained valid because pornography stored on computer hardware and software was likely to be preserved intact over extended periods. [FN215]
Another source of protection for computer records is the Privacy Protection Act of 1980. Congress recently amended the Privacy Protection Act to ensure that it does not protect persons disseminating child pornography. [FN216] The old statute required police to obtain a subpoena prior to searching or seizing work product or other materials reasonably believed to pertain to public communications. [FN217] Although the old statute arguably excepted the dissemination of child pornography from its purview, [FN218] the revised statute precludes such an exception. [FN219] Section 2000aa now permits officers to search and seize computer equipment and files intended for public dissemination upon probable cause that the offense under investigation "involves the production, possession, receipt, mailing, sale, distribution, shipment, or transportation of child pornography." [FN220]
2. First Amendment Issues
The Supreme Court's 1997 Reno v. American Civil Liberties Union decision conferred an unqualified level of First Amendment protection upon Internet communications. [FN221] It remains to be seen whether Congress will again attempt to regulate computer transmissions containing potentially indecent or offensive material. Under Reno, however, legislation will not withstand scrutiny if it requires web surfers or Internet content providers to estimate the age of those with whom they communicate, or tag their communications as potentially indecent or offensive, *425 prior to engaging in "cyberspeech." [FN222]
III. STATE APPROACHES
A. Overview of State Criminal Codes
In 1978, state legislatures began enacting computer crime statutes, beginning with Arizona [FN223] and Florida. [FN224] Since then, every state has enacted some form of computer-specific legislation [FN225] except Vermont. [FN226] Approximately half of the states modeled their statutes primarily on the 1977 or 1979 versions of the proposed "Federal Computer Systems Protection Act," [FN227] while the remainder enacted comprehensive computer-assisted crime statutes less closely related to the proposed federal legislation. [FN228] The precise definitions and penalties in these specialized provisions offer significant advantages over general criminal codes by explicitly addressing the unique issues posed by computer crimes, thereby promoting *426 computer security, enhancing deterrence, and facilitating prosecution. [FN229] Recent reforms in state computer crime statutes have included provisions expanding forfeiture of computer equipment used in crimes, with several states enacting provisions allowing state authorities to seize property involved in computer crimes. [FN230] While federal law does not yet define any crime specifically relating to the transmission of electronic mail, [FN231] some states have begun to respond to the growing concerns of on-line harassment by criminalizing on-line threats through including electronic communications under "unconsented contact" in antistalking statutes, [FN232] and incorporating computers and electronic communications devices into general telephone harassment statutes. [FN233] These statutes, however, may face significant constitutional challenges on First Amendment grounds. [FN234]
Other states have recognized that apprehending and prosecuting computer criminals may be much more difficult than preventing computer crimes. For instance, Nebraska's computer crime statute permits potential victims to implement their own security measures. [FN235] Several states, including Arkansas, Georgia, *427 Oklahoma, and Rhode Island, have statutes providing a civil cause of action for compensatory damages, [FN236] thereby encouraging victims of computer crimes to come forward.
One description divides computer crimes into three general categories: "crimes where a computer is the target, crimes where a computer is a tool of the crime, and crimes where a computer is incidental." [FN237] Where a computer is the target, the criminal's goal is to steal information from, [FN238] or cause damage to, a computer. Where a computer is a tool, it is used to commit a traditional crime, such as fraud, money laundering, or harassment. [FN239] Where a computer is incidental to the offense, it is used in some way connected to the criminal activity. [FN240] For example, evidentiary information such as financial records may be stored on a drug dealer's computer. [FN241]
One commentator has delineated the following ten areas addressed by state computer crime statutes. [FN242]
1. Expansion of the traditional concept of property. These statutes attack computer-related crimes by expanding the traditional notion of "property" to include electronic and computer technologies. [FN243]
2. Destruction. Many states criminalize acts which "alter, damage, delete or destroy computer programs or files." [FN244]
3. Aiding and abetting. Some statutes prohibit use of a computer to facilitate the commission of a crime such as embezzlement or fraud. [FN245]
*428 4. Crimes against intellectual property. This type of statute defines new offenses in terms that are analogous to trespassing (unauthorized computer access), vandalism (maliciously altering or deleting data), and theft (copying programs or data). No actual damage is required to prosecute under such a statute. [FN246]
5. Knowing, unauthorized use. These statutes prohibit the act of "accessing" or "using" computer systems beyond the consent of the owner. [FN247]
6. Unauthorized copying. This unusual approach appears to be a close cousin of federal criminal copyright infringement. [FN248] Few states have defined copying programs and data as a distinct state offense, [FN249] presumably because Congress has exclusive authority to enact copyright legislation. [FN250]
7. Prevention of authorized use. This approach, taken by approximately one-fourth of the states, outlaws any activity which impairs the ability of authorized users to obtain the full utility of their computer systems. For example, unauthorized execution of programs that slow down the computer's ability to process *429 information falls under such statutes. [FN251]
8. Unlawful insertion or contamination. These statutes criminalize the highly-publicized "viruses," "worms," and "logic bombs" [FN252] that may be planted in computers or transmitted over telephone lines or through floppy disks. Unlawful insertion provisions do not require actual "access" to computers by the offenders, because the offending programs may be communicated indirectly over networks or on floppy disks by offenders who never use the affected computer. [FN253]
9. Computer voyeurism. Computers contain a wide range of confidential personal information. To protect the public's right to privacy in this information, several states have enacted laws criminalizing unauthorized access to a computer system, even if only to examine its contents without making any changes or extracting any data. [FN254]
10. "Taking possession." These provisions prohibit the act of assuming control over a computer system and its contents without authorization. [FN255]
Virginia's experience with computer crimes legislation is representative of the multitude of issues that computer crimes embody. The Virginia General Assembly first dealt with computer crimes in a 1978 Act that defined computer time and services as property which may be the subject of larceny, embezzlement or false pretenses. [FN256] Virginia passed this Act in response to a state supreme court decision that held that the unauthorized use of computer time and services did not form the basis of a conviction for larceny, because computer time and services were not "goods or chattels" as defined in the Virginia Code. [FN257] In 1983, the Virginia *430 legislature revisited the topic of computer crimes in order to expand the coverage of the 1978 Act. [FN258] This led to new legislation, the Virginia Computer Crimes Act, a comprehensive statute (with fourteen sections), which defined computer crimes as new crimes rather than expanding definitions of crime currently found in the Virginia Code. [FN259] The Act identifies five new computer crimes: computer fraud, computer trespass, computer invasion of privacy, theft of computer services, and personal trespass by computer. [FN260] Other sections are procedural, covering limitations of the Act, venue, and non-exclusivity. [FN261] The Act also provides civil relief [FN262] and addresses the use of a computer as an instrument of forgery. [FN263]
B. Conflict Between State and Federal Laws
The growth of state computer crime legislation has created conflicts between federal and state authorities prosecuting computer criminals. States have criminalized a broad range of conduct, including: unauthorized access, computer fraud, and theft or misuse of computer programs and user time on shared networks. [FN264] Those state statutes dealing with theft or misuse of copyrightable material, such as computer programs, raise an immediate federalism issue, because copyright law remains the exclusive domain of the federal government. [FN265]
The Federal Copyright Act expressly preempts state laws that govern "legal or equitable rights that are equivalent to any of the exclusive rights ... in works ... within the subject matter of copyright as specified by [the Act]." [FN266] Therefore, whether a state law claim is preempted by the Federal Copyright Act requires a two-part test: (1) whether the work is within the subject matter of copyright, and (2) whether the state law contains an "extra element" which "change[s] the state law so that it is 'qualitatively different'" from the Federal Copyright Act. [FN267]
Only three reported cases have dealt with federal preemption of state criminal copyright statutes. One of those cases found that the materials that the defendant *431 misused were not within the subject matter of copyright [FN268] and two cases found the state statute to be preempted because of the lack of an "extra element." [FN269]
In Rosciszewski v. Arete Associates, [FN270] the Fourth Circuit ruled that the section of Virginia's Computer Crimes Act [FN271] covering the reproduction of copyrighted computer programs was preempted by the Federal Copyright Act; [FN272] thus, only the federal government could prosecute the illegal copying of computer software. In ruling for federal preemption of the Virginia Act, the court held that the state law's mens rea requirement "does not add an element qualitatively changing the state claim from one of unauthorized copying." [FN273]
Various cases have upheld state civil claims arising under state statutes dealing with misuse of copyrighted material; [FN274] however, the only two reported cases dealing with criminal prosecution under state copyright statutes have held the state statutes, on which the criminal charges were based, to be preempted by federal copyright laws. [FN275] Perhaps other courts will rule differently on state statutes criminalizing misuse of copyrighted material, but, for now, it appears that criminal charges dealing with copyrighted material must be brought under the federal copyright laws. [FN276]
C. Prosecution of Computer-Related Crimes
No longer are computer crimes only the work of pranksters. They are often committed by malicious intruders motivated by greed or pecuniary gain. [FN277] *432 Computer crime costs United States businesses billions of dollars each year. The greatest losses come from software piracy, representing an estimated $2.7 billion annual loss in the United States alone. [FN278] Other industries are suffering large losses as well. The Permanent Subcommittee on Investigations of the U.S. Senate Committee on Governmental Affairs estimated that banking, insurance, and securities firms collectively lost more than $800 million in 1996. [FN279] The 1994 on-line bank robbery of $10 million from Citibank is one example of such a loss. [FN280] A recent Computer Security Institute (CSI) and Federal Bureau of Investigation (FBI) survey of corporations and government agencies revealed that for the 241 respondents who reported financial losses due to computer crimes, the total dollar amount came to $137 million. [FN281]
Coupling these huge financial losses with the comprehensive computer crimes laws enacted in most states, [FN282] one would expect to find large numbers of computer crime prosecutions and reported decisions at the state level. There are, however, few reported decisions. [FN283] The major reason for this is found in the CSI/FBI survey that reveals that only 17% of the organizations that suffered financial losses from computer crimes reported the crime to law enforcement officials. [FN284] Other reasons for this dearth of prosecutorial activity at the state level include: jurisdictional concerns related to venue; lack of interest or ability of police; [FN285] underreporting by *433 victims; [FN286] and evidentiary difficulties. [FN287] Alternatively, it is posited that there actually is not a dearth of activity, because computer crimes are being prosecuted under other broader, traditional criminal laws, [FN288] which cover, but are not limited to, computer crimes.
Despite the extremely limited body of direct precedent, several courts have recently handed down decisions applying and interpreting the computer crime statutes of their respective states. [FN289] These decisions reflect the mixture of judicial and policy concerns judges face in tackling the unique technical, definitional, and evidentiary problems posed by computer crimes. These problems may lead courts to place greater emphasis on the net results of a defendant's actions when determining the scope of impermissible access to computer programs and data under computer crime statutes. [FN290]
*434 D. State Personal Jurisdiction and Venue Issues
The first two cases to mount in personam jurisdictional challenges to charges of Internet computer crimes were recently decided. Both New York [FN291] and Minnesota [FN292] sustained personal jurisdiction in Internet computer crimes cases based on a traditional analysis of in personam jurisdiction.
While only two decisions have been reported in criminal cases, courts have also decided a number of civil cases, both sustaining personal jurisdiction and dismissing the case for a lack thereof. [FN293] Several guidelines for use in analyzing challenges to personal jurisdiction materialize from an analysis of the civil and criminal cases:
1. Traditional jurisdictional rules apply...
Among the types of cases likely to be relied upon are those involving:
a. telephone calls and mail sent to the forum (e-mail);
b. the physical distribution of goods within the forum (electronic distribution of goods);
c. national print or broadcast advertisements, and 1-800 telephone numbers (Web pages); and
d. contracts executed in the forum or entered into with residents ("point and click" contracts).
2. General jurisdiction is extremely unlikely based on Internet presence alone...
3. Provision of goods and services or transaction of business through the Internet may lead to specific jurisdiction...
4. The fact of access, not the potential for access, is the key...
5. The more non-Internet contacts, the more jurisdiction is likely [FN294]
Venue provisions encompassing computer-related crimes are included in the laws of several states. [FN295] Some states consider the location of the crime to be where *435 any act performed in furtherance of the offense occurred, [FN296] where the victim's residence or principal place of business is located, [FN297] where an unlawfully accessed computer system is located, [FN298] and/or where any violator has control or possession of any proceeds from said violation. [FN299] Because modems allow a person to access a computer from anywhere, such an offender could conceivably face prosecution in more than one jurisdiction for the same conduct. [FN300] Several venue provisions are particularly broad. [FN301]
IV. INTERNATIONAL APPROACHES
Computer crime is a global problem. Purely domestic solutions are inadequate because cyberspace has no geographic or political boundaries. [FN302] Many computer systems can be easily and surreptitiously accessed through the global telecommunications network from anywhere in the world. [FN303] International financial institutions are common targets for computer fraud and embezzlement schemes. [FN304] The development of sophisticated computer technology has also enabled organized crime groups to bypass government detection and enter the international realm of drug trafficking and money laundering. [FN305] In addition, the specter of computer terrorism [FN306] calls for an international strategy to preserve *436 global security. [FN307]
All nations continue to struggle with defining computer crime and developing computer crime legislation that is applicable to both domestic and international audiences. [FN308] This section discusses the issues that have recently garnered the most attention: (1) Internet related regulation; (2) areas of convergence and cooperation among nations, international organizations and private corporations; and (3) the debate over encryption policy.
While "computer crime" remains loosely defined, most industrialized countries have amended their legislation to address four needs created by computer crimes: (1) protection of privacy; (2) prosecution of economic crimes; (3) protection of intellectual property; and (4) procedural provisions to aid in the prosecution of computer crimes. [FN309] Worldwide, national governments are adopting computer-specific criminal codes that address unauthorized access and manipulation of data, similar to the Computer Fraud and Abuse Act of 1996 in the United States. [FN310] Criminalization of copyright infringement is also gaining momentum around the world. [FN311]
*437 A. Internet-Related Regulation
In addition to the criminalization of new computer offenses, many nations are facing the problem of the "computerization" of traditional offenses. Specifically, the Internet has spawned legislation as nations attempt to control the exchange of information over the Internet. As one commentator has explained:
The legislation of the various countries share a common goal of preventing undesirable materials from reaching curious eyes. The United States has sought to protect children from indecent and obscene materials on the Internet; the European Union and Germany have sought to eliminate racism and hatred; and France has censored a purloined book. Simultaneously, governments of countries with less-developed telecommunications networks, such as those in Eastern Europe and Asia, have actively promoted limited growth of the Internet. Asian countries have sought to control the information disseminated on the Internet so as to align the Internet with the norms of the countries' respective cultures. [FN312]
Countries that restrict their political discourse are facing the problem that the Internet provides a source of "illegal" information which is difficult to regulate. [FN313] Moreover, what constitutes "acceptable" speech in the various countries on the *438 "information super-highway" differs greatly. In Germany, for example, the dissemination of Nazi propaganda denying the Holocaust is illegal. [FN314] Such material, however, is easily accessible via the World Wide Web. [FN315] While Germany has chosen to target Internet service providers in its efforts to curb this problem, [FN316] other nations may instead begin targeting the individuals who create "objectionable" home-pages. [FN317]
B. International Convergence and Cooperation
While a number of differences remain, [FN318] there are significant areas of convergence in nations' legislation. [FN319] By defining specific, new offenses and penalties, these codes avoid analytical difficulties that arise when general criminal laws are applied to computer crimes. But even when computer-specific criminal statutes are in place, prosecution in several industrialized countries could continue to be *439 hindered until their rules of evidence are adapted to computer crimes. [FN320]
Ultimately, the global interconnection of vulnerable computer systems may require a uniform transnational legal framework for addressing multinational computer-related crimes. One possible solution is to adopt an international convention or treaty standardizing domestic statutes and facilitating cooperative enforcement efforts. [FN321] A proposed approach that would enable such an international convention to achieve effective reduction in international computer-related crimes would be adoption of specific goals such as: (1) consistent extradition of criminals; (2) cooperation in the retention of witnesses and evidence; (3) recognition and enforcement of criminal judgments issued by a particular nation's court; and (4) a combined effort between each nation's law enforcement and prosecutorial organizations. [FN322]
In addition to increased multinational governmental cooperation, international organizations and private corporations are also working to combat international computer crimes. International organizations have contributed to the drive to harmonize national legislation. [FN323] In 1992, the Business Software Alliance, [FN324] a *440 software industry trade group, launched an international copyright enforcement program involving national software trade associations and law enforcement agencies that began by focusing on distribution of counterfeit software. [FN325] This program's efforts are beginning to bear fruit, as the group's most recent statistics show that software piracy is slowly declining as a percentage of copyrighted products illegally copied. In 1995, the group estimated that 46% of new software products had been copied illegally; [FN326] the percentage of piracy dropped to 43% in 1996, and to 40% in 1997. [FN327] Nevertheless, software manufacturers lost $11.4 billion in potential sales in 1997 alone. [FN328]
C. Encryption Regulation
Infiltration of international computer networks has also prompted greater private-sector initiatives. [FN329] A fervent debate over the use of cryptography [FN330] has surfaced as nations decide how to regulate encryption, which is the use of cryptography to ensure confidentiality. Virtually unbreakable encryption programs are widely available, [FN331] fueling the debate between citizens and businesses on one side and legislators and law enforcement officials on the other. Citizens are concerned with the privacy of their communications, both personal, such as *441 medical records, and professional, such as attorney-client communications. Businesses want to protect commercial transactions and increase the use of the Internet for commercial purposes. Law enforcement officials argue that encryption will also protect criminals, further frustrating their crime prevention efforts. Federal Bureau of Investigation Director Louis Freeh has adamantly argued that secure private communications will further facilitate drug dealing, terrorism, espionage, and global disorder. [FN332] Thus, the debate is essentially over whose needs should prevail: the needs of the individual, or state security. [FN333]
Currently, there is no international consensus on the regulation of encryption. The United States government favors the law enforcement position. Accordingly, U.S. computer companies have been restricted from exporting strong security encryption programs [FN334] because they are considered an effective way for terrorists and organized crime groups to communicate without fear of government intervention. [FN335] On November 15, 1996, however, the President issued Executive Order 13,026, which permits U.S. companies to export stronger encryption systems. [FN336] Controversially, this Executive Order included the condition that the computer industry develop a key escrow system in the next two years. [FN337] Key escrow systems have been under continuous attack from both the general public and *442 Congress. [FN338] The Commerce Department recently loosened its regulation of encryption systems, provided that the systems include a key escrow system. [FN339] The 105th Congress had several bills before it dealing with encryption regulation; [FN340] however, no legislation was passed to deal with the issue during the last term. [FN341]
Despite pressure from the United States, most nations have not accepted the regulation of encryption through the establishment of a key escrow system. [FN342] *443 Unless the United States can convince other nations to adopt encryption regulation with key escrow, the United States regulations will not work effectively. [FN343] Encryption restrictions must be internationally coordinated. Otherwise, a user could obtain unregulated encryption software from another country, which is easily accomplished by downloading the material from the Internet. As one scholar has observed, "multilateral consensus having so far failed, foreign availability may prove the final arbiter." [FN344] Without international cooperation, the United States key system would be essentially unenforceable.
V. RECENT DEVELOPMENTS
Despite efforts by both Congress and various state legislatures to address the many questions posed by evolving technology, a number of issues with uncertain legal implications have emerged. The development of the law in this area lags behind the development of technology. Just as law enforcement was initially hampered by the difficulty of trying to shoehorn computer crimes into traditional criminal offenses, [FN345] the development of the Internet as a tool of commerce has called into question traditional notions of state sovereignty in law-making. Issues must be viewed through the prism of cyberspace, where there are no geographical boundaries. This invites jurisdictional problems when a crime is committed by citizens of one state against a citizen of a different state or by a foreigner against a citizen of the United States.
Four issues attracting much attention in the computer crimes arena are: (1) jurisdiction over commerce on the Internet; [FN346] (2) efforts to increase enforcement of computer crimes laws; [FN347] (3) the Child Online Protection Act; and (4) the encryption debate.
The debate over jurisdiction on the Internet extends from international commerce to personal jurisdiction in state courts. The debate over an international approach to Internet commerce regulation is just beginning. [FN348] Likewise, court cases analyzing personal jurisdiction over the Internet are appearing and are at odds with each other. [FN349] A universal jurisdictional standard has yet to be developed *444 by the courts. [FN350]
After the Supreme Court struck down the Communications Decency Act (CDA), [FN351] Congress passed the Child Online Protection Act (COPA) on October 21, 1998. [FN352] COPA attempts to criminalize Internet transmission to minors of material that is "harmful to minors." [FN353] The ACLU filed suit to stop enforcement of the COPA less than 24 hours after it was signed into law. [FN354] At that time, the federal district court imposed an injunction stopping application of the Act pending trial. [FN355] In February of 1999, the court renewed the preliminary injunction. [FN356]
The encryption debate is one arena where nations are finding they cannot act alone. [FN357] Nonetheless, the United States may be doing just that. Current U.S. law greatly restricts exports of encryption and includes the much disliked key escrow system. [FN358] Opponents argue that if this policy continues, the reality of cyberspace dictates that wide availability of foreign encryption materials will be detrimental to United States manufacturers. Thus, criminals would still escape detection, the government would have access to the private records of law-abiding individuals, and the American software industry would be shut out from the encryption marketplace, both domestic and abroad. The Commerce Department is currently loosening regulation of encryption systems and perhaps the 106th Congress will pass legislation addressing the issue. [FN359]
[FN1]. The Supreme Court has characterized the Internet as "an international network of interconnected computers" possessing "content ... as diverse as human thought." Reno v. American Civil Liberties Union, 521 U.S. 844, 117 S. Ct. 2329, 2334-35 (1997). The World Wide Web ("WWW"), the most popular form of Internet communication, is "comparable, from the readers' viewpoint, to both a vast library including millions of readily available and indexed publications, and a sprawling mall offering goods and services." Id. at 2335. "The Internet is currently believed to connect more than 159 countries and 109 million users," American Civil Liberties Union v. Johnson, 4 F. Supp. 2d 1029, 1031 (1998) (D.N.M.), and is expected to have 200 million users by 1999. Reno, 117 S. Ct. at 2334. An alternative forecast, based on figures collected by the Computer Emergency Response Team, a federally-funded Internet security group headquartered at Carnegie-Mellon University, puts the number of Internet users at between 200 million and 2 billion by the year 2000. John D. Howard, An Analysis of Security Incidents on the Internet, (visited Jan. 29, 1999) <http://www.cert.org/research/JHThesis/start.html>. The number of Internet host computers, "those that store information and relay communications," grew from 80,000 in January 1988 to 12,880,699 in July 1996 and is expected to reach 200 million by January 2001. Reno, 117 S. Ct. at 2334. Domain names, which identify specific servers, have grown from 2,600 to 488,000 in the same time frame, and the number of World Wide Web sites increased from 50 in January 1993 to 230,000 in July 1996. Id.
[FN2]. Stephen P. Heymann, 34 HARV. J. ON LEGIS. 373, 373-91 (1997) (analyzing technological advances that require new criminal legislation).
[FN3]. See, e.g., United States v. Thomas, 74 F.3d 701 (6th Cir. 1996) (discussing distribution of pornography); Beth Berselli, Gamblers Play the Odds Online, WASH. POST, Aug. 19, 1997, at A1 (noting proliferation of Internet gambling casinos); Tom Kenworthy, Tiny Tribe Clicks on Gray Area Looking for Green in Web-Based National Lottery, WASH. POST, Feb. 10, 1998, at A5 (describing Indian tribe's Internet lottery); see also infra Part II.A.2.f. (distribution of pornography); infra Part II.A.2.a. (discussing copyright infringement).
[FN4]. One such novel offense occurred recently when Eugene Kashpureff found a loophole in domain-name software, which translates common web addresses (such as http://www.ll.georgetown.edu) into Internet protocol numbers (such as 141.161.38.179). See David J. Loundy, Short-Circuit Exposes Chink in the Web, CHI. DAILY L. BULL., Aug. 14, 1997, at 6. Mr. Kashpureff was charged with wire and computer fraud because he "knowingly redirected Internet traffic from the government-approved InterNIC domain-name registry," which assigns addresses to domains such as .com, .org, .gov, or .edu, to his own renegade registry, AlterNIC, which assigns addresses to uncommon domains such as .sex or .web. See Michelle V. Rafter, A Jail Cell Is Now the Domain of Internet Rebel with Cause, ST. LOUIS POST-DISPATCH, Nov. 19, 1997, at C8. Other examples of novel offenses include the disappearance of two web sites created by a company called U.S. Web. James Watson, a former employee of U.S. Web, "pleaded guilty to charges of harming a computer system used in interstate commerce, a crime under the federal anti-hacking statute." Naftali Bendavid, Feds Fight to Take a Byte Out of Computer Hackers, DENV. POST, Oct. 22, 1998, at A27. Omega Engineering Corp., a company that makes equipment for NASA and the U.S. Navy, was also the victim of a novel computer offense. Timothy Lloyd, a former program designer, pled guilty to federal hacking for deleting software from Omega's system. See id. But see Catherine T. Clarke, Innovation and the Information Environment: From CrimINet to Cyber-Perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet, 75 OR. L. REV. 191, 204 (1996) (alleging that most lawyers view all computer crime as some form of traditional crime that occurred in new environment; for example, computer hacking may be considered theft or trespass).
[FN5]. NATIONAL INSTITUTE OF JUSTICE, U.S. DEP'T OF JUSTICE, COMPUTER CRIME: CRIMINAL JUSTICE RESOURCE MANUAL 2 (1989) [hereinafter DOJ COMPUTER CRIME MANUAL]. A derivative definition of computer crimes is "those crimes where knowledge of a computer system is essential to commit the crime." Jo-Ann M. Adams, Comment, Controlling Cyberspace: Applying the Computer Fraud and Abuse Act to the Internet, 12 SANTA CLARA COMPUTER & HIGH TECH. L.J. 403, 408 (1996).
[FN6]. See Joseph M. Olivenbaum, Rethinking Federal Computer Crime Legislation, 27 SETON HALL L. REV. 574, 576 n.4 (1997) (arguing that "the protean difficulty of defining computer crime," victims' reluctance to report it, and dual system of prosecution, have made statistical figures suspect).
[FN7]. See Scott Charney & Kent Alexander, Computer Crime, 45 EMORY L.J. 931, 934 (1996) (stating that term "computer crime" eludes precise definition).
[FN8]. See S. Friedman & Kristin Bissinger, "Infojacking:" Crimes on the Information Super Highway, J. PROPRIETARY RTS., May 1997, at 2 (explaining that many companies decline to report hacker crimes and prefer to suffer losses quietly rather than risk clients and shareholders discovering their vulnerability to computer attacks); see also Bradley Graham, Lack of Disclosure Impedes Development of Safeguards, WASH. POST, Feb. 28, 1998, at A6 (noting that both businesses and government agencies underreport threats to their computer networks).
[FN9]. The Defense Information Systems Agency intentionally "attacked" 38,000 Department of Defense ("DOD") computers to test DOD's security. Of the 24,700 penetrations only 4% were detected by system administrators, of which only 27% were reported. UNITED STATES GENERAL ACCOUNTING OFFICE, INFORMATION SECURITY: COMPUTER ATTACKS AT DEPARTMENT OF DEFENSE POSE INCREASING RISKS (GAO/AIMD 96-84) 3 (1996) [hereinafter INFORMATION SECURITY]; see also Charney & Alexander, supra note 7, at 936 (discussing new technologies which aid in detections of intrusions).
[FN10]. A joint study of the Business Software Alliance (BSA) and the Software Publishers Association (SPA) estimated that illicit software pirating alone cost American businesses $11.4 billion dollars in lost revenue in 1997. Reuters, Technology Software Piracy Estimated at $11.4 Billion, L.A. TIMES, June 17, 1998, at D3. The revenue loss increased from $11.2 billion in 1996. Elizabeth Corcoran, Study: $11.2 Billion Lost to Software Piracy in '96, WASH. POST, May 8, 1997, at E4. A recent WarRoom Research study showed that of 236 corporations studied, 58% reported suffering computer break-ins in the previous year. Of those 58%, 66% incurred damages exceeding $50,000, and 18% suffered losses in excess of $1 million. Friedman & Bissinger, supra note 8, at 2.
The BSA and SPA report also estimates that eliminating software piracy by 2005 would result in approximately $25 billion in additional government revenue worldwide. Business Software Alliance Releases Report Showing Software Industry As One of the Most Significant Sectors of Global Economy, (last modified Oct. 27, 1998) <http://www.bsa.org>. A Presidential Commission surveyed the scope of this problem and recommended more research and development funding, together with legislation establishing new governmental entities to monitor computer terrorism. See President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures (visited Sept. 15, 1998) <http://www.pccip.gov/report_index.html>. See generally John F. Harris, Panel Urges Federal Government to Step Up Efforts Against Computer Terrorism, WASH. POST, Oct. 21, 1997, at A9 (discussing recommendations that more dollars be spent on developing sophisticated anti-intrusion detection devices because of the increased threat of potentially crippling terrorist attacks).
[FN11]. See Anne W. Branscomb, Rogue Computer Programs and Computer Rogues: Tailoring the Punishment to Fit the Crime, 16 RUTGERS COMPUTER & TECH. L.J. 1, 24-26 (1990) (discussing common motivations of transgressors). Exposing security weaknesses, a frequent motivation of computer hackers, can have obvious salutary effects. See, e.g., United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991) (accepting defendant's assertion that releasing pernicious "worm" on Internet demonstrated security inadequacies). There is a common distinction drawn between "hackers," who have arguably innocuous goals such as exploration, personal challenge, or the elimination of security flaws, and "crackers," or criminal hackers, who have "criminal intent to browse, copy, alter, and/or destroy information." Clarke, supra note 4, at 198, 207 (arguing that traditional hackers should not be considered criminals because of their innocent mens rea). While financial gain was traditionally eschewed by the hacker ethic, this trend may be declining as hackers increasingly seek monetary reward. Id.
[FN12]. Perhaps the most notorious hacker, Kevin Mitnick, was finally indicted after evading authorities for over two years and becoming an "anti-authority hero in the world of renegade hackers." Julie Tamaki, Famed Hacker Is Indicted by U.S. Grand Jury, L.A. TIMES, Sept. 27, 1996, at B1. Mitnick's long history of alleged computer fraud began with breaking into school district computers as a high school student, and included systematic software theft, attacks on Internet service provider computers, hacking into business and educational institution computers, and stealing 20,000 credit card numbers over a two-year period. Id.
Christopher Schanot, a 20-year-old hacker who pled guilty to computer fraud and illegal wiretapping for breaking into TRW's credit reporting system and Sprint Long Distance, was described by authorities as "so cunning he could control virtually any computer system." Hacker, 20, Admits Guilt in Network Break-Ins, STAR-LEDGER (Newark, N.J.), Nov. 18, 1996, at 25.
Teenage hackers remain a problem. Recently, two California teenagers pled guilty to an "organized and systematic" attack on dozens of military and government computer systems. See Jaxon Van Derbeken, Cloverdale Hackers Plead Guilty / Teenagers Raided Invaded Federal Computers, S.F. CHRON., July 30, 1998, at A18; Rajiv Chandrasekaran & Elizabeth Corcoran, Two Calif. Teens Suspected of Breaking into Government Computers, WASH. POST, Feb. 28, 1998, at A6.
[FN13]. See United States v. Czubinski, 106 F.3d 1069, 1071-72 (1st Cir. 1997) (finding IRS employee abused computer access to snoop into private tax returns of acquaintances, former girlfriends, political enemies, presidential candidate, and others); United States v. Sablan, 92 F.3d 865, 866 (9th Cir. 1996) (upholding conviction of fired bank employee who entered bank computer with her old password and damaged files); see also Jonathan Saltzman, Computer Expert Faces Charge of Putting Virus in Textron's System, PROVIDENCE J.-BULL., Oct. 1, 1996, at A1 (reporting that computer specialist described by authorities as "disgruntled employee" denied being "virus queen" who caused unspecified damage to Textron's computers by e-mailing virus-infected programs to all system users); John Schwartz, The Case of the Intel 'Hacker,' Victim of His Own Access, WASH. POST, Sept. 15, 1997, at F17 (noting that Intel security expert was fined $68,000 for using password cracking program, allegedly to check security, without permission of superiors).
[FN14]. The Pentagon reported 250,000 attacks on its computers in 1995 with 65% of those attempts yielding computer network entry. INFORMATION SECURITY, supra note 9, at 3. A 1994 incident in which hackers were able to gain access to Rome Laboratory's system, the Air Force's main command and control research center, cost DOD $500,000. Id. at 4. Through the Rome Laboratory system, the hackers gained access to NASA's Goddard Space Flight Center, Wright-Patterson Air Force Base, and other government facilities, and stole critical DOD information including air tasking orders. Id. at 22. See also Scott Mooneyham, Soldier Acquitted of Spying, Gets 3 Years on Lesser Charges, NEWS TRIB. (Tacoma, Wa.), Dec. 23, 1996, A1 (describing conviction on lesser charges of soldier accused of breaking into DOD computers, giving secret password to Chinese citizen and planning to defect to China); Pierre Thomas & Elizabeth Corcoran, Argentine, 22, Charged with Hacking Computer Networks, WASH. POST, Mar. 30, 1996, at A4 (describing efforts to catch Argentinean who gained access to DOD, NASA, and Los Alamos National laboratory systems).
[FN15]. DOJ COMPUTER CRIME MANUAL, supra note 5, at 2.
[FN16]. Viruses are hidden computer programs that can replicate themselves and attach themselves to other programs. Viruses may cause damage ranging from the display of annoying messages to the deletion of data. See Dale Tarzia, Computerized Bulletin Board Systems: Civil Liability for Rogue Programming, 3 MEDIA L. & POL'Y 17, 17 (1994) (defining computer viruses).
[FN17]. Trojan horses are programs disguised as other programs that do not function in the expected manner, but cause damage instead. Id.
[FN18]. Logic bombs are programs that are activated by a specific event, such as the arrival of a particular date or time. They can be destructive but are also commonly used by software companies to protect against violation of licensing agreements by disabling the program upon detection of a violation. See Dan Goodin, An Incendiary Decision, AM. LAW. MEDIA, Sept. 11, 1996, at 1 (discussing reaction by software vendors to decision that their logic bombs may violate anti-hacking legislation). Logic bombs can also surreptitiously e-mail the company an alert that a licensing violation has occurred. See Robert C. Scheinfeld, Embedded Alert Software: Weapon Against Piracy or Computer Abuse?, N.Y. L.J., Aug. 13, 1996, at 1 (analyzing legality of embedded alert programs).
[FN19]. Sniffer programs are disguised as common, innocuous files but, once placed on a system, collect users' passwords to that system. See Thomas & Corcoran, supra note 14, at A4 (describing how sniffers were used to gain access to sensitive government systems via Harvard University computers).
[FN20]. See United States v. Petersen, 98 F.3d 502, 504 (9th Cir. 1996) (stating that defendant, by hacking into credit reporting service, obtained financial information, which he used to order fraudulent credit cards).
[FN21]. Pub. L. No. 104-294, Title II, § 201, 110 Stat. 3488, 3491-94 [hereinafter 1996 Act] (amending 18 U.S.C. § 1030).
[FN22]. See Olivenbaum, supra note 6, at 575-76 (arguing that modifying existing criminal statutes is effective, suitable method of handling computer crime and that new legislation has proved repetitive and has improperly focused on use of technology rather than on criminal conduct itself). But see Heymann, supra note 2, at 373 (arguing that intangible nature of technological "property," immense speed and scale of computer activity, and other unique features of computer crime necessitate special legislation).
[FN23]. Pub. L. No. 98-473, Title II, Chapter XXI, § 2102(a), 98 Stat. 1837, 2190 (1984) [hereinafter 1984 Act] (current version at 18 U.S.C. § 1030). For legislative history of the 1984 Act, see H.R. REP. NO. 98-894, at 9 (1984) (indicating that difficulties in prosecuting computer-related crime arise because property involved is intangible, making prosecution under traditional theft and larceny statutes difficult). See also Glenn D. Baker, Note, Trespassers Will Be Prosecuted: Computer Crime in the 1990s, 12 COMPUTER L.J. 61, 63-66 (1993) (discussing background of 1984 Act).
[FN24]. See Dodd S. Griffith, Note, The Computer Fraud and Abuse Act of 1986: A Measured Response to a Growing Problem, 43 VAND. L. REV. 453, 456 (1990) (discussing history of 1984 Act and its 1986 amendments).
[FN25]. See Heymann, supra note 2, at 373 (discussing categories of computer-related crime and special legislation necessary to address special computer crimes).
[FN26]. Pub. L. No. 99-474, § 2, 100 Stat. 1213 (1986) [hereinafter 1986 Act] (current version at 18 U.S.C. § 1030).
[FN27]. See Adams, supra note 5, at 422-23 (discussing changes made by 1986 Act).
[FN28]. Pub. L. No. 100-690, Title VII, § 7065, 102 Stat. 4404 (1988) [hereinafter 1988 amendments] (current version at 18 U.S.C. § 1030).
[FN29]. Pub. L. No. 101-73, Title IX, § 962 (a) (5), 103 Stat. 502 (1989) [hereinafter 1989 amendments] (current version at 18 U.S.C. § 1030).
[FN30]. Pub. L. No. 101-647, Title XII, § 1205 (e), Title XXV, § 2597 (j), Title XXXV, § 3533, 104 Stat. 4831, 4910, 4925 (1990) [hereinafter 1990 amendments] (current version at 18 U.S.C. § 1030).
[FN31]. Pub. L. No. 103-322, Title XXIX, § 290001 (b) - (f), 108 Stat. 2097-2099 (1994) [hereinafter 1994 Act] (current version at 18 U.S.C. § 1030). See Adams, supra note 5, at 425 (describing briefly 1994 intent offenses).
[FN32]. Pub. L. No. 104-294, Title II, § 201, 110 Stat. 3488, 3491-94 (1996) [hereinafter 1996 Act] (current version at 18 U.S.C. § 1030). See Adams, supra note 5, at 424 (highlighting changes made by 1988, 1989, and 1990 amendments).
[FN33]. For a critique of certain weaknesses of the 1984 Act and an explanation of how the National Information Infrastructure Protection Act (NIIPA) amendments would improve the 1994 Act, see Adams, supra note 5, at 408.
[FN34]. "[P]rotected computer" is defined as:
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not used exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication.
18 U.S.C.A. § 1030(e)(2) (Supp. 1998).
A "computer" is defined as:
an electronic, magnetic, optical, electrochemical, or other high speed processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.
18 U.S.C.A. § 1030(e)(1) (Supp. 1998). Automatic Teller Machines (ATMs) fit this definition of computer. United States v. Sykes, 4 F.3d 697, 698 (8th Cir. 1993).
[FN35]. "Federal Interest computers" under the 1994 Act included a computer "which is one of two or more computers used in committing the offense, not all of which are located in the same state." 18 U.S.C. § 1030(e)(2) (1994 & Supp. 1995).
[FN36]. Id. The 1994 Act left computers, even those essential to interstate commerce, vulnerable to attack from within their home state. Although computers used in interstate commerce were specifically protected under 18 U.S.C. § 1030(a)(5) under the 1994 Act, the 1996 Act brings them within the purview of sections (a)(2), (a)(4), and (a)(7) as well. The inclusion of computers used in "foreign commerce" confers jurisdiction over international computer crime cases. See Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, The National Information Infrastructure Protection Act of 1996: Legislative Analysis (last modified June 10, 1998) <http://www.usdoj.gov/criminal/cybercrime/1030_anal.html> [hereinafter Legislative Analysis] (analyzing 1996 Act).
[FN37]. The term "exceeds authorized access," used throughout the statute, means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter." 18 U.S.C.A. § 1030(e)(6) (Supp. 1998).
[FN38]. The scienter element in the 1994 Act, that the offender intend or have reason to believe the information "is to be used" to the injury of the United States was eliminated by the 1996 Act, under which it is a violation if the information "could be used" to the injury of the United States. 18 U.S.C.A. § 1030(a)(1) (Supp. 1998).
[FN39]. Since there is no requirement that the information be transported or copied, merely reading the information may be considered "obtaining." See Legislative Analysis, supra note 36. Merely reading information, however, is not considered "obtaining something of value" for purposes of 18 U.S.C.A. § 1030(a)(4) (Supp. 1998). United States v. Czubinski, 106 F.3d 1069, 1078 (1st Cir. 1997) (reversing defendant's conviction under § 1030(a)(4) for merely reading tax returns in excess of authorization).
[FN40]. "Financial institution" is defined as:
(A) an institution with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit system under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to § 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of § 1(b) of the International Banking Act of 1978); and
(I) an organization operating under § 25 or § 25(a) of the Federal Reserve Act.
18 U.S.C.A. § 1030(e)(4) (Supp. 1998).
[FN41]. 18 U.S.C.A. § 1030(a)(2) (Supp. 1998).
[FN42]. 18 U.S.C.A. § 1030(a)(3) (Supp. 1998).
[FN43]. 18 U.S.C.A. § 1030(a)(3) (Supp. 1998).
[FN44]. 18 U.S.C.A. § 1030(e)(2) (Supp. 1998).
[FN45]. See Legislative Analysis, supra note 36 (outlining changes made by 1996 Act).
[FN46]. "Damage" is defined as:
any impairment to the integrity or availability of data, a program, a system, or information, that--
(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
(B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;
(C) causes physical injury to any person; or
(D) threatens public health or safety....
18 U.S.C.A. § 1030(e)(8) (Supp. 1998).
[FN47]. 18 U.S.C.A. § 1030(a)(5)(A) (Supp. 1998).
[FN48]. 18 U.S.C.A. § 1030(a)(5)(B) (Supp. 1998).
[FN49]. A reckless violation is a felony under 18 U.S.C.A. § 1030(c)(3)(A) (Supp. 1998).
[FN50]. A negligent violation is a misdemeanor under 18 U.S.C.A. § 1030(c)(2)(A) (Supp. 1998).
[FN51]. 18 U.S.C.A. § 1030(a)(6) (Supp. 1998).
[FN52]. 18 U.S.C.A. § 1030(a)(7) (Supp. 1998). This provision is necessary because it is unclear whether existing statutes, such as the Hobbs Act, 18 U.S.C. § 1951 (1994) (applying to interference with commerce by extortion), or 18 U.S.C. § 875(d) (1994) (dealing with interstate transmission of threat to injure property), are expansive enough to include such intangible views of harm to property as interference with unfettered access to data or tying up system resources. See Legislative Analysis, supra note 36 (analyzing reasons for 1996 Act).
[FN53]. See Charney & Alexander, supra note 7, at 953 (discussing areas covered by § 1030(a)(7)).
[FN54]. See Legislative Analysis, supra note 36 (analyzing reasons for 1996 Act).
[FN55]. 18 U.S.C.A. § 1030(c)(2)(B) (Supp. 1998).
[FN56]. See Friedman & Bissinger, supra note 8 (discussing problem of underreporting of computer crime).
[FN57]. 18 U.S.C.A. § 1030(g) (Supp. 1998).
[FN58]. 18 U.S.C.A. § 1030(b) (Supp. 1998).
[FN59]. 18 U.S.C.A. § 1030(d) (Supp. 1998).
[FN60]. See Legislative Analysis, supra note 36 and accompanying text (explaining changes made by 1996 Act).
[FN61]. Id.
[FN62]. United States v. Morris, 928 F.2d 504 (2d Cir. 1991). Morris was prosecuted for releasing a "worm" on to a computer network. The "worm" spread to thousands of other computers and prevented access to those computers by duplicating itself so many times that all the computers crashed. Id. at 505-06. Morris argued that under § 1030(a)(5) of the 1986 Act, the government was required to prove not only that he intended unauthorized access to a federal interest computer, but also that he intended to prevent others' access. Since he possessed authorized access to the computer, he argued that he could not be prosecuted under the statute because his only wrong was to exceed the scope of his authorization. Id. at 511. The Second Circuit rejected this argument based on its reading of the legislative history. The court found that Congress, cognizant that people with authorized access to a federal interest computer might try to gain unauthorized access to other such computers, did not intend that authorization for some federal interest computers would constitute authorization for all such computers. Id. The statute thus applied to Morris, although the court noted that this defense was not categorically invalid since a situation could arise that "falls within a nebulous area in which the line between accessing [a computer] without authorization and exceeding authorization might not be clear." Id. at 510.
[FN63]. See United States v. Sablan, 92 F.3d 865 (9th Cir. 1996) (finding lack of mens rea requirement constitutional).
[FN64]. 18 U.S.C.A. § 1030(a)(3) (Supp. 1998).
[FN65]. 18 U.S.C.A. § 1030(a)(3) (Supp. 1998).
[FN66]. See United States v. Czubinski, 106 F.3d 1069, 1078-79 (1st Cir. 1997) (reversing conviction because nothing of value was obtained by defendant's mere browsing of IRS files).
[FN67]. 18 U.S.C.A. § 1030(e)(8)(a) (Supp. 1998) (defining "damages").
[FN68]. 18 U.S.C.A. § 1030(e)(8)(a) (Supp. 1998).
[FN69]. In Morris the court concluded that fixing the problem caused by the worm would cost anywhere from $200 to $53,000. United States v. Morris, 928 F.2d 504, 506 (2d Cir. 1991); see also United States v. Stegora, 849 F.2d 291, 292 (8th Cir. 1988) (using property value in "thieves' market").
[FN70]. 92 F.3d 865 (9th Cir. 1996).
[FN71]. Id. at 869-70.
[FN72]. 18 U.S.C. § 1030(c) (Supp. 1998). The 1996 Act broadens the definition of recidivism by replacing the words "such subsection" with "this section." Pub. L. No. 104-294, Title II, § 201(2)(A), 110 Stat. 3488, 3492 (1996). Thus, while in the past § 1030(c)(1)(A) applied only to individuals already convicted under a specific subsection, the new version punishes those persons convicted of any other offense under § 1030.
[FN73]. U. S. SENTENCING GUIDELINES MANUAL App. A (1998) [hereinafter U.S.S.G.]; see U.S.S.G. Ch. 3 (1998) (setting forth criteria for upward and downward adjustments of offense levels).
[FN74]. The Guidelines set the base offense level for § 1030(a)(1) at 35 if unlawfully accessed national defense information is top secret, and at 30 for obtaining other information or data. U.S.S.G. § 2M3.2(a) (1998).
[FN75]. The offense level for a violation of § 1030(a)(2)-(7) is determined by various U.S.S.G. provisions; those of all but subsection (3) are largely dependent on the value of the loss suffered. Subsection (2) is covered by U.S.S.G. § 2B1.1 (1998) (larceny/embezzlement theft); Subsection (3) by U.S.S.G. § 2B2.3 (1998) (trespass); Subsections (4) and (6) by U.S.S.G. § 2F1.1 (fraud/deceit); Subsection (5) by U.S.S.G. § 2B1.3 (property damage or destruction); and Subsection (7) by U.S.S.G. § 2B3.2 (extortion). For a complete explanation of the application of § 2F1.1 and its loss table, see the MAIL AND WIRE FRAUD article in this issue.
[FN76]. See U.S.S.G. § 2X1.1(a) (1998) (setting base offense levels identical to those assigned to respective completed offenses); see also U.S.S.G. § 2X1.1(b) (1998) (providing enhancement guidelines that differ from those governing completed offenses).
[FN77]. See U.S.S.G. App. C, Amend. 551 (1998) (effective Nov. 1, 1997).
[FN78]. U.S.S.G. § 2B3.2 (1998).
[FN79]. U.S.S.G. § 2B3.2 (1998).
[FN80]. United States v. Petersen, 98 F.3d 502, 506-07 (9th Cir. 1996).
[FN81]. Id.
[FN82]. Pub. L. No. 104-132, Title VIII, § 805, 110 Stat. 1214, 1305 (1996).
[FN83]. Id.
[FN84]. UNITED STATES SENTENCING COMMISSION, REPORT TO THE CONGRESS: ADEQUACY OF FEDERAL SENTENCING GUIDELINE PENALTIES FOR COMPUTER FRAUD AND VANDALISM OFFENSES, 2, 6 (1996) [hereinafter 1996 U.S.S.C. COMPUTER FRAUD REPORT]. This Report is also available on-line at: <http://www.ussc.gov/compfrd.pdf>.
[FN85]. Id. at 3, 9.
[FN86]. U.S.S.G. App. C, Amend. 551 (1998) (codified at U.S.S.G. § 2B1.3(d)(1) (for 18 U.S.C. § 1030(a)(5)) and U.S.S.G. § 2F1.1(c)(1) (for 18 U.S.C. § 1030(a)(4)).
[FN87]. 1996 U.S.S.C. COMPUTER FRAUD REPORT, supra note 84, at 2.
[FN88]. Id. at n.5.
[FN89]. Id. at 9.
[FN90]. Id. at 6.
[FN91]. UNITED STATES SENTENCING COMMISSION, COMPUTER FRAUD WORKING GROUP, REPORT SUMMARY: SUMMARY OF FINDINGS, 3 (1993) [hereinafter 1993 U.S.S.C. REPORT SUMMARY] (suggesting that while prosecution of computer fraud and abuse continues under traditional generic statutes that apply to many computer-related offenses, some offenses are unique to computers and require prosecution under statutes specific to computer operation and related activities).
[FN92]. See Business Software Alliance Releases Report Showing Software Industry As One of the Most Significant Sectors of Global Economy (last modified Oct. 27, 1998) <http://www.bsa.org/statistics/index>.
[FN93]. See Copyright Infringement Act, 17 U.S.C. § 506(a), as amended by Pub. L. No. 105-147, § 2(b), 111 Stat. 2678 (1997). The December 1997 amendments were expressly enacted to "reverse the practical consequences of United States v. LaMacchia, ... [which precluded criminal sanctions for copyright infringement] in instances in which a defendant does not realize a commercial advantage or private financial gain." H.R. REP. NO. 105-339, at 3 (1997). The LaMacchia case is discussed infra note 96. In 1992, Congress amended 18 U.S.C. § 2319 to provide strict felony penalties for some copyright violations enumerated in Title 17. Pub. L. No. 102-561, 106 Stat. 4233 (1992) (codified at 18 U.S.C. § 2319 (1994)).
[FN94]. See generally COMPUTER CRIME & INTELLECTUAL PROPERTY SECTION-- CRIMINAL DIV., U.S. DEP'T OF JUSTICE, FEDERAL PROSECUTION OF VIOLATIONS OF INTELLECTUAL PROPERTY RIGHTS, at iii (1997) [hereinafter FEDERAL PROSECUTION MANUAL] (analyzing elements of criminal copyright infringement). The December 1997 amendment, supra note 93, changed the third element.
[FN95]. To prove the first element of copyright infringement, the prosecution must show: (1) existence of a valid copyright, and (2) that defendant copied original elements of copyrighted work. See United States v. Manzer, 69 F.3d 222, 227 (8th Cir. 1995) (finding infringement of satellite descrambler program where defendant's program was "more than seventy-percent similar to the copyrighted software"); Montgomery County Ass'n of Realtors, Inc. v. Realty Photo Master Corp., 878 F. Supp. 804, 809-10 (D. Md. 1995) (holding that existence of valid copyright can be established by copyright registration certificate), aff'd 91 F.3d 132 (4th Cir. 1996); see also Feist Publications, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 345 (1991) (finding mere alphabetical listing of information in telephone directory does not possess minimal degree of creativity, thus not qualifying for copyright protection); Charles Von Simson, Feist or Famine: American Database Copyright as an Economic Model for the European Union, 20 BROOK. J. INT'L L. 729 (1995) (noting split among circuit courts in interpreting Feist). But see CCC Info. Servs. v. Maclean Hunter Market Reports, 44 F.3d 61, 65 (2d Cir. 1994) (explaining that Feist's standard of originality in selection and arrangement of information to achieve copyright protection required is low).
[FN96]. See United States v. LaMacchia, 871 F. Supp. 535, 536, 541 (D. Mass. 1994) (holding government cannot prosecute defendant's use of electronic bulletin board to facilitate copying of copyrighted computer software under criminal copyright infringement if it cannot show that defendant sought or derived personal benefit). The December 1997 amendment, supra note 93, had the express legislative purpose of overruling LaMacchia--thus a similarly situated defendant would now be found guilty. See H.R. REP. NO. 105-339, at 3 (1997). But see Wendy M. Grossman, Cyber View; Downloading as a Crime, SCI. AM., Mar. 1998, at 37 (criticizing 1997 amendments for not recognizing fair use exemptions to infringement liability).
Even prior to the December 1997 amendment, several courts had not used the same reasoning as adopted by LaMacchia. See United States v. Moore, 604 F.2d 1228, 1235 (9th Cir. 1979) ("[I]t is irrelevant whether there was an exchange for value so long as there existed the hope..."); Sega Enters. v. Maphia, 948 F. Supp. 923, 940 (N.D. Cal. 1996) (noting civil defendant who operated free bulletin board service from which users could download copyrighted software committed contributory infringement because he encouraged uploading of games, gave instructions and sold copiers to help download games).
[FN97]. "Notwithstanding the [copyright owner's exclusive right to distribute copies granted by 17 U.S.C. § 106(3)], the owner of a particular copy or phonorecord lawfully made ... is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy or phonorecord." 17 U.S.C. § 109(a) (1994); see Bourne v. Walt Disney Co., 68 F.3d 621, 632 (2d Cir. 1995) (applying first sale doctrine to challenged conduct).
[FN98]. See, e.g., United States v. Goss, 803 F.2d 638, 645-46 (11th Cir. 1986) (overturning conviction based on first sale doctrine because government failed to prove defendant did not legally purchase and own copyrighted video game containing memory chips he then sold to FBI agents).
[FN99]. The first sale doctrine does not apply to "any person who has acquired possession of the copy or phonorecord from the copyright owner, by rental, lease, loan, or otherwise, without acquiring ownership of it." 17 U.S.C. § 109(d) (1994). Under most software licensing agreements, the copyright holder maintains ownership of all distributed copies, so first sale is usually not an available defense to software infringement. FEDERAL PROSECUTION MANUAL, supra note 94, at III.e.
[FN100]. See Repp v. Webber, 132 F.3d 882, 889 (2d Cir. 1997) (noting violators are liable for subconscious copyright infringement of musical compositions); United States v. Moran, 757 F. Supp. 1046, 1049 (D. Neb. 1991) (accepting defendant's argument that he believed making just one copy was not copyright infringement); FEDERAL PROSECUTION MANUAL, supra note 94, at III.e.
[FN101]. 18 U.S.C.A. § 2319(b)(1) (as amended by Pub. L. No. 105-147, § 2(d), 111 Stat. 2678, 2679 (1997)); see U.S.S.G. § 2B5.3 (1998). The ten copies can represent an infringement of one copyrighted work, or an aggregation of different works of authorship. H.R. REP. NO. 102-997, at 4 (1992), reprinted in 1992 U.S.C.C.A.N. 3569, 3572.
[FN102]. U.S.S.G. app. A (1998). See e.g., United States v. Hicks, 46 F.3d 1128 (4th Cir. 1995) (holding calculation of loss under Guidelines results in sentence of three years probation, $40,000 fine, and restitution for copyright infringement of satellite decryption systems); United States v. Larracuente, 952 F.2d 672, 674-75 (2d Cir. 1992) (affirming sentencing for criminal copyright infringement based on retail price of films used by defendant to create "bootleg" videotapes).
[FN103]. U.S.S.G. § 2B5.3(a) (1998).
[FN104]. U.S.S.G. § 2B5.3(b)(1) (1998).
[FN105]. 18 U.S.C. § 2314 (1994). See generally INTELLECTUAL PROPERTY CRIMES article in this issue.
[FN106]. 18 U.S.C. § 2314 (1994).
[FN107]. See United States v. Jones, 553 F.2d 351, 356 (4th Cir. 1977) (holding that fraudulent diversion of funds by computer violated NSPA).
[FN108]. See United States v. LaMacchia, 871 F. Supp. 535, 536-38 (D. Mass. 1994) (finding use of computer bulletin board to copy copyrighted software does not involve "physical taking" and thus cannot be prosecuted under NSPA); see also United States v. Brown, 925 F.2d 1301, 1308 (10th Cir. 1991) (concluding computer program in source code form is not tangible item and thus did not constitute "goods" or "wares" under NSPA); United States v. Wang, 898 F. Supp. 758, 760 (D. Colo. 1995) (holding computer program does not qualify as "goods, wares, merchandise, securities or money" for purposes of NSPA).
[FN109]. See United States v. Lyons, 992 F.2d 1029, 1033 (10th Cir. 1993) (rejecting defendant's claim that Brown precludes consideration of value of stolen software in determining sentencing under NSPA).
[FN110]. 18 U.S.C. § 2314 (1994); see United States v. Pierro, 32 F.3d 611, 620 (1st Cir. 1994) (affirming lower court ruling that downward departure from Guidelines was unwarranted because defendant's theft and interstate resale of stolen computer components clearly fell within § 2314 and Guideline provisions).
[FN111]. U.S.S.G. app. A (1998).
[FN112]. U.S.S.G. § 2B1.1(a) (1998).
[FN113]. U.S.S.G. § 2B1.1(b)(1) (1998).
[FN114]. U.S.S.G. § 2B1.1(b)(4)(A) (1998).
[FN115]. U.S.S.G. § 2B1.1(b)(4)(B) (1998).
[FN116]. 18 U.S.C. §§ 1341, 1343 (1994). See generally MAIL AND WIRE FRAUD article in this issue.
[FN117]. 18 U.S.C. §§ 1341, 1343 (1994).
[FN118]. STANLEY S. ARKIN ET AL., PREVENTION AND PROSECUTION OF COMPUTER AND HIGH TECHNOLOGY CRIME, ¶ 3.04[1][a][ii] (1991).
[FN119]. See United States v. Briscoe, 65 F.3d 576 (7th Cir. 1995) (holding fraudulent transfer of funds through computer system violates wire fraud statute); United States v. Gaind, 31 F.3d 73, 75 (2d Cir. 1994) (finding wire fraud violation when government contractor altered computer clocks to "backdate" reports to represent falsely that tests were completed within specified period); Mid Atlantic Telecom, Inc. v. Long Distance Servs., Inc., 18 F.3d 260, 264 (4th Cir. 1994) (allowing civil RICO action based on violations of §§ 1341 and 1343 where reseller of long distance telephone service used computer program to add extra minutes to calls of customers); United States v. Seidlitz, 589 F.2d 152, 155 (4th Cir. 1978) (finding former employee's unauthorized attempt to access computer to obtain company property violated wire fraud statute); United States v. Upton, 856 F. Supp. 727, 733 (E.D.N.Y. 1994) (finding that defendants falsified computer transactions regarding airplane maintenance).
[FN120]. 18 U.S.C. § 1346 (1994); see also ARKIN ET AL., supra note 118, ¶ 3-33 (noting that intangible property is covered by federal mail and wire fraud statutes).
[FN121]. See United States v. Wang, 898 F. Supp. 758, 759 (D. Colo. 1995) (denying motion to dismiss wire fraud charge because computer program, while intangible, is still property, and therefore may be prosecuted under both Copyright Act and wire fraud statute). But see United States v. LaMacchia, 871 F. Supp. 535, 540-44 (D. Mass. 1994) (allowing motion to dismiss wire fraud charge based on use of computer bulletin board to facilitate illegal copying of copyrighted software partially because no plain congressional intent found for wire fraud statute to reach copyrighted material).
[FN122]. 18 U.S.C. §§ 1341, 1343 (1994).
[FN123]. 18 U.S.C. §§ 1341, 1343 (1994).
[FN124]. U.S.S.G. app. A (1998).
[FN125]. U.S.S.G. § 2C1.6(a), (b) (1998).
[FN126]. U.S.S.G. § 2C1.7 (1998); see, e.g., United States v. ReBrook, 58 F.3d 961, 969 (4th Cir. 1995) (upholding increase in offense level pursuant to § 2C1.7(b)(1)(B) for wire fraud conviction based on video lottery systems because defendant was public official holding high-level decision-making or sensitive position).
[FN127]. U.S.S.G. § 2F1.1(a), (b) (1998); see, e.g., United States v. Catalfo, 64 F.3d 1070, 1082-83 (7th Cir. 1995) (upholding sentencing enhancement for wire fraud by illegal computerized futures trading because defendant could have foreseen possible loss from his conduct and was therefore accountable for monetary loss under § 2F1.1). For a complete explanation of these provisions, see the MAIL AND WIRE FRAUD article in this issue.
[FN128]. Pub. L. No. 99-508, 100 Stat. 1848 (1986), codified as amended at 18 U.S.C. §§ 2510-2521, 2701-2710.
[FN129]. 18 U.S.C. § 2511(1)(e) (1994). The Fifth Circuit interpreted the ECPA as supplementing the Communications Act of 1934 (codified as amended at scattered sections of 47 U.S.C.). Accordingly, the court held that concurrent prosecution under both Acts does not violate the Double Jeopardy Clause of the Fifth Amendment. See United States v. Crawford, 52 F.3d 1303, 1306-07 (5th Cir. 1995).
[FN130]. 18 U.S.C.A. § 2701 (Supp. 1998).
[FN131]. See United States v. Reyes, 922 F. Supp. 818, 836-37 (S.D.N.Y. 1996) (concluding that police officer who pressed button on defendant's pager to discover callers' identities did not "intercept" electronic transmissions pursuant to § 2510(4), but rather accessed electronic storage under § 2701(a)); see also Steve Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457, 458 (5th Cir. 1994) (holding that seizure of computer used to operate electronic bulletin board, which in turn contained unretrieved electronic mail, did not constitute interception under § 2510).
[FN132]. See United States v. Petersen, 98 F.3d 502, 504-05 (9th Cir. 1996) (upholding ECPA conviction for hacking into telephone system); see also INFORMATION SECURITY, supra note 9, at 2-3 (citing frequent hacking into DOD's computer networks as evidence that increased computer protections are needed).
[FN133]. 18 U.S.C. § 2510(1) (1996) (broadening statutory definition of communications covered to include those "affecting interstate or foreign commerce").
[FN134]. 18 U.S.C. § 2516 (1996); see In re Askin, 47 F.3d 100, 102-03 (4th Cir. 1995) (holding that conversations on cordless telephones are not communications protected by ECPA, and thus are open to warrantless police monitoring); United States v. Fregoso, 60 F.3d 1314, 1321 (8th Cir. 1995) (holding that §§ 2510-2522 do not protect caller identification service decoding electronic impulses to display telephone number of receiving call). For a discussion on the conflict between protecting data privacy while allowing for police monitoring of that data for enforcement and national security reasons, see Richard D. Marks, Security, Privacy and Free Expression in the New World of Broadband Networks, 32 HOUS. L. REV. 501-08 (1995) (noting that advances in computer technology inevitably allow users to develop new techniques to outstrip patchwork computer legislation); see also ARKIN ET AL., supra note 118, ¶ 9.02[2] (discussing provisions of Act designed to ease law enforcement investigations through interception of oral and wire communications).
[FN135]. Pub. L. No. 98-473, Title II, Chapter XXI, § 2102(a), 98 Stat. 1837, 2190, codified as amended at 18 U.S.C. §§ 1001, 1030; see also supra Part II.A.1. (discussing substantive provisions of Computer Fraud and Abuse Act as amended by the National Information Infrastructure Act of 1996).
[FN136]. Compare United States v. Chick, 61 F.3d 682, 687-88 (9th Cir. 1995) (permitting government to use ECPA to prosecute defendant for pirating modified satellite descramblers), and United States v. Harrell, 983 F.2d 36, 37-38 (5th Cir. 1993) (acknowledging ECPA's proper application to modified satellite descramblers), with United States v. Shriver, 989 F.2d 898, 904-07 (7th Cir. 1993) (concluding that § 2512 covers sale or ownership of satellite descramblers only if descramblers are designed primarily to pirate satellite-transmitted broadcasts).
[FN137]. United States v. Crawford, 52 F.3d 1303, 1309-10 (5th Cir. 1995) (affirming convictions under ECPA after defendants repaired and sold modules that descrambled cable television signals).
[FN138]. 18 U.S.C. § 2511(4)(a) (1996). Under the Guidelines, defendants convicted of intercepting communications or eavesdropping receive a base offense level of nine. U.S.S.G. § 2H3.1(a) (1998). If the purpose of the conduct was to obtain direct or indirect commercial advantage or economic gain, the offense level is increased by three. U.S.S.G. § 2H3.1(b)(1) (1998). Additionally, if the purpose of the conduct was to facilitate another offense with a higher offense level, the guideline applicable to an attempt to commit that offense should be applied. U.S.S.G. § 2H3.1(c)(1) (1998).
[FN139]. 18 U.S.C. § 2511(4)(b) (1996). However, interception of an unscrambled radio communication intended for retransmission to the public is not punishable under this section. 18 U.S.C. § 2511(4)(c) (1996).
[FN140]. 18 U.S.C. §§ 2520(a) and 2707(a) (1996) authorize civil suits against any "person or entity" in violation of the ECPA's substantive provisions. The Tenth Circuit was the first federal court of appeals to hold that the police had violated § 2701 by seizing computer equipment that they should have known would hinder e-mail access of customers not connected with their investigation. See Davis v. Gracey, 111 F.3d 1472, 1484 (10th Cir. 1997). However, the court granted the officers' motion for summary judgment because of their valid good faith defense under § 2707. See id. at 1483-85.
Brown v. Waddell, 50 F.3d 285, 294 (4th Cir. 1995), held that law enforcement use of "clone pagers" to intercept numeric transmissions received on digital display pagers violated § 2511 of ECPA and subjected state officials to civil liability. Clone pagers provide police with the phone numbers and other messages left by the persons calling the original pager. In Brown, police used such a device to discover the telephone numbers of persons paging the defendant, a suspected drug dealer. Id.; see also Organizacion JD Ltda v. United States Dep't of Justice, 18 F.3d 91, 94-95 (2d Cir. 1994) (per curiam) (holding that governmental "entities" can be subject to liability under § 2707(a) where appellants were intended recipients of electronic fund transfers ("EFTs") seized by DEA agents); United States v. Daccarett, 6 F.3d 37, 54 (2d Cir. 1993) (concluding that government seizures of EFTs were not "interceptions" under ECPA because no "device" was used, as required by 18 U.S.C. § 2510(4)). But see Tucker v. Waddell, 83 F.3d 688 (4th Cir. 1996) (stating that § 2703(c) does not authorize civil action against government entity that improperly obtains telephone records).
[FN141]. 18 U.S.C. § 2701(b)(1)(A) (1996).
[FN142]. 18 U.S.C. § 2701(b)(1)(B) (1996).
[FN143]. 18 U.S.C. § 2701(b)(2) (1996).
[FN144]. Pub. L. No. 104-104, Title V, §§ 501-561, 110 Stat. 56, 133-43 (codified at 18 U.S.C. §§ 1462, 1465, 2422 and at scattered sections of Title 47).
[FN145]. 117 S. Ct. 2329 (1997).
[FN146]. Id. at 2340 (analyzing 47 U.S.C. § 223(a)(1)(B)).
[FN147]. Id.
[FN148]. See id. (citing Miller v. California, 413 U.S. 15, 18 (1973), which permits states to ban obscene speech in order to ensure the general welfare of their citizens).
[FN149]. 47 U.S.C.A. § 223(d) (Supp. 1997).
[FN150]. See Reno, 117 S. Ct. at 2340-41 (contrasting CDA with law at issue in Ginsberg v. New York, 390 U.S. 629 (1968), which banned certain magazine sales to persons under age 17 even though magazines were not necessarily obscene to adults).
[FN151]. Id. at 2341-44 (distinguishing CDA from FCC "Filthy Words" regulations at issue in FCC v. Pacifica Foundation, 438 U.S. 726, 730 (1978)).
[FN152]. Reno, 117 S. Ct. at 2349.
[FN153]. Id. at 2344.
[FN154]. U.S.S.G. § 2G3.1(a) (1996).
[FN155]. 18 U.S.C. § 1462(c) (1996).
[FN156]. 18 U.S.C. § 1462(c) (1996).
[FN157]. U.S.S.G. § 2G3.1(b)(1) (1996).
[FN158]. U.S.S.G. § 2G3.1(b)(2) (1996).
[FN159]. Pub. L. No. 104-208, Title I, § 121(a), 110 Stat. 3009, 3009-113 to 3009-129 (amending 18 U.S.C. §§ 2241, 2243, 2251, 2252, 2256, 42 U.S.C. § 2000aa, and adding 18 U.S.C. § 2252A).
[FN160]. See United States v. Airman First Class Falk, No. ACM32456, 1997 WL 583568, at *1 (A.F. Ct. Crim. App. Sept. 5, 1997) (noting that CPPA eliminated loophole that previously exempted "possession of a single computer disk," regardless of how many separate pornographic images it contained); see also FBI Oversight: Hearing Before the Subcomm. on Crime of the House Judiciary Comm., 105th Cong. 4-7 (1997) (statement of Louis Freeh, Director, FBI) (warning Congress of increased risk to children who interact with strangers in cyberspace). But cf. Sharon Waxman, "Lolita:" Forbidden Fruit for Studios; Does Hollywood Fear Remake of Nabokov?, WASH. POST, June 30, 1997, at C1 (illustrating CPPA's potentially chilling effect on artistic representations of pedophilia).
[FN161]. 18 U.S.C.A. §§ 2252(A), 2256 (Supp. 1998).
[FN162]. 18 U.S.C.A. §§ 2252(A), 2256 (Supp. 1998).
[FN163]. Compare Free Speech Coalition v. Reno, No. C97-0281VSC, 1997 WL 487758, at *4 (N.D. Cal. Aug. 12, 1997) (holding CPPA provisions to be "content-neutral regulations" sufficiently defined to withstand vagueness challenge), with United States v. Hilton, 999 F. Supp. 131, 136-37 (D. Me. 1998). For a detailed analysis of the CPPA's potential constitutional infirmity, see Debra D. Burke, The Criminalization of Virtual Child Pornography: A Constitutional Question, 34 HARV. J. ON LEGIS. 439, 456-63 (1997); Debra D. Burke, Cybersmut and the First Amendment: A Call for a New Obscenity Standard, 9 HARV. J.L. & TECH. 87, 115-18 (1997) (questioning CPPA's constitutionality).
[FN164]. 18 U.S.C.A. § 2252A(b)(1) (Supp. 1998).
[FN165]. 18 U.S.C.A. § 2252A(b)(2) (Supp. 1998).
[FN166]. 18 U.S.C.A. § 2252A(b)(2) (Supp. 1998).
[FN167]. 18 U.S.C.A. § 2252A(b)(2) (Supp. 1998).
[FN168]. See Joseph B. Tompkins, Jr. & Frederick S. Ansell, Computer Crime: Keeping Up with High Tech Criminals, CRIM. JUST., Winter 1987, at 30, 32 (discussing United States v. Fadriquela, No. 85-CR-40 (D. Colo. May 1985) in which defendant pleaded guilty to misdemeanor charges and was fined $3,000).
[FN169]. 1993 U.S.S.C. REPORT SUMMARY, supra note 91, at 3; see, e.g., United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991) (upholding defendant's conviction under § 1030(a)(5) for introducing "worm" into Internet and jamming up to 6,000 federal and federal interest computers across the country).
[FN170]. 1993 U.S.S.C. REPORT SUMMARY, supra note 91, at 3-4.
[FN171]. 1996 U.S.S.C. COMPUTER FRAUD REPORT, supra note 84, at 2, 6.
[FN172]. See United States v. Sykes, 4 F.3d 697, 698 (8th Cir. 1993) (upholding conviction for computer access fraud under 18 U.S.C. § 1030(a)(4) for unauthorized use of automatic teller machine). Compare United States v. Ashe, 47 F.3d 770, 774-75 (6th Cir. 1995) (holding that "tumbling" cellular identification numbers, which prevents cellular telecommunications providers from tracing or billing calls, gives rise to cognizable claim under 18 U.S.C. § 1029 even though such fraud does not burden particular consumers of same services), and United States v. Yates, 914 F. Supp. 152, 154-56 (E.D. Ky. 1995) (determining that prosecution for cloning preexisting cellular accounts to avoid activation and maintenance fees lies at center of § 1029), with United States v. Brady, 13 F.3d 334, 338-39 (10th Cir. 1993) (reasoning that free riding on cellular telephone system without employing device as "means of account access" does not meet definitions of § 1029(e)(1)).
[FN173]. Legislative Analysis, supra note 36.
[FN174]. See generally infra Part III.C.
[FN175]. 18 U.S.C.A. § 1030(e)(2) (Supp. 1998).
[FN176]. See Legislative Analysis, supra note 36 (positing that ambiguous terminology used in § 1030 might account for scarcity of prosecutions).
[FN177]. Economic Espionage Act of 1996, Pub. L. No. 104-294, Title II, § 201, Title VI, § 604(b)(36), 110 Stat. 3488, 3491, 3508 (amending 18 U.S.C. § 1030(e)(2)).
[FN178]. 18 U.S.C.A. § 1030(e)(2)(B) (West Supp. 1998).
[FN179]. See Chris Nerney, Failure to Report Break-Ins Offers License to Hack, NETWORK WORLD, Aug. 12, 1996, at 1 (giving reasons for failure to report computer break-ins).
[FN180]. See Steven J. Stark, Detectives Learn to Act Like Perverts to Ensnare On-Line Child Molesters, CHI. TRIB., Sept. 8, 1997, at N7 (mentioning America Online's cooperation in catching on-line pedophiles). Furthermore, computer think-tanks have expanded their business in response to the threat of hacking. See, e.g., Marc D. Goodman, Why the Police Don't Care About Computer Crime, 10 HARV. J.L. & TECH. 465, 475 (1997) (discussing several private organizations whose purpose is to prevent and to respond to computer crimes).
[FN181]. See infra Part III.A. (summarizing state computer crime statutes).
[FN182]. See, e.g., Gene Barton, Taking a Byte out of Crime: E-Mail Harassment and the Inefficacy of Existing Law, 70 WASH. L. REV. 465, 469-76 (1995) (citing definitional problems arising from application of old statutes criminalizing communications to computer transmissions).
[FN183]. See Goodman, supra note 180, at 474 (enumerating constraints on ability of law enforcement to mount comprehensive attack on computer criminals and recommending that police designate computer specialists).
[FN184]. Federal Bureau of Investigation Director Louis J. Freeh, Statement before Senate Appropriations Subcommittee for the Departments of Commerce, Justice, and State, the Judiciary, and related Agencies, Child Pornography on the Internet and the Sexual Exploitation of Children, (March 10, 1998) <http://www.fbi.gov/congress/sac310.htm>.
[FN185]. Id.
[FN186]. Internet Crimes Affecting Consumers: Hearings on S. 474, a Bill to Amend Sections 1081 and 1084 of Title 18 United States Code Before the Subcomm. on Technology, Terrorism and Government Information, of the Senate Comm. on the Judiciary, 105th Cong. 52 (1997) (statement of Charles L. Owens, Chief, Financial Crimes Section, FBI) at 53.
[FN187]. Id. at 52.
[FN188]. Id.
[FN189]. See United States v. LaMacchia, 871 F. Supp. 535, 536-37, 542-43 (D. Mass. 1994) (dismissing charges against defendant because prosecution improperly used wire fraud statute to obtain indictment for illegal copying and distribution of copyrighted software where defendant had no fiduciary duty and did not seek to profit personally). Although Mr. LaMacchia apparently did not attempt to sell copyrighted software, others have. "One of the first successful criminal prosecutions involving network software copyright infringement" involved an individual who sold illegal copies of Novell's NetWare network operating system. Bob Brown, Novell Helps Feds Win Case Against Copyright Violator, NETWORK WORLD, Apr. 27, 1992, at 25. See also Barbara Carton, Man Charged in Software Piracy, B. GLOBE, Sept. 1, 1994, at E41 (reporting arrest of man charged with criminal copyright infringement for alleged distribution of copyrighted software to bulletin board subscribers).
[FN190]. See United States v. Paredes, 950 F. Supp. 584, 586-88, 590 (S.D.N.Y. 1996) (rejecting government's theory that defendant's use of long range beeper represented interstate travel, although such use facilitated information about murder contract otherwise implicated federal murder-for-hire statute, 18 U.S.C. § 1958).
[FN191]. See United States v. Thomas, 74 F.3d 701, 704-05 (6th Cir. 1996) (upholding defendant's conviction under federal obscenity law in Tennessee for operating computer bulletin board from their California home); United States v. Chapman, 60 F.3d 894, 896-97 (1st Cir. 1995) (holding that computer transmission of child pornography is not sexual exploitation of minor for sentencing purposes); United States v. Kimbrough, 69 F.3d 723, 726 (5th Cir. 1995) (upholding conviction for receipt and possession of child pornography obtained from computer bulletin board).
An investigation in 1995 targeted not only purveyors of pornography, but also more than 100 individuals who allegedly downloaded pornographic images of children through America Online. Steven Levy, No Place for Kids?: A Parents' Guide to Sex on the Net, NEWSWEEK, July 3, 1995, at 47; see also United States v. Maxwell, 45 M.J. 406, 428 (C.A.A.F. 1996) (partially affirming court-martial of Air Force Colonel for using his personal computer to transmit pornographic materials, but reversing because computer files searched without warrant). Internet Service Providers are faced with difficulties inherent in the use of their systems by customers to transmit child pornography. See Mark Grossman, Kicking Child Porn off the Internet, LEGAL TIMES, Dec. 15, 1997, at 33 (discussing problems with "blocking" customers' access to child pornography).
Encryption technology has also hindered detection of child pornography consumers. In 1994, a child molester stored his victims' names in an encrypted computer file, thereby thwarting police efforts to identify them. Steven Levy, Battle of the Clipper Chip, N.Y. TIMES, June 12, 1994, Section 6, at 46.
[FN192]. See Barton, supra note 182, at 469; Rajiv Chandrasekaran, Undercover on the Dark Side of Cyberspace, WASH. POST, Jan. 2, 1996, at D1 (describing "Innocent Images" investigation that produced arrests for solicitation of minors after suspects arranged sexual meetings with FBI agents posing as minors through on-line service); Computer Pedophile Link Feared, NEWSDAY (N.Y.), Oct. 7, 1994, at A5 (noting pedophiles' use of computer bulletin boards to meet their victims). Efforts of other federal agencies to combat computer crime often focus on child pornography or molestation. See Elaine Shannon, Main Street Monsters, TIME, Sept. 14, 1998, at 59 (describing U.S. Customs' Operation Cheshire Cat, a coordinated raid on child molesters and pornographers).
[FN193]. Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, Index (Nov. 24, 1998) <http://www.usdoj.gov/criminal/cybercrime/index.html>.
[FN194]. Id.
[FN195]. See generally Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, Justice Department, FBI Release First Results of Nationwide Crackdown on Criminal Trademark and Copyright Fraud (May 8, 1997) <http://www.usdoj.gov/criminal/cybercrime/195_ag.htm>.
[FN196]. Pub. L. No. 105-147, 111 Stat. 2678 (1997), codified at 17 U.S.C. §§ 101, 506, and 507 and 18 U.S.C. §§ 2319, 2319A, and 2320. The NET Act closes the perceived statutory loophole exposed in United States v. LaMacchia, 871 F. Supp. 535 (D. Mass. 1994). See discussion supra note 96. The Act also permits prosecution of mass copyright infringement when pecuniary gain is not present. See Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, The No Electronic Theft ("NET") Act: Summary of Changes to the Criminal Copyright and Trademark Laws (Feb. 18, 1998) <http://www.usdoj.gov/criminal/cybercrime/netsum.htm>.
[FN197]. Federal Bureau of Investigation, National Infrastructure Protection Center, Welcome (visited Sept. 17, 1998) <http://www.fbi.gov/nipc/welcome.htm>.
[FN198]. Federal Bureau of Investigation, National Infrastructure Protection Center, Outreach (visited Sept. 17, 1998) <http://www.fbi.gov/nipc/outreach.htm>.
[FN199]. Federal Bureau of Investigation, National Infrastructure Protection Center, History (visited Sept. 17, 1998) <http://www.fbi.gov/nipc/history.htm>.
[FN200]. The Fourth Amendment states in relevant part that "[n]o Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." U.S. CONST. amend. IV.
[FN201]. Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, Federal Guidelines for Searching and Seizing Computers (visited Oct. 10, 1998) <http://www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm>. DOJ has recently supplemented those guidelines with additional case material as well as a new discussion of state case law. See generally Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, Supplement to Federal Guidelines for Searching and Seizing Computers (visited Sept. 17, 1998) <http://www.usdoj.gov/criminal/cybercrime/supplement/ssgsup.htm>.
[FN202]. Computer Crime and Intellectual Property Section, U.S. Dep't of Justice, Federal Guidelines for Searching and Seizing Computers (visited Sept. 17, 1998) <http://www.usdoj.gov/criminal/cybercrime/search_docs/toc.htm>.
[FN203]. Id.
[FN204]. 799 F.2d 1494 (11th Cir. 1986).
[FN205]. Id. at 1508, n.15. State courts have split on extending this principle to their search and seizure jurisprudence. Compare People v. Loorie, 630 N.Y.S.2d 483, 486 (Monroe Co. Ct. 1995) (finding police did not exceed scope of warrant by searching contents of computer's internal drive and external disks when warrant only authorized taking possession of property), with State v. Riley, 846 P.2d 1365, 1369 (Wash. 1993) (invalidating as overbroad search warrant permitting seizure of broad categories of computer records without specifying crimes being investigated).
[FN206]. Sawyer, 799 F.2d at 1508.
[FN207]. See United States v. Musson, 650 F. Supp. 525, 532 (D. Colo. 1986) (allowing seizure of disks not listed in warrant, since "in the age of modern technology and commercial availability of various forms of items, the warrant could not be expected to describe with exactitude the precise form the records would take") (quoting United States v. Reyes, 798 F.2d 380, 383 (10th Cir. 1986)).
[FN208]. See Davis v. Gracey, 111 F.3d 1472, 1480-81 (10th Cir. 1997).
[FN209]. See United States v. Sissler, No. 1:90-CR-12, 1991 WL 239000, at *5 (W.D. Mich. Aug. 30, 1991) (stating because police "are permitted to search any container found within the premises if there is reason to believe that the evidence sought pursuant to a warrant is in it ... police [are] permitted to examine the computer's internal memory and the disks since there was every reason to believe that they contained records whose seizure was authorized by the warrant") (citing United States v. Ross, 456 U.S. 798, 820-21 (1982)), aff'd, 966 F.2d 1455 (6th Cir. 1992) (table); cf. United States v. Ponce, 51 F.3d 820 (9th Cir. 1995) (affirming admission of printout made from computer disk seized in search since disk from which printout was made contained drug ledger and was found at defendant's home).
[FN210]. See Sissler, 1991 WL 239000, at *5 ("The police were not obligated to give deference to the descriptive labels placed on the discs. Otherwise, records of illicit activity could be shielded from seizure by simply placing an innocuous label on the computer disk containing them.").
[FN211]. Id.
[FN212]. Id. at n.7.
[FN213]. United States v. Lamb, 945 F. Supp. 441, 459-60 (N.D.N.Y. 1996).
[FN214]. Id. at 461.
[FN215]. Id.
[FN216]. Pub. L. No. 96-440, 94 Stat. 1879 (1980), as amended by Pub. L. 104-208, § 101(a)(6), 110 Stat. 3009, 3009-30 to 3009-31 (1996), codified at 42 U.S.C. §§ 2000aa to 2000aa-12. The Privacy Protection Act includes "mechanically, magnetically or electronically recorded cards, tapes, or discs" in its definition of documentary materials. 42 U.S.C. § 2000aa-7(a) (Supp. 1998).
[FN217]. 42 U.S.C.A. § 2000aa(a)(1), (b)(1) (1994).
[FN218]. One court interpreted the unamended Act as not protecting materials used in dissemination of child pornography. DePugh v. Sutton, 917 F. Supp. 690, 696-97 (W.D. Mo. 1996).
[FN219]. 42 U.S.C.A. § 2000aa (Supp. 1998).
[FN220]. 42 U.S.C.A. § 2000aa (Supp. 1998).
[FN221]. 117 S. Ct. 2329, 2344 (1997). Note that "unqualified" protection does not cover obscenity, which may be totally banned. See discussion, supra Part II.2.f. (discussing Child Pornography Prevention Act of 1996).
[FN222]. 117 S. Ct. at 2348-50.
[FN223]. Ariz. Rev. Stat. Ann. § 13-2316 (West 1989 & Supp. 1997).
[FN224]. FLA. STAT. ch. 815.01 to 815.07 (1996).
[FN225]. Ala. Code §§ 13A-8-100 to 13A-8-103 (1994); Alaska Stat. §§ 11.46.200(a)(3), 11.46.484(a)(5), 11.46.740, 11.46.985, 11.46.990 (Michie 1996); Ariz. Rev. Stat. Ann. §§ 13-2301(E), 13-2316 (West 1989 & Supp. 1997); Ark. Code Ann. §§ 5-41-101 to 5-41-108 (Michie 1997); Cal. Penal Code §§ 502, 1203.047 (Deering 1983 & Supp. 1997); Colo. Rev. Stat. §§ 18-5.5-101 to 18-5.5-102 (1997 & Supp. 1998); Conn. Gen. Stat. §§ 53a-250 to 53a-261 (1994 & Supp. 1998); Del. Code Ann. tit. 11, §§ 931-939 (1995); Fla. Stat. ch. 815.01 to 815.07 (1996 & Supp. 1998); Ga. Code Ann. §§ 16-9-90 to 16-9-94 (1996); Haw. Rev. Stat. §§ 708-890 to 708-893 (1994); Idaho Code §§ 18-2201 to 18-2202, 26-1220 (1997); 720 Ill. Comp. Stat. 5/16D-1 to 5/16D-7 (West 1993); Ind. Code §§ 35-43-1-4, 35-41-2-3 (1998); Iowa Code §§ 716A.1 to 716A.16 (1995); Kan. Stat. Ann. § 21-3755 (1995 & Supp. 1997); Ky. Rev. Stat. Ann. §§ 434.840 to 434.860 (Michie 1995); La. Rev. Stat. Ann. §§ 14:73.1 to 14:73.5 (West 1997); Me. Rev. Stat. Ann. tit. 17-A, §§ 431-433 (West Supp. 1997); Md. Ann. Code art. 27, § 146 (1996 & Supp. 1998); Mass. Gen. Laws Ann. ch. 266, §§ 30, 33A, 120F (West 1990 & Supp. 1998); Mich. Comp. Laws Ann. §§ 752.791 to 752.797 (West 1991 & Supp. 1998); Minn. Stat. §§ 609.87 to 609.894 (1996); Miss. Code Ann. §§ 97-45-1 to 97-45-13 (1994); Mo. Ann. Stat. §§ 569.093 to 569.099 (West 1998); Mont. Code Ann. §§ 45-6-310 to 45-6-311 (1997); Neb. Rev. Stat. §§ 28-1343 to 28-1348 (1995); Nev. Rev. Stat. §§ 205.473 to 205.491 (1997); N.H. Rev. Stat. Ann. §§ 638:16 to 638:19 (1996); N.J. Rev. Stat. §§ 2A:38A-1-6, 2C:20-23 to 2C:20-34 (1995); N.M. Stat. Ann. §§ 30-45-1 to 30-45-7 (Michie 1997); N.Y. Penal Law §§ 156.00 to 156.50 (McKinney 1988 & Supp. 1998); N.C. Gen. Stat. §§ 14-453 to 14-457 (1993); N.D. Cent. Code §§ 12.1-06.1-08 (1997); Ohio Rev. Code Ann. § 2913.04 (Banks-Baldwin 1997); Okla. Stat. tit. 21, §§ 1951-1958 (Supp. 1998); Or. Rev. Stat. §§ 164.125, 164.377 (Supp. 1998); 18 Pa. Cons. Stat. § 3933 (Supp. 1998); R.I. Gen. Laws §§ 11-52-1 to 11-52-8 (1994); S.C. Code Ann. §§ 16-16-10 to 16-16-40 (Law. Co-op. 1985 & Supp. 1997); S.D. Codified Laws §§ 43-43B-1 to 43-43B-8 (Michie 1997); Tenn. Code Ann. §§ 39-14-601 to 39-14-603 (1997); Tex. Penal Code Ann. §§ 33.01 to 33.04 (West 1994 & Supp. 1998); Utah Code Ann. §§ 76-6-701 to 76-6-705 (1995 & Supp. 1997); Va. Code Ann. §§ 18.2-152.2 to 18.2-152.14 (Michie 1996 & Supp. 1998); Wash. Rev. Code §§ 9A.52.110 to 9A.52.130 (1996); W. Va. Code §§ 61-3C-1 to 61-3C-21 (1997); Wis. Stat. Ann § 943.70 (West 1996); Wyo. Stat. Ann. §§ 6-3-501 to 6-3-505 (Michie 1997).
[FN226]. The Vermont Legislature currently has two pending bills dealing with computer crime. See H. 39 (Vt. 1999); S. 38 (Vt. 1999).
[FN227]. S. 240, 96th Cong., § 1 (1979); S. 1766, 95th Cong., § 1 (1977); see also Federal Computer Systems Protection Act: Hearings [on S. 1766] Before the Subcomm. on Criminal Laws and Procedures of the [Senate] Comm. on the Judiciary, 95th Cong. 170-71 (1978) (setting forth proposed 1977 legislation).
[FN228]. Robin K. Kutz, Computer Crime in Virginia: A Critical Examination of the Criminal Offenses in the Virginia Computer Crimes Act, 27 WM. & MARY L. REV. 783, 789-90 (1986). Two states, Ohio and Massachusetts, took a third approach, choosing only to "redefine certain terms in their criminal codes to ensure that their statutes covered computers and computer-related intangible property." Id. at 790.
[FN229]. Jerome Y. Roache, Computer Crime Deterrence, 13 AM. J. CRIM. L. 391, 392 (1986). Computer security is enhanced because potential victims of computer crimes are more aware of specific possible violations, potential violators are more likely to know which particular activities are unlawful, and prosecution is aided by eliminating the need for prosecutors, attorneys, and judges to rationalize the application of a traditional criminal law in a technical, computer-related context. Id.
[FN230]. See, e.g., Cal. Penal Code § 502.01 (Deering 1983 & Supp. 1997); 720 Ill. Comp. Stat. 5/16D-6 (West 1993); N.J. Rev. Stat. § 2C:64-1 (1995); N.M. Stat. Ann. § 30-45-7 (Michie 1997). Illinois distributes half the forfeited proceeds to the local government agency that investigated the computer fraud, for training and enforcement purposes, and half to the county in which the prosecution was brought, where it is placed in a special fund and appropriated to the State's Attorney for use in training and enforcement.
[FN231]. Barton, supra note 182, at 470.
[FN232]. Alaska Stat. § 11.41.270 (Michie 1996); Mich. Comp. Laws Ann. § 750.411(h)(e)(vi) (West 1991 & Supp. 1998); Okla. Stat. tit. 21, § 1173 (Supp. 1998); Wyo. Stat. Ann. § 6-2-506 (Michie 1997).
[FN233]. Ala. Code § 13A-11-8(b)(1)(a) (1994); Conn. Gen. Stat. § 53a-183 (1994 & Supp. 1998); Idaho Code § 18-6710(3) (1997); N.H. Rev. Stat. Ann. § 644:4(II) (1996); N.Y. Penal Law § 240.30 (McKinney 1988 & Supp. 1998).
[FN234]. See ACLU v. Johnson, 4 F. Supp.2d 1029, 1034 (D. N.M. 1998) (granting preliminary injunction against N.M. STAT. ANN. § 30-37-3.2, on likely success of suit challenging constitutionality of statute designed to ban communication of indecent material to minors.); A.C.L.U. of Georgia v. Miller, 977 F. Supp. 1228, 1231 (N.D.Ga. 1997) (granting preliminary injunction against Ga. Code Ann. § 16-9-93.1, designed to prevent use of pseudonyms in electronic communication, on the likely success of suit challenging its constitutionality). See generally Barton, supra note 182, at 481-82 (suggesting that several telephone harassment statutes incorporating electronic communication could be unconstitutional because state courts in Arizona, Iowa, Maryland, Oregon, and Texas have found telephone harassment statutes to infringe on protected speech or are overly broad).
[FN235]. Nebraska defines a "computer security system" as:
a computer program or device that ... [i]s intended to protect the confidentiality and secrecy of data and information stored in or accessible through the computer system ... [and d]isplays a conspicuous warning to a user that the user is entering a secure system or requires a person seeking access to knowingly respond by use of an authorized code to the program or device in order to gain access....
Neb. Rev. Stat. § 28-1343(5) (1995).
[FN236]. Ark. Code Ann. § 5-41-106 (Michie 1997); Conn. Gen. Stat. § 52-570b (1994 & Supp. 1998); Del. Code Ann. tit. 11, § 939 (1995); Ga. Code Ann. § 16-9-93 (1996); 720 Ill. Comp. Stat. 5/16D-3(4)(c) (West 1993); Mo. Ann. Stat. § 537.525 (West 1998); N.J. Rev. Stat. § 2A:38A-1 to -6 (1995); Okla. Stat. tit. 21, § 1955 (Supp. 1998); R.I. Gen. Laws § 11-52-6 (1994); W. Va. Code § 61-3C-16 (1997).
[FN237]. Goodman, supra note 180, at 468-69.
[FN238]. See People v. Katakam, 660 N.Y.S.2d 334, 336 (N.Y. Sup. Ct. 1997) (convicting defendant for unlawful copying and unlawful possession of employer's proprietary computer programs).
[FN239]. See Davis v. State, 916 P.2d 251, 262 (Okla. Crim. App. 1996) (upholding conviction for using computer to traffic in obscene materials).
[FN240]. Goodman, supra note 180, at 469.
[FN241]. Id.
[FN242]. Branscomb, supra note 11, at 32-36.
[FN243]. Id. at 32; see, e.g., Mass. Gen. Laws Ann. ch. 266, § 30(2) (West 1990 & Supp. 1998) (stating that "[t]he term 'property' ... shall include ... electronically processed or stored data, either tangible or intangible, [and] data while in transit"); Mont. Code Ann. § 45-6-311 (1997) (defining "unlawful use of a computer" as an offense against property, in the section of the code relating to theft); Nev. Rev. Stat. § 205.4755 (1997) (including in definition of property "information, electronically produced data, program[s], and any other tangible or intangible item of value").
[FN244]. Branscomb, supra note 11, at 33; see, e.g., Idaho Code § 18-2202(2) (1997) (attaching liability to "[a]ny person who knowingly and without authorization alters, damages, or destroys any computer, computer system, or computer network ... or any computer software, program, documentation, or data contained in such computer, computer system, or computer network...."); Md. Ann. Code art. 27, § 146(c)(2)(ii) (1996) (proscribing acts which "[a]lter, damage, or destroy data or a computer program"); see also David C. Tunick, People v. Versaggi: A Conviction for a Computer Crime That was not Committed, 33 Crim. L. Bull. 543, 548-55 (1997) (describing prosecution under computer tampering statute).
[FN245]. Branscomb, supra note 11, at 34. See, e.g., Ariz. Rev. Stat. Ann. § 13-2316 (West 1989 & Supp. 1997) (stating that computer fraud requires "the intent to devise or execute any scheme or artifice to defraud or deceive, or control property or services by means of false or fraudulent pretenses ..."); Haw. Rev. Stat. § 708-891(1)(b) (1994) (defining computer fraud as "access[ing] or caus[ing] to be accessed any computer, computer system, computer network, or any of its parts with the intent of obtaining money, property or services by means of embezzlement or false or fraudulent representations"); cf. Colo. Rev. Stat. § 18-17-103(5) (1997) (defining racketeering activity to include committing, attempting to commit, or conspiring to commit offenses involving computer crimes, as defined in § 18-5.5).
[FN246]. Branscomb, supra note 11, at 34; see, e.g., Ala. Code § 13A-8-102 (1994) (making unauthorized access, modification, destruction, or disclosure of computer programs or data crime against intellectual property); Miss. Code Ann. §§ 97-45-1-9 (1994) (stating that intentional and unauthorized "destruction, insertion or modification," "disclosure, use, copying, taking or accessing" of data, computer programs or software, and "confidential or proprietary information in any form or medium when such is stored in, produced by or intended for use or storage with or in a computer, a computer system or a computer network" is intellectual property offense).
[FN247]. Branscomb, supra note 11, at 34; see, e.g., Iowa Code § 716A.2 (1995) (proscribing unauthorized access); Me. Rev. Stat. Ann. tit. 17-A, § 432 (West Supp. 1997) (making those who "intentionally accesses any computer resource knowing that the person is not authorized to do so" guilty of criminal invasion of computer privacy); Neb. Rev. Stat. § 28-1347 (1995) (barring "knowingly and intentionally exceed[ing] the limits of ... authorization"); Ohio Rev. Code Ann. § 2913.04 (West 1997) (stating that "no person shall knowingly gain access to ... any computer ... without the consent of, or beyond the ... consent of, the owner ....").
[FN248]. 17 U.S.C. § 506 (1994) and 18 U.S.C. §§ 2319, 2319A (1994).
[FN249]. Branscomb, supra note 11, at 35. Compare N.Y. PENAL LAW § 156.30 (McKinney 1988 & Supp. 1997) (stating that copied material need not be copyrightable, offender must only "deprive[ ] or appropriat[e] from an owner ... an economic value or benefit in excess of [$2500]"), with N.J. REV. STAT. § 2C:20-33 (1995) (stating that copying or altering computer program or computer software is not theft if retail value of total theft is $1000 or less and software is not copied for resale).
[FN250]. See State v. Perry, 697 N.E.2d 624, 626 (Ohio 1998) (affirming appellate court ruling that criminal law banning unauthorized use of property was preempted in context of computer software by federal copyright law).
Section 301(a) of the Copyright Act explicitly prohibits states from enacting copyright legislation. See 17 U.S.C. § 301(a) (1994) (stating that as of 1978, "all legal or equitable rights that are equivalent to any of the exclusive rights within the general scope of copyright ... are governed exclusively by this title. Thereafter, no person is entitled to any such right or equivalent right in any such work under the common law or statutes of any State.") (emphasis added). This exercise of legislative power by Congress rests on the Article I, § 8, cl. 8 grant of exclusive authority to "promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries." U.S. CONST. art. I, § 8, cl. 8.
[FN251]. Branscomb, supra note 11, at 35; see, e.g., La. Rev. Stat. Ann. § 14:73.4 (West 1986 & Supp. 1997) (stating that "[a]n offense against computer users is the intentional denial to an authorized user, without consent, of the full and effective use of or access to a computer, a computer system, a computer network, or computer services."); Wyo. Stat. Ann. § 6-3-504 (Michie 1988) (stating that "crime against computer users" occurs if offender "[d]enies computer system services to an authorized user").
[FN252]. See supra notes 16-19 (describing viruses, worms, logic bombs, and sniffers).
[FN253]. Branscomb, supra note 11, at 35; see, e.g., Cal. Penal Code § 502(b)(10) (Deering 1983 & Supp. 1997) (stating that "computer contaminant" includes viruses and worms and other sets of instructions designed to "usurp the normal operation of the computer"); Conn. Gen. Stat. § 53a-251(e) (1994 & Supp. 1997) (making it unlawful to make or cause to be made unauthorized display, use, disclosure, or copy of data, or to add data to data residing within computer system); Del. Code Ann. tit. 11, § 935 (1995) (proscribing "interrupt[ing] or add[ing] data to data residing within a computer system"); Minn. Stat. § 609.87 (1996) (criminalizing "'[d]estructive computer program'" that "degrades performance," "disables," or "destroys or alters" data); W. Va. Code § 61-3C-8 (1992 & Supp. 1997) (prohibiting "disruption or degradation of computer services").
[FN254]. Branscomb, supra note 11, at 36; see, e.g., Mo. Ann. Stat. § 569.095(5) (West 1994) (setting forth that computer tampering occurs when person "[a]ccesses a computer, computer system, or a computer network, and intentionally examines information about another person"); W. Va. Code § 61-3C-12 (1997) (defining "[c]omputer invasion of privacy" as "knowingly, willfully, and without authorization access[ing] a computer or computer network and examin[ing] any employment, salary, credit or any other financial or personal information relating to any other person"). But see Ky. Rev. Stat. Ann. § 434.845(2) (Michie 1995) (stating that unauthorized access, even if obtained fraudulently, "shall not constitute a violation ... if the sole purpose of the access was to obtain information").
[FN255]. Branscomb, supra note 11, at 37; see, e.g., Wis. Stat. Ann. § 943.70(2)(4) (West 1996).
[FN256]. Daniel Burke, Virginia Computer Crimes Act, 19 U. RICH. L. REV. 85, 89 (1984).
[FN257]. Lund v. Commonwealth, 232 S.E.2d 745, 748 (Va. 1977) (holding that computer time and services were not "goods" or "chattels," so theft of computer time and services could not form basis of conviction for larceny).
[FN258]. Burke, supra note 256, at 91.
[FN259]. See id. (stating that defining computer crimes as new crimes helped prevent lawyers and judges from trying to draw strained analogies from existing legislation and case law).
[FN260]. Va. Code Ann. §§ 18.2-152.3 to 152.7 (Michie 1996).
[FN261]. Va. Code Ann. §§ 18.2-152.8 to 152.11 (Michie 1996).
[FN262]. Va. Code Ann. §§ 18.2-152.12 (Michie 1996).
[FN263]. Va. Code Ann. §§ 18.2-152.14 (Michie 1996).
[FN264]. See supra Part III.A. (reviewing state criminal codes).
[FN265]. Section 301(a) of the Copyright Act explicitly prohibits states from enacting copyright legislation. 17 U.S.C. § 301(a) (1988).
[FN266]. 17 U.S.C.A. § 301; see also State v. Perry, 697 N.E.2d 624, 626 (Ohio 1998) (discussing language of Federal Copyright Act).
[FN267]. Perry, 697 N.E.2d at 626 (quoting United States ex rel. Berge v. Board of Trustees, 104 F.3d 1453, 1464 (4th Cir. 1997)) (defining test for preemption of state copyright statute).
[FN268]. See Corcoran v. Sullivan, 112 F.3d 836, 838 (7th Cir. 1997) (holding that what defendant destroyed was not covered by copyright).
[FN269]. See Rosciszewski v. Arete Associates, 1 F.3d 225, 229-30 (4th Cir. 1993) (holding that claim was preempted); Perry, 697 N.E.2d at 628 (same).
[FN270]. 1 F.3d 225 (4th Cir. 1993).
[FN271]. Va. Code Ann. § 18.2-152.3 (Michie 1996) (criminalizing conduct of one who uses computer or computer network without authority and with intent to obtain property or services by false pretense or to convert property of another).
[FN272]. Rosciszewski, 1 F.3d at 230.
[FN273]. Id.
[FN274]. See ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1454 (7th Cir. 1996) (enforcing shrinkwrap licenses included with computer software did not create rights equivalent to exclusive rights within general scope of copyright, thus not preempted by Copyright Act); Harolds Stores, Inc. v. Dillard Dept. Stores, Inc., 82 F.3d 1533, 1544 (10th Cir. 1996) (holding that Oklahoma Antitrust Act claim based on misuse of copyrighted material is not preempted by Copyright Act); Architectronics, Inc. v. Control Sys., 935 F. Supp. 425, 438-39 (S.D.N.Y. 1996) (holding that breach of contract claims based on alleged breach of software development licensing agreement were not preempted by Copyright Act).
[FN275]. See supra notes 249-50 (citing only two statutes dealing with criminal prosecution for state copyright violations).
[FN276]. See Kenneth E. North, Copyright Act Snarls Computer Crime Laws, NAT'L L.J., Nov. 1, 1993, at S36. For example, Illinois' Computer Crime Prevention Law includes copyrighted information in its definition of property; thus, any criminal conduct involving copyrighted "property" could not be prosecuted under state criminal law. 720 ILL. COMP. STAT. 5/16D-2(d)(3) (West 1993).
[FN277]. Compare Keeping Track: Heard On The Net, SMARTMONEY, Aug. 1, 1998, at 87 (discussing harmless e-mails and fake viruses), with Goodman, supra note 180, at 470 (arguing that greatest threat of computer crimes comes from skilled hackers who are often employed by organized crime or from organization's own employees).
[FN278]. See Business Software Alliance, 1997 Global Software Piracy Report (visited Sept. 17, 1998) <http://www.bsa.org/statistics/97ipf.pdf> (reporting that 1997 worldwide piracy losses exceeded $11.4 billion and that United States losses of $2.7 billion, comprising 24% of global total, greatly exceeded losses in any other country). The Business Software Alliance is a Washington, D.C.-based organization funded by major software publishers. See id.
[FN279]. Security in Cyberspace: Hearings Before the Permanent Subcomm. on Inv. of the Senate Comm. on Governmental Affairs, 104th Cong. 50 (1996) (citing testimony of Daniel S. Gelber, Chief Subcommittee Counsel (Minority)).
[FN280]. See M.J. Zuckerman, Security On Trial In Case of On-line Citibank Heist, USA TODAY, Sept. 19, 1997, at 12A (discussing facts of 1994 Citibank heist by Russian Vladimir Levin); see also Richard Behar et al., Who's Reading Your Email? As the World Gets Networked, Spies, Rogue Employees and Bored Teens Are Invading Companies' Computers to Make Mischief, Steal Trade Secrets--Even Sabotage Careers, FORTUNE, Feb. 3, 1997, at 56 (discussing various computer crimes against businesses).
[FN281]. Computer Security Institute, Issues and Trends: 1998 CSI/FBI Computer Crime and Security Survey (visited Oct. 30, 1998) <http://www.gocsi.com/summary.htm>. CSI is an international organization serving information security professionals. The survey was conducted by distributing questionnaires to corporate and government information security practitioners. 520 responses were returned. 241 of the respondents suffered financial losses and quantified them at an aggregate of $136,822,000.
[FN282]. See supra Part III.A. (reviewing state criminal codes).
[FN283]. See State v. Rowell, 908 P.2d 1379, 1384 n.2 (N.M. 1995) (stating that computer crime "prosecution [is] extremely difficult for traditional law enforcement"); People v. Katakam, 660 N.Y.S.2d 334, 335 (N.Y. Sup. Ct. 1997) (commenting on computer crimes statutes in New York, "[c]uriously, despite the bill's laudable goals and the ubiquitous use of computers in business and personal affairs, the number of computer crime prosecutions is exceedingly modest. To this date, there are but a handful of reported decisions involving Penal Law Article 156.").
[FN284]. Computer Security Institute, supra note 281.
[FN285]. See Goodman, supra note 180, at 478 (arguing that police do not care about computer crime and do not actively investigate it because of "[p]olice culture itself, the invisibility of digital crime, the difficulty in investigating high tech crime, an abundance of 'real crime,' a lack of public outcry on the subject, and the high cost of computer training and specialized units").
[FN286]. See Computer Security Institute, supra note 281 (reporting that 17% of respondents indicated that their computers had been attacked and that they had reported attack to law enforcement officials).
[FN287]. See id. at 15 (discussing methods for victims to overcome evidentiary barriers and assist law enforcement officials by implementing the following procedures: (1) backing up system after installation before its first use; (2) backing up system after first problem is detected; (3) ascertaining and documenting the costs of problem, including time and effort in restoring system; and (4) documenting actions taken).
[FN288]. See Marc S. Friedman & Kenneth R. Buys, "Infojacking": Crimes on the Information Superhighway, COMPUTER LAW, Oct. 1996, at 1, 3 (proposing that many computer crimes can be prosecuted under traditional laws); see also State v. Kent, 945 P.2d 145, 147 (Utah Ct. App. 1997) (stating that state did not have to charge defendant with another crime, such as forgery or insurance fraud, even though defendant could have been prosecuted on grounds other than computer crime).
[FN289]. See ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1455 (7th Cir. 1996) (interpreting enforcement of breach of shrink-wrap license as state law contract claim that did not create rights equivalent to exclusive rights within general scope of copyright, thus not preempted by Copyright Act); Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997) (granting defendant's summary judgment motion because lack of evidence that defendants had accessed computer system since untoward glance at computer screen is not accessing computer); People v. Lawton, 56 Cal. Rptr. 2d 521, 523 (Cal. App. Dep't Super. Ct. 1996) (interpreting statute prohibiting unauthorized access to computer system to cover authorized access to hardware and unauthorized access to software and data in systems); State v. Allen, 917 P.2d 848, 852 (Kan. 1996) (finding that plaintiff's approaching computer system was not conduct violating statute that prohibited accessing computer system); People v. Barrows, No. 15872/96, 1998 WL 481800, at *12 (N.Y. Sup. Ct. June 9, 1998) (invalidating New York statute criminalizing use of computer to disseminate obscene material to minors on grounds that it violates First Amendment); People v. Katakam, 660 N.Y.S.2d 334, 337-38 (N.Y. Sup. Ct. 1997) (holding that even if plaintiff believed he was duplicating computer information of little or no value he was aware that files were not his to appropriate); Davis v. State, 916 P.2d 251, 262 (Okla. Crim. App. 1996) (upholding sufficiency of four obscene computer discs within computer disc changer as evidence that plaintiff was storing data in his computer with the intent to traffic in obscene pictures thus using computer to violate Oklahoma statutes); State v. Marquez, 912 P.2d 390, 392 (Or. Ct. App. 1996) (affirming imposition of restitution for damages claimed to cover labor and costs of county personnel for investigation and interception of plaintiff's tampering with county tax assessor's files), cert. denied, 912 P.2d 390 (Or. 1996); Perk v. Vector Resources Group, Ltd., 485 S.E.2d 140, 142 (Va. 1997) (finding plaintiff asserted actionable claim as matters of proof concerning allegations of theft of computer programs, data, and software could not be decided by demurrer).
[FN290]. See Richard Raysman & Peter Brown, Interpretation of New York's Tampering Statute, N.Y.L.J., Apr. 12, 1994, at 6 (discussing ruling that sabotage of intended use of a computer program constitutes tampering even if nothing is added to or deleted from the program itself).
[FN291]. See People v. Lipsitz, 663 N.Y.S.2d 468, 472-75 (N.Y. Sup. Ct. 1997) (finding in personam jurisdiction for both in-state customers and out-of-state customers in Internet consumer fraud case because defendant was actually present in New York and defendant corporation was doing business in New York with fair degree of permanence and continuity).
[FN292]. See Humphrey v. Granite Gate Resorts, Inc., 568 N.W.2d 715, 716 (Minn. Ct. App. 1997), aff'd without op., 576 N.W.2d 747 (Minn. 1998) ("Appellants, having advertised on the Internet ... and having developed from the Internet a mailing list that includes one or more Minnesota residents, are subject to personal jurisdiction in Minnesota because they purposefully availed themselves of the privilege of conducting commercial activities in this state.").
[FN293]. See Dale M. Cendali & Rebecca L. Weinstein, Personal Jurisdiction and the Internet, 520 PLI/PAT 975, 982-94 (1998) (collecting and summarizing each Internet personal jurisdiction case).
[FN294]. Id. at 994-96.
[FN295]. Ark. Code Ann. § 5-41-105 (1995); Del. Code Ann. tit. 11, § 938 (1995); Ga. Code Ann. § 16-9-94 (1996); Ky. Rev. Stat. Ann. § 434.860 (Michie 1985); Miss. Code Ann. § 97-45-11 (1994); N.H. Rev. Stat. Ann. § 638:19 (1996); N.Y. Penal Law § 20.60 (McKinney 1997); Ohio Rev. Code Ann. § 2701.12(I)(1) (West 1997); S.C. Code Ann. § 16-16-30 (Law. Co-op. 1985 & Supp. 1996); S.D. Codified Laws Ann. § 43-43B-8 (1997); Tenn. Code Ann. § 39-14-603 (1991 & Supp. 1996); Va. Code Ann. § 18.2-152.10 (Michie 1996); W. Va. Code § 61-3C-18 (1992 & Supp. 1997).
[FN296]. See, e.g., Ark. Code Ann. § 5-41-105 (Michie 1995).
[FN297]. See, e.g., Ga. Code Ann. § 16-9-94 (1996).
[FN298]. See, e.g., N.H. REV. STAT. § 638:19 (1996).
[FN299]. See, e.g., Ky. Rev. Stat. Ann. § 434.860 (Michie 1985).
[FN300]. The issue has arisen in the criminal context under federal laws regulating obscenity. See United States v. Thomas, 74 F.3d 701, 709 (6th Cir. 1996) (finding venue proper as defendant distributed pornography via Internet from California to Tennessee based on proposition that "venue for federal obscenity prosecution lies in any district from, through, or into which the allegedly obscene material moves") (internal citations omitted). Mr. Thomas was later separately indicted and pleaded guilty in the District of Utah on charges relating to distribution of child pornography into Utah via Internet. See United States v. Thomas, 113 F.3d 1247 (10th Cir. 1997) (affirming conviction; finding that neither collateral estoppel nor double jeopardy arising out of Tennessee proceedings were implicated in Utah prosecution).
[FN301]. See, e.g., Ga. Code Ann. § 16-9-94(4) (1996) (stating venue exists for violations committed "[i]n any county from which, to which, or through which any use of a computer or computer network was made, whether by wires, electromagnetic waves, microwaves, or any other means of communication").
[FN302]. See Reno v. ACLU, 521 U.S. 844, (1997) (defining cyberspace as "unique medium ... located in no particular geographic location but available to anyone, anywhere in the world, with access to the Internet").
[FN303]. See Note, Computer-Related Crime: An International Problem in Need of an International Solution, 27 TEX. INT'L L.J. 479, 494 (1992) (describing globalization of access to computer systems).
[FN304]. See Larry Lange, Trust a Hacker Under 30? You'd Better, ELEC. ENGINEERING TIMES, Aug. 19, 1996, available in 1996 WL 11550843 (estimating that $800 million was lost by banks and other corporations because of attacks on their computer systems, such as one perpetrated by Russian programmer Vladimir Levin who tampered with Citibank's computer system by transferring $10,000,000 to various bank accounts around world). See generally FINANCIAL INSTITUTIONS FRAUD and SECURITIES FRAUD articles in this issue.
[FN305]. See generally Joel S. Solomon, Forming a More Secure Union: The Growing Problem of Organized Crime in Europe as a Challenge to National Sovereignty, 13 DICK. J. INT'L L. 623, 645 (1995) (reporting on use of new computer technology as effective and dangerous mechanism exploited by international criminals).
[FN306]. An example of potential terrorist activities via the computer occurred in New York, when a group of youthful hackers broke into the computers at Memorial Sloan-Kettering Cancer Center and tampered with radiation treatment monitors and patient records. See Phillip Elmer-DeWitt, The 414 Gang Strikes Again, TIME, Aug. 29, 1983, at 75. See generally Matthew R. Burnstein, Conflicts on the Net: Choice of Law in Transnational Cyberspace, 29 VAND. J. TRANSNAT'L L. 75, 85 (1996) (describing other such incidents). But see John Borland, Governments Beat Terrorists To Net Weapons, CMP TECHWEB, Sept. 22, 1998 (noting lack of sophisticated computer terrorist attacks).
[FN307]. Thus far, unlawful computer system intrusions have fallen short of disastrous terrorist attacks. See Borland, supra note 306 (noting absence of computer terrorist attacks). However, the potential danger is evident. For example, in January 1992, a Lithuanian nuclear power plant operator unsuccessfully introduced a virus into the plant's computers, intending to disrupt the nuclear reactor. See Oleg Bukharin, Upgrading Security at Nuclear Power Plants in the Newly Independent States, NONPROLIFERATION REV., Winter 1997, at 28-39 (describing terrorist incidents at nuclear installations in former Soviet Union).
[FN308]. See John T. Soma et al., Transnational Extradition for Computer Crimes: Are New Treaties and Laws Needed? 34 HARV. J. ON LEGIS. 317, 359-60 (1997) (listing actions called for by United Nations' resolution on computer-related crimes).
[FN309]. See Ulrich Sieber, Computer Crimes and Other Crimes Against Information Technology: Commentary and Preparatory Questions for the Colloquium of the Association Internationale de Droit Penal in Wuerzburg, 64 REV. INT'L DE DROIT PENAL 67, 69-70 (1993).
[FN310]. For reports on computer-crime legislation and prosecution in a number of countries, see generally Colloquium, Computer Crime and Other Crimes Against Information Technology, 64 REV. INT'L DE DROIT PENAL 1 (1993) (reporting on Austria, Belgium, Brazil, Canada, Chile, China, then-Czechoslovakia, Egypt, Finland, France, Germany, Greece, Hungary, Israel, Italy, Japan, Luxembourg, The Netherlands, Poland, Portugal, Romania, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, the United Kingdom, and the United States). See also Miguel Deutch, Computer Legislation: Israel's New Codified Approach, 14 J. MARSHALL J. COMPUTER & INFO. L. 461 (1996) (evaluating Israel's new Computer Law in light of its original aims and process); Stefano Agostini, Focus on Italy: Overview of Intellectual Property Legislation, 7 No. 1 J. Proprietary Rts. 8 (1995) (describing recent modifications of Italian Criminal Code's computer crime rules and criminalization of software copyright violations). For an analysis of how various countries have attempted to control the exchange of information over the Internet, see Amy Knoll, Comment, Any Which Way But Loose: Nations Regulate the Internet, 4 Tul. J. Int'l & Comp. L. 275 (1996) (describing and evaluating legislation in Belarus, China, Croatia, European Union, France, Germany, Russia, Singapore, and United States).
[FN311]. Taiwan and South Korea have indicted companies for illegally copying software for internal use. See BUSINESS SOFTWARE ALLIANCE, BSA WORLD-WIDE REPORT 1990-91 (1991). In Great Britain, software piracy carries prison terms up to two years. See BUSINESS SOFTWARE ALLIANCE, UNITED KINGDOM: SOFTWARE PIRACY AND THE LAW. Similar French laws also provide for restitution, doubled penalties for repeat offenders, and court-ordered business closings. See BUSINESS SOFTWARE ALLIANCE, FRANCE: SOFTWARE PIRACY AND THE LAW. Singapore provides for up to five years imprisonment for illegally copying software. See BUSINESS SOFTWARE ALLIANCE, SINGAPORE: SOFTWARE PIRACY AND THE LAW. See generally the INTELLECTUAL PROPERTY CRIMES article in this issue.
[FN312]. Knoll, supra note 310, at 299. See generally Stephan Wilske & Teresa Schiller, International Jurisdiction In Cyberspace: Which States May Regulate The Internet?, 50 FED. COMM. L.J. 117 (discussing regulation of Internet).
[FN313]. For example, China is finding it increasingly difficult to prevent political dissidents from spreading information within China as well as to prevent importation of information from abroad via the Internet. See Steven Mufson, Chinese Protest Finds a Path on the Internet: Beijing Tightens Its Control; Can't Prevent On-Line Access, WASH. POST, Sept. 17, 1996, at A9. In January of 1996, Chinese officials placed a moratorium on new users and required all Internet providers, Internet Users, and e-mail users to register with the police. See id. As of 1998, China has implemented new regulations which criminalize the "distribution or consumption via the Internet of ... 'harmful information."' Michael Laris, Beijing Launches a New Offense to Squelch Dissent on Internet, WASH. POST, Dec. 31, 1997, at A16 (describing regulations).
Arab countries are also struggling with the growth of the Internet. Habib Al-Rida, Assistant Under-Secretary of the Ministry of Information, United Arab Emirates, noted, "The challenge facing us now is how to protect our society against the potentially harmful influences coming through the system, whether criminal or otherwise, while at the same time, making it possible for our companies and individuals to benefit from the valuable access to the worldwide pool of skills and information that the Internet represents." Ahmad Mardini, Gulf-Culture: Officials Worry About Smut on Internet, INTER PRESS SERVICE, Jan. 19, 1996, available in 1996 WL 7881040; see also Tarek Al-Issawi, Strict Islamic Societies Try to Clamp Down on Internet, FT. WORTH STAR-TELEGRAM, Oct. 5, 1997, at 5 (describing ineffective governmental attempts to censor Internet).
Similarly, communist countries are faced with the conflict between their attempts to regulate information and the free access to information provided by the Internet. Although information on North Korea is not available, Cuba has allowed only 200 of its some 11 million citizens to have access to the Internet, and the government has since cracked down on even that access. See Patrick Symmes, Che is Dead, WIRED, Feb. 1998, at 140, 145 (describing Internet culture in Cuba, including underground attempts).
[FN314]. The German Penal Code (Strafgesetzbuch) proscribes distributing any fascist or other related literature. See § 86 Nr. 1.4 StGB; § 131 Nr. 1 StGB.
[FN315]. For example, Ernst Zundel, a German student in Massachusetts, operated a neo-Nazi web-page on a Santa Cruz, California server. Hiawatha Bray, UMass Shuts Down Web Site Containing Neo-Nazi Material; Student Intended Protest of German Censorship, BOSTON GLOBE, Feb. 2, 1996, at 28.
[FN316]. After threats of prosecution under German law, CompuServe, Germany's largest Internet provider, decided to ban access to over 200 UseNet Newsgroups to all of its customers world wide. See Silvia Ascarelli & Kimberley A. Strassel, Two German Cases Show How Europe Is Still Struggling to Regulate Internet, WALL ST. J., Apr. 21, 1997, at B9. Subsequently, Germany revised its computer crime statutes to provide that "Internet service providers can't be held liable for content they merely transmit." Silvia Ascarelli, Technology & Takeover: Politician Is Acquitted in Internet Case in Berlin, WALL ST. J. EUR., July 1, 1997, at 11.
Similarly, Deutsche Telekom's T-Online, another major Internet provider in Germany, responded to German prosecutorial threats by banning subscribers' access to a Neo-Nazi website. See Silvia Ascarelli, Two On-Line Services Companies Investigated in Racial Hatred Case, WALL ST. J., Jan. 26, 1996, at B2; see also INTELLECTUAL PROPERTY CRIMES article, Part IV.C. (discussing legislation which exempts Internet service providers from certain criminal violations).
[FN317]. For instance, the United States has attempted to target "home-pages" and their creators that provide obscene or indecent material to minors with the Communications Decency Act (CDA). The Supreme Court recently struck down the part of the Act that attempted to criminalize indecent home-pages, but upheld the part directed to obscene home-pages. See Reno v. ACLU, 521 U.S. 844, 935 (1997) (deciding constitutionality of CDA).
[FN318]. For example, some European laws focus more on data protection for privacy reasons than do laws in the United States. See Comment, The Right to Financial Privacy Versus Computerized Law Enforcement: A New Fight in an Old Battle, 86 NW. U.L. REV. 1169, 1169-72, 1215-19 (1992) (comparing creation and purpose of U.S. Treasury Department's Financial Crimes Enforcement Network with independent privacy protection agencies in Sweden, Germany, and France).
In addition, approaches to prosecuting computer hackers vary. See generally Comment, Computer Hacking: A Global Offense, 3 PACE Y.B. INT'L L. 199 (1991) (comparing legislation governing hackers and prosecutions thereunder in Canada, United Kingdom, and United States).
[FN319]. See Cole Durham, The Emerging Structures of Criminal Information Law: Tracing the Contours of a New Paradigm: General Report for the Association Internationale de Droit Penal Colloquium, 64 REV. INT'L DE DROIT PENAL 79, 97-109 (1993) (discussing patterns of convergence with regard to unauthorized access, unauthorized interception, unauthorized use of computer, alteration of data or programs, computer sabotage, computer espionage, unauthorized use or reproduction of computer program, unauthorized reproduction of topography, computer forgery, and computer fraud).
[FN320]. See generally Clifford Miller, Electronic Evidence--Can You Prove the Transaction Took Place?, COMPUTER LAW, May 1992, at 21 (analyzing problems of getting evidence of computer crimes admitted under United Kingdom rules of evidence as representative of challenges faced by prosecutors in Belgium, France, Germany, and United States). In the United Kingdom, the English Law Commission proposed removing the evidentiary requirements that currently impose a heightened standard upon computer evidence, and returning to the common law evidentiary "presumption that the machine works." THE LAW COMMISSION, CONSULTATION PAPER NO. 138, CRIMINAL LAW; EVIDENCE IN CRIMINAL PROCEEDINGS: HEARSAY AND RELATED TOPICS 207 (1995); see also MICHAEL HIRST, ANDREWS & HIRST ON CRIMINAL EVIDENCE 380-85 (3d ed. 1997) (describing problems with current English evidentiary regime, and agreeing with proposed changes). However, these changes have not been approved by Parliament as of late 1997.
[FN321]. See supra note 303, at 503-04 (suggesting that cooperative international solutions could begin on regional level, such as within the European Community); see also Michael A. Geist, The Reality of Bytes: Regulating Economic Activity In the Age of the Internet, 73 WASH. L. REV. 521, 551-54 (1998) (summarizing various countries' policy papers on regulating Internet). While the EC's 1991 Software Directive is aimed at harmonizing European copyright laws rather than computer security per se, it does mandate that member States adopt prescribed penalties for software piracy and procedures for seizing illegally-copied software, which is a first step towards addressing broader issues raised by computer crimes. See Council Directive 91/250/EEC, 1991 O.J. (L122) 42, 42-46.
[FN322]. See M. Cherif Bassiouni, Effective National and International Action Against Organized Crime and Terrorist Criminal Activities, 4 EMORY INT'L L. REV. 9, 20 (1990); see also Solomon, supra note 305, at 633; Soma et al., supra note 308, at 359-60 (proposing multinational treaty for dealing with extradition in computer crime cases).
Nations are beginning to achieve Bassiouni's goal of combining efforts in law enforcement and prosecution of computer crimes. See David Graves, The Schoolboy Computer Surfer Who Made Waves in the Pentagon, DAILY TELEGRAPH (London), Mar. 22, 1997, at 3 (reporting on British schoolboy who pleaded guilty to 12 offenses under United Kingdom's Computer Misuse Act of 1990 following arrest by New Scotland Yard's Computer Crime Unit for "hacking" into United States Air Force computers).
[FN323]. See Durham, supra note 319, at 97 n.51 (citing efforts by Council of Europe, Organisation for Economic Co-operation and Development (OECD), and United Nations).
The OECD is an intergovernmental organization designed to foster multilateral discussions and cooperation on economic and social policies that have impacts beyond national borders. The OECD was formed in 1961 as a successor to the Organization for European Cooperation. As of January 1998, OECD is comprised of 29 countries: Australia, Austria, Belgium, Canada, the Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Luxembourg, Mexico, The Netherlands, New Zealand, Norway, Poland, Portugal, South Korea, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States. Although the OECD does not have legal powers, its guidelines, reports, and publications can have a major policy impact on policy-making for both member and non-member countries. The Organization for Economic Cooperation and Development's Internet address is: <http://www.oecd.org>. See generally Stewart A. Baker, Decoding OECD Guidelines for Cryptography Policy, 31 INT'L LAW. 729 (1997).
[FN324]. See Business Software Alliance, supra note 278 (describing Business Software Alliance).
[FN325]. The Business Software Alliance, together with the Mexican federal attorney's office, initiated a 1992 software piracy investigation that led to seizure of illegally reproduced software programs. See James Daly, Netherlands, Mexico Chase After Hackers, COMPUTERWORLD, July 13, 1992, at 14.
[FN326]. Business Software Alliance, supra note 278.
[FN327]. Id. In practical terms, this means that 40% of the business software sold around the world in 1997 represented illegal copies.
[FN328]. Id.
[FN329]. See, e.g., Marque Chambliss, Internal Web Site Risk Management, in FIRST ANNUAL INTERNET LAW INSTITUTE 1997, at 281, 285-86 (PLI Pats., Copyrights, Trademarks, and Literary Prop. Course Series No. 482, 1997) (describing "firewalls," hardware and software security systems that shield computers from unauthorized outside access).
[FN330]. As Stewart Baker, former General Counsel to the United States National Security Council explains:
Cryptography is a means of putting data in code. It allows people to transform a message or data into a form that can't be understood (decrypted) without knowledge of some secret information.... Three main reasons why a person might want to use cryptography are to ensure the confidentiality of data, to authenticate data, and to ensure the data's integrity.... The term encryption is used to refer only to the use of cryptography to ensure confidentiality.
Baker, supra note 323, at 729-30.
[FN331]. See Stephen P. Heymann, Legislating Computer Crime, 34 HARV. J. ON LEGIS. 373, 387 (1997) (stating that computer technology readily enables criminals to encrypt communications so that it is nearly impossible to decipher them).
[FN332]. See The Impact of Encryption on Public Safety, 1997: Hearing Before the Subcomm. on Tech., Terrorism, and Gov't Info. of the Senate Comm. on the Judiciary, 105th Cong. (1997) [hereinafter Impact of Encryption] (statement of Louis Freeh, Director, FBI) (testifying that law enforcement's "ability to investigate and sometimes prevent the most serious crimes and terrorism will be impaired," and "national security will also be jeopardized" if strong encryption is permitted without a key recovery system because law enforcement is dependent upon electronic surveillance and search and seizure techniques that encryption can devastate).
[FN333]. See, e.g., John Browning, I Encrypt, Therefore I Am, WIRED, Nov. 1997, at 65, 66 <http://www.wired.com/wired/5.11/netizen.html> (arguing that debate on encryption regulation should focus on privacy and individual rights issues created by technology).
[FN334]. The law prohibiting the exportation of encryption technology garnered extensive media coverage due to the Zimmerman case. Zimmerman, creator of an encryption program called Pretty Good Privacy (PGP), was investigated for allegedly placing it on the Internet in violation of federal law. See Philip L. Dubois, The Zimmerman Case: Issues in Encryption Software, COLO. LAW., May 25, 1996. In related litigation, a district court held that encryption regulations were unconstitutional prior restraints that violated the First Amendment. See Bernstein v. United States Dep't of State, 974 F. Supp. 1288, 1308 (N.D. Cal.), appeal docketed No. 97-16686 (9th Cir. 1997). But see Junger v. Daley, 8 F. Supp. 2d 708 (N.D. Ohio 1998) (upholding encryption regulations).
[FN335]. Jared Sandberg, French Hacker Cracks Netscape Code, Shrugging Off U.S. Encryption Scheme, WALL ST. J., Aug. 17, 1995, at B3.
[FN336]. Administration of Export Controls On Encryption Products, Exec. Order No. 13,026, 3 C.F.R. 228-30 (1996). In 1998, the Department of Commerce proposed to further relax these rules by allowing the export of virus protection software and software used in ATMs and other computers that rely on personal identification numbers. See Bureau of Export Admin., Dep't of Commerce, Implementation of the Wassenaar Arrangement List of Dual-Use Items: Revisions to the Commerce Control List and Reporting Under the Wassenaar Arrangement, 63 Fed. Reg. 2452, 2453 (Jan. 15, 1998) (interim rule with request for comments).
[FN337]. Elizabeth Corcoran, U.S. to Ease Encryption Restrictions; Privacy Advocates Wary of Proposal for Software Exports, WASH. POST, Oct. 1, 1996, at A1.
A key escrow system is a system under which a decryption "key" for a given encryption product is deposited with a trustworthy key recovery agent for safe keeping. The key recovery agent could be a private company, a bank, or other commercial or government entity. When law enforcement needs to decrypt criminal-related communications or computer files, they could obtain the decryption key from the key recovery agent. A key escrow system is also referred to as a key recovery system.
See Impact of Encryption, supra note 332.
[FN338]. See generally Electronic Privacy Information Center, Cryptography Policy (visited Oct. 30, 1998) <http://www.epic.org/crypto> (listing various news items and documents relevant to cryptography policy).
[FN339]. See Steve Gold, Commerce Dept. Gives Thumbs-Up To Encryption Export Coalition, NEWSBYTES NEWS NETWORK, Oct. 19, 1998, available in 1998 WL 20717651 (discussing new encryption policy announced by Commerce Department).
[FN340]. See Encryption Protects the Rights of Individuals from Violation and Abuse in Cyberspace (E-PRIVACY) Act, S. 2067, 105th Cong. (1998) ("To protect the privacy and constitutional rights of Americans, to establish standards and procedures regarding law enforcement access to decryption assistance for encrypted communications and stored electronic information, to affirm the rights of Americans to use and sell encryption products, and for other purposes."); Security and Freedom through Encryption (SAFE) Act, H.R. 695, 105th Cong. (1997) (amending Title 18, United States Code to affirm rights of U.S. persons to use and sell encryption and to relax export controls on encryption); Computer Security Enhancement Act of 1997, H.R. 1903, 105th Cong. (1997) (amending National Institute of Standards and Technology (NIST) Act to enhance NIST's ability to improve computer security); Communications Privacy and Consumer Empowerment Act, H.R. 1964, 105th Cong. (1997) (protecting consumer privacy, empowering parents, enhancing telecommunications infrastructure for efficient electronic commerce, and safeguarding data security); Encryption Communications Privacy Act of 1997, S. 376, 105th Cong. (1997) (affirming rights of Americans to use and sell encryption products and establishing privacy standards for voluntary key recovery encryption systems); Promotion of Commerce On-Line in the Digital Era (PRO-CODE) Act of 1997, S. 377, 105th Cong. (1997) (promoting electronic commerce by facilitating use of strong encryption); Secure Public Networks Act, S. 909, 105th Cong. (1997) (encouraging and facilitating creation of secure public networks for communication, commerce, education, medicine, and government); see also Mark Grossman, Digital Fidgeting: In Matters of Cyberspace, There was Lots of Congressional Talk, but not a Lot of Action, LEGAL TIMES, Dec. 22, 1997, at 30 (describing encryption legislation); Michael D. Hintze, 1997 Encryption Legislation: Industry Shifts Focus from Export Liberalization to Domestic Controls, HIGH-TECH INDUS., Jan.-Feb. 1998, at 30 (same).
[FN341]. See Scott Gearity, Focus On Enforcement, EXPORT PRAC., June 15, 1998, available in 1998 WL 10115992 (discussing Rules Committee Chairman's stalling of bills).
[FN342]. See Edmund L. Andrews, International Business: Europeans Reject U.S. Plan on Electronic Cryptography, N.Y. TIMES, Oct. 9, 1997, at D4 (reporting that European Commission rejected global key escrow proposal by United States); Organisation for Economic Cooperation and Development, Cryptography Policy: The Guidelines and The Issues (visited Oct. 30, 1998) <http://www.oecd.org//news_and_events/release/nw97-24a.htm> (recommending principles to guide OECD member countries in formulating policies and legislation relating to use of cryptography (key escrow not adopted)); see also Thomas E. Crocker, Why Banks Should Care About the Crypto Wars Erupting in Washington, AM. BANKER, Aug. 4, 1997, at 42 (noting that Japan is developing strong encryption products without key recovery). But see Stewart A. Baker & Michael D. Hintze, Canadian Export Controls on Encryption Products and Technology, CANADIAN L. NEWS., Spring 1997, at 11 (concluding that Canadian controls are mostly equivalent to U.S. controls, with exception of less stringent key recovery requirements); Andrews, supra at D4 (reporting that United Kingdom generally sides with United States in supporting international system for regulating data encryption); Knoll, supra note 310, at 85 ("Russian President Boris Yeltsin has outlawed strong computer encryption, thus frustrating any attempts at securing privacy over the Internet and e-mail."). In a 1997-98 survey of over seventy countries, the majority were found to have little or no regulation of encryption, in contrast to the U.S. See Global Internet Liberty Campaign, Cryptography and Liberty: An International Survey of Encryption Policy (visited Oct. 30, 1998) <http://www.gilc.org/crypto/crypto-survey.html>.
[FN343]. See Andrews, supra note 342, at D4 (discussing European rejection of U.S. proposals about key escrow system).
[FN344]. Crocker, supra note 342, at 42.
[FN345]. See supra Part III.A. (discussing development of Virginia computer crimes legislation).
[FN346]. See generally Bradley A. Slutsky, Jurisdiction Over Commerce on the Internet (visited Oct. 30, 1998) <http://www.kslaw.com/menu/jurisdic.htm> (providing overview and analysis).
[FN347]. See, e.g., Jon Jefferson, Deleting Cybercrooks, A.B.A. J., Oct. 1997, at 68 (reporting that National Association of Attorneys General ("NAAG") set up working group to study law-enforcement issues posed by Internet, and that it became NAAG's most heavily subscribed group, comprising 40 of nation's attorneys general).
[FN348]. See Geist, supra note 321, at 351-60 (discussing current policy papers of various nations).
[FN349]. See Andrew E. Costa, Comment, Minimum Contacts In Cyberspace: A Taxonomy of the Case Law, 35 HOUS. L. REV. 453, 469-92 (1998) (collecting Internet jurisdiction cases).
[FN350]. See id. at 503-04 (summarizing various approaches).
[FN351]. See Reno v. ACLU, 521 U.S. 844 (1997) (striking down CDA).
[FN352]. 47 U.S.C. § 231 (1996).
[FN353]. 47 U.S.C. § 231(a)(1) (1998).
[FN354]. See Frank James, Internet Anti-Smut Law Challenged As Unconstitutional, CHI. TRIB., Oct. 23, 1998, at 3 (discussing challenge to COPA).
[FN355]. John Schwartz, U.S. Judge Blocks Law Curbing Online Smut, WASH. POST, Feb. 2, 1999, at A2.
[FN356]. Id.
[FN357]. See supra Part IV.C. (discussing international encryption issues).
[FN358]. See Corcoran, supra note 337 (discussing loosening of encryption restrictions).
[FN359]. See supra Part IV.C. (discussing recent actions regarding encryption).