
Computer crimes.

      A. Defining Computer Crime
      B. Types of Computer-Related Offenses
         1. Object of Crime
         2. Subject of Crime
            a. Spam
            b. Viruses
            c. Worms
            d. Trojan Horses
            e. Logic Bombs
            f. Sniffers
            g. Denial of Service Attacks
            h. Web Bots & Spiders
         3. Instrument of Crime
      A. Constitutional Issues
         1. First Amendment
         2. Fourth Amendment
      B. Jurisdiction
         1. Federal Jurisdiction
         2. State Jurisdiction
      C. Other Issues
      A. Sentencing Guidelines
      B. Federal Statutes
         1. Child Pornography Statutes
            a. Communications Decency Act of 1996
            b. Child Pornography Prevention Act of 1996
         2. Computer Fraud and Abuse Act
            a. Offenses Under the Statute
            b. Jurisdiction
            c. Defenses
            d. Penalties
         3. Controlling the Assault of Non-Solicited Pornography
            and Marketing Act of 2003
         4. Copyright Statutes
            a. Criminal Copyright Infringement in the Copyright
                i. Defenses
                ii. Penalties
            b. Digital Millennium Copyright Act
         5. Electronic Communications Privacy Act
            a. Stored Communications Act
            b. Title III (Wiretap Act)
                i. Defenses
                ii. Penalties
            c. Statutory Issues
         6. Identity Theft
            a. Penalties
         7. Wire Fraud Statute
      C. Enforcement
      A. Overview of State Criminal Codes
      B. Enforcement
      A. Issues
      B. Solutions


This Article discusses federal, state, and international
developments in computer-related criminal law. Section I defines
computer crimes, Section II covers the constitutional and jurisdictional
issues concerning computer crimes, Section III describes the federal
approaches used for prosecuting computer crime and analyzes enforcement
strategies, Section IV examines state approaches to battling computer
crimes, and Section V addresses international approaches to regulating
computer crimes.

A. Defining Computer Crime

The U.S. Department of Justice (“DOJ”) broadly defines
computer crime as “any violations of criminal law that involve a
knowledge of computer technology for their perpetration, investigation,
or prosecution.” (1) Because of the diversity of computer-related
offenses, a narrower definition would be inadequate. While the term
“computer crime” includes traditional crimes committed with
the use of a computer, (2) the rapid emergence of computer technologies
and the exponential expansion of the Internet (3) spawned a variety of
new, technology-specific criminal behaviors that must also be included
in the category of “computer crimes.” (4) To combat these new
criminal behaviors, Congress passed specialized legislation. (5)

Experts have had difficulty calculating the damage caused by
computer crimes due to: (1) the difficulty of adequately defining
“computer crime;” (6) (2) victims’ reluctance to report
incidents for fear of losing customer confidence; (7) (3) the dual
system of prosecution; (8) and (4) the lack of detection. (9) In 2006,
DOJ’s Bureau of Justice Statistics and the Department of Homeland
Security’s National Cyber Security Division conducted a joint
effort to estimate the number of cyber attacks and the number of
incidents of fraud and theft of information. (10) It found that nearly
67 percent of businesses reported at least one incident of computer
crime in the past year. (11)

B. Types of Computer-Related Offenses

1. Object of Crime

DOJ divides computer-related crimes into three categories according
to the computer’s role in the particular crime. (12) First, a
computer may be the “object” of a crime. (13) This category
primarily refers to theft of computer hardware or software. Under state
law, computer hardware theft is generally prosecuted under theft or
burglary statutes. (14) Under federal law, computer hardware theft may
be prosecuted under 18 U.S.C. [section] 2314, which regulates the
interstate transportation of stolen or fraudulently obtained goods. (15)
Computer software theft is only included in this category if it is
located on a tangible piece of hardware because the theft of intangible
software is not prosecutable under 18 U.S.C. [section] 2314.

2. Subject of Crime

Second, a computer may be the “subject” of a crime. (16)
In this category, the computer is akin to the pedestrian who is mugged
or the house that is robbed; it is the subject of the attack and the
site of any damage caused. These are computer crimes for which there is
generally no analogous traditional crime so special legislation is
needed. This category encompasses spam, viruses, worms, Trojan horses,
logic bombs, sniffers, distributed denial of service attacks, and
unauthorized web bots or spiders. Each of these subcategories is defined
and discussed below.

In the past, malice or mischief rather than financial gain
motivated most offenders in this category. (17) These types of crimes
were frequently committed by juveniles, disgruntled employees, and
professional hackers as a means of showing off their skills. (18)
Disgruntled employees were once widely thought to pose the biggest
threat to company computer systems. (19) In sentencing juvenile
offenders, courts had a particularly difficult time finding appropriate
penalties. (20) However, in recent years these crimes have been
committed by an increasingly diverse group of individuals, many of whom
are motivated by financial gain. (21)

a. Spam

Spam is unsolicited bulk commercial email from a party with no
preexisting business relationship. (22) Spam is so common that in 2009,
over 97 percent of all emails sent over the Internet were unwanted. (23)
Additionally, hackers often use spam as a way of distributing viruses,
spyware, and other malicious software. (24)

b. Viruses

A virus is a program that modifies other computer programs, causing
them to perform the task for which the virus was designed. (25) It
usually spreads from one host to another when a user transmits an
infected file by e-mail, over the Internet, across a company’s
network, or by disk. (26)

c. Worms

Worms are like viruses, but they use computer networks or the
Internet to self-replicate and “send themselves” to other
users, generally via e-mail, while viruses require human action to
spread from one computer to the next. (27) Worms have far more
destructive potential than viruses because they can spread much faster.

d. Trojan Horses

Trojan horses are programs with legitimate functions that also
contain hidden malicious code. (29) Like its namesake, a Trojan horse
dupes a user into installing the seemingly innocent program on his or
her computer system and then activates the hidden code, which may
release a virus or allow an unauthorized user access to the system. (30)
Hackers use Trojan horses as the primary means to transmit viruses. (31)

e. Logic Bombs

Logic bombs are programs that activate when a specific event
occurs, such as the arrival of a particular date or time. (32) They can
be destructive, but software companies also commonly use them to protect
against violation of licensing agreements by disabling the program upon
detection of a violation. (33)

f. Sniffers

Sniffers, also known as network analyzers, can read electronic data
as it travels through a network. (34) Network administrators use them to
monitor networks and troubleshoot network connections. (35) Sniffers can
help network administrators find and resolve network problems. (36)
However, a hacker can break into a network and install a sniffer that
logs all activity across a network, including the exchange of passwords,
credit card numbers, and other personal information. (37)

g. Denial of Service Attacks

In a denial of service attack, hackers bombard the target website
with an overwhelming number of simple requests for connection, thus
rendering the site unable to respond to legitimate users. (38) In
distributed denial of service attacks, hackers use the networks of
innocent third parties to overwhelm websites and prevent them from
communicating with other computers. (39) After breaking into several
network systems, the individual makes one system the “Master”
system and turns the others into agent systems. (40) Once activated, the
Master directs the agents to launch a denial of service attack. (41) The
use of third party “agents” makes it particularly difficult to
identify the culprit. (42)

h. Web Bots & Spiders

“Web bots” or “spiders” are data search and
collection programs that can create searchable databases that catalogue
a website’s activities. (43) Although seemingly innocuous, too many
spiders on the same website can effectively operate as a denial of
service attack. In addition, they can steal data from the websites that
they search. (44)

3. Instrument of Crime

Third, a computer may be an “instrument” used to commit
traditional crimes. (45) These traditional crimes include identity
theft, (46) child pornography, (47) copyright infringement, (48) and
mail or wire fraud. (49)


A. Constitutional Issues

This Part addresses general constitutional issues with computer
crimes. Specific constitutional issues with federal and state statutes
are discussed in the relevant Sections of this Article. Constitutional
issues related to computer crimes usually fall under either the First
Amendment or the Fourth Amendment. There are also some federalism
issues. In particular, there is a question as to how much the federal
government can regulate intrastate behavior under the Commerce Clause.
This is discussed in the following Part on federal jurisdiction.

1. First Amendment

The First Amendment (50) protects the same forms of speech in
cyberspace that it does in the real world. Hate speech and other forms
of racist speech receive the same protection on the Internet as they
have always received under traditional First Amendment analysis. (51)
The guarantee of the First Amendment extends well beyond personally held
beliefs to include speech that advocates conduct, even when that conduct
is illegal. (52) Racist speech is also probably protected on the
Internet, as it is not likely to fit within the “fighting
words” exception to the First Amendment. (53)

There is an exception to this general free speech principle for
“true threats,” (54) such as sending a victim threatening
e-mail messages, or even making a public announcement on the Internet of
an intention to commit an act that is racially motivated. (55) A similar
exception exists for harassment by e-mail or on the Internet, as long as
it is sufficiently persistent and malicious to inflict, or is motivated
by a desire to cause substantial emotional or physical harm (56) and is
directed at a specific person. (57) Child pornography is not protected
either, but finding a sufficiently narrow description to prevent
dissemination on the Internet has proven difficult. (58)

In 2008, the Virginia Supreme Court struck down a Virginia statute,
which criminalized the falsification of identifying transmission
information in unsolicited bulk e-mail messages (spam), as overly broad
and infringing on the First Amendment right to engage in anonymous
speech. (59) The court emphasized that the statute in question did not
distinguish between commercial and non-commercial unsolicited e-mails,
including those expressing political and religious messages. (60)
Therefore, the statute could not survive strict scrutiny because it was
not narrowly tailored to the compelling state interests, as laid out in
the federal CAN-SPAM Act, (61) of preserving the efficiency and
convenience of e-mail. (62)

2. Fourth Amendment

A number of difficult Fourth Amendment (63) issues inhere in
computer crimes. The Fourth Amendment prohibits unreasonable searches
and seizures by the government. (64) However, what constitutes a search
or seizure with respect to computers is not always clear. There is
disagreement as to whether there should be a special approach created
for computer-related searches and seizures, or whether it is adequate to
draw comparisons from traditional Fourth Amendment analysis. (65)

The Supreme Court has held that a search occurs within the meaning
of the Fourth Amendment when government actions violate an
individual’s legitimate or “reasonable” expectations of
privacy. (66) Generally, a person has a reasonable expectation of
privacy in a computer she owns in her home, but this is less clear-cut
in the workplace. (67) Fourth Amendment issues may also arise when law
enforcement intercepts address information on the Internet, such as
e-mail addresses and website addresses. Before 2001, the FBI routinely
searched similar information on Internet communications without much
mention of constitutional issues. (68) The Ninth Circuit has held that
obtaining Internet address information by installing a surveillance
program at the Internet Service Provider’s (“ISP”)
facility is “constitutionally indistinguishable” from the use
of a pen register and, therefore, Internet users have no expectation of
privacy in such information. (69) The Fourth Circuit has similarly held
that a criminal defendant has no reasonable expectation of privacy in
the information he provides to his ISP. (70)

The use of investigative tools devised for eavesdropping on
Internet communications may present additional Fourth Amendment
questions. (71) The use of a keystroke logger system appears to be
constitutional. (72) The constitutionality of other techniques, however,
will likely be tested as the government discloses more information about
both the nature of its capabilities and the frequency of their

Although the Fourth Amendment generally requires specificity in
search warrants, broad search warrants have been upheld when addressed
to computer crimes. (73) Broad searches have been justified as
“about the narrowest definable search and seizure reasonably likely
to obtain the [evidence].” (74) There is a circuit split as to
whether law enforcement agents with a warrant may search and seize
computer files even though doing so might cause seizure of contents
having no relation to the crime being investigated. (75) There is also a
split as to how the plain view exception (76) should apply to computer
files. (77)

Another relevant Fourth Amendment issue is the doctrine of
staleness, (78) which “applies when information proffered in
support of a warrant application is so old that it casts doubt on
whether the fruits or evidence of a crime will still be found at a
particular location.” (79) The durability of data and graphics
stored on computer hardware has drastically extended the period after
which the staleness doctrine applies. For example, the Ninth Circuit
upheld the validity of a search warrant even though ten-month-old
information supported it. (80)

In executing a warrant, agents may seize and search a disk, even if
its label indicates that it is not within the scope of the warrant. (81)
They may seize an entire computer if they have ample evidence that
documents authorized in a warrant could be found on it. (82) Agents may
also search computer hardware and software when they have reason to
believe that those items contain records covered by the warrant. (83)
They may even remove the hardware and software from the owner’s
premises to conduct their examination. (84) They may not, however, seize
peripheral items, such as printers, to assist them in their review of
the seized items. (85) State courts have split on extending this
principle to their search and seizure jurisprudence. (86)

B. Jurisdiction

1. Federal Jurisdiction

The majority of federal computer crimes statutes have been enacted
under Congress’s power “[t]o regulate Commerce … among the
several States….” (87) As the Internet is considered to be both a
channel and instrumentality of interstate commerce, it falls under the
Commerce Clause’s broad power. (88) In the past, most courts
treated jurisdictional components of federal statutes as meaningful
restrictions, (89) necessitating a case-by-case analysis of a given
activity’s effect on interstate commerce. (90) However, this line
of reasoning has been superseded by the Supreme Court’s decision in
Gonzales v. Raich. (91) Under Raich, once it has been determined that
the federal government has the broad power to regulate a class of
activity–such as the possession or production of child
pornography–courts cannot excise individual acts of the class simply
because they appear economically insignificant. (92) Courts following
Raich have ruled that the statute’s reach extends to purely
intrastate activity. (93)

2. State Jurisdiction

A significant challenge to state officials in prosecuting computer
crimes is one of jurisdiction. (94) Jurisdictional problems arise for
state prosecutors when the acts are committed out of state (95) because
the jurisdictional rules of criminal law require the prosecutor to prove
that the defendant intended to cause harm within his state. (96) As a
result, many states have broadened their jurisdictional rules to address
the new concerns that arise from the global nature of the Internet. (97)
For example, Wisconsin’s criminal statute permits jurisdiction even
when no result occurs in the state. (98) Alabama, California, and South
Dakota have statutes providing for jurisdiction where an offense begins
outside the state and “consummates” within the state. (99)

C. Other Issues

In addition to constitutional obstacles, federal laws may interfere
with computer crime statutes at both the federal and state level.
Several laws intended to protect privacy have implications for computer
crimes as well. For example, Title III applies to both the government
and civilians in situations in which there are Fourth Amendment issues.
(100) Title III applies to state actors as well and states may not
legislate lower standards for interception, although they may set higher
ones. (101)

Another complication arises as a result of additional protection
for computer records provided by the Privacy Protection Act of 1980.
(102) The statute requires police to obtain a subpoena prior to
searching or seizing work product or other materials reasonably believed
to pertain to public communications such as newspapers. (103) This
protection does not include child pornography. (104) The Privacy
Protection Act still applies to other material that may be public


This Section explores the major federal statutes, enforcement
strategies, and constitutional issues regarding computer related crimes.
The government can charge computer-related crimes under at least forty
different federal statutes. (105) There are also a number of traditional
criminal statutes whose application to computer crime is unclear. (106)
In addition, the federal government has sometimes used the United States
Sentencing Guidelines (“Guidelines”) to enhance sentences for
traditional crimes committed with the aid of computers. (107) This
Section discusses the role of the Guidelines in general, key federal
statutes in the prosecution of computer crimes, and relevant enforcement
efforts. Although the focus of this Article is the federal
government’s approach to prosecuting criminal computer offenses,
past litigation has also sought civil remedies. (108)

A. Sentencing Guidelines

The Guidelines supplement the federal computer crime statutes and
help determine how much of the maximum sentence a perpetrator should
serve. (109) The Guidelines treat most computer crimes as economic
crimes sentenced under section 2B1.1. (110) The Guidelines also dictate
“special skills” enhancements for particular crimes including
computer crimes. (111)

B. Federal Statutes

Since 1984, Congress has pursued a dual approach to combating
computer crime. The Counterfeit Access Device and Computer Fraud and
Abuse Act of 1984 (112) and subsequent amending acts (113) address
crimes in which the computer is the “subject.” This line of
statutes culminated in the Computer Fraud and Abuse Act
(“CFAA”), (114) which is discussed in detail in Section 2. The
Federal Government’s other approach to regulating computer crime
has been to update traditional criminal statutes to reach similar crimes
involving computers. (115)

1. Child Pornography Statutes

Federal child pornography statutes have not fared well under the
First Amendment. In Reno v. American Civil Liberties Union, (116) the
Supreme Court gave an unqualified level of First Amendment protection to
Internet communications. (117) Under Reno, legislation will not
withstand scrutiny if it requires web surfers or Internet content
providers to estimate the age of those with whom they communicate or to
tag their communications as potentially indecent or offensive, prior to
engaging in “cyberspeech.” (118) The Court found that less
regulation is necessary to protect children on the Internet compared to
television or radio because users rarely come across content on the
Internet accidentally and warnings often precede sexually explicit
images. (119) The global nature of the Internet also renders it
difficult, if not impossible, for users to predict when their
potentially offensive communications will reach a minor. (120)
Consequently, Reno requires courts to apply unqualified First Amendment
scrutiny to speech restrictions affecting the Internet. (121) Note that
“unqualified” protection does not cover obscenity or child
pornography, which the government may ban. (122) Under this standard,
parts of several federal child pornography laws discussed below and all
of the Child Online Protection Act of 1998 (“COPA”) (123) have
been found unconstitutional. (124)

a. Communications Decency Act of 1996

The Communications Decency Act of 1996 (“CDA”), or Title
V of the Telecommunications Act of 1996, (125) originally prohibited the
transmission of “indecent,” (126) “patently
offensive,” (127) or “obscene” (128) material to minors
over the Internet. In Reno v. American Civil Liberties Union, (129) the
Supreme Court struck down those portions of the statute that banned
“indecent” (130) and “patently offensive” (131)
images as being unconstitutionally vague and overbroad. (132) The rest
of [section] 223(a), banning transmission of obscene speech to minors,
remains in effect. (133)

Under [section] 223(a), knowing transmission of obscene speech or
images to minors is punishable by a fine, imprisonment of up to two
years, or both. (134) The Guidelines set a base offense level of ten for
transportation of obscene matter, which is automatically increased by
five levels if the obscene matter is transmitted to a minor. (135) A
seven-level upward adjustment is provided if the distribution was
intended to convince a minor to engage in prohibited sexual conduct.
(136) The base level of the offense can be raised no less than five
levels if the offense is related to distribution of material for
pecuniary gain. (137) If the material involved in the offense portrays
sadistic, masochistic conduct, or other depictions of violence, the
offense level increases by four. (138)

b. Child Pornography Prevention Act of 1996

In 1996, Congress passed the Child Pornography Prevention Act (139)
(“CPPA”), which criminalized the production, distribution, and
reception of computer-generated, sexual images of children. (140) The
CPPA sought to prohibit computer transmission of erotic photographs of
adults doctored to resemble children. (141) However, in April 2002, the
Supreme Court held that two provisions of the statute, which prohibited
pornography that appeared to depict minors but actually depicted
young-looking adults or virtual child pornography, were
unconstitutionally vague and overbroad. (142)

In response, Congress passed the Prosecutorial Remedies and Other
Tools to End the Exploitation of Children Today Act of 2003
(“PROTECT Act”). (143) The PROTECT Act includes a prohibition
against advertisement, distribution, and solicitation of pornography
that reflects a belief or induces others to believe that the material
depicts real children. (144) After a number of circuit courts questioned
the constitutionality of this provision under the reasoning of Ashcroft
v. Free Speech Coalition, (145) the Supreme Court upheld the statute.

2. Computer Fraud and Abuse Act

18 U.S.C. [section] 1030, (147) referred to as the Computer Fraud
and Abuse Act (“CFAA”), (148) protects against various crimes
involving “protected computers.” Because “protected
computers” include those used in interstate commerce or
communications, the statute covers any computer attached to the
Internet, even if all the computers involved are located in the same
state. (149)

a. Offenses Under the Statute

The CFAA prohibits seven specific acts of computer-related crime.
(150) First, it is a crime to access computer files without
authorization and to subsequently transmit, or attempt to transmit,
classified government information if the information “could be
used” to injure the United States. (151) Second, the CFAA prohibits
obtaining, (152) without authorization, information from financial
institutions, (153) any department or agency of the United States, or
private computers that are used in interstate commerce. (154) Third, it
proscribes intentionally accessing a United States department or agency
nonpublic computer without authorization. (155) If the government or a
government agency does not use the computer exclusively, the illegal
access must affect the government’s use. (156) Fourth, accessing a
protected computer, without authorization, with the intent to defraud
and obtain something of value is prohibited. (157)

The fifth prohibition, which addresses computer hacking, has two
categories of offenses depending on whether there is intent to cause
damage. The first category criminalizes knowingly causing the
transmission of a program, code, or command, and intentionally causing
damage to a protected computer. (158) This subsection applies regardless
of whether the user had authorization to access the protected computer.
Thus, company insiders and authorized users can be culpable for
intentional damage to a protected computer.

The second category of offenses prohibits intentional access
without authorization that results in damage but does not require intent
to damage. (159) The statute does not define either “access”
or “authorization.” (160) However, some courts interpret
“access” to mean, at the least, more than passive receipt of
information. (161) The culpability for damage caused can be either
reckless (162) or negligent. (163) Damage under the statute is “any
impairment to the integrity or availability of data, a program, a
system, or information.” (164)

Sixth, the CFAA prohibits someone from trafficking in passwords
knowingly and with intent to defraud. (165) The passwords must either
permit unauthorized access to a government computer or the trafficking
must affect interstate or foreign commerce. (166) Finally, the CFAA
makes it illegal to transmit in interstate or foreign commerce any
threat to cause damage to a protected computer with intent to extort
something of value. (167) Threats against protected computers only
violate the CFAA if they are intended to extort from individuals. (168)

b. Jurisdiction

The United States Secret Service has investigatory authority for
all violations of the CFAA. (169) The FBI has authority to investigate
offenses under (a)(1) that involve espionage, foreign
counterintelligence information protected against unauthorized
disclosure, or restricted data. (170) Certain offenses for obtaining
national security information (171) and damaging a protected computer
(172) are also included in the definition of “federal crime of
terrorism,” bringing them under the express jurisdiction of the
Attorney General. (173)

c. Defenses

One defense to charges of accessing a protected computer without
authorization is that the defendant simply did not “obtain anything
of value.” (174) The First Circuit interpreted the statutory
language “obtain anything of value” to require something more
than simply viewing information. (175) Instead, prosecutors must prove
that the information was valuable to the defendant in conducting his
fraudulent scheme. (176)

In order for the CFAA to apply, a defendant must not only access a
protected computer and cause damage, but that damage must cause some
additional injury. (177) The damage must be at least $5000 over a
one-year period, (178) or lead to potential injury or a threat to public
health or safety. (179)

d. Penalties

The CFAA punishes attempts to commit an offense as if the offense
had been successfully carried out. (180) Additionally, the CFAA has
lesser penalties for first-time offenders of the Act than for repeat
offenders. The CFAA includes as a repeat offense a subsequent violation
of any of the subsections of the act. (181) Thus, a repeat offender can
receive an enhanced sentence even if she commits a different type of
computer fraud than she committed before. Conviction includes any
conviction under state law with a punishment of more than one year if
the elements include unauthorized access to a computer. (182)

First-time offenders who obtain national security information or
intentionally damage a protected computer are subject to a fine,
imprisonment of not more than ten years, or both. (183) Subsections
(a)(2), (a)(3), (a)(5)(A)(iii), and (a)(6) have penalties of a fine,
imprisonment of not more than one year, or both, for first offenses.
(184) First time offenders under [section][section] (a)(4),
(a)(5)(A)(ii), and (a)(7) are subject to a fine, imprisonment of not
more than five years, or both. (185)

CFAA also differentiates between conduct that involves improper
access and conduct in which the defendant uses access for pernicious
purposes. It does so by increasing the maximum prison sentence for first
time violations of [section] (a)(2) to five years if the crime was
committed for financial gain or commercial advantage, in furtherance of
a criminal or tortious act, or if the value of the obtained information
exceeds $5000. (186) This is the same as the sentencing for first time
offenders under [section][section] (a)(4), (a)(5)(A)(ii), and (a)(7).

Repeat offenders may receive much tougher sentences. Maximum
sentences under [section][section] (a)(2), (a)(3), (a)(4),
(a)(5)(A)(ii), (a)(6), and (a)(7) rise to ten years for recidivists.
(188) The maximum sentence goes up to twenty years for repeat offenders
who obtain national security information or intentionally or recklessly
damage a protected computer. (189)

Sentences also go up considerably if serious injury or death
results from the violation. The maximum sentence is twenty years for
anyone who “knowingly or recklessly causes or attempts to cause
serious bodily injury” by intentionally damaging a protected
computer. (190) The maximum sentence is life in prison for anyone who
“knowingly or recklessly causes or attempts to cause death” by
intentionally damaging a protected computer. (191)

The Guidelines set the base offense level for obtaining national
security information at thirty-five if unlawfully accessed national
defense information is top secret, and at thirty otherwise. (192) The
offense levels for violations of the rest of the CFAA, except subsection
(a)(3), are largely dependent on the value of the loss suffered.
Subsections (a)(2), (a)(4), (a)(5), and (a)(6) are covered by the
Guidelines’ section on theft, stolen property, property damage,
fraud, forgery, and counterfeiting. (193) The section on trespass covers
[section] 1030(a)(3), (194) and the section on extortion covers
[section] 1030(a)(7). (195) Attempts to violate the CFAA, a crime under
the statute, are also covered by the Guidelines. (196)

3. Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003

Unsolicited commercial email or “spam” has been a growing
problem in the United States for many years. (197) Congress has considered many
proposed federal anti-spam bills since 1995, but did not enact a
comprehensive statute until December of 2003. (198) The Controlling the
Assault of Non-Solicited Pornography and Marketing Act of 2003 (199)
(“CAN-SPAM”) was enacted to establish a national standard for
email solicitations. (200) The CAN-SPAM Act has several key provisions
that affect persons or companies sending commercial solicitations via
email. Section 1037 of Title 18 prohibits a number of well-known
deceptive and/or fraudulent practices commonly used in commercial
emails. (201) These techniques include using deceptive subject lines,
providing false or misleading header information, and using another
computer to relay email messages without authorization to prevent anyone
from tracing the email back to its sender. (202) Section 7704 of Title
15 further prohibits similar deceptive practices, requiring that a
commercial email include a method for the recipient to
“opt-out” of future solicitations and that the subject line
contain a warning if the email contains sexually oriented material.

The CAN-SPAM Act has provisions for both fines and criminal
penalties enforced by the FTC and the DOJ. (204) A violator of the act
is subject to a fine of up to $16,000 for each email in violation of the
law. (205) An individual may be subject to criminal penalties, including
imprisonment, for using someone else’s computer to send spam, using
false information to create multiple email addresses, sending multiple
spam messages and deceiving the recipient about the origin of the
messages, generating email addresses through dictionary attacks, and
using open relays and proxies. (206)

4. Copyright Statutes

Copyright violations are particularly harmful to computer software
developers. (207) Software piracy presents unique challenges to law
enforcement because of the various ways the crime can be committed,
(208) the ease (209) and minimal cost of reproduction, (210) and the
minimal degradation (if any) in the quality of pirated software. (211)
The difficulty of detection also exacerbates the problem of electronic
infringement. (212) Many of these issues also apply to other media in
digital form. (213)

a. Criminal Copyright Infringement in the Copyright Act

Persons who unlawfully copy and distribute copyrighted material by
computer may be subject to punishment for criminal copyright
infringement. (214) The criminal copyright infringement statute has four
elements: (215) (i) existence of a valid copyright; (216) (ii) that the
defendant willfully; (217) (iii) infringed; (218) and (iv) either (1)
for commercial advantage or private financial gain, (219) (2) by
reproducing or distributing infringing copies of works with a total
retail value of more than $1000 over a 180-day period, or (3) by
distributing “a work being prepared for commercial
distribution” by making it available on a publicly-accessible
computer network. (220)

i. Defenses

Under the first sale doctrine, one who legally purchases a copy of
a copyrighted work may freely distribute that particular copy. (221) The
alleged copyright infringer bears the burden of proving that the first
sale doctrine applies. (222) This defense does not apply to computer
software copyright infringement if the software is distributed by
licensing agreement. (223)

The fair use doctrine permits non-copyright holders to make use of
copyrighted works for purposes such as criticism, comment, news
reporting, teaching, scholarship, or research. (224) The “fair
use” defense requires consideration of four factors: (225) (i) the
purpose and character of the use; (226) (ii) the nature of the
copyrighted work; (227) (iii) the amount and substantiality of the
portion used in relation to the work as a whole; (228) and (iv) the
effect of the use upon the potential market or value of the work. (229)
The factors are not to be considered in isolation, but “are to be
explored, and the results weighed together, in light of the purposes of
copyright.” (230) The fourth factor is often emphasized as the most
important element in determining fair use. (231)

ii. Penalties

Section 2319 of Title 18 sets forth the punishment for criminal
copyright infringement. (232) Section 2319(c) provides variable prison
terms and fines for copyright infringements through the reproduction or
distribution of one or more copies or phonorecords with a total retail
value of more than $1000: (i) first-time offenders who reproduce or
distribute more than ten copies or phonorecords of one or more
copyrighted works that have a total retail value of $2500 or more face
up to three years in prison; (ii) subsequent offenders face up to six
years imprisonment; and (iii) those who reproduce or distribute one or
more copies or phonorecords of one or more copyrighted works that have a
total retail value of $1000 or more face up to one year’s
imprisonment. (233)

Sentences for defendants convicted of criminal copyright
infringement are determined by considering [section] 2B5.3 of the
Guidelines. (234) The base offense level is eight. (235) If the retail
value of the infringing items (236) exceeds $2000, then the offense
level is increased by the corresponding number of levels from the table
in [section] 2B1.1. (237)

b. Digital Millennium Copyright Act

The Digital Millennium Copyright Act of 1998 (“DMCA”)
(238) generally prohibits tampering with any access control or copy
control measures applied to digital copies of copyrighted works. (239)
Section 1201 prohibits circumvention of technological measures used to
protect copyrighted works. (240) “[A] technological measure
‘effectively controls access to a work’ if the measure, in the
ordinary course of its operation, requires the application of
information, or a process or a treatment, with the authority of the
copyright owner, to gain access to the work.” (241) “[To]
‘circumvent a technological measure’ means to descramble a
scrambled work, to decrypt an encrypted work, or otherwise to avoid,
bypass, remove, deactivate, or impair a technological measure, without
the authority of the copyright owner.” (242) No person may
manufacture, import, offer to the public, provide, or otherwise traffic
(243) in a technology, (244) product, service, or device (245) that is
used to circumvent (246) such technological measures, if one of the
following conditions is met: (i) the technology, product, service, or
device is primarily designed or produced to circumvent; (ii) it has only
limited commercial use other than that prohibited by the statute; or
(iii) it is marketed for use in circumventing. (247) A number of
exceptions are available for research and other purposes. (248)

In Universal City Studios, Inc. v. Reimerdes, (249) the United
States District Court for the Southern District of New York acknowledged
that [section] 1201 is in tension with the fair use doctrine in
[section] 107 of the Copyright Act. (250) Despite this tension, the
court held that DMCA does not unduly frustrate the purpose of the fair
use doctrine because DMCA provides exceptions for those uses it
considers fair. (251) The court ruled that the fair use doctrine is
unavailable as a defense under [section] 1201 because production of a
technology circumvention measure does not qualify as a use of a
copyrighted work; furthermore, the prohibition on circumvention does not
extend to an individual who has already obtained an authorized copy of a
copyrighted work. (252)

Section 1202 prohibits interference with the integrity of copyright
management information. (253) “Copyright management
information” includes: (i) the name of the work; (ii) the name of
the author; (iii) the name of the copyright owner; (iv) the name and
other identifying information about the author of a performance fixed,
for example, on audio CD; (v) the name and other identifying information
about the writer, performer, or director of a fixed audio-visual work;
and (vi) terms and conditions of use. (254) Finally, “copyright
management information” includes any information that the Register
of Copyrights may require by regulation. (255)

Section 1202(a) prohibits knowing dissemination of false copyright
management information, if done with the intent to induce, enable,
facilitate, or conceal copyright infringement, while [section] 1202(b)
prohibits the intentional removal of copyright management information
and the dissemination of works from which the copyright management
information has been removed. (256) The statute also prohibits tampering
with the symbols that refer to this information, including Internet
hypertext links to web pages containing copyright management
information. (257)

The “safe harbor defense” provides a defense against
contributory liability for ISPs whose services are used to violate the
DMCA. (258) An ISP is exempt from liability if it: (i) did not know of
the infringement or the facts making infringement apparent; (ii)
received no material benefit from the infringement; and (iii) acted
expeditiously to remove the offending sites once it was made aware of
them. (259)

Violation of either of these sections is subject to a maximum fine
of $500,000 or up to five years imprisonment, or both, for a first
offense, and a maximum fine of $1,000,000 or up to ten years
imprisonment, or both, for repeat offenses. (260)

5. Electronic Communications Privacy Act

The Electronic Communications Privacy Act of 1986
(“ECPA”) (261) regulates crimes with no close
“traditional crime” analog, such as hacking. Unlike CFAA, ECPA
approaches such crimes by updating existing federal prohibitions against
intercepting wire and electronic communications. (262) ECPA updated
Title III and also created the Stored Communications Act
(“SCA”). (263) ECPA attempts to curb hacking activities by
fortifying the privacy rights of computer users (264) and enabling law
enforcement officers to employ electronic surveillance in the course of
investigating computer crimes. (265) The government has used ECPA to
prosecute hackers, (266) although it generally relies on CFAA for such
prosecutions. (267) Prosecutors have invoked ECPA, however, against
piracy of electronically encrypted, satellite-transmitted television
broadcasts. (268) Devices used to intercept cable television signals
likewise fall within ECPA’s purview. (269)

a. Stored Communications Act

Congress intended for the SCA to protect stored email and
voicemail. The SCA prohibits any person from (1) intentionally
accessing, without authorization, a facility through which an electronic
communication service is provided or (2) intentionally exceeding
authorization to access that facility, and thereby obtaining, altering,
or preventing authorized access to a communication in electronic
storage. (270)

There is a good faith defense available for parties who reasonably
relied on a warrant, grand jury subpoena, or other exception to the SCA.
(271) In addition, the SCA does not apply to ISPs reading stored
communications on their own systems, (272) nor does it apply if one of
the parties to the stored communication gives permission to access.

For violations of the SCA a first-time offender shall be fined
under Title 18, imprisoned for not more than one year, or both. If the
SCA is violated for purposes of private financial gain or malicious
destruction or damage, a first-time offender shall be fined under Title
18, imprisoned for not more than five years, or both. (274) A repeat
offender shall be fined under Title 18, imprisoned for not more than ten
years, or both. (275) In a case not involving private financial gain or
malicious destruction or damage, a repeat offender shall be fined under
Title 18, imprisoned for not more than five years, or both. (276)
Additionally, the SCA’s provisions for money damages can address
governmental as well as private transgressions. (277)

b. Title III (Wiretap Act)

ECPA extended the prohibitions in Title III of the Omnibus Crime
Control and Safe Streets Act of 1968 (“Title III”) (278) on
intercepting oral and wire communication to include electronic
communications intercepted during transmission. (279) Title III was
originally intended to protect the privacy of communications by
codifying the Fourth Amendment standards for wiretapping and applying
them to civilians. (280) Now, Title III prohibits any person from
intercepting or attempting to intercept any “wire, oral, or
electronic communication.” (281)

Under Title III, the government needs a court order for a wiretap.
(282) Before issuing such an order, the court will require a showing
that normal investigative techniques for obtaining the information have
failed, are reasonably likely to fail, or are too dangerous to attempt.
(283) It may also require that the government minimize the intrusion of any
interception. (284) The application to the court must provide additional
detail, including: whether there have been previous interceptions of the
target’s communications; the identity of the target (if known); the
nature and location of the communication facilities; and a description
of the type of communications sought and the offenses to which the
communications relate. (285)

Senior DOJ staff, the principal prosecuting attorney of a state, or
an attorney for the government must approve the Title III application,
depending on the circumstances. (286) The interception can last no
longer than thirty days without an extension by the court. (287) Courts
may also require that they receive reports detailing the progress made
toward the authorized objective and the need for continued interception.
(288) In addition, the DOJ has other procedures governing the use of
Title III surveillance, including requiring approval from the Office of
Enforcement Operations (“OEO”) in the Criminal Division of the
DOJ. (289)

i. Defenses

There is a good faith defense available for parties who reasonably
relied on a warrant, grand jury subpoena, statutory authorization, or
other exception to Title III. (290) Title III also allows computer
service providers who are victims of attacks by computer trespassers to
authorize persons acting under color of law to monitor trespassers on
their computer systems in a narrow class of cases without a court order.
(291) A computer trespasser is a person “who accesses a protected
computer without authorization and thus has no reasonable expectation of
privacy in any communications transmitted to, through, or from the
protected computer.” (292) This definition does not encompass those
persons known to have an existing contractual relationship with the
owner or operator for access to all or part of the protected computer.
(293) Interception of an unscrambled satellite communication intended
for retransmission to the public is also not punishable under this
section. (294) Keystroke loggers may also be exempt under Title III.

ii. Penalties

Remedies for violating Title III include criminal sanctions, civil
suits, and adverse employment actions for law enforcement officials.
(296) For repeat offenders, a violation of Title III can result in a
fine, imprisonment for not more than five years, or both. (297) If
offenders violate the statute for purposes other than private financial
gain and the illegally received communication is not scrambled or part
of a cellular telephone communication, punishment is limited to
injunctive relief and, for repeat offenders, a civil fine. (298)

Under the Guidelines, defendants convicted of intercepting
communications or eavesdropping generally receive a base offense level
of nine; defendants will receive a level of six if the offense carries a
statutory maximum term of imprisonment of more than six months and less
than one year. (299) If the purpose of the conduct was to obtain direct
or indirect commercial advantage or economic gain, the offense level is
increased by three. (300) Additionally, if the purpose of the conduct
was to facilitate another offense with a higher offense level, the
guideline applicable to an attempt to commit that offense applies. (301)

Moreover, evidence seized in violation of Title III or the Fourth
Amendment may be suppressed. (302) Additionally, Title III’s
provisions for money damages can address governmental as well as private
transgressions. (303)

c. Statutory Issues

Effectively, Title III governs communications in transit, while the
SCA governs communications in storage. However, while it is clear that
the Wiretap Act governs stored wire communications, courts have
struggled to define the status of electronic communications such as
e-mail, which may be stored temporarily during transmission. In
determining whether an activity falls under the SCA or Title III, courts
have been primarily concerned with the definition of the statutory term
“intercept.” Many decisions have adhered to the view that an
“intercept” is a data acquisition that occurs
contemporaneously with transmission of the data. (304) In Steve Jackson
Games, Inc. v. U.S. Secret Service, (305) the Fifth Circuit reasoned
that, because Congress explicitly included stored communications in the
statutory definition of “wire communication,” (306) its
failure to include stored communications in the definition of
“electronic communications” (307) indicated that Congress
intended to exclude stored communications from the Wiretap Act. (308) In
2002, the Ninth Circuit adopted this analysis, relying in part on the
USA PATRIOT Act. (309) The Eleventh and Third Circuits have also chosen
to follow this analysis. (310)

In contrast, the First Circuit espoused a different view in United
States v. Councilman. (311) In Councilman, the court implicitly rejected
the “contemporaneous acquisition” theory by holding that
interception of electronic communications took place even though the
intercepted e-mails had been stored periodically during transmission,
finding temporary storage during transmission to be intrinsic to the
e-mail process. (312) The Court interpreted the legislative history of
the ECPA to indicate that Congress did not intend to remove electronic
communications from the scope of the Wiretap Act while they are in
temporary storage en route to their destinations. (313)

It is possible to distinguish the facts in Councilman from similar
cases in the other circuits, although the logical extension of the legal
reasoning remains in conflict. For example, in Steve Jackson, (314) the
Fifth Circuit found that unread e-mail in the recipient’s mailbox
is stored and therefore was not intercepted even though the recipient
had not read it yet. (315) However, the interception in Councilman took
place before the file reached the user’s mailbox. (316) The two
cases can be reconciled by assuming that e-mail transmission ends at the
user’s mailbox, not when the user opens the e-mail. (317)

6. Identity Theft

Section 1028 of Title 18 prohibits the knowing transfer,
possession, or use of a means of identification of another person, such
as name, social security number, and date of birth, to commit a crime.
(318) It prohibits the production, (319) transfer, (320) or possession,
in certain circumstances, (321) of false (322) or illegally issued
identification documents. It further prohibits production, transfer, or
possession of a “document-making implement,” (323) with the
intent to use it in the production of a false identification document.
(324) The term “transfer” includes making available online
either a false identification document or a document-making implement.

a. Penalties

The illegal production, transfer, or use of any means of
identification is punishable by a fine, a maximum sentence of five years
imprisonment, or both; (326) the maximum term of imprisonment increases
to fifteen years if the production or transfer involves an
identification document issued under the authority of the United States,
or if it involves more than five fraudulent documents. (327) If the
offense nets the perpetrator more than $1000 in a year, the maximum term
of imprisonment is fifteen years, regardless of the number of means of
identification involved. (328) Up to twenty years imprisonment is
prescribed for these crimes for repeat offenders, if the crime is
intended to aid drug trafficking, or is committed in connection with a
violent crime. (329) There is a maximum sentence of thirty years if the
crime is committed to “facilitate an act … of terrorism.”

The Guidelines ordinarily apply a baseline of six with upward
departures based on the size of the monetary loss. (331) Where the
primary purpose of the offense is to violate, or assist in violating,
immigration laws, different sections apply. (332) Furthermore, where the
established schedule does not fully capture the harmfulness and
seriousness of the conduct, an upward departure beyond that which the
Guidelines recommend is permissible. (333)

7. Wire Fraud Statute

The Federal Wire Fraud Statute (334) prohibits the use of
interstate wire communications to further a fraudulent scheme to obtain
money or property. (335) Several cases have held that the Wire Fraud
Statute applies to computer crimes. (336) District courts have taken
divergent positions as to whether the wire fraud statute reaches
copyright infringement. (337) Partly as a response to these decisions,
Congress amended the Copyright Act to criminalize the willful
infringement of a copyright, by electronic means, “if the
infringement was committed by the reproduction or distribution …
during any 180-day period of 1 or more copies … of one or more
copyrighted works, which have a total retail value of more than
$1000.” (338)

Penalties for violation of the wire fraud statute can be severe.
Violations of the Wire Fraud Statute are punishable by fines,
imprisonment of up to twenty years, or both. (339) If the violation
affects a financial institution, the punishment is a fine of not more
than $1,000,000, imprisonment of not more than thirty years, or both.
(340) Violation of the Wire Fraud Statute is also a predicate offense
for RICO and money-laundering charges. (341)

Defendants convicted of wire fraud are subject to punishment for
deprivation of the intangible right to the honest services. (342) In a
recent case, the Supreme Court limited such criminal penalties to cases
involving bribes and kickbacks. (343) The base offense level is
fourteen, and is increased if the loss to the government or the value
gained by a public official exceeds $5000. (344) If the offense involves
an elected official or one holding a decision-making or sensitive
position, the offense level increases by four. (345) Otherwise, the base
offense level is six and increases according to the table in that
provision if the gain or loss exceeds $5000. (346)

C. Enforcement

Computer crimes are notoriously difficult to prosecute due to both
the nature of the technology itself and the relative unfamiliarity of
law enforcement with the technology. For example, people may encrypt
data so that even if law enforcement seizes or intercepts the data, they
will be unable to understand its contents or use it as evidence. The
nature of the Internet allows people to engage in criminal conduct
online with virtual anonymity. (347) With respect to computer crimes
such as hacking, a victim may never realize that anyone attacked her.
Further impeding law enforcement, many private and commercial entities
that do detect an intrusion are afraid to report offenses due to the
potential for negative publicity. (348)

In 2003, Congress took steps to combat identity theft by passing
the Fair and Accurate Credit Transactions Act. (349) This Act directed
the FTC and other agencies to develop regulations requiring financial
institutions and creditors to address the risk of identity theft. (350)
The FTC in turn issued the “Red Flags Rules,” which require
all such institutions to develop and implement written identity theft
prevention programs. (351) Due to ambiguity of which institutions are
covered under the Rule, the FTC has delayed enforcement of the Rule
several times. (352)

The FBI and DOJ have created numerous programs and deployed new
technologies to aid in the investigation and prosecution of computer
crime. In 2002, the FBI launched its Cyber Division, dedicated to
investigating computer crimes. (353) The Cyber Division is designed to
act as a central coordinator for the FBI divisions that address computer
crimes. (354) Specifically, the Cyber Division is responsible for
criminal investigations of intellectual property, high-tech, and
computer crimes. (355) The Cyber Division also has jurisdiction over
investigations of online child pornography through the Innocent Images
National Initiative (“IINI”). (356) Between fiscal years 1996
and 2007, there was a 2062 percent increase in the number of IINI cases
opened. (357) The FBI also investigates computer crimes through its
Internet Crime Complaint Center (“IC3”), (358) which acts as
an intermediary between law enforcement agencies and victims of computer
fraud. In 2009, the IC3 received 336,655 complaints of Internet-based
fraud and other crimes, a 22.3 percent increase over the previous year.

DOJ’s efforts to combat computer crime are centralized in its
Computer Crime and Intellectual Property Section (“CCIPS”).
(360) The CCIPS is responsible for prosecuting computer crimes, lobbying
for strengthened penalties, and pushing for expanded coverage of the
federal computer crime statutes. (361)

In March of 2004, the DOJ launched a Task Force on Intellectual
Property to signal a renewed emphasis on combating intellectual property
crime. (362) This became part of a multi-agency Strategy Targeting
Organized Piracy (“STOP”) initiative involving the Department
of Commerce, Department of Homeland Security, and the Office of the
United States Trade Representative. (363) The Task Force has called for
an expansion of the Computer Hacking and Intellectual Property
(“CHIP”) program. (364) CHIP units within U.S. Attorney’s
offices work closely with the FBI and other agencies to establish
relationships with the high-tech community and encourage them to refer
cases to law enforcement. (365) In addition to investigating and
prosecuting computer crimes, CHIP provides specialized training for law
enforcement and businesses on preventing, detecting, and investigating
breaches in cyber security. (366) DOJ has continued this focus on
intellectual property crime by forming a new DOJ Task Force on
Intellectual Property in 2010. (367)

DOJ has also stepped up its enforcement of child pornography laws.
Through its Child Exploitation and Obscenity Section (“CEOS”),
DOJ provides training and assistance to law enforcement officers
throughout the country. (368) In 2002, DOJ formed the High Tech
Investigative Unit (“HTIU”) within CEOS. (369) The HTIU is a
multi-agency computer forensic and investigatory unit targeting child
pornography and offenses against children that occur or are facilitated
by the Internet. Prosecution of child pornographers appears to be
increasing, despite the constitutional challenges to the various Federal
Child Pornography statutes. (370) In 2010, the DOJ continued these
efforts through the adoption of its National Strategy for Child
Exploitation Prevention and Interdiction. (371)

Given the global nature of Internet-related crimes, CCIPS and CEOS
must work with many other countries to achieve effective prosecution of
cases involving organized Internet piracy and Internet-related child
exploitation. (372) Even so, the proliferation of computer bulletin
boards, peer-to-peer networking, and other online services has created
an ongoing qualitative and quantitative challenge. (373)


A. Overview of State Criminal Codes

In 1978, state legislatures began enacting computer crime statutes,
beginning with Arizona (374) and Florida. (375) Since then, every state
has enacted some form of computer-specific criminal legislation. (376)
Approximately half of the states modeled their statutes on the 1977 or
1979 versions of the proposed Federal Computer Systems Protection Act,
(377) while the remainder enacted comprehensive computer-assisted crime
statutes less closely related to the proposed federal legislation. (378)
The precise definitions and penalties in these specialized provisions
offer significant advantages over general criminal codes by explicitly
addressing the unique issues posed by computer crimes, thereby promoting
computer security, enhancing deterrence, and facilitating prosecution.

Like the federal statutes, many of the state statutes divide
computer crimes into the same three categories: “crimes where a
computer is the target, crimes where a computer is a tool of the crime,
and crimes where a computer is incidental.” (380)

Reforms in state computer crime statutes have included provisions
expanding forfeiture of computer equipment used in crimes, allowing
state authorities to seize property involved in computer crimes. (381)
Some states have begun to respond to the growing concerns of online
harassment by criminalizing online threats by including electronic
communications under “unconsented contact” in anti-stalking
statutes, (382) and incorporating computers and electronic
communications devices into general telephone harassment statutes. (383)
Other state statutes specifically address the problem of offenders whose
target victims are minors. (384) These statutes, however, may face
significant constitutional challenges on First Amendment grounds. (385)

One particularly widespread initiative among the states is the
effort to thwart unsolicited commercial or bulk e-mail
(“spam”). Thirty-seven states have enacted anti-spam laws
regulating the use of Internet communications to send unsolicited
advertisements for the purpose of promoting real property, goods, or
services for sale or lease. (386)

Other states have recognized that prevention may be less difficult
than apprehending and prosecuting computer criminals. Several states
have enacted statutes that provide a civil cause of action for
compensatory damages, (387) thereby encouraging victims of computer
crimes to come forward.

In order to prevent the proliferation of “spyware,” a
type of software usually unknowingly installed that collects a computer
user’s private information or displays unsolicited advertisements
to the user, several states have enacted “anti-spyware” laws,
often with criminal penalties. (388) In those states that do not have
laws specifically directed to spyware, moreover, those provisions that
address computer crime, fraudulent practices, and identity theft will
often apply to spyware practices. (389) However, spyware companies are
rarely criminally prosecuted. (390)

In the absence of federal legislation, twenty-three states (391)
have passed legislation protecting private personal information and
setting requirements for the use and storage of such data. (392) Most of
these statutes closely follow the provisions of the landmark statute
passed by California in 2002. (393)

In the wake of high-profile cases such as that of Megan Meier,
(394) many states are beginning to address the issue of
“cyber-bullying”. (395) These state statutes are being enacted
in order to cover a perceived lack of legislative coverage at both the
state and federal levels. (396) Cyber-bullying legislation has recently
been proposed at the federal level as well. (397)

B. Enforcement

Prosecution of computer crimes under state law has been increasing.
(398) In 2005, 60 percent of prosecutors’ offices reported
prosecuting either felony or misdemeanor computer-related crimes under
their state’s computer statutes. (399) In addition, 89 percent of
offices serving populations of one million or more reported conducting
such prosecutions. (400) While the prosecution of child pornography was
the most popular charge, state prosecutors have also charged computer
crimes ranging from credit card fraud, to unauthorized access to
computers, to cyber stalking. (401)


Developing an international paradigm for addressing computer crime
is difficult, given the global nature of the technology. This Section
covers issues in international computer crime law and addresses
solutions to these problems, as well as areas of convergence and
cooperation among nations, international organizations, and private

A. Issues

All nations continue to struggle to define computer crimes and
develop computer crime legislation applicable to both domestic and
international audiences. (402) Purely domestic solutions are inadequate
because cyberspace has no geographic or political boundaries, (403) and
because many computer systems can be easily and surreptitiously accessed
from anywhere in the world. (404) International financial institutions
are common targets for computer fraud and embezzlement schemes. (405) In
addition, the development of sophisticated computer technology has
enabled organized crime and terrorist groups to bypass government
detection and carry out destructive acts of violence. (406) Even when
computer-specific criminal statutes are in place, however, the rules of
evidence in several industrialized countries could continue to hinder
prosecutions until those countries adapt the rules to computer crimes. (407)

Countries that restrict their political discourse face the problem
that the Internet provides a source of “illegal” information
that is difficult to regulate. (408) Moreover, what constitutes
“acceptable” speech in the various countries on the
information super-highway differs greatly. In Germany and France, the
dissemination of Nazi propaganda and paraphernalia is illegal. (409)
Such material, however, is easily accessible via the Internet. Countries
observing strict Islamic law have similar problems. (410)

Solutions to freedom of expression issues on the Internet have
varied widely. France and Germany initially tried to target ISPs. (411)
Germany has since decided not to hold ISPs “liable for content they
merely transmit.” (412) China, on the other hand, has implemented
regulations that criminalize the “distribution or consumption via
the Internet of … ‘harmful information.’” (413) Cuba has
addressed the problem by limiting Internet access, allowing only 200,000
of its some eleven million citizens to have access. (414)

Intellectual property crimes are also a serious problem in the
international arena. International software piracy remains endemic.
(415) Software piracy remains at around 43 percent worldwide. (416) In
practical terms, this means that approximately 43 percent of all
business software applications existing on PCs around the world continue
to be unpaid-for, illegal copies. (417)

B. Solutions

While “computer crime” remains loosely defined, most
industrialized countries have amended their law to address four needs
created by computer crimes: (i) protection of privacy; (ii) prosecution
of economic crimes; (iii) protection of intellectual property; (418) and
(iv) procedural provisions to aid in the prosecution of computer crimes.
(419) Worldwide, national governments are adopting computer-specific
criminal codes that address unauthorized access and manipulation of data
similar to the CFAA. (420)

While a number of differences remain, there are significant areas
of convergence in nations’ legislation. (421) By defining specific
new offenses and penalties, these codes avoid analytical difficulties
that arise when general criminal laws are applied to computer crimes.
There have also been two significant steps towards achieving a uniform
transnational legal framework for addressing multinational
computer-related crimes. First, forty-six countries have signed the
Council of Europe’s Treaty on Cybercrime. (422) The Treaty requires
parties to: (i) establish substantive laws against cybercrime; (ii)
ensure that their law enforcement officials have the necessary
procedural authorities to investigate and prosecute cybercrime
effectively; and (iii) provide international cooperation to other
parties in the fight against computer-related crime. (423) The
Convention entered into force for the United States on January 1, 2007.
(424) Second, the United States participates in the Subgroup on
High-Tech Crime at G-8’s Lyon Group. (425) One accomplishment of
the Subgroup is the development of a network that allows law enforcement
authorities of member nations to contact each other for rapid assistance
in investigating computer crime and preserving electronic evidence.

In addition to increased multinational governmental cooperation,
international organizations and private corporations are also working to
combat international computer crimes by contributing to the drive to
harmonize national legislation. (427) For example, the Business Software
Alliance, a software industry trade group, has an international
copyright enforcement program involving national software trade
associations and law enforcement agencies. (428) Nonetheless,
international efforts have been mixed.

2009) (defining computer crime as “[a] crime involving the use of a
computer”); Jo-Ann M. Adams, Comment, Controlling Cyberspace:
Applying the Computer Fraud and Abuse Act to the Internet, 12 SANTA
CLARA COMPUTER & HIGH TECH. L.J. 403, 409 (1996) (defining computer
crime as “those crimes where knowledge of a computer system is
essential to commit the crime”).

(2.) See, e.g., United States v. Saxena, 229 F.3d 1, 4 (1st Cir.
2000) (finding Internet distribution of financial information
constituted fraud against investors); eBay, Inc. v. Bidder’s Edge,
Inc., 100 F.Supp. 2d 1058, 1065-67 (N.D. Cal. 2000) (analyzing a
traditional trespass claim brought as a result of actions occurring on
the Internet); see also infra Part III.B.1 (discussing Internet
distribution of child pornography); infra Part III.B.4 (discussing
copyright infringement).

(3.) See Reno v. ACLU, 521 U.S. 844, 849, 852-53 (1997)
(characterizing the Internet as “an international network of
interconnected computers … [with] content … as diverse as human
thought … comparable … to both a vast library including millions of
readily available and indexed publications and a sprawling mall offering
goods and services.”).

(4.) See Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA.
L. REV. 1003, 1013 (2001) (describing different types of computer crimes
with no real-world analogue); Eric J. Sinrod & William P. Reilly,
Cyber-Crimes: A Practical Approach to the Application of Federal
Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L.J. 177,
181-87 (2000) (discussing “hacking,” which involves
unauthorized access to computer files, programs, or websites).

(5.) See Stephen P. Heymann, Legislating Computer Crime, 34 HARV.
J. ON LEGIS. 373, 373-91 (1997) (analyzing technological advances that
require new criminal legislation).

(6.) See Joseph M. Olivenbaum, Ctrl-Alt-Delete: Rethinking Federal
Computer Crime Legislation, 27 SETON HALL L. REV. 574, 575 n.4 (1997)
(arguing there exists a “protean difficulty [in] defining a
computer crime”). Compare Int’l Ass’n of Machinists &
Aerospace Workers v. Werner-Masuda, 390 F.Supp. 2d 479, 499 (D. Md.
2005) (noting that 18 U.S.C. [section] 2701 is directed against
unauthorized users gaining access to protected computers rather than
against authorized users gaining access for larcenous acts), with
Int’l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir.
2006) (“[18 U.S.C. [section] 1030] is concerned with … attacks by
virus and worm writers … from the outside, and attacks by disgruntled

(7.) See Shannon L. Hopkins, Cybercrime Convention: A Positive
Beginning to a Long Road Ahead, 2003 J. HIGH TECH. L. 101, 108; see also
Chris J. Hoofnagle, Identity Theft: Making the Known Unknowns Known, 21
HARV. J.L. & TECH. 97, 107 (2007) (arguing that victim reluctance to
report computer crimes make statistics suspect); Bob Tedeschi,
E-Commerce Report; Crime is Soaring in Cyberspace, but Many Companies
Keep it Quiet, N.Y. TIMES, Jan. 27, 2003, at C4, available at
crime-soaring-cyberspace-but-many-companies-keep-it-quiet.html (listing
not only loss of consumer confidence, but also “fear of attracting
other cyberattacks” and “inviting the ridicule of their
competitors” as reasons companies fail to report computer crime).

(8.) See Olivenbaum, supra note 6, at 575 n.4 (arguing that the
dual system of prosecution renders statistics suspect).

at 3 (1996) (revealing the Defense Information Systems Agency
intentionally “attacked” 38,000 DOD computers to test security
and of the 24,700 penetrations only 4% were detected, and only 27% of
those were reported).

(10.) Ramona R. Rantala, Cybercrime Against Businesses, 2005,
BUREAU OF JUSTICE STATISTICS, http:// (last updated Oct. 27, 2008).

(11.) Id.

(12.) See DOJ COMPUTER CRIME MANUAL, supra note 1.

(13.) See id.

(14.) See, e.g., Commonwealth v. Sullivan, 768 N.E.2d 529, 532
(Mass. 2002) (affirming a burglary conviction for theft of computers);
State v. Geer, 799 So. 2d 698 (La. Ct. App. 2001) (upholding sentencing
of a man who pled guilty to state burglary charges for stealing a
computer and other items).

(15.) See, e.g., United States v. Coviello, 225 F.3d 54, 62 (1st
Cir. 2000) (stating that, where defendant is convicted for conspiracy to
transport stolen computer disks in interstate commerce, a sentence
enhancement is warranted based on the value of the intellectual property
located on the disks).

(16.) See DOJ COMPUTER CRIME MANUAL, supra note 1, at 2.

(17.) See Reid Skibell, Cybercrimes & Misdemeanors: A
Reevaluation of the Computer Fraud and Abuse Act, 18 BERKELEY TECH. L.J.
909, 919-21 (2003) (contrasting older studies of hackers motivated by
curiosity, voyeurism, or a sense of power with modern observations of
computer “crackers” primarily interested in profit).

(18.) See Julie Tamaki, Famed Hacker Is Indicted by U.S. Grand
Jury, L.A. TIMES, Sept. 27, 1996, at B1, available at
(stating notorious hacker became
an “anti-authority hero in the world of renegade hackers”
when he caused millions of dollars in damage); see also Sinrod &
Reilly, supra note 4, at 183-85 (discussing motives of hackers, such as
sending a political message, being a disaffected employee, or

(19.) See Bob Drogin, U.S. Scurries to Erect Cyber-Defenses
Security: As Threat Rises, Government Task Force Prepares for Internet
Combat, L.A. TIMES, Oct. 31, 1999, at A1 (mentioning that most computer
crimes pending at the FBI involve disgruntled employees who sabotage
computers for revenge); Donna Howell, Network Security Hackers, Security
Firms Wage Code War, INVESTOR’S BUS. DAILY, May 2, 2000, at A8
(discussing how an employee launched an attack against a bank’s
computers from inside the system, even though the bank’s computer
network was secure from external hackers).

(20.) See, e.g., Boucher v. Sch. Bd., 134 F.3d 821, 825-29 (7th
Cir. 1998) (allowing student to be expelled after he wrote an article
about how to hack into the school’s computer, which was published
in an underground newspaper); Thrifty-Tel, Inc. v. Bezenek, 54 Cal.
Rptr. 2d 468, 476-77 (Cal. Ct. App. 1996) (allowing parents to be held
civilly liable for charges when their sons hacked the phone
company’s authorization and access codes).

(21.) See, e.g., Cassell Bryan-Low, Virus for Hire: Growing Number
of Hackers Attack Web Sites for Cash Entrepreneur Asked a Team to
Mastermind Strikes Against Rivals, U.S. Says–WeaKnees on Its Knees,
WALL ST. J., Nov. 30, 2004, at A1 (describing the indictment of a
businessman who paid someone to launch a virus attack against WeaKnees
over a proposed business deal); see also Skibell, supra note 17; Bob
Sullivan, Consumers Still Falling for Phish: FTC, DOJ Announce
Prosecution of Teen-ager, MSNBC, Mar. 22, 2004, (discussing case of
nineteen-year-old college student who pleaded guilty to stealing
identities by using a “phishing” scam); Skibell, supra note

(22.) See Matthew B. Prince, After CAN-SPAM, How States Can Stay
Relevant in the Fight Against Unwanted Messages: How a Children’s
Protection Registry Can be Effective, and Is Not Preempted, Under the
New Federal Anti-Spam Law, 22 J. MARSHALL J. COMPUTER & INFO. L.
29, 45 (2003).

(23.) Darren Waters, Spam Overwhelms E-mail Messages, BBC NEWS
(Apr. 8, 2009), hi/technology/7988579.stm.

(24.) S. REP. No. 108-102, at 6 (2003); see Thomas Claburn, Spam
Costs Billions, INFO. WK. (Feb. 3, 2005),
%20costs%20billions (reporting a study found that spam costs U.S.
companies $21.58 billion annually in lost productivity).

(25.) Katyal, supra note 4, at 1023.

(26.) Id. at 1024.

(27.) Id. at 1024 n.57.

(28.) Id. at 1024.

(29.) Id. at 1026.

(30.) Id.

(31.) Id.

(32.) Id. at 1025.

(33.) See generally Robbin Rahman, Comment, Electronic Self-Help
Repossession and You: A Computer Software Vendor’s Guide to Staying
Out of Jail, 48 EMORY L.J. 1477 (1999) (suggesting ways that software
vendors can restrict their use of logic bombs to avoid legal

(34.) Geoffrey A. North, Carnivore in Cyberspace: Extending the
Electronic Communications Privacy Act’s Framework to Carnivore
Surveillance, 28 RUTGERS COMPUTER & TECH. L.J. 155, 163 (2002).

(35.) Rutrell Yasin, Sniffers Overhauled for E-Biz, INTERNET WK.,
May 5, 2000, at 1.

(36.) Troy Denkinger, The Basics of Sniffing, the Sysadmin’s
Eye Inside the Network, CHI. TRIB., Apr. 6, 2000, at 1.

(37.) Id.

(38.) Katyal, supra note 4, at 1027.

(39.) Id. at 1026.

(40.) Id.

(41.) Id. at 1027.

(42.) Id. at 1026.

(43.) See Intel Corp. v. Hamidi, 71 P.3d 296, 305 n.4 (Cal. 2003)
(citing eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058,
1060-61 (N.D. Cal. 2000)); Laura Quilter, The Continuing Expansion of
Cyberspace Trespass to Chattels, 17 BERKELEY TECH. L.J. 421, 423-24
(2002); Maureen A. O’Rourke, Property Rights and Competition on the
Internet: In Search of an Appropriate Analogy, 16 BERKELEY TECH. L.J.
561, 570-71 (2001).

(44.) See generally EF Cultural Travel BV v. Explorica, Inc., 274
F.3d 577 (1st Cir. 2001).

(45.) DOJ COMPUTER CRIME MANUAL, supra note 1, at 2.

(46.) See, e.g., United States v. Prochner, 417 F.3d 54, 57 (1st
Cir. 2005) (affirming conviction of defendant who obtained credit card
numbers by hacking into secure websites and computer networks).

(47.) See, e.g., United States v. Brown, 237 F.3d 625, 628-29 (6th
Cir. 2001) (upholding enhanced sentence because of computer use in
violating non-computer-dependent child pornography statute).

(48.) See, e.g., Metro-Goldwyn-Mayer Studios, Inc. v. Grokster,
Ltd., 545 U.S. 913 (2005) (holding software distributors who promote the
software’s use to infringe copyright liable for the infringement
carried out by third parties using the software, even if the software
has other lawful uses).

(49.) See, e.g., United States v. Pirello, 255 F.3d 728, 729 (9th
Cir. 2001) (affirming sentence for violation of federal wire fraud
statute where defendant posted a fraudulent solicitation for money on a
classified-ads website).

(50.) U.S. CONST. amend. I.

(51.) See, e.g., Simon & Schuster, Inc. v. Members of N.Y.
State Crime Victims Bd., 502 U.S. 105, 118 (1991) (“[T]he fact that
society may find speech offensive is not a sufficient reason for
suppressing it.”).

(52.) See Brandenburg v. Ohio, 395 U.S. 444, 447 (1969)
(“[T]he constitutional guarantees of free speech and free press do
not permit a State to forbid or proscribe advocacy of the use of force
or of law violation.”).

(53.) See Fallin v. City of Huntsville, 865 So. 2d 473, 475 (Ala.
Crim. App. 2003) (stating that the government may punish a limited class
of speech “made with the intent to carry out the threat, that would
cause a reasonable person who is the target of the threat to fear for
his or her safety”). But see COMPUTER CRIME & INTELL. PROP.
HATE SPEECH AND THE INTERNET (Nov. 1997), available at http:// [hereinafter HATE
SPEECH], (explaining that words on the Internet are unlikely to breach
the peace because of the lack of immediate proximity).

(54.) See Watts v. United States, 394 U.S. 705, 707-08 (1969)
(holding that threats that imply action at an uncertain and future
remote time are not true threats and therefore are protected under the
First Amendment). But see United States v. Hardy, 640 F.Supp. 2d 75,
80-81 (D. Me. 2009) (holding that threats that are “meant to
communicate a serious expression of … intent to [perform] an act of
unlawful violence … cannot reasonably be construed as ‘political
hyperbole’” and are therefore not protected speech).

(55.) See HATE SPEECH, supra note 53 (stating that threats of harm
receive no First Amendment protection and threatening e-mails or
statements via Internet could in many cases be punished); see also
United States v. Morales, 272 F.3d 284, 288 (5th Cir. 2001) (rejecting
defendant’s claim that his threat to kill people at his school
could not constitute a “true threat” because it was made over
the Internet to a third party). But see United States v. Baker, 890 F.
Supp. 1375, 1390 (E.D. Mich. 1995) (granting defendant’s motion to
quash indictment against him for statements he made over the Internet
because they were not true threats).

(56.) See HATE SPEECH, supra note 53 (explaining that harassing
speech must do more than simply anger or distress to lose constitutional

(57.) See id. (“U.S. law does not recognize the notion of
‘harassment’ directed at a general class of persons.”).

(58.) See infra Part III.B.1 (describing the constitutional
challenges to federal child pornography statutes).

(59.) Jaynes v. Commonwealth, 666 S.E.2d 303, 313 (Va. 2008); see
also McIntyre v. Ohio, 514 U.S. 334, 342 (1995) (“[A]n
author’s decision to remain anonymous, like other decisions
concerning omissions or additions to the content of the publication, is
an aspect of freedom of speech protected by the First Amendment.”).

(60.) Jaynes, 666 S.E.2d at 313.

(61.) Pub. L. No. 108-187, 117 Stat. 2699 (2003) (codified at 15
U.S.C. [section][section] 7701-7713 (2006) and 18 U.S.C. [section] 1037
(2006)); see discussion infra Part III.B.3.

(62.) Jaynes, 666 S.E.2d at 313.

(63.) U.S. CONST. amend. IV (“The right of the people to be
secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause, supported by Oath or
affirmation, and particularly describing the place to be searched, and
the persons or things to be seized.”).

(64.) See, e.g., United States v. Jacobsen, 466 U.S. 109 (1984).

(65.) See Orin S. Kerr, Searches and Seizures in a Digital World,
119 HARV. L. REV. 531, 537-38 (2005) (analyzing the differences between
the processes of searching a computer and of searching physical spaces);
see also G. Robert McLain, Jr., United States v. Hill: A New Rule, but
No Clarity for the Rules Governing Computer Searches and Seizures, 14
GEO. MASON L. REV. 1071, 1090-91 (2007) (describing the two camps: those
who think computers can be governed by the rules concerning containers
and those who think computers are fundamentally distinct).

(66.) Katz v. United States, 389 U.S. 347, 360 (1967) (Harlan, J.,

(67.) See Guest v. Leis, 255 F.3d 325, 333 (6th Cir. 2001)
(“Home owners would of course have a reasonable expectation of
privacy in their homes and in their belongings–including
computers–inside the home.”). Compare Leventhal v. Knapek, 266
F.3d 64 (2d Cir. 2001) (finding a reasonable expectation of privacy for
a computer in a private office), with United States v. Angevine, 281
F.3d 1130, 1134-35 (10th Cir. 2002) (rejecting professor’s claim of
a reasonable expectation of privacy in a university computer), and
United States v. Simons, 206 F.3d 392, 398 (4th Cir. 2000) (finding
government employee lacked a reasonable expectation of privacy in his
office computer in light of his employer’s stated policy that
Internet use would be monitored). But see United States v. Caymen, 404
F.3d 1196, 1200-01 (9th Cir. 2005) (finding no reasonable expectation of
privacy in the contents of a computer obtained through theft or fraud).

criminal/cybercrime/PatriotAct.htm (last visited Nov. 5, 2010).

(69.) United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008)
(holding that the warrantless use of computer surveillance techniques
revealing the to and from addresses of e-mail messages, the addresses of
websites visited by defendant, and the total amount of data transmitted
on defendant’s internet account did not constitute a
“search” under the Fourth Amendment).

(70.) See United States v. Hambrick, No. 99-4793, 2000 WL 1062039,
at *4 (4th Cir. Aug. 3, 2000) (holding that the defendant did not have
reasonable expectation of privacy in information provided to his ISP,
including his IP address, name, and billing address).

(71.) See Amitai Etzioni, Implications of Select New Technologies
for Individual Rights and Public Safety, 15 HARV. J.L. & TECH. 257,
277-78 (2002) (stating that skeptics believe the FBI is acquiring more
information when it uses its Internet surveillance software,
“Carnivore,” than it should be entitled to under the

(72.) See United States v. Scarfo, 180 F. Supp. 2d 572, 581 (D.N.J.
2001) (holding that the use of a keystroke logger did not violate the
defendant’s Fourth Amendment rights); Ted Bridis, FBI Develops
Eavesdropping Tools, ASSOC. PRESS, Nov. 22, 2001.

(73.) See United States v. Grimmett, 439 F.3d 1263, 1269 (10th Cir.
2006) (adopting a “forgiving stance” when faced with a
challenge regarding the particularity requirement for computer-related
warrants); United States v. Upham, 168 F.3d 532, 537 (1st Cir. 1999)
(upholding a search warrant authorizing the seizure of “[a]ny and
all computer software and hardware, … computer disks, disk
drives” and “[a]ny and all visual depictions, in any format or
media, of minors engaging in sexually explicit conduct [as defined by
the statute]”). But see United States v. Clough, 246 F.Supp. 2d 84,
87-88 (D.Me. 2003) (holding a search warrant authorizing the seizure of
all text and images contained on a computer as unconstitutionally broad
because it contained “no restrictions on the search, no references
to statutes, and no references to crimes or illegality”).

(74.) Upham, 168 F.3d at 535.

(75.) Compare id. at 532 (upholding warrant allowing seizure of
computer equipment because it is “no easy task to search a
well-laden hard drive” on the premises), with United States v.
Hill, 459 F.3d 966, 974 (9th Cir. 2006) (requiring the government to
show that seizure was made necessary by the impracticality of on-site

(76.) See Horton v. California, 496 U.S. 128 (1990).

(77.) Compare United States v. Highbarger, 380 Fed. App’x. 127
(3d Cir. 2010) (allowing search and seizure of child pornography files
found on a computer while looking for images of drug-related activity
under the plain view exception), United States v. Williams, 592 F.3d
511, 521-24 (4th Cir. 2010) (allowing search and seizure of child
pornography images found while looking for evidence of email threats and
harassment under the plain view exception), United States v. Burgess,
576 F.3d 1078, 1096 (10th Cir. 2009) (allowing search and seizure of
child pornography images found on a hard drive while looking for
computer evidence of drug trafficking under the good faith exception),
and United States v. Wong, 334 F.3d 831, 838 (9th Cir. 2003) (allowing
search and seizure of child pornography found while looking for graphic
files related to a homicide case under the plain view exception), with
United States v. Carey, 172 F.3d 1268, 1273 (10th Cir. 1999)
(invalidating the seizure of child pornography on the defendant’s
computer, when the search warrant only authorized search for
“documentary evidence pertaining to the sale and distribution of
controlled substances”), and United States v. Comprehensive Drug
Testing, Inc., 621 F.3d 1162, 1178 (9th Cir. 2010) (Kozinski, C.J.,
concurring) (“[W]hen the government wishes to obtain a warrant to
examine a computer hard drive or electronic storage medium to search for
certain incriminating files, or when a search for evidence could result
in the seizure of a computer, magistrate judges should insist that the
government forswear reliance on the plain view doctrine.”). The
Third Circuit occupies the middle ground. See United States v. Stabile,
633 F.3d 219, 240-42 (3d Cir. 2011) (holding that investigators
searching for evidence of financial crimes had properly examined the
“lurid” names of files containing child pornography under the
plain view doctrine, without ruling on whether it would have been proper
to view the files themselves).

(78.) See United States v. Lamb, 945 F.Supp. 441 (N.D.N.Y. 1996).

(79.) Id. at 459.

(80.) See United States v. Lacy, 119 F.3d 742, 746 (9th Cir. 1997)
(“[T]he nature of the crime, as set forth in this affidavit,
provided ‘good reason[ ]’ to believe the computerized visual
depictions … would be present … ten months later.”); United
States v. Irving, 452 F.3d 110 (2d Cir. 2006). But see United States v.
Zimmerman, 277 F.3d 426, 435 (3d Cir. 2002) (finding probable cause
based on stale, six-month-old information).

(81.) See United States v. Gray, 78 F. Supp. 2d 524, 529 (E.D. Va.
1999) (“[The] Agent… was not required to accept as accurate any
file name or suffix and limit his search accordingly.”); United
States v. Sissler, No. 1:90-CR-12, 1991 WL 239000, at *4 (W.D. Mich.
Aug. 30, 1991) (reaching same conclusion that agent was not required to
accept file names’ accuracy and to limit search accordingly).

(82.) See United States v. Giberson, 527 F.3d 882, 887 (9th Cir.
2008) (holding that police did not exceed the scope of a warrant
authorizing search for financial documents when they seized a computer
based on evidence that defendant used it to store his financial

(83.) See, e.g., United States v. Hall, 142 F.3d 988, 994-95 (7th
Cir. 1998) (articulating constitutional validity of searches that extend
into hardware and software).

(84.) See id. at 994-95 (upholding a warrant allowing officers to
seize defendant’s computer from a computer repair shop); United
States v. Gawrysiak, 972 F.Supp. 853, 866 (D.N.J. 1997) (approving
seizure of computer files for off-site search because the Fourth
Amendment “does not require the agent to spend days at the site
viewing the computer screens”).

(85.) See Sissler, 1991 WL 239000, at *5 n.7 (declining to uphold
seizure of printer on grounds of practicality because they contain no
internal memory and can be used with a variety of computers).

(86.) Compare State v. Lehman, 736 A.2d 256, 260451 (Me. 1999)
(holding that a warrant “was not unconstitutionally overbroad when
it authorized the seizure of all computer-related equipment” in
suspect’s house), with Burnett v. State, 848 So. 2d 1170, 1173-74
(Fla. Dist. Ct. App. 2003) (holding that a warrant failed when it did
not show a likelihood that child pornography would be found on the
suspect’s computer).

(87.) U.S. CONST. art. I, [section] 8, cl. 3.

(88.) See United States v. Mitra, 405 F.3d 492, 496 (7th Cir.
2005); United States v. Hornaday, 392 F.3d 1306, 1311 (11th Cir. 2004);
United States v. Carnes, 309 F.3d 950 (6th Cir. 2002); United States v.
Gilbert, 181 F.3d 152 (1st Cir. 1999).

(89.) See United States v. Robinson, 137 F.3d 652, 656 (1st Cir.
1998); see also United States v. Corp, 236 F.3d 325, 332 (6th Cir. 2001)
(“[J]urisdictional components of constitutional statutes are to be
read as meaningful restrictions.”). But see United States v. McCoy,
323 F.3d 1114, 1125 (9th Cir. 2003) (“[T]he limiting jurisdictional
factor is almost useless here, since all but the most self-sufficient
child pornographers will rely on film, cameras, or chemicals that
traveled in interstate commerce.”).

(90.) See Robinson, 137 F.3d at 656 (“The jurisdictional
element in [section] 2252(a)(4)(B) requires an answer on a case-by-case

(91.) 545 U.S. 1, 24-33 (2005) (reconciling United States v. Lopez,
514 U.S. 549 (1995), and United States v. Morrison, 529 U.S. 598 (2000),
with Wickard v. Filburn, 317 U.S. 111, 127-28 (1942) (permitting federal
regulation of local activity if there is a “rational basis”
for concluding that such activity in the aggregate can substantially
affect interstate commerce)).

(92.) See United States v. Bowers, 594 F.3d 522, 524, 527-530 (6th
Cir. 2010) (“We cannot envision, after Raich, a circumstance under
which an as-applied Commerce Clause challenge to a charge of
child-pornography possession or production would be successful.”);
United States v. McCalla, 545 F.3d 750, 755-56 (9th Cir. 2008)
(upholding the criminalization of producing “homegrown” child
pornography as constitutional under Raich because it was within the
statute’s comprehensive goal of exterminating the entire child
pornography market).

(93.) See United States v. Maxwell, 446 F.3d 1210 (11th Cir. 2006)
(holding [section] 2252A(a) constitutional as applied to intrastate
possession of child pornography); United States v. Forrest, 429 F.3d 73
(4th Cir. 2005) (same); United States v. Jeronimo-Bautista, 425 F.3d
1266 (10th Cir. 2005) (holding [section] 2251(a) constitutional for the
same reasons).

(94.) See Strassheim v. Daily, 221 U.S. 280, 285 (1911) (holding
that, for criminal jurisdiction over out-of-state conduct, there must
be: (i) an act occurring outside the state; (ii) which is intended to
produce detrimental effects within the state; and (iii) is the cause of
detrimental effects within the state).

(95.) See Terrence Berg, State Criminal Jurisdiction in Cyberspace:
Is There a Sheriff on the Electronic Frontier?, 79 MICH. BUS. L.J. 659,
660 (2000) (explaining that although a resident of one state is affected
by a computer crime, the website may have “a real-world
address” in another state, and may be hosted by an ISP in yet
another state).

(96.) See id. at 659 (explaining that in criminal cases, “the
‘minimum contacts’ analysis does not apply when determining
criminal jurisdiction … [instead] the analysis focuses on the intent
of the defendant and the effects within the forum state”).

(97.) See id. at 661 (“States that have broadened the …
approach by also allowing jurisdiction where a result of the offense,
whether an element or not, occurs in the forum state, are: Arizona,
Kansas, New York, and Missouri.”).

(98.) See WIS. STAT. ANN. [section] 939.03(1)(C) (West 2010)
(extending jurisdiction where the out-of-state person “does an act
with intent that it cause in this state a consequence set forth in a
section defining a crime”).

(99.) See Berg, supra note 95, at 661 (citing CAL. PENAL CODE
[section] 778 (Deering 1998); S.D. CODIFIED LAWS [section] 23A-16-2

(100.) See discussion infra Part III.B.5.b.

(101.) United States v. Mora, 821 F.2d 860, 863 n.3 (1st Cir.

(102.) Pub. L. No. 96-440, 94 Stat. 1879 (1980) (codified at 42
U.S.C. [section] 2000aa).

(103.) 42 U.S.C. [section] 2000aa(a)(1), (b)(1) (2006).

(104.) Id.; see DePugh v. Sutton, 917 F. Supp. 690, 696-97 (W.D.
Mo. 1996) (interpreting the unamended Privacy Protection Act as not
protecting materials used in dissemination of child pornography).


(106.) Compare United States v. Farraj, 142 F. Supp. 2d 484
(S.D.N.Y. 2001) (upholding application of National Stolen Property Act,
18 U.S.C. [section] 2314, to the email transfer of stolen electronic
data), and United States v. Kwan, No. 02 CR. 241(DAB), 2003 WL 21180401,
at *3 (S.D.N.Y. May 20, 2003) (approving of Farraj), with United States
v. Wang, 898 F. Supp. 758, 760 (D. Colo. 1995) (holding that a computer
program does not qualify as “goods, wares, merchandise, securities
or money” for purposes of NSPA).

(107.) See, e.g., United States v. Brown, 237 F.3d 625, 628-29 (6th
Cir. 2001) (upholding increased sentence due to computer use in
violating child pornography statute).

(108.) See, e.g., AOL v. Nat’l Health Care Disc., Inc., 174 F.
Supp. 2d 890, 898-99 (N.D. Iowa 2002) (holding defendant liable under
statute for damage caused by unsolicited bulk e-mail); eBay, Inc. v.
Bidder’s Edge, Inc., 100 F. Supp. 2d 1058, 1069 (N.D. Cal. 2000)
(considering whether violation of statute created potential for
irreparable harm warranting issuance of a preliminary injunction).

[hereinafter U.S.S.G. MANUAL] (indexing the Guidelines applicable to
each statutory violation). Sentences for violations of federal criminal
laws are determined with reference to the United States Sentencing
Guidelines (“Guidelines”). See 18 U.S.C. [section] 3553(a)(4)
(2006). In 2005, the Supreme Court severed the provision that made the
Guidelines mandatory, rendering them “effectively advisory.”
See United States v. Booker, 543 U.S. 220, 245 (2005); see also
Kimbrough v. United States, 552 U.S. 85, 101 (2007) (“[W]hile [the
federal sentencing statute] still requires a court to give respectful
consideration to the Guidelines, see Gall v. United States, [552 U.S.
38, 50-51] (2007), Booker ‘permits the court to tailor the sentence
in light of other statutory concerns as well.’ Booker, 543 U.S. at
245-46.”). District court sentences are reviewed for
reasonableness, and a sentence within the applicable Guidelines range is
presumptively reasonable. Rita v. United States, 551 U.S. 338, 347

(2010), available at http://www. [hereinafter

(111.) United States v. Petersen, 98 F.3d 502, 506-07 (9th Cir.
1996) (finding defendant’s computer programming was a “special
skill” and thus permitting enhancement under the Guidelines where
defendant did not possess formal computer training but demonstrated
knowledge of computers not shared by the general public). But see United
States v. Lee, 296 F.3d 792, 796-99 (9th Cir. 2002) (holding that
developing a basic website does not require “special skills”
as established in Petersen); United States v. Godman, 223 F.3d 320, 323
(6th Cir. 2000) (holding defendant’s computer skills were not
“particularly sophisticated” as required in Petersen, and
therefore finding upward departure to be unwarranted).

(112.) Pub. L. No. 98-473, Title II, Chapter XXI, [section]
2102(a), 98 Stat. 1837, 2190 (1984); see also H.R. REP. No. 98-894, at 9
(1984) (discussing legislative history of Pub. L. No. 98-473 and the
need for computer specific criminal laws).

(113.) Computer Fraud and Abuse Act of 1986, Pub. L. No. 99-474,
[section] 2, 100 Stat. 1213; Pub. L. No. 100-690, Title VII, [section]
7065, 102 Stat. 4404 (1986); USA Patriot Act of 2001, Pub. L. No.
107-56, [section] 814, 115 Stat. 272, 382-84; Cyber Security Enhancement
Act of 2002, Pub. L. No. 107-296, [section] 225, 116 Stat. 2135, 2156;
21st Century Department of Justice Appropriations Authorization Act,
Pub. L. No. 107-273, 116 Stat. 1758 (2002).

(114.) 18 U.S.C. [section] 1030 (2006 & Supp. 2008); see Jo-Ann
M. Adams, Comment, Controlling Cyberspace: Applying the Computer Fraud
and Abuse Act to the Internet, 12 SANTA CLARA COMPUTER & HIGH TECH.
L.J. 403, 424 (1996) (highlighting changes made by 1988, 1989, and 1990
amendments). But see United States v. Drew, 259 F.R.D. 449 (C.D. Cal.
2009) (holding that the CFAA is unconstitutionally vague).

(115.) For example, the 109th Congress considered several
amendments to Title 18, including H.R. 5318, which would add specific
provisions to [section] 1030 regarding remote access, remove some
cyber-crime stipulations regarding foreign contact, and mandate
increased interagency cooperation, and [section] 1789, the Personal Data
Privacy and Security Act of 2005, which would specify the criminal
penalties under [section] 1039.

(116.) 521 U.S. 844 (1997).

(117.) Id. at 870-72.

(118.) Id. at 878-84.

(119.) Id. at 868-69.

(120.) See id. at 880.

(121.) Reno v. American Civil Liberties Union, 521 U.S. 844, 870

(122.) Id. at 872-73.

(123.) 47 U.S.C. [section] 231 (2006).

(124.) ACLU v. Gonzales, 478 F. Supp. 2d 775 (E.D. Pa. 2007).

(125.) Telecommunications Act of 1996, Pub. L. No. 104-104, Title
V, [section] [section] 501-561, 110 Stat. 56, 133-43 (1996) (codified at
18 U.S.C. [section][section] 1462, 1465, 2422 (2006) and at scattered
sections of 47 U.S.C.).

(126.) 47 U.S.C. [section] 223(a)(1)(B).

(127.) Id. [section] 223(d).

(128.) Id. [section] 223(a)(1)(B).

(129.) 521 U.S. 844 (1997).

(130.) See id. at 863-64 (affirming a district court finding that
the statute “sweeps more broadly than necessary and thereby chills
the expression of adults”).

(131.) See id. at 864-66 (distinguishing [section] 223(d) from
similar, constitutionally permissible enactments because it did not
require that patently offensive material lack serious literary,
artistic, political, or scientific value (citing Ginsberg v. New York,
390 U.S. 629 (1968) (banning certain magazine sales to persons under age
seventeen even though magazines were not necessarily obscene to

(132.) Id. (holding that the CDA violated the First Amendment
because it: (a) chilled free speech; (b) criminalized legitimate
protected speech; (c) must be narrowly tailored since it regulated a
fundamental freedom; (d) regulated the content of speech so time, place,
and manner analysis was inapplicable; and (e) was unconstitutionally

(133.) See id. at 872-73 (citing Miller v. California, 413 U.S. 15,
18 (1973) (permitting states to ban obscene speech in order to ensure
the general welfare of their citizens)).

(134.) 47 U.S.C. [section] 223(a) (2006).

(135.) U.S.S.G. MANUAL [section] 2G3.1(b)(1)(C).

(136.) Id. [section] 2G3.1(b)(1)(E).

(137.) Id. [section] 2G3.1(b)(1)(A).

(138.) Id. [section] 2G3.1(b)(4).

(139.) Pub. L. No. 104-208, [section] 121, 110 Stat. 3009, 3009-26
(1996) (amending 18 U.S.C. [section][section] 2241, 2243, 2251, 2252,
2256, 42 U.S.C. [section] 2000aa, and adding 18 U.S.C. [section] 2252A).

(140.) 18 U.S.C. [section][section] 2252A, 2256 (2006 & Supp.

(141.) See id. [section] 2256(8)(C).

(142.) Ashcroft v. Free Speech Coalition, 535 U.S. 234 (2002).

(143.) Pub. L. No. 108-21, 117 Stat. 650 (2003).

(144.) See id. [section] 503, 117 Stat. 680 (codified as amended at
18 U.S.C. [section] 2252A(a)(3)(B)).

(145.) 535 U.S. 234 (2002) (striking down provisions of the CPPA as
overbroad in abridging a significant amount of lawful speech); see also
United States v. Rodriguez-Pacheco, 474 F.3d 434, 436 (1st Cir. 2007);
United States v. Williams, 444 F.3d 1286 (11th Cir. 2006).

(146.) United States v. Williams, 553 U.S. 285, 303 (2008) (stating
that virtual child pornography is permissible as long as it is not
offered up as actual child pornography).

(147.) 18 U.S.C. [section] 1030 (2006 & Supp. 2008). This
Article refers to [section] 1030 as “CFAA” when discussing its
provisions generally, and as the “1996 Act” when
distinguishing between the statute embodied in the 1996 amendments and
its predecessors and successors.

(148.) See, e.g., Othentec Ltd. v. Phelan, 526 F.3d 135, 139 (4th
Cir. 2008); AOL v. Nat’l Health Care Disc., Inc., 174 F. Supp. 2d
890, 898 (N.D. Iowa 2001).

(149.) 18 U.S.C. [section] 1030(e)(2).

(150.) PROSECUTING COMPUTER CRIMES, at 3. DOJ, available at ccmanual/ccmanual.pdf.

(151.) 18 U.S.C. [section] 1030(a)(1).

(152.) See S. REP. No. 99-432, at 6 (1986), reprinted in 1986
U.S.C.C.A.N. 2479, 2484 (obtaining includes reading); see also AOL v.
Nat’l Health Care Disc., Inc., 121 F. Supp. 2d 1255, 1276 (N.D.
Iowa 2000) (same); PROSECUTING COMPUTER CRIMES, supra note 150, at 18
(“[T]he term ‘obtaining information’ is an expansive one
that includes merely viewing information without downloading or copying
a file.”).

(153.) “Financial institution” is defined as: (A) an
institution with deposits insured by the Federal Deposit Insurance
Corporation; (B) the Federal Reserve or a member of the Federal Reserve
including any Federal Reserve Bank; (C) a credit union with accounts
insured by the National Credit Union Administration; (D) a member of the
Federal home loan bank system and any home loan bank; (E) any
institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities Exchange Act of
1934; (G) the Securities Investor Protection Corporation; (H) a branch
or agency of a foreign bank (as such terms are defined in paragraphs (1)
and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the
Federal Reserve Act. 18 U.S.C. [section] 1030(e)(4)(A)-(I) (2006).

(154.) Id. [section] 1030(a)(2); see AOL v. LCGM, Inc., 46 F. Supp.
2d 444, 450 (E.D. Va. 1998) (finding that defendants’ use of AOL
membership to harvest e-mail addresses of other AOL members in order to
send bulk e-mail advertisements (“spam”), in violation of
AOL’s terms of service, violated [section] 1030(a)(2)(C) by
exceeding authorized access and obtaining information).

(155.) 18 U.S.C. [section] 1030(a)(3).

(156.) Id.

(157.) Id. [section] 1030(a)(4). There is an exception if the
defendant obtained only computer use and value of such use is less than
$5000 per year. Id.

(158.) Id. [section] 1030(a)(5)(A)(i).

(159.) 18 U.S.C. [section] 1030(a)(5)(A)(ii)-(iii) (2006).

(160.) EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582
n.10 (1st Cir. 2001); SecureInfo Corp. v. Telos Corp., 387 F. Supp. 2d
593, 608 (E.D. Va. 2005); see Orin Kerr, Cybercrime’s Scope:
Interpreting “Access” and “Authorization” in
Computer Misuse Statutes, 78 N.Y.U. L. REV. 1596, 1624-42 (2003)
(highlighting the courts’ struggle with interpreting
“access” and “authorization”). But see
Hewlett-Packard Co. v. Byd:sign, Inc., No. 6:05-CV-456, 2007 U.S. Dist.
LEXIS 5323, at *37 (E.D. Tex. Jan. 25, 2007) (“The CFAA does not
define ‘authorization’ or ‘authorized access.’ It
does, however, define ‘exceeds authorized access’ as ‘to
authorize a computer with authorization and use such access to obtain or
alter information in the computer that the accessor is not entitled so
to obtain or alter.'” (citing 18 U.S.C. [section]

(161.) See, e.g., Role Models Am., Inc. v. Jones, 305 F. Supp. 2d
564, 566-67 (D. Md. 2004) (granting defendant’s motion to dismiss
because plaintiff had no claim for intentional access based on defendant
passively receiving information due to co-defendant’s using it in
dissertation for degree from defendant); AOL, Inc. v. Nat’l Health
Care Disc., Inc., 121 F. Supp. 2d 1255, 1272-73 (N.D. Iowa 2000)
(finding that “access” under the CFAA means to exercise the
ability to make use of information).

(162.) 18 U.S.C. [section] 1030(a)(5)(A)(ii).

(163.) Id. [section] 1030(a)(5)(A)(iii); see AOL v. LCGM, Inc., 46
F. Supp. 2d 444, 450-51 (E.D. Va. 1998) (finding defendants violated
[section] 1030(a)(5)(C) of the 1996 Act by accessing computers within
AOL’s network without authorization and causing damage to its
computer network, reputation, and goodwill).

(164.) 18 U.S.C. [section] 1030(e)(8); see also In re AOL Version
5.0 Software Litig., 168 F. Supp. 2d 1359, 1372-74 (S.D. Fla. 2001)
(analyzing the ambiguity of pre-Patriot Act assessment of damages under
[section] 1030(a)(5)).

(165.) 18 U.S.C. [section] 1030(a)(6) (2006).

(166.) Id.

(167.) Id. [section] 1030(a)(7).

(168.) Id.

(169.) Id. [section] 1030(d)(1).

(170.) Id. [section] 1030(d)(2), (a)(1).

(171.) 18 U.S.C. [section] 1030(a)(1).

(172.) Id. [section] 1030(a)(5).

(173.) Id. [section] 2332b(g)(5)(B)(i).

(174.) Id. [section] 1030(a)(4).

(175.) United States v. Czubinski, 106 F.3d 1069, 1078-79 (1st Cir.
1997) (reversing conviction because nothing of value was obtained by
defendant’s mere browsing of IRS files); see also P.C. Yonkers,
Inc. v. Celebrations The Party & Seasonal Superstore, LLC, 428 F.3d
504, 508-09 (3d Cir. 2005) (declining to find intent to defraud and
obtain something of value despite proven unauthorized access because
there was “absolutely no evidence as to what, if any, information
was actually viewed”).

(176.) See Czubinski, 106 F.3d at 1078 (finding that prosecutors
failed to show anything more than Czubinski’s intent to merely
“satisfy idle curiosity” about friends and political rivals
when viewing IRS files).

(177.) 18 U.S.C. [section] 1030(a)(5)(B) (2006).

(178.) Id. [section] 1030(a)(5)(B)(i).

(179.) Id. [section] 1030(a)(5)(B)(ii)-(v).

(180.) Id. [section] 1030(b).

(181.) Id. [section] 1030(c).

(182.) 18 U.S.C. [section] 1030(e)(10) (2006).

(183.) Id. [section] 1030(c)(1)(A), (c)(4)(A) (violating [section]
1030(a)(1) and (a)(5)(A)(i) respectively).

(184.) Id. [section] 1030(c)(2)(A).

(185.) Id. [section] 1030(c)(3)(A), (c)(4)(B).

(186.) Id. [section] 1030(c)(2)(B).

(187.) Id. [section] 1030(c)(3)(A), (c)(4)(B).

(188.) 18 U.S.C. [section] 1030(c)(2)(C), (c)(3)(B) (2006).

(189.) Id. [section] 1030(c)(1)(B), (c)(4)(C) (violating [section]
1030(a)(5)(A)(i) and (a)(5)(A)(ii) respectively).

(190.) Id. [section] 1030(c)(5)(A).

(191.) Id. [section] 1030(c)(5)(B).

(192.) U.S.S.G. MANUAL [section] 2M3.2(a).

(193.) Id. [section] 2B1.1. For a complete explanation of the
application of section 2B1.1 and its loss table, see the Mail and Wire
Fraud article in this issue.

(194.) Id. [section] 2B2.3.

(195.) Id. [section] 2B3.2.

(196.) Id. [section] 2X1.1 (setting base offense levels identical
to those assigned to respective completed offenses, but reducing levels
by three points if acts necessary to commit the offense were not
completed or nearly completed). See generally United States v. Abu Ali,
528 F.3d 210, 264-65 (4th Cir. 2008) (discussing the three-point
deduction for conspiracies that “were not on the verge of

(197.) Jay Lyman, Spam Costs $20 Billion Each Year in Lost
Productivity, E-COMMERCE TIMES, (Dec. 29, 2003, 8:30 AM), (reporting a study
finding the cost to businesses from spam is increasing at a rate of
more than 100% per year).

(198.) See Jeffrey D. Sullivan & Michael B. De Leeuw, Spam
After CAN-SPAM: How Inconsistent Thinking Has Made a Hash Out of
Unsolicited Commercial E-Mail Policy, 20 SANTA CLARA COMPUTER & HIGH
TECH. L.J. 887, 891-93 (2004) (discussing the history of anti-spam
legislation in the United States).

(199.) Pub. L. No. 108-187, 117 Stat. 2699 (2003) (codified at 15
U.S.C. [section][section] 7701-7713 and 18 U.S.C. [section] 1037

(200.) Sullivan & De Leeuw, supra note 198, at 888.

(201.) 18 U.S.C. [section] 1037 (2006).

(202.) Id. [section] 1037(a)(2)-(3).

(203.) 15 U.S.C. [section] 7704(a)(5), (d)(1) (2006).

(204.) See The CAN-SPAM Act: A Compliance Guide for Business,
business.pdf [hereinafter Compliance Guide] (explaining the range of
fines and criminal penalties for violations of the CAN-SPAM Act).

(205.) Id.

(206.) Id.

(207.) See Seventh Annual BSA and IDC Global Software Piracy Study,
09_Piracy_Study_Report_A4_final_111010.pdf (finding that the U.S.
software makers lost $8.39 billion to pirated software in 2009).

(208.) Types of Software Piracy, FILEMAKER INC., types.html (last
visited Oct. 23, 2011) (describing ten types of software piracy). This
is up from the six kinds of piracy common in 1999. Report on Global
Software Piracy, SOFTWARE & INFO. INDUS. ASS’N, 7 (2000),

(209.) See Fifth Annual BSA and IDC Global Software Piracy Study,
2007_global_piracy_study.pdf (stating programs that took years and
millions of dollars to develop can be “duplicated or illegally
distributed in minutes with the touch of a button”).

(210.) Id. (claiming a computer user can duplicate an otherwise
expensive product in bulk for no more than the cost of a blank compact

(211.) Id. (noting the quality of pirated software is only slightly
inferior to the original).

(212.) See Kenneth Cohen, No Electronic Theft Act: Policy
Development Team Report, U.S. SENTENCING COMM’N, 19 (Feb. 1999), Reports[Intellectual
Property_and_Tech/199902_NET_Act_Report.pdf (noting that investigators
may have trouble tracking down the creators of infringing websites,
since the creators often change their ISPs to avoid detection).

(213.) Peter Brown & Richard Raysman, Napster Threatens
Copyright Law, 224 N.Y.L.J. 3, 3 (2000) (discussing the ease with which
copyrighted music can be distributed via the Internet with little or no
degradation in quality and exploring the potential for massive copyright
infringement because of technological advances).

(214.) Copyright Act, 17 U.S.C. [section] 506(a) (2006); Criminal
Penalties for Copyright Infringement, Pub. L. No. 102-561, 106 Stat.
4233 (1992) (codified at 18 U.S.C. [section] 2319 (2006)).

(215.) 17 U.S.C. [section] 506(a).

(216.) Id. An enforceable copyright must be registered with the
Register of Copyrights, be original, and be fixed in a tangible medium
of expression. Id. [section][section] 102(a), 411(a); Schrock v.
Learning Curve Int’l, Inc., 586 F.3d 513, 517 (7th Cir. 2009).

(217.) 17 U.S.C. [section] 506(a)(1)-(2) (“Evidence of
reproduction or distribution of a copyrighted work, by itself, shall not
be sufficient to establish willful infringement.”). Courts are
split as to whether “willful” refers to intent to copy or
intent to infringe. Compare Repp v. Webber, 132 F.3d 882, 889 (2d Cir.
1997) (noting violators are liable for unconscious copyright
infringement of musical compositions), with United States v. Moran, 757
F. Supp. 1046, 1052 (D. Neb. 1991) (finding no willful intent to
infringe even where there was evidence of intentional copying).

(218.) 17 U.S.C. [section] 506(a)(2).

(219.) The actual realization of commercial advantage or financial
gain is not required under [section] 506(a), just that infringement was
done for such a purpose. United States v. Cross, 816 F.2d 297, 301 (7th
Cir. 1987).

(220.) 17 U.S.C. [section] 506(a)(1)(A)-(C).

(221.) 17 U.S.C. [section] 109(a) (2006). See Quality King
Distribs., Inc. v. L’anza Research Int’l, Inc., 523 U.S. 135,
152 (1998) (“[O]nce the copyright owner places a copyrighted item
in the stream of commerce by selling it, he has exhausted his exclusive
statutory right to control its distribution.”); Bourne v. Walt
Disney Co., 68 F.3d 621, 632-33 (2d Cir. 1995) (applying the first sale
doctrine to challenged conduct).

(222.) Microsoft Corp. v. Harmony Computers & Elec., Inc., 846
F. Supp. 208, 212 (E.D.N.Y. 1994) (holding that defendants’ failure
to meet their burden of proving a chain of title precluded applicability
of first sale doctrine).

(223.) 17 U.S.C. [section] 109(d) (noting the first sale doctrine
does not apply to “any person who has acquired possession of the
copy or phonorecord from the copyright owner, by rental, lease, loan, or
otherwise, without acquiring ownership of it”); Adobe Sys., Inc. v.
One Stop Micro, Inc., 84 F. Supp. 2d 1086, 1089 (N.D. Cal. 2000)
(stating a copyright owner “does not forfeit his right of
distribution by entering into a licensing agreement”).

(224.) 17 U.S.C. [section] 107 (2006).

(225.) Id.

(226.) Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 591 (1994)
(noting that transformative uses are more likely to be fair); Sony Corp.
v. Universal City Studios, 464 U.S. 417, 449 (1984) (noting that
commercial uses are presumptively unfair, and noncommercial and
nonprofit activity is presumptively fair).

(227.) See, e.g., Stewart v. Abend, 495 U.S. 207, 237 (1990)
(noting that factual works are more likely to be fair than fictional
works); A.V. v. iParadigms, LLC, 562 F.3d 630, 640 (4th Cir. 2009)
(stating that a use is less likely to be fair when it is a creative

(228.) See, e.g., Harper & Row, Publishers, Inc. v. Nation
Enters., 471 U.S. 539, 564-66 (1985) (holding that the greater the size
or importance of the portion of the work that is used the less likely
the use falls under the “fair use” defense).

(229.) See id. at 568 (“To negate fair use one need only show
that if the challenged use ‘should become widespread, it would
adversely affect the potential market for the copyrighted
work.'” (quoting Sony, 464 U.S. at 468)).

(230.) Campbell, 510 U.S. at 578.

(231.) See, e.g., Stewart, 495 U.S. at 238 (noting that the fourth
factor is the main fair use factor); Harper & Row, 471 U.S. at 566
(stating that the fourth factor is “the single most important
element of fair use”).

(232.) 18 U.S.C. [section] 2319 (2006 & Supp. 2008).

(233.) Id. [section] 2319(c)(1).

(234.) U.S.S.G. MANUAL [section] 2B5.3 (2011).

(235.) Id. [section] 2B5.3(a).

(236.) Id. [section] 2B5.3 cmt. n.2.

(237.) Id. [section] 2B5.3(b)(1).

(238.) Pub. L. No. 105-304, 112 Stat. 2863 (1998) (codified as
amended at 17 U.S.C. [section][section] 1201-1205 (2006)).

(239.) 17 U.S.C. [section][section] 1201-1205 (2006 & Supp.

(240.) Id. [section] 1201(a)(1)(A). See, e.g., CoxCom, Inc. v.
Chaffee, 536 F.3d 101, 104 (1st Cir. 2008) (describing how
defendants’ digital cable filter blocked pay-per-view purchase data
from being transmitted to cable company).

(241.) 17 U.S.C. [section] 1201(a)(3)(B); see also The Digital
Millennium Copyright Act of 1998: U.S. Copyright Office Summary, U.S.
COPYRIGHT OFFICE, 3-4 (Dec. 1998),

(242.) Id. [section] 1201(a)(3)(A).

(243.) See Universal City Studios, Inc. v. Reimerdes, 111 F. Supp.
2d 294, 325 (S.D.N.Y. 2000) (stating that it is a violation of [section]
1201 to place a hypertext link to another site that offers technology
circumvention measures on one’s website, where the purpose of the
hypertext link is to provide the user with access to a technology
circumvention measure).

(244.) This category includes computer code designed to circumvent
encryption software protecting a digital work. See id. In Reimerdes, the
court declined to extend First Amendment protection to computer code
because although it is “expressive,” it is also functional,
and the court may legitimately regulate the undesirable consequences of
its functions. See id. at 304 (stating that the expressive element of
computer code “no more immunizes its functional aspects from
regulation than the expressive motives of an assassin immunize the
assassin’s action”).

(245.) See, e.g., Sony Computer Entm’t Am., Inc. v.
GameMasters, 87 F. Supp. 2d 976, 985 (N.D. Cal. 1999) (granting
preliminary injunction based on evidence that the sale of “game
enhancers,” devices that circumvented a mechanism on the game
console that ensured console would operate only when encrypted data was
read from authorized CD-ROMs, likely violated [section] 1201); see also
Davidson & Assoc. v. Jung, 422 F.3d 630, 641 (8th Cir. 2005)
(holding that the computer game purchasers’ development of an
alternative to the sellers’ online gaming service, which allowed
other purchasers to access the service without an encoded identification
key, is “circumvention”).

(246.) See RealNetworks, Inc. v. Streambox, Inc., No. 2:99CV02070,
2000 WL 127311, at *9 (W.D. Wash. Jan. 18, 2000) (holding that the
circumvention does not have to act directly against the technology
protection measure itself). But see MGE UPS Sys., Inc. v. GE Consumer
and Industrial, Inc., 622 F.3d 361, 366 (5th Cir. 2010) (declining to
construe “bypass” or “avoid” to include use of a
copyrighted work after circumvention simply because access to the work
would have been controlled except for the circumvention as such a
construction extends DMCA beyond its intended reach); see also Universal
City Studios, Inc. v. Corley, 273 F.3d 429, 443 (2d Cir. 2001) (finding
that the DMCA “does not concern itself with the use of …
materials after circumvention has occurred”) (emphasis in

(247.) 17 U.S.C. [section] 1201(a)(2) (2006). With the exception of
manufacturers of a certain type of VCR, manufacturers of devices that
could be used to illegally copy or access copyrighted works are not
mandated to implement technological measures preventing consumers from
using it in that manner. See id. [section] 1201(c)(3) (“Nothing in
this section shall require that the design of … a consumer
electronics, telecommunications, or computing product provide for a
response to any particular technological measure….”).

(248.) Id. [section] 1201(d) (excepting non-profit library,
archive, and educational institutions), (e) (excepting governmental law
enforcement and intelligence activities), (f) (excepting reverse
engineering in cases where a person has lawfully obtained a copy of a
computer program in order to make it interoperable with other programs),
(g) (excepting encryption research); [section] 1201(h) (providing an
exception for protection of minors), (i) (providing exception for
personal privacy, where the technological measure or the work it
protects invades that privacy), (j) (excepting security testing).

(249.) 111 F. Supp. 2d 294 (S.D.N.Y. 2000).

(250.) Id. at 322 (“The use of technological means of
controlling access to a copyrighted work may affect the ability to make
fair uses of the work.”).

(251.) Id. at 323 (stating Congress expressly considered this
problem and included the exceptions listed in [section] 1201(d)-(j) in
direct response).

(252.) See id. (reiterating Congress’s conviction that this
limitation preserves legitimate uses of the fair use defense).

(253.) 17 U.S.C. [section] 1202 (2006).

(254.) Id. [section] 1202(c)(1)-(6).

(255.) Id. [section] 1202(c)(8).

(256.) Id. [section] 1202(a)-(b). But see Kelly v. Arriba Soft
Corp., 336 F.3d 811, 822 (9th Cir. 2003) (holding an Internet search
engine that stores and displays “thumbnail” versions of visual
images without their copyright management information would be a prima
facie violation of [section] 1202, but it is justified under the
“fair use” doctrine).

(257.) 17 U.S.C. [section] 1202(c)(7).

(258.) 17 U.S.C. [section] 512 (2006 & Supp. 2010). But see
A&M Records, Inc. v. Napster, Inc., 284 F.3d 1091, 1099 (9th Cir.
2002) (affirming that a file sharing service is not an ISP eligible for
the safe harbor defense because it is not a “passive conduit”
for information transmission).

(259.) 17 U.S.C. [section] 512(c)(1)(A)-(C); see also ALS Scan,
Inc. v. RemarQ Cmtys., Inc., 239 F.3d 619, 625 (4th Cir. 2001)
(discussing notification requirements under DMCA and noting that, with
respect to multiple works, it is not required to identify all of the
works–a representative list is sufficient).

(260.) 17 U.S.C. [section] 1204 (2006 & Supp. 2010).

(261.) Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as
amended at 18 U.S.C. [section][section] 2510-2521, 2701-2710, 3121-3126

(262.) Pub. L. No. 99-508 [section][section] 101-303. The Fifth
Circuit interpreted ECPA as supplementing the Communications Act of 1934
(codified as amended at scattered sections of 47 U.S.C.). Accordingly,
the court held that concurrent prosecution under both acts does not
violate the Double Jeopardy Clause of the Fifth Amendment. United States
v. Crawford, 52 F.3d 1303, 1306-07 (5th Cir. 1995).

(263.) Pub. L. No. 99-508, 100 Stat. 1848 (1986) (dividing the Act
into Title I, the Wiretap Act, Title II, the Stored Communications Act,
and Title III, the Pen Register Act).

(264.) Pub. L. No. 99-508 [section] 101(a) (amending [section]
2510(1)) (broadening statutory definition of communications covered to
include those “affecting interstate or foreign commerce”).

(265.) Id. [section] 105(b) (amending 47 U.S.C. [section] 2516)
(granting law enforcement officers the power to file an application to a
Federal judge to get authorization to intercept electronic
communications where such interception may provide evidence of any
Federal felony).

(266.) See United States v. Petersen, 98 F.3d 502, 504-05 (9th Cir.
1996) (upholding ECPA conviction for hacking into telephone system).

(267.) See supra Section III.B.2 (discussing CFAA).

(268.) Compare United States v. Chick, 61 F.3d 682, 687-88 (9th
Cir. 1995) (permitting government to use ECPA to prosecute defendant for
pirating modified satellite descramblers), and United States v. Harrell,
983 F.2d 36, 37-38 (5th Cir. 1993) (acknowledging ECPA’s proper
application to modified satellite descramblers), with United States v.
Shriver, 989 F.2d 898, 904-07 (7th Cir. 1992) (concluding [section] 2512
covers sale or ownership of satellite descramblers only if descramblers
are designed primarily to pirate satellite-transmitted broadcasts).

(269.) 18 U.S.C. [section] 2701(a) (2006).

(270.) Id. See generally Orin Kerr, A User’s Guide to the
Stored Communications Act, and a Legislator’s Guide to Amending it,
72 GEO. WASH. L. REV. 1208 (2004) (stating that author’s goal is to
present the statute’s reasonable effectiveness as well as its

(271.) 18 U.S.C. [section] 2707(e) (2006); McCready v. eBay, Inc.,
453 F.3d 882, 892 (7th Cir. 2006).

(272.) 18 U.S.C. [section] 2701(c)(1).

(273.) Id. [section] 2701(c)(2).

(274.) Id. [section] 2701(b)(1)(A).

(275.) Id. [section] 2701(b)(1)(B).

(276.) Id. [section] 2701(b)(2)(B).

(277.) 18 U.S.C. [section] 2707(a) (2006) (authorizing civil suits
against any “person or entity” other than the United States in
violation of ECPA’s substantive provisions); see also Organizacion
JD Ltda. v. DOJ, 18 F.3d 91, 94-95 (2d Cir. 1994) (per curiam) (holding
that governmental “entities” can be subject to liability under
[section] 2707(a) where appellants were intended recipients of
electronic fund transfers seized by DEA agents); Konop v. Hawaiian
Airlines, Inc. (In re Hawaiian Airlines, Inc.), 355 B.R. 225, 232 (D.
Haw. 2006) (holding that damages may be assessed at $1000 per

(278.) 18 U.S.C. [section][section] 2510-2521 (2006 & Supp.

(279.) Electronic Communications Privacy Act of 1986, Pub. L. No.
99-508, [section][section] 101-111, 100 Stat. 1848, 1848-59 (1986); see
United States v. Suarez, 906 F.2d 977, 980 (4th Cir. 1990) (discussing
relevant legislative history).

(280.) See S. REP. No. 90-1097, at 28 (1968), reprinted in 1968
U.S.C.C.A.N. 2112, 2113 (explaining that Title III codifies Katz v.
United States, 389 U.S. 347 (1967) and Berger v. New York, 388 U.S. 41

(281.) 18 U.S.C. [section] 2511(1)(a).

(282.) Id. [section] 2511(2)(a)(ii)(A).

(283.) Id. [section] 2518(3)(c).

(284.) Id. [section][section] 2518(4)-(5).

(285.) Id. [section][section] 2518(4)(a)-(c).

(286.) 18 U.S.C. [section] 2516 (2006).

(287.) Id. [section] 2518(5).

(288.) Id. [section] 2518(6).

(289.) See “Carnivore” and the Fourth Amendment: Hearing
Before the Subcomm. on the Constitution of the H. Comm. on the Judiciary,
106th Cong. (2000) (statement of Kevin V. DiGregory, Deputy Assistant
Att’y Gen., DOJ) [hereinafter DiGregory Statement] (explaining OEO
reviews each proposed Title III application to ensure that the
interception satisfies Fourth Amendment requirements, and is in
compliance with applicable statutes and regulations).

(290.) 18 U.S.C. [section] 2520(d) (2006); McCready v. eBay, Inc.,
453 F.3d 882, 892 (7th Cir. 2006).

(291.) 18 U.S.C. [section] 2511(2) (2006).

(292.) 18 U.S.C. [section] 2510(21) (2006).

(293.) Id.

(294.) 18 U.S.C. [section] 2511(4)(b) (2006).

(295.) See United States v. Ropp, 347 F. Supp. 3d 831, 838 (C.D.
Cal. 2004); United States v. Scarfo, 180 F. Supp. 2d 572, 581 (D.N.J.
2001) (holding that the use of a keystroke logger did not violate
[section] 2510 because it did not capture keystrokes while the
computer’s modem was active).

(296.) 18 U.S.C. [section][section] 2511, 2513, 2520, 2521 (2006
& Supp. 2010); see DiGregory Statement, supra note 289 (listing
remedies for violating Title III by improperly intercepting electronic

(297.) 18 U.S.C. [section] 2511(4)(a).

(298.) Id. [section] 2511(5)(a)(ii).

(299.) U.S.S.G. MANUAL [section] 2H3.1(a).

(300.) Id. [section] 2H3.1(b)(1).

(301.) Id. [section] 2H3.1(c)(1).

(302.) See 18 U.S.C. [section] 2515 (2006); United States v.
Giordano, 416 U.S. 505 (1974) (holding that, with regards to wiretap
interception, statutory exclusionary rule of Title III provides
protection beyond the judicially created exclusionary rule under the
United States Constitution); Alderman v. United States, 394 U.S. 165,
176 (1969); Simmons v. United States, 390 U.S. 377, 389 (1968).

(303.) See 18 U.S.C. [section] 2520(a) (2006) (authorizing civil
suits against any “person or entity” other than the United
States, in violation of ECPA’s substantive provisions); see also
Smoot v. United Transp. Union, 246 F.3d 633 (6th Cir. 2001) (holding a
private individual liable); Brown v. Waddell, 50 F.3d 285, 294 (4th Cir.
1995) (holding that law enforcement use of “clone pagers” to
intercept numeric transmissions received on digital display pagers
violated [section] 2511 and thus subjected state officials to civil

(304.) E.g., In re Pharmatrak, Inc., 329 F.3d 9, 22 (1st Cir.
2003); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113 (3d Cir.
2003) (“[A]n ‘intercept’ … must occur contemporaneously
with transmission.”).

(305.) 36 F.3d 457 (5th Cir. 1994).

(306.) 18 U.S.C. [section] 2510(1) (2006).

(307.) Id. [section] 2510(12).

(308.) Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457,
462-63 (5th Cir. 1994).

(309.) Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876-78 (9th
Cir. 2002).

(310.) United States v. Steiger, 318 F.3d 1039, 1048-49 (11th Cir.
2003); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113-14 (3d Cir.

(311.) 418 F.3d 67 (1st Cir. 2005) (en banc).

(312.) Id. at 80; see also United States v. Szymuszkiewicz, 622
F.3d 701, 706 (7th Cir. 2010) as amended, (Nov. 29, 2010). But see ORIN
S. KERR, COMPUTER CRIME LAW 457 (2006) (noting that the court did not
decide whether there was an interception but suggested in dicta that
there was).

(313.) Councilman, 418 F.3d at 76-78.

(314.) 36 F.3d 457 (5th Cir. 1994).

(315.) Id. at 458.

(316.) 418 F.3d at 70.

(317.) The court in Councilman implied that the transmission ends
when the recipient opens the e-mail, id. at 71, but this language may be
dicta because the e-mail was intercepted before being placed in the
recipient’s mail box.

(318.) 18 U.S.C. [section] 1028(a)(7), (d)(7) (2006).

(319.) Id. [section] 1028(a)(1); see, e.g., United States v.
Rashwan, 328 F.3d 160, 165 (4th Cir. 2003) (holding that aiding and
abetting the production of fraudulent documents is also covered).

(320.) 18 U.S.C. [section] 1028(a)(2).

(321.) E.g., id. [section] 1028(a)(3) (prohibiting possession of
five or more false or stolen identification documents with the intent to
use them unlawfully or to transfer them).

(322.) Id. [section] 1028(d)(4) (“[A] document of a type
intended or commonly accepted for the purposes of identification of
individuals that is not issued by or under the authority of a
governmental entity; and appears to be issued by or under [such]

(323.) Id. [section] 1028(d)(2) (“[D]ocument-making implement
means any … computer file, computer disc, electronic device, or
computer hardware or software, that is specifically configured or
primarily used for making an identification document, a false
identification document, or another document-making implement.”);
see United States v. Cabrera, 208 F.3d 309, 314-15 (1st Cir. 2000)
(defining “primarily used” as referring to “the
particular use to which the defendant put the device, not its
‘general’ use within society”).

(324.) Id. [section] 1028(a)(5).

(325.) Id. [section] 1028(d)(10).

(326.) Id. [section] 1028(b)(2).

(327.) Id. [section] 1028(b)(1).

(328.) Id.

(329.) Id. [section] 1028(b)(3).

(330.) Id. [section] 1028(b)(4).

(331.) U.S.S.G. MANUAL Table 2B1.1.

(332.) Id. [section][section] 2L2.1, 2L2.2, 2B1.1

(333.) Id. [section] 2B1.1 cmt. n. 19; see United States v. Khalil,
214 F.3d 111, 124 (2d Cir. 2000) (applying a three-part test to find an
upward departure appropriate: whether the reasons articulated by the
court are of a kind that may be appropriately relied upon to justify the
departure, whether the findings of fact underlying the court’s
reasoning are clearly erroneous, and whether, giving considerable
deference to the lower court, the departure is reasonable).

(334.) 18 U.S.C. [section] 1343 (2006 & Supp. 2008). See
generally the Mail and Wire Fraud article in this issue.

(335.) Id. [section] 1343.

(336.) See United States v. Pirello, 255 F.3d 728, 732 (9th Cir.
2001) (holding that fraudulently soliciting money on a website violated
wire fraud statute); United States v. Briscoe, 65 F.3d 576, 580-81 (7th
Cir. 1995) (holding that fraudulent transfer of funds through a computer
system violates wire fraud statute).

(337.) Compare United States v. Wang, 898 F. Supp. 758, 759 (D.
Colo. 1995) (holding that computer programs are property and
infringement thereof may be prosecuted under both the Copyright Act and
the Wire Fraud Statute), with United States v. LaMacchia, 871 F. Supp.
535, 540-44 (D. Mass. 1994) (dismissing wire fraud charge because
infringement is not criminal).

(338.) 17 U.S.C. [section] 506(a)(1) (2006); see United States v.
Rothberg, 222 F. Supp. 2d 1009, 1018 (N.D. Ill. 2002) (discussing the
amendment to the statute).

(339.) 18 U.S.C. [section] 1343.

(340.) Id.

(341.) 18 U.S.C. [section] 1961 (2006).

(342.) 18 U.S.C. [section] 1346 (2006); United States v. Rybicki,
354 F.3d 124, 142 (2d Cir. 2003) (upholding a statute that extended the
coverage of wire fraud to deprivation of right of honest services in the
case of insurance fraud).

(343.) Skilling v. United States, 130 S. Ct. 2896, 2931 (2010)
(construing [section] 1346 narrowly so as to avoid a finding of

(344.) U.S.S.G. MANUAL [section] 2C1.1(a)(1),(b)(2).

(345.) Id. [section] 2C1.7(b)(1)(A); see, e.g., United States v.
Mack, 159 F.3d 208, 220 (6th Cir. 1998) (applying [section]
2C1.7(b)(1)(B) to a prison security chief); United States v. ReBrook, 58
F.3d 961, 969 (4th Cir. 1995) (upholding increase in offense level
pursuant to [section] 2C1.7(b)(1)(B) for wire fraud conviction based on
video lottery systems because defendant was a public official holding
high-level decision-making or sensitive position).

(346.) U.S.S.G. MANUAL [section] 2B1.1; see, e.g., United States v.
Catalfo, 64 F.3d 1070, 1082-83 (7th Cir. 1995) (upholding sentencing
enhancement for wire fraud by illegal computerized futures trading
because defendant could have foreseen possible loss from his conduct and
was therefore accountable for monetary loss under former [section]

(347.) See Pornography, Technology, and Process: Problems and
Solutions on Peer-to-Peer Networks: Hearing Before the S. Judiciary
Comm., 108th Cong. (2003) (statement of John Malcolm, Deputy Assistant
Attorney General, Criminal Division, DOJ) [hereinafter Malcolm

(348.) See supra note 7 and accompanying text (discussing
victims’ reluctance to report computer crimes).

(349.) Pub. L. No. 108-159, [section] 114 (codified at 15 U.S.C.
[section] 1681m (2006)).

(350.) Id.

(351.) Press Release, FTC, FTC Extends Enforcement Deadline for
Identity Theft Red Flags Rule (May 5, 2010), available at

(352.) Id. (delaying enforcement until Dec. 31, 2010).

(353.) E.g., Piracy Deterrence and Education Act of 2003: Hearing
on H.R. 2517 Before the Subcomm. on Courts, the Internet, and
Intellectual Property of the H. Comm. on the Judiciary, 108th Cong. 23
(2003) (statement of Jana Monroe, Assistant Director, FBI Cyber

(354.) See id.

(355.) See FBI, Cyber Crime, cyber/cyber (last visited Feb.
5, 2011).

(356.) See FBI, Innocent Images,
us/investigate/cyber/innocent/innocent (last visited Feb. 5, 2011).

(357.) See FBI, Innocent Images National Initiative, (last
visited Feb. 5, 2011).

Feb. 5, 2011).

(359.) See id. at 3.

(360.) See generally DOJ, Computer Crime & Intellectual
Property Section, cybercrime/index.html
(providing cases, recent law, reports, and other documents related to
computer crime) (last visited Feb. 5, 2011).

(361.) See Prosecution of Intellectual Property Crimes and the
‘STOP!’ Initiative: Hearing Before the Subcomm. on Oversight
of Government Management, the Fed. Workforce, and the District of
Columbia of the S. Comm. on Homeland Security and Governmental Affairs,
109th Cong. (2005) (statement of Laura H. Parsky, Deputy Assistant
Att’y Gen., Criminal Division, DOJ) (describing recent initiatives
of CCIPS targeting online piracy, fraud and illicit peer-to-peer network
file sharing) [hereinafter Parsky I.P. Crime Statement].

(362.) Press Release, DOJ, Attorney General Alberto R. Gonzales
Renews Commitment to Justice Department’s Intellectual Property
Task Force (Mar. 9, 2005), (last visited Feb.
5, 2011).

(363.) See id.

(364.) See id.

(365.) See id.; see also Parsky I.P. Crime Statement, supra note
361 (describing the CHIP program in detail).

(366.) See Parsky I.P. Crime Statement, supra note 361.

(367.) Press Release, DOJ, Justice Department Announces New
Intellectual Property Task Force as Part of Broad IP Enforcement
Initiative (Feb. 12, 2010), (last visited
Feb. 5, 2011).

(368.) See generally DOJ, Child Exploitation and Obscenity Section, index.html (providing cases, recent
law, testimony, reports, and other documents related to child
pornography) (last visited Feb. 5, 2011).

(369.) See Sexual Crimes Against Children: Hearing on H.R. 2388 and
H.R. 2318 Before the H. Comm. on the Judiciary, 109th Cong. (2005)
(statement of Laura H. Parsky, Deputy Assistant Att’y Gen.,
Criminal Division, DOJ) [hereinafter Parsky Sex Crimes Statement].

(370.) See id. (stating that in 1997, 352 defendants were charged
with child pornography crimes and 299 convicted and in 2004, 1486 cases
were filed and 1066 convicted); Eric Holder, Deputy Attorney Gen., DOJ,
Remarks at the International Conference on Combating Child Pornography
on the Internet (Sept. 29, 1999) (stating that federal prosecutions of
Internet child pornographers have increased 10% every year since 1995,
and approximately 400 Internet child pornographers are prosecuted each
year), cybercrime/dagceos.html. But see
supra Part III.B.1. (describing the constitutional challenges to federal
child pornography statutes).

(371.) Press Release, DOJ, Department of Justice Releases First
National Strategy for Child Exploitation Prevention and Interdiction
(Aug. 2, 2010), available at

(372.) See, e.g., Press Release, DOJ, Justice Department Announces
Eight Charged in Internet Piracy Crackdown (July 28, 2005)
(“Operations … resulted in a total of more than 200 search
warrants executed in 15 countries; [one operation] alone has yielded a
total of 30 U.S. felony convictions and another 10 convictions
overseas.”); Press Release, U.S. Customs Serv., 45 Children
Rescued, 20 Arrests in U.S. Customs, Danish Police Investigation of
Global Child-Molesting, Pornography Ring (Aug. 9, 2002); Press Release,
U.S. Customs Serv., U.S. Customs, 10 Foreign Countries, Serve Multiple
Search Warrants on Internet Child Pornography Ring (Mar. 20, 2002).

(373.) See Parsky I.P. Crime Statement, supra note 361 (describing
the growth of online piracy); id. (describing the burgeoning problem of
child pornography and the ease, speed, and anonymity of distribution
over the Internet).

(374.) ARIZ. REV. STAT. ANN [section] 13-2316 (2000).

(375.) FLA. STAT. [section][section] 815.01-815.07 (1996 &
Supp. 1999).

(376.) ALA. CODE [section][section] 13A-8-100 to 13A-8-103 (1994);
ALASKA STAT. [section][section] 11.46.200(a)(3), 11.46.484(a)(5),
11.46.740, 11.46.985, 11.46.990 (2000); ARIZ. REV. STAT. ANN.
[section][section] 13-2301 (E), 13-2316 (2000); ARK. CODE ANN.
[section][section] 5-41-101 to 5-41-108 (1997); CAL. PENAL CODE
[section][section] 502, 1203.047 (West 1998 & Supp. 2004); COLO.
REV. STAT. [section][section] 18-5.5-101 to 5-102 (2000); CONN. GEN.
STAT. [section][section] 53a-250 to 53a-261 (1999 & Supp. 2001);
DEL. CODE ANN. tit. 11, [section][section] 931-939 (1995 & Supp.
2000); FLA. STAT. [section][section] 815.01-.07 (2000); GA. CODE ANN.
[section][section] 16-9-90 to 16-9-94 (1998); HAW. REV. STAT.
[section][section] 708-890 to 708-893 (1999); IDAHO CODE ANN.
[section][section] 18-2201 to -2202, 26-1220 (1997); 720 ILL. COMP.
STAT. 5/16D-1 to -7 (1998 & Supp. 1999); IND. CODE
[section][section] 35-41-2-3, 35-43-1-4 (1998); IOWA CODE ANN.
[section][section] 716A.1-.16 (West 1993 & Supp. 2000); KAN. STAT.
ANN. [section] 21-3755 (1995 & Supp. 1999); KY. REV. STAT. ANN.
[section][section] 434.840-.860 (1999); LA. REV. STAT. ANN.
[section][section] 14:73.1-.5 (1997 & Supp. 2001); ME. REV. STAT.
ANN. tit. 17-A, [section][section] 431-433 (West Supp. 2000); MD. CODE
ANN., CRIM. LAW [section] 7-302 (West 2004); MASS. GEN. LAWS ch. 266,
[section][section] 30, 33A, 120F (1992 & Supp. 2000); MICH. COMP.
LAWS [section][section] 752.791 to .797 (1991 & Supp. 2000); MINN.
STAT. [section][section] 609.87-.894 (1998); MISS. CODE ANN.
[section][section] 97-45-1 to -13 (2000); MO. REV. STAT. [section]
569.095 (1994) (amended by Stolen Property–Services–Penalty
Provisions, 2002 Mo. Legis. Serv. 194 (West)); MONT. CODE ANN.
[section][section] 45-6-310, -311 (1999); NEB. REV. STAT.
[section][section] 28-1343 to -1348 (1995); NEV. REV. STAT.
[section][section] 205.473-.491 (2007); N.H. REV. STAT. ANN.
[section][section] 638:16-19 (1996 & Supp. 2005); N.J. STAT. ANN.
[section][section] 2A:38A-1 to -6 (West 2000), 2C:20-23 to -34 (West
1995 & Supp. 2000); N.M. STAT. [section][section] 30-45-1 to -7
(2006); N.Y. PENAL LAW [section][section] 156.00-.50 (McKinney 2006);
N.C. GEN. STAT. [section][section] 14-453 to -457 (2005); N.D. CENT.
CODE [section] 12.1-06.1-08 (1997 & Supp. 2003); OHIO REV. CODE ANN.
[section] 2913.04 (West 2007); OKLA. STAT. ANN. tit. 21,
[section][section] 1951-1958 (West Supp. 2001); OR. REV. STAT.
[section][section] 164.125, 164.377 (1999); 18 PA. CONS. STAT. ANN.
[section] 7601, 7603, 7611, 7615, 7616 (West Supp. 2003); R.I. GEN. LAWS
[section][section] 11-52-1 to -8 (2000); S.C. CODE ANN.
[section][section] 16-16-10 to -40 (Law. 1985 & Supp. 2000) (amended
by Computer Abuse Act of 2002, 2002 S.C. Acts 169); S.D. CODIFIED LAWS
[section][section] 43-43B-1 to -8 (1997); TENN. CODE ANN.
[section][section] 39-14-601 to -603 (1997 & Supp. 2000); TEX.
PENAL CODE ANN. [section][section] 33.01 to .04 (Vernon 1994 & Supp.
2001); UTAH CODE ANN. [section][section] 76-6-701 to -705 (1999 &
Supp. 2000); VT. STAT. ANN., tit. 13, [section][section] 4101-4107
(Supp. 1999); VA. CODE ANN. [section][section] 18.2-152.1 to .15 (1996
& Supp. 2000); WASH. REV. CODE [section][section] 9A.52.110-.130
(1998); W. VA. CODE. [section][section] 61-3C-1 to -21 (2000); WIS.
STAT. [section] 943.70 (1998); WYO. STAT. ANN. [section][section] 6-3-501
to -505 (1999 and Supp. 2000).

(377.) S. 240, 96th Cong. [section] 1 (1979); S. 1766, 95th Cong.
[section] 1 (1977); see also Federal Computer Systems Protection Act:
Hearings on S. 1766 Before the Subcomm. on Criminal Laws and Procedures
of the S. Comm. on the Judiciary, 95th Cong. 170-71 (1978) (setting forth
proposed 1977 legislation).

(378.) See Robin K. Kutz, Note, Computer Crime in Virginia: A
Critical Examination of the Criminal Offenses in the Virginia Computer
Crimes Act, 27 WM. & MARY L. REV. 783, 789-90 (1986) (stating that
Ohio and Massachusetts took a third approach, choosing only to
“redefine certain terms in their criminal codes to ensure that
their statutes covered computers and computer-related intangible

(379.) See Jerome Y. Roache, Computer Crime Deterrence, 13 AM. J.
CRIM. L. 391, 392 (1986) (explaining how prosecution is aided by
eliminating the need for prosecutors, attorneys, and judges to
rationalize the application of a traditional criminal law in a
technical, computer-related context).

(380.) See, e.g., Computer Crime and Intellectual Property
Section–United States Dep’t of Justice, The National Information
Infrastructure Protection Act of 1996: Legislative Analysis, (last visited Feb. 5, 2011);
see also Marc D. Goodman, Why the Police Don’t Care About Computer
Crime, 10 HARV. J. L. & TECH. 465, 468-69 (1997).

(381.) See CAL. PENAL CODE [section] 502.01 (West 1998 & Supp.
2004); N.J. STAT. ANN. [section] 2C:64-1 (West 1995 & Supp. 2000);
N.M. STAT. ANN. [section] 30-45-7 (1997). Illinois distributes half the
forfeited proceeds to the local government agency that investigated the
computer fraud for training and enforcement purposes, and half to the
county in which the prosecution was brought, where it is placed in a
special fund and appropriated to the State’s Attorney for use in
training and enforcement. 720 ILL. COMP. STAT. 5/16D-6 (1998 & Supp.

(382.) See ALASKA STAT. [section] 11.41.270 (2000); MICH. COMP.
LAWS ANN. [section] 750.411(h)(e)(vi) (West Supp. 2000); OKLA. STAT.
ANN. tit. 21, [section] 1173 (West Supp. 2001); WIS. STAT. [section]
947.0125 (2001); WYO. STAT. ANN. [section] 6-2-506 (1999).

(383.) ALA. CODE [section] 13A-11-8(b)(1)(a) (1994 & Supp.
2000); CONN. GEN. STAT. [section] 53a-183 (2001); IDAHO CODE ANN.
[section] 18-6710(3) (1997); N.Y. PENAL LAW [section] 240.30 (McKinney
1989 & Supp. 2001).

(384.) E.g., MICH. COMP. LAWS ANN. [section] 750.145(d) (West Supp.

(385.) See Am. Booksellers Found. for Free Expression v.
Strickland, 601 F.3d 622 (6th Cir. 2010) (overturning a district
court’s finding that an Ohio statute prohibiting dissemination over
the internet of materials harmful to minors was unconstitutional); Vives
v. City of New York, 405 F.3d 115 (2d Cir. 2005) (challenging a New York
statute criminalizing sending non-threatening materials with “the
intent to alarm”); ACLU v. Johnson, 194 F.3d 1149 (10th Cir. 1999)
(finding a New Mexico statute criminalizing dissemination by computer of
material harmful to minors violated First Amendment); Southeast
Booksellers Ass’n v. McMaster, 371 F. Supp. 2d 773 (D.S.C. 2005)
(invalidating on First Amendment grounds a state statute providing
criminal sanctions for disseminating harmful material to minors as
applied to digital electronic files sent or received via Internet).

(386.) Alaska, Arizona, Arkansas, California, Colorado,
Connecticut, Delaware, Florida, Georgia, Idaho, Illinois, Indiana, Iowa,
Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Missouri,
Nevada, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma,
Pennsylvania, Rhode Island, South Dakota, Tennessee, Texas, Utah,
Virginia, Washington, West Virginia, Wisconsin, and Wyoming all have
enacted some permutation of anti-spam legislation. See State Spam Laws
(Feb. 10, 2010),

(387.) See ARK. CODE ANN. [section] 5-41-106 (1997); CONN. GEN.
STAT. [section] 52-570b (Supp. 1999); DEL CODE ANN. tit. 11, [section]
939 (1995 & Supp. 2000); GA. CODE ANN. [section] 16-9-93 (1998); 720
ILL. COMP. STAT. 5/16D-3(4)(c) (1998 & Supp. 1999); MO. REV. STAT.
[section] 537.525 (1994); N.J. REV. STAT. [section][section] 2A:38A-1 to
2A:38A-6 (2000); OKLA. STAT. ANN tit. 21, [section] 1955 (West Supp.
2001); R.I. GEN. LAWS [section] 11-52-6 (2000); W. VA. CODE [section]
61-3C-16 (2000).

(388.) See State Spyware Laws (Dec. 29, 2009),

(389.) Id.

(390.) See Benjamin Edelman, “Spyware”–Research,
Testing, Legislation and Suits,
spyware/#suits (last visited Feb. 5, 2011).

(391.) Arkansas, California, Connecticut, Delaware, Florida,
Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana,
Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio,
Pennsylvania, Rhode Island, Tennessee, Texas, and Washington.

(392.) See, e.g., CAL. CIV. CODE [section] 1798.29(a), [section]
1798.82 (West 2007); ARK. CODE ANN. [section][section] 4-110-101 to 108

(393.) See, e.g., CAL. CIV. CODE [section] 1798.29(a), [section]
1798.82 (West 2007); ARK. CODE ANN. [section][section] 4-110-101 to
4-110-108 (2007) (requiring individuals, businesses and state agencies
that acquire, own or license personal information of Arkansas residents
provide reasonable security measures to protect that information).

(394.) See, e.g., Jennifer Steinhauer, Verdict in MySpace Suicide
Case, N.Y. TIMES, Nov. 26, 2008, available at (last
visited Feb. 5, 2011) (discussing a teenage girl who committed suicide
after being bullied via MySpace by the mother of one of her classmates).

(395.) E.g., NEV. REV. STAT. [section] 388.123 (2009); MASS. GEN.
LAW ANN. ch. 71, [section] 370 (West 2010) (effective May 3, 2010).

(396.) In the Meier case, for example, the defendant could only be
charged under the Computer Fraud and Abuse Act (18 U.S.C. [section] 1030
(2006)), which is intended to prevent unauthorized access to computer
systems, and was eventually acquitted. See Cyberbullying: Responses,

(397.) E.g., Megan Meier Cyberbullying Prevention Act, H.R. 3224,
111th Cong. (2009); SAFE Internet Act of 2009, S. 1047, 111th Cong.

PROSECUTORS: PROSECUTORS IN STATE COURTS, 2005, 5 (2006), available at (last
visited Feb. 5, 2011).

(399.) Id.

(400.) Id.

(401.) Id.

(402.) See generally Kate Reder, Ashcroft v. ACLU: Should Congress
Try, Try, and Try Again, or Does the International Problem of Regulating
Internet Pornography Require an International Solution?, 6 N.C. J.L.
& TECH. 139 (2004); Computer Crime & Intellectual Prop. Section,
DOJ, International Aspects of Computer Crime (providing cases, laws,
testimony, reports, and other documents related to international efforts
to combat cybercrime), (last visited Feb. 5,

(403.) See Reno v. ACLU, 521 U.S. 844, 851 (1997) (defining
cyberspace as a “unique medium … located in no particular
geographical location but available to anyone, anywhere in the world,
with access to the Internet”).

(404.) See Walter Gary Sharp, Sr., Note, Redefining National
Security in Today’s World of Information Technology and Emergent
Threats, 9 DUKE J. COMP. & INT’L L. 383, 384 (1999); see also
Steve Shackelford, Note, Computer-Related Crime: An International
Problem in Need of an International Solution, 27 TEX. INT’L L.J.
479, 494 (1992).

(405.) See generally the Financial Institutions Fraud, Mail and
Wire Fraud, and Securities Fraud articles in this issue.

(406.) See, e.g., Katyal, supra note 4, at 1048-49 (describing how
Ramsi Yousef, who masterminded the 1993 World Trade Center bombing, used
encryption to store details of scheme on his laptop computer).

(407.) See Chris Reed, The Admissibility and Authentication of
Computer Evidence–A Confusion of Issues, 5th BILETA Conference (2005);
CRIMINAL EVIDENCE 380-85 (3d ed. 1997) (describing problems with current
English evidentiary regime, and agreeing with proposed changes); THE LAW

(408.) See Amy Knoll, Any Which Way But Loose: Nations Regulate the
Internet, 4 TUL. J. INT’L & COMP. L. 275 (1996) (describing and
evaluating legislation in Belarus, China, Croatia, the European Union,
France, Germany, Russia, Singapore, and the United States).

(409.) The German Penal Code (Strafgesetzbuch) proscribes
distributing any fascist or other related literature. STRAFGESETZBUCH
[StGB] [PENAL CODE], May 15, 1871, Federal Law Gazette I, 945, as
amended, [section] 86 (Ger.); Code penal [C. pen.] R. 645-1 (Fr.).

(410.) See Ahmad Mardini, Gulf-Culture: Officials Worry About
Smut on Internet, INTER PRESS SERV. (1996).

(411.) See Yahoo! Inc. v. La Ligue Contre le Racisme et
L’Antisemitisme, 433 F.3d 1199 (9th Cir. 2006) (en banc)
(dismissing suit where three judges held that there was no jurisdiction
and three held that the suit is not ripe); see also Elissa A.
Okoniewski, Yahoo!, Inc. v. LICRA: The French Challenge to Free
Expression on the Internet, 18 AM. U. INT’L L. REV. 295 (2002)
(showing the legal tensions between nations as cultural and
constitutional norms come into conflict); Silvia Ascarelli &
Kimberley A. Strassel, Two German Cases Show How Europe Still Is
Struggling to Regulate Internet, WALL ST. J., Apr. 21, 1997, at B9;
Silvia Ascarelli, Two On-Line Services Companies Investigated in Racial
Hatred Case, WALL ST. J., Jan. 26, 1996, at B2.

(412.) See Silvia Ascarelli, Technology & Takeovers: Politician
Is Acquitted in Internet Case in Berlin, WALL ST. J. EUR., July 1, 1997,
at 11.

(413.) Michael Laris, Beijing Launches a New Offensive to Squelch
Dissent on Internet, WASH. POST, Dec. 31, 1997, at A16 (describing

(414.) See Ray Sanchez, Cuba Cutting Internet Access, SUN SENTINEL,
May 7, 2009, available at

SEVENTH ANNUAL BSA/IDC GLOBAL SOFTWARE PIRACY STUDY (2010), available at (last visited Nov. 5,

(416.) Id. (up from forty-one percent in the previous year).

(417.) Id.

(418.) Laura H. Parsky, Deputy Assistant Attorney Gen., DOJ,
Remarks at International Conference on Intellectual Property Protection
(Oct. 14, 2004) (describing international cooperation in combating
intellectual property crime), (last visited
Nov. 5, 2010).

(419.) See Ulrich Sieber, Computer Crimes and Other Crimes Against
Information Technology: Commentary and Preparatory Questions for the
Colloquium of the AIDP in Wuerzburg, 64 REV. INT’L DE DROIT PENAL
67, 69-70 (1993) (discussing adoption of computer crime legislation).

(420.) See, e.g., Computer Misuse Act, 1990, c. 18 (U.K.).

(421.) See Cybercrimes–Coordinated Effort to Attack Cybercrimes, 3
No. 1 CYBERSPACE L. 32, 32 (1998) (discussing cooperative effort to
coordinate Internet legislation between Britain, Canada, France,
Germany, Italy, Japan, Russia, and the United States); Cole Durham, The
Emerging Structures of Criminal Information Law: Tracing the Contours of
a New Paradigm: General Report for the AIDP Colloquium, 64 REV.
INT’L DE DROIT PENAL 79, 97-109 (1993) (discussing patterns of
convergence in computer crime legislation with regard to unauthorized
access, unauthorized interception, unauthorized use of computer,
alteration of data or programs, computer sabotage, computer espionage,
unauthorized use or reproduction of computer programs, unauthorized
reproduction of topography, computer forgery, and computer fraud).

(422.) Council of Europe, Chart of Signatures and Ratifications,
available at
?NT=185&CM=1&DF=08/11/2010&CL=ENG (last visited Feb. 5,
2011) (noting that forty-six countries have signed the treaty including
four parties outside of the Council of Europe).

(423.) Council of Europe, Convention on Cybercrime, opened for
signature Nov. 23, 2001, C.E.T.S. No. 185, (last visited
Feb. 5, 2011).

(424.) See International Aspects of Computer Crime, U.S.
Feb. 5, 2011).

(425.) Fighting Cybercrime: Hearing Before the Subcomm. on Crime of
the H. Comm. on the Judiciary, 107th Cong. 1 (2001) (statement of
Michael Chertoff, Assistant Att’y Gen. Criminal Division), legacy/72616.pdf (last visited Feb. 5,

(426.) Id.

(427.) See Durham, supra note 421, at 97 n.51 (citing efforts by
Council of Europe, OECD, and United Nations).

(last visited Feb. 5, 2011).