Brenner: Bits, Bytes, and Bicycles

817 BRENNER .FI NAL OR .DOCX 817 B RENNER .
FI NAL (DO NOT DE LE TE)
11/13/2013 1:49 PM1:48 PM
Bits, Bytes, and Bicycles: Theft and Cyber Theft
SUS AN W. BRENNER*
INTRODUCTION
An intimate relationship between the law of larceny and the things that men value is clear.1 n the preface to Thirteen Ways to Steal a Bicycle,2 Professor Green uses the actual and potential varieties of bicycle theft as a metaphor to illustrate the messy complexity that currently characterizes American theft law.3 My goal in this article is to supplement his analysis by addressing technology s role in exacerbating the evolving complexity of what was once a relatively straightforward common law crime. 4
I
1 2
* NCR Distinguished Professor of Law & Technology, University of Dayton S chool of Law. Professor Brenner specializes in cyber conflicts, such as cybercrime, cyber terrorism, and cyber warfare. E-mail: susanwbrenner@yahoo.com. JEROME HALL , THEFT, LAW AND S OCIETY 80 (2d ed. 1952). S TUART P. G REEN, 13 WAYS TO S TEAL A BICYCLE : THEFT LAW IN THE INFORMATION A GE x (2012).
3
See id. S pecifically, Professor Green says he uses the metaphor to convey the messy complexity that characterizes theft laws moral content. Id. S ince my approach to law and cyber threats, including cybercrimes, is grounded in an instrumentality theory derived from the sociology of knowledge, I do not focus on its moral content in my analysis. See, e.g. , S usan W. Brenner, Toward a Criminal Law for Cyberspace: Distributed Security, 10 B.U. J. SCI. & TECH. L. 1, 2-5 (2004) [hereinafter Brenner, Distributed Security ]; see also P ETER BERGER & THOMAS LUCKMANN, THE S OCIAL CONSTRUCTION OF REALITY: A TREATISE IN THE S OCIOLOGY OF KNOWLEDGE 4 (1966); S USAN W. BRENNER, CYBERTHREATS : EMERGING FAULT LINES OF THE NATION-S TATE 13-23 (2009); see generally Paul H. Robinson, Why Does the Criminal Law Care What the Layperson Thinks is Just?: Coercive Versus Normative Crime Control, 86 VA. L. REV. 1839, 1839-41 (2000) (discussing the instrumental approach to criminal law and its impact on the Model Penal Code).
4
See, e.g. , 4 WILLIAM BLACKSTONE : COMMENTARIES ON THE LAWS OF ENGLAND 230 (1769) (internal quotation marks omitted) (S imple larc eny . . . is t`he felonious taking, and carrying away, of the personal goods of another. ). Accord Definition of Indictable Crimes, 2 Del. Cas. 235, 236 (Del. 1797). For the origins of common law theft, see HALL , supra note 1, at 3-33. For
817
817 BRENNER .FI NAL OR .DOCX 817 B RENNER .FI NAL (DO NOT DE LE TE)
11/13/2013 1:49 PM1:48 PM
818
Ne w E ng la n d La w Re vie w
v. 47 | 817
More precisely, my goal is to demonstrate how our use of digital technology is generating issues that go not only to the applicability of current American theft law but to the general concept of theft. I shall make no attempt to analyze all of the outlier theft issues that have arisen and are likely to arise.5 My ambitions are far more modest: in the sections below, I demonstrate that our use of cyberspace allows us to engage in conduct that shares certain characteristics with the traditional conception of theft, but otherwise deviates from the empirical assumptions that shaped the common law version of that offense. I also speculate about the advisability of expanding our conception of theft so it also encompasses what I shall refer to as cyber theft. I offer a definition of cyber theft and explain how it differs from theft in Part I.A. In Part I.B, I review cases that illustrate the conceptual and empirical differences between the two phenomena. My purpose is to demonstrate that there is a significant residual category of harm that shares certain characteristics with theft but is not clearly encompassed by existing theft statutes. In Part II, I analyze how, if at all, criminal law should deal with this state of affairs. One issue I consider is whether the crime we know as theft can, and should, be extrapolated to encompass scenarios in which the harm inflicted on the victim is more about emotional distress than about the loss of traditional property, tangible or otherwise.6 The issue here is whether we should expand our conception of theft to encompass deprivations of nontraditional interests. It seems to me that, as I explain below, we have three options for dealing with this type of conduct: we can expand our notions of theft to encompass non-traditional interests; we can create a new, cognate offense that criminalizes nonconsensual takings of interests that do not qualify as property as it is currently defined; or we can decide this is not a harm the criminal law needs to address.7 I also address another, very different issue: criminals use of cyberspace to steal property of whatever type means that their chances of
the evolution of common law larceny, see, for example, 3 WAYNE R. LAFAVE , S UBSTANTIVE CRIMINAL LAW 19.1(a), at 57-59 (2d ed. 2003). 5 See, e.g. , Guerrero v. State, 277 P.3d 735, 741 (Wyo. 2012) (reversing a servers conviction for theft based on manipulating a computer cashier program because the prosecution did not prove a taking); S tate v. Claborn, No. 11AP 549, 2012 WL 1078930, at *6 (Ohio Ct. App. Mar. 30, 2012) (holding that a state employee committed a theft offense unauthorized use of property using the state's computer and the state's access to a proprietary database).
6
See infra Part II.A. As to the nature of the property interests encompassed by the crime of theft, see, for example, LAFAVE, supra note 4, 19.4(a), at 78-79, for an explanation of modern theft statutes, which include both tangible and intangible property. See also D EL . CODE A NN. tit. 11, 933 (2012) (defining the crime of theft of computer services).
7
See infra Part II.B.
11/13/2013 1:49 PM1:48 PM
2013
Bit s , Byt e s , a nd B ic ycle s
819
being apprehended and punished for their crimes are negligible, and often nonexistent.8 This creates an untenable situation because we rely on a credible threat of apprehension and punishment to keep crime under control; absent that threat, there is no disincentive to offend. 9 This state of affairs therefore raises the question of whether we should treat criminals use of cyberspace as an exacerbative harm that we incorporate into our definitions of theft, just as our predecessors incorporated other circumstances when they created new versions of the offense. 10 I. Theft and Cybertheft: Definitions and Iterations Cyberthieves loot $400,000 from city bank account. 11 It is difficult to define cyber theft with any precision given as it is stillevolving. However, some litigation is illustrative of the basic types of cyber theft. At the same time, it is undecided whether criminal law is the proper venue to address the distinct harms that emerge from criminals use of cyberspace to misappropriate property of vary ing types. A. Definitions [U]sing an online computer service, such as one on the Internet, to steal someone elses property or to interfere with someone elses use and enjoyment of property .12 According to the 2009 edition of Blacks Law Dictionary , the above definition of cyber theft was added in 1994, which probably accounts for the rather antiquated reference to using an online computer service.13 That archaism does not, though, affect the content of the definition, which differs from Blacks definition of traditional theft in one notable respect: The
8 9
See infra Part III.A. See BRENNER, supra note 3, at 6-64. 10 See, e.g. , L AFAVE , supra note 4, 20.3, at 172-73 (noting that the offense of robbery was created to address theft under circumstances involving a danger to the victim that required greater punishment).
11
Jaikumar Vijayan, Cyberthieves Loot $400,000 from City Bank Account, Cybercrime and Hacking , COMPUTERWORLD.COM (Oct. 15, 2012, 4:05 PM), http://www.computerworld.com/s/article/9232372/Cyberthieves_loot_400_000_from_city_ban k_account (detailing the sequence of events surrounding the electronic theft of over $400,000 from a local bank). For a similar instance of cy ber theft, see infra Part II.B.1. 12 B LACK' S L AW D ICTIONARY 444 (9th ed. 2009). The ninth edition of the dictionary does not define the term Internet. See id. at 893.
13
See id. at 444.
11/13/2013 1:49 PM1:48 PM
820
v. 47 | 817
dictionary defines theft as the felonious taking and removing of another s personal property with the intent of depriving the true owner of it.14 This conception of theft is subsumed within Blacks definition of cybertheft, in part, as using online technology to steal someone elses property.15 Black s defines steal as [t]o take (personal property) illegally with the intent to keep it unlawfully. 16 So, since keeping another s property unlawfully deprives the true owner of its possession and use, cybertheft encompasses theft, according to Blacks Law Dictionary .17 Blacks authors did not, however, merely equate theft and cybertheft. Instead, they defined cyber theft (1) as depriving another of their property and (2) as using online technology to interfere with someone elses use and enjoyment of property.18 Logically, interfering with someones use and enjoyment of her property is a lesser infringement than taking and removing the true owner s property with the intent to deprive her of it.19
14
Id. at 1615. See also M ODEL P ENAL CODE 223.2(1) (2011) (A person is guilty of theft if he unlawfully takes . . . movable property of another with [the] purpose to deprive him thereof.). As a Kansas court noted, theft was traditionally not concerned with mere . . . tampering, but rather require[d] permanent deprivation, i.e., the intent to deprive the owner permanently of the possession, use, or benefit of the owner's property. Kansas v. Allen, 917 P.2d 848, 853 (Kan. 1996) (citation omitted). See, e.g., State v. York, 5 Del. 493, 1854 WL 854, at *1 (1854) (holding that an indentured servant who took a horse to escape pursuers when fleeing his owner but had no intention of depriving the owner of his property was not guilty of larceny).
15 16
See supra note 12 and accompanying text. BLACK' S LAW D ICTIONARY, supra note 12, at 1548. 17 See S usan W. Brenner, Is There Such a Thing as Virtual Crime?, 4 CAL. CRIM . L. REV . 1, 47-49 (2001) [hereinafter Brenner, Virtual Crime]. This is true of traditional, zero -sum property but is, as we shall see, not necessarily true of various types of non-traditional, digital property. See infra notes 20-2223 and accompanying text.
18 19
See supra note 12 and accompanying text (emphasis added). See supra note 14 and accompanying text. Blacks does not define either interfere or deprive. A more generic but highly respected dictionary defines deprive as deny . . . the possession of use of something and defines interfere as get in the way of . . . handle or adjust without permission. CONCISE O XFORD ENGLISH D ICTIONARY 385, 738 (Rev. 10 th ed. 2002). This dictionary defines deny as refuse to give (something r equested or desired) to someone. Id. at 383. If one applies these definitions, it is reasonable to conclude that interference is a lesser infringement than deprivation. One author used joyriding and vehicle theft to illustrate this proposition. See Lydia Pallas Loren, Digitization, Commodification, Criminalization: The Evolution of Criminal Copyright Infringement and the Importance of the Willfulness Requirement, 77 WASH. U. L. Q. 835, 859 (1999) (noting that a joyrider commits theft by temporarily interfering with an automobile owners use of the property, notwithstanding a lack of intent to permanently deprive the automobiles owner of its use). But see M ODEL PENAL CODE 223.0(1) (Official Draft and Revised Comments, 1980) ([D]eprive means . . . to withhold property of another permanently or for so extended a period as to appropriate a major portion of its economic value, or . . . so as to make it unlikely that the owner will
11/13/2013 1:49 PM1:48 PM
2013
821
Theft and cyber theft are distinguished on the basis that theft is a zerosum offense, in which sole possession of the property, such as funds, information, or software, is transferred from the rightful owner to the thief, while cybertheft is a non-zero-sum offense.20 The non-zero-sum offense consists of interfering with, rather than carrying away, the rightful owner s property with the intention to permanently, and wholly, deprive him or her of its possession and use. The dynamic usually involved in non-zerosum theft consists of the cyber-thiefs copying data that belongs to someone else and carrying [the copy] away.21 This scenario does not involve a zero-sum offense because the victim retains possession of his or her property albeit in diminished capacity because the victim is no longer the sole possessor of the information.22 Unfortunately, while the dichotomy between theft (zero-sum transaction) and cybertheft (non-zero-sum transaction) can be absolute, it can also be more nuanced. The ambiguities that can creep in to the varieties of cyber theft are a function of the conceptual deficit that exists in this area. As the three subsections below demonstrate, cybertheft is a malleable notiona residual category into which lawyers and law enforcement officers consign cyber -mediated activity that more or less resembles traditional theft. This state of affairs is the product of a confluence of two related factors: One is that cyber theft, like federal theft law, has not been the target of a codification effort analogous to the effort that brought order and system to the common law of theft;23 the other
recover it.). 20 Brenner, Virtual Crime, supra note 17, at 47. See also G REEN, supra note 2, at 80, 210-11 (describing theft as a zero -sum transaction). The zero-sum versus non-zero-sum distinction is analogous to the distinction economic theory draws between rivalrous and non-rivalrous goods. See, e.g., Daniel S. Shamah, Note, Password Theft: Rethinking an Old Crime in a New Era , 12 M ICH. TELECOMM . & TECH. L. REV . 335, 338-42 (2006); G REEN, supra note 2, at 208-09.
21 22
Id. Id. For more on this, see, for example, S usan W. Brenner, Cybercrime Metrics: Old Wine, New Bottles? , 9 V A. J. L. & TECH 13, 61-65 (2004) (explaining how the harm caused by a non-zero sum theft is linked with how exclusive the information was intended to be). See also Adam D. Moore,, Intellectual Property: Theory, Privilege, and Pragmatism ,16 CAN. J.L. & JURIS. 191, 212 (2003) (Given that intellectual property is non rivalrous and non-zero sum, it is quite plausible to maintain that some acts of intellectual property creation and exclusion do not harm anyone.); Rachel Brewster, The Surprising Benefits to Developing Countries of Linking International Trade and Intellectual Property , 12 CHI. J. INT' L L. 1, 48 (2011) (footnotes omitted) (Intellectual property is non-rivalrous, meaning that the good can be reproduced without reducing the availability of the good to others.).
23
See generally Jeffrey S . Parker & Michael K. Block, The Limits of Federal Criminal Sentencing Policy; Or, Confessions of Two Reformed Reformers, 9 G EO. M ASON L. REV . 1001, 1045 (2001) ([F]ederal law never adopted the Model Penal Code concept of a consolidated general theft offense . . . [but retains] codified versions of the common-law offenses . . . .). See also M ODEL
11/13/2013 1:49 PM1:48 PM
822
v. 47 | 817
factor is that unlike theft, cyber theft is an evolving, and consequently volatile, phenomenon that does not (yet) lend itself to precise definition. 24 B. Iterations We see more . . . examples of cyber theft [sic] . . . every year. 25 Given the variety and volatility of cyber theft, I cannot provide a comprehensive survey of the activities that can reasonably be included in this emerging category of criminal activity. 26 Instead, I will use three representative cases to demonstrate the differences, and the similarities, between cyber theft and its common law antecedent. Each of the three subsections below reviews the facts involved in a specific incident of cyber theft and outlines the implications the case has for the law s ability to outlaw and thereby control theft. 1. The Bank Job
The first case involves a type of cyber theft that is in most respects analogous to traditional theft: The perpetrators took and removed funds from their rightful owner with the intent to deprive the entity to which they belonged of their possession and use. 27 The only factor that differentiates this activity from traditional, real-space theft is the use of cyber space as a venue for the criminal activity. a. The Facts
Over almost two weeks at the end of June 2009, cyber criminals operating from somewhere outside the United States stole $415,989 from an account at the First Federal Savings Bank ( Bank) in Shepherdsville,
P ENAL CODE 223.1 (Official Draft and Revised Comments, 1980) (discussing consolidation of common law theft offenses). 24 See infra Parts II, II.B . cyber theftcyber theft 25 S hawn J. S oper, Authorities Outline Holiday Shopping Safety Tips, T HE D ISPATCH (Dec. 7, 2012), http://www.mdcoastdispatch.com/articles/2012/12/07/Top-S tories/Authorities-OutlineHoliday-S hopping-S afety-Tips (citations omiited).
26
See also Nelson D. S chwartz, F.B.I. Says 24 Are Arrested in Credit Card Theft Plan , NYTIMES.COM (June 26, 2012), http://www.nytimes.com/2012/06/27/business/fbi-says-24people-are-arrested-in-credit-card-theft.html?adxnnl=1&adxnnlx=1356039696LzIflB5eDI16bvRYZ2cX7Q; Jennifer S ullivan, Restaurant Owner Helps Bust Credit-card Hackers, S EATTLE TIMES (June 11, 2012, 9:37 PM), http://o.seattletimes.nwsource.c om/html/localnews/2018410201_cybercrime12m.html; Jim Finkle & Joseph Menn, LinkedIn Works with FBI on Password Theft, THE HUFF P OST TECH (June 7, 2012, 4:55 PM), http://www.huffingtonpost.com/2012/06/0 8/linkedin-fbipassword_n_1579213.html.
27
See supra note 14 and accompanying text.
11/13/2013 1:49 PM1:48 PM
2013
823
Kentucky.28 The account belonged to the government of Bullitt County ( County ) and held funds used to pay its employees.29 On June 22, someone started making unauthorized wire transfers of $10,000 or less from the county s payroll to accounts belonging to at least 25 individuals around the country.30 It was not until June 29 that bank employees realized something was wrong and froze the account; they also contacted banks that received transfers and asked that they be reversed.31 That same day, Bullitt County officials discovered that $415,989 was missing from the County s account.32 Since no one in Bullitt County knew who was responsible for the unauthorized transfers, County officials contacted the Federal Bureau of Investigation (FBI), which began investigating.33 County officials would later report that the transfers originated in Ukraine, a country known as an operational base for cybercriminals.34 Wherever the Bullit County cyberthieves were based, they used a sophisticated scheme to bypass the security measures the County and the Bank had put in place to prevent what occurred. Since the tactics they used illustrate the technical sophistication that is increasingly typical of cybercrime, 35 it is useful to describe this scheme in some detail. The County used a dual-authorization system to protect the accounts it maintained at the Bank: the County
28
See Emily Hagedorn, Some Funds Recovered from Bullitt Online Theft, COURIER-J., July 8, 2009, available at 2009 WLNR 15630563 [hereinafter Hagedorn, Some Funds Recovered ]; Kelly House, $415,989 Taken from Bullitt Bank Account, COURIER-J., July 2, 2009, available at 2009 WLNR 15629810; Brian Krebs, PC Invader Costs Ky. County $415,000 , S ECURITY FIX WASHINGTON P OST (July 2, 2009, 5:14 PM), http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html [hereinafter Krebs, PC Invader] . 29 See Emily Hagedorn, Theft Used Stealthy Computer Code, COURIER-J., July 27, 2009, available a t 2009 WLNR 15691911 [hereinafter Hagedorn, Theft Used Stealthy ].
30 31
Krebs, PC Invader, supra note 2829. See id. 32 See House, supra note 2829. 33 See id. 34 See Hagedorn, Some Funds Recovered , supra note 2829 . As to Ukraines reputed association with cybercrime, see Yuriy Onyshkiv, Ukraine Thrives as Cybercrime Haven, KYIV P OST (Mar. 8, 2012, 10:31 PM), http://www.kyivpost.com/content/ukraine/ukraine -thrives-as-cybercrimehaven-123965.html; John Leyden, Online Crims Not Just Speccy Geeks, Researchers Warn, THE REGISTER (July 1, 2010), http://www.theregister.co.uk/2010/07/01/cybercrime_gang_profile/.
35
See, e.g. , RS A, RSA 2012 CYBERCRIME TRENDS REPORT: THE CURRENT STATE OF CYBERCRIME WHAT TO EXPECT IN 2012 1-3, available at http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC1 2_WP_0112.pdf; James Bailey, The Increasing Sophistication of Cybercriminals: Techonomys Insecurity Panel , FORBES (Nov. 15, 2011, 12:40 PM), http://www.forbes.com/sites/techonomy/2011/11/15/the -increasingsophistication-of-cybercriminals-techonomys-insecurity-panel/.
AND
11/13/2013 1:49 PM1:48 PM
824
v. 47 | 817
Treasurer and the County Judge-Executive had to authorize fund transfers.36 The Treasurer initiated transfers and the Judge-Executive approved them.37 The Bank relied on several methods to protect its funds, one of which was using special programming to analyze customers computer systems and create a unique fingerprint of their computers.38 So if a criminal tried to log into a customer s account from a computer other than the one the customer routinely used, the login would fail. 39 If the Banks system detected a login attempt made from a computer with an unknown fingerprint, it would not allow the login and would send the account owner an e-mail that contained a one-time passphrase; the customer would then have to enter the passphrase, along with his or her username and password, to access the account. 40 The cybercriminals responsible for the Bullitt County thefts used a Trojan Horse program known as Zeus to bypass both the County s and the Banks systems.41 They somehow got the Zeus Trojan on the Treasurer s computer and used it to steal the username and password she needed to access e-mail and the County s accounts at the Bank.42 Zeus installs itself on a computer s hard drive and steals banking information by recording keystrokes typed on the keyboard; it then uses an instant message to send the information to the criminals who control it. 43 Zeus also creates a direct connection between the infected computer (here, the Treasurer s computer) and the system that the cybercriminals used; this lets them log in to the victim s bank account using the victim s own computer and Internet connection.44 The Bullitt County perpetrators began by stealing the Treasurer s username and password and linking her computer with the one that they would use to extract funds from the County s account.45 They then logged into the account by tunneling through the Treasurer s Internet
36 37
Krebs, PC Invader, supra note 2829. See id. 38 See id. (citations omitted). 39 See id. 40 See id. 41 Id. More precisely, they used a version of the Zeus banking Trojan. Id. For a detailed explanation of the Zeus (or ZeuS ) Trojan, see TREND M ICRO, ZEUS : A P ERSISTENT CRIMINAL ENTERPRISE 3-11 (2010), available at http://www.trendmicro.com/cloudcontent/us/pdfs/security-intelligence/white-papers/wp_zeus-persistent-criminalenterprise.pdf.
42 43 44 45
Krebs, PC Invader, supra note 2829. See id. Id. See id.
11/13/2013 1:49 PM1:48 PM
2013
825
connection.46 Since they were using her Internet connection, the Bank s fingerprinting system did not flag this as a problematic attempt to log into the account.47 Once they logged into the payroll account, the cybercriminals changed the Judge-Executives account password and e-mail address associated with the account.48 Next, they created fictitious County employees and a batch of wire transfers to those individuals that would need approval from the Judge-Executive.49 After they initiated the wire transfers to the fictitious employees, the perpetrators logged into the County s payroll account and the JudgeExecutives account using a computer located outside Kentucky .50 When the Banks system did not recognize that computer s fingerprint, it sent an e-mail with the Judge-Executives passphrase used to log into the payroll account and approve the transfers.51 The e-mail went to the new fraudulent e-mail address one the criminals controlled.52 They then retrieved the passphrase, logged into the account with the Judge-Executives new e-mail address and password, plus the passphrase, and approved the tran sfers.53 Since there was nothing ostensibly problematic about the transfers or the process used to approve them, it is not surprising that it took the Bank a week to realize something was wrong. Where did the funds go? Weeks before the cybercriminals compromised the Treasurer s and Judge-Executives computers, they hired twenty-five individuals as money mules, unwitting dupes who would receive transfers from the County and unwittingly pass the money along to the perpetrators.54 The criminals hired at least some of the mules after finding their resumes on Careerbuilder.com. 55 The Fairlove Delivery Service hired the mules to edit documents for grammar and promised they would be paid eight dollars for each kilobyte of data they processed.56 After one mule edited text for a while, she asked when she would be paid.57 In response, she received an e-mail asking if she would be interested in becoming a local agent for the company; she was told it
46 47 48 49 50 51 52 53 54 55 56 57
Id. See id. Krebs, PC Invader, supra note 2829. Id. Id. Id. Id. Id. See Krebs, PC Invader, supra note 29. Id. Id. Id.
11/13/2013 1:49 PM1:48 PM
826
v. 47 | 817
had trouble getting money to its clients oversea s as quickly as they needed it, and desperately needed help speeding up that process .58 After the woman agreed, she received a wire transfer of over $9900 and was told to wire all of the money except for her 5% commission to a bank account in Ukraine.59 Since she was suspicious, she only wired $3000 of the money.60 Other mules wired all of the money they received except for their commissions.61 If the mules banks reversed the fraudulent transfers (as some ultimately did),62 the mules found themselves owing Bullitt County the money they wired to Ukraine.63 What happened to the money that was wired to Ukraine? No one really knows. It presumably wound up in accounts in Ukraine or in whatever country it was subsequently transferred and was eventually spent by the perpetrators. The only money the County recovered $105,813.06 came from U.S. banks that reversed the fraudulent transfers before the money left the country.64 The County also sued the Bank, claiming the Banks negligence was responsible for its losses and the Bank was therefore required to reimburse the County for its unrecovered losses.65 The Bank denied that it was negligent and claimed the County was at fault for not having caught the unauthorized transfers. 66 In 2011, Bullitt County officials voted to settle its suit with the Bank under certain undisclosed circumstances.67 On the one hand, what happened to Bullitt County is simple, traditional theft: Unknown persons extracted hundreds of thousands of dollars from its bank account, without being authorized to do so, and transported the funds out of the United States, presumably for their own use and gratification. This was a zero-sum transaction: The possession and use of the funds passed entirely (except for what the County eventually recovered) from the rightful owner to the thieves (or cyber-thieves). And yet, this was not a simple, traditional theft: The perpetrators were not
58 59
Id. Id. 60 Krebs, PC Invader, supra note 29. 61 See id. 62 See Hagedorn, Some Funds Recovered , supra note 30. 63 See Krebs, PC Invader, supra note 29. 64 See, e.g. , Hagedorn, Some Funds Recovered , supra note 30. 65 Emily Hagedorn, Bullitt County Sues Bank Over Loss from Online Theft, COURIER-J., Aug. 6, 2009, available at 2009 WLNR 15639322.
66
Bullitt Could Have Prevented Online Theft, Bank Says, COURIER-J., Aug. 26, 2009, available at 2009 WLNR 16706103. For an almost identical case see Patco Const. Co. v. Peoples United Bank, 684 F.3d 197, 199-206 (1st Cir. 2012). 67 See, e.g. , Emily Hagedorn, Fiscal Court to Settle Suit with Bank Over Theft, COURIER-J., Feb. 23, 2011, available at 2011 WLNR 3751997.
11/13/2013 1:49 PM1:48 PM
2013
827
physically proximate, the extraction was not a physical process, and there was no physical crime scene, physical evidence, or eyewitnesses to identify the perpetrators. What happened in Bullitt County was not an isolated incident. Other targets in the United States lost similar amounts to the same tactics, 68 which are still being used. In December of 2012, the media reported that criminals using a new version of Zeus malware that targets mobile devices had extracted 36 million euros, or $47 million, from more than 30,000 corporate and private banking customers in Europe.69 And the use of this particular tool is but a small part of the cybercrime industry. As a 2012 report noted, cybercrime has evolved into a vast and complex commercial enterprise, ostensibly indistinguishable from any other business.70 Like other businesses, the cybercrime industry offers a variety of services, such as consulting on the technical aspects of implementing cyber thefts and other attacks, money exchange and mule ser vices and 71 infection/spreading services. This means cybertheft like other types of cybercrimeis an increasingly egalitarian activity, since one no longer needs to be technologically adept to engage in such activity. 72 Theft, like other types of cybercrime, is far from static. As I write this, at the end of December 2012, credible sources are warning that next spring roughly thirty U.S. investment banks, consumer banks, and credit unions will be the targets of Project Blitzkrieg.73 The attack, if it occurs, will rely on the
68 69
See Patco, 684 F.3d at 199, 204-05. Mathew J. S chwartz, Zeus Botnet Eurograbber Steals $47 Million, INFORMATIONWEEK (Dec. 5, 2012), http://www.informationweek.com/security/attacks/zeus-botnet-eurograbber-steals-47millio/240143837. For more information on ZITMO, the Zeus-In-The-Mobile Trojan horse program, see ERAN KALIGE & D ARRELL BURKEY, A CASE S TUDY OF EUROGRABBER: HOW 36 M ILLION EUROS WAS S TOLEN VIA M ALWARE 3, 4-5 (Dec. 2012), http://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pd f. This report notes that a variation of this attack could potentially affect banks in countries outside of the European Union as well. Id. at 3.
70
FORTINET, FORTINET 2013 CYBERCRIME REPORT 1 http://www.fortinet.com/sites/default/files/whitepapers/Cybercrime_Report.pdf.

71
(2012),
Id. at 2. According to this report, consulting services cost $350 -$400 (presumably per hour), money exchange and mule services are based on a 25% commission, infection and spreading services are billed at ~$100 per install. Id.
72
See, e.g. , id . at 7; see also Brian Krebs, Service Sells Access to Fortune 500 Firms, KREBS ON S ECURITY (Oct. 22, 2012, 12:01 AM), http://krebsonsecurity.com/2012/10/service -sells-access-tofortune-500-firms/#more-17221. A 2012 study cybercrime found that cybercrime is dominated by gangs, many of whom are middle aged and possess only rudimentary IT skills, which made it feasible for many traditional crimes to move online. John Leyden, Everything You Thought You Knew About Cybercrime Is WRONG , THE REGISTER (Mar. 29, 2012), http://www.theregister.co.uk/2012/03/29/cybercrime_myths_exploded/.
73
Dara Kerr, Threat of Mass Cyberattacks on U.S. Banks Is Real, McAfee Warns , CNET NEWS
11/13/2013 1:49 PM1:48 PM
828
v. 47 | 817
Gozi Prinimalka Trojan, an evolved version of the Trojan used in the Bullitt County case, to extract money from the banks.74 b. Theft Issue
The criminal dynamic involved in the Bullitt County case an d in other, similar instances of financial cyber theft is functionally indistinguishable from the dynamic involved in traditional theft. In both instances, the thieves extract a zero-sum commodity from its rightful owner and carry it away, thereby wholly depriving the owner of its possession and use. What is distinctive about the Bullitt County case and similar cases is not the crime, as such, but how it was carried out. The methodology used in this type of cyber theft erodes the balance nation-states have, for roughly the last century and a half, maintained between lawlessness and law enforcement.75 Unlike conventional bank robbery, which involves low rewards and a high risk of being apprehended, 76 cybertheft is a highreward, low -risk endeavor.77 The Bullitt County incident illustrates both characteristics of online-bank theft. The reward is obvious: An anonymous group of cybercriminals got away with roughly $300,000 in one episode, 78 which almost certainly was not, and would not be, their only foray into cybertheft. This was not an aberrant, isolated incident: In 2007, cybercriminals used similar tactics to hijack $6 million from banks in the United States,
(Dec. 13, 2012, 7:28 PM), http://news.cnet.com/8301 -1009_3-57559153-83/threat-of-masscyberattacks-on-u.s-banks-is-real-mcafee-warns/; see RYAN S HERSTOBITOFF, A NALYZING P ROJECT BLITZKRIEG, A CREDIBLE THREAT 3 (2012), available at http://www.mcafee.com/us/resources/white -papers/wp-analyzing-project-blitzkrieg.pdf.
74
Lucian Constantin, Project Blitzkrieg E-banking Heist Is a Credible Threat, McAfee Says, COMPUTERWORLD.COM (Dec. 13, 2012, 4:53 PM), http://m.computerworld.com/s/article/9234694/Project_Blitzkrieg_e_banking_heist_is_a_credi ble_threat_McAfee_says?mm_ref=https%3A%2F%2Fwww.google.com%2F (noting that the Prinimalka Trojan began development in 2008 and is more functional than Zeus).
75
See generally Brenner, supra note 3, at 6-64 (exploring the effect of cybercrime on traditional law enforcement). 76 S tudies show that real-space bank robbers tend to take very little money and are often apprehended. S cott Michels, Bank Robbery a Loser Crime, ABCNEWS.COM (Aug. 1, 2007), http://abcnews.go.com/TheLaw/story?id=3432084# (stating that in many cases the perpetrator may take only about $1,000, with an arrest rate of fifty -nine percent in 2006); see Matt Bewig, Robbing Banks Is Not A Cost-Efficient Profession, A LL G OV .COM (Aug. 7, 2007), http://www.allgov.com/news/unusual-news/robbing-banks-is-not-a-cost-efficientprofession?news=844940 (In 2011, there were 5,086 bank robberies in the U.S ., generating $38,343,501.96 in revenues for the perpetrators, or an average of $7,539 per heist.).
77 78
For more on this, see infra Part II.A. See supra note 6465 and accompanying text.
11/13/2013 1:49 PM1:48 PM
2013
829
United Kingdom, Spain and Italy.79 In the summer of 2010, unidentified perpetrators used the Zeus Trojan and tactics similar to those involved in the Bullitt County theft to steal at least $1 million from banks in the United Kingdom.80 As I wrote this (and, no doubt, as you read it) an unknown number of similar thefts have occurred.81 In 2011, an FBI official noted that an organized crime ring in Eastern Europe . . . earned about $750,000 per week from cyber theft [sic].82 In 2012, a small Brooklyn business had $1.2 million wiped out of its bank accounts in just hours through online transactions.83 While there are many similar stories, there are probably just as many more unreported. The true costs of cyber theft are unknown.84 We do not have reliable statistics for cybercrime, including cyber theft, because businesses are very reluctant to report being victimized for at least two reasons.85 One reason is that they are afraid their customers will lose confidence in them. 86 The other reason is that, as the Bullitt County case demonstrates, reporting cyber theft tends to be a futile gesture because cyber -thieves are very rarely apprehended and punished for their crimes. 87 The low risk aspect of cyber
79 80
Hagedorn, Theft Used Stealthy , supra note 30. Elinor Mills, Zeus Trojan Steals $1 Million from U.K. Bank Accounts, CNET NEWS (Aug. 10, 2010, 2:54 PM), http://news.cnet.com/8301 -27080_3-20013246-245.html.
81
In October of 2012, the FBI reported it was investigating about 230 cases of electroni c fraud against U.S . banks involving the attempted theft of more than $255 million and the actual loss of about $85 million. S haun Waterman, Brazen Gangsters Show How Cybercrime Pays, WASH.TIMES (Oct. 24, 2012), http://www.washingtontimes.com/news/2012/oct/24/brazen-gangsters-show-how-cybercrimepays/?page=all.
82
Gerry S mith, Cyber- Crimes Pose Existential Threat, FBI Warns, HUFF. P OST TECH. (Jan. 12, 2012, 3:38 PM), http://www.huffingtonpost.com/2012/01/12/cyber-threats_n_1202026.html.
83
S arah E. Needleman, Cybercriminals Sniff Out Vulnerable Firms, WALL S T. J. (July 5, 2012, 6:17 PM), http://online.wsj.com/article/SB10001424052702303933404577504790964060610.html. 84 A Russian cyber security firm reported that the 2012 global cyber crime revenues totaled $12.5 billio n. Kenneth Rapoza, Russias Million Dollar Hackers, FORBES (Apr. 24, 2012, 4:57 PM), http://www.forbes.com/sites/kenrapoza/2012/04/24/russias-millionaire-dollar-hackers/.
85
See Richard Lardner, Cybercrimes: Companies Reluctant to Report Breaches Despite SEC Guidelines, LAS V EGAS REV .-J. (July 5, 2012, 2:01 AM), http://www.lvrj.com/business/cybercrime -companies-reluctant-to-report-breaches-despitesec -guidelines-161409305.html (Companies [fear] going public would damage their reputations, sink stock prices or spark lawsuits.) see also Division of Corporation Finance, CD Disclosure Guidance: Topic No. 2 , U.S. SECURITIES AND EXCHANGE COMMISSION (Oct. 13, 2011), http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (Cyber incidents may also result in . . . impairment of . . . customer-related intangible assets). 86 See sources cited supra note 8586. 87 Aside from the practical problems discussed below, a number of countries are operating at least as de facto cybercrime havens, in that they refuse to extradite accused cybercriminals
11/13/2013 1:49 PM1:48 PM
830
v. 47 | 817
theft tends to be less obvious than its rewards, but is no less significant: The Bullitt County perpetrators have not been, and almost certainly will not be, apprehended and punished.88 Cybercriminals who operate from within the United States are likely to be apprehended, especially if they target U.S. citizens, but those who operate transnationally run little, if any, risk of being apprehended.89 One reason for the difference between the groups is the difficulty of tracing the location from where off-shore cybercriminals operate. The Bullitt County thieves were believed to be in Ukraine, but they might have routed the signals they used to hack the county officials computers and the bank account through Ukraine to hide the fact that they were actually operating from elsewhere.90 Tracing a cybercrimes origins is a difficult and time-consuming process that is often beyond the capacity, and the authority, of local law enforcement agencies. 91 And even if Bullitt County officers with, perhaps, the FBIs assistancewere able to trace the cyberthieves to Ukraine, the officers would not be able to take them into custody. The United States does not have an extradition treaty with Ukraine,92 which means Ukraine would not be obliged to turn the cy berthieves over to U.S. authorities for prosecution. Another factor that differentiates cybercrime from traditional crime is the crime scene. The fact that the Bullitt County theft, like all cybercrimes, involved digital evidence and a virtual crime scene, exacerbated the legal and practical challenges involved in investigating the crime and apprehending those responsible. As we all probably know from movies and television shows like CSI, the investigation of a crime focuses on where
and/or otherwise assist in cybercrime investigations. See, e.g., Onyshkiv, supra note 3435; Antonio S iegfrid O. Alegado, Philippines a Safe Haven for Transnational Cybercrime, BUS. WORLD (Manilla), Oct. 24, 2011, available at 2011 WLNR 21767567; Roman S chell, Russian Hackers Rake in Millions with Little Fear of the Law , D EUTSCHE WELLE (Oct. 28, 2010), http://www.dw.de/Russian-hackers-rake-in-millions-with-little-fear-of-the-law/a-6160167.
88 89
For more on the risk-reward balance, see, Brenner, Distributed Security , supra note 3, at 93. See id. at 106. 90 For a case in which the perpetrators did precisely this, see S usan W. Brenner, At Light Speed: Attribution and Response to Cyberc rime/Terrorism/Warfare, 97 J. CRIM . L. & CRIMINOLOGY 379, 414-15 (2007).
91
See, e.g. , S usan W. Brenner & Joseph J. S chwerha IV, Transnational Evidence Gathering and Local Prosecution of Interna tional Cybercrime, 20 J. M ARSHALL J. COMPUTER & INFO. L. 347, 371-75 (2002); S usan W. Brenner, Toward A Criminal Law for Cyberspace: Product Liability and Other Issues, 5 U. P ITT. J. TECH. L. & P OL ' Y 2, 110 (2005), available at http://tlp.law.pitt.edu/ojs/index.php/tlp/article/download/16/16 (analyzing the viability of local officers in Nebraska tracking down and apprehending the cybercriminals who attacked a Kearney bank while operating from Malaysia).
92
See 18 U.S .C. 3181 (2006 & S upp. I 2009).
11/13/2013 1:49 PM1:48 PM
2013
831
it was committed: the crime scene.93 Real-world crimes like robberies or murders usually occur at one physical place. The investigating officers scrutinize that location for evidence they can use to identify, locate, and convict those responsible for the crime.94 In cybercrimes, the crime scene and any attendant trace evidenceis scattered across multiple locations, e.g., the location from which the perpetrator operated, the location where he or she inflicted harm on the victim, and the intermediate locations through which the bits and bytes involved in the commission of the crime traveled between perpetrator and victim.95 In the Bullitt County case, the crime scene was scattered across at least two continents: North America and Europe. Digital evidence existed in the County Treasurer s and Judge-Executives computer systems, in the Banks computer system, in the Ukrainian computer systems involved in the crime, in the mules computers and in all of the computers in every countries through which the signals involved in consummating the crime traveled. This means the process of putting the crime together and assembling the evidence needed to convict the perpetrators would be extraordinarily complex and would therefore have to be carried out by individuals who had expertise in digital evidence and digital investigations.96 Although Bullitt County might have had investigators with some digital experience, it probably did not have investigators with the expertise needed to unravel a transnational cybercrime of this complexity. As we saw earlier, the FBI was called in to assist with the investigation, but the FBI could only do so much because it had other investigative priorities (e.g., terrorism) and is a comparatively small agency with limited resources.97 It does not appear that the FBI was successful in locating the perpetrators and apprehending them. 98 The conceptual lesson to be learned from the Bullit t County case and similar cases is that cybertheft differs from theft not doctrinally, but
93
See O FFICE OF JUSTICE P ROGRAMS , CRIME S CENE INVESTIGATION: A G UIDE FOR LAW ENFORCEMENT 11 (2000), available a t https://www.ncjrs.gov/pdffiles1/nij/178280.pdf. 94 See id. at 15-18. 95 See Brenner, Distributed Security , supra note 3, at 75; S usan W. Brenner, Toward A Criminal Law for Cyberspace: A New Model of Law Enforcement? , 30 RUTGERS COMPUTER & TECH. L.J. 1, 2526, 30-33 (2004).
96
See, e.g. , O FFICE OF JUSTICE P ROGRAMS, ELECTRONIC CRIME S CENE INVESTIGATION: A G UIDE vii-xi (2d ed. 2008), https://www.ncjrs.gov/pdffiles1/nij/219941.pdf. 97 S USAN W. B RENNER, CYBERCRIME : CRIMINAL T HREATS FROM CYBERSPACE 153-53, 157-60 (2010); House, supra note 29.
FOR FIRST RESPONDERS
98
The last reference to the FBIs involvement in the case appears in a 2009 news story, which quotes an FBI spokesman as saying the investigation is ongoing. Emily Hagedorn, Search Begins for New Bank after Web Theft, COURIER-J., August 12, 2009, available at 2009 WLNR 15630640.
11/13/2013 1:49 PM1:48 PM
832
v. 47 | 817
operationally. Both result in a property owner being unlawfully deprived of his/her/its property. And as I also noted, what particularly differentiates the two is the essential lack of any viable disincentive for cyber -thieves to practice their illegal trade.99 This creates an untenable state of affairs for nation-states, which are charged with protecting the safety and security of their citizens and their citizens property.100 This state of affairs raises the issue of whether criminal law should take cognizance of the lack of a credible disincentive to indulge in cyber theft.. But first, we need to complete our selective review of the varieties of cyber theft. 2. The Password
The second case of theft involves using cyberspace to effect the taking at issue alters the event so it deviates in one notable respect from the traditional conception of theft.101 Unlike the Bullitt County case, which involved the taking and carrying away of zero-sum property,102 the case we will examine below involves a less-than zero-sum transaction. a. The Facts
The case arose in Oregon.103 In the late 1980s, Randal L. Schwartz became an independent contractor for the Intel Corporation. 104 In late 1991 or early 1992, he started working in Intel s Supercomputer Systems Division (SSD), which created large computer systems that could cost millions of dollars and were used for applications such as nuclear weapons safety.105 Those who worked in this division were required to use a unique password to access SSD computers and information stored on them. 106 The passwords were stored in computer files in an encrypted or coded fashion.107 In the spring of 1992, Schwartz disagreed with an Intel systems administrator, Poelitz, about how he handled a problem with SSDs e-mail system.108 The problem was eventually resolved in a manner that upset
99
The greater rewards associated with online bank theft is another differentiating factor, as noted above. See supra notes 77-79 and accompanying text.
100 101 102 103 104 105 106 107 108
See, Brenner, Distributed Security , supra note 3 at 85-88. See supra Part II.A. See supra Part II.B.1. S tate v. S chwartz, 21 P.3d 1128, 1128 (Or. Ct. App. 2001). Id. at 1129 Id. Id. Id. Id.
11/13/2013 1:49 PM1:48 PM
2013
833
Schwartz, leading him to terminate his contract with Intel. 109 Though Schwartz stopped working at SSD, he continued to work as a contractor for a different Intel division.110 In March, 1993, Brandewie, an Intel network programmer and systems administrator, noticed Schwartz w as running a gate program on an Intel computer called Mink, which let users access computers outside Intels systems.111 Gate programs violated Intel security policy because they breached the firewall Intel relied on to prevent outsiders from accessing its computers.112 Schwartz used the gate program to access his e-mail account with his publisher and his Intel e-mail when he was on the road. When Brandewie talked to him about the program, Schwartz acknowledged that external access to Int el computers violated company policy and agreed to modify it.113 A few months later, Brandewie noticed Schwartz was running another, similar program on Mink.114 Schwartz claimed he modified the program to make it secure, but Brandewie said it violated company policy.115 Schwartz decided Mink was useless to him without a gate program, so he asked to have his account on it closed.116 Schwartz moved his gate program onto an Intel computer called Hermeis, but it was too slow, so he finally moved it onto the SSD computer Brillig.117 In the fall of 1993, Schwartz downloaded a sophisticated password guessing program called Crack from the Internet.118 He began running it on password files on various Intel computers.119 When Schwartz ran Crack on Brillig, he discovered the password for Ron B., one of Brilligs authorized users.120 Schwartz used Ron B.s password to log onto Brillig although he knew he did not have the authority to do so.121 At this point, Schwartz used his access to infiltrate another Intel computer and subsequently learned the passwords of numerous other users.122 Schwartz allegedly believed that by demonstrating the system security s diminished quality since his departure
109
Schwartz, 21 P.3d at 1129-30 (noting that all but one of S chwartzs passwords to access the S S D computers were disabled).
110 111 112 113 114 115 116 117 118 119 120 121 122
Id. at 1130. Id. Id. Id. Id. Schwartz, 21 P.3d at 1130. Id. Id. Id. Id. Id. Schwartz, 21 P.3d at 1130. Id. at 1130.
11/13/2013 1:49 PM1:48 PM
834
v. 47 | 817
he would facilitate a chance to make amends with the company.123 However, he unintentionally committed these acts in secret, which nullified his alleged goals and therefore he kept the information to himself.124 Later, Schwartz again hacked into the system with hopes of gathering information that would be useful to bolster the SSD security system. However, an Intel administrator noticed his actions and initiated an internal investigation that ultimately lead to police involvement.125Two detectives investigated Schwartz and executed a search warrant at his home.126 Once there, the detectives asked about previously logging in on SSD.127 In a separate interview, Schwartz recognized that his act ions both violated the company policy and could render him criminally liable.128 However, Schwartz was also adamant that at not [sic] time did he ever actually access files using any of the cracked passwords that he had obtained using the CRACK program.129 Schwartz was subsequently charged with three counts of computer crime in violation of section 164.377 of the Oregon Revised Code.130 A jury convicted him on all three counts, and the judge sentenced him to probation and community service. 131 On appeal, Schwartz sought to have two counts acquitted, which charged him with unlawfully and knowingly access[ing] and us[ing] both a computer network and a computer system for purpose[s] of committing theft.132 The computer crime statute, which has not been revised since the Schwartz case arose,133 makes it a crime to knowingly access or use a computer, computer system, computer network or any part thereof for the purpose of committing theft, including, but not limited to, theft of
123 124
Id. at 1130 Id. 125 Id. For more details on S chwartzs activity involving Mink, Hermes, Brillig and the gate program(s), see J. LILLEY, REPORT OF D ETECTIVE J. LILLEY, http://www.lightlink.com/spacenka/fors/police/report-lilley.html (last visited Jan. 30, 2013).
126
Lilley, supra note 125131; see P. LAZENBY, REPORT OF D ETECTIVE P. LAZENBY, http://www.lightlink.com/spacenka/fors/police/report-lazenby.html (last visited Feb. 5, 2013). 127 L AZENBY, supra note 126132 (asking Schwartz if he recalled the passwords used to log into S S D) . Id. Id. 130 S tate v. S chwartz, 21 P.3d 1128, 1131 (Or. Ct. App. 2001). 131 E-mail from Randal L. S chwartz (S ept. 11, 1999, http://www.lightlink.com/spacenka/fors/sentence.txt.
129 132 133 128
13:11),
available
at
Schwartz, 21 P.3d at 1129, 1135. See O R. REV . STAT. A NN. 164.377 (West 2012); Schwartz, 21 P.3d at 1128. The statute was revised and amended in 2001, but the changes merely modified the definition of computer, thereby not altering the text of 164.377(2)(c). See id. 164.377(2)(c).
11/13/2013 1:49 PM1:48 PM
2013
835
proprietary information.134 It does not define theft,135 but does define property and proprietary information.136 Section 164.377(1)(h) states that property includes, but is not limited to, financial instruments, information, including electronically produced data, and computer softwar e and programs in either computer or human readable form, intellectual property and any other tangible or intangible item of value. Section 164.377(1)(i) defines Proprietary information as including any scientific, technical or commercial information including any design, process, procedure, list of customers, list of suppliers, customers records or business code or improvement thereof that is known only to limited individuals within an organization and is used in a business that the organization conducts.137 At trial, Schwartz moved for a judgment of acquittal on counts II and III, arguing that the state could not successfully prove the statutory elements of theft.138 Schwartz argued, and the prosecution conceded, that the indictment alleged, and the state attempted to prove at trial, only that he violated section 164.015, which is Oregon s general theft statute.139 Since both sides agreed that the prosecution proved that Schwartz knowingly accesse[d] . . . or use[d] . . . [a] computer, computer system, computer network or any part thereof, the only issue before the Court of Appeals was whether the prosecution proved beyond a reasonable doubt that he did so for the purpose of . . . committing theft, including . . . theft of proprietary information.140 The court began its analysis of this issue by noting that while section 164.377 does not define theft, section 164.015 does. The Court of Appeals found that because the section 164.015 definition of theft appears in the same chapter of [the] criminal code, it was appropriate for the court to consider it in construing the meaning of theft as used in section 164.377(2)(c).141 The court then addressed the parties
134 135
Id. 164.377(2). See id. 164.377(1). S ection 164.015(1) says that one commits theft when, with intent to deprive another of property or to appropriate property to the person or to a third person, he or she [t]akes, appropriates, obtains or withholds such property from an owner thereof. Id. 164.015. This definition reflects the traditional understanding of theft. See supra note 14 and accompanying text.
136 137
O R. REV . S TAT. A NN. 164.377(1)(h)-(i). O R. REV . S TAT. A NN. 164.377(1)(i) (West 2012). 138 S tate v. S chwartz, 21 P.3d 1128, 1135 (Or. Ct. App. 2001) (According to defendant the state had failed, first, to put on evidence that he had taken property and, second, to put on evidence that he had acted with the intent or purpose to commit theft.).
139 140
Id. at 1136 (quoting O R. REV . S TAT. A NN. 164.377(2)(c) (West 2012)). Id. 141 See Schwartz, 21 P.3d at 1136.
11/13/2013 1:49 PM1:48 PM
836
v. 47 | 817
arguments on that issue, noting that they did not dispute that the password file and individual passwords have value that there was evidence in the record to support that proposition. 142 It also noted that they disagreed as to whether Schwartz t[ook], appropriate[d], obtain[ed] or withh[e]ld the password file and individual passwords. 143 Schwartz argued that he did not actually steal the passwords because although he moved them to another computer, the individual users whose passwords he obtained still have full, unhindered use of them.144 The prosecution countered that Schwartz effectively stripped the passwords of their value by destroying their exclusive possessory interest, which amounted to theft under the statute. 145 The Court of Appeals began by noting that theft has been defined in varying ways, further indicating that Schwartz s actions may violate the statute.146 It also noted that the Oregon legislature had contemplated theft under section 164.377(2)(c) could be exercised upon . . . proprietary information,147 which was not susceptible to exclusive possession. 148 The Court of Appeals therefore rejected Schwartz s argument, holding the prosecution had presented sufficient evidence to prove that, by copying the passwords and password file, [he] took property of another . . . for the purpose of theft.149 Few courts have reached similar conclusions in cases that involved copying analogous types of property. 150 b. Theft Issue
In the Bullitt County case, there was no question that a theft had occurred, since the possession and use of the money extracted from the County s accounts was wholly transferred from the County to the unknown perpetrators.151 That transaction precisely conforms to the
142 143
Id. Id. (internal quotation marks omitted). 144 Id. 145 Id. at 1136-37. 146 Id. at 1137. 147 Schwartz, 21 P.3d at 1137. 148 Id. 149 Id. 150 See, e.g. , People v. Kozlowski, 117 Cal. Rptr. 2d 504, 515-518 (Cal. Ct. App. 2002) (stating that a personal identification number (PIN) used to access automatic teller machine was property capable of being extorted); People v. Kwok, 75 Cal. Rptr. 2d 40, 49 (Cal. C t. App. 1998) (holding that the unauthorized copying of a key was theft). Extortion is a type of theft. See, e.g., M ODEL P ENAL CODE 223.4 (2011). See also 3 WAYNE R. LAFAVE , S UBSTANTIVE CRIMINAL LAW 19.8(d), at 147 (2d ed. 2003) (explaining that the Mo del Penal Codes aim in defining extortion as a type of theft).
151
See supra Part I.B.1.b.
11/13/2013 1:49 PM1:48 PM
2013
837
traditional conception of theft as a zero-sum event in which the thief deprives the owner of his or her property.152 Unlike the Bullitt County case, Schwartz s case did not involve a zerosum theft of property.153 As Schwartz pointed out, he did not deprive Intel and/or its employees of the passwords he copied, at least not in a zero-sum, absolute sense.154 The case raises the issue of whether he deprived Intel and/or its employees of property in a less than zero-sum sense.155 Perhaps more accurately, the issue is whether criminal law should treat less -thanzero-sum deprivations of property as theft. Theft has historically been defined as taking and carrying away another s property with the intent to permanently and wholly deprive the owner of its possession and use. 156 This definition reflected the realities of a world in which property was necessarily tangible.157 As Blackstone noted, theft (or larceny) necessarily involved personal property because lands . . . cannot in their nature be taken and carried away.158 Blackstone also implicitly, and quite reasonably, given the world in which he lived, assumed that taking property from its owner resulted in the complete transfer of its possession and use from the owner to the thief.159 Prosecutors in the Schwartz case claimed it involved traditional, zerosum theft because once Schwartz copied the passwords, they lost their value because they became useless for their only purpose, protecting access to information in the SSD computers. 160 The prosecution did not deny that Intel and/or its employees still had the passwords or could still
152 153
See supra Part I.A. See also supra notes 14-19 and accompanying text. See supra notes 20-Error! Bookmark not defined. 21 and accompanying text. 154 See supra note 144156 and accompanying text. 155 For the purposes of analysis, I will assume that: (i) the passwords qualified as property and (ii) Intel and the employees who used the passwo rds had a possessory interest in them, i.e., both owned the passwords. See supra notes 158-150164 and accompanying text.
156
See supra note 14 and accompanying text. See also supra note 3 and accompanying text. In Dowling v. United States, the S upreme Court held that the National S tolen Property Act, 18 U.S. Code 2314, did not apply to the transportation of bootleg re cords, i.e., unauthorized copies of commercially unreleased performances of famous entertainers. See 473 U.S. 207, 22628 (1985). 157 See, e.g. , S usan W. Brenner, Fantasy Crime: The Role of Criminal Law in Virtual Worlds, 11 V AND. J. ENT. & TECH. L. 1, 71-72 (2008) [hereinafter Brenner, Fantasy Crime]; Brenner, Virtual Crime, supra note 17, at 43-44.
158 159
4 WILLIAM BLACKSTONE , COMMENTARIES 232 (1897). That assumption persists. See, e.g., People v. Kwok, 75 Cal. Rptr. 2d 40, 49 (Cal. Ct. App. 1998) ([P]roperty is something that one has the exclusive right to possess and use.). 160 S tate v. S chwartz, 21 P.3d 1128, 1136-37 (Or. Ct. App. 2001); see supra note 157 and accompanying text.
11/13/2013 1:49 PM1:48 PM
838
v. 47 | 817
use them to access the SSD computers.161 Instead, the prosecution contended that Schwartz committed zero-sum theft because copying the passwords effectively transferred their entire value to him,162 which was not true. As Schwartz pointed out, Intel and its employees could still use the passwords to log into the SSD computers, which meant that neither of them had been wholly deprived of their property. 163 This is not to say that Intel had not lost something. It had: even though the passwords still allowed Intel employees to access the SSD computers, they no longer guaranteed that only authorized Intel employees would be able to do so. The problem, as far as theft law is concerned, is that the law was less than absolute. By copying the passwords, Schwartz took a quantum of the passwords value from Intel, but he did not wholly deprive the company of their possession and use. In other words, he committed less-than-zero-sum theft.164 We will take up this issue in Part II, after we complete our selective review of the varieties of cyber theft. 3. The Identities
The case we will examine in this section involves the appropriation of property the intangibility of which far exceeds that of the passwords in the Schwartz case. The issue in the case goes neither to the mechanics by which property is misappropriated nor to the extent to which it is taken and carried away. Instead, the issue goes to the extent to which theft law can, and should, take cognizance of deprivations of assets the intangibility of which exceeds the password examined above. 165 a. The Facts
The case arose in Indiana in 2010, and it was prosecuted as a cyber stalking case rather than a theft case. 166 There is no reported opinion
161
See Brief for Petitioner-Appellant at 56, S tate v. Schwartz, 21 P.3d 1128 (Or. Ct. App. 2001) (C940322CR; CA A91702), available at http://www.lightlink.com/spacenka/fors/court/AppealBrief.pdf (The evidence that both the S S D password file and its contents, i.e., the individual users' passwords, were still there and were actively doing their job after the copying occurred was not refuted or even challenged.).
162
See supra note 157 and accompanying text. As noted above, in making this argument the prosecution analogized the passwords to proprietary manufacturing formulas, claiming both have value only so long as no one else knows what they are. Schwartz, 21 P.3d at 113637.
163
See supra note 155169 and accompanying text. See also Brief of Petitioner-Appellant, supra note 161175, at 56-57 ([N]othing was taken. Intel . . . had everything after the S S D password file was copied that it had before [it] was copied.).
164 165 166
See supra note 2223 and accompanying text. See supra Part II.B.2. See Corinne Rose, Wabash Sisters Cyber-stalked, INDIANAS NEWS CENTER (June 18, 2010),
11/13/2013 1:49 PM1:48 PM
2013
839
because the case ended with a plea, and there apparently was no appeal. My knowledge of the case comes from news stories and my communications with two people involved in it.167 The perpetrator s name was Ryan Brown.168 He was 23 years old and worked at a church in Wabash, Indiana.169 For two years, he assumed the identities of two sisters one 28, the other 16 whose families attended the church. 170 Brown created Facebook pages in each of their names and pretended to be them online, posting pictures of the women, displaying their addresses and phone numbers, and even detailing their after -school activities and work places.171 Although he was charged with stalking,172 that is not what Brown did. For example, if he had intended to stalk the victims, he would have used the Facebook pages to torment the women by posting false information about them or using the pages to harass, annoy , or intimidate them.173 In other words, Brown would have needed to direct his actions at them, which is not what he did.174 The victims did not learn about the Facebook pages until the pages had been up for two years. 175 The pastor of the church the victims and Brown attended discovered the pages when he was compiling an Internet list of his congregation to take to his new position out of town.176 That brings us to why Brown created the pages: instead of using them to target the women whose personal information he appropriated, Brown employed their identities for his own purposes. He used the Facebook
http://www.indianasnewscenter.com/news/26932289.html (last visited Feb. 2, 2013).

167
See E-mails Number 1 and Number 2 from Ryan Browns S ister to S usan W. Brenner, (October 7, 2008) (on file with the author). See S usan Brenner, Weird Cyberstalking Case, CYB3RCRIM3: OBSERVATIONS ON TECHNOLOGY, LAW, & LAWLES S NES S (Aug. 18, 2008, 8:28 AM), http://cyb3rcrim3.blogspot.com/2008/08/weird-cyberstalkingcase.html?showComment=1223428440000#c6590537343896391127 (last visited Feb. 2, 2013) [hereinafter Brenner, Cyberstalking Case]; Anonymous, Comment to Weird Cyberstalking Case, CYB3RCRIM3: OBSERVATIONS ON TECHNOLOGY, LAW, & LAWLES S NES S (A UG. 18, 2008, 9:14 PM), http://cyb3rcrim3.blogspot.com/2008/08/weird-cyberstalking-case.html (last visited Feb. 2, 2013) [hereinafter Anonymous Comment]. 168 See Brenner, Cyberstalking Case, supra note 181; Anonymous Comment, supra note 181. 169 See Brenner, Cyberstalking Case, supra note 181; Anonymous Comment, supra note 181. 170 See Rose, supra note 166180; see also Anonymous Comment, supra note 181. 171 Rose, supra note 166180. 172 See infra text accompanying notes 192-95 (detailing Browns harassment charges under Indiana law).
173 174 175 176
Brenner, Cyberstalking Case, supra note 181. See id. Rose, supra note 166180. Id.
11/13/2013 1:49 PM1:48 PM
840
v. 47 | 817
pages he created in their names to have virtual sex with men around the world . . . .177 Therefore, it is reasonable to assume that Brown hoped the women would never find out about the Facebook pages .178 As long as the pages went undiscovered, Brown could continue, but the victims did find out, and when they did, the women were understandably terrified.179 Since the Facebook pages used the victims names and included their addresses, photographs, and other identifying information, they were afraid that any of the men with whom Brown fraternized online would show up at one of their homes, prepared to continue the online affair in the real world. 180 In a comment responding to my blog entry on the case, one of the victims said she and her sister had tr ied to befriend Brown, who had an unfortunate past.181 I also heard from his sister, that his mother has a professed addiction to sex and using the Internet to meet people and his father is a convicted child molester and molested Brown when he was a child.182 Brown was charged with felony stalking and misdemeanor harassment.183 Under Indiana law felony stalking is tantamount to aggravated harassment;184 an analysis of the viability of both charges necessarily begins with whether Brown committed harassment. In diana law defines harassment as conduct directed toward a victim that includes but is not limited to repeated or continuing impermissible contact that would cause a reasonable person to suffer emotional distress and that actually causes the victim to suffer [such] emotional distress.185 Indiana Code 35-45-10-1 incorporates the requirement that the offender s conduct be directed toward the victim into the separate offense of stalking by defining stalking as a course of conduct involving repeated or continuing harassment of another.186 While Brown s actions eventually caused his victims to suffer
177 178
Id. Brenner, Cyberstalking Case, supra note 181. 179 Anonymous Comment, supra note 167181 (My sisters life and mine have been put in danger, yes we have taken precautions but it's still not much more reassuring.). The woman who posted this comment also noted that [they]are not quick to trust people anymore. Id.
180 181
Id. Id. 182 E-mail Number 1 fro m Ryan Browns sister to S usan Brenner, supra note 167181; see also Anonymous Comment, supra note 180194.
183 184
Rose, supra note 180 . See IND. CODE A NN. 35-45-10-5 (West 2012) (criminalizing the offense of stalking as a Class D felony); 35-45-10-1 (defining to stalk). 185 35-45-10-2. 186 See 35-45-10-1; see also 35-45-10-5(a) (A person who stalks another commits stalking, a Class D felony.).
11/13/2013 1:49 PM1:48 PM
2013
841
emotional distress, the effects were indirect (and perhaps unintended). 187 He did not engage in conduct that was specifically directed toward either or both of the victims.188 Brown therefore did not commit either harassment or felony stalking in violation of Indiana law. Due to an agreement between parties, the case was resolved by Brown pleading to a lesser charge and serving a short jail sentence.189 b. Theft Issue
There is no indication that the prosecutor in the Brown case consideredand rejectedthe possibility of charging Brown with theft, even though he clearly took something from his victims. As one of them explained:
He did not just ta ke our name s for a spin. He made the se profile s for ove r two ye ars. Thats [sic] not just fun and game s. Its [sic] obse ssive and sick. He kne w what his inte ntions we re and it was [sic] to sabatodge [sic] mine and my siste rs [sic] ide ntitie s and live s.190
Even if I am correct, it would not, and should not, absolve Brown of liability if his conduct constituted a crime other than harassment or stalking. The crime Brown actually committed was a type of theft more precisely, a type of identity theft. In saying that, I do not refer to identity theft as it is usually defined.191 As Professor Green notes, identity theft is
187
See supra text accompanying note 187 (noting that it is reasonable to assume the thing Brown wanted was for his victims to discover his actions). 188 See supra notes 182-83 and accompanying text. 189 According to an e-mail from his sister, both agreed that a jury would convict if he went to trial on the original charges and he would be in prison until it was overturned (and they both agreed it would be overturned) on appeal. E-mail Number 1 from Ryan Browns sister to S usan Brenner, supra note 167181. Browns defense attorney and the prosecutor therefore negotiated a deal, under which he pled guilty to misdemeanor harassment charges in return for which the prosecution dropped the felony stalking charge. E-mail Number 2 from Ryan Browns sister to S usan Brenner, supra note 167181. E-mail 190 Anonymous Comment, supra note 167181. 191 The crime is variously referred to as identity theft and identity fraud, for no apparent reason. There is generally little, if any, substantive difference between the two offenses. See, e.g ., S amuel H. Johnson, Who We Really Are: On the Need for the United States to Adopt the European Paradigm for Identity Fraud Protection, 15 CURRENTS : INT' L TRADE L.J. 123, 123 (2006) (indicating that the difference between the terms is a matter of preference). But see KAN. S TAT. A NN. 21-4018 (2007 & S upp. 2010) (distinguishing identity theft and identity fraud). My theory is that we have two terms because one focuses on the act by which the criminal obtains the personal identifying information (theft) and the other focuses on what the criminal does once he or she has acquired the information (fraud). See S usan W. Brenner, Identity Theft , CYB3RCRIM3: O BSERVATIONS ON TECHNOLOGY, LAW & LAWLESSNESS (Nov. 14, 2008, 8:02 AM),
11/13/2013 1:49 PM1:48 PM
842
v. 47 | 817
normally a financial crime.192 The perpetrator unlawfully obtains another person s personal identifying information and uses it to enrich himself. 193 The victim s identity is the tool the criminal uses to commit fraud, i.e., to persuade a person or an entity to part with something of value under false pretenses.194 The victim consequently suffers financial harm: He or she may find him- or herself liable for debts incurred by the perpetrator see his, or her credit rating decline or suffer other, similarly tangible harms.195 Ryan Brown did not commit identity theft in this sense when he misappropriated the personal identifying information of his victims and used it for his own purposes.196 His concern was with sexual gratification rather than financial aggrandizement.197 But the fact that he did not commit identity theft in the sense in which the term is commonly used does not mean that Brown did not steal something from his victims something that is far less tangible than the funds at issue in the Bullitt County case or even the password at issue in the Schwartz case. I will address this issue in more detail in Part II.
http://cyb3rcrim3.blogspot.com /2008/11/identity -theft.html. S ince my concern in the discussion above is on the harm the misappropriation of someones identity causes that person, the analysis focuses on the theft crime, rather than on the fraud crime.
192
See G REEN, supra note 2 at 240-45. This is generally true of identity theft, or identity fraud, as it is defined under state law; some states define the crime more broadly, but the primary focus tends to be on the use of personal identifying information to commit theft or fraud. See, e.g., A LA. CODE 13A-8-192(a) (LexisNexis 2005 & S upp. 2010); COLO. REV . S TAT. 18-5902(1)(a)-(d) (2011); IOWA CODE A NN. 715A.8(2) (West 2003); O KLA. S TAT. A NN. tit. 21, 1533.1(A) (West 2002 & Supp. 2013); S.C. CODE ANN. 16-13-510(B) (2003 & S upp. 2012). The federal identity theft statute encompasses the use of such information for these purposes, but sweeps more broadly. See 18 U.S .C. 1028(a) (2006). 193 See, e.g. , CONN. G EN. STAT. 53a-129a(a) (West 2011) (A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain . . . money, credit, goods, services [or] property . . . without the consent of such other person.); see also A LA. CODE 13A-8-192(a) (2012); IOWA CODE ANN. 715A.8(2) (West 2012); S .D. CODIFIED LAWS 22-40-8 (2012).
194 195
See, e.g., People v. DeBranc he, 954 N.Y.S .2d 862, 863 (N.Y. Crim. Ct. , Dec. 7, 2012). See, e.g. , Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability , 57 S .C. L. REV . 255, 299 (2005) ([Identity theft losses] include, but are not limited to: (1) out-ofpocket expenses incurred to restore a good credit rating; (2) personal time spent on that task; and (3) lost opportunities resulting from bad credit.); see also Sights of Identity Theft, FED. TRADE COMMN, http://www.consumer.ftc.go v/articles/0271-signs-identiy-theft (last visited Apr. 21, 2013) (noting that identity thieves can run up charges on the victims credit card or open credit cards in the victims name).
196
At least some of the information Brown used would qualify as personal identifying information under state identity theft/fraud statutes. See, e.g., CONN. G EN. S TAT. A NN. 53a129a(b) (West 2011); NEB . REV. S TAT. A NN. 28-636(2) (West 2012); N.M. S TAT. A NN. 30-1624.1(C)(2) (West 2012).
197
See supra note 189 and accompanying text.
11/13/2013 1:49 PM1:48 PM
2013
II.
843
Cyberspace, Theft, and Nuance
[A] taking is essential to a larceny. . . .198 My goal for this Article is to advocate for expanding the traditional notion of theft so the crime can encompass at least some of the nuanced types of theft that are emerging in cyberspace. It seems to me that, particularly in light of Professor Green s analysis of theft law, the central issue that arises with regard to cyber theft 199 is whether there has been a taking. The cases examined above each illustrate a different way in which our use of cyberspace can impact the notion of a taking. 200 The issue we will examine below is the extent to which the particular impact involved in each of those cases alters the concept of a taking and thereby makes the application of theft law more or less problematic. A. The Bank Job: Revisited As we saw above, the Bullitt County episode raises few, if any, issues about the existence of a taking.201 Unlike traditional bank thieves, the unknown perpetrators did not extract gold, silver , or physical currency from Bullitt County s bank account, but their actions had the same effect. 202 The wire transfers of the County s funds to the mules and then out of the country into accounts controlled by the perpetrators effected a zero-sum taking, the base consequences of which are functionally indistinguishable from the consequences of the thefts carried out by Bonnie and Clyde and other traditional bank robbers.203 In both, the victim was deprived of its property as the result of a taking by the perpetrator, i.e., the possession and use of the property was completely transferred from the former to the latter.204 So, if U.S. law enforcement officers were able to apprehend the Bullitt County perpetrators and bring them to this country for prosecution,205 they could be charged with, and presumably convicted of, bank theft in violation of federal and/or state law. As to the former, section 2113(b) of Title 18 of the U.S. Code makes it a federal crime to take and carry away, with intent to steal or purloin, any property or money . . . exceeding $1,000 belonging to, or in the care,
198 199
S tate v. Higgins, 1 N.C. (Mart) 36, 40 (1792). See generally supra Part I.A. (defining and analyzing the definition of cyber theft). 200 See supra Part I.B. 201 See supra text accompanying notes 76-79, 91-102. 202 See supra Part I.B.1.a. 203 See supra text accompanying notes 55-64; see also infra text accompanying note 229 . 204 Compare supra Part I.B.1.b. (describing the role of talking in the Bullitt County Theft), with supra text accompanying notes 14-16 (providing the traditional definition of theft).
205
See supra notes 97-99, 131-39 and accompanying text.
11/13/2013 1:49 PM1:48 PM
844
v. 47 | 817
custody, control . . . or possession of a bank. The base penalty for the crime is a fine and/or imprisonment for up to ten years. 206 In a similar vein, section 514.030(1) of the Kentucky Revised Statutes makes it a Class C felony to take movable property of another with intent to deprive him thereof if the property s value is equal to or greater than $10,000. Section 532.060(2)(c) of the Kentucky Revised Statutes states that the authorized maximum term of imprisonment for a Class C felony is not less than five (5) years nor more than ten (10) years. These sentences define the penalties that can be imposed on one who merely steals money from a bank or other financial institution. In other words, they address the harm that simple theft the loss of property inflicts on the victim. Because criminal law long ago concluded that the use of force to physically take property from the victim inflicts or threatens the infliction of an added harm the risk of injury to the victim from whom the property is forcibly taken it created the aggravated crime of robbery, which also encompasses armed robbery.207 For example, 2113(a) of Title 18 of the U.S. Code makes it a federal crime to, by force and violence, or by intimidation, take from the person or presence of another money or any other thing of value in the care, custody, control . . . or possession of a bank. The base penalty for federal bank robbery, including armed bank robbery, is a fine and imprisonment for up to twenty years. 208 And under Kentucky law, one who uses or threatens the in between immediate use of physical force upon another, including the use or threat of use of a dangerous or deadly weapon, with the purpose of committing theft commits robbery in the first degree, commits a Class B felony.209 As to penalties, section 532.060(2)(b) of the Kentucky Revised Code states that the authorized maximum term of imprisonment for a Class B felony is not less than ten (10) years nor more than twenty (20) years. Both jurisdictions therefore punish bank robbery, including armed bank robbery, twice as severely as they punish simple bank theft. This is
206
See 18 U.S .C 2113(b) (2006). For specific sentencing standards, see U.S . S ENTENCING G UIDELINES M ANUAL 2B3.1 (2012). 207 See, e.g. , WAYNE R. L AFAVE, S UBSTANTIVE CRIMINAL L AW 20.3, at 996-97 (4th ed. 2003) (Robbery . . . may be thought of as aggravated larcenymisappropriation of property under circumstances involving a danger to the person as well as a danger to property and thus deserving of a greater punishment than that provided for larceny.); see also Green, supra note 2, at 116-18.
208
See 18 U.S .C. 2113(a). As to armed robbery, see , for example , U.S . S ENTENCING G UIDELINES M ANUAL 2B3.1(b)(2) (explaining the level of punishment issued in relation to whether and to what extent the perpetrator used, possessed, or discharged a firearm or other dangerous weapon during the robbery).
209
See KY. REV . S TAT. A NN. 515.020(1) (West 2012).
11/13/2013 1:49 PM1:48 PM
2013
845
also true in domestic and international jurisdictions, the penalties for robbery are invariably higher than for other forms of theft this tends to be true in most, if not all, jurisdictions.210 Since cyber-thieves like the ones who extracted almost half a million dollars from Bullitt County s bank account do not use force, violence, or intimidation to take money from the person or presence of their victims; they cannot be charged with either bank robbery or armed robbery and consequently would not face enhanced penalties in the unlikely event they were apprehended and prosecuted by federal and/or state authorities.211 That outcome is perfectly sensible insofar as the policies responsible for imposing enhanced penalties on bank robbers are concerned.212 But as we saw earlier, the distinct methodology employed by transnational cyber-bank-thieves inflicts a new, exacerbative harm that is found neither in simple bank theft nor in bank robbery the diminished likelihood that the perpetrators will be caught and punished for their crimes.213 The undeniable fact is that, as things currently stand, the Bullitt County perpetrators and their extraterritorial colleagues who steal money and other items of value from U.S. victims have almost no chance of being apprehended and prosecuted in the United States. Cyber theft is a low-risk, high-reward endeavor,214 which is an untenable state of affairs for this
210 211
G REEN, supra note 2, at 116-18. See supra notes 217-18 and accompanying text; see, e.g., Indictment at 2, 5, United S tates v. Elias, No. 12-20401, at 2, 5 (S .D. Fla. 2012), available at http://www.justice.gov/usao/fls/PressReleases/Attachments/120607 -01.Indictement.pdf (Counts 1-17); Press Release, Federal Bureau of Investigation, Miami Division, Fourteen Defendants Charged in Cyber Bank Fraud S cheme (June 7, 2012), available at http://www.fbi.gov/miami/press-releases/2012/fourteen-defendants-charged-in-cyber-bankfraud-scheme; Dan Kaplan, Fourteen Busted on Online Banking Theft Charges, S C M AGAZINE (June 11, 2012), http://www.scmagazine.com/fourteen-busted-on-online-banking-theftcharges/article/245246/ (stating cyber-bank thieves operating from within the United S tates were captured and were charged with, among other things, bank fraud in violation of federal law).
212
See Neil S chwartzman, Kidnapping, Theft and Rape Are Not Cyber Crimes, CIRCLE ID (Nov. 2, 2010, 9:14 AM), http://www.circleid.com/posts/kidnapping_theft_and_rape_are_not_cyber_crimes/; supra notes 217-18 and accompanying text.
213
See S chwartzman, supra note 228; supra Part IB.1.b. (explaining that cyber-bank thieves who are foolish enough to operate from within the United S tates and target U.S . financial institutions are, on the other hand, very likely to be caught and punished); e.g., Kaplan, supra note 211227.
214
See supra Part I.B.1.b. One reason why online bank theft is a particularly high-reward endeavor is the fact that it can be automated. See, e.g., Joseph Menn, New Bank Theft Software Hits Three Continents: Researchers, REUTERS (June 26, 2012), http://www.reuters.com/article/2012/06/26/us-online-bankfraud-idUS BRE85P04620120626.
11/13/2013 1:49 PM1:48 PM
846
v. 47 | 817
country.215 It is an untenable state of affairs because most theories of criminal deterrence emphasize that people comply with the law because they decide, after a calculation of the likely costs and benefits of the crime, to forego the criminal conduct.216 This calculation of risk includes the likelihood of being caught and the severity of punishment. 217 The problem the United States must confront is that the calculation of risk for those contemplating cybercrime, including cyber-bank-theft, currently involves high rewards and a correspondingly low likelihood of being caught and punished.218 In an ideal world, authorities would address this problem by increasing the likelihood that offshore cyber thieves would be arrested and brought to this country for prosecution and punishment. Authorities did something similar in the early twentieth century, when criminals like Bonnie and Clyde could rob a bank in Texas and then flee across the state line into Oklahoma, where Texas officers could not follow them.219 This put the United States in a position analogous to the position U.S. law enforcement currently occupies with regard to transnational cybercriminals: The diminished risk of apprehension resulting from jurisdictional boundaries erodes the disincentive to engage in criminal activity.220 We addressed the mobile-bank-robber problem by federalizing the crime, which meant the Federal Bureau of Investigation could pursue bank robbers across state lines and apprehend them. 221 Unfortunately a similar solution is, at least for now, not a viable solution to the problem of transnational cybercrime.222 But the risk of being caught is not the only factor prospective criminals consider in deciding whether to pursue crime. They also evaluate the severity of the penalties that will be imposed if they are apprehended and
215 216
See Brenner, Distributed Security , supra note 3 at 2-5; supra Part I. Geraldine S zott Moohr, An Enron Lesson: The Modest Role of Criminal Law in Preventing Corporate Crime, 55 FLA. L. REV . 937, 956 (2003); see also supra note 7677 and accompanying text.
217 218
Moohr, supra note 232, at 956-57. S ee id.; Greg Farrell & Michael A. Riley, Hackers Take $1 Billion a Year as Banks Blame Their Clients, BLOOMBERG (Aug. 4, 2011), http://www.bloomberg.com/news/2011 -08-04/hackerstake-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.html. 219 See, e.g. , S USAN W. B RENNER, CYBERCRIME : CRIMINAL T HREATS FROM CYBERSPACE 156 (2010).
220 221
See id. See id. 222 Id. at 172-76. See also Cassandra M. Kirsch, Science Fiction No More: Cyber Warfare and the United States, 40 D ENV . J. INT' L L. & P OL ' Y 620, 640-41 (2012) (noting that the likelihood of achiev ing an international agreement on cyber threats seems implausible given Russias and Chinas refusal to sign the Convention on Cyberc rime).
11/13/2013 1:49 PM1:48 PM
2013
847
prosecuted.223 While many who study criminal deterrence argue that the risk of being apprehended is the most important factor in deterring crime, others argue that the severity of penalties can also play a role in this endeavor.224 Some may argue that if we have no viable way to increase the risk of apprehension for those who commit transnational cyber-bank-theft, there is no reason to increase the penalties for the crime. The imposition of penalties, after all, requires that the perpetrator be apprehended and brought to the jurisdiction where t he crimes were committed to be prosecuted, convicted, and sanctioned. If the likelihood of being arrested for ones cyber-crimes is minimal, at best, then what impact can the prospect of severe penalties have on actual or prospective cyber -bankthieves? I have two responses to that argument. The first is that we have nothing to lose and perhaps something to gain. If we were to approach online bank theft as a new and particularly harmful type of theft crime by creating a cyber-version of armed bank robbery (transnational-cyber theft) that alone would underscore the seriousness of the crime. Logically, the creation of the new crime could be based on the premise noted above i.e., it inflicts a new, worsening harm the effects of which cannot be adequately addressed by prosecuting a transnational-cyber-thief for bank theft.225 This harm should be conceptualized not as a new and distinct harm inflicted on the particular victim of a cyber -bank-theft, but as a systemic harm in that the scale and frequency of online bank theft at least has the potential to erode the security and stability of the United States financial system. 226
223 224
See supra note 217233 and accompanying text. E.g., Katrice Bridges Copeland, Enforcing Integrity , 87 IND. L.J. 1033, 1068 (2012) (Deterrence can be achieved through increasing either the likelihood of detection or the severity of punishment.); Michael J. Zydney Mannheimer, Not the Crime but the Cover-Up: A Deterrence-Based Rationale for the Premeditation-Deliberation Formula, 86 IND. L.J. 879, 919 (2011) (When prospective criminal offenders believe that there is a relatively low likelihood that they will be apprehended and punished quickly for a particular crime, or a crime committed in a particular manner, more suc h potential offenders will be encouraged to commit the crime. In order to balance out this increased motivation to commit the offense, the severity of punishment for the offense must be concomitantly increased.); Moohr, supra note 232, at 95657 (This calculation of risk includes the likelihood of being caught and the severity of punishment.).
225 226
See supra note 213229 and accompanying text. See, e.g. , Julie DiMauro & S tuart Gittleman, Financial Cybercrime a National Security Threat, U.S. Justice Department Official Warns, REUTERS , (S ept. 21, 2012, 4:39 PM), http://blogs.reuters.com/financial-regulatory-forum/2012/09/21/financial-cybercrime-anational-security-threat-u-s-justic e-department-official-warns/; see also Natl S ec. Council, Transnational Organized Crime: A Growing Threat to National and International Security , THE WHITE HOUSE , http://www.whitehouse.gov/administration/eop/nsc/transnational-crime/threat (last visited Jan. 29, 2013) (Through cybercrime, transnational criminal organizations pose a
11/13/2013 1:49 PM1:48 PM
848
v. 47 | 817
My second response to the argument that increasing penalties for cyber-bank-theft will have little deterrent effect on transnational cyber bank-thieves, is more practical than conceptual. While it is true that foreign cyber-thieves are rarely apprehended, sometimes an unwary cybercriminal leaves his haven in a state that does not have an extradition treaty with the United States, to visit one that has such a treaty and is willing and able to extradite him to the United States for prosecution.227 If this country had created the new crime posited above, along with particularly severe
significant threat to financial and trust systems banking, stock markets, e-currency, and value and credit card services on which the world economy depends.); cf. 3 WAYNE R. LAFAVE , SUBSTANTIVE CRIMINAL LAW 20.3 n.3, at 173 (2d ed. 2003) (The modern trend is to consider robbery as an offense against the person.). The creation of a new crime to specifically address such a systematic harm to the United S tates is far from unprecedented: Congress adopted the Economic Espionage Act of 1996 to create a national scheme to prote ct U.S . proprietary economic information. See, e.g. , R. Mark Halligan, Protection of U.S. Trade Secret Assets: Critical Amendments to the Economic Espionage Act of 1996 , 7 J. M ARSHALL REV . INTELL . P ROP. L. 656, 657 (2008). Congress recognized that protec ting U.S . trade secrets was necessary to maintain our industrial and economic edge and thus safeguard our national security. Id. (quoting S. REP. NO. 104-359, at 11 (1996)) (internal quotation marks omitted); see also H.R. REP. NO. 104-788, at 4 (1996), reprinted in 1996 U.S .C.C.A.N. 4021, 4022-23. In hearings on the proposed legislation, then Federal Bureau of Investigation Director Louis Freeh said [e]conomic espionage is the greatest threat to our national security since the Cold War. Alan Gathright & Vanessa Hua, Tech Theft Rises Amid China Ties/Growing Economic, Security Concerns, S FG ATE (Feb. 10, 2003, 4:00 AM), http://www.sfgate.com/news/article/tech-theftrises-amid-china-ties-growing-2635355.php (internal quotation marks omitted). Congress addressed this problem by creating two new theft crimes, one of which targets trade -secret theft by domestic actors. 18 U.S.C. 1832 (2006). The other targets trade -secret theft carried out by someone who intends to or is aware that the theft will benefit a foreign government, foreign instrumentality, or foreign agent. 18 U.S .C. 1831. See, e.g., U.S . D EPT. OF JUST., P ROSECUTING INTELLECTUAL P ROPERTY CRIMES 143-44 (3d ed. 2006), available at http://www.justice.gov/criminal/cybercrime/docs/ipma2006.pdf (defining trade secret). The crimes created by the Economic Espionage Act are not perfectly analogous to the transnational cyber bank theft crime hypothesized above because one targets domestic actors and the other only targets theft committed to benefit a fore ign government, instrumentality, or agent. See 18 U.S .C. 1831(a), 1832(a). The latter, though, is analogous to the crime hypothesized above because both (assuming the latter were created) would target foreign actors extracting proprietary information o r money or other financial assets from United S tates financial institutions, the net effect of which would be to harm the countrys economic stability in several ways. See 18 U.S .C. 1832(a). In other words, the Economic Espionage Act recognized that systematic harm can justify the imposition of novel types of liability. See id.
227
See, e.g., Lisa Vaas, Alleged Russian Cybercriminal Extradited to the US , NAKED S ECURITY (Jan. 19, 2012), http://nakedsecurity.sophos.com/2012/01/19/alleged-cybercriminal-extraditedusa/; see also U.S . Attorneys Office, S. Dist. of N.Y., Manhattan U.S. Attorney and FBI Assistant Director in Charge Announce Extradition of Russian Citizen to Face Charges for International Cyber Crimes, FBI (Jan. 17, 2012), http://www.fbi.gov/newyork/press-releases/2012/manhattan-u.s.attorney-and-fbi-assistant-director-in-charge-announce-extradition-of-russian-citizen-to-facecharges-for-international-cyber-crimes.
11/13/2013 1:49 PM1:48 PM
2013
849
penalties for those who commit the crime, this would allow the United States to make an example of the geographically negligent t hief. While this might have a minimal effect on transnational cyber -thieves, such an offense, with its stringent penalties, could be used to severely sanction U.S. citizens who engage in cyber -bank theft.228 At the very least, it would declare to the world that the United States takes this type of activity very seriously. B. The Password: Revisited Unlike the Bullitt County bank theft, Randal Schwarz s copying the Intel password file does raise an issue as to whether there actually was a taking of property.229 Schwarz claimed he had not taken anything from Intel because it had not been wholly deprived of its property, i.e., it still had the passwords and they still were capable to serving their intended purpose.230 While the prosecution argued that there had, in fact , been a taking of Intel s property because by copying the passwords, Schwarz stripped them of their value by rendering them useless for their only purpose, which was protecting access to information in Intel s SSD computers. 231 From an empirical perspective, both were correct: Intel did, indeed, still have the passwords, and they still served to provide access to the SSD computers. But Intel had also lost a measure of its property because its loss of exclusive access to and control of the passwords meant they were no longer capable of ensuring that unauthorized parties could not access the SSD computers. We therefore have what I refer to as non-zero-sum theft.232 As I noted earlier, this type of theft differs from the traditional, common law theft in that the victim is not wholly deprived of the possession and use of the property. Instead, under the Black s Law Dictionary formulation of theft, the thief has interfered with the victim s possession and use of the property, an affront to ownership which is conceptualized as involving a less than absolute deprivation of the property. 233 Professor Green accepts this less-than-zero-sum notion of theft, noting that twenty -first century theft statutes should leave open the possibility that theft can occur even when the victim still has the property . . . so long as he has been deprived
228
See, e.g. , Kaplan, supra note 211227 (discussing the prosecution of U.S .-based c yber-bank thieves).
229 230 231 232 233
See supra See supra See supra See supra See supra
Part I.B.2.b. note 144156 and accompanying text. note 144156 and accompanying text. notes 20-2223 and accompanying text. notes 18-19 and accompanying text.
11/13/2013 1:49 PM1:48 PM
850
v. 47 | 817
of the basic value of the property.234 Professor Green and I seem, then, to be in agreement on this basic proposition. However, I chose to include a consideration of the Schwarz case in this article because it goes to an issue I do not believe Professor Green explicitly incorporates into his analysis. His premise, what I refer to as non-zero-sum theft, should to some extent be incorporated into twenty first century theft statutes. It seems primarily to be based on a desire to protect intangible property that has inherent financial value, e.g., intellectual property, virtual property and at least certain types of services.235 I would agree that this type of property can be stolen, i.e., subject to a taking, and should therefore be protected by modern theft statutes. I do not, however, think that this is the only type of intangible property that should be protected by such statutes, which is why I chose to focus on the Schwarz case. The passwords themselves have no intrinsic financial value; their value, for the purposes of a theft analysis, lies in their utility, i.e., in how the thief can manipulate them to acquire financial and/or other types of value. The passwords had value because the thief, or the person to whom the thief sold them, could use the passwords to access the SSD computers and perhaps acquire information that could be sold for a profit (depending on the nature of the data contained in the computers). In this scenario, one could argue that there was essentially a two-stage taking. The thief stole the passwords, which had no intrinsic financial value, but then used them to access the SSD computers and acquire data that did, in fact, have such value. This scenario is functionally analogous to the takings of intangible property Professor Green discusses, i.e., the elongated course of conduct ultimately results in the taking of property that has inherent financial value. Alternatively, the person who acquired the passwords from th e thief could use them to access the SSD computers and destroy or alter some or all of the data they contained. This scenario seems to fall outside Professor Green s approach to what I refer to as non-zero-sum theft because: (1) the passwords themselves have no inherent financial value and (2) they are not used to generate financial value. They are, instead, used to destroy property that had financial value. If one focuses on theft as necessarily involving property that has (or perhaps can generate) financial value, then this scenario would appear to fall outside the realm of theft. 236
234 235
Green, supra note 2, at 272. See id. at 64-68, 234-49, 264-67. 236 That does not mean that the perpetrator in this scenario could not be prosecuted for what she did. I am assuming the perpetrator accessed the computer containing the passwords without being authorized to do so, which is a crime under both state and federal law and
11/13/2013 1:49 PM1:48 PM
2013
851
There is also another scenario: The thief copies the password file for the SSD computers, takes the copy, and is immediately apprehended. The thief has simply copied the passw ords; he or she has not (yet) used them to commit any incremental harms, such as obtaining data from the SSD computers and selling it to obtain financial value, or destroying data in the computers. One could approach this as an attempt crime, i.e., arguing that copying the passwords was a substantial step toward using them to obtain financial value or destroying data, but it is quite possible that the person simply intended to copy the passwords perhaps, like Schwarz, for his own, unformulated ends. Would there be a taking? I argue that a taking occurred because Schwarz deprived Intel of an increment of the passwords value. As the passwords could still be used to access the SSD computers, although they had lost that portion of their value which arose from ensuring that only authorized users accessed the computer. Is that a commodity that has value which requires protection by theft law? I think it is. The mere copying of data that has no intrinsic financial value but has what I shall refer to as artifactual value is a taking that should be encompassed by twenty-first century theft law.237 Common-law theft and post-common-law theft both arose in and were designed for a world in which property was tangible, which meant that if I took your property you were, by definition, wholly deprived of it. We inhabit a world in which property is increasingly intangible, a state of affairs that is likely to become more pronounced. As property becomes intangible, it has a tendency to migrate further and further from a person s control. I, for example, use Dropbox, an online data-archiving system, to back up my data and to ensure that I can access all of my data from either of the laptops I use.238 So my intangible property migrates online; I have no idea where it is stored. My only means of access to it, and my only means of preserving it as mine, is my password. If someone were to infiltrate one of my laptops and copy my password, would that be a taking? One could argue that it is a step toward a taking but is not a taking in and of itself because the password has no intrinsic financial value. I do not see the scenario that way. To me, in this scenario I
destroying property inside the S SD computers would exacerbate the penalties for the access crime or could constitute another computer crime. See, e.g., 18 U.S.C. 1030(a)(5) (2006); HAW. REV . S TAT. 708-892(1) (West 2012); IND. CODE A NN. 35-43-1-4 (LexisNexis 2009); V A. CODE A NN. 18.2-152.4 (2009). 237 By artifactual value, I mean that the intangible property can be used ( 1) to acquire, erode or destroy property that has financial value or (2) to erode or destroy the non financial value (e.g., security, privacy) of other types of property. (I assume that the person who takes property that neither has nor can generate fi nancial value has no interest in simply acquiring it.)
238
See D ROPBOX, https://www.dropbox.com/ (last visited Feb. 3, 2013).
11/13/2013 1:49 PM1:48 PM
852
v. 47 | 817
have lost somethingcontrol over my property. I may still be able to use the password to access my files, but I have lost the sense of privacy and security my exclusive possession of the password provides. I would encourage Professor Green to expand his approach to the theft of intangibles to encompass what I refer to as intangible property that has artifactual value. C. The Identities: Revisited This scenario obviously raises new and difficult issues as to the nature and scope of theft and takings of property. While the Brown case involves what could, in a literal sense, be referred to as identity theft, it does not implicate the crime as it currently exists. As I noted above, the current crime of identity theft is a crime that involves the misappropriation of financial value: the identity thief obtains an innocent person s personal identifying information and uses it, without that person s permission, to obtain financial value of varying types.239 This is unlike Brown, who used the personal identifying information of the two women he victimized for his own sexual pleasure.240 As noted above, one of the victims described what Brown did as tak[ing] our names for a spin.241 Here, as an empirical matter, we have a non-zero-sum taking the theif did not use information acquired to obtain financial value. 242 As to whether Brown took intangible property that had artifactual value, 243 that is a difficult question. I do not think he intended to deprive the victims of any or all of the privacy or security of their personal information. Deprivation implies that the thief intends to, or at least realizes that, the victim will at least ultimately realize that something has been taken from him or her.244 I think Brown assumed, and hoped, that the women whose identities he used would never know what he had done, and they might
239
See supra notes 191206-12 and accompanying text. At least one state has an identity theft statute that encompasses the infliction of non-financial harm. Wisconsin makes it a crime to use any personal identifying information . . . of an individual . . . without the authorization or consent of the individual and by representing that he or she is the individual in order to harm the reputation . . . of the individual. WIS. S TAT. 943.201(2)(c) (2012); see, e.g., S tate v. Baron, 769 N.W.2d 34, 36-37 (Wis. 2009) (upholding conviction of one who posed as his supervisor by sending an e-mail that was designed to jeopardize the supervisors reputation and that resulted in his committing suicide). 240 See supra note 177191 and accompanying text. 241 See supra note 190204 and accompanying text. 242 See supra notes 191206-12 and acco mpanying text. See generally supra note 235251 and accompanying text.
243 244
See supra note 237253 and accompanying text; see also supra Part II.B. See supra notes 14-19 and acc ompanying text.
11/13/2013 1:49 PM1:48 PM
2013
853
not have, had their pastor not been transferred to another church. 245 In a sense, the women in the Brown case suffered a subset of the harm that victims of financial identity theft suffer: The harm inflicted on the latter involves both the realization that they have lost at least a measure of control over their selves to a doppelganger and that they have sustained a variety of financial harm.246 The women in the Brown case only suffered the first of these harms: the doppelganger harm.247 Is that should that beenough to justify holding Brown liable for a type of theft presumably a nonfinancial type of identity theft?248 How one answers that question depends on how one conceptualizes the crime of theft or, perhaps more accurately, how expansively one conceptualizes the crime of theft. The issue, of course, is whether my identity not my identity as a tool that can be used to generate financial value but rather my selfhas value that can and should qualify for protection by the law of theft. Like Shakespeare, I believe my identity my namedoes have such value and should qualify for protection under the law of theft. 249 As Shakespeare put it,
Good name in man and woman, de ar my lord, Is the imme diate je we l of the ir souls: Who ste als my purse ste als trash; tis some thing, nothing; Twas mine , tis his, and has be e n slave to thousands: But he that filche s from me my good name Robs me of that which not e nriche s him And make s me poor inde e d.250
Writing long before filched identities could enrich the thief, Shakespeare recognized that there is intangible value in ones name or identity (value that differs from the intangible value associated with intellectual property and other commodities that have or can generate financial value). The issue then becomes whether this particular intangible value is a commodity the criminal law deems worthy of protecton. Professor Green recognizes the existence of the doppelganger harm,251
245 246
See supra note 176190 and accompanying text. See supra notes 191206-10 and accompanying text. 247 For a literary treatment of that harm, see, for example, Edgar Allan Poe, William Wilson, vol. v., no. 4, BURTONS G ENTLEMANS MAGAZINE AND A MERICAN MONTHLY REVIEW 205 (1839), available at http://www.online-literature.com/poe/47/. 248 See, e.g. , S tate v. Baron, 769 N.W.2d 34, 36, 48 (Wis. 2009). 249 See WILLIAM SHAKESPEARE , O THELLO act 3, sc. 3, available at http://shakespeare.mit.edu /othello/othello.3.3.html.
250 251
Id. See generally supra note 246262 and accompanying text.
11/13/2013 1:49 PM1:48 PM
854
v. 47 | 817
but argues that instead of being treated as a type of theft, the infliction of this particular harm should be approached as a type of false personation. 252 He notes that the crime has traditionally involved passing oneself off as a police officer or other public official, which is still true.253 For that proposition, Green cites the federal statute that makes it a crime to pretend to be a federal officer or agent in order to demand and/or obtain any money, paper, document, or thing of value.254 This statute is an institutional identity theft statute because it makes it a crime to assume an institutional identity (federal officer or agent) in order to obtain or attempt to obtain financial value.255 Therefore, the crime is not at all about an individual s unique persona the misappropriation of which is of concern to me, as well as to Shakespeare.256 Various states have false personation statutes that sweep more broadly. California, for example, makes it a crime to falsely personate[] another, and in such assumed character marries or pretends to marry .257 Idaho makes it a crime to falsely personate another and use the assumed identity to (i) [b]ecome[] bail or surety for any party in any court proceeding; (ii) verify, publish or prove in the name of another person, any written instrument with the intent that it will be recorded . . . and used as true; or (iii) do any act whereby, if it were done by the person falsely personated, he might . . . become liable to suit, prosecution or to pay money or whereby any benefit might accrue to the party personating, or to any other person.258 Additionally, as Professor Green notes, some states make it a crime to give a false name to a police officer to avoid arrest.259
252 253
See G REEN, supra note 2, at 245. Id. 254 18 U.S .C. 912 (2006). There are several analogous state statutes. See CAL . P ENAL CODE 530 (West 2012); FLA. STAT. 817.02 (West 2012); LA. REV. STAT. ANN. 14:112 (2012). See also 720 ILL . COMP. S TAT. A NN. 5/17-2 (West 2013) (making it a crime to pretend to be a representative of a charitable organization, a veteran, a law enforce ment officer, a firefighter, or a paramedic); LA. REV . STAT. A NN. 14:122.1 (2012) (establishing the crime impersonating a peace officer or firefighter); D.C. Code 22-1406 (2012) (making it illegal to falsely represent oneself as police officer).
255 256
See supra notes 191206-08 and accompanying text (discussing identity theft). See supra note 249265 and accompanying text. 257 CAL . P ENAL CODE 528 (West 2012); see 21 O KLA. S TAT. A NN. tit. 21, 1531 (West 2012). See generally D.C. CODE 22-1403 (2012) (Whoever falsely personates another person before any court of record or judge thereof, or cle rk of court, or any officer . . . authorized to administer oaths or take the acknowledgment of deeds or other instruments or to grant marriage licenses . . . with intent to defraud, shall be imprisoned . . . .).
258 259
IDAHO CODE A NN. 18-3001 (2012). See, e.g. , N.Y. P ENAL LAW 190.23 (McKinney 2012). See also G REEN, supra note 2, at 245 (citing Alvardo v. People, 132 P.3d 1205, 1205-06 (Colo. 2006) (interpreting COLO. REV. S TAT. 18-5-113 (West 2012)).
11/13/2013 1:49 PM1:48 PM
2013
855
None of these statutes address the issue noted above: the harm that results when Person A pretends to be Person B for reasons other than financial or other non-subjective gain. Brown did not assume his victims identities in order to obtain money to which he was not entitled, marry, pretend to be a state or federal official, forge a document, become a surety for a party in litigation, or avoid arrest. He was not interested in his victims identities as tools he could use to obtain money, property, or other tangible value. He used them because of and in order to enjoy the doppelganger effect, i.e., to have experiences he could have enjoyed in his true guise.260 The only statute I know of that addresses the doppelganger harm to any extent is Wisconsin Code 943.201(2)(c). The statute makes it a crime for the perpetrator to (i) use the personal identifying information of another (ii) without their authorization (iii) in order to represent himself or herself as the victim and (iv) to harm the reputation of that person.261 This statute was at issue in State v. Baron.262 The case involved Christopher Baron s prosecution for unlawfully obtaining access to his supervisor s (Mark Fisher s) e-mail account and sending e-mails from Fisher s account that purported to show he was having an extramarital affair.263 After Fisher committed suicide, Baron was prosecuted for violating Wisconsin Code 943.201(2)(c). 264 Baron successfully moved to dismiss the charge in the trial court, arguing th at it violated the First Amendment; the premise of the argument was that the statute, in effect, created a defamation crime while denying those charged the right to raise a First Amendment defense. 265 The trial court granted his motion but the Wisconsin Supreme Court reversed that decision, holding that the statute did not violate the First Amendment. 266 The offense created by Wisconsin Code 943.201(2) is an identity theft crime but, unlike most identity theft crimes, it encompasses the infliction of harms beyond financial value.267 Had Mark Fisher not killed himself, the
260 261
See supra note 186 and accompanying text. The statute also makes it a crime to use the personal information to (1) harm the victims property, person, or estate; (2) obtain financial value; or (3) avoid civil or criminal process or penalty. WIS. S TAT. A NN. 943.201(2)(a)-(c) (West 2012).
262 263
318 Wis.2d 60, 769 N.W.2d 34 (Wis. 2009). S tate v. Baron, 769 N.W.2d 34, 36 (Wis. 2009). 264 Id. 265 Id. at 37. 266 Id. at 37, 48. 267 For the proposition that 943.201(2) is an identity -theft statute, see, for example, S tate v. Peters, 665 N.W.2d 171, 175 (Wis. 2003). See also S tate v. Clacks, 338 Wis. 2d 486 (Wis. Ct. App. 2011). The Wisconsin statute at issue is a traditional identity theft statute, which makes it a crime to use anothers personal identifying information to obtain credit, money, goods,
11/13/2013 1:49 PM1:48 PM
856
v. 47 | 817
prosecution of Baron would have been designed to address the intangible harm he sustained to his reputation or, as Shakespeare would put it, his name. If the case arose in most U.S. states, there probably would not have been a prosecution. Most state (and federal) identity theft statutes target only the infliction of financial harm, which was not at issue in the Baron case. False personation is not a viable option for victims whose identities are stolen and used in ways that harm their personas, nor is defamation. Very few U.S. states make defamation a crime and when they do, it tends to be a minor misdemeanor.268 That outcome is the result of the fact that the drafters of the Model Penal Code chose not a criminalize defamation, a choice they described as [o]ne of the hardest questions they made in drafting the Code.269 Logically, one might argue that we could addr ess the doppelganger harm by encouraging states to criminalize defamation and to at least allow for the possibility that the seriousness of the crime could exceed that of defamation. That approach would address at least some of the doppelganger harm cases, such as cases like the Baron case, in which the poser s conduct inflicts damage on the victim s reputation. Such a result would seem to address the harm Shakespeare was concerned about. The problem with that solution is inadequacy. Even if we assume that a defamation prosecution would address the doppelganger harm in many online impostor cases, it would not address the residual harm that results when the imposter does not, advertently or inadvertently, use the victim s identity to harm that person. I read about something that happened to Sherry Turkle270 more a decade ago. She noted in an online post, that she had recently had a disconcerting experience: a number of people had come up to her and told her how much they enjoyed the comments she had posted the day before in an online chat room that dealt with technology. Turkle said she was taken aback, because she had not been in that chat room and had not posted the comments in question. She speculated that the event was the result of someones decision to assume her identity, basically for benign purposes, for that brief period of time. If I recall correctly (and I am unable to locate her post after all this time), Turkle said
services, employment, o r any other thing of value or benefit. See WIS. S TAT. A NN. 943.201(2)(a) (West 2012).
268
See S usan W. Brenner, Should Online Defamation Be Criminalized? , 76 M ISS. L.J. 705, 718 (2007); e.g., FLA. STAT. A NN. 836.01 (West 2012); G A. CODE ANN. 16-11-40 (West 2012); LA. REV . S TAT. A NN. 14:47 (2012); N.D. CENT. CODE A NN. 12.1-15-01(1) (West 2011); UTAH CODE A NN. 76-9-404 (West 2012).
269 270
See M ODEL P ENAL CODE 250.7 cmt. 2 at 44 (Tentative Draft No. 13, 1961). See S herry Turkle, MIT.EDU, http://www.mit.edu/~sturkle/ (last visited Apr. 17, 2013).
11/13/2013 1:49 PM1:48 PM
2013
857
she found the experience a little unnervingbecause she had, in effect, lost control of her self.271 Turkles experience may be unique to those who have attained a level of fame or credibility or it may not. Twitter impersonation apparently became so common that Twitter was forced to outlaw use of its system to impersonate others.272 The Twitter Rules advise users and prospective users that they may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse, or deceive others. 273 It seems to me that this prohibition, which of course does not impos e criminal liability on violators, addresses the doppelganger harm, i.e., the theft of another s identity (or name).274 That is, it proscribes the misappropriation of another s identity merely for the purpose of posing as that individual. As to whether the criminal law should take a similar, platform-neutral, step I think it might well be advisable to create a pure identity theft or persona theft, or perhaps more accurately, impostor crime. We might create a basic crime, which like the Twitter Rules, outlawed simply pretending to be someone else. If we were to do that, we might also want to consider creating a crime analogous to the crime at issue in Baron. People are assuming others identities online in a fashion that inflicts what I will refer to as the aggravated doppelganger harm, i.e., instead of simply posing as the other person, they pose as the person in a manner that discredits them, often in embarrassing ways. 275 Some may argue that mere embarrassment is too trivial a harm to justify the imposition of even a small measure of criminal liability on the person responsibleand that may be true. My concern, however, arises from the fact that online it is possible to pretend to be almost anyone (excluding, I assume, the President of the United States). I think the fact we do not have an identity theft crime that encompasses the doppelganger harm (and only the doppelganger harm ) is a function of the fact that until recently, it was extraordinarily difficult to credibly pose as another person.
271
For a somewhat analogous event, see Kevin Frank, Resolved: My Very Own Twitter Impersonator, FILEMAKERHACKS (Jan. 6, 2013), http://www.filemakerhacks.com/?p=6875.
272
See The Twitter Rules, TWITTER HELP CENTER, https://support.twitter.com/entries/18311 (last visited Feb. 3, 2013); see also How to Report Impersonation Accounts, TWITTER HELP CENTER, https://support.twitter.com/groups/33-report-abuse-or-policy-violations/topics/122-reportingviolations/articles/20170142-how-to-report-impersonation-accounts (last visited Feb. 3, 2013).
273 274
The Twitter Rules, supra note 272288. See supra text accompanying note 256; see also notes 247263, 259 and accompanying text. . 275 See, e.g. , S usan Brenner, Imposture, CYB3RCRIM3: O BSERVATIONS ON T ECHNOLOGY, L AW, & LAWLESSNESS (Dec. 12, 2006), http://cyb3rcrim3.blogspot.com/2006/12/imposture.html; see also Brenner, Cyberstalking Case, supra note 181.
11/13/2013 1:49 PM1:48 PM
858
v. 47 | 817
I think that is why false personation statutes tend to focus on posing as one who has a certain position, such as a police officer or a fire-fighter.276 As I tell my students when we discuss these matters in class, forty, fifty or a hundred years ago, I could not credibly pose as a male person not as a male police officer, fire-fighter, or any specific male person. And I would probably have had great difficulty posing as another female, at least as long as I was interacting with people who knew that person. Some of that difficulty no doubt persists, but it is quite possible for me to go online and perhaps after a little online research, assume the identity of the man who lives next door to me or my doctor or some other target. That is not to say I could successfully pretend to be any or all of them or in person for a long period of time. But I could pretend to be one or more of them for long enough to, at a minimum, inflict a measure of the doppelganger harm on that person.277 The issue we need to confront is whether the increasing availability and success of that tactic warrants expanding the law of theft to encompass our names.278
CONCLUSION
My goal in writing this article was to supplement Professor Green s comprehensive analysis of theft law by pointing out how the use of digital technology exacerbates what was once a straightforward crime. To that end, I have focused on three cases, which each raise an important and as of yet unresolvedissue concerning cyber theft. My purpose is simply to point out how the mass migration of activities from physical space to cyberspace can impact various aspects of the common-law crime of theft. The first two cases raise relatively straightforward issues. I doubt the criminal law system will have a great deal of difficulty deciding how, if it all, it will approach the issue raised in those cases. The third case raises an issue that was unimportant at common law , but has become increasing important as more and more aspects of our lives migrate into cyberspace: the infliction of emotional harm. In other articles, I have noted how criminal law has expanded to encompass the infliction of emotional harm in at least two areas: the relatively new crimes of stalking and harassment.279
276 277
See supra note 254270 and accompanying text. See supra notes 200-02 and accompanying text (describing traditional identity theft); supra note 256 and accompanying text (noting a difference between identify theft and the doppelganger harm); supra note 271 and accompanying text (noting a state statute that addresses the doppelganger harm).
278 279
See supra note 249265 and accompanying text. See, e.g. , S usan W. Brenner & Megan Rehberg, Kiddie Crime? The Utility of Criminal Law
11/13/2013 1:49 PM1:48 PM
2013
859
As I noted in those articles, it has been difficult, and often problematic, for criminal law to expand to include emotional harm.280 Much of that difficulty came from concerns similar to those the drafters of the Model Penal Code expressed in explaining why they chose not to criminalize defamation.281 They explained that criminal law is, and should be, reserved for harmful behavior which exceptionally disturbs the community s sense of security,282 they noted that behavior meets this standard for either of two reasons: One reason is that the harm inflicted is very grave, as in rape or murder, so that even the remote possibility of b eing similarly victimized terrifies us.283 The other is that, as in the case of petty theft or malicious mischief, the disturbance of our sense of security derive[s] from the higher likelihood that such lesser harms will be inflicted upon us by those who manifest disregard of other peoples ownership of their property. 284 The harm inflicted by online imposture obviously is not analogous to the harm inflicted by crimes such as rape or murder. But the increasingly likelihood with which online imposture is committed, in various guises, might, if not now, eventually disturb[] the community s sense of security to the point at which we decide that it should, in fact, be criminalized as a type of theft.
in Controlling Cyberbullying , 8 FIRST A MEND. L. REV . 1, 15-23 (2009) [hereinafter Brenner, Kiddie Crime ]; Brenner, Fantasy Crime, supra note 171, at 12-16. 280 See Kiddie Crime, supra note 288, at 22; Brenner, Fantasy Crime, supra note 171, at 16 . 281 See M ODEL P ENAL CODE 250.7 cmt. at 44 (Tentative Draft No. 13, 1961); see also supra note 269285 and accompanying text.
282 283 284
250.7 cmt. at 44. Id. Id.

Brenner: Bits, Bytes, and Bicycles

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Brenner: Bits, Bytes, and Bicycles

Transféré par

Droits d'auteur :

Formats disponibles

817 BRENNER .FI NAL OR .DOCX 817 B RENNER .

FI NAL (DO NOT DE LE TE)

11/13/2013 1:49 PM1:48 PM

Bits, Bytes, and Bicycles: Theft and Cyber Theft

11/13/2013 1:49 PM1:48 PM

See infra Part II.B.

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

See id. at 444.

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

See supra note 14 and accompanying text.

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

FORTINET, FORTINET 2013 CYBERCRIME REPORT 1 http://www.fortinet.com/sites/default/files/whitepapers/Cybercrime_Report.pdf.

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

See 18 U.S .C. 3181 (2006 & S upp. I 2009).

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

See supra Part I.B.1.b.

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

http://www.indianasnewscenter.com/news/26932289.html (last visited Feb. 2, 2013).

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

See supra note 189 and accompanying text.

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

Cyberspace, Theft, and Nuance

See supra notes 97-99, 131-39 and accompanying text.

11/13/2013 1:49 PM1:48 PM

See KY. REV . S TAT. A NN. 515.020(1) (West 2012).

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM

11/13/2013 1:49 PM1:48 PM

Bit s , Byt e s , a nd B ic ycle s

11/13/2013 1:49 PM1:48 PM