We need a uniform computer crimes act, not a patchwork of poorly written state laws.
By Erik J. Heels
First published 2/1/1997; Student Lawyer magazine, “Online” column; publisher: American Bar Association
When I was about 10 years old, I remember reading a little booklet published by Reader’s Digest called (I believe) “It’s the Law.” The booklet was a compilation of silly laws from around the country–such as whistling under water in Vermont being considered a crime. I have not been able to locate a copy of that booklet, but fortunately, lawmakers in this country have given me plenty to work with if I ever want to write a computer law version of that booklet.
When I started my criminal law class at the University of Maine, I immediately looked up Maine’s computer crime bill and found it to be almost as silly at the laws in that Reader’s Digest booklet. But is Maine alone in writing silly computer laws? A quick review of the laws of some other states suggests that, as Maine goes, so goes the nation.
Maine’s criminal code defines a computer virus as “any computer instruction, information, data or program that degrades the performance of a computer resource; damages or destroys a computer resource; or attaches itself to another computer resource and executes when the host computer program, data or instruction is executed or when some other event takes place in the host computer, resource, data or instruction.”
Let’s see … Many law firms have resisted upgrading from Windows 3.1 to Windows95 (or from DOS to Windows 3.1) because Windows95 degrades the performance of their computers. I remember the first time I used Windows95, and it definitely degraded the performance of my computer. Unfortunately, I was in Massachusetts at the time. If I had been in Maine, I could have pressed charges against Microsoft on the grounds that Windows95 is a virus. In fact, even screen savers fall into Maine’s very broad definition of “computer virus.”
Perhaps Maine law has changed. But according to LawSource’s American Law Sources Online website (http://www.lawsource.com/), Maine’s statutes are not yet on the Internet, so I was unable to check if the law had been updated. Fortunately, the laws of many other states are accessible via the Internet.
The Florida Computer Crimes Act, for example, (http://www.scri.fsu.edu/fla-leg/statutes/1995/CHAPTER_815.html) appears to be quite well written. But some of its provisions are also quite broad. For example, consider the following provision of Florida’s laws: “Whoever willfully, knowingly and without authorization modifies equipment or supplies used or intended to be used in a computer, computer system or computer network commits an offense against computer equipment or supplies.” An offense against computer supplies?
Now, imagine that you are a small printing press in Florida, and that you have just received an order to print letterhead for a local law firm. The law firm has instructed you that the paper is intended to be used with the firm’s laser printers. As soon as you modify the paper stock by printing the firm’s name and address on it, you have modified supplies that are intended to be used in a computer system, and you have committed a crime in Florida. Wyoming has a similar provision (http://legisweb.state.wy.us/titles/Title6.htm).
Georgia recently enacted the Georgia Computer Systems Protection Act (http://www.ganet.state.ga.us/). This overly broad law makes it a crime to set up a home page containing a corporate trade name without the permission of the corporation. So if I were to publish this article on the World Wide Web and mention Coke (http://www.cocacola.com/), I would be in violation of the Georgia law. For an extensive selection of links regarding this law, see Atlanta lawyer Jeff Keuester’s website (http://www.kuesterlaw.com/).
Why do these overly broad laws get written? In part because law enforcement agencies want the ability to prosecute new crimes with new laws, and in part because lawmakers do not, in general, have an in-depth understanding of the technologies they are trying to regulate. Or of the acts they are trying to define as crimes.
Some supporters of these computer crime laws argue that law enforcement agencies will not prosecute those who violate the letter, but not the spirit, of these new laws. In other words, we should rely on prosecutorial discretion and simply trust states like Georgia not to prosecute people for linking to the Coke website from their America Online home page. A better solution, though, is to narrow the scope of the laws so that they are not applied in an overly broad manner.
To date, I know of no prosecutions under the laws listed above. But there is ample historical evidence to suggest that law enforcement agencies will try to apply old laws to new situations.
Recall the 1994 case against David LaMacchia (http://www-swiss.ai.mit.edu/dldf/dismiss-order.html). LaMacchia was indicted for conspiracy to commit wire fraud in violation of a federal statute, despite the fact that he has not profited from his activities. The federal wire fraud statute was enacted in 1952 to combat wire fraud–the use of the telephone to defraud unsuspecting individuals.
LaMacchia was accused of running a computer bulletin board used for uploading (copying to) and downloading (copying from) copyrighted commercial software. LaMacchia apparently was aware that the copying was going on, although he has not been accused of any illegal copying. While the federal government has a very good case for saying that Mr. LaMacchia has done some things that are not very nice, it does not have a wire fraud case at all. LaMacchia’s motion to dismiss was granted, but he should never have been charged in the first place.
More recently, I heard a radio broadcast (http://newsradio88.com/schedule/saturday.html) about an appeals court that upheld the conviction of an individual who had “cloned” certain cellular telephones. The defendant appealed on the grounds that the cloning was not the same as forgery–the 19th century statute that was used to convict him. At the other end of the spectrum, Maryland recently made this same activity a felony under a new law (http://www.capitalonline.com/news/newsgen/newsgen530.html).
It is worth noting that, with the exception of the Maine law, I reviewed the laws only of those states that publish their statutory law on the Internet. Presumably, these are the most forward-thinking states, the ones that are ahead of the legal technology power curve. While a comprehensive review of the computer crime laws of all 50 states is beyond the scope of what I can cover here, I suspect that the laws of those states that have not published on the Internet are as bad as–if not worse than–those that have published on the Internet.
And consider a modern application of the Maine law. Downloadable applications are becoming increasing popular on the Internet. By incorporating software into Web browsers (most notably Netscape Navigator and Microsoft Internet Explorer) that can interpret computer programs on the fly, interactive features can be built into websites.
For example, Java is a programming language that allows for this sort of functionality. Netscape Navigator comes complete with a Java interpreter. So unlike most computer programs (which must be compiled into executable binary code by a compiler), Java programs are interpreted in real type by the client’s Web browser. For more information on how Java works, see the website of Sun Microsystems (http://www.sun.com), the folks who wrote Java. Java is to the World Wide Web as the graphical user interface was to the personal computer. It is changing the way people communicate, compute and publish. As in Maine, Java is a computer virus, because it executes when some event takes place in the client’s computer. Beware of the Java police in Maine.
I think we need a Uniform Computer Crimes Act. The most important–and most successful–of the uniform acts is the Uniform Commercial Code (UCC). The reason the UCC has been so widely adopted is because it is a very good codification of the law, and it is essential for commercial transactions to be conducted according to similar laws due to the interstate nature of commerce. The same can be said of the Internet. The Internet touches and concerns commerce and is (at the very least) interstate in nature. What we don’t need is a patchwork of poorly written, overly broad computer crime laws.
I feel that Internet service providers, bulletin board system operators and end users would applaud a standard definition and application of computer crime. If such an act could be written, it would put an end to laws like the Georgia Computer Systems Protection Act. So far, we have survived without such an act, but the Internet continues to grow, and, unfortunately, the legal growing pains that are resulting are becoming more frequent and more painful.