COMPUTER CRIMES
I. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
II. COMPUTER INTRUSION AND FRAUD. . . . . . . . . . . . . . . . . . . . . . . . . 444
A. Botnets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
B. Spyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
C. Ransomware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
D. Viruses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
E. Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
F. Trojan Horses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
G. Logic Bombs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
H. Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
I. Denial of Service Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
J. Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
K. Spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
L. Phishing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
III. FEDERAL APPROACHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
A. The Computer Fraud and Abuse Act 449
. . . . . . . . . . . . . . . . . . .
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
2. Provisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
3. Penalties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
4. Proposed Reform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
B. First Amendment and Online Speech . . . . . . . . . . . . . . . . . . . 454
1. Threat Speech . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
2. Child Pornography and Sexual Communication with
Minors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
3. Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
4. Anonymous Speech . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
5. Miscellaneous Exceptions. . . . . . . . . . . . . . . . . . . . . . . . 459
C. Traditional Crime. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
1. Property Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
2. Identity Theft. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
3. Wire Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
4. Facilitating Prostitution and Section 230 . . . . . . . . . . . . . 462
D. Fourth Amendment Search and Seizure . . . . . . . . . . . . . . . . . 463
1. Scope and Execution of a Search . . . . . . . . . . . . . . . . . . 465
2. Third-Party Doctrine . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
E. Electronic Surveillance & the Electronic Communications
Privacy Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
1. Categorization of Information . . . . . . . . . . . . . . . . . . . . . 470
2. Components of the ECPA . . . . . . . . . . . . . . . . . . . . . . . . 472
441
a. Pen/Trap. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
b. Wiretap Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
c. Stored Communications Act . . . . . . . . . . . . . . . . . . 474
3. Exceptions and Defenses . . . . . . . . . . . . . . . . . . . . . . . . 477
IV. STATE APPROACHES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
A. Structure of State Criminal Codes . . . . . . . . . . . . . . . . . . . . . 478
B. State Computer Crime Initiatives . . . . . . . . . . . . . . . . . . . . . . 478
1. Online Harassment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
2. Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
3. Unauthorized Access, Hacking, Spyware, and Phishing . . 479
4. Protection of Personal Information . . . . . . . . . . . . . . . . . 479
5. Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
6. Jurisdiction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
7. Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
V. ENFORCEMENT CHALLENGES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
A. Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
B. Extraterritoriality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
C. International Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
D. Rules of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
I. INTRODUCTION
The U.S. Department of Justice (“DOJ”) broadly defines computer crime—also
known as cybercrime—as crime that “use[s] or target[s] computer networks.”
1
U.S. DEP’T OF JUST., PROSECUTING COMPUTER CRIMES (2d ed. 2010) [hereinafter PROSECUTING COMPUTER
CRIMES], http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf; see also Crime, BLACK’S LAW
DICTIONARY (12th ed. 2024) (defining computer crime similarly).
Although
cybercrime includes traditional crimes, such as fraud or theft committed using a com-
puter,
2
it also encompasses unique, computer-specific crimes like hacking.
3
To combat
cybercrime, prosecutors rely on a combination of traditional criminal law—such as pro-
hibitions on theft and narcotics trafficking—and technology-specific federal legislation—
such as the Computer Fraud and Abuse Act—to combat illicit cyberspace activities.
4
Though cybercrime is prosecuted at the state and federal levels, its frequency is
hard to measure.
5
See, e.g., COUNCIL OF ECON. ADVISERS, EXEC. OFF. OF THE PRESIDENT, THE COST OF MALICIOUS CYBER
ACTIVITY TO THE U.S. ECONOMY 30 (2018) [hereinafter THE COST OF MALICIOUS CYBER ACTIVITY], https://
trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-
Economy.pdf (“[T]he field of cybersecurity is plagued by insufficient data, largely because firms face a strong
Commercial entities and institutions that learn of an intrusion are
1.
2. See infra Section III.C.
3. See, e.g., 18 U.S.C. §§ 1029–1030, 1037; Stephen Cobb, Advancing Accurate and Objective Cybercrime
Metrics, 10 J. NAT’L SEC. L. & POL’Y 605, 610 (2020) (listing examples of cybercrimes and explaining that
“some computer crimes are unique to computers while others are traditionally prohibited forms of human
misbehavior enhanced by technology”).
4. See, e.g., United States v. Sterlingov, 573 F. Supp. 3d 28, 33 (D.D.C. 2021) (prosecuting money laundering
and other financial crimes committed in cyberspace); Counterfeit Access Device and Computer Fraud and Abuse
Act of 1984, Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified at 18 U.S.C. § 1030).
5.
442 AMERICAN CRIMINAL LAW REVIEW [Vol. 62:441
disincentive to report negative news.”); cf. Cobb, supra note 3, at 605–06 (arguing that “[e]ven the most affluent
of nations have not yet managed to consistently generate acceptable statistics about any crimes, cyber or non-
cyber”).
6.
often reluctant to report the event due to fear of negative publicity, reduced con-
sumer trust, and increased regulatory scrutiny.
6
See Lesley Fair, FTC Addresses Uber’s Undisclosed Data Breach in New Proposed Order, FED. TRADE
COMM’N BUS. BLOG (Apr. 12, 2018), https://www.ftc.gov/news-events/blogs/business-blog/2018/04/ftc-
addresses-ubers-undisclosed-data-breach-new-proposed (describing the FTC’s revised consent order against
Uber after Uber failed to disclose its 2016 breach); see also Robert Lemos, Companies Fall Shot on Mandatory
Reporting of Cybercrimes, DARK READING (June, 2, 2020), https://www.darkreading.com/attacks-breaches/
companies-fall-short-on-mandatory-reporting-of-cybercrimes/d/d-id/1337977 (citing the ISACA “State of
Cybersecurity 2020” report finding 62% of 2,051 surveyed cybersecurity professionals think their companies
under-report cybercrimes); KENNETH OLMSTED & AARON SMITH, PEW RSCH. CTR., AMERICANS AND
CYBERSECURITY 3–4 (2017).
Such disincentives to reporting
cybercrime, the difficulty of detecting it, and the dual systems of state and federal
prosecution
7
make calculating the total damage and frequency of cybercrime diffi-
cult.
8
THE COST OF MALICIOUS CYBER ACTIVITY, supra note 5, at 30; see also Josephine Wolff, The Real
Reasons Why Cybercrimes May Be Vastly Undercounted, SLATE (Feb. 12, 2018) https://slate.com/technology/
2018/02/the-real-reasons-why-cybercrimes-are-vastly-underreported.html (describing why companies may be
reluctant to report accurate numbers regarding cybercrime); cf. Cobb, supra note 3, at 617–18 (outlining
additional challenges in calculating the frequency of cybercrime, including using an outdated conceptualization
and focus on crimes against people rather than commercial organizations in reporting surveys).
Although the legislative
9
Rebecca Beitsch, Spending Bill Includes Large Funding Increase to Boost Cybersecurity, THE HILL (Mar.
11, 2022, 4:30 PM), https://thehill.com/policy/national-security/597902-spending-bill-includes-large-funding-
increase-to-boost-cybersecurity/.
and executive
10
See Press Release, U.S. Dep’t. of Just., Former Chief Security Officer of Uber Convicted of Federal
Charges for Covering Up Data Breach Involving Millions of Uber User Records (Oct. 5, 2022), https://www.
justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach.
branches have made recent efforts
to improve reporting of cyber incidents, it is too early to assess their impact.
Regardless, regular news alerts of compromised consumer accounts
11
See, e.g., Chloe Veltman, Millions of Customers’ Data Found on Dark Web in Latest AT&T Data Breach,
NPR (Mar. 30, 2024, 5:46 PM), https://www.npr.org/2024/03/30/1241863710/att-data-breach-dark-web; Alex
Baker-Whitcomb, WhatsApp Was Hacked, Your Computer Was Exposed, and More News, WIRED (May 14,
2019, 6:41 PM), https://www.wired.com/story/whatsapp-hack-intel-vulnerability-todays-news/.
and recur-
ring threats to U.S. companies and individuals
12
See, e.g., Kevin Collier, Four States Warn Unemployment Benefits Applicants About Data Leaks, NBC
NEWS (May 21, 2020, 5:01 PM), https://www.nbcnews.com/tech/security/four-states-warn-unemployment-
benefits-applicants-about-data-leaks-n1212431 (highlighting how states might have exposed their own residents
to identity theft “in their rush to set up websites to provide emergency benefits during the pandemic”).
show cybercrime has many vic-
tims. In 2019, an academic study found “about half of all property crime, by
volume and by value, is now online.”
13
More than 2 billion data breaches were
reported in 2018, versus 862 million in 2017.
14
See Ingrid Then-Guiraut, Average Cost of Cyber Crime Is Now $13 Million, IT GOVERNANCE USA BLOG
(Mar. 20, 2019), https://www.itgovernanceusa.com/blog/average-cost-of-cyber-crime-is-now-13-million.
Worldwide, cybercrime costs were
estimated to exceed $8 trillion in 2022 and are expected to exceed $20 trillion by
7. See Joseph M. Olivenbaum, Ctrl-Alt-Del: Rethinking Federal Computer Crime Legislation, 27 SETON
HALL L. REV. 574–75 n.4 (1997) (arguing the dual system of prosecution renders statistics suspect).
8.
9.
10.
11.
12.
13. Ross Anderson et al., Measuring the Changing Cost of Cybercrime, THE 18TH ANN. WORKSHOP ON ECON.
OF INFO. SEC. (July 9, 2019), at 1.
14.
2025] COMPUTER CRIMES 443
