The Case for A New Computer Crime Law

As I explained yesterday, the field of cyberlaw has evolved in recent years. Its focus nowadays is mostly on specific areas of law in which the new technologies alter old assumptions. In this post, I want to explain why I think the area of law that will be most changed by the Internet is going to be criminal law, even though criminal law is mostly ignored in today’s classes on cyberlaw.

A quick look through some cyberlaw casebooks confirms that the topics covered in today’s cyberlaw courses are almost entirely civil law topics, not criminal law topics. I think this is true for two reasons. First, the first generation of cyberlaw professors were mostly constitutional theorists and intellectual property professors, rather than criminal law professors. Constitutional theorists like Larry Lessig were interested in constitutional theory generally and used “cyberspace” as a new “place” to test their ideas. IP professors were likely to be techies by nature, and readily made the jump to cyber topics when they arose. The second reason cyberlaw courses focus on civil law topics is that the world of legal academia is mostly concerned with civil law, and there is a pretty sharp divide between the crim law people and the civil law people. Specialists in one don’t often jump over to the other.

As a result of this history, most law professors -- and even most cyberlaw professors – have missed the area of law that is going to be most altered by computers and the Internet: criminal law and criminal procedure. The field of criminal law and procedure is most prone to a rethinking in light of computers and the Internet because it is notably sensitive to the specific means by which individuals engage in legally relevant acts. To paint with a very very broad brush, most areas of civil law are focused on harms, and on victims of the harms recognizing when they are harmed. As a result, the precise means by which A harms B is not nearly as relevant as the fact that A somehow does so. What matters isn’t the precise mechanism so much as the end result.

Criminal law and procedure is different. The rules of criminal law and procedure are particularly sensitive to mechanisms. Substantive criminal laws are statutory prohibitions explaining what individuals cannot do or else face criminal prosecution; under the void for vagueness doctrine, the law must state in reasonably clear terms what is prohibited. The law can’t simply say, “don’t harm B,” or “don’t be negligent.” Rather, the laws are more specific and more rule-like: “Do not enter into B’s dwelling at night without B’s permission,” or “Do not operate a motor vehicle on a public road with a BAC of .08 of over”, etc. The same goes for laws of criminal procedure, which are legal commands that govern police conduct in the course of investigating crime. The law can’t simply say to the police to “investigate nicely,” or “don’t go overboard.” Rather, the rules end up being developed by the courts into often unusually specific commands. They say exactly when the police can enter a person’s home, when they can get a warrant, what the warrant allows the police to do, and the like. Relative to most areas of civil law, the regime of substantive criminal law and procedure has produced clear mechanism-dependent rules.

This has profound significance for the future of criminal law and criminal procedure because computers and the Internet change all of the mechanisms. Traditional criminal law and criminal procedure are designed for a world of physical property. The crimes themselves are tied to physical property: theft is taking away of physical property with intent to permanently deprive; trespass is entrance onto physical property without permission; etc. So are the rules of criminal procedure, and particularly the Fourth Amendment. Entering a home or opening physical containers is a Fourth Amendment “search;” taking away physical property is a “seizure.”

Computers replace the familiar mechanisms with something new. The old crimes remain the same, of course. But there’s a new world that is becoming more and more important over time: a new world of digital crimes and digital evidence. Computers facilitate new types of criminal activity: some of the activity falls into the category of computer misuse crimes, such as hacking and viruses, and the rest of it is traditional criminal activity facilitated by computers, such as fraud schemes, child pornography crimes, and online threats. Even when the crime is a traditional offline offense, like a homicide, there may be digital evidence (e-mails, websurfing records, etc.) that the police may want to collect to prove their case. In the new environment, however, many of the familiar mechanisms used by preexisting law can no longer work. The physical spaces and properties used to define the basic rules of criminal law and procedure are gone, and instead we just have zillions of zeros and ones of electricity.

Coming up with legal rules to define exactly what conduct involving the zillions of zeros and ones is permissible, both as a matter of criminal law and procedure, proves surprisingly difficult. A simple translation of old concepts to the new environment proves much harder than you might think; it triggers a seemingly endless series of new puzzles for the law. To pick just a few basic doctrinal examples, what does it mean to “steal” data? What does it mean to “possess” contraband files? To “search” files? To “damage” them? How about to “seize” them? What rules govern the process of retrieving evidence from computer hard drives? What are the rules that govern government access to e-mail? Are they the same as rules that govern access to homes? Does it matter how the e-mails are obtained? Stepping away from doctrine and looking at a more conceptual level, do the traditional physical concepts “theft” or “search and seizure” even work for digital evidence? Or do we need something else?

As such questions suggest, the new environment of digital evidence ends up creating a new platform for the classic questions of criminal law and procedure where the old answers don’t seem to fit. Existing law is heavily mechanism-dependent, and the mechanisms have changed. The new facts demand new law. As I will explain in my next post, the themes of the new law end up cutting across substantive criminal law and procedure and working together to create a new field of computer crime law.