Computer Crime Law: The New Doctrines

In my last post, I made the conceptual case for a new field of computer crime law. Such abstract arguments aren't enough to create a new field of law, however. Most law school courses cover specific areas of legal doctrine. To establish a new course, it helps to have new statutes, new constitutional questions, and lots of cases interpreting them. You need new issues not covered elsewhere in the law school curriculum. So the question is, what are the areas of doctrinal law taught in a computer crime course?

There are three basic areas, all of which fit together into a coherent whole.

The first area is substantive criminal law, which generally divides into two topics: computer misuse crimes, such as computer hacking and viruses, and traditional crimes committed using computers. Every state and the federal government have enacted computer misuse crimes, new crimes specifically attuned to new types of computer crimes. Most of the statutes prohibit "unauthorized access" to computers, plus a range of other elements. But what does it mean to "access" a computer? And when is access "unauthorized"? Beyond computer misuse crimes, there are also a range of criminal offenses that involve traditional crimes committed in new ways. In some cases, old crimes have largely migrated to the world of computers. For example, there are hundreds of federal cases prosecuted every year involving the possession, receipt, and distribution of child pornography. Almost all of the cases involve computers and digital images. Computerized child pornography raises a number of interesting legal questions, ranging from the meaning of "possession" in the context of a digital file to how the government can prove a defendant's knowledge that an image depicts a real person.

The second major area is criminal procedure, which considers the legal rules that govern the collection of digital evidence. For example, how does the Fourth Amendment apply to retrieving evidence from computers? What does it mean to "search" or "seize" computer data? How does the Fourth Amendment apply to computer networks? In the network context, much of the law is statutory, not constitutional. Students need to master a complex web of Internet surveillance statutes: the Wiretap Act, the Stored Communications Act, and the Pen Register statute. These statutes define the rules that the government must follow when collecting digital evidence in a computer network context, and learning the complex maze of statutes is a major part of understanding the field of computer crime law.

The third area relates to jurisdiction, both in terms of substantive and procedural powers. As a matter of substantive law, are all Internet crimes federal crimes? What powers does the federal government have to regulate local computer crimes, and what powers do state governments have to regulate computer crimes that cross state borders under the dormant Commerce Clause? As a matter of criminal procedure, what powers do state governments have to compel digital evidence from other states, such as from an out of state ISP? What about international computer crimes? When crimes cross international borders, are they substantive crimes in the U.S.? What powers does the federal government have to collect evidence abroad? When must the U.S. cooperate with other governments outside the U.S. in the collection of digital evidence? Looking beyond criminal law, what is the intersection of the regime of criminal law and procedure and foreign intelligence collection, both in terms of the traditional Fourth Amendment rules and FISA's analogs to the trio of criminal Internet surveillance law statutes?

All of these questions work together. The jurisdictional issues are pervasive, and end up pushing different levels of government to perform different tasks. The connection between substantive and procedural computer crime law is intimate; they are often keyed to similar statutory and constitutional principles. Taken together, an understanding of all three areas creates a very powerful base of doctrinal knowledge of the complex set of rules that various governments must follow when investigating and prosecuting illegal conduct involving computers and the Internet.

Finally, my sense is that none of these issues are covered directly in the existing law school curriculum. Criminal law courses are packed with the basic concepts of criminal law, and generally don't touch on computer crimes in any useful way. Criminal procedure courses are focused on Supreme Court cases and constitutional doctrines, rather than complex statutes like the Wiretap Act. And as I understand it, the jurisdictional questions implicated in computer crime cases, including the federal/state line, international law, and the criminal/intelligence line, are generally not considered together elsewhere and in a way focused on criminal law. The net result is a significant opening for a new course in computer crime law.