11 COMPULJ 299
(Cite as: 11 Computer/L.J. 299)
*299 STRAINING THE CAPACITY OF THE LAW: THE IDEA OF COMPUTER CRIME IN THE
AGE OF THE COMPUTER WORM
Brenda Nelson [FNa]
Copyright © 1991 by the Center for Computer/Law; Brenda Nelson
The purpose of this Note is to consider whether traditional justifications for the criminalization of conduct are adequate to encompass new forms of "criminal" behavior arising out of advanced computer technology. Recent acts of Congress have shifted the debate away from arguments about how to categorize the abuse of technology towards a debate about whether there is any justification for subjecting computer hackers to the strictures of the criminal law. In the past, both legal theorists and courts have struggled to apply to "computer crimes," traditional criminal law doctrines used to prosecute theft, burglary, criminal mischief, forgery and other related crimes. The tangibility requirements in most theft laws, for example, have proven to be formidable obstacles to the prosecution of computer-theft when all that is taken is intangible information. [FN1] Similarly, prosecutors of computer crime have had difficulty convicting under traditional larceny statutes, which require a taking with an intent to deprive the owner of possession. With the advent of the Computer Fraud and Abuse Act of 1986, federal prosecutors now have a statute that criminalizes unauthorized access to a federal interest computer whether or not there is resulting damage or loss to the database. [FN2] Thus, the prosecution of computer crime is no longer dependent upon the application of doctrines developed prior to the computer age. But if the Computer Fraud and Abuse Act has put to *300 rest the debate about how to prosecute computer abuse under traditional doctrines, it has also given rise to a chorus of public opposition. The enterprise of tracking down computer hackers and prosecuting them under new criminal statutes has not been well received by many computer users.
Section I of this Note briefly recounts the facts leading to the conviction of computer hacker Robert Tappan Morris in federal district court under the Computer Fraud and Abuse Act. This piece of legislation, and Morris's conviction for introducing a computer "worm" into a national scientific database, are among the most significant recent developments in criminal law in the area of technology abuse. The chief purpose of this section is to describe the reactions of legislators, computer designers and users, and members of the general public who have opposed Morris's trial and conviction. The public debate about whether computer hackers like Morris ought to be tried as criminals sets the stage for the theoretical discussion that follows.
Sections II and III of this Note consider two prominent and competing theories, retribution and utilitarianism, which might justify the punishment of computer hackers as criminals. The thesis of this Note is that both retributive and utilitarian arguments are useful in helping us to understand the conflict that seems to have arisen between two sets of social values: those we seek to protect by means of a criminal justice system and those associated with the basic principles of freedom from interference, freedom of information, freedom of expression and the like. Nonetheless, this Note argues that neither traditional retributive nor utilitarian theory provides a clear justification for the imposition of criminal punishment in the case of the "crime" that Morris committed when he introduced the Internet worm.
Proponents of retribution argue that, regardless of the effects of punishment, society is always justified in imposing criminal sanctions on those who violate the moral order. All retributive arguments in favor of punishment assume that we can define the moral order we seek to protect. The current debate over the appropriateness of Morris's conviction suggests that society is deeply divided as to the content of ethical behavior in the context of technological advancement. Retribution fails to justify the criminal punishment of computer hacking if we are unable to agree that such behavior is morally culpable.
Section III considers the case of Robert Morris in light of utilitarian theories of punishment such as deterrence and reformation. Utilitarianism fails to provide justification for the punishment of computer hackers due to our uncertainties about the relative costs and benefits to society of tighter restrictions on hacking. If we believe that punishment affects behavior (and if we believe that the greatest happiness for the greatest number ought to be the point of our legal system), are we certain *301 what kinds of behavior we want to deter and what kind we want to encourage in order to arrive at utilitarian gain?
The final section of this Note considers the commonly held belief that, in its attempt to accommodate competing demands for order and freedom, criminal law is the most self-restrained of all bodies of legal doctrine. Our system of criminal justice assumes that criminal sanctions are imposed only as the measure of last resort, that is, only in the most pressing circumstances. Here, retributive and utilitarian theories merge to support a policy against the prosecution and conviction of computer hackers.
II. THE COMPUTER FRAUD AND ABUSE ACT AND THE INTERNET WORM
On January 2, 1990, Robert Tappan Morris became the first person convicted by a jury of a felony under the Computer Fraud and Abuse Act of 1986. [FN3] As alleged in his defense, Morris was conducting research on the subject of computer security as a graduate student at Cornell University when he was indicted. Morris admitted releasing a computer worm into Internet, a scientific network that connects an estimated 60,000 academic, corporate and nonclassified military computers nationwide. The Internet worm caused little permanent damage. Nevertheless, affected network subscribers--such as the University of California at Berkeley, NASA, and the U.S. Logistics Command at Wright Air Force Base--estimated the cost of the computer down-time and the labor necessary to diagnose and combat the worm to be between $5 million and $12 million. [FN4]
Morris testified at trial that the Internet worm was never intended to disrupt computer operations. [FN5] A programming error caused the worm to reproduce itself uncontrollably, jamming computers that it should have been able to enter harmlessly. [FN6] Morris's attorney described his client's intended action as a research project aimed at exposing the vulnerabilities of computer security systems. As evidence of Morris's *302 interest in computer security, Morris's lawyers introduced a videotape showing the defendant giving a lecture on the subject at the National Security Agency (NSA) several years earlier. [FN7] At the request of Morris's father, an NSA computer security expert, the NSA allegedly invited Morris to instruct agency officials on methods used by computer hackers to infiltrate protected databases. In the end, however, the videotape of Morris's NSA lecture appears to have been more useful to prosecutors than to Morris's defense. Prosecutors pointed to Morris's expertise as evidence of his disregard for the law and of his willingness to place a crucial information system at risk for the sake of a thrill.
In its indictment, the grand jury charged Morris with intentionally gaining access to a federal-interest computer without authorization, [FN8] preventing access to authorized users, and causing losses of more than $1,000. With Morris's conviction, government prosecutors claimed a victory for the public interest in uninterrupted access to crucial information systems.
In Congress, several bills aimed at amending laws used to fight computer crime were dropped upon receipt of the news that the Computer Fraud and Abuse Act--which does not mention computer worms or viruses--had been adequate to convict Morris. [FN9] Legislators who supported the movement to develop a federal statute were clearly relieved that the 1986 Act proved effective in the Morris case despite the fact that it was drafted prior to the innovation of the computer worm, and thus, without Morris's particular crime in mind.
If legislators who supported the Computer Fraud and Abuse Act were pleased with the guilty verdict in Morris's case, federal prosecutors were clearly disappointed when Morris was given probation and fined $10,000 rather than being sentenced to jail. Under the Act, Morris could have been sentenced to five years in federal prison and fined $250,000. However, the computer industry and the general public have *303 shown little support for the federal government's interpretation of the Computer Fraud and Abuse Act as imposing criminal sanctions on computer hackers like Morris. [FN10] In an "electronic discussion" among computer experts organized by Harper's Magazine, one computer software designer and former hacker argued that Morris's prosecution constituted unjustifiable government intervention in a matter of private behavior. Computer hacking, the former hacker argued, is a right of passage in a computer age and an example of youthful over-indulgence that serves a social purpose. [FN11] Several of the industry's most prominent innovators (e.g., Mitch Kapor, designer of Lotus 1-2-3 and Steve Wozniak, co- founder of Apple Computer) have taken this argument a step further, alleging that hacking is essential to innovation and the development of new technology. [FN12] Other industry experts have expressed fears that the publicity generated by the prosecution of computer hacking will result in a massive effort to tighten computer security. This will result in an interference in the free flow of information. [FN13] Constitutional experts have wondered whether the Morris case raises issues of freedom of information and freedom of expression. [FN14]
Legal theorists have also questioned whether legal precedent exists for punishing an act more severely merely because it involves a computer. A tough new hacker measure recently proposed in England was met with the objection that gaining access to a database without authorization is most like a trespass, which ordinarily subjects the hacker to civil, rather than criminal, liability. [FN15] From the point of view of some commentators, the consequences of a breakdown in crucial information systems--such as those used by hospitals and the military--are so potentially devastating that Congress, in passing the Computer Fraud and Abuse Act, has simply determined that traditional categories of criminal law must be stretched. Of course, with only one jury conviction *304 under the Act, we cannot know whether the courts are likely to comply with such a move. We do not know whether Robert Morris's conviction is likely to withstand an appeal or whether other jurisdictions will follow the district court in Morris. If we believe that the ultimate sources of the law are social needs and social values, then we may believe that the public controversy spawned by Morris is a good indication of the future of criminal law with respect to computer crime. [FN16] Why are creators and users of computer technology themselves so troubled by the idea of "computer crime?"
The remaining sections of this Note propose a theoretical context for the public debate over the criminalization of computer hacking. Ultimately, neither of the traditional arguments for criminal punishment--retribution and utilitarianism--provide a justification for criminal punishment of hackers. The retributive view is that punishment is justified only in response to a violation of the moral order; punishment is justified by the desert of the offender. But the current debate over the appropriateness of Morris's conviction reveals that those who favor and those who oppose the criminalization of computer hacking disagree on the ethical values at stake. Given our indecision as to the content of ethical behavior in the context of computer "abuse," retribution is unavailable as a justification for criminal punishment.
Alternatively, utilitarianism argues that we should punish only when the harm inflicted is outweighed by the good to society as a whole. The current debate over the Morris case reveals no clear indication of what the costs and benefits of criminal sanctions will be, nor is it clear how these factors might weigh in the balance. Given the inapplicability to the Morris case of the traditional arguments in favor of punishment, this Note argues that the public reaction against criminal sanctions for computer hackers, if not expressed in theoretical terms, is intuitively sound. The public reaction against Morris's conviction reflects the expectations of legal experts and non-experts alike that the decision to criminalize will be made with the greatest possible individual freedom in mind.
*305 III. JUSTIFICATIONS FOR THE CRIMINALIZATION OF COMPUTER HACKING:
A. THE TRADITIONAL ARGUMENT IN FAVOR OF PUNISHMENT
The conflict of rights that lies behind the controversy over computer hacking is one example of the continuing challenge that technological innovation is sure to pose for traditional concepts of criminal law. [FN17] Does the problem of what to do about Robert Morris force us to reconsider the traditional classifications of criminal and non-criminal behavior? Did Robert Morris place a strain on the capacity of legal doctrine when he introduced the Internet worm?
Whatever their differences as to what constitutes a "crime," most legal theorists and practitioners seem to agree on one point: since the consequences of criminal liability are potentially severe, the law must act with a clear sense of purpose when it criminalizes behavior. [FN18] In recognition of this principle, criminal defendants are guaranteed certain basic constitutional protections, such as the right to counsel and the right to a jury trial. [FN19]
Most accounts of the fundamental purposes of criminal law begin by distinguishing criminal law from civil law. In a civil suit, the issue before the court is usually how much harm the plaintiff has suffered at the hands of the defendant and what remedies, if any, are appropriate to compensate the victim for her loss. The goal of civil litigation is compensation. By contrast, a criminal case requires the court to determine whether and to what extent the defendant has injured society. The result of a criminal conviction is a sentence designed to punish the defendant for her transgressions. Criminal law seeks to punish, or so the theory goes, because society recognizes that we cannot adequately respond *306 to certain courses of action merely by rendering compensation to the victim.
Of course, once we agree that the fundamental purpose of a criminal justice system is to punish criminals, we are left with the problem of how to state the purposes of punishment. Legal experts have proposed a number of theories. The debate rages on, both in the literature and in the courts, as to which theory of punishment has served as the basis of the law in fact, and which theory ought to shape our decision to criminalize or not to criminalize.
Legal theories about the justification for punishment can be grouped into two main categories: retributionism and utilitarianism. Retribution is an ancient concept. Opponents of the theory have argued that it is an outmoded, even barbaric idea, inappropriate in an enlightened society. [FN20] Speaking for the United States Supreme Court in 1949, Justice Black announced that " r etribution is no longer the dominant objective of the criminal law." [FN21] More recently, however, the Supreme Court has said that retribution is neither "a forbidden objective nor one inconsistent with our respect for the dignity of men." [FN22] Whether they accept the idea of retribution as a justification for punishment, most theorists believe that it remains a significant factor in the allocation of criminal sanctions.
The distinguishing feature of retribution is that "it asks for no further justification of the right to punish than that the offender has committed a wrong." [FN23] The idea is that violators of the law (or, in a broader sense, those who offend morality) merit punishment whether or not punishment can be demonstrated to have any socially desirable effects upon criminals or upon others. The classic, modern statement of the concept of retributive justice is found in Kant, The Philosophy of Law:
Juridical punishment can never be administered merely as a means of promoting another Good either with regard to the Criminal himself or to Civil Society, but must in all cases be imposed only because the individual*307 on whom it is inflicted has committed a Crime ... The Penal Law is a Categorical Imperative; and woe to him who creeps through the serpent- windings of Utilitarianism to discover some advantage that may discharge him from the Justice of punishment, or even from the due measure of it, according to the Pharisaic maxim: "It is better that one man should die than that the whole people should perish." For if Justice and Righteousness perish, human life would no longer have any value in the world. [FN24]
Society avenges itself upon the criminal in order to even the moral score and to protect the moral (as opposed to the social) order. Proponents of retribution have also asserted that the availability of institutionalized revenge is necessary to prevent private retribution, but here the argument takes a utilitarian tack. [FN25]
Ordinarily, theories of retribution are accompanied by two limiting premises that describe the circumstances which justify punishment. First, retribution requires an exercise of free will. The criminal must have chosen to do wrong, otherwise no evil has been committed and no retribution is owed. Second, since retribution is unconcerned with social effects, it cannot justify an infliction of punishment disproportionate to the offense. Retribution demands that the severity of the punishment be proportionate to the gravity of the crime. [FN26]
B. THE CASE OF ROBERT MORRIS IN LIGHT OF THE RETRIBUTIONIST ARGUMENT IN FAVOR
Ordinarily, we reserve our moral arguments for debates about the punishment of more serious crimes such as murder or assault. Thus we might expect to find little opportunity for moral argument either in favor of, or in opposition to, the criminal conviction of Robert Morris for computer hacking. Nonetheless, the influence of a retributive notion of justice is apparent in the framing of the issues in the case, in Morris's theory of defense, in the judge's remarks during sentencing, and in the arguments of those who have reacted unfavorably to the federal government's decision to prosecute.
Clearly, the central point at issue in the case is whether Morris's actions lacked the component of intentional wrongdoing that is required before punishment can be justified on the basis of retribution. As noted *308 above, Morris's defense centered on the contention that he did not intend the program to damage the database or to halt the network. [FN27] As his attorneys argued, if Morris's actions were irresponsible, their results were unintended. The federal district court judge appeared to respond to Morris's lack of intent to do harm when he sentenced Morris to probation instead of prison, noting that the federal sentencing guidelines did not justify a stiffer sentence in the absence of fraud or deceit. [FN28] Judge Munson's efforts to suit the punishment to the crime also reveal the impact of the retributive idea of proportionality.
Given the obvious impact of Morris's lack-of-intent argument on his sentence, we might expect that retribution theory supplies us with terms in which to state a justification for the Computer Fraud and Abuse Act and its application to computer hackers. On the contrary, retribution apparently fails to provide a justification for the criminalization of conduct such as Morris's. This is because retribution requires that we define the moral order that Morris violated when he introduced the worm into Internet. According to the retributive view, crime deserves punishment equivalent in kind to the evil done. But in the case of the Internet worm, what was the evil done? If we accept the retributive premise, but cannot describe the moral order that was disturbed by Morris's actions, then there are no retributive arguments that will justify punishment.
As a theory of punishment, retribution actually exists in the literature in the form of two fundamentally different arguments about the sources of morality and the relation between legal and moral systems. One version of retribution assumes the existence of a transcendental moral order that subsumes all particular forms of social contact. In orthodox Judeo-Christian tradition, the transcendental law that requires retribution for crime is divine law. [FN29] By contrast, in Hegel's formulation of the idea of "natural law," men discover within themselves the source of moral authority. [FN30] Contemporary theorist Michael Moore describes a transcendental theory of retribution in Law and Psychiatry:
Retributivism is quite distinct from a view that urges that punishment is justified because a majority of citizens feel that offenders should be punished. Rather, retributivism is a species of objectivism in ethics that asserts that there is such a thing as desert and that the presence of such a (real) moral quality in a person justifies punishment of that person. *309 What a populace may think or feel about vengeance on an offender is one thing; what treatment an offender deserves is another. [FN31]
In contrast to both the Judeo-Christian notion of God and Hegel's theory of rational morality, retribution theory has also taken the form of an argument against transcendentalism in favor of locating morality in cultural practice. Lord Devlin expresses this point of view in The Enforcement of Morals: "What makes a society of any sort is a community of ideas, not only political ideas but also ideas about the way its members should behave and govern their lives; these latter ideas are its morals." [FN32] Let us assume that we believe that the source of morality is in cultural practice. Is it possible to define a consensus as to what is and is not moral behavior in the context of technological innovation and information sharing? The current debate among lawmakers, courts, and computer users and designers over the propriety of the Morris case suggests that there is no consensus as to the content of ethical behavior in the context of computer use and abuse.
We might propose that the unauthorized access of a computer database is immoral because it violates the dignity of those who have labored and produced something of value over which they expect to exercise a certain amount of control. We might also argue that computer hacking is a moral affront to the right to privacy when a database contains personal information (such as a hospital's list of AIDS patients or a credit bureau's file of personal credit histories). [FN33] However, in the wake of Robert Morris's trial, computer industry experts and others have proposed an "alternative ethic" in defense of computer hacking. In its most extreme form, this "alternative ethic" attempts to turn the previous argument about dignity values on its head. According to the "alternative ethic," computer hacking is an expression of a fundamental human impulse. As one hacker describes, " w hen I reemerge into the *310 light of another day with the design on paper--and with the knowledge that if it ever gets built, things will never be the same again--I know I've been where artists go." [FN34] Another defender of computer hacking argues that structures of control over the free flow of information are instances of immoral power relations:
For all its natural sociopathy, the virus is not without philosophical potency.... [O]ne must consider [its] increasingly robust deterrent potential.... The virus could become the necessary instrument of our freedom. At the risk of sounding like some digital posse comitatus, I say: Fear the Government That Fears Your Computer. [FN35]
C. A RETRIBUTIVE ARGUMENT AGAINST THE CRIMINALIZATION OF COMPUTER HACKING
Though less eloquent than Kant, many of those who oppose the criminalization of computer hacking have expressed their opposition in terms that echo Kant's classic anti-utilitarian argument of punishment as a "principle of equality" rather than a means to an end. If we are unable to frame a retributive argument in favor of punishing Robert Morris, Kant may offer us an argument against expansion of the category of criminal behavior to include computer hacking. We can see why objections to Morris's prosecution and conviction are compelling once we frame them in retributive terms. The notion of retribution helps Kant explain how society's right to punish is a limited right: "Judicial Punishment can never be administered merely as a means for promoting another Good...." This is so, says Kant, because when we punish for purposes other than retribution, we violate certain rights of equality and independent action:
[O]ne man ought never to be dealt with merely as a means subservient to the purpose of another.... Against such treatment his Inborn Personality has a Right to protect him.... He must first be found guilty and punishable, before there can be any thought of drawing from his punishment any benefit for himself or his fellow-citizens. [FN36]
For Kant, retribution is the only justification for punishment because to punish otherwise involves the law in a conflict with the innate right to freedom from interference which belongs to every person. [FN37]
Kant's position is that no benefit accruing to either the criminal or society will justify punishment that is not otherwise needed to maintain the moral equilibrium. If we accept this premise, and if we cannot describe the moral order that Robert Morris violated when he introduced *311 the Internet worm, then we cannot use utilitarian grounds to justify the criminal sanctions levied against him. We are barred from arguing, for example, that vital information networks will be made vulnerable if we fail to punish computer hackers when we can catch them. According to Kant's retributive theory of punishment, we limit the instances in which punishment is justifiable to clear cases of moral transgression. Otherwise, we impose upon the inherent right of the individual to be free from such impositions in the absence of guilt. [FN38] When the law imposes punishment as a means to an otherwise legitimate societal goal, it violates "the one sole original, inborn right" to freedom from the compulsory will of another. [FN39]
Kant's argument against punishment in the absence of moral culpability presents problems when applied to the Morris case. One explanation for the current lack of consensus as to what constitutes ethical behavior in the context of technological innovation is simply the newness of the "crime" of computer hacking. Computer hacking is too new a social phenomenon for us to know whether, and to what extent, such behavior violates the ethical norm, or so the argument goes. But does this mean that there should be no crimes based on new technologies? By similar logic, we should then refrain from enacting laws designed to control behavior in the case of genetic engineering, or treatments for infertility, or euthanasia until the technology has been around long enough to inspire an ethical consensus.
A second line-drawing problem is presented by Morris's supporters when they propose an alternative ethic in defense of computer hacking based on the idea of freedom from interference for the hacker. Kant's argument against punishment without guilt is, in essence, an argument in favor of the dignity rights of the individual whose behavior violates no moral order, though it is undesirable for other reasons. We might *312 make a similar argument, however, on behalf of the dignity rights of most criminals.
Clearly, the argument on behalf of dignity values for criminals is more sympathetic where the crime is a non-violent one. We intuit a difference in the severity of the offense between two instances of interference with the project of another: in one instance, I tear down the house that my neighbor constructs, in another I introduce a worm into a database with the result that authorized computer users are delayed or prevented access. Similarly, we intuit a difference between the killer who attacks with a knife and a pharmaceutical manufacturer that irresponsibly markets a product which turns out to have deadly side-effects for some users. Perhaps the difference is that there are no correlative social benefits at stake in the case of the knife attack, whereas most new drugs save lives or improve the quality of life. Perhaps we are less sympathetic to the dignity rights of those who commit violent crimes because we fear an increase in violence more than we fear an increase in computer hacking or securities fraud or copyright infringements. At any rate, even if we limit the argument about dignity rights for criminals to instances of non-violent crime, a formidable line-drawing problem remains. In which cases of non-violent but unlawful behavior should we value the dignity rights of violators over the rights of victims? Are copyright and patent laws infringing unreasonably on the dignity rights of those who would otherwise be free to benefit and to innovate in their own right?
IV. JUSTIFICATIONS FOR THE CRIMINALIZATION OF COMPUTER HACKING: UTILITY
A. THE TRADITIONAL ARGUMENT IN FAVOR OF PUNISHMENT
Utilitarian or instrumentalist theories of punishment such as deterrence, restraint, and reformation are far more important to the development of modern American jurisprudence than retribution. According to utilitarianism, punishment is only justified if the human costs of effecting change are outweighed by the benefits to society in minimizing criminal violations. There are areas of overlap between retributive and instrumentalist theories of punishment. [FN40] Similar to retributionism, utilitarianism is concerned with the inculcation of moral values and the satisfaction of society's need for revenge. The difference is that the retributivist believes that morality and revenge are ends in themselves, whereas the utilitarian holds that the inculcation of moral values is a means of controlling individual behavior with the net result that society is better off.