Federal Statutes

There are many federal statutes in the USA that can be used to prosecute computer criminals:

(a) Whoever--
(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;

shall be punished as provided in subsection (c) of this section.
(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this section is--
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(2)(A) a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(C), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and [FN1]
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), if--
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000; [FN2]
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), (a)(5)(C), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and [FN3]
(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
(2) the term "protected computer" means a computer--
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication;
(3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
(4) the term "financial institution" means--
(A) an institution with deposits insured by the Federal Deposit Insurance Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union Administration;
(D) a member of the Federal home loan bank system and any home loan bank;
(E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
(F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
(G) the Securities Investor Protection Corporation;
(H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and
(I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act. [FN4]
(5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;
(6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
(7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5; and [FN5]
(8) the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that--
(A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
(B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;
(C) causes physical injury to any person; or
(D) threatens public health or safety; and
(9) the term "government entity" includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country.
(f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in subsection (e)(8)(A) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.
(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under subsection (a)(5).

(a) Offense.--Except as provided in subsection (c) of this section whoever--
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.
(b) Punishment.--The punishment for an offense under subsection (a) of this section is--
(1) if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain--
(A) a fine under this title or imprisonment for not more than one year, or both, in the case of a first offense under this subparagraph; and
(B) a fine under this title or imprisonment for not more than two years, or both, for any subsequent offense under this subparagraph; and
(2) a fine under this title or imprisonment for not more than six months, or both, in any other case.
(c) Exceptions.--Subsection (a) of this section does not apply with respect to conduct authorized--
(1) by the person or entity providing a wire or electronic communications service;
(2) by a user of that service with respect to a communication of or intended for that user; or
(3) in section 2703, 2704 or 2518 of this title.

State Statutes

California, Minnesota, and Maine are among the few states to explicitly prohibit release of a computer virus or other rogue program.


California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8) refer to viruses specifically.  The rest of 502(c) delineates computer crimes punishable in California:

502.  (a) It is the intent of the Legislature in enacting this
section to expand the degree of protection afforded to individuals,
businesses, and governmental agencies from tampering, interference,
damage, and unauthorized access to lawfully created computer data and
computer systems.  The Legislature finds and declares that the
proliferation of computer technology has resulted in a concomitant
proliferation of computer crime and other forms of unauthorized
access to computers, computer systems, and computer data.
   The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers,
computer systems, and computer data is vital to the protection of the
privacy of individuals as well as to the well-being of financial
institutions, business concerns, governmental agencies, and others
within this state that lawfully utilize those computers, computer
systems, and data.
   (b) For the purposes of this section, the following terms have the
following meanings:
(10) "Computer contaminant" means any set of computer instructions
that are designed to modify, damage, destroy, record, or transmit
information within a computer, computer system, or computer network
without the intent or permission of the owner of the information.
They include, but are not limited to, a group of computer
instructions commonly called viruses or worms, that are
self-replicating or self-propagating and are designed to contaminate
other computer programs or computer data, consume computer resources,
modify, destroy, record, or transmit data, or in some other fashion
usurp the normal operation of the computer, computer system, or
computer network.
 
   (c) Except as provided in subdivision (h), any person who commits
any of the following acts is guilty of a public offense:
   (1) Knowingly accesses and without permission alters, damages,
deletes, destroys, or otherwise uses any data, computer, computer
system, or computer network in order to either (A) devise or execute
any scheme or artifice to defraud, deceive, or extort, or (B)
wrongfully control or obtain money, property, or data.
   (2) Knowingly accesses and without permission takes, copies, or
makes use of any data from a computer, computer system, or computer
network, or takes or copies any supporting documentation, whether
existing or residing internal or external to a computer, computer
system, or computer network.
   (3) Knowingly and without permission uses or causes to be used
computer services.
   (4) Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software, or
computer programs which reside or exist internal or external to a
computer, computer system, or computer network.
   (5) Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the denial of
computer services to an authorized user of a computer, computer
system, or computer network.
   (6) Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system, or
computer network in violation of this section.
   (7) Knowingly and without permission accesses or causes to be
accessed any computer, computer system, or computer network.
   (8) Knowingly introduces any computer contaminant into any
computer, computer system, or computer network.
   (9) Knowingly and without permission uses the Internet domain name
of another individual, corporation, or entity in connection with the
sending of one or more electronic mail messages, and thereby damages
or causes damage to a computer, computer system, or computer
network.
   
   

  

California also provides for the forfeiture of computer systems used in the commission of a computer crime. If the defendant is a minor, the parents' computer system can be forfeited.
California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1)

(g) Any computer, computer system, computer network, or any
software or data, owned by the defendant, that is used during the
commission of any public offense described in subdivision (c) or any
computer, owned by the defendant, which is used as a repository for
the storage of software or data illegally obtained in violation of
subdivision (c) shall be subject to forfeiture, as specified in
Section 502.01.
   502.01.  (a) As used in this section:
   (1) "Property subject to forfeiture" means any property of the
defendant that is illegal telecommunications equipment as defined in
subdivision (g) of Section 502.8, or a computer, computer system, or
computer network, and any software or data residing thereon, if the
telecommunications device, computer, computer system, or computer
network was used in committing a violation of, or conspiracy to
commit a violation of, Section 422, 470, 470a, 472, 475, 476, 480,
483.5, 484g, or subdivision (a), (b), or (d) of Section 484e,
subdivision (a) of Section 484f, subdivision (b) or (c) of Section
484i, subdivision (c) of Section 502, or Section 502.7, 502.8, 529,
529a, or 530.5, 537e, 593d, 593e, or 646.9, or was used as a
repository for the storage of software or data obtained in violation
of those provisions.  Forfeiture shall not be available for any
property used solely in the commission of an infraction.  If the
defendant is a minor, it also includes property of the parent or
guardian of the defendant.

  

Cases

 

There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992):

Defendant was convicted in the Superior Court, Orange County, No. C-73352, Donald A. McCartin, J., of illegal computer access, grand theft by false pretenses, and unlawful use or manufacture of driver's license. Defendant appealed. The Court of Appeal, Sills, P.J., held that: (1) evidence supported conviction for grand theft by false pretense that defendant could legally clear up credit history of prospective borrower; (2) defendant's implied false pretense that he could legally clear up credit history was adequately corroborated; and (3) deliberately entering false information into credit bureaus' confidential files with knowledge that false names and numbers would result in bureaus' subscribers extending credit to individuals that they would otherwise refuse was the kind of manipulation of computer data files that was to be prohibited by statute against intentionally gaining access to computer system for devising or executing scheme or artifice to defraud or obtaining services with false or fraudulent intent.
Affirmed in part and reversed in part.

 

There is a reported case under Wisconsin state law for inserting a logic bomb into custom software. State v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994):

Defendant was convicted in the Circuit Court, Waukesha County, Marianne E. Becker, J., of felony destruction of computer data under Wisconsin Computer Crimes Act (WCCA), and he appealed. The Court of Appeals, Anderson, P.J., held that: (1) defendant did not have copyright under Federal Copyright Act in data that was incorporated into and arranged by the specialized programs that he developed for his employer; (2) applying WCCA to defendant who destroyed data in programs he developed for his employer did not amount to unconstitutional impairment of contract; (3) prosecuting defendant under WCCA did not amount to involuntary servitude in violation of United States and Wisconsin Constitutions; and (4) WCCA was not void for vagueness.
Affirmed.

 

In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts airport for six hours, which disabled the air-traffic control system and other critical services. This same hacker also copied patients' records from a computer in a pharmacy on four separate occasions in January, February, and March 1997. This hacker was the first juvenile to be prosecuted by the U.S. Government for computer crime.  The U.S. DOJ posted this press release on March 18, 1998:

JUVENILE COMPUTER HACKER CUTS OFF FAA TOWER AT REGIONAL AIRPORT -- FIRST FEDERAL CHARGES BROUGHT AGAINST A JUVENILE FOR COMPUTER CRIME

BOSTON, MA ... Federal criminal charges were unsealed today against a computer hacker who disabled a key telephone company computer servicing the Worcester airport. As a result of a series of commands sent from the hacker's personal computer, vital services to the FAA control tower were disabled for six hours in March of 1997. In the course of his hacking, the defendant also electronically broke into a pharmacy computer and copied patient records.

The charges announced today by United States Attorney Donald K. Stern and Acting Special Agent in Charge Michael T. Johnston of the U.S. Secret Service are the first ever to have been brought against a juvenile by the federal government for commission of a computer crime. In accordance with federal law, the juvenile was not publicly named.

U.S. Attorney Stern stated: "Computer and telephone networks are at the heart of vital services provided by the government and private industry, and our critical infrastructure. They are not toys for the entertainment of teenagers. Hacking a computer or telephone network can create a tremendous risk to the public and we will prosecute juvenile hackers in appropriate cases, such as this one."

The criminal charges contained in the Information allege that the computer hacker temporarily disabled Next Generation Digital Loop Carrier systems ("loop carrier systems") operated by NYNEX (later purchased by Bell Atlantic Telephone Company) at the Worcester Airport and in the community of Rutland, Massachusetts. Loop carrier systems are programmable remote computers used to integrate voice and data communications originating on a large number of standard, copper-wire telephone lines for efficient transmission over a single, sophisticated fiber-optic cable.

In many respects, a loop carrier system serves the same function as a circuit breaker box in a home or an apartment. Individual electric wires do not run from each plug or light in a home or apartment to the electric company. Rather, the myriad of plugs and lights are connected to a circuit breaker box in a corner of the home or apartment, to which the electric company attaches a single, efficient cable. If the circuit breaker box is disabled, however, none of the lights and outlets in the house can function. Loop carrier systems are used by telephone companies to integrate service provided over hundreds of telephone lines for digital transmission over a single, high capacity fiber-optic cable to a central office.

"Just as disabling a circuit breaker box blacks out an entire house, so disabling a loop carrier system cuts off all communications with the telephone lines it services," explained U.S. Attorney Stern.

The Information alleges that the loop carrier systems operated by the telephone company were accessible from a personal computer's modem. This accessibility was maintained so that telephone company technicians could change and repair the service provided to customers by these loop carrier systems quickly and efficiently from remote computers.

The juvenile computer hacker identified the telephone numbers of the modems connected to the loop carrier systems operated by the telephone company providing service to the Worcester Airport and the community of Rutland, Massachusetts. On March 10, 1997 he accessed and disabled both in sequence.

Acting Special Agent in Charge Johnston stated, "This case, with the associated national security ramifications, is one of the most significant computer fraud investigations conducted by the U.S. Secret Service."

At approximately 9:00 a.m., the juvenile computer hacker intentionally, and without authorization, accessed the loop carrier system servicing the Worcester Airport. He then sent a series of computer commands to it that altered and impaired the integrity of data on which the system relied, thereby disabling it. Public health and safety were threatened by the outage which resulted in the loss of telephone service, until approximately 3:30 p.m., to the Federal Aviation Administration Tower at the Worcester Airport, to the Worcester Airport Fire Department and to other related concerns such as airport security, the weather service, and various private airfreight companies. Further, as a result of the outage, both the main radio transmitter, which is connected to the tower by the loop carrier system, and a circuit which enables aircraft to send an electric signal to activate the runway lights on approach were not operational for this same period of time.

Later on the same day, at approximately 3:30 p.m., the juvenile computer hacker intentionally, and without authorization, accessed the loop carrier system servicing customers in and around Rutland, Massachusetts. Once again, he sent a series of computer commands to the digital loop carrier that altered and impaired the integrity of data on which the system relied, thereby disabling it. The second outage disrupted telephone service throughout the Rutland area, causing financial damage as well as threatening public health and safety as a result of the loss of telephone service. During this attack, the juvenile computer hacker changed the system identification to "Jester".

U.S. Attorney Stern commended Bell Atlantic, which brought the situation to the attention of the Secret Service and his office after it determined that the security of its network had been breached. Stern said: "Technology is never going to create perfect security. As a result of Bell Atlantic's quick reaction and invaluable assistance, the Secret Service was able to identify a vulnerability that affected not only the two telephone company computers hacked in this case, but hundreds of identical computers used by Bell Atlantic around New England and thousands used by telephone companies around the country. Our critical infrastructure is safer because of Bell Atlantic's intolerance of the intrusions it discovered into its network."

Acting Special Agent in Charge Johnston added, "The success of this investigation, as well as previous and other on-going investigations, demonstrates the cooperation that has developed between law enforcement agencies and private industry in the suppression of electronic crimes. The U.S. Secret Service would like to recognize the invaluable assistance provided by the Bell Atlantic Corporation."

The Information also alleges that, in a separate computer intrusion, the juvenile computer hacker used his personal computer and modem to break into the pharmacist's computer in a Worcester area branch of a major pharmacy chain. The pharmacist's computer was accessible by modem after hours when the pharmacy was closed. This accessibility was maintained so that the pharmacy chain could periodically transfer information from the pharmacist's local computer to a centralized computer operated by the chain in the course of its business.

The juvenile computer hacker identified the telephone number associated with the modem servicing the pharmacist's computer in the Worcester pharmacy. On four occasions in January, February and March of 1997, the juvenile computer hacker used his personal computer modem to break into the Worcester pharmacy computer. On each of these days he instructed the Worcester pharmacy computer to transmit to his personal computer files containing all of the prescriptions filled by the pharmacy during the previous week, detailing them by customer name, address, telephone number and prescription medicine supplied.

"While he could not alter the prescriptions and we found no evidence that he disseminated the information, this constituted a serious invasion of privacy," said Stern.

Pursuant to a plea agreement, the juvenile will receive two years' probation, during which he may not possess or use a modem or other means of remotely accessing a computer or computer network directly or indirectly, must pay restitution to the telephone company and complete 250 hours of community service. In addition, he has been required to forfeit all of the computer equipment used during his criminal activity.

Addressing the decisions to prosecute and reach a plea agreement, Stern stated: "This case reflects our intention to prosecute in federal court anyone, including a teenager, who commits a serious computer crime. The plea agreement is a balanced effort, weighing the seriousness of this juvenile's computer intrusions and his lack of malevolence. As with a driver's license, the freedom to explore with a computer and modem comes with the obligation to act responsibly and respect the law."

The case was investigated by the U.S. Secret Service with the cooperation and assistance of Bell Atlantic Telephone Company and the U.S. Postal Inspection Service, Massachusetts State Police, Office of Inspector General of the Social Security Administration, Oxford Police Department, Leicester Police Department and Rutland Police Department. The U.S. Attorney's Office was assisted by Attorney General Scott Harshbarger's Office and Worcester County District Attorney John J. Conte's Office. It is being prosecuted by Assistant U.S. Attorneys Stephen P. Heymann, Deputy Chief of the Criminal Division of the U.S. Attorney's Office and Allison D. Burroughs, of Stern's Economic Crimes Unit.