Appendix C

Cybercrime Offenses Defined in Current Systems and Law

CYBERCRIME OFFENSES DEFINED IN FEDERAL AND STATE LAW

Federal Law

“Cybercrime” was not formally defined in federal law until the cybercrime provisions in the Violence Against Women Act Reauthorization Act of 2022, which set forth a two-pronged definition. In that act, “cybercrime against individuals” is defined as “a criminal offense [. . .] that involves the use of a computer to harass, threaten, stalk, extort, coerce, cause fear to, or intimidate an individual.” The definition also includes nonconsensual pornography, commonly known as revenge porn, which is an offense to “without consent distribute intimate images of an adult, except that use of a computer need not be an element of such an offense” (136 Stat. 945).

Of course, cybercrime-related concepts were defined in federal law prior to 2022, just under different terminology. Wire fraud was likely the earliest instance of a crime being defined by the technical means of communications technology used in its perpetration. Several other computer-based crimes were added by the Computer Fraud and Abuse Act (CFAA) in 1984 and 1986, initially and famously sparked by reactions to the 1983 film WarGames (Berris, 2023; Kaplan, 2016).

A concise summary of key cybercrime offenses defined under federal law follows:

• Wire fraud (18 U.S.C. § 1343): “Fraud by wire, radio, or television” was originally defined in statute in 1952 (66 Stat. 722) as “having

• devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of interstate wire, radio, or television communication, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice.” This was amended in 1956 to read “transmitted by means of wire, radio, or television communication in interstate or foreign commerce” (70 Stat. 523).
• Fraud and related activity in connection with computers (CFAA; 18 U.S.C. § 1030): The first three offenses under this heading were included in the original CFAA language in 1984 (P.L. 98-473; 98 Stat. 2190), with the others added during substantial revision in 1986 (100 Stat. 1213) and later amendments.
  • — Cyberespionage, or unauthorized access via computer to national security information: Amended in 1996 to include sharing (i.e., communicating, delivering, or transmitting) or unauthorized retention of such information
  • — Unauthorized access to and obtaining of certain information via computer: The original 1984 language references “information contained in a financial record of a financial institution [or] contained in a file of a consumer reporting agency on a consumer”; subsequent amendments added “information from any department or agency of the United States” and “information from any protected computer”
  • — Government computer trespassing, or unauthorized access to U.S. federal government computer resources: The original 1984 language included “knowingly uses, modifies, destroys, or discloses information” in federal government computers as an element of the offense, but this detail was subsequently removed
  • — Computer fraud, or unauthorized access to a computer with the intent to commit fraud, resulting in the obtaining of anything of value, “unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”
  • — Computer damage, including the introduction of malware: Specifically, the legal text refers to the “transmission of a program, information, code, or command” that causes damage; offense also includes reckless or unintentional damage to computers done through intentional unauthorized access short of the introduction of malicious code
  • — Trafficking in passwords or other mechanisms for unauthorized access to U.S. federal government computers, with the

• • 
    restriction that “such trafficking affects interstate or foreign commerce”
  • — Extortionate threats to damage computers or disclose information obtained through unauthorized access, provided that the threats are made in the line of “interstate or foreign commerce” (e.g., via the internet). Among the types of threats covered by the section are a “demand or request for money or [an]other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion”; interpreting the placement of encryption locks on computer files as “damage,” this clause has been used to prosecute federal ransomware cases (Berris, 2023, pp. 24–25)

  Attempt to commit these offenses and conspiracy to commit these offenses are both considered offenses under the CFAA. Generally, the act applies to offenses involving “protected computers,” defined as computers used by the U.S. federal government or financial institutions, used in part of a voting system for federal elections, or used in interstate or foreign commerce—the latter clause of which has commonly been interpreted by the courts as including “any computer connected to the internet” (Berris, 2023, p. 6).

• Cyberstalking (18 U.S.C. § 2261A(2)): “[U]ses the mail, any interactive computer service or electronic communication service or electronic communication system of interstate commerce, or any other facility of interstate or foreign commerce to engage in a course of conduct that [places] that person in reasonable fear of the death of or serious bodily injury to [that person or an immediate family member, spouse/intimate partner, or pet/service animal/emotional support animal/horse of that person],” or that “causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress” to any of those parties. This course of conduct is done “with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person.” Original interstate stalking language of § 2261A became law in 1996; the cyberstalking provisions were introduced in 2006 (119 Stat. 2987; part of Violence Against Women and Department of Justice Reauthorization Act of 2005) and amended in 2013 (127 Stat. 78; part of the Violence Against Women Act Reauthorization Act of 2013).
• Identity theft (18 U.S.C. § 1028(a)(7)): “[K]nowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any

• applicable State or local law.” Section 1028(c) includes “the transfer of a document by electronic means” as a triggering circumstance. This language was added by the Identity Theft and Assumption Deterrence Act of 1998 (P.L. 105-318; 112 Stat. 3007). In 2004, the Identity Theft Penalty Enhancement Act (P.L. 108-275, 118 Stat. 831) defined “aggravated identity theft” as “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person […] during and in relation to” a specified set of federal felony violations (e.g., false statements in acquiring a firearm and identity theft in connection with nationality and citizenship).

In addition, some specific categories of offenses defined in federal law may be said to include a cyber or computer component to them. For instance, the chapter of federal statute defining fraud and related offenses includes several variants that have a distinct cyber component to them, including 18 U.S.C. § 1029 and § 1037 concerning access device fraud (i.e., automated teller machine cards) and multiple deceptive email messages, respectively.

As noted in Chapter 1, it is beyond the panel’s scope to discuss the adequacy or coverage of federal or state cybercrime law. But it is relevant and worth observing that key words in definitions are periodically the focus of legal challenges. For instance, it remains to be seen whether or how Congress will react to a recent challenge to the federal CFAA’s underlying “(un)authorized access” definition. In Van Buren v. United States (2021), the U.S. Supreme Court reversed the conviction of a police officer under the terms of the CFAA. The officer, who had credentialed access to license plate databases, ran a search on a particular license plate in return for money. A divided Supreme Court ruled that the strict letter of the CFAA—defining “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter” (18 U.S.C. § 1030(e) (6))—does not cover purpose-based violations, the misuse of information to which a database user is otherwise permitted to access. That is, the officer may have violated departmental policy in running a search on a law enforcement database for non-law-enforcement purposes but not the federal CFAA—a result that may be consequential in other data-related suits.

State Law

Though exact nomenclature and detail varies greatly across the states, a 2022 canvass by the National Conference of State Legislatures (2022) found that all 50 states have some form of computer crime statute in their penal

or criminal codes—Colorado seemingly being unique among the states in explicitly labeling the base offense as “cybercrime” (having switched from “computer crime” in 2018; C.R.S.A. § 18-5.5-102 [West]). The core computer crime typically involves one or more basic elements from the federal CFAA, criminalizing unauthorized access and computer trespass as well as more direct hacking/computer tampering (see also Brinton et al., 2023). The National Conference of State Legislatures, (2022) summary observed that at least 26 states explicitly reference denial-of-service attacks in their statutes, 12 states explicitly reference ransomware/computer extortion, and 23 states explicitly address phishing or social engineering.

EVOLUTION OF THE HANDLING OF CYBERCRIME AND COMPUTER CRIME IN REVISIONS OF NATIONAL INCIDENT-BASED REPORTING SYSTEM MANUALS

Original “NIBRS Edition” Uniform Crime Reporting Manual, 1992

• “Offender(s) Suspected of Using Computer Equipment” as part of original data specification: The data element for Offender(s) Suspected of Using has been part of the National Incident-Based Reporting System (NIBRS) since the system’s inception. In the original handbook, it is described as “indicat[ing] whether any of the offenders in the incident were suspected of consuming alcohol or using drugs/narcotics during or shortly before the incident; or of using a computer, computer terminal, or other computer equipment to perpetrate the crime.” Any or all of the categories—A (Alcohol), C (Computer Equipment), or D (Drugs/Narcotics)—could be coded for the incident. Moreover, the use of computer equipment played into one example illustrating the data element’s use: “Example (4): A computer ‘hacker’ used his personal computer and a telephone modem to gain access to the company’s computer and steal proprietary data. ‘Computer Equipment’ should be reported” (Federal Bureau of Investigation, 1992, p. 38).
• Guidance to code computer crime offenses using other defined offenses: In the handbook’s Offense Lookup Table, the guidance for “Computer Crime” is to “classify same as substantive offense, e.g., Larceny-Theft; Embezzlement.” There is no mention of ticking the Offender(s) Suspected of Using data element in those offenses (Federal Bureau of Investigation, 1992, p. 77).
• Used to illustrate series/continuing activity nature of some offenses: One example raised relative to deciding how many incidents to count reads as follows: “Over a period of 18 months, a computer programmer working for a bank manipulated the

• bank’s computer and systematically embezzled $70,000. The continuing criminal activity constituted a single ‘incident’ involving the crime of embezzlement” (Federal Bureau of Investigation, 1992, p. 28).

NIBRS User Manual Version 1.0, 2013

• “Capturing Computer Crime” advanced as major benefit of NIBRS participation: Appendix material arguing for the benefits to local law enforcement of fully participating in the NIBRS included the following entry: “To combat the growing problem of computer crime (i.e., crimes directed at and perpetrated through the use of computers and related equipment), the NIBRS provides the capability to indicate whether a computer was the object of the reported crime and to indicate whether the offenders used computer equipment to perpetrate a crime” (Federal Bureau of Investigation, 2013a, p. 141).
• Offender Suspected of Using data element retained: Now numbered as Data Element 8, the Offender Suspected of Using item in the 2013 manual contained an identical short definition and response codes as in 1992, save for the addition of an N (Not Applicable) category (Federal Bureau of Investigation, 2013a, p. 71). However, the 2013 version provided no examples for the use of Data Element 8.
• Continued guidance to code computer crime offenses using other defined offenses: In the manual’s Offense Lookup Table, the guidance for “Computer Crime” is to “classify same as substantive offense, e.g., Larceny-Theft, Embezzlement, or Fraud Offenses.” Accordingly, the table notes that the proper offense code “depends on circumstances” and could deem the computer crime either a Group A or Group B offense (Federal Bureau of Investigation, 2013a, p. 47).
• Definition of Wire Fraud expanded to include computer fraud: The 2013 iteration of the handbook retained the base definition of Wire Fraud from 1992—“the use of an electric or electronic communications facility to intentionally transmit a false and/or deceptive message in furtherance of a fraudulent activity.” It limited the applicability of Wire Fraud to those cases in which “telephone, teletype, micro-relay facilities, etc., are used in the commission or furtherance of a fraud” (Federal Bureau of Investigation, 1992, p. 16). However, the 2013 manual expanded Wire Fraud to include a broader array of communication technologies—cases where “telephone, teletype, computers, e-mail, text messages, etc., are used in the commission or furtherance of a fraud.” “For example, if someone uses a computer to order products through a

• fraudulent online auction site and pays for the products but never receives them, LEAs [law enforcement agencies] should classify the incident as” Wire Fraud (Federal Bureau of Investigation, 2013a, p. 28).
• Identity Documents and Identity–Intangible among many new Property Type codes: Identity–Intangible was a first foray into intangible data or information being a property type subject to theft or damage by criminal offenses logged in the NIBRS (Federal Bureau of Investigation, 2013a, p. 96).
• Used to illustrate “same time and place” nature of some offenses: The 2013 manual repeated the 1992 handbook’s example of systematic embezzlement by computer constituting a single incident, save for insertion of the clarifying note that the continuing criminal activity was “against the same victim” (emphasis original) and so constituted a single incident (Federal Bureau of Investigation, 2013a, p. 11).

Version 2.0, 2015

• Addition of Identity Theft and Hacking/Computer Invasion offenses, following their approval by the director of the Federal Bureau of Investigation in April 2014: Identity Theft, defined as “wrongfully obtaining and using another person’s personal data (e.g., name, date of birth, Social Security number, driver’s license number, credit card number),” and Hacking/Computer Invasion, defined as “wrongfully gaining access to another person’s or institution’s computer software, hardware, or networks without authorized permissions or security clearances,” were added as new categories of Fraud Offenses, broadly classified as Offenses Against Property (Federal Bureau of Investigation, 2015, p. 31). Wire Fraud was defined and explained identically to the 2013 manual, preserving the computer-related content.
• Addition of Cyberspace as Location of offense, following the approval of the director of the Federal Bureau of Investigation in fall 2014: Location category 58, Cyberspace, was defined as “a virtual or internet-based network of two or more computers in separate locations which communicate either through wireless or wire connections” (Federal Bureau of Investigation, 2015, p. 84). Four examples underscore the apparent internet focus of the location code rather than general computer involvement (Federal Bureau of Investigation, 2015, pp. 84–85):
  “Police received a phone call from an individual who reported he recently received a letter from a local business informing him that

• the business’ computers were recently hacked from an external source and the customer’s personal information might have been compromised. The individual then reported he noticed someone had opened credit cards and other loans in his name.” In this scenario, the offense would be coded as Identity Theft and the location as Cyberspace because “this crime could not have been committed” in this manner “had the internet not been available.”
  “Police received a phone call from an individual who reported he recently received a letter from the Target Corporation, informing him that the business’ computers were recently stolen and the customer’s personal information may have been compromised. The individual then reported he noticed someone had opened credit cards and other loans in his name.” In this scenario, the offense would still be Identity Theft, but the location would be entered as Department/Discount Store “since this incident is not cyberspace related. The fact the internet exists has nothing to do with the commission of this crime.”
  “Police received a phone call from a business that reported their computers were recently hacked based on information identified by their Information Technology staff. The business reported the hacking/invasion offense appeared to have come from an internet address located in Iran.” Hacking/Computer Invasion would be the offense and Cyberspace the location “because if cyberspace had not been available, this crime could not have been committed.”
  “Police received a phone call from a business that stated an employee had used his computer to download and steal trade secret information from the company. The company stated the individual did not have access to the information and fraudulently accessed the folders where the information was located.” Hacking/Computer Invasion would be the offense, but Commercial/Office Building would be the location type because, “even though a computer was used to steal the information, the subject used an internal system and could have directly accessed the information without utilizing the internet.”
• Data Element 8, Offender Suspected of Using, defined and described identically as in Version 1.0, including the omission of any examples (Federal Bureau of Investigation, 2015, p. 76).

Version 2019.2, 2020, and Subsequent Revisions

• Revision of Data Element 8 (Offender Suspected of Using) to focus on handheld devices: The February 2017 Uniform Crime Reporting Program Quarterly bulletin announced a new policy to

• collect information on vehicular/vessel negligent manslaughter and negligent assault offenses—that is, deaths and injuries caused by under-the-influence or distracted drivers—which would require the “modification of Data Element 8 (Offender Suspected of Using) to include ‘handheld devices’ with Computer Equipment” (Criminal Justice Information Services Division, 2017). The revision logs in versions of the NIBRS User Manual beginning in 2020 suggest that the change completed the approval process and went into effect on January 1, 2019 (Federal Bureau of Investigation, 2020, p. ii). In the manual, the name and general definition of Data Element 8 are kept the same (“suspected of […] using computer equipment to perpetrate the crime”), but the valid data value is revised to “C = Computer Equipment (Handheld Devices)”—suggesting not just the inclusion of cell/smartphones as a type of computer equipment but an exclusive restriction to handheld devices. This impression is reinforced by the manual’s provision of only two examples for application of Data Element 8, both of which address vehicular negligent manslaughter cases. In one, “the officer obtained the phone records of the driver and found a series of texts were sent and received immediately prior to the accident,” so the guidance is to code “C = Computer Equipment (Handheld Devices).” In the other, the death occurs after a driver tries to evade a traffic stop for speeding, but the driver is not observed using a cell phone, hence the guidance to code N for Not Applicable (Federal Bureau of Investigation, 2020, pp. 77–78). More recent revisions of the manual have included the same language and examples (e.g., Federal Bureau of Investigation, 2023b).

This page intentionally left blank.