If you're a frequenter of Null Byte, I bet you have at least some interest in information security. Furthermore, you have a hobby that, if applied in certain ways, will get you arrested. I've received quite a few messages from the community here about federal cybercrime law and how it applies to them, so I decided to get together with my lawyer to come up with some answers.
With the recent actions of Anonymous, the state is taking a strong stance now. As players in the game, you need to understand how this all works so you don't get convicted.
Local laws on the topic vary far too wildly to cover here, but knowing how the U.S. Federal system works should give you a decent guideline on what to expect. We're going to look at the '1030' series of laws that cover what you are likely to face.
The term "protected computer" is a statutory term of art that has nothing to do with the security of the computer. In a nutshell, protected computer covers computers used in or affecting interstate or foreign commerce and computers used by the federal government and financial institutions. Unless otherwise mentioned, to be a federal matter, the target machine must be 'protected'.
I am not a lawyer and nothing here should be interpreted as legal advice or as a substitute for an actual lawyer. I am only presenting my take on the legal system and what to expect. Your mileage may vary with sentencing based on prior convictions or current status. Please check all local laws before engaging in pentesting on machines you do not own. In general, be safe!
If you just rooted your local bank's servers and are paging through files, this one is for you. The crimes established by 18 U.S.C. § 1030(a)(2) punish the unauthorized access of different types of information and computers. Violations of this section are misdemeanors unless aggravating factors exist. Well, what is an aggravating factor, you ask?
- The crime was committed for commercial advantage or private financial gain.
- The crime was committed in furtherance of any criminal act.
- The value of the information obtained exceeds $5,000.
Violate any of the above and you've just turned your misdemeanor into a felony. As you can see, it's not hard to do. If the aggravating factors apply, a violation is punishable by a fine, up to five years' imprisonment, or both.
A violation of this section generally requires that you actually access a computer without or in excess of authorization, rather than merely receive information that was accessed without or in excess of authorization by another. For example, if your friend on Null Byte obtains information in violation of section 1030(a)(2) and forwards it to you, you have not violated this section, even if you knew the source of the information.
18 U.S.C. § 1030(a)(3) protects against "trespasses" by outsiders into federal government computers, even when no information is obtained during such trespasses. Congress limited this section's application to outsiders out of concern that federal employees could become unwittingly subject to prosecution or punished criminally when administrative sanctions were more appropriate.
Note that section 1030(a)(2) applies to many of the same cases in which section 1030(a)(3) above could be charged. In such cases, section 1030(a)(2) may be the preferred charge, because a first offense of section 1030(a)(2) may be charged as a felony if certain aggravating factors are present, while a first offense of section 1030(a)(3) is only a misdemeanor.
So, what can you expect?
Courts view this as a step above 1030(a)(b), and like I mentioned above, they might charge you with this to get the felony conviction. Violations of this section are punishable by a fine and up to one year in prison, states 1030(c)(2)(A), unless the individual has previously been convicted of a section 1030 offense, in which case the maximum punishment increases to ten years in prison.
Yes, ten years.
When deciding how to charge a computer hacking case, prosecutors will consider this subsection as an alternative to subsection 1030(a)(2) when evidence of fraud exists, particularly because offenses under this section are felonies, whereas offenses under subsection 1030(a)(2) are misdemeanors (unless certain aggravating factors apply).
Prosecutors may also consider charges under the wire fraud statute, 18 U.S.C. § 1343, which requires proof of many elements similar to those needed for section 1030(a)(4), but carries stiffer penalties.
The concept to take away from this is how fraud changes the charges. What could have been a one-year bid under 1030(a)(2) will be a MUCH longer felony charge if you are committing any kind of fraud.
Here is the "you deleted all the information on the server" charge.
Hackers can cause damage to computers in a wide variety of ways. For example, an intruder who gains unauthorized access to a computer can send commands that delete files or shut the computer down. Intruders can initiate a "denial of service attack" that floods the victim computer with useless information and prevents legitimate users from accessing it. A virus or worm can use up all of the available communications bandwidth on a corporate network, making it unavailable to employees. When a virus or worm penetrates a computer's security, it can delete files, crash the computer, install malicious software, or do other things that impair the computer's integrity.
Prosecutors can use section 1030(a)(5) to charge all of these different kinds of acts.
Did that paragraph sound vague? That's because it is. The law in 1030(a)(5) is vague and covers a long list of 'attacks' that 'damage' data. Furthermore, like all of the mentioned charges, this is a misdemeanor unless the effect of your compromise:
- Results in loss of $5,000 during 1 year OR
- Modifies medical care of a person OR
- Causes physical injury OR
- Threatens public health or safety OR
- Damages systems used by or for a government entity for administration of justice, national defense, or national security OR
- Affects 10 or more protected computers during 1 year.
Whoops! Now you have a felony!
If the government illegally searches you, your home or your electronic records, the only penalty it's likely to face is exclusion of the evidence illegally obtained in a criminal prosecution of you.
So, they can violate the law with impunity, and still prosecute you, so long as they don't use the bad evidence (or evidence found as a result of the bad evidence) to prove your guilt. And most of the time, they don't even want to prosecute you. They just want your information.
Now you know some of the key charges federal prosecutors love to use. I encourage you to Google around, as this is not an exhaustive list. Be careful and be safe.