You are on page 1of 53

VIRGINIA JOURNAL OF LAW & TECHNOLOGY

FALL 2004 UNIVERSITY OF VIRGINIA VOL. 9, NO. 13

Cybercrime Metrics:
Old Wine, New Bottles?
SUSAN W. BRENNER†

ABSTRACT

If we had them, cybercrime metrics could be used to


identify and parse how cybercrime differs from real-world
crime in its commission and in its effects. Metrics are
standards we use to assess the harms resulting from a
category of outlawed conduct. We have metrics for real-
world crime: ad hoc indices we have evolved over centuries
of experience with physically-based crime. But real-world
metrics do not apply to technologically-mediated crime, as
it differs in the methods that are used in its commission and
in the nature and extent of the harms it produces. We need
cybercrime metrics to track the damage it inflicts and to
develop strategies for dealing with it. This article takes the
first step by analyzing cybercrime and identifying the
distinct issues cybercrime metrics need to capture.

© 2004 Virginia Journal of Law & Technology Association, at http://www.vjolt.net. Use paragraph
numbers for pinpoint citations.
† Susan W. Brenner is NCR Distinguished Professor of Law and Technology at the University of
Dayton School of Law. Professor Brenner has spoken at numerous events, including Interpol’s Fourth and
Fifth International Conferences on Cybercrimes, the American Bar Association’s National Cybercrime
Conference, the American Bar Association’s 2003 & 2002 Annual Conferences, the Asia Pacific Fraud
Conference, the International Society for Criminology’s XIII World Congress in Rio de Janeiro, the
National District Attorneys Association’s National Conference, the National Association of Attorneys
General’s cybercrime training program and the Hoover Institution’s Conference on International
Cooperation to Combat Cyber Crime and Terrorism, held at Stanford University. She spoke on cybercrime
legislation at the Ministry of the Interior of the United Arab Emirates, presented a graduate seminar at
CERIAS – Purdue University, spoke at the 2004 Yale Law School Conference on Cybercrime and Digital
Evidence and at the 2004 CTOSE Conference on Cyber Security and Electronic Evidence held in
Edinburgh, Scotland. She served as Chair of the International Efforts Working Group for the American
Bar Association’s Privacy and Computer Crime Committee, serves on the National District Attorneys
Association’s Cybercrimes Committee, is Chair of the National Institute of Justice - Electronic Crime
Partnership Initiative’s Working Group on Law & Policy, and is a participant in the National Institute of
Justice-CCIPS Digital Evidence project.
TABLE OF CONTENTS
I. Introduction................................................................................................................. 1
II. Crime or Cybercrime?................................................................................................. 3
A. Cybercrime? ........................................................................................................ 5
1. Apprehension .............................................................................................. 6
2. Scale ............................................................................................................ 9
3. Evidence.................................................................................................... 11
4. Sum ........................................................................................................... 12
B. Crime/Cybercrime............................................................................................. 12
III. Metrics ...................................................................................................................... 20
A. Crime Metrics ................................................................................................... 20
1. Injury ......................................................................................................... 21
2. Culpability................................................................................................. 27
B. Cybercrime Metrics........................................................................................... 32
1. Individual harm cybercrimes..................................................................... 32
2. Systemic harm cybercrimes ...................................................................... 45
3. Inchoate harm cybercrimes ....................................................................... 49
IV. Conclusion ................................................................................................................ 52

I. INTRODUCTION
Metric . . . a standard of measurement. . . .1

Why have cybercrime metrics? What are cybercrime metrics? Essentially,


¶1
cybercrime metrics – if they existed – would be a way to identify and parse how
cybercrime differs from real-world crime in its commission and in its effects. As one
report explained,
[u]ntil there are accepted measures and benchmarks for the incidence and damage caused
by computer-related crime, it will remain a guess whether we are spending enough
resources to investigate or protect against such crimes. . . . In short, metrics matter.2

¶2 We have never done this,3 even though the term “cybercrime” and its various

1. Merriam-Webster, Merriam-Webster Online Dictionary, “metric,” at http://www.m-w.com/cgi-


bin/dictionary?book=Dictionary&va=metric (last visited Sept. 18, 2004).
2. Edward J. Appel, Preface to Joint Council on Information Age Crime, Computer-Related Crime
Impact: Measuring the Incidence and Cost 2 (Jan. 2004), at http://www.jciac.org/docs/Computer-
Related%20Crime%20Impact%20010904.pdf (last visited Sept. 18, 2004).
3. There have been surveys of the incidence and effects of cybercrime on business. See, e.g., U.S.
Department of Justice – Bureau of Justice Statistics, Cybercrime Against Businesses (2004) (2001 pilot
survey), at http://www.ojp.usdoj.gov/bjs/pub/pdf/cb.pdf (last visited Sept. 18, 2004); Computer Security
Institute, Ninth Annual CSI/FBI Computer Crime and Security Survey (2004), at
http://www.gocsi.com/forms/fbi/pdf.jhtml (last visited Sept. 18, 2004) [hereinafter CSI/FBI Survey];
Australian CERT, 2004 Australian Computer Crime and Security Survey, at http://www.auscert.org.au/
render.html?it=2001&cid=1920 (last visited Sept. 18, 2004); U.S. Department of Justice – Bureau of

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 2

correlates (e.g., “computer crime,” “computer-related crime,” “high-tech crime” and


“information age crime”) have been in use for decades.4 We consequently have no way

Justice Statistics, Prosecutors in State Courts, 2001, at http://www.ojp.usdoj.gov/bjs/pub/pdf/psc01.pdf


(last visited Sept. 18, 2004) [hereinafter Prosecutors in State Courts].
These surveys generally do not differentiate between crime and cybercrime as legal phenomena. The
question used in the Bureau of Criminal Justice Statistics’ 2001 survey of cybercrime against businesses,
for example, asked about the following categories of security threats: embezzlement; fraud theft of
proprietary information; denial of service; vandalism or sabotage (electronic); computer virus, other
intrusion or breach of computer systems, misuse of computers by employees, unlicensed use of copying of
digital products developed for resale, and other. See U.S. Department of Justice - Bureau of Justice
Statistics, 2001 Computer Security Survey 1, at http://www.census.gov/eos/www/css/cssprimary.pdf (last
visited Sept. 18, 2004). The same agency’s survey of cybercrime cases handled by state prosecutors
audited the following issues: credit card fraud, bank card fraud, computer forgery, computer sabotage,
unauthorized access to computer, unauthorized copying or distribution of computer programs,
cyberstalking, theft of intellectual property, transmitting child pornography, and identity theft. See
Prosecutors in State Courts, supra, at 5. The CSI/FBI Computer Crime survey focused on these issues:
virus insider abuse of net access, laptop/mobile theft, unauthorized access to information, system
penetration, denial of service, theft of proprietary information, sabotage, financial fraud, telecom fraud.
CSI/FBI Survey, supra, at 9. As § II infra explains, these categories do not represent increments of a new
type of criminal activity: cybercrime. Instead, they represent the use of computer technology to commit
traditional offenses: crime. Section II infra considers whether the use of computer technology to commit
crimes differs from traditional criminal activity in ways that justify treating it differently for purposes of
legal analysis and/or tracking its incidence and effects. Along these lines, RAND Europe believes:
[t]his analysis of the major survey activities related to computer crime clearly indicates
the need for a set of standardized definitions of the various aspects of such criminal
activities. . . . By structuring collection of data along specific legal definitions of these
criminal phenomena, it would be possible also to undertake comparative analysis. . . .
Finally, harmonization of definitions would assist in assessing the specific financial
impact of individual sets of computer crime.
RAND Europe, Handbook of Legislative Procedures of Computer and Network Misuse in EU Countries
56-57 (2003), at http://europa.eu.int/information_society/eeurope/2005/doc/all_about/
csirt_handbook_v1.pdf (last accessed Sept. 18, 2004); See id. at 46-53 (reviewing computer crime surveys
in the U.S. and elsewhere).
4. The ephemeral nature of digital information makes it difficult to determine when, precisely, the
term “cybercrime” emerged. John Perry Barlow used it in a 1990 article, and does not appear to have taken
credit for coining the term, so it was presumably in general use by then. See John Perry Barlow, A Not
Terribly Brief History of the Electronic Frontier Foundation, EFF.org (Nov. 8, 1990), at
http://www.eff.org/Misc/EFF/history.eff (last accessed Sept. 18, 2004). He also used it in a 1991 article in
a periodical called “Underground Beat.” See Mike Gunderloy & Cari Goldberg Janice, Underground Beat,
Whole Earth Review (Dec. 22, 1991), LEXIS, News, All Library, ALLNWS file.
“Cybercrime” seems to be a neologism for “computer crime,” a term that was being used in the
popular press at least by 1974. See, e.g., New York Times Abstracts (Sept. 8, 1974) (article by W. Thomas
Porter, Jr.), LEXIS, News, All Library, ALLNWS file; New York Times Abstracts (Oct. 6, 1974) (article
by Tom Tugend), LEXIS, News, All Library, ALLNWS file. A 1976 book by Donn Parker, who was at
least one of the first to study cybercrime, referred to the phenomenon as “crime by computer.” See DONN
PARKER, CRIME BY COMPUTER (1976) (reviewed by Robert W. Henkel, Technology’s Child: Automated
Crime, Business Week (June 28, 1976), LEXIS, News, All Library, ALLNWS file). “Information age
crime” was in use by 1982, and “high-tech crime” had appeared by 1985. See Ted Gest with Patricia M.
Schersel, Stealing $200 Billion “The Respectable Way,” U.S. News & World Report (May 20, 1985),
LEXIS, News, All Library, ALLNWS file (“high-tech crime”); Jake Kirchner, Computer Crime Legislation
Resurfaces Briefly, Computerworld (Oct. 4, 1982), LEXIS, News, All Library, ALLNWS file (“information
age crime”).
Legislative and other efforts directed at cybercrime had begun by the mid-1970s. For a review of these
efforts, see Marc D. Goodman & Susan W. Brenner, The Emerging Consensus on Criminal Conduct in

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 3

of identifying what is, and is not, a cybercrime.5 Indeed, we have no basis for
determining whether or not there is cybercrime; that is, whether there really is a class of
unlawful activity that is distinct from crime.6

¶ 3 This article explores the utility and viability of developing cybercrime metrics.
Section II considers whether cybercrime and crime are distinct phenomena, and
concludes they are sufficiently differentiated to warrant an inquiry into the need for
cybercrime metrics. Section III conducts that inquiry; it examines our experience with
crime metrics and extrapolates from that experience to analyze how we might employ
metrics for cybercrime. Finally, Section IV provides a brief conclusion.

II. CRIME OR CYBERCRIME?

Is it a cybercrime for John to meet Mary on the Internet, correspond with her and
¶4
use e-mail to lure her to a meeting where he kills her? News stories often describe
conduct such as this as a cybercrime, or as “Internet murder.”7 But why is this anything
other than murder? We do not, for example, refer to killings orchestrated over the
telephone as “tele-murder” or by snail mail as “mail murder.” 8

Cyberspace, 2002 UCLA J.L. & TECH. 1, 31-53, available at http://www.lawtechjournal.com/articles/


2002/03_020625_goodmanbrenner.pdf (last accessed Sept. 18, 2004). See also Ulrich Sieber, Legal
Aspects of Computer-Related Crime in the Information Society 33 (1998), at
http://europa.eu.int/ISPO/legal/en/comcrime/sieber.doc (last accessed Sept. 18, 2004) (“The history of
‘computer crime’ dates back to the 1960s when first articles on . . . ‘computer crime’ or ‘computer-related
crime’ were published”).
5. See, e.g., Susan W. Brenner, Is There Such a Thing as “Virtual Crime?”, 4 CAL. CRIM. L. REV.
1 ¶¶ 1-13 (2001), at http://www.boalt.org/CCLR/v4/v4brenner.htm (last accessed Sept. 18, 2004)
[hereinafter Brenner, Virtual Crime].
6. This is not unique to cybercrime: popular discourse tends to assume there is a substantive
distinction between crime and terrorism. Doctrinally, though, we tend to treat terrorism as a crime. For
example, a federal grand jury in the Southern District of New York indicted Usama bin Laden and other Al
Qaeda members in the 1998 bombings of the U.S. embassies in Kenya and Tanzania. See United States of
America v. Usama bin Laden, Indictment, No. S(9) 98 Cr. 1023 (S.D.N.Y 1998), at
http://www.terrorismcentral.com/Library/Incidents/USEmbassyKenyaBombing/Indictment/Start.html. See
also Bin Laden, Atef Indicted in U.S. Federal Court for African Bombings, U.S. Dept. of State, at
http://usinfo.state.gov/is/Archive_Index/Bin_Laden_Atef_Indicted_in_U.S._Federal_Court_for_African_B
ombings.html. See, e.g., United States v. Bin Laden, 58 F. Supp.2d 113, 115 (S.D.N.Y. 1999). Bin Laden
and the other defendants were charged with various federal crimes, such as detonating an explosive device
and causing the deaths of persons in violation of 18 U.S.C. § 844 (2004). Several of the defendants in that
case have been tried and convicted of crimes based on their participation in one or more of those bombings.
See, e.g., United States v. Bin Laden, 156 F.Supp.2d 359, 361 (S.D.N.Y. 2001). The same statute was one
of the offenses included in the indictment against Timothy McVeigh, a domestic terrorist. See United
States of America v. Timothy McVeigh, No. Cr. 95-110 (U.S. Dist. Ct. – W.D. Ok.), at
http://www.courttv.com/archive/casefiles/oklahoma/documents/indictment.html. Our failure to distinguish
between crime and terrorism may be the product of factors analogous to those discussed in § II(B) infra.
7. See, e.g., Tania Hershman, Israel’s First “Internet Murder,” Wired News (Jan. 19, 2001),
available at http://www.wired.com/news/politics/0,1283,41300,00.html; Caryl Clarke, Maryland Police
Make Internet Murder Arrest, York Daily Record (Oct. 29, 1996), 1996 WL 11443224.
8 Law has . . . long made it a crime intentionally to cause the death of another human
being. For the most part, contemporary American law defines this generically, as
homicide, rather than differentiating varieties of homicide depending on the method that
is used to cause death. In other words, we do not have method-specific crimes like

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 4

¶5 It seems that this is not a cybercrime, that it is simply a real-world crime the
commission of which happens to involve the use of computer technology. However,
there may be reasons to treat conduct such as this differently and to construe it as
something other than a conventional crime. 9 Those differences become apparent when
we consider another cybercrime: online fraud. Fraud takes many different forms online:
419 scams,10 auction fraud,11 credit card fraud,12 identity theft,13 phishing,14 and
investment fraud15 are the most commonly-encountered varieties of online fraud.16 But
while it takes on new forms online, fraud is fraud; online scams are versions of schemes
that have been around for centuries.17 The federal mail fraud statute, for example, was

“homicide by firearm,” “homicide by poison,” “homicide by beating,” “homicide by


stabbing,” and so forth. Instead, we focus on the harm that results from specific conduct,
such as conduct intended to cause the death of another person, and define an offense that
encompasses that harm. . . .
Brenner, Virtual Crime, supra note 5, at ¶ 12.
9. For more on whether “Internet murder” is a cybercrime, see § II(B) infra.
10. This type of fraud is known either as 4-1-9 fraud or “advance fee fraud.” See, e.g., U.S. Secret
Service, Public Awareness Advisory Regarding “4-1-9” or “Advance Fee Fraud” Schemes, at
http://www.secretservice.gov/alert419.shtml (last accessed Sept. 18, 2004). The “4-1-9” reference derives
from the fact that these scams often originate in, or are presented as originating in, Nigeria; “4-1-9” is the
section of the Nigerian penal code that addresses fraud. Id. In advance fee fraud scams, the target is
convinced to part with substantial sums of money, which are characterized as advance fees the payment of
which will result in the victim’s sharing in a substantial sum of money, usually in the millions. Id.
11. See, e.g., Federal Trade Commission, Internet Auction Fraud Targeted by Law Enforcers (Apr.
30, 2003), at http://www.ftc.gov/opa/2003/04/bidderbeware.htm (last accessed Sept. 18, 2004).
12. Credit card fraud consists of the unauthorized use of a regularly issued or cloned credit card. See,
e.g., Consumer Action, Preventing Credit Card Fraud, at http://www.consumer-action.org/English/library/
credit_cards/2000_PreventingCreditFraud/index.php (last accessed Sept. 18, 2004); BBC News, Credit
Card Cloning (July 7, 2003), at http://www.bbc.co.uk/insideout/east/series3/credit_card_cloning.shtml (last
accessed Sept. 18, 2004).
13. Identity theft can include credit card fraud, but it is much broader: “Identity theft occurs when
someone uses your personal information such as your name, Social Security number, credit card number or
other identifying information, without your permission to commit fraud or other crimes.” Federal Trade
Commission, ID Theft, at http://www.consumer.gov/idtheft/ (last accessed Sept. 18, 2004).
14. Phishing is essentially a method of committing credit card fraud, identity theft and/or generic
theft. Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into
divulging personal financial data such as credit card numbers, account usernames and passwords, social
security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card
companies, phishers are able to convince up to 5% of recipients to respond to them. Anti-Phishing Working
Group, What Is Phishing?, at http://www.antiphishing.org/ (last accessed Sept. 18, 2004).
15. This consists of using online resources to lure people into putting money into fraudulent
investment opportunities. See, e.g., U.S. Securities and Exchange Commission, Internet Fraud: How to
Avoid Internet Investment Scams, at http://www.sec.gov/investor/pubs/cyberfraud.htm (last accessed Sept.
18, 2004).
16. See, e.g., Federal Bureau of Investigation & National White Collar Crime Center, IFCC 2002
Internet Fraud Report 3, at http://www1.ifccfbi.gov/strategy/2002_IFCCReport.pdf. Another common type
of fraud is non-delivery of merchandise and payment. See id. For other types of online fraud, see Internet
Fraud Watch, Internet Fraud Tips, at http://www.fraud.org/internet/inttip/inttip.htm (last accessed Sept. 18,
2004).
17. See, e.g., Brenner, Virtual Crime, supra note 5, at ¶ 12 (“The development of the telephone,
radio and television, for example, all made it possible to perpetrate fraud in new and different ways, but
fraud itself has been outlawed for centuries.”). Still, fraud is actually a relatively recent feature of Anglo-
American criminal law. See, e.g., ROLLIN M. PERKINS & RONALD N. BOYCE, CRIMINAL LAW 289-90, 363-

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 5

enacted in 1872 to provide a way of “dealing with the many frauds and swindles
occurring across the country conducted via the U.S. mails.”18 Even earlier, “almost 300
years ago the South Sea Bubble, the high tech of its day, lured investors with . . . the hope
of riches from the new world, only to collapse amid recriminations against directors and
‘stock-jobbers.’”19 And while modern identifiers such as credit cards and Social Security
numbers may have made identity theft more prevalent, the notion of using another’s
identity to enrich oneself is far from new.20

¶6 If online fraud is substantively undifferentiated from traditional, real-world fraud,


what might justify treating it as something new, as a cybercrime? The differences that
could justify treating online fraud as a distinct phenomenon—as a cybercrime instead of a
crime—lie not in the elements of the offense, but rather in circumstances involved in its
commission.

A. Cybercrime?

¶ 7 One such circumstance is the lack of necessary proximity between the victim and
the perpetrator when a crime is committed. Both online fraud and the “Internet murder”
scenario outlined above involve remote conduct.21 Both are perpetrated in whole or in

88 (3d ed. 1982). See also Stuart P. Green, Lying, Misleading, and Falsely Denying: How Moral Concepts
Inform the Law of Perjury, Fraud, and False Statements, 53 HASTINGS L.J. 157, 182-86 (2001); LAWRENCE
M. FRIEDMAN, CRIME AND PUNISHMENT IN AMERICAN HISTORY, 195-97 (1993).
18. Gregory Howard Williams, Good Government by Prosecutorial Decree: The Use and Abuse of
Mail Fraud, 32 ARIZ. L. REV. 137, 140 (1990). Congress was concerned about crooked lotteries and “gift
schemes,” along with “frauds which are mostly gotten up in the large cities . . . by thieves, forgers, and
rapscallions generally, for the purpose of deceiving and fleecing the innocent people in the country.” Id. at
140-41 (quoting Representative Farnsworth). See also Act of July 27, 1868, ch. 246, § 13 Stat. 196. For a
fictional account of mail fraud as it was practiced in mid-nineteenth century Britain, see Charles Dickens,
The Begging Letter Writer, available at http://www.readbookonline.net/readOnLine/2540/ (last accessed
Sept. 18, 2004).
19. Larry E. Ribstein, Market vs. Regulatory Responses to Corporate Fraud: A Critique of the
Sarbanes-Oxley Act of 2002, 28 J. CORP. L. 1, 19 (2002). In another view:
Investment fraud is a time-honored tradition. As far back as the 1700s, con artists on
London's Exchange Alley were using a ‘pump and dump’ scheme to defraud investors.
The . . . scheme . . . was simple but effective: the price of worthless shares of the ‘South
Sea Bubble,’ a South American trading company, was inflated by false rumors of
profitability spread about the company by owners of the shares, who then sold the shares
at a substantial profit after the price of the shares increased. . . .
Kevin C. Bartels, Note, "Click Here to Buy the Next Microsoft:" The Penny Stock Rules, Online
Microcap Fraud, and the Unwary Investor, 75 IND. L.J. 353 (2000). For a description of the
South Sea Bubble and other pre-twentieth century frauds, see, e.g., CHARLES MACKAY,
EXTRAORDINARY POPULAR DELUSIONS AND THE MADNESS OF CROWDS (1841), available at
http://www.litrix.com/madraven/madne001.htm (other “bubbles” plus the “Mississippi scheme”)
(last accessed Sept. 18, 2004).
20. See, e.g., McIntire v. Pryor, 173 U.S. 38, 53-54 (1899); Jones v. State, 22 Fla. 532, 534-36, 1886
WL 1245 *2-*3 (Fla.). See also David Loth, Cassie Chadwick, in THE SUPER CROOKS 74 (Roger M.
Williams, ed. 1973) (discussing Chadwick’s defrauding of banks out of millions by pretending to be the
illegitimate daughter of Andrew Carnegie).
21. For more on this issue, see Susan W. Brenner, Toward A Criminal Law for Cyberspace:
Distributed Security, 10 BOSTON U. J. SCI. & TECH. L. 1, 50 (2004) [hereinafter Brenner, Criminal Law for
Cyberspace].

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 6

part by the use of computer technology, which lets the parties to a crime communicate
from a distance. Historically, fraud has been a face-to-face event, primarily because face-
to-face communication was the norm.22 Even when remote communication—i.e., snail
mail—could be used to set up a fraudulent transaction, it was often still necessary for the
parties to meet and consummate the crime with a physical transfer of the tangible
property being obtained by deceit.23 Modern technology changes that by automating
fraud; perpetrators can use fraudulent e-mails and fake websites to scam thousands of
victims located around the globe, and may expend less effort in doing so than their
predecessors used to defraud a single victim.24 This capacity to automate crime
differentiates online fraud from real-world fraud in at least two important respects: it is
far more difficult for law enforcement officers to identify and apprehend online
fraudsters, and these offenders can commit crimes on a far broader scale than their real-
world counterparts.25

1. Apprehension

¶8 There are several reasons why law enforcement officers find it difficult to identify
and apprehend online fraudsters.26 One reason is that they can use technology to conceal
their identities and physical location, thereby frustrating law enforcement’s efforts to find
them. Our model of law enforcement assumes the commission of an offense involves
physical proximity between perpetrator and victim. This assumption has shaped our
approaches to criminal investigation and prosecution.27 Real-world criminal
investigations focus on the crime scene as the best way to identify a perpetrator and tie
him to the crime,28 but in automated crime there may either be no crime scene or there
may be many crime scenes, with pieces of the offense scattered throughout cyberspace.29
Identifying an electronic crime scene can be a daunting task when the perpetrator may
have routed his communications with the victim through computers in three or four
countries, with obscure networks that are inaccessible to investigators.30 Additionally,
perpetrators can compound the difficulty of the task by using technology to achieve a
level of anonymity unknown in the real world or to assume the identity of an innocent
person, whose apparent involvement may confuse investigators and cause delays which
make it that much easier for the real criminal to avoid apprehension.31

22. See id.


23. See, e.g., In re Snyder, 17 Kan. 542 (1877). See also State v. Snyder, 20 Kan. 306 (1878).
24. See Brenner, supra note 21, at 59-76.
25. See id. For other factors that differentiate online crime from real-world crime, see id. at 51-55,
68-75.
26. This section focuses on the three most important reasons. For a discussion of other factors that
make it difficult for law enforcement to bring online criminals to justice, see, e.g., Susan W. Brenner &
Joseph J. Schwerha IV, Transnational Evidence-Gathering and Local Prosecution of International
Cybercrime, 20 J. MARSHALL J. COMPUTER & INFO. L. 347 (2002).
27. For more on this issue, see Brenner, supra note 21, at 65-74.
28. See, e.g., BRUCE L. BERG, POLICING IN MODERN SOCIETY 203-220 (1999).
29. See, e.g., U.S. Senate Permanent Subcommittee on Investigations (1996), available at
http://www.fas.org/irp/congress/1996_hr/s960605b.htm.
30. See id.
31. See, e.g., Brenner, supra note 21, at 66.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 7

¶9 Another reason why it is difficult for law enforcement to apprehend online


fraudsters is that even if officers track them down, they may be operating out of a
jurisdiction where their activity is not criminalized or is otherwise not seen as warranting
extradition and prosecution.32 In other words, offenders may exploit an inadvertent or
advertent cybercrime haven, a place where local authorities cannot or will not cooperate
in bringing them to justice.33 This concept of a safe haven from prosecution is not
unknown in criminal law, but it has not been a significant problem—aside, perhaps, from
bank secrecy laws34—for many years.35 It ceased to be a significant problem in the
nineteenth century, when nation-states collaborated effectively to eradicate high-seas
piracy in a process that represented the triumph of territorially-based legal systems over
earlier modes of governance.36 Unfortunately, territorially-based strategies tend not to be
effective against online crime because they are designed to prevent the citizens of one
nation-state from preying on each other, not to prevent their preying on citizens of other
nation-states.37

32. See, e.g., Brenner, supra note 26 at 348-54; Marc D. Goodman & Susan W. Brenner, The
Emerging Consensus on Criminal Conduct in Cyberspace, supra, 2002 UCLA J. L. & TECH. 3, 4-6 (2002).
33. See, e.g., Goodman, supra note 32, at 73-76, 83-88.
34. See, e.g., Howard S. Erbstein, Palm Trees Hide More Than Sunshine: The Extraterritorial
Application of Securities in Haven Jurisdictions, 13 DICK. J. INT’L L. 441, 444-63 (1995) (bank secrecy
havens). See also Mariano-Florentino Cuéllar, The Tenuous Relationship Between the Fight Against
Money Laundering and the Disruption of Criminal Finance, 93 J. CRIM. L. & CRIMINOLOGY 311, 449-55
(2003).
35. The obvious analogy is to the high-seas piracy countries sponsored, then tacitly accepted and
finally outlawed under pressure from other countries. See, e.g., JANICE E. THOMPSON, MERCENARIES,
PIRATES AND SOVEREIGNS: STATE-BUILDING AND EXTRATERRITORIAL VIOLENCE IN EARLY MODERN
EUROPE 21-42, 107-42 (1994). See also id. at 116 (stating that “[b]y the early nineteenth century, European
state leaders charged the state with responsibility for controlling piracy in its own territorial waters. Backed
with the threat of coercion, this charge said in effect: You cannot simply disclaim responsibility for piracy
in your territorial waters, regardless of who its victims are or how much you may profit from it. To be
recognized as sovereign, a state must control piracy within its jurisdiction”).
36. See, e.g., id. at 148-49 (stating that “[w]hile brute force—the traditional state's
solution—was used . . . the permanent solution came only with changes in international and
municipal law. . . . [W]hen the British state decided to act against piracy, it did not simply send
out the navy to physically destroy the pirates. Rather, it reformed its . . . legal system and . . .
offered . . . inducements to the pirates to rejoin society as normal citizens. The Chinese and others
did the same. . . . [so] the state's coercive solution gave way to the national state's legalistic
solution. . .”). See also supra note 35.
37. See, e.g., Goodman, supra note 32, at 74-76 (emphasis added):
[L]aw has evolved to maintain order within a society. Each nation-state is concerned with
fulfilling its obligations to its citizens. . . . [N]o nation can survive if its citizens are free
to prey upon each other. But what if they prey upon citizens of another society? What if
the citizens of Nation A use cyberspace to prey upon the citizens of Nations B and C? Is
this a matter that is likely to be of great concern to Nation A?
There are . . . historical precedents for this type of behavior that may shed some light on
what will ensue in cyberspace. The most analogous . . . involve high-seas piracy and
intellectual piracy. . . .
Both . . . involved instances in which societies were willing to allow (or even encourage)
their citizens to steal from citizens of other societies. In both, the focus was on crimes
against property . . .; the motivation was purely economic. . . .[T]he conduct took place at
the ‘margins’ of the law: high-seas piracy occurred outside the territorial boundaries of
any nation and therefore outside the scope of any laws; eighteenth-century American

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 8

¶ 10 As explained above, online criminals can easily, and invisibly, target victims in
another country. Unlike the high-seas pirates whose activities are truly outside the law,
online criminals can obey the laws and enjoy the protections of Country A while
variously victimizing citizens of Countries B-Z. This creates the potential for a conflict
between national legal systems: high-seas pirates’ ability to operate outside territorially-
based law was eliminated by defining piracy as an offense against the law of nations that
could be prosecuted by any country which captured an offender.38 This very effective
strategy applies territorially-based law to activity that occurs outside the territory of any
nation-state, and it works because high-seas piracy consists of conduct—e.g., murder,
rape, theft—that is unacceptable within any legal system.39 This strategy cannot,
however, be used against online criminals because they generally do not operate outside a
legal system. Online criminals, by default, are usually in the territory of a particular
nation-state when they commit their crimes. They therefore function within a legal
system and may be able to use that circumstance to fend off efforts to secure their
extradition for prosecution in a state whose citizens they have victimized.40 And while an
effort is underway to establish a baseline of consistency in national laws targeting online
crimes,41 it cannot—at least for the foreseeable future—achieve the global, universal
condemnation that proved so effective in discouraging high-seas piracy.42 Unlike high-

intellectual property piracy occurred . . . when the legal status of intellectual property as
‘property’ was still evolving. Both . . . were outlawed when they became economically
disadvantageous for the host countries. . . .
One can, therefore, hypothesize that countries may be inclined to tolerate their citizens’
victimizing citizens of other nations if (a) the conduct takes place at the margins of the
law . . . and (b) results in a benefit to the victimizing nation. The former gives the
victimizing nation . . . plausible deniability when confronted with its tolerance of illegal
activity; the latter is an obvious motive for tolerating the activity. . . .
38. RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW § 404 ¶ 1 (1987) (quoting U.S. v. Smith,
18 U.S. (5 Wheat.) 153, 161-62 (1820)).
39. See, e.g., Goodman, supra note 32, at 70-76.
40. See id. at 4-6, 73-76, 83-88. See, e.g., Ariana Eunjung Cha, Internet Dreams Turn to Crime,
Washington Post (May 18, 2003), available at http://www.washingtonpost.com/ac2/wp-dyn/A2619-
2003May17?language=printer (last visited Sept. 21, 2004):
[Vasiliy] Gorshkov and [Alexey] Ivanov were scouring the Internet looking for security
vulnerabilities in the computer networks of American corporations. When they found a
way in, they would steal credit card numbers or other valuable information. They would
then contact the site's operator and offer to “fix” the breach and return the stolen data—
for a price.
Within a few months, banking, e-commerce and Internet service providers across the
country . . . became victims. . . . . The men would eventually expose American businesses
to perhaps tens of millions of dollars in losses. . . .
International law is often ill suited to deal with the problem, with conflicting views on
what constitutes cybercrime, how – or if – perpetrators should be punished and how
national borders should be applied to a medium that is essentially borderless.
“We don't think about the FBI at all,” Gorshkov told a potential business partner.
“Because they can't get us in Russia.”
41. See Council of Europe, Convention on Cybercrime (ETS No. 185), available at
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (last visited Sept. 21, 2004). See also
Goodman, supra note 32, at 67-69.
42. See, e.g., Susan W. Brenner, Distributed Security: A New Model of Law Enforcement, JOURNAL
OF INTERNET LAW (forthcoming 2004):

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 9

seas piracy, online crime is not a simple constellation of offenses; it is an intricate array
of behaviors, many of which are generally regarded as unlawful, but others of which are
accepted in varying degrees.43 As long as inconsistencies and gaps in substantive
criminal law persist, online criminals will take advantage of them.

2. Scale

¶ 11 Real-world crime tends to be one-to-one crime, involving one perpetrator and one
victim.44 A crime commences when victimization of the target is begun and ends when
the victimization is concluded; during which time the perpetrator focuses her attention on
consummating that specific crime. When it is complete, she can move on to another
crime and another victim.45 In this way, real-world crime is generally serial crime.46

¶ 12 The default one-to-one scale of real-world crime is not a base characteristic of


online crime.47 As Part II(A) noted, online crime, such as fraud, can be automated.48

[The Convention on Cybercrime’s] underlying premise—that harmonizing national laws


will improve law enforcement’s ability to react across national borders—is
unobjectionable. The difficulty lies in its implementation. The Convention has been
ratified by 5 countries; even if we assume, for the sake of analysis, that the remaining,
roughly 180 countries, ratify it that does not end the matter. The Convention contains 48
Articles, at least 33 of which require parties to adopt legislation or take other
implementing measures. This will be a less-than-onerous task for countries like the
United States that already have cybercrime laws in place; it can be an onerous task for
those that do not. The task will be further complicated by differences in local law and
culture; the Convention was drafted by Europeans who received substantial input from
American lawyers. Consequently, it incorporates notions of substantive and procedural
law that may not be routine in other parts of the world. This does not mean countries
cannot implement the Convention; it means implementing the Convention will be a
complicated process for many countries, one that will take time.
See also Goodman, supra note 32, at 83-86.
43. This variation in national laws has resulted in the United States becoming, in a sense, a
cybercrime haven. See, e.g., Susan W. Brenner, Complicit Publication: When Should the Dissemination of
Ideas and Data Be Criminalized?, 13 ALB. L.J. SCI. & TECH. 273, 275-277 (2003):
The capacity that cyberspace creates for the. . . unfettered dissemination of information . .
. raises difficult issues . . . since the content posted . . . by American citizens can . . .
reach . . . countries where it is illegal. Because their speech is legal in the United States,
those responsible . . . cannot be prosecuted in this country; consequently, they cannot be
extradited for prosecution in countries where their speech is illegal. This . . . creates the
possibility that the United States will become a “speech haven,” i.e., a nation that harbors
those whose speech is outlawed elsewhere . . .
44. See Brenner, Criminal Law for Cyberspace, supra note 22, at 50-51.
45. This aspect of real-world crime derives from the constraints physical reality imposes upon
human activity. See id. A thief cannot pick more than one pocket at a time, and prior to the development
of firearms and similar armament, it was difficult for one bent upon homicide to cause the simultaneous
deaths of more than one person. See id.
This characteristic is more a default than an absolute because exceptions occur, especially as to the
number of perpetrators. See id. Many crimes can involve multiple perpetrators; the aggregation of
offenders and the rise of organized crime is a tendency that has accelerated over the last few centuries. But
while many-to-one deviations from the default have occurred for centuries, one-to-many deviations were
rare prior to the use of technology. See id.
46. See id.
47. See id. at 66-68.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 10

Offenders can use technology to exponentially increase the number of crimes they can
commit within a given time period,49 which creates new problems for law enforcement.

¶ 13 Under our current approach to law enforcement, officers react to a crime by


initiating an investigation of which the intended result is the apprehension of the
perpetrator, who they hope will be prosecuted, convicted, and sanctioned.50 This scenario
assumes real-world crime and, in so doing, assumes crimes will be committed on a
manageable scale.51 However, because online crime utilizes automation, it is committed
on a scale far surpassing that of real-world crime, and online crime tends to be one-to-
many crime, instead of one-to-one crime.52 Online crime also creates a new class of

48. See id.


49. See id. See also British Embassy, Bangkok, Internet Fraud: Information and Guidance (June
2004), at http://www.britishembassy.gov.uk/servlet/Front?pagename=OpenMarket/Xcelerate/ShowPage
&c=Page&cid=1067968224585:
Internet fraud is posing a growing threat to UK commercial interests and individuals.
The speed, low cost and relative anonymity of the Internet has provided organized
criminals with new methods of carrying out old crimes, such as fraud and identity theft.
Fraudsters can send out hundreds of thousands of e-mails and, if only a small proportion
of the recipients fall into the trap, make a significant profit.
50. See Brenner, Criminal Law for Cyberspace, supra note 22, at 55-65. This ensures that law is
enforced and order is maintained; the unlucky criminal is deterred, and his fate serves to deter others. See
id.
51. See id. at 66-68.
52. One-to-many crime is not new. Nineteenth century swindlers often used the press and the
national postal system to their advantage:
As Anthony Costock put it in 1880, swindling depended ‘upon two mighty agencies of
our present civilization, the Newspaper and the United States Mail. By means of these
two instruments . . . it is possible to reach every household in the land.’ . . . Newspapers
were not . . . fastidious about the advertisements they carried . . . Country newspapers, for
example, were happy to print ads for incredibly cheap sewing machines – just send in
your money. What you got in return was worthless. . . .
LAWRENCE M. FRIEDMAN, CRIME AND PUNISHMENT IN AMERICAN HISTORY 195 (BasicBooks
1993)(quoting ANTHONY COMSTOCK, FRAUDS EXPOSED, OR HOW THE PEOPLE ARE DECEIVED AND ROBBED
AND YOUTH CORRUPTED 14 (1880)). Friedman notes, though, that “[m]any swindlers . . . plied their trade
in person.” Id. at 196.
The frauds Friedman describes are an earlier, more primitive version of the online frauds and other
crimes we see today. Both deviate from traditional crime in that they involve the exploitation of many
victims by one; Friedman’s nineteenth century swindlers had, in a sense, discovered automated crime. The
two differ, however, in several important respects, including the absolute scale of the crimes. The victims
of the nineteenth century American swindlers Friedman describes probably numbered in, at most, the
hundreds, due to the effort it required to place ads in various newspapers. Swindlers would first have had
to identify the newspapers they would use, a time-consuming and difficult effort in an era without the
Internet, telephones or air travel. While it would not be difficult to identify well-known urban newspapers,
they might have been more hesitant to accept such ads and their readers might have been less likely to
succumb to them. The rural newspapers Friedman mentions would be more difficult to locate, and placing
ads with them would also be a time-consuming process, even if it were consummated by mail. A swindler
would probably mail the newspaper to price the ad, mail the ad to the paper, and wait until it ran. Then he
could sit back and wait for the money to arrive. A swindler could probably use a particular rural newspaper
only a few times before word of the scam circulated in the area, so the process described above would be
ongoing, with swindlers moving from place to place to consummate their scams and attempt to avoid
detection.
Compare this to contemporary online fraud: Modern swindlers can instantly send hundreds of
thousands or even millions of fraudulent emails to potential victims. Their potential return rate on a single

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 11

crime, in addition to the real-world crimes with which law enforcement must still deal,53
further stretching resources that are already struggling to deal adequately with real-world
crime.54

3. Evidence

¶ 14 The differentiating effects of these factors are exacerbated by another aspect of


online crime. Because online criminals commit their crimes in a virtual environment, the
evidence that law enforcement needs to apprehend and convict them is, for the most part,
intangible, digital evidence.55 Over the last century or so, law enforcement agencies
around the world have developed competencies in dealing with tangible evidence such as
witness and suspect statements, bodily substances, fibers, bullets, and other types of
physical evidence.56 Digital evidence poses new challenges and requires new skills.57 It
is easily altered, so investigators must take special care in preserving, collecting, and
analyzing it.58 Digital evidence can also be erased or hidden, so special expertise and
technologies may be needed to restore or find it.59 Furthermore, digital evidence can be
incredibly voluminous, which means investigators may spend a great deal of time
processing computers and storage media to identify evidence that may be relevant to a
case.60

fraud is much higher than that of their nineteenth century counterparts because their pool of potential
victims is exponentially larger. Modern swindlers also run little, if any, risk of detection: They can
conceal their identities and operate from countries where the laws are hospitable or law enforcement is
approachable. They can also devise and implement new scams quickly, so they may have multiple scams
going at the same time. They also have access to online resources like E-gold and Web Money to launder
the proceeds, making it that much more difficult for law enforcement to track them down. See E-Gold, at
http://www.e-gold.com/e-gold.asp?cid=624985; WebMoney, at http://www.wmtransfer.com/. See, e.g.,
Bob Sullivan, A $55,000 Net Scam Warning, MSNBC (Jan. 23, 2003), at
http://msnbc.msn.com/id/3078503/.
53. See Brenner, Criminal Law for Cyberspace, supra note 22, at 66-68.
54. See id.
55. For a definition of digital evidence, see Carrie Morgan Whitcomb, An Historical Perspective of
Digital Evidence: A Forensic Scientists’ View, International Journal of Digital Evidence (2002), at
http://www.ijde.org/archives_home.html (stating that “[d]igital evidence is any information of probative
value that is either stored or transmitted in a binary form . . . [and] includes computer evidence, digital
audio, digital video, cell phones, digital fax machines, etc.” ).
56. See, e.g., BRUCE L. BERG, POLICING IN MODERN SOCIETY 203-20 (1999).
57. See, e.g., United Kingdom National High-Tech Crime Unit, Good Practice Guide for Computer
Based Electronic Evidence 9-22 (2003), available at http://www.nhtcu.org/ACPO%20Guide%20v3.0.pdf.
58. See, e.g., U.S. Department of Justice, National Institute of Justice, Forensic Examination of
Digital Evidence: A Guide for Law Enforcement 11 (2004), available at http://www.ncjrs.org/pdffiles1/
nij/199408.pdf.
59. See id. at 16-17 (talking about recovering deleted files and dealing with data-hiding techniques
like steganography). See also Gary C. Kessler, An Overview of Steganography for the Computer Forensics
Examiner, available at http://www.wetstonetech.com/f/stego-kessler.pdf.
60. See, e.g., Erin Kenneally, Computer Forensics: Beyond the Buzzword, LOGIN: THE MAGAZINE
OF USENIX & SAGE, Aug. 2002, at 8, 10, available at http://www.usenix.org/publications/login/2002-
08/pdfs/kenneally.pdf:
The traditional approach when investigators . . . encounter a crime scene with a computer
was to seize everything. . . . However, this . . . is no longer feasible in a society where . . .
information is increasingly being stored, transmitted, and created in digital form. . . .
[T]he cost of storage media has declined appreciably, yet the man-hour resources and

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 12

¶ 15 These aspects of digital evidence create additional challenges for law enforcement.
Investigators must be trained to locate, preserve, and analyze digital evidence; and they
must be given the tools—hardware and software—needed to carry out these tasks. Since
computer technology is constantly evolving, these are ongoing and expensive
requirements. It is difficult, if not impossible, for most local agencies to maintain and
equip the investigative staff needed to deal effectively with online crimes, particularly the
more complex varieties of online crime.61

4. Sum

¶ 16 Online crime does differ from traditional, real-world crime in several important
respects. The issue to be resolved is whether these differences are sufficient to warrant
classifying online crime as a new phenomenon: cybercrime. The next section addresses
this issue.

B. Crime/Cybercrime

¶ 17 As the above quotation implies, the function of criminal law is to maintain order in
a society.62 To that end, societies adopt laws that are designed to maintain the integrity of
certain vital interests: the safety of persons, the security of property, the stability of the
state, and the sanctity of particular moral principles.63 As one commentator noted, “[n]o
society can survive if its constituents are free to injure each other, to appropriate each
other’s property, to undermine the political order and/or to flout the moral principles the
citizenry hold dear.”64

¶ 18 Every society will therefore implement laws that define a repertoire of (i) crimes
against persons (e.g., murder, assault, rape), (ii) crimes against property (e.g., theft, arson,
fraud), (iii) crimes against the state (e.g., treason, riot, obstructing justice), and (iv)

capabilities to image and cull through hundreds of gigabytes worth of data on a


compromised network is no small task.
61. See, e.g., Morning Edition (National Public Radio broadcast, July 16, 2004), (transcript on file at
2004 WL 56913730)(stating that “everybody within the computer forensics field . . . is so overwhelmed.
We don't have enough people out there to do these investigations”). See also Douglas Quan, Communities
Struggle with White-Collar Crime, RIVERSIDE PRESS-ENTERPRISE (Apr. 26, 2003), available at 2003 WL
19922822 (quoting prosecutor Richard West that “investigations into cybercrimes are often time-
consuming because of the amount of time it takes to search a computer's hard drive. . . . He added that there
is an overwhelming need to hire more forensic computer experts who know how to do the searches.”).
62. See also ROLLIN M. PERKINS & RONALD N. BOYCE, CRIMINAL LAW 5 (3d ed. 1982) (stating that
“[t]he purpose of the criminal law is to define socially intolerable conduct, and to hold conduct within the
limits which are reasonably acceptable from the social point of view”). For an analysis of how various
systems, including human societies, use rules to maintain order, see Brenner, Criminal Law for
Cyberspace, supra note 22, at 2-49.
63. See Brenner, Criminal Law for Cyberspace, supra note 22, at 2-49. See also Mark D. Goodman
& Susan W. Brenner, The Emerging Consensus on Criminal Conduct in Cyberspace, 2002 UCLA J.L. &
TECH. 3, 56-57 (2004).
64. See Goodman & Brenner, supra note 65. See also WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL
LAW § 1.2(e) (2003). For more on this proposition, see Brenner, Criminal Law for Cyberspace, supra note
22, at 2-49.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 13

crimes against morality (e.g., obscenity, adultery, defiling a place of worship).65


However, this does not mean every society will define precisely the same crimes. While
there will be a core of consistency across societies as to the definition of certain crimes,
there will be substantial variation as to the number of crimes a society defines and the
way a society defines its crimes. Substantively, the greatest degree of consistency will
occur in the first two categories because they involve the direct infliction of harm by one
person upon another; these are the baseline prohibitions a society must establish if it is to
maintain a threshold level of social order.66 There will also be consistency as to a core of
offenses in the third category such as treason because every society must protect the
stability of its political order.67 But there will also be idiosyncratic deviation in this
category because societies vary in the extent to which they believe it necessary to control
speech and political dissidence.68 Finally, there will be a great deal of deviation as to the
offenses in the fourth category; since these crimes are the product of a society’s cultural
values and religious principles, they tend to be very localized and idiosyncratic in
nature.69

¶ 19 One proposition is a constant in the criminal law of every society: each crime
targets the infliction of a distinct and socially intolerable harm.70 Part II considered two
putative cybercrimes: “Internet murder” and online fraud, and concluded that both
represent nothing more than the commission of traditional crimes by non-traditional
means. This is also true of the other putative cybercrimes. “Computer theft” consists of
using computer technology to take someone’s property without their consent; “computer
forgery” is using computer technology to falsify documents.71 “Cyberstalking” consists

65. See Goodman & Brenner, supra note 65, at 19-21.


66. See id.
67. See id.
68. See id.
69. See id.
70. See, e.g., Brenner, supra note 5 at ¶¶ 1-13. Doctrinally, the principle that the only justification
for criminalizing conduct is to prevent harms is traceable to the writings of John Stuart Mill. In On Liberty,
Mill declared that the
sole end for which mankind are warranted, individually or collectively, in interfering with
the liberty of action of any of their number is self-protection. That the only purpose for
which power can be rightfully exercised over any member of a civilized community,
against his will, is to prevent harm to others.
JOHN STUART MILL, ON LIBERTY 9 (1859). The position Mill takes in this passage, of course, can only be
used to justify the articulation of crimes against persons and crimes against property, for only these crimes
directly inflict harm upon others. In the years after the appearance of On Liberty, Mills and later scholars
expanded the principle so it now reaches a wide variety of harms. See, e.g., Bernard E. Harcourt, The
Collapse of the Harm Principle, 90 J. CRIM. L. & CRIMINOLOGY 109, 120-39 (1999). See also JEROME
HALL, GENERAL PRINCIPLES OF CRIMINAL LAW 213-22 (1960). The nature of the harm encompassed by a
criminal prohibition is not relevant to the issues under consideration in this article; the issue addressed in
the section immediately above is whether or not the varieties of conduct that are currently, and casually,
described as cybercrime result in the infliction of socially-intolerable harms that are distinct from those
addressed by the repertoire of crimes respectively found in contemporary human societies.
71. See, e.g., Brenner, supra note 5, at ¶¶ 39-50 (theft) & 56-58 (forgery). The generic concepts of
theft and forgery also encompass copyright violations and other crimes against intellectual property. See,
e.g., Joseph F. Savage, Jr. & Joel T. Pond, Criminal Prosecution of Intellectual Property Crimes B-11,
American Bar Association Center for Continuing Legal Education (Oct. 23-28, 1998) (“intellectual
property ‘theft:’ copyright infringement, trademark counterfeiting, trade secret theft, and computer

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 14

of using computer technology to threaten or harass someone. While technology gives a


stalker a new range of techniques, the resulting harm is the same as in real-world
stalking.72 This is also true for the other cybercrimes: hacking,73 cracking,74 denial of
service attacks,75 malware,76 hacktivism,77 online child pornography,78 online extortion,79
cyberterrorism, 80 cybervigilantism,81 etc. Each is simply the commission of old crimes
by new methods.

crimes—are now subject to federal criminal prosecution”). See generally Stuart P. Green, Plagiarism,
Norms, and the Limits of Theft Law: Some Observations on the Use of Criminal Sanctions in Enforcing
Intellectual Property Rights, 54 HASTINGS L.J. 167, 240-41 (2002) (stating that the law of intellectual
property crimes relies on theft, fraud and forgery paradigms). Intellectual property crimes tend to be
specialized versions of statutes that criminalize the theft of intangible property; in both, the
conceptualization of “theft” has to be modified so that it is not a zero sum proposition and can, therefore,
reach the copying of data or other intangible property. See, e.g., State v. Schwartz, 173 Ore. App. 301,
317, 21 P.3d 1128, 1137 (Ore. App. 2001), stating that under Oregon Rev. Stat. § 164.015:
[T]heft occurs . . . when a person ‘takes’ the property of another. ‘Take’ is a broad term
with an extensive dictionary entry. Webster's Third New Int'l Dictionary, 2329-31. . . .
The first definition of ‘take’ is "to get into one's hands or into one's possession, power, or
control by force or stratagem. . . " [Id.] at 2329. . . . . Black's defines ‘take’ to include
"[t]o obtain possession or control. . . ". Black's Law Dictionary, 1466 (7th ed. 1999). . .
Turning back to the . . . statute under which defendant was charged, we note that the
legislature contemplated that ‘theft’ . . . could be exercised upon, among other things,
‘proprietary information.’ ‘Proprietary information’ includes “scientific, technical or
commercial information . . . that is known only to limited individuals within an
organization . . . ” [Oregon Rev. Stat. § 164.322(1)(j).] Proprietary information, like the
passwords and password files at issue here, is not susceptible to exclusive possession; it
is information that . . . can be known by more than one person. Nevertheless, the
legislature indicated that it could be subject to ‘theft’. . . . We conclude that the state
presented sufficient evidence to prove that, by copying the passwords and password file,
defendant took property of another, namely Intel, and that his actions, therefore, were for
the purpose of theft.
72. Cf. Brenner, supra note 5, at ¶¶ 61-68. As our experience with cyberstalking evolves, it has
become apparent that it does not involve the infliction of new harms; the problems encountered in using
traditional stalking and threat statutes to address computer-facilitated stalking was not that the harm was
different but that they were too narrow in scope. They required an actual threat of physical harm, instead of
encompassing the more subtle forms of harassment an online stalker can inflict. In a sense, cyberstalking
and cyberharassment are lineal descendants of the obscene or annoying telephone call offenses that were
created roughly a century ago, to address harms resulting from the misuse of a nineteenth century
technology. See Brenner, supra note 5, at ¶ 68. See, e.g., Mass. Gen. Laws Ann. 265 § 43 (criminalizing
use of “a telephonic or telecommunication device including, but not limited to, electronic mail, internet
communications and facsimile communications” to transmit a threat or to engage “in a knowing pattern of
conduct or series of acts . . . directed at a specific person which seriously alarms or annoys that person and
would cause a reasonable person to suffer substantial emotional distress.”).
73. See, e.g., Brenner, supra note 5, at ¶¶ 77-86.
74. See id.
75. See id. at ¶¶ 73-76.
76. See id. at ¶¶ 69-72.
77. See id. at ¶¶ 69-72.
78. See id. at ¶¶ 59-60.
79. See, e.g., United States v. Scott, 42 Fed. Appx. 264, 265 (10th Cir. 2002) (using emails to
extort).
80. See Brenner, supra note 5, at ¶¶ 95-98.
81. See id. at ¶ 76.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 15

¶ 20 That may or may not be the final conclusion on this issue. Our experience of
computer technology and its use to inflict harms is, after all, still in its infancy. Could it
be that we are seeing the emergence of cybercrime? That is, could it be that we are
seeing the development of what will evolve into a truly distinct variety of crime—a fifth
category added to the four outlined above?82 That is possible, but unlikely. Crime, in all
its manifestations, is about the infliction of socially intolerable harms. The four
categories outlined above encompass all the harms human ingenuity has been able to
devise since mankind contrived society.83 While it is quite certain we will use our
ingenuity to come up with different ways of inflicting harm upon each other, it is highly
improbable, to say the least, that we will devise new harms. Even if, for example, we
someday develop technology that allows us to literally steal another’s identity or alter or
erase another person’s memories,84 those are not new harms, they are simply new ways of
inflicting harm upon a person.85 It is therefore reasonable to assume that the present state
of affairs in which computer technology is implemented to commit crimes will continue.
The use of computer (and other) technology for this purpose may well accelerate until its
effects permeate much of crime,86 but this does not alter the underlying structure of the

82. See supra note 65 and accompanying text.


83. See supra notes 62-64 and accompanying text. It is society, of course, that creates the
institutional need for rules that prevent individuals from inflicting various harms upon each other.
84. See, e.g., PHILIP K. DICK, We Can Remember It for You Wholesale, THE PHILIP K. DICK READER
305 (1997).
85. As an example, consider Allan Eric Carlson. In the fall of 2003, Carlson was indicted for
violating various provisions of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. See United States v.
Carlson, Indictment, U.S. Dist. Ct. – E.D. Pa. at http://www.usdoj.gov/usao/pae/News/Pr/2003/oct/
carlson.pdf , stating that
[t]he indictment charges that Carlson, a disgruntled Philadelphia Phillies fan, hacked into
computers of unsuspecting users and from those computers launched spam e-mail attacks
with long messages voicing his complaints about the Phillies management. The
indictment charges that when launching the spam e-mails, Carlson's list of addressees
included numerous bad addresses. When those e-mails arrived at their destinations, the
indictment charges that they were ‘returned’ or ‘bounced’ back to the person who
purportedly sent them—the persons whose e-mail addresses had been ‘spoofed’ or
hijacked. This caused floods of thousands of e-mails into these accounts in a very short
period of time.
U.S. Department of Justice, Press Release: Disgruntled Phillies Fan Charged with Hacking into Computers
Triggering Spam E-mail Attacks (Oct. 7, 2003), at http://www.usdoj.gov/usao/pae/News/Pr/2003/oct/
carlson.html. Carlson is accused, in essence, of (i) gaining unauthorized access to computers, (ii) using
them to send thousands of emails, and (iii) launching a distributed denial of service (DDoS) attack on the
people whose emails he had spoofed. While these acts were carried out in non-traditional ways, each
resulted in the infliction of a harm encompassed by our existing criminal law: gaining unauthorized access
to a computer is a form of trespass; one “makes use of” property without being authorized to do so. See,
e.g., Brenner, supra note 5, at ¶¶ 77-86. Sending spam e-mails is a form of harassment, and a DDoS attack
qualifies as vandalism when unaccompanied by extortionate or other demands. See id. at ¶¶ 73-76 (denial
of service). See also Texas Penal Code § 42.07(a)(7) (harassment).
86. Some contend that this will culminate in the transformation of crime into cybercrime. See, e.g.,
Brenner, supra note 5, at ¶ 1 (“At some point, we can do away with cybercrime laws because most crimes
will involve computers in some way, and all crime will be cybercrime.”) (quoting email from Donn Parker
to Susan Brenner). See also Donn B. Parker, Is Computer Crime Real?, Letters - 4 CAL. CRIM. L. REV.
(2001), at http://www.boalt.org/CCLR/v4/v4letterstoeditor.htm. The problem with this contention is that it
proves too much: The concept of “cybercrime” is useful only insofar as it serves to differentiate a

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 16

crimes, just as the proliferation of motor vehicles did not transform crime into “car
crime.”87

¶ 21 Doctrinally,the correct approach is to treat cybercrime as a variety of crime. Does


that mean our inquiry into cybercrime metrics ends here, with our conclusion that, as a
matter of law, there is no such thing as cybercrime? If there is no such thing as
cybercrime, it seems the metrics we have used for crime should suffice for the conduct
that is popularly known as cybercrime.88 Nevertheless, that may not be the case. To
understand why, we need to return to the point made earlier; the methods used to commit
online crime are distinctive and they have distinct consequences for (i) law enforcement’s
ability to apprehend online criminals and (ii) the scale of the harms they can inflict.89
Are these considerations alone appropriate predicates for the development and utilization
of metrics focusing on online crime?

¶ 22 That is a difficult question to answer, because as Part III explains, we have never
broken these factors out as independent variables in our approach to crime. We consider
the harm a particular offense or particular type of offense inflicts (i) when we define the
offense and (ii) when we articulate the appropriate sentence for that offense. Since we
have just concluded that cybercrime is, in fact, merely crime, it seems this assessment has
already been made. If we were to decide that the extant crimes calculus does not
adequately take into account the scale on which harms can be inflicted by utilizing
computer technology, we could make the use of computer technology an aggravating
factor in sentencing, just as we do with firearms.90 Neither of these approaches would
require our identifying and utilizing cybercrime metrics, and neither would address the
residual issue, i.e., the fact that computer technology makes it much more difficult for
law enforcement to apprehend cybercriminals. 91 This residual issue is not a matter we
have incorporated into our crime-harm calculus. As Part III explains, we criminalize acts

particular, unique class of crime. If all crime becomes cybercrime, there is no need to differentiate the two.
We would simply have crimes being committed differently than they were 20, 40, or a 100 years before.
87. The analogy is not as strained as it may seem. The proliferation of motor vehicles presented law
enforcement with challenges it had not faced before, challenges that are comparable to, though of lesser
magnitude than, those posed by computer technology. Motor vehicles gave criminals the ability to quickly
flee the scene of the crime and, often, to cross-jurisdictional borders, which frustrated law enforcement’s
ability to track and apprehend them. See, e.g., Brooks v. United States, 267 U.S. 432, 438-39 (1925):
It is known of all men that the radical change in transportation of persons and goods
effected by the introduction of the automobile, the speed with which it moves, and the
ease with which evil-minded persons can avoid capture, have greatly encouraged and
increased crimes. One of the crimes which have been encouraged is the theft of the
automobiles themselves. . . . Elaborately organized conspiracies for the theft of
automobiles and the spiriting of them away into some other State and their sale . . . far
away from the owner . . . have roused Congress. . . . The quick passage of the machines
into another State helps to conceal the trail of the thieves, gets the stolen property into
another police jurisdiction and facilitates the finding of a safer place in which to dispose
of the booty at a good price.
88. See supra Part III for a discussion of metrics.
89. See supra Parts II(A)(1) and II(A)(2).
90. See supra Part III(B)(1)(b)(i) for a discussion of scale and a comparison of automation in
cybercrime to firearms in real-world crime.
91. See supra Parts II(A)(1) and II(A)(3).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 17

taken to interfere with the prosecution of an offender, but not acts taken to prevent her
apprehension.

¶ 23 Part III of this article discusses metrics. However, we cannot proceed to consider
metrics unless and until we resolve the outstanding issue: are increased difficulty of
apprehension and increased magnitude of inflicted harms appropriate predicates for the
articulation and implementation of cybercrime metrics?

¶ 24 They are, for reasons that have nothing to do with the way we have always
approached crime. As noted earlier, the function of criminal law is to maintain order
within a society by discouraging those who populate that society from preying on each
other.92 The traditional model of law enforcement evolved to implement the laws that are
designed to achieve this order by apprehending those who commit crimes and seeing that
they are sanctioned for their misdeeds.93 We assume sanctioning apprehended offenders
maintains order by deterring (and incapacitating) them from re-offending and by
deterring others from following their example.94 Of course, not all offenders are
apprehended and sanctioned, but because life and crime are both grounded in the real,
physical world, enough are sanctioned and apprehended to create a climate in which the
perceived risk serves as an effective disincentive to commit crimes.95 The result is an
effective crime control strategy, the effects of which are complemented by other
strategies that maintain external order, i.e., that secure the society’s relations with its
external environment and with other societies. 96

¶ 25 Online crime eludes these strategies, and in that regard it is truly distinguishable
from traditional crime. Online criminals operate in the virtual world and are therefore not
subject to the physical and territorial constraints that govern conduct in the real world.97
Their crimes are not necessarily internal events; it is at least as easy for a Nigerian
fraudster to defraud someone in the United States as it is for him to victimize his
neighbor.98 Territory, which is the foundation of our approach to crime, consequently
becomes irrelevant in the arena of online crimes.99 Territory defines the scope of a
society’s law and the reach of its law enforcement officers.100 By eluding the effects of
territory, online crime becomes something other than crime—not in a legal, doctrinal
sense, but in a pragmatic sense. The rules, institutions and assumptions we rely upon to

92. See supra note 65 and accompanying text.


93. For more on assumptions behind and evolution of the traditional model of law enforcement, see
Brenner, Criminal Law for Cyberspace, supra note 22, at 49-65.
94. Id. at 59-60.
95. Id. at 60.
96. See id. at 45-46 (discussing why internal systems are not sufficient to control external threats).
97. See supra Part II(A)(1).
98. Id.
99. Brenner, Criminal Law for Cyberspace, supra note 22, at 46-49.
100. See, e.g., Eugene Kontorovich, The Piracy Analogy: Modern Universal Jurisdiction’s Hollow
Foundation, 45 HARV. INT’L L.J. 183, 188 (2004):
International law regards criminal jurisdiction as a prerogative of sovereign states. As a
result, the traditional limits on national criminal jurisdiction are largely coextensive with
the limits of national sovereignty. States obviously have territorial jurisdiction over
offenses committed within their confines for control over territory is the hallmark of
sovereignty. (notes omitted).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 18

maintain order and stability within our societies become problematic because they are not
designed to deal with external crime, that is, with external threats to internal order.101 In
that sense, online crime is cybercrime, i.e., it is a distinct phenomenon.

¶ 26 The pragmatic distinctiveness of cybercrime also derives from the other aspect of
online crime, the scale with which computer-facilitated harms can be inflicted. We noted
earlier that crimes generally involve one victim and one perpetrator, but cybercrimes can,
and often do, consist of one perpetrator’s inflicting harm upon many victims.102 This
circumstance goes to one aspect of the scale of the harm a given perpetrator can inflict; a
fraudster using automated techniques can defraud a thousand victims as easily as his real-
world counterpart can defraud one. In this scenario, the fraudster exceeds the scale of
real-world crime with the essentially simultaneous commission of a thousand crimes,
something that would be impossible in the real world.103 This is the commission of
discrete crimes on a vastly enhanced scale.

¶ 27 The scale of cybercrime can also exceed that of real-world crime in another way,
the degree of harm inflicted by a single event, by a single crime. Consider bank robbery.
In the United States, the “average amount netted from an individual [real-world] bank
robbery is less than $8,000.”104 While bank robbery is a common occurrence, the scale of
the harm resulting from each incident is small.105 Compare this with an incident that
occurred in 1995 when Russian hacker Vladimir Levin and his associates transferred $12
million surreptitiously, and illegally, from Citibank customer accounts.106 The $12
million was transferred in increments, each of which far exceeded the $8,000 average for
a real-world bank robbery.107 The Levin incident is ancient in Internet time, but it reveals
the other scale aspect of cybercrime; single attacks, single crimes, can inflict harms on a
scale that are functionally impossible in the real world.

¶ 28 The Levin incident also illustrates another aspect of the scale issue—the external
threat. As computer technology makes national borders irrelevant, wealthy countries will
find themselves increasingly the object of undesired attention from hackers—

101. Brenner, Criminal Law for Cyberspace, supra note 22, at 45-46.
102. See Part II.A.2 supra.
103. See supra note 49 and accompanying text. See, e.g., U.S. Department of Justice, Special Report
on “Phishing,” at http://www.usdoj.gov/criminal/fraud/Phishing.pdf. See also Cyber Blackmail Targets
Office Workers, CNN.com (Dec. 29, 2003), at http://www.cnn.com/2003/TECH/internet/12/29/
cyber.blackmail.reut/ (discussing automated fraud techniques).
104. FBI, CRIME IN THE UNITED STATES 2002, 305 (2002), available at http://www.fbi.gov/ucr/
cius_02/pdf/5sectionfive.pdf.
105. In addition to the small scale of harm, the chances of being apprehended are also very high.
According to the FBI, “the clearance for bank robbery was 57.7 percent in 2001. This is a relatively high
clearance rate when compared with that of other . . . crimes. Only murder, at 62.4 percent, has a higher
percentage of crimes cleared by arrest.” Id. at 303 (citations omitted).
106. See, e.g., William M. Carley and Timothy L. O’Brien, Cyber Caper: How Citicorp Was Raided
and Funds Moved Around the World, WALL ST. J., Sept. 12, 1995, at A1, available at 1995 WL-WSJ
9899337.
107. See id. (noting, for example, transfers of $188,000, $717,000 and $901,000).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 19

cybercriminals—in other countries. The notorious bank robber Willie Sutton108 allegedly
said, when asked why he robbed banks, “because that’s where the money is.”109 The
same can be said for cybercrime, at least for financially motivated cybercrime.
Individuals and entities in wealthier countries are “where the money is,” and therefore
present tempting targets for online criminals in their own and in other countries. The fact
that the wealthy are targets of criminal opportunists is not new; what is new is that their
target status has become essentially unbounded. They can no longer assume the threats
they face are internal threats, i.e., threats from their compatriots; their threat parameters
must now encompass the possibility of attacks launched anywhere on the globe.

¶ 29 Finally,there is a third aspect to the scale issue. Attacks like Levin’s assault on
Citibank are not merely crime, because so much of our personal and business activities
are conducted online, external attacks on our computer systems, on our companies and on
ourselves become de facto or de jure attacks on our critical infrastructure.110 The lines
between cybercrime, “cyberterrorism” and “information warfare” are blurry, and will
become more so.111 Our assumptions that crime (i) is internal and (ii) can be dealt with
using the rules, institutions and processes we have evolved over the last several centuries
no longer holds.112 External actors can penetrate our borders, attack our civilians and
inflict harms the effects of which exceed the discrete individual harms that are captured
by our criminal law.113

¶ 30 We must devise new approaches to dealing with this new phenomenon, and to do
that, we need to understand it. To understand this phenomenon, we must study it. This

108. See, e.g., FBI, FAMOUS CASES: WILLIE SUTTON, at http://www.fbi.gov/libref/historic/famcases/


sutton/sutton.htm.
109. But see Steve Cocheo, The Bank Robber, The QUOTE, and the Final Irony, American Bankers
Ass’n Journal (Mar. 1997), at http://www.banking.com/aba/profile_0397.htm.
110. See Brenner, Criminal Law for Cyberspace, supra note 22, at 85-88.
111. See, e.g., DOROTHY E. DENNING, INFORMATION WARFARE AND SECURITY 21-74 (1998);
Dorothy E. Denning, Activism, Hacktivism and Cyberterrorism: The Internet as a Tool for Influencing
Foreign Policy in NETWORKS AND NETWARS: THE FUTURE OF TERROR, CRIME AND MILITANCY 239 (John
Arquilla & David Ronfeldt, eds.) (2001), at http://www.rand.org/publications/MR/MR1382/. See also
supra note 6 & accompanying text.
112. See, e.g., Paul Davidson, 29 Nations Target Cross-Border Internet Scams, USA TODAY, June 17,
2003, at http://www.usatoday.com/tech/techinvestor/2003-06-16-efraud_x.htm.
113. See Susan W. Brenner, Distributed Security: A New Model of Law Enforcement, J. OF
INTERNET LAW, 74 (2004):
Unlike real-world crime, which inflicts harm of various types upon discrete victims,
cybercrime can inflict both individual harm and systemic harm. Cyberspace and related
technologies have become an essential part of national critical infrastructures. . . . While
cybercrime harms individual victims, it is not limited to that; as the National Strategy to
Secure Cyberspace noted, cybercrime can undermine or even destroy a nation’s critical
infrastructure. This makes it a far more pressing threat than traditional, real-world crime;
in a sense, cybercrime erodes the distinction between internal and external threats. As
long as human activity was grounded only in the real world, societies could divide threats
into external and internal and allocate the responsibility for dealing with each to
respective social institutions; while we will always need institutions to deal with real-
world threats, we no longer live only in the real world. We need a strategy to deal with
threats that come from the virtual world; in devising that strategy, we need to decide if
we should retain the historical distinction between internal and external threats.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 20

brings us to cybercrime metrics. Substantively, online crime is crime, nothing more, and
we need little, if any, in the way of new laws criminalizing the conduct at issue. What we
need are new tactics for combating crime-as-externality. Devising these tactics may
involve many things, such as developing new crime control models,114 re-allocating
resources and creating specialized law enforcement units whose task it is to concentrate
on external crime. If we are to succeed in this endeavor, we need to understand this
phenomenon at least as well as we understand conventional crime.115 The first step in
this process is the articulation and implementation of cybercrime metrics. Section III
considers how we might go about doing this.

III. METRICS
[T]here is no such thing as ‘an obvious metric’ for any crime.116

¶ 31 While online crime differs from crime in several important respects, the two share
an essential commonality: both represent socially intolerable conduct that threatens a
society’s ability to maintain order.117 It is therefore logical to begin the process of
identifying cybercrime metrics by examining the metrics we use for crime. Part III(A)
does precisely that. Part III(B) analyzes the extent to which we can extrapolate these
crime metrics to cybercrime; it also investigates the possibility of developing cybercrime-
specific metrics.

A. Crime Metrics

¶ 32 We have been dealing with crime since mankind developed intelligence and
began to live in social groupings.118 As part of dealing with crime, we established
metrics to parse the harm associated with particular crimes.119 Having parsed crimes
according to their respective harms, we then ordered them hierarchically in terms of the

114. See id. at 76-105.


115. Over the centuries, we have developed an understanding of real-world crime, in terms of the
nature and extent of the harms it can inflict. We can also identify patterns in certain types of real-world
crime, and can use these patterns to allocate law enforcement resources in such a way as to enhance law
enforcement’s ability to react to completed crimes. See Brenner, Criminal Law for Cyberspace, supra note
22, at 49-55. Neither is true for online crime: as was explained earlier, we have no way of categorizing
and quantifying the harms it inflicts. And, for reasons that are explained in § III, we currently have no
ability to identify patterns in cybercrime. See id. at 70-75.
116. Erik Luna, Punishment Theory, Holism, and the Procedural Conception of Restorative Justice,
2003 UTAH L. REV. 205, 248 (quoting Richard Delgado, Goodbye to Hammurabi: Analyzing the Atavistic
Appeal of Restorative Justice, 52 STAN. L. REV. 751, 759 (2000)).
117. Crime threatens a society’s ability to maintain internal order. See § II (B) supra. Cybercrime, as
defined above, threatens a society’s ability to maintain both internal and external order. See id.
118. See Brenner, Criminal Law for Cyberspace, supra note 22, at 5-49 (describing the evolution of
human intelligence and its role in crime).
119. See, e.g., JEROME HALL, GENERAL PRINCIPLES OF CRIMINAL LAW 216-17 (1960):
Criminal harms differ in gravity, first, because of the differential external effect upon the
victim and the community, e.g. a battery is obviously less serious than a death; and
secondly, by reference to the degree of moral culpability of the offender, e.g. a death
caused by a motorist's reckless driving is a less serious harm than a death caused by a
deliberate murderer.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 21

extent, and degree, to which each warranted the infliction of punitive sanctions.120 All of
this is an integral part of the crime control strategy we have relied upon for centuries. It
assumes that if the balance between harm and punishment is properly calibrated, the
infliction of punishment will serve both to vindicate the harm done to society and to deter
the offenders, and others, from inflicting such harm in the future.121 In assessing the
harm associated with a specific crime, we consider (i) the injury it inflicts and (ii) the
culpability of the offender.122 Both are examined below.

1. Injury

¶ 33 In evaluating the injury inflicted by a crime, we need to differentiate between three


types of harm: individual, systemic, and inchoate. Each is discussed below.

a. Individual harm

¶ 34 Individual harm is the gravamen of traditional, real-world crimes such as murder,


rape, assault, theft, arson and burglary.123 These are the mala in se crimes;124 Blackstone
calls them “crimes against the law of nature,” because they are the oldest, most deeply
embedded threats to societal order.125 Because the mala in se crimes are our oldest
crimes, they have shaped our basic conception of crime. As every law student knows, a

120. See id. at 213:


In penal theory, harm is the focal point between criminal conduct … and the punitive
sanction…. In relation to criminal conduct, harm is essential as the relevant effect, the
end sought. Without an effect or end, it is impossible to have a cause or means, and
everything in penal law associated with causation and imputation would be
superfluous…. [H]arm is equally necessary in the elucidation of punishment…. Harm, in
sum, is the fulcrum between criminal conduct and the punitive sanction; and the
elucidation of these interrelationships is a principal task of penal theory.
See also, e.g., Model Penal Code Articles 210-251(Official Draft and Revised Commentary 1980); United
States Sentencing Commission, Guidelines Manual 43-304 (Nov. 2003), at http://www.ussc.gov/2003guid/
2003guid.pdf; Oregon Criminal Justice Commission, Sentencing Guidelines Rules – Crime Seriousness
Scale (2003), at http://arcweb.sos.state.or.us/rules/OARS_200/OAR_213/213_017.html.
121. See, e.g., HALL, GENERAL PRINCIPLES OF CRIMINAL LAW, supra, at 302-16. See also WAYNE R.
LAFAVE, SUBSTANTIVE CRIMINAL LAW § 1.2(e) (2003); Brenner, Criminal Law for Cyberspace, supra note
22, at 55-65. For an overview of federal and state sentencing philosophies, see, e.g., Robin L. Lubitz &
Thomas W. Ross, Sentencing Guidelines: Reflections on the Future in U.S. Department of Justice—
National Institute of Justice, Sentencing & Corrections: Issues for the 21st Century 1 (June, 2001), at
http://www.ncjrs.org/pdffiles1/nij/186480.pdf.
122. See Brenner, Criminal Law for Cyberspace, supra note 22, at 5-49.
123. See, e.g., Hammurabi—Code of Laws, The Avalon Project at Yale Law School, at
http://www.yale.edu/lawweb/avalon/medieval/hamframe.htm; The Salic Law, The Avalon Project at Yale
Law School, at http://www.yale.edu/lawweb/avalon/medieval/salic.htm.
124. Criminal law has traditionally differentiated between crimes that are mala in se and those that
are mala prohibita. See, e.g., Commonwealth v. Adams, 114 Mass. 323, 1873 WL 12017 (Mass. 1873):
Acts mala in se include, in addition to felonies, all breaches of public order, injuries to
person or property, outrages upon public decency or good morals, and breaches of
official duty, when done willfully or corruptly. Acts mala prohibita include any matter
forbidden or commanded by statute, but not otherwise wrong.
See also I W. BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 55-58.
125. See BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND, supra note 126, at 55-58; IV W.
BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 7-9. See also § II(B) supra.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 22

crime has four elements: conduct, intent, causation, and injury.126 Injury, or harm, is our
primary benchmark for determining the severity of a specific crime:127 Modern criminal
codes rank individual harm crimes according to the severity of the particular harm
inflicted; homicide is usually ranked as the worst crime, with other crimes following in
descending order.128 Having established this general hierarchy of crimes, modern
criminal codes then use culpability to parse crimes into degrees of severity.129

¶ 35 Individual harm does not necessarily mean the crime is directed at a human being.
Many mala in se crimes can be committed against artificial entities; a corporation, for
example, can be the victim of theft, embezzlement, arson and other crimes.130 What
individual harm encompasses is the proposition that there is a specific, identifiable
victim; traditional, real-world crime consists of a dynamic involving a criminal and a
victim.131 The criminal inflicts harm upon the victim and, in so doing, wrongs both the
victim and the society in which the event occurs. That society, in turn, reacts to the
victimization in an effort to apprehend and punish the perpetrator, which will vindicate
both its own interests and those of the victim.132

¶ 36 Because mala in se crimes assume this dynamic, they effectively incorporate a


metric into their definition of a crime; the metric is the harm resulting from the
commission of that crime.133 The harm resulting from murder is a loss of human life; the
harm resulting from theft is a loss of property; the harm resulting from assault is physical
injury and so on.134 As societies evolved, they developed more nuanced notions of harm.
English law, for example, distinguished between murder and manslaughter by the
sixteenth century.135 This process of differentiating degrees of harm continued over the
centuries for both mala in se and mala prohibita crimes;136 it is therefore not uncommon

126. See, e.g., Joshua Dressler, Reassessing the Theoretical Underpinnings of Accomplice Liability:
New Solutions to an Old Problem, 37 HASTINGS L.J. 91, 125 (1985). But see supra § III(A)(1)(b).
127. See HALL, GENERAL PRINCIPLES OF CRIMINAL LAW, supra note 121, at 216-17.
128. See, e.g., Model Penal Code Articles 210-51 (Official Draft and Revised Commentary 1980).
129. See, e.g., Model Penal Code §§ 210.1-210.4 (dividing criminal homicide into murder,
manslaughter and reckless homicide) (Official Draft and Revised Commentary 1980). See also supra §
III(A)(2)(a).
130. See, e.g., State v. Schwartz, 173 Or.App. 301, 303-05, 21 P.3d 1128, 1129 (Or. App. 2001)
(employee charged with stealing from his employer, the Intel Corporation). See also Hammurabi—Code of
Laws 6, The Avalon Project at Yale Law School, at http://www.yale.edu/lawweb/avalon/medieval/
hamframe.htm (“If any one steal the property of a temple or of the court, he shall be put to death”).
131. This is the minimum required for the crime dynamic. It can also involve many criminals and
one victim, many criminals and many victims or, most recently, one criminal and many victims. See supra
§ II(A)(2).
132. See, e.g., Alan Vinegrad, The Role of the Prosecutor: Serving the Interests of All the People, 28
HOFSTRA L. REV. 895, 897 (2000); Lawrence Crocker, The Upper Limit of Just Punishment, 41 EMORY L.J.
1059, 1063 (1992).
133. The same is true for prohibita crimes, though the harms they address tend to be systemic, rather
than individual, harms. See § III(A)(1)(b) infra.
134. See, e.g., Model Penal Code § 210.1 (homicide), § 223.2 (theft) and § 211.1 (assault).
135. See, e.g., THEODORE F.T. PLUCKNETT, A CONCISE HISTORY OF THE COMMON LAW 445-46 (5th
ed. 1956).
136. As noted earlier, mala in se crimes encompass “inherently wrongful conduct”, while mala
prohibita crimes encompass “conduct that is wrongful only because the legislature has declared it to be so.”

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 23

for offenses to be parsed into three, four, or even five degrees in contemporary American
criminal law.137

¶ 37 Along with parsing harms into increments, modern American criminal law attempts
to refine and standardize the calculus between harm and sanction. This effort has
culminated in the almost universal use of guidelines in sentencing at the state and federal
levels.138 Sentencing guidelines are intended to reduce judicial discretion in sentencing
and ensure a closer, more objective match between the harm inflicted and the punishment
imposed.139 As part of this process, sentencing guidelines have broadened our conception
of harm. Traditionally, the measure of harm has been the injury to the victim; thus, for
example, the harm in property crimes was defined by the amount lost by the victim.140
But for financial crimes, the federal sentencing guidelines factor in both the economic
gain to the perpetrator and the economic loss to the victim when defining the harm
caused by a crime.141

Sharon L. Davies, The Jurisprudence of Willfulness: An Evolving Theory of Excusable Ignorance, 48 DUKE
L.J. 341, 391 (1998). An example of a mala prohibita crime is a:
traffic law that makes it a crime. . . to drive on the ‘wrong side’ of the road. Inherently, of
course, there is no ‘right side’ of the road. The legislature simply chooses one side over
the other, and declares it to be so. Once the legislature has acted, . . . the interest in
vehicular and pedestrian safety make it eminently fair and necessary to expect all drivers
in the community to . . . abide by that rule.
Id. at n.197. See also Leo P. Martinez, Taxes, Morals and Legitimacy, 1994 BYU L. REV. 521, 556 (1994)
(“Internal Revenue Code embodies the essence of mala prohibita crimes”).
There has been a dramatic increase in the number of mala prohibita crimes over the last century due,
in part, to a “perceived need to protect the public in an increasingly complex and industrialized society.”
Jill Evans, The Lawyer as Enlightened Citizen: Towards A New Regulatory Model in Environmental Law,
24 VT. L. REV. 229, 264 (2000). See, e.g., Henry M. Hart, Jr., The Aims of the Criminal Law, 23 LAW &
CONTEMP. PROBS. 401, 414, 419-20 (1958). The distinction between mala in se and mala prohibita crimes
is relevant to this discussion only insofar as the latter tend to address systemic, rather than individual,
harms. See supra § III(A)(1)(b).
137. See, e.g., ALASKA STAT. §§ 11.46.475, 11.46.480, 11.46.482, 11.46.484 & 11.46.486 (breaking
criminal mischief down into five degrees).
138. See, e.g., Robin L. Lubitz & Thomas W. Ross, Sentencing Guidelines: Reflections on the
Future, supra note 123, at 1-2. As this is being written, the Supreme Court has agreed to decide the
constitutionality of sentencing guideline systems, which was called into question by its decision in Blakely
v. Washington, 124 S.Ct. 2531 (2004). See United States v. Booker, 2004 WL 1713654 (2004); United
States v. Fanfan, 2004 WL 1713655 (2004).
139. See, e.g., Lubitz & Ross, supra note 123, at 1 (stating that “guidelines were conceived as a way
to guide judicial discretion in accomplishing . . . sentencing and correctional objectives. Generally, two
criteria—seriousness of the crime and criminal history of the defendant—are used to prescribe punishment.
By introducing more uniformity and consistency into the sentencing process, guidelines also make it easier
to predict sentencing outcomes and correctional costs”).
140. See, e.g., State v. Savoy, 205 La. 650, 667, 17 So.2d 908, 914 (La. 1944) (in prosecution for
embezzlement, the amount embezzled determined the grade of the offense and therefore the penalty). See
also State v. Johnson, 186 S.C. 202, 195 S.E. 329, 329 (1938) (same). See generally Robert Ditzion,
Elizabeth Geddes & Mary Rhodes, Computer Crimes, 40 AM. CRIM. L. REV. 285, 303 n.120 (2003) (noting
the “typical loss-based approach to sentencing”).
141. See, e.g., Michael A. Simons, Vicarious Snitching: Crime, Cooperation, and "Good Corporate
Citizenship," 76 ST. JOHN’S L. REV. 979, 990 (2002) (citing U.S. SENTENCING GUIDELINES MANUAL §
8C2.4 (2003)). See also U.S. SENTENCING GUIDELINES MANUAL § 5E1.2 (2003); U.S. SENTENCING
GUIDELINES MANUAL § 2R1.1 application note 3 (2003) (sentencing court should consider both gain and
loss). Some states include “intangible losses, such as psychological harm caused by the crime.” CAL.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 24

¶ 38 The federal guidelines introduce another innovation: “real offense sentencing.”142


In real offense sentencing, the sentence is based on the defendant’s “actual conduct,”
instead of on the conduct that constitutes the elements of the crime with which he
was charged and of which he was convicted (‘charge offense’ sentencing).
A bank robber, for example, might have used a gun, frightened bystanders,
taken $50,000, injured a teller, refused to stop when ordered, and raced
away damaging property during escape. A pure real offense system would
sentence on the basis of all identifiable conduct. A pure charge offense
system would overlook some of the harms that did not constitute statutory
elements of the offenses of which the defendant was convicted.143

Real offense sentencing, which is the norm in the federal system but not among the
states,144 allows a sentencing court to consider all “relevant conduct” pertaining to the
offense(s) of conviction, “including uncharged crimes and ‘crimes’ of which the
defendant has been acquitted.”145

b. Systemic harm

¶ 39 Mala prohibita crimes are far from new,146 but the last century has seen the rise of
mala prohibita crimes that encompass the infliction of systemic, rather than individual,
harms.147 Criminal antitrust is a good example. In a traditional criminal proceeding, the
state reacts to a discrete harm inflicted upon a member of the social system it
represents,148 whereas in a criminal antitrust enforcement proceeding, the state acts to
ensure the viability of an essential component of that social system.149 The harm at issue
in an antitrust offense is an erosion of the principle of competition; as one commentator
notes, “free and competitive markets result in maximum economic development, wealth
creation, and consumer welfare, but . . . markets will not always remain free and

PENAL CODE § 1202.4(d) (2004). See also THOMAS W. HUTCHINSON, et al., FEDERAL SENTENCING LAW
AND PRACTICE § 8C2.8 (2004) (inclusion of nonpecuniary loss in fine calculation).
The guidelines define ‘loss’ as “the greater of actual loss or intended loss.” U.S. SENTENCING
GUIDELINES MANUAL § 2B1.1, application note 3 (2003). “Actual loss” is “the reasonably foreseeable
pecuniary harm that resulted from the offense,” while “intended loss” is “the pecuniary harm that was
intended to result from the offense.” Id. Intended loss includes “intended pecuniary harm that would have
been impossible or unlikely to occur (e.g., as in a government sting operation, or an insurance fraud in
which the claim exceeded the insured value).” Id.
For a critique of gain-based sentencing, see, e.g., Neil Kumar Katyal, Deterrence’s Difficulty, 95
MICH. L. REV. 2385, 2423 n.133 (1997).
142. See U.S. SENTENCING GUIDELINES MANUAL § 1A1.1 (2003) (quoting Chap. 1 - § 4(a) (1987)).
143. Id.
144. See, e.g., Rebecca Poate, Note, Beyond Relevant Conduct--The Federal Sentencing
Commission's (In)Discretion: How U.S.S.G. Section 2g2.2(B)(4) Illustrates the Future of The Sentencing
Guidelines, 51 HASTINGS L.J. 1363, 1389 (2000).
145. Kyron Huigens, Solving the Apprendi Puzzle, 90 GEO. L.J. 387, 412 (2002).
146. See supra note 126.
147. See generally supra § III(A)(2).
148. See, e.g., AMERICAN BAR ASSOCIATION STANDARDS FOR CRIMINAL JUSTICE, Standard 3-2.1,
Commentary. See also supra § III(A)(1)(a).
149. See Brenner, Toward A Criminal Law for Cyberspace: Product Liability and Other Issues,
(forthcoming 2004).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 25

competitive in the absence of effective government oversight.”150 Criminal antitrust


prosecutions therefore target systemic harms, i.e., harms that impact upon a society’s
infrastructure instead of upon its individual citizens.151

¶ 40 This difference has certain consequences for the structure of these mala prohibita
offenses. For one thing, the crime dynamic is different; instead of having to show that
the perpetrator inflicted an actual, discrete harm upon a victim, the prosecution may be
able to rely on a presumption of harm.152 Certain of these offenses, such as antitrust,
incorporate the incipiency standard, which allows prosecution based on systemic harm
that has not occurred but is deemed likely to occur.153 Others allow prosecution based
upon potential harm, i.e., upon a defendant’s creating a situation from which harm could
result.154 And as Part II(A)(2) explains, these offenses often eliminate intent, which is an

150. Joel I. Klein, Rethinking Antitrust Policies for the New Economy, Address at The
Haas/Berkeley New Economic Forum (May 9, 2000), at http://www.usdoj.gov/atr/public/speeches/
4707.htm. See also U.S. DEPT. OF JUSTICE: UNITED STATES ATTORNEYS’ MANUAL, § 7-1.100 (1997),
available at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title7/1mant.htm (last visited Sept.
19, 2004). For more on systemic harm offenses, see Brenner, Toward A Criminal Law for Cyberspace:
Product Liability and Other Issues, supra note 151.
151. Charles S. Start, International Cooperation in the Pursuit of Cartels, 6 GEO. MASON L. REV. 533
(1998) (“antitrust . . . enforcement . . . is very much a part of the global economic infrastructure”).
152. See, e.g., Christopher R. Leslie, Comment, Achieving Efficiency through Collusion: A Market
Failure Defense to Horizontal Price-Fixing, 81 CAL. L. REV. 243, 273 (1993):
James F. Rill, the head of the Antitrust Division of the Department of Justice, noted that
‘[g]ain or loss is not a necessary element of proof for per se antitrust crimes; harm is
presumed given the nature of the violation. Thus, the Department traditionally has not
investigated gain or loss or made factual damage presentations in its criminal cases.
See also Northern Pac. Ry. Co. v. U.S., 356 U.S. 1, 5 (1958):
[T]here are certain . . . practices which because of their pernicious effect on competition .
. . are conclusively presumed to be unreasonable and therefore illegal without elaborate
inquiry as to the precise harm they have caused. . . . This . . . avoids the necessity for an
incredibly complicated and prolonged economic investigation into the entire history of
the industry involved . . . in an effort to determine at large whether a particular restraint
has been unreasonable--an inquiry so often wholly fruitless when undertaken.
153. See, e.g., Jennifer R. Connors, Comment, A Critical Misdiagnosis: How Courts Underestimate
the Anticompetitive Implications of Hospital Mergers, 91 CAL. L. REV. 543, 554 (2003) (“As the Supreme
Court has recognized, the purpose of antitrust law is to arrest concentration ‘in its incipiency’.”) (citing
Brown Shoe Co. v. United States, 370 U.S. 294, 317 (1962)). See also Thomas B. Leary, Dialogue between
Students of Business and Students of Antitrust, 47 N.Y.L. SCH. L. REV. 1, 2 (2003) (“With the exception of
so-called ‘per se’ offenses that are presumed to cause immediate consumer harm, all antitrust is focused to
some degree on incipiency concerns.” (footnote omitted)).
154. The distinction between incipient and potential systemic harm lies in the likelihood that a harm
will occur. Incipient harm statutes are analogous to the inchoate harm offenses discussed later in the text
above. See infra § III(A)(1)(c). They target activity that is leading to the infliction of systemic harm; in the
antitrust context, for example, the government can bring a prosecution based upon activities that would
have resulted in an anticompetitive harm had it not been interrupted. See supra note 155. Potential harm
statutes target conduct that creates the conditions that can produce individual harm. The actual occurrence
of such harm is not, however, an element of the offense.
For example, in United States v. Park, a corporate officer was convicted of violating 21 U.S.C. §
331(k), which makes it a federal crime to let food that has been shipped in interstate commerce and is being
held for sale to become adulterated. 421 U.S. 658, 660 (1975). Park was the president of a “national retail
food chain” that used a Baltimore warehouse to store food that being held for sale. Id. Federal inspectors
determined the warehouse was “accessible to rodents” that were contaminating the food stored there; such

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 26

intrinsic feature of traditional, mala in se crimes.

c. Inchoate harm

¶ 41 The notion that the state should be able to intervene to prevent incipient harm is far
from new, and is the premise of three common law crimes: attempt, conspiracy and
solicitation.155 These inchoate, or incomplete, crimes address conduct leading to the
commission of another target crime.156 They allow someone to be punished “even though
he has not consummated the crime that is the object of his efforts. Indeed, the main
purpose of punishing inchoate crimes is to allow the judicial system to intervene before
an actor completes the object crime.”157

¶ 42 Scholars disagree as to whether inchoate crimes result in the infliction of harm.


Some claim harm is “not an element of inchoate offenses,”158 but others disagree.159
While no actual harm results from these crimes, they encompass a potential for harm that
is legitimately within the scope of the criminal law. As noted earlier, inchoate crimes
address conduct that is designed to result in the commission of a completed crime.160 To

contamination constituted adulteration under 21 U.S.C. § 331(k). Id. Park and the company were charged
with violating section 331(k); the company pled guilty, he pled not guilty. Id. at 661-62. Park claimed he
was not responsible for the contamination. Id. He conceded that while all of the company’s employees
“were in a sense under his general direction,” the responsibility for ensuring sanitary conditions at the
warehouse belonged to the Baltimore division vice president; Park claimed he had checked and was told
the vice president was taking “corrective action.” Id. at 663-64. Notwithstanding that claim, Park was
convicted and appealed to the Supreme Court. The Court upheld his conviction, concluding that Park’s
“responsible” position in the company’s corporate structure justified holding him liable for not preventing
the contamination. Id. at 669, 676. What is interesting about the Park case, with regard to this discussion,
is that the government was not required to prove that any actual, individual harm resulted from the
contamination at the warehouse. The gravamen of the offense was that Park and his company created
conditions that could have resulted in individual harm, i.e., illness on the part of those who consumed
contaminated food from the warehouse. Id. at 672-73. Had individuals actually become ill, the state could
have brought a traditional criminal prosecution for reckless or negligent injury. See, e.g., Haw. Rev. Stat.
Ann. § 707-706 (2003).
155. See, e.g., WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL LAW §§ 1.2 & 2.1 (2003).
156. See, e.g., Geraldine Szott Moohr, Mail Fraud Meets Criminal Theory, 67 U. CIN. L. REV. 1, 16
(1998) (stating that “Inchoate crimes prohibit an act performed in anticipation of committing another
criminal act. An inchoate, or . . . incomplete crime, does not require . . . the accomplishment of a
prohibited harm. Rather, an inchoate offense mandates punishment even when the actor has not
consummated the ‘target’ crime that is the object of his or her efforts.”) (notes omitted).
157. Ira P. Robbins, Double Inchoate Crimes, 26 HARV. J. ON LEGIS. 1, 3 (1989) (note omitted).
158. Evan Tsen Lee, Canceling Crime, 30 CONN. L. REV. 117 (1997) (note omitted).
159. See, e.g., Paul Robinson, A Theory of Justification: Societal Harm as a Prerequisite for Criminal
Liability, 23 UCLA L. REV. 226, 269 (1975) (inchoate crimes “are harms in themselves.” The “harm is
intangible . . . and society is its object”). See also JEROME HALL, GENERAL PRINCIPLES OF CRIMINAL LAW
219 (1960):
Any conduct. . . . has some effect. For example, the taking possession of burglar's tools
or narcotics by persons who intend to use them illegally alters the previous condition of
affairs. The quality of daily life is impaired by such conduct; and one need only ask
whether he would want to live in a community where attempts to kill and to commit
robberies and arsons were frequent, to indicate that there are harmful effects of such
conduct not only in the apprehension aroused but also in the increased danger of
becoming the victim of a more serious crime.
160. See LAFAVE, supra note 157.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 27

attempt murder, for example, I must engage in a course of conduct that either (i)
constitutes a substantial step toward causing the death of another human being or (ii)
would result in such a death absent circumstances beyond my control.161 The virtue of
having such an offense is that it allows law enforcement to intervene before the aspiring
murderer commits the target crime and inflicts real harm.162

¶ 43 Attempt, solicitation and conspiracy are not the only inchoate crimes. Federal and
state criminal codes include a variety of inchoate offenses, each encompassing conduct
that can reliably be said to create a risk of harm.163 American law generally regards
“inchoate offenses as substantive crimes, distinct . . . from the completed crimes toward
which they tend.”164 Most states follow the common law rule, which punishes inchoate
offenses less severely than a completed target crime.165 A substantial minority, though,
follows the Model Penal Code and punishes inchoate crimes as severely as a completed
target crime.166

2. Culpability

¶ 44 Essentially, culpability is guilt. For criminal liability, we require not only that
someone have inflicted harm, but also that he did so with the requisite level of moral
fault.167 “[I]t is normally a prerequisite for legal guilt that there be conscious fault or

161. See, e.g., Model Penal Code § 5.01(1) (Official Draft and Revised Commentary 1980). To
conspire to commit murder, I must agree with another that a third person will be killed; and to solicit
murder I must ask another to commit murder or facilitate its commission. See, e.g., Model Penal Code §§
5.02(1) & 5.03(1) (Official Draft and Revised Commentary 1980).
162. See, e.g., Robbins, Double Inchoate Crimes, supra note 159, at 3.
163. See, e.g., Moohr, Mail Fraud Meets Criminal Theory, supra note 158, at 16-17 (mail fraud is an
inchoate crime); State v. McDonald, 31 Ohio St. 3d 47, 57 n.7, 509 N.E. 2d 57, 65 n.7 (Ohio 1987) (“All
statutes prohibiting possession of burglar's tools define a crime that is inchoate”).
164. See, e.g., Robbins, Double Inchoate Crimes, supra note 159, at 3.
165. See Paul H. Robinson, Is Justice Just Us? A Symposium on the Use of Social Science to Inform
the Substantive Criminal Law: Testing Lay Intuitions of Justice: How and Why?, 28 HOFSTRA L. REV. 611,
622 (2000).
166. See, e.g., Bruce Braun, Dane Drobny & Douglas C. Gessner, www.commercial_terrorism.com:
A Proposed Federal Criminal Statute Addressing the Solicitation of Commercial Terrorism Through the
Internet, 37 HARV. J. ON LEGIS. 159, 173 n.92 (2000). Furthermore, “except in the case of capital crimes or
first-degree felonies, the [Model Penal] Code prescribes the same punishment for the crimes of attempt,
solicitation, and conspiracy as for the crime attempted or solicited or that is the object of the conspiracy.”
Frederick M. Lawrence, The Punishment of Hate: Toward A Normative Theory of Bias-Motivated Crimes,
93 MICH. L. REV. 320, 355 n.142 (1994). See Model Penal Code § 5.05(1). The federal sentencing
guidelines take a modified approach, in which the base offense level used to calculate a sentence for
attempt, conspiracy or solicitation is the same as that for the substantive offense that was the target of the
inchoate crime. See also United States Sentencing Commission, Guidelines Manual § 2X1.1 (2003). The
sentence imposed is reduced by three levels unless the defendant completed all the acts he or she believed
necessary for the commission of the target crime. See id. See also JOSHUA DRESSLER, UNDERSTANDING
CRIMINAL LAW 331, 363 (2001).
167. See, e.g., HALL, GENERAL PRINCIPLES OF CRIMINAL LAW, supra note 161 at 93:
Moral culpability, i.e. personal guilt, includes both mens rea and motivation. For
example, D kills T. . . . [W]as D acting from cupidity, knowing he was named the chief
beneficiary of T's will? Or was the motive his love for his sick wife who needed an
operation? Just as we cannot pass an adequate moral judgment if we know only what
harm has been committed . . . we cannot properly estimate conduct solely on the basis of

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 28

culpability with respect to wrongdoing.”168 We tend to require blameworthy conduct for


two reasons: the first is that criminal law is intended to maintain internal order by
discouraging socially intolerable conduct.169 Harm is one benchmark of such conduct,
but we also consider culpability because we reserve criminal liability for those whose
actions clearly threaten social order.170 The second reason we require blameworthy
conduct is that criminal liability results in the imposition of punishment, and we use
culpability to calibrate the appropriate punishment for various crimes.171 As a general
matter, culpability interacts with harm to determine the seriousness of a specific crime.172
However, its precise function depends upon the nature of the harm at issue, i.e., upon
whether it is individual, systemic or inchoate.

a. Individual harm

¶ 45 When a crime involves the actual infliction of individual harm, the actor’s
culpability is used to determine the seriousness of the crime and the severity of the
penalty to be imposed.173 As noted above, modern criminal law uses culpability to parse
what were once generic crimes into hierarchically structured degrees.174 Early English
law, for example, had a single offense—homicide—that encompassed the killing of
another human being.175 Contemporary American criminal codes divide homicide into
descending degrees according to the blameworthiness of a defendant’s conduct.176 They
essentially distinguish murder (purposely killing) from voluntary manslaughter (killing in
the heat of passion), involuntary manslaughter (recklessly causing death), and negligent
homicide (negligently causing death).177

¶ 46 As an earlier section noted,178 modern criminal codes sequentially rank individual


harm crimes according to the specific harm that is inflicted by that general category of
crime (e.g., homicide versus vandalism). This produces a hierarchical ordering of crimes
according to the generic seriousness of the harm each category inflicts.179 Modern
criminal codes then use culpability to define gradations, or degrees, within each

its motivation. . . . It is necessary to unite these judgments in a single evaluation to


determine the moral culpability of the actor.
See also Phyllis L. Crocker, Concepts of Culpability and Deathworthiness: Differentiating Between Guilt
and Punishment in Death Penalty Cases, 66 FORDHAM L. REV. 21, 35-36 (1997) (culpability means that a
defendant “is blameworthy and deserves punishment” (note omitted)).
168. Herbert Morris, Guilt in 2 ENCYCLOPEDIA OF CRIME AND JUSTICE 822 (Sanford H. Kadish ed.,
Free Press 1983).
169. See supra § II(B).
170. See, e.g., Brenner, Criminal Law for Cyberspace, supra note 22, at 49-65.
171. See, e.g., Russell L. Christopher, The Prosecutor’s Dilemma: Bargains and Punishments, 72
FORDHAM L. REV. 93, 132 (2003).
172. See supra note 121.
173. Id.
174. See supra notes 131, 138, 139 and accompanying text.
175. See, e.g., THEODORE F.T. PLUCKNETT, A CONCISE HISTORY OF THE COMMON LAW 445-46 (5th
ed. 1956).
176. See, e.g., Model Penal Code §§ 210.2-210.4.
177. See, e.g., Cal. Penal Code §§ 187, 192; S.C. Code Ann. §§ 16-3-10, 16-3-50, 16-3-60.
178. See supra § III(A)(1)(a).
179. See, e.g., Model Penal Code, Arts. 210-251 (Official Draft and Revised Commentary 1980).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 29

categorical crime; so, as the previous paragraph explained, homicide is often


differentiated into four degrees. Other crimes are differentiated even further, into five,180
six,181 or even seven degrees.182

¶ 47 This system of hierarchically ordering crimes and degrees of crimes produces a set
of rather precisely calibrated crime metrics. The categories it establishes can be used to
track the incidence with which crimes involving the infliction of individual harms are
committed and the respective damage they inflict.183

b. Systemic harm

¶ 48 Systemic harms can be actual, potential or a combination of both.184 When a


systemic harm crime targets the infliction of actual harm, the offense usually requires
some culpability on the part of an offender.185 That tends not to be true when a systemic
harm crime targets incipient or potential harm;186 these crimes usually replace culpability
with strict liability, i.e., with liability that is not based on moral fault.187 This is
particularly true when the crime consists of failing to take steps to prevent systemic harm
or the potential for systemic harm.188

¶ 49 There are two justifications given for eliminating culpability in crimes that target a
failure to prevent systemic harm. One derives from the fact that unlike traditional crimes,

180. See, e.g., Alaska Stat. § 11.46.486 (describing criminal mischief in the fifth degree).
181. See, e.g., Conn. Gen. Stat. Ann. § 53a-125b (describing larceny in the sixth degree).
182. See, e.g., R.I. Gen. Laws § 11-4-8 (describing arson in the seventh degree).
183. See, e.g., U.S. Department of Justice—Bureau of Justice Statistics, Sourcebook of Criminal
Justice Statistics § 3 (2002), at http://www.albany.edu/sourcebook/1995/pdf/section3.pdf, U.S. Department
of Justice—Bureau of Justice Statistics, Criminal Victimization in the United States—Table 1 (2002), at
http://www.ojp.usdoj.gov/bjs/pub/pdf/cvus02.pdf (personal and property crimes); Federal Bureau of
Investigation, Uniform Crime Reports: Crime in the United States (2002), at
http://www.fbi.gov/ucr/cius_02/pdf/2sectiontwo.pdf.
184. See supra § III(A)(1)(b).
185. See, e.g., Thomas M. Russo, How U.S. Environmental Maritime Criminal Law Has Turned
"Crime and Punishment" into "Mistake and Punishment," American Law Institute—American Bar
Association Continuing Legal Education SE72 ALI-ABA 123, 130-31 (May 11, 2000) (explaining
“knowing” conduct is required for many environmental crimes). See also Sedima S.P.R.L. v. Imrex Co.,
741 F.2d 482, 495-96 (2nd Cir. 1984), reversed, 473 U.S. 479 (1985). In Sedima, the court noted that the
federal anti-racketeering statute known as RICO criminalizes the infliction of actual systemic harm. Id.
While RICO itself is a strict liability crime, the predicate offenses which one must commit to violate the
RICO statute require culpability, usually either willfulness or knowing conduct. See 18 U.S.C. §§ 1961,
1962.
186. For the distinction between the two, see supra note 156.
187. Id. See also supra § III(A)(2); United States v. FMC Corp., 572 F.2d 902, 906-08 (2d Cir.
1978).
188. See, e.g., supra note 156. The imposition of criminal liability for one’s failure to prevent a
particular type of generalized, systemic harm dates back to the beginning of the twentieth century and the
invention of ‘public welfare’ offenses. See Francis B. Sayre, Public Welfare Offenses, 33 COLUM. L. REV.
55, 67-68 (1933). The development of ‘public welfare,’ or regulatory, offenses resulted from a “shift in
emphasis from the protection of individual interests which marked nineteenth century criminal
administration to the protection of public and social interests.” M. Diane Barber, Fair Warning: The
Deterioration Of Scienter Under Environmental Criminal Statutes, 26 LOY. L.A. L. REV. 105, 110 (1992).
See also Sayre, Public Welfare Offenses, supra, at 67-68.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 30

these crimes target omissions; the theory is that the most effective way to encourage
prevention is to punish failures without regard to fault.189 The CEO of a grocery
company can be held criminally liable for allowing food in a warehouse to be
contaminated, regardless of whether he did so “maliciously,” ”willfully” or even
“knowingly.”190 The other justification is that these crimes often target organizational
conduct, and it can be difficult, if not impossible, to prove personal moral fault on the
part of specific corporate employees.191

¶ 50 Our practice of de-emphasizing culpability in crimes involving the infliction of


systemic harm means harm is really the only metric we have for these crimes. And since
the harm at issue in these crimes is diffuse or unrealized, we cannot track the incidence
and effects of these crimes with the precision we bring to individual harm crimes.192 In
this regard, systemic harm crimes are analogous to inchoate harm crimes.

(c) Inchoate harm

¶ 51 Inchoatecrimes do not inflict actual harm.193 They target conduct that is leading to
the commission of a completed crime, the consummation of which would produce actual
harm.194 The rationale for inchoate crimes is that they let law enforcement officers
intervene to prevent the commission of the target crime without forfeiting prosecution.195
If we did not have inchoate crimes, officers who knew John Doe was planning to murder
Jane Doe would have two equally undesirable options: (i) let him commit the murder and
then see he was prosecuted for it; or (ii) intervene and prevent him from committing the
murder, but be unable to do anything to stop him from trying again without their
knowledge. Like systemic harm crimes, inchoate harm crimes target incipient or
potential harm.196

189. See, e.g., WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL LAW § 5.5(c) (2003).
190. See supra note 156. Malice, willfulness and knowledge are among the mental states criminal
law uses in assessing culpability. See, e.g., WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL LAW § 5.1 (2003).
191. See, e.g., LAFAVE, SUBSTANTIVE CRIMINAL LAW § 5.5(c), supra note 191.
192. Compare U.S. Department of Justice—Bureau of Justice Statistics, Compendium of Federal
Justice Statistics (2001), at http://www.ojp.usdoj.gov/bjs/pub/pdf/cfjs01.pdf, with U.S. Department of
Justice—Bureau of Justice Statistics, Sourcebook of Criminal Justice Statistics § 3 (2002), and U.S.
Department of Justice—Bureau of Justice Statistics, Criminal Victimization in the United States—Table 1
(2002). With regard to arrest, prosecution and adjudication, the Compendium of Federal Justice Statistics
breaks out some federal systemic harm cases, such as antitrust and food and drug act violations, but lumps
the others into its ‘other regulatory offenses’ category. See U.S. Department of Justice—Bureau of Justice
Statistics, Compendium of Federal Justice Statistics (2001), at Table 4.1, at
http://www.ojp.usdoj.gov/bjs/pub/pdf/cfjs0104.pdf. It also provides no indication of the losses, or harms
resulting from these crimes. Cf. U.S. Department of Justice—Bureau of Criminal Justice Statistics,
Criminal Victimization in the United States, Statistical Tables 75, 81 (2002), at
http://www.ojp.usdoj.gov/bjs/pub/pdf/cvus0204.pdf (describing personal injury and economic loss resulting
from individual harm crimes).
193. See supra § III(A)(1)(c).
194. See id.
195. See id.
196. Unlike systemic harm crimes, inchoate crimes generally require affirmative acts, not omissions.
But see Model Penal Code § 5.01(1) (Official Draft and Revised Commentary 1980) (stating that ‘attempt’

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 31

¶ 52 The two differ dramatically in the way they approach unrealized harm. Systemic
harm crimes are designed to protect the security and integrity of essential societal
interests, such as marketplace competition; the harms such crimes address are by
definition diffuse.197 While it is possible to show that conduct constituting an antitrust
crime would have had an anticompetitive effect, it is impossible to quantify that effect
with any precision. Antitrust crimes, like all systemic harm crimes, target complex
activity, the proper functioning of which, is essential for the survival of a society.198
Since the harms are diffuse and the activities are so complex, the traditional approach to
criminal liability—requiring intent, culpability, causation and demonstrable, discrete
injury—is not a viable option. Consequently, systemic harm crimes presume harm or do
not require the prosecution to show true harm; proof of conditions that could produce
harm can support the imposition of liability.199 Systemic harm crimes also eliminate
culpability on the assumption that the most effective way to encourage the prevention of
systemic harms is to put the absolute risk of failure on those who are in the best position
to do so.200

¶ 53 This unorthodox approach to criminal liability is predicated on the unique


circumstances systemic harm crimes have so far encompassed. Those who commit
systemic harm crimes, whether by affirmative act or omission, do not set out to harm a
social system; their goal is to engage in conduct that will somehow redound to their
individual or corporate benefit.201 The systemic harm in these crimes results from the
wider consequences of the conduct in which these offenders engage.202 In these crimes,
therefore, we cannot require the synchronization of harm and culpability that is a defining
characteristic of traditional, individual harm-crimes.203

consists, in part, of purposely doing or omitting to do something as part of conduct leading to the
commission of the target crime).
197. See supra § III(A)(1)(b).
198. Id.
199. Id.
200. See supra § III(A)(2)(b).
201. See, e.g., Sedima S.P.R.L. v. Imrex Co., 741 F.2d at 495-96:
RICO was intended to ‘address the infiltration of legitimate business by organized
crime.’ . . . . According to the congressional statement of findings and purpose, the Act
was to seek to eradicate organized crime because ‘organized crime activities in the
United States weaken the stability of the Nation's economic system, . . . interfere with
free competition, seriously burden interstate and foreign commerce, threaten the domestic
security, and undermine the general welfare of the Nation and its citizens.’ . . . RICO was
not enacted merely because criminals break laws, but because mobsters, either through
the infiltration of legitimate enterprises or through the activities of illegitimate
enterprises, cause systemic harm to competition and the market, and thereby injure
investors and competitors.
(citations omitted) (quoting United States v. Turkette, 452 U.S. 576, 591 (1981)). As explained
earlier, RICO is a systemic harm crime that incorporates traditional criminal activity. See supra
note 187.
202. See supra note 203.
203. The result would presumably be otherwise if the infliction of systemic harm were the offender’s
goal, which may, perhaps, be the case with terrorism. We have not yet considered whether terrorism is
simply a type of crime or whether it should be regarded as something else, as something more than
traditional, individual harm-crime. See supra note 6.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 32

¶ 54 We require this synchronization for inchoate crimes because they are really a
version of individual harm-crimes. But since inchoate crimes are interrupted crimes, no
actual, individual harms result from their commission. We compensate for the lack of
harm by requiring compelling proof that one charged with an inchoate offense was
indeed dedicated to committing the target crime, and would have succeeded but for the
intervention of law enforcement officials.204 Culpability therefore becomes the primary
metric for inchoate crimes; we cannot identify actual harm, but we can track aspirational
harm. This is, of course, an imprecise endeavor. Imagine that Eric Harris and Dylan
Klebold were interrupted before they could carry out their April 20, 1999 attack on the
students and teachers at Columbine High School. Assume they were stopped in the
school parking lot as they were on their way to launch the assault because law
enforcement officers had credible evidence to believe they intended to commit such an
act. Since their conduct would have been interrupted, no one would actually have been
harmed. They could have been prosecuted for attempted murder, but we would have no
way of knowing the extent of the individual harms they intended to inflict had they not
been intercepted. We might infer some level of individual harm from the firepower and
ammunition they were carrying, but that assessment would be speculative.

¶ 55 Our only metric for inchoate harm crimes, therefore, is culpability. We infer the
nature and extent of actual, individual harm the interrupted offender meant to inflict
based on his words and actions.

B. Cybercrime Metrics

¶ 56 Our metrics for crime are harm and culpability, which we apply in different degrees
to crimes that inflict individual harms, systemic harms and inchoate harms.205 We now
need to consider metrics for cybercrime. The sections below examine two issues: first,
to what extent can we apply crime metrics to cybercrime? Second, what additional
metrics, if any, do we need for cybercrime? The sections below analyze these issues with
regard to (i) individual harm cybercrimes; (ii) systemic harm cybercrimes; and (iii)
inchoate harm cybercrimes.

1. Individual harm cybercrimes

¶ 57 Like individual harm crimes, individual harm cybercrimes produce actual, discrete
harms. We need to be able to track those harms. This discussion analyzes the possibility
of (i) applying crime metrics to cybercrime, and (ii) developing additional metrics for
cybercrime.

a. Crime metrics

¶ 58 As Part II explained, what is popularly called cybercrime is simply crime, the


commission of which involves the use of computer technology. Substantively, there is no

204. See JOSHUA DRESSLER, UNDERSTANDING CRIMINAL LAW 329, 339, 365, 384 (3rd ed. 2001). See
also Robbins, Double Inchoate Crimes, supra note 159, at 8 (“The mens rea for inchoate crimes, therefore,
is the specific intent to commit a particular completed offense, or target . . . crime”).
205. See supra § III(A).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 33

difference between the generic individual harm-crimes (e.g., fraud, theft, extortion,
harassment, forgery, murder) and their cyber-analogues. The core offense harm is the
same in both.206 It seems, then, we should be able to use crime metrics—the harm
inflicted by a crime and the culpability of the person who committed it to track
cybercrime. The basic metrics for an online fraudster’s crime, for example, would be (i)
the number of victims and extent of the harms inflicted on each, and (ii) his/her
culpability.

¶ 59 The culpability calculus for these cybercrimes should be the same as for their real-
world analogues. For example, cyber-theft, like real-world theft, requires that the
offender have acted with the purpose of depriving another of their property. This
requirement is made for most other property crimes, such as online fraud, forgery,
extortion, etc.207 The culpability calculus should also remain the same for the “crimes
against the person” that migrate into cyberspace,208 as well as for crimes against the state
and crimes against morality.209 Since human behavior is a constant in offline and online
crime, and since our experience with human misbehavior has given us a good sense as to
the appropriate levels of fault to assign to various misdeeds, we should not need to alter
culpability standards, except perhaps to accommodate new crime variations.210

¶ 60 The calculus is more difficult for the harms. The core harm will be the same for
online and offline crime analogs: a loss of property for theft, fraud, extortion and other
property crimes; a loss of life or physical injury when homicide and other crimes against
the person migrate into cyberspace; emotional distress for stalking and harassment
crimes; an erosion of essential government functions for crimes against the state; and the
myriad subtle and complex harms resulting from the crimes against morality.211 But
while the core harm may remain the same, it can manifest itself in different ways.

¶ 61 Online theft, for example, can consist either (i) of the zero-sum phenomenon we

206. See supra § II(B).


207. Id.
208. Stalking has already made the transition, and it is only a matter of time before homicide does so.
As to the former, many stalking/harassment statutes now encompass real-world and online conduct and
apply the same standard of culpability to both. See, e.g., Alaska Stat. § 11.41.270; California Penal Code §
646.9; Kansas Stat. Ann. § 21-3438. It was necessary to incorporate online activity into these statutes
because stalking and harassment have traditionally been defined in terms of real-world conduct, such as
following someone. See, e.g., Alaska Stat. § 11.41.270. That should not be true for most homicide
statutes, as they focus on the prohibited harm, i.e., causing the death of another human being, rather than on
the method used to achieve that result. As to other crimes against persons, it does not seem rape can be
committed online, at least not in the traditional sense, and the same is probably true for assault as well.
209. See supra § II(B).
210. It may not be necessary to alter culpability when we address new variations on old crimes. We
have already done this with regard to several online activities: hacking, cracking, disseminating malware
and launching denial of service attacks. While we could treat these activities as real-world crimes (e.g.
trespass, burglary and vandalism), we have found it useful to make each the focus of a new crime to
accommodate certain nuances technology introduces into the conduct and the resulting harms. The
culpability levels, however, have remained constant in the offline and online versions of these crimes.
Compare Ark. Code Ann. § 5-39-203 (criminal trespass) with Ark. Code Ann. § 5-41-104 (computer
trespass).
211. See Part II(B) supra. See also supra note 210.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 34

know from the real-world, in which the thief totally deprives an owner of the possession
and use of her tangible or intangible property; or (ii) of the non-zero-sum, online version
in which the thief takes a copy of intangible property and leaves the owner with the
“original.”212 In both instances, the owner suffers a loss of property.213 Are the losses
identical? Is the non-zero-sum loss equivalent to the zero-sum loss? In a zero-sum theft,
the owner is completely deprived of the possession and use of her property; in a non-
zero-sum theft, she is deprived of a quantum of the possession and use of her property. 214
The harm associated with this less-than-zero-sum loss depends, at least in part, on the
extent to which the value of the property is a function of its exclusivity; in other words,
the extent to which dominion and control of the property is limited.

¶ 62 If an employee copies a computer password file belonging to his employer, the


Acuit Company, the company suffers a harm, the precise nature of which depends upon
the extent to which it sought to limit dominion and control over the information in the
file. If the passwords in the copied file are the current passwords employees use to
access Acuit’s computer system, we can assume the company expended a great deal of
effort to prevent unauthorized persons from gaining dominion and control over them, and
that it therefore suffered a significant harm. This harm is for the most part contingent;
the real harm comes not from the loss of the data in the password file but from the fact
that someone can use this data to access Acuit’s computer system and inflict further
harms upon the company. How do we express this harm? Is it an actual, individual harm
to Acuit? Is it an inchoate harm—the first step in an attempt to hack into Acuit’s system
to copy or destroy files? The harm is both actual and inchoate. We have a completed,
non-zero-sum theft; we also have the possibility, and the suspicion, that the theft was
only the first step in the infliction of further harms upon the Acuit Company.215 How do
we parse the harms from this event? Do we incorporate the potential harms associated
with the use of the passwords in the file into the harm resulting from the non-zero-sum
theft? Do we, in other words, expand the harm associated with the non-zero-sum theft
beyond the actual loss, which was the erosion of the Acuit Company’s ability to control
who had dominion and control over the password file?

¶ 63 These are difficult issues, issues that do not arise with regard to real world, zero-
sum theft. To understand why that is so, it is helpful to consider two variations on the
hypothetical outlines above. In the first variation, the employee steals a key to a safe that
contains money. The theft of the key is a zero-sum theft; the employee has the key and
the company does not. We could, therefore, prosecute the employee for stealing the key.
As a practical matter, such a prosecution is highly unlikely. If the employee uses the key

212. See supra note 73. See Goodman & Brenner, supra note 65, at 61.
213. See Goodman & Brenner, supra note 65, at 61.
214. See id.
215. We can analogize the passwords to the key to a safe; the key’s value lies in its ability to grant
access to the safe. The owner of the safe, therefore, will seek to ensure that only authorized persons can
exercise dominion and control over the key. If someone steals the key, in a zero-sum theft, the owner of
the safe has suffered two harms; he has lost the key itself, which is a small harm, and he has lost the ability
to control access to the safe, which is a significant harm, the precise significance being a function of the
contents of the safe and his ability to change the lock and render the key useless. See, e.g., State v. Green,
81 N.C. 560, 1879 WL 2414 *1 (N.C. 1879). See also Fifth Third Bank v. Stanek, 806 N.E.2d 861, 863
(Ind. App. 2004).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 35

to take the money in the safe, we will prosecute him for that theft. The theft of the key
will, in effect merge into the greater theft and the greater harm.216 If the employee is
apprehended before he can use the key to take the money in the safe, we will charge him
with an attempt to steal the money in the safe; the theft of the key will become a
component of the conduct alleged to constitute the inchoate crime. No prosecutor will
pursue the theft of the key itself because the harm is simply too minimal to warrant
prosecution.

¶ 64 The other variation on our hypothetical illustrates why different issues arise when
the theft is online. Assume the passwords in the copied file are old passwords that are no
longer used. It might seem that, as with a key to a lock that is no longer used, the
company has no reason to prevent unauthorized persons from gaining dominion and
control over the data in the file. The theft of the file, like the theft of the key, would
constitute the infliction of a harm too minimal to warrant prosecution. However, that is
not necessarily true. An aspiring cybercriminal may be able to use the data in the file to
identify current passwords, since people often re-use old passwords despite being told not
to do so. The cybercriminal might also be able to use the data in the file to derive new
passwords by analyzing the system the company uses to create passwords for its
employees. In either scenario, the company may sustain significant harm.

¶ 65 Asthe hypothetical and its variations illustrate, cybercrimes can have consequential
harms that are at least as significant as the core harm resulting from the offense. There
are actually two consequential harms in the hypothetical itself. The first, an inchoate
harm, is the possibility that the data in the password file can be used to hack Acuit’s
computer system and inflict further harms upon the company by, for example, deleting or
destroying data. The other harm is actual, Acuit will have to respond to the inchoate
harm by, for example, seeing that the passwords in the file are replaced by new
passwords and conducting an audit of its computer security to locate and eliminate the
vulnerabilities the employee exploited to steal the file. While real-world crimes,
including theft, can also produce consequential harms, we do not include them into the
metrics we use for crime. Our metric for the harm resulting from real-world property is
the value of the property taken, damaged or destroyed, presumably because the
consequential harms resulting from real-world property crimes are slight compared to
those generated by their cyber-counterparts. We can retain this basic metric for crime,
but we must include an assessment of consequential harm in the metrics we develop for
cybercrime.217

216. See supra note 217.


217. The basic federal cybercrime statute, 18 U.S.C. § 1030, does this, since it was amended by the
Patriot Act: the statute makes it a crime to gain unauthorized access to a civilian computer and cause
“damage” or “loss.” 18 U.S.C. § 1030(a)(5). Section 1030(e)(11) defines the “loss” resulting from an
offense under the statute as:
any reasonable cost to any victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data, program, system, or information
to its condition prior to the offense, and any revenue lost, cost incurred, or other
consequential damages incurred because of interruption of service.
Patriot Act, Pub. L. No. 107-56, § 814(d)(5), 115 Stat. 272, 384 (2001). The amendments added by the
Patriot Act were intended to incorporate the approach taken in United States v. Middleton, 231 F.3d 1207,
1213 (9th Cir. 2000).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 36

¶ 66 There are two ways we can go about doing this, the first being to incorporate
consequential harm as part of the individual harm resulting from the commission of a
conventional crime, or cybercrime. If we take this approach, the prosecution will have to
prove the nature and extent of consequential harm sustained in a cybercrime case
involving property loss or damage.218 It would become a component of an individual
harm prosecution. The second way to approach this issue is to construe consequential
harm as a systemic harm; the virtue of this tactic is that a quantum of consequential harm
could be presumed, instead of having to be quantified and proven beyond a reasonable
doubt.219 Probably the best approach is to do both, i.e., to make consequential harm an
element that must be proven in individual harm prosecutions but incorporate presumptive
consequential harm into selected, systemic harm offenses.220

¶ 67 The importance of acknowledging, and tracking, consequential harm is perhaps


most apparent with regard to property crimes, especially those involving unauthorized
intrusions into computer systems. But, it is equally important with regard to crimes
against the state, such as unauthorized intrusions into computer systems used by courts,
the military or state and federal agencies. The resolution of this consequential harm issue
is simplified, somewhat, by the fact that crimes against the state are systemic harm
crimes. This issue is addressed below.221 The significance of consequential harm is not
apparent for crimes against persons and crimes against morality. It may be that
consequential harm is not a factor we need to take into account in tracking the harm
resulting from these crimes, because it does not appreciably augment the core harm
encompassed by the real-world crime. If John uses the Internet to lure Jane to a park,
where he kills her, does his utilization of computer technology result in the infliction of
harm exceeding the core harm encompassed by the crime of murder, i.e., the death of a
human being? His use of computer technology may make it more difficult for law
enforcement to apprehend him, but that is not an offense, despite the fact that it may be a
factor we want to take into account in tracking cybercrime.222 That possibility is
considered immediately below. The same conclusion applies to crimes against morality:
computer technology makes it much easier for pedophiles and others to acquire and
circulate child pornography and to do so without being apprehended, but that, again, is
not an offense, it is a circumstance that goes to law enforcement’s ability to react to and
discourage the conduct at issue and, as such is discussed below.223

¶ 68 At this point in our experience with cybercrime, it is impossible to tell, with any

218. See generally United States v. Pierre-Louis, No. 00-434-CR, 2002 WL 1268396, at *2-*5 (S.D.
Fla. 2002) (interpreting the “consequential damages” provision of the Patriot Act).
219. Other amendments to the Patriot Act incorporated this approach into 18 U.S.C. § 1030. The
amended version of the statute essentially makes it a federal crime to gain unauthorized access to a
computer and either (i) cause “loss” as defined above or (ii) to cause either “the modification or
impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals” or “damage affecting a computer system used by or for a government entity
in furtherance of the administration of justice, national defense, or national security.” 18 U.S.C. §§
1030(a)(5)(B)(i), (ii), (v).
220. See supra note 219.
221. See supra Part III(B)(2).
222. See supra Part III(B)(1)(b)(ii).
223. Id.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 37

certainty, whether consequential harm is a factor we need to consider in tracking


cybercrimes against persons and against morality. As we become more adept at using
computer technology, we may see it used to add consequential harms to the infliction of
the harms already addressed by these crimes; if that possibility eventuates, we will have
to consider how we should deal with these varieties of consequential harm.

b. Cybercrime metrics

¶ 69 We decided that crime metrics provide a core set of characteristics we can use to
track individual harm cybercrimes. The issue we need to resolve now is whether to
incorporate the distinctive characteristics discussed earlier into the metrics we use for
cybercrime.224 Those characteristics, again, are: (i) difficulty of apprehension and (ii)
infliction of harm on a greater-than-real-world scale.225

(i) Scale

¶ 70 We begin with the second characteristic; it is the less problematic of the two since
it deals with a traditional factor, i.e., offense harm. Our historical default model of a
crime has been an event involving two persons: a perpetrator and a victim.226 We
therefore based our assessment of the harm resulting from such an event on the injury to
the victim—the person who sustained actual harm.227 We retained that approach as we
began dealing with criminals who inflicted sequential harms on multiple victims; our
approach to this scenario is to parse the harms into discrete crimes, each of which
becomes a count in the charging instrument used against the offender.228 If the defendant
in such a prosecution inflicted more than one harm upon a victim, each harm becomes a
separate count in the charging instrument.229 And if a defendant is convicted of inflicting
all the harms charged in such a document, his sentence will be based on the accumulative
harm she inflicted upon the various victims.230

224. See supra Part II(A).


225. The earlier discussion focused on three distinguishing characteristics: difficulty of
apprehension, infliction of greater harm, and the challenges presented by digital evidence. See supra Part
II(A). While the digital evidence challenges are empirically and conceptually distinct from the
apprehension issues examined above, their effect is to exacerbate the difficulties law enforcement faces in
apprehending and prosecuting cybercriminals. Id. The evidentiary challenges are, therefore, folded into
the “difficulty of apprehension” characteristic for the purposes of this discussion.
226. See supra Part II(A)(2).
227. This accounts for the fact that common law criminal procedure only allowed one offense to be
charged at a time. See, e.g., 1 JAMES FITZJAMES STEPHEN, A HISTORY OF THE CRIMINAL LAW OF ENGLAND
508 (London, MacMillan 1883) (stating that “[i]n an indictment for felony one offence only can . . . be
charged”).
228. See, e.g., United States v. Carlson, (E.D. Pa. 2003), available at http://www.usdoj.gov/usao/pae/
News/Pr/2003/oct/carlson.pdf (last visited Sept. 30, 2004). This reflects the greater latitude modern
criminal procedure gives prosecutors. See, e.g., Ashe v. Swenson, 397 U.S. 436, 453 (1970) (Brennan, J.,
concurring).
229. See United States v. Carlson, Indictment, Counts 1-11, supra note 230, at 38-52.
230. See, e.g., United States v. Green, 225 F.3d 955, 957-58 (8th Cir. 2000) (calculating an offense
level by increasing the level for factors such as losses and number of victims). See also U.S. SENTENCING
GUIDELINES MANUAL § 2B1.1 application note 3(C)(iii) (2004) (explaining that when calculating “loss” in
sentencing for a fraud offense, multiply the number of victims by the loss to each victim).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 38

¶ 71 This approach, which we devised for crime, tracks the harms attributable to a
course of criminal conduct by (i) discrete, individual harms to a victim, (ii) number of
victims and (iii) amount of loss to each victim.231 Is this approach adequate for
cybercrime? The issue raised earlier was the significantly greater scale of the harms a
cybercriminal can inflict by automating criminal activity, such as fraud.232 An online
fraudster can use e-mail to contact an exponentially greater number of victims than he
could in person or even by using telephones;233 in so doing, he increases his chances of
successfully victimizing a greater number of individuals.234 He can further increase his
chances of doing so by using automated processes to harvest credit card and other
personal information from those who respond to his emails, either directly or indirectly
by communicating with a “phishing” website identified in those emails.235 Two types of
harm result from our hypothetical fraudster’s online activity; the first is actual, individual
harm, which consists of the losses he inflicts on those whom he successfully victimizes.
The second is inchoate harm. This is the unrealized harm he sought to inflict on the
recipients of his e-mails or other online solicitations. We consider this inchoate harm
below.236

¶ 72 Our concern here is the harm, or harms, this hypothetical fraudster actually inflicts
upon those who respond to his automated communications. Do we need to somehow
factor this into our metrics for online crime, or is it adequately addressed by the approach
outlined above, which tracks the effects of crime according to the number of victims and
the extent of the loss inflicted on each victim? Should we be tracking what is, in effect,
the aggregate harm resulting from online activities, such as fraud? Why might we want
to do this? Would such an endeavor identify any distinct data that is relevant to
understanding and analyzing online crime?

¶ 73 These are difficult questions. One argument for tracking aggregate harm is that
focusing on discrete harms inflicted upon individual victims ignores the generalized
effect a course of criminal conduct can have.237 Two of the sentencing enhancements in

231. The approach outlined above assumes property crimes, in which the amount of loss can be
quantified. A similar approach, however, can be used for crimes against persons, crimes against the state or
crimes against morality. See, e.g., State v. Braddy, 2004 WL 1364730 (Ohio App. 2004) (involving
multiple counts of rape); United States v. Kennedy, 372 F.3d 686 (4th Cir. 2004) (involving multiple
counts of perjury); United States v. Dodds, 347 F.3d 893, (11th Cir. 2003) (sentencing for possession of
child pornography based on the number of images possessed).
232. See supra Part II(A)(2).
233. See, e.g., Femi Oyesanya, The Nigerian 419 Email Cycle, The Nigerian Village Square, (last
modified May 2, 2004), at http://www.nigeriavillagesquare1.com/Articles/femi_oyesanya3.html.
Telephone contact lets fraudsters communicate with a greater number of potential victims because they do
not have to travel to each victim’s physical location. But because telephone communication is still one-to-
one; a phone fraudster can only focus on one victim at a time.
234. See supra Part II(A)(2).
235. Id. See also What Is Phishing?, Anti-Phishing Working Group, at http://www.antiphishing.org/
(last visited Sep. 30, 2004); John Shinal, Phishers Reel in Money: E-mail Scammers Get Victims’ Checking
Account Information, SFGate.com, (June 16, 2004), at http://www.sfgate.com/cgi-
bin/article.cgi?f=/c/a/2004/06/16/BUGQU76KBO1.DTL (last visited Sept. 30, 2004).
236. See supra Part III(B)(3).
237. See, e.g., United States v. Copple, 24 F.3d 535, 548 (3d Cir. 1994), cert. denied, 513 U.S. 989
(1994) (asserting that schemes involving many victims tend to result in greater losses). Large-scale

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 39

the federal Sentencing Guidelines seem to incorporate this concern: the first authorizes
increasing the basic offense level by two levels if the crime “was committed through
mass-marketing.”238 The second authorizes incremental increases in the basic offense
level to reflect the total number of victims involved.239 Under the Sentencing Guidelines,
the offense level is the measure of the harm a crime inflicts.240 These enhancements,
therefore, are apparently meant to capture generalized harms exceeding those captured by
the offense(s) of conviction.241 Unfortunately, it is not clear whether the enhancements
are intended to capture an incremental, aggregate, actual harm or rather are directed at
inchoate harm, i.e., at the harm the offender sought to inflict.242

¶ 74 Thereis another source of guidance on this issue, one that may account for why we
would want to track the aggregate harm resulting from large-scale, automated cybercrime
activity. As noted earlier, conspiracy is an inchoate crime.243 Unlike the other inchoate
crimes, however, conspiracy is not outlawed merely because it leads to the commission
of a completed, substantive crime.244 As one commentator noted,
conspiracy law serves two societal purposes. First, as an inchoate offense,
a conspiracy comprises the mere planning of a crime; as such, authorities
can arrest conspirators before they actually commit their intended offense.
Second, conspiracy law addresses the special problem of group danger by
imposing extra punishment on those who threaten society through
concerted group action. . . .
The group danger associated with a conspiracy poses a substantial threat
to society because individuals who conspire may pool their resources, may
commit more complex (and less easily detected) crimes, and are more
likely to complete the planned crime due to the pressure inherent in-group
activity.245

criminal activity can also inflict indirect harms upon individuals other than the direct victims. See, e.g.,
United States v. Melvin, 187 F.3d 1316, 1321-24 (11th Cir. 1999), cert. denied, 530 U.S. 1231 (2000).
238. See U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(2)(A)(ii) (2003) (amended 2004).
“[M]ass-marketing” is “a plan, program, promotion, or campaign that is conducted through solicitation by
telephone, mail, the Internet, or other means to induce a large number of persons to (i) purchase goods or
services; (ii) participate in a contest or sweepstakes; or (iii) invest for financial profit.” Id. at § 2B1.1, cmt.
n.4(A).
239. See id. at § 2B1.1(b)(2)(A)-(C). If the offense involved 10 or more victims, the offense level is
increased by two levels; if it involved 50 or more victims, the offense level is increased by four levels, and
if the offense involved 250 or more victims, the offense level can be increased by six levels. Id.
240. See, e.g., id. at § 2B1.1.
241. See generally THOMAS W. HUTCHISON ET AL., FEDERAL SENTENCING LAW AND PRACTICE §
2F1.1, cmt. 5 (2004) (stating that mass-marketing enhancement resulted from “a congressional directive,
which required the Commission to provide ‘substantially increased penalties’ for telemarketing fraud.”)
(quoting Telemarketing Fraud Prevention Act of 1998, Pub. L. No. 105-184, § 6(b)-(d), 112 Stat. 520, 521
(1998)).
242. See, e.g., United States v. Copple, 24 F.3d at 548 (observing that “losses actually caused by”
large-scale criminal activity “may under represent the amount of losses the defendant intended”).
243. See supra Part III(A)(1)(c).
244. See id.
245. Geoff Lundeen Carter, Comment, Agreements Within Government Entities and Conspiracies
Under § 1985(3)--A New Exception to the Intracorporate Conspiracy Doctrine?, 63 U. CHI. L. REV. 1139,
1142 (1996) (footnotes omitted). See also Callanan v. United States, 364 U.S. 587, 593-94 (1961):

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 40

The added dangers associated with group activity are also the rationale responsible for
complex crimes such as RICO and CCE.246

¶ 75 Conspiracy, RICO, and CCE are concerned with the added harms that result from
concerted human activity. We are concerned with an analogous issue; the possibility that
emergent, aggregate harms result from large-scale, automated cybercrime. Both concerns
derive from the same problem, which is the human ability to enhance criminal activity so
it inflicts harm vastly exceeding what an individual can accomplish.247 We dealt with
enhancements resulting from collective activity—the “group danger” phenomenon—by
developing crimes that target the additive effects of concerted human action.248 The
expanded scale of harm in cybercrime results not from concerted human action, but from
automation.249 “Group danger” crimes are useless against automation, so we may need to
devise strategies that address the enhanced harms produced by automating crime.
“Group danger” crimes evolved as our understanding of collective criminal activity
evolved;250 we must understand automated cybercrime if we are to respond to it. To do
that, we must study it, which means we must incorporate assessments of the incidence,
nature, and effects of automating online crime into our cybercrime metrics.

¶ 76 How shall we do this? It is useful to analogize automation’s role in cybercrime to


the role firearms play in real-world crime. Both are, in effect, enhancers of the harm that
can result from criminal conduct.251 Firearms differ from automation in that the harms
they contribute to a course of criminal activity are often tangential, unintended, but not
unanticipated consequences of embarking on a course of action. Notwithstanding that,
we have for some time tracked the use of firearms in the commission of crimes.252 The
use of firearms is tracked, in effect, as an actual or potential enhancer of the harm

[C]ollective criminal agreement . . . presents a greater potential threat to the public than
individual derelicts. Concerted action both increases the likelihood that the criminal
object will be successfully attained and decreases the probability that the individuals
involved will depart from their path of criminality. Group association . . . often . . .
makes possible the attainment of ends more complex than those which one criminal could
accomplish. Nor is the danger of a conspiratorial group limited to the particular end
toward which it has embarked. Combination in crime makes more likely the commission
of crimes unrelated to the original purpose for which the group was formed.
246. See 18 U.S.C. §§ 1961-1962 (2000 & Supp. I 2001); 21 U.S.C. § 848. RICO has been described
as a “super-conspiracy” statute. David Vitter, Comment, The RICO Enterprise as Distinct from the Pattern
of Racketeering Activity: Clarifying the Minority View, 62 TUL. L. REV. 1419, 1443-44 (1988).
247. See supra Part II(A)(2).
248. See supra note 247.
249. See supra notes 49-50.
250. See, e.g., Michael Vitiello, Has the Supreme Court Really Turned RICO Upside Down?: An
Examination of NOW v. Scheidler, 85 J. CRIM. L. & CRIMINOLOGY 1223, 1233 (1995) (arguing that “RICO
grew out of almost twenty years of concern about the influence of the Mafia or La Cosa Nostra”).
251. See generally Michael R. Schechter, Note, Sentencing Enhancements Under the Federal
Sentencing Guidelines: Punishment Without Proof, 19 N.Y.U. REV. L. & SOC. CHANGE, 653, 665 (1992-
93).
252. See BUREAU OF JUSTICE STATISTICS, U.S. DEP’T OF JUSTICE, FIREARMS AND CRIME STATISTICS
(2004), available at http://www.ojp.usdoj.gov/bjs/guns.htm (last modified Sept. 12, 2004).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 41

resulting from various crimes.253 The use of a firearm may not be a constituent element
of a particular crime, but it can act as a “crime multiplier,” that is, it can exacerbate
aspects of the offense.254

¶ 77 Automation plays a central role in the type of cybercrime under consideration here.
It, too, acts as a “crime multiplier,” but in ways we do not understand. Our cybercrime
metrics, therefore, should track the use of automation in the commission of online crime.
Among other things, they should focus on issues such as: how is automation used to
enhance the scale of the harms resulting from a particular type of cybercrime? Is it used
to increase victimization in property crimes such as fraud, forgery, embezzlement, and
theft? If so, how? Is it used to inflict additive harms in extortion and blackmail? How, if
at all, is it used in crimes against morality, including the distribution of child
pornography? Is it being used in crimes against persons? If so, how is it being used and
why? The inquiry should also examine (i) who is supplying the automated techniques
that are being used and (ii) the sophistication of these techniques and the extent to which
they appear to be evolving.255

¶ 78 The primary goal of this inquiry is to understand how automation is being used as a
“cybercrime multiplier.” A subsidiary goal is to be able to extrapolate how it may be
used in the future. As part of this inquiry, the automation metric should analyze and
compare how automation is being used in the commission of different crimes and how it
is being used by cybercriminals from different countries. We might be able to identify
patterns in its usage, which we could then use to tailor responses to this type of enhanced
criminal activity.256

¶ 79 Another issue to track is whether automation is being used as a substitute for


collective human activity or to augment that activity. Essentially, we need to know what
we are dealing with. Are we (only) confronting a new type of “group danger,” or is
automation being used to enhance the effectiveness of group criminality?257 Organized
cybercriminals may be using automation to further enhance the “group dangers” they

253. See, e.g., 18 U.S.C. § 924(c) (2000 & Supp. I 2001), amended by Pub. L. No. 108-174, § 1, 117
Stat. 2481, 2481 (2003).
254. See, e.g., Christine Martin et al., An Examination of Rearrests and Reincarcerations Among
Discharged Day Reporting Center Clients, FED. PROBATION, June 2003, at 24, 29 (concluding that “illicit
drug use is . . . a crime multiplier. When offenders are using drugs, they are significantly more likely to
engage in criminal activities” (citation omitted)). Moreover, “[m]ilitary and law enforcement personnel use
the term ‘force multiplier’ to denote factors which enhance the effectiveness of troops or weapons.” Susan
W. Brenner & Marc D. Goodman, In Defense of Cyberterrorism: An Argument for Anticipating Cyber-
Attacks, 2002 U. ILL. J.L. TECH. & POL’Y 1, 26 (footnote omitted).
255. Donn Parker, who has been studying computer crime since the 1960s, believes we will see the
emergence of totally automated crimes, which are available for purchase. See Donn Parker, Automated
Crime, WindowSecurity.com (2002), at http://secinf.net/misc/Automated_Crime_.html/ (last modified Oct.
16, 2002).
256. Another problem we have in dealing with cybercrime is that we cannot, at least as yet, identify
patterns in crimes or in victimization. See Brenner, Criminal Law for Cyberspace, supra note 22, at 53-55,
70-75.
257. See, e.g., Matthew Wall, The Web’s Wise Guys: Organised Crime Is Thriving Online but Many
Victims Want to Keep It Quiet, GUARDIAN (London), June 3, 2004, available at
http://www.guardian.co.uk/online/story/0,3605,1229875,00.html (last visited Sept. 18, 2004).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 42

pose, which would in effect be combining “crime multipliers.”258

(ii) Apprehension

¶ 80 The section above explained that computer technology could act as a “crime
multiplier” by enhancing the substantive harms resulting from online criminal conduct.
Computer technology can also act, in effect, as a multiplier in another way: by making it
difficult for law enforcement to apprehend those who commit crimes online.259 While we
are accustomed to factoring the effects of multipliers like firearms into our offense harm
calculations for crime,260 we have not made it a practice to factor conduct that makes law
enforcement’s task more difficult into these calculations.

¶ 81 Should we approach cybercrime differently? Should we implement metrics that


track how the use of computer technology makes it more difficult to apprehend
cybercriminals? Is difficulty in apprehending a cybercriminal a legitimate component of
the harms he inflicts? If it is not a legitimate component of offense harm, are there other,
equally valid reasons to include this factor in the metrics we develop for cybercrime?

¶ 82 As to the first issue, we criminalize certain harms pertaining to the apprehension


and prosecution of offenders. We hold someone liable as an accessory after the fact if he
or she helps someone avoid capture after committing a crime;261 we charge people with
obstructing justice if they destroy, fabricate or alter evidence in an effort to prevent
someone’s being convicted of a crime;262 and we prosecute those who perjure themselves
to the same end.263 These offenses, however, generally apply to conduct that takes place
after the commission of a crime has been discovered and after the processes of
investigation and prosecution have begun.264 They also tend to focus on the actions of
someone other than the perpetrator of the crime.265 These offenses seem, therefore, to be
concerned with protecting the integrity of the criminal justice system,266 rather than with
conduct involved in actually committing a crime.

¶ 83 Protecting the integrity of a criminal justice system, which has swung into motion
and begun the processes of investigating and prosecuting a specific crime, is a very
different matter from penalizing general offense conduct. Or, to put it another way, is it

258. Concerted criminal activity is essentially another type of “crime multiplier.”


259. See supra Parts II(A)(1), II(A)(3).
260. See supra Part III(B)(1)(b)(i). See also Mark D. Knoll & Richard G. Singer, Searching for the
”Tail of the Dog:” Finding “Elements” of Crimes in the Wake Of McMillan v. Pennsylvania, 22 SEATTLE
U. L. REV. 1057, 1057, 1080-90 (1999) (analyzing the role firearms play in sentencing, either as an element
of the offense or as a sentencing factor).
261. See, e.g., ARIZ. REV. STAT. ANN. § 26-1078; FLA. STAT. ANN. § 777.03.
262. See, e.g., 720 ILL. COMP. STAT. ANN. § 5/31-4; LA. REV. STAT. ANN. § 14:130.1.
263. See, e.g., ALA. CODE § 13A-10-101; CAL. PENAL CODE § 118. See also 18 U.S.C § 4
(misprision of felony).
264. Even accessory after the fact statutes tend to require that someone have sought to prevent
another’s arrest. See, e.g., IOWA CODE ANN. § 703.3.
265. See supra notes 263-65.
266. See, e.g., Jeffrey S. Parker, The Economics of Mens Rea, 79 VA. L. REV. 741, 764 n.67 (1993)
(“Offenses such as obstruction of justice, jury or witness tampering, and perjury are all similarly oriented
toward penalizing behavior that lowers the probability of conviction.”).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 43

reasonable to penalize cybercriminals for taking steps to avoid being apprehended and
prosecuted?

¶ 84 Thisseems counterintuitive, perhaps because we have been conditioned by media


portrayals of a law enforcement dynamic that takes the form of a contest; a “cat and
mouse game” between official and offender.267 We assume any right-thinking criminal
will do all she can to avoid being detected and apprehended, thus it seems a peculiar
notion to consider making this a crime.

¶ 85 Thereis, however, precedent for factoring such efforts into the harm calculus,
though not at the offense level. The federal Sentencing Guidelines allow sentences to be
enhanced for using “sophisticated means” to commit a crime.268 This enhancement,
which allows a sentencing court to increase the base offense level269 if the commission of
the crime involved “sophisticated means,” is available in sentencing for theft, fraud,
embezzlement and property destruction.270 “Sophisticated means” denotes
especially complex or . . . intricate offense conduct pertaining to the
execution or concealment of an offense. For example, in a telemarketing
scheme, locating the main office of the scheme in one jurisdiction but
locating soliciting operations in another jurisdiction ordinarily indicates
sophisticated means . . . . [H]iding assets or transactions, or both, through
the use of fictitious entities, corporate shells, or offshore financial
accounts also ordinarily indicate sophisticated means.271

¶ 86 Deterrenceis the justification for this and similar enhancements.272 According to


the U.S. Sentencing Commission, “unusually sophisticated efforts to conceal” a crime
“decrease the likelihood of detection and therefore warrant an additional sanction for

267. It also seems like a Catch-22: if I commit a crime and make no effort to avoid being
apprehended, I will be caught; if I commit a crime and attempt to avoid being apprehended, my attempt to
avoid being apprehended becomes another crime. See, e.g., Catch-22, DICTIONARY.COM, at
http://dictionary.reference.com/search?q=catch-22%20 (last visited Sept. 22, 2004) (defining Catch-22 as a
“situation in which a desired outcome . . . is impossible to attain because of a set of inherently illogical
rules or conditions”).
268. See U.S. SENTENCING GUIDELINES MANUAL §§ 2B1.1(b)(8), 2T1.1(b)(2) (2004).
269. See supra notes 241-43 and accompanying text. See also infra note 279.
270. See U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(8).
271. U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(8), at cmt. n.7. Operating a fraudulent
scheme from another jurisdiction “to evade law enforcement” constitutes “sophisticated means,” as does
perpetrating a “substantial part” of a fraudulent scheme from outside the United States. U.S. SENTENCING
GUIDELINES MANUAL § 2B1.1(b)(8). Section 2B2.1(b)(1), which applies to burglary and trespass crimes,
allows an enhancement if a crime “involved more than minimal planning.” U.S. SENTENCING GUIDELINES
MANUAL § 2B2.1(b)(1). The use of a computer has been held to warrant application of the “sophisticated
means” enhancement. See United States v. Lascola, 45 Fed. Appx. 5, 8 (1st Cir. 2002). Among other
things, “more than minimal planning” exists “if significant affirmative steps were taken to conceal the
offense.” U.S. SENTENCING GUIDELINES MANUAL § 2B2.1(b)(1), at cmt. n.4.
272. The federal Sentencing Guideline for child pornography permits an enhancement if the
defendant’s “possession of the material resulted” from his using a computer. See U.S. SENTENCING
GUIDELINES MANUAL § 2G2.4(b)(3) (2003). This enhancement is also based on the need to deter
sophisticated offenders. See, e.g., United States v. Fellows, 157 F.3d 1197, 1202 (9th Cir. 1993).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 44

deterrence purposes."273 Basing a sentence on conduct that is not an element of the crime
of which an offender has been convicted is consistent with the approach the Sentencing
Guidelines take to sentencing.274 As explained earlier, the federal Sentencing Guidelines
base sentences on a defendant’s “actual conduct,” rather than on the conduct of which he
was convicted.275 The Sentencing Guidelines, in effect, allow a sentencing court to factor
in the influence of “crime multipliers,” such as the use of computer technology, even
though the multiplier is not itself an element of the offense.276 This approach is based, at
least implicitly, on the proposition that multipliers are a component of the harm resulting
from the commission of a crime.277

¶ 87 We could, therefore, cite the federal Sentencing Guidelines as support if we want to


base the implementation of metrics tracking techniques that complicate the apprehension
and prosecution of offenders on a harms theory. We could justify tracking
cybercriminals’ evasive technologies on the theory that such techniques are part and
parcel of the infliction of harms and are consequently relevant for sentencing, if not for
conviction.278

¶ 88 We could do that. If we did, this aspect of our metrics would focus on the harms
produced by cybercriminal activity. While there is nothing inherently objectionable
about focusing on harms, such an emphasis could limit the metrics we designed. For
example, they might be more concerned with the fit between specific technologies and
harms than with the general impact various technologies have on law enforcement’s
ability to deal with cybercrime. Assume we implement metrics based on the harms
theory. Assume further that we use these metrics, in part, to track how pedophiles use
computer technologies to create and distribute child pornography; one way they use these

273. United States v. Lewis, 93 F.3d 1075, 1080 (2d Cir. 1996) (quoting U.S. SENTENCING
GUIDELINES MANUAL § 2T1.1 comment (background)).
274. See, e.g., The Law of Evidence in Federal Sentencing Proceedings, 177 F.R.D. 513, 513 (1998):
The crime of conviction is merely the starting point (‘base offense level’) to be adjusted
after a series of factual determinations . . .regarding offense characteristics . . .,
defendant's role in the offense, harm to the victim, and other factors. A controversial
feature of the Guidelines requires aggregation for sentencing purposes of all ‘relevant
conduct’--even if the defendant has been acquitted of, or was never even charged with,
committing that conduct. The level calculated after these adjustments marks the point on
the vertical axis of a grid . . ., while defendant's criminal history . . . is measured along
the horizontal axis. The point at which the two lines intersect yields the permissible range
of sentence from which . . . the judge must select.
As noted earlier, the Supreme Court has agreed to decide the constitutionality of the guideline sentencing
system. See supra note 138.
275. See supra notes 144-47 & accompanying text.
276. At least, they currently allow this. See supra note 140. We may, at some point, want to
incorporate the use of computer technology into our offense definitions, just as we have done for firearms.
Compare Ga. Code. Ann. § 16-8-40 (robbery) with Ga. Code. Ann. § 16-8-41 (armed robbery).
277. See supra notes 94-98 & accompanying text. The proposition noted above derives from the need
to maintain internal order in a society. See id. Crimes inflict harms and, in so doing, threaten to undermine
internal order. See id. Multipliers are a part of this process because they increase the harm that results
from the commission of a crime. The use of a “crime multiplier” therefore becomes part of the process of
inflicting harm and, as such, must be taken into account at sentencing to ensure deterrence. See generally
id.
278. But see supra note 140.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 45

technologies is to reduce their chances of being apprehended and prosecuted for breaking
the law.279 Under a harms theory, we would focus on how the technologies are used for
that purpose and we would see them, essentially, as implements for the infliction of the
particular harms associated with child pornography. In so doing, we might ignore other
uses of these technologies, such as to share information about law enforcement tactics
online, information that concerns crimes other than child pornography. Or we might
ignore, misinterpret or misunderstand how the technologies were evolving for use in very
different ways.280

¶ 89 An alternative approach is to structure our metrics not around the harms being
inflicted by cybercrime but around the technologies themselves. This approach focuses
on technology as an implement, not as a component of offense harm; we use an
analogous approach to track the use of firearms in the commission of crimes.281 So
instead of focusing on how child pornographers use steganography, this approach would
focus on steganography itself, i.e., on how it is being used by various types of
cybercriminals. Structuring the metrics around the technologies has two advantages: it
would give us a broader picture of how the various technologies are being used to
conceal the commission of cybercrime or otherwise evade apprehension, and it would let
us track how the use of a specific technology is evolving.

2. Systemic harm cybercrimes

¶ 90 Like the individual harm cybercrimes discussed above, systemic harm


cybercrimes inflict actual harm.282 Systemic harm cybercrimes differ from individual
harm cybercrimes in that systemic harm cybercrimes inflict harms on society’s
infrastructures rather than solely on its citizens.283

¶ 91 Systemic harm cybercrimes inflict two types of harms: aggregated individual


harms and generalized individual harms.284 We can use a hypothetical to illustrate the

279. See, e.g., Eric Hwang, Child Pornography on the Internet, 2002 UCLA J.L. & TECH. Notes 7, at
http://www.lawtechjournal.com/notes/2002/07_020819_hwang.php.
280. One problem with a harms approach is that it assumes a predictable relationship between the
technologies—the multiplier—and harms. This assumption holds for some multipliers, like firearms;
firearms have very limited uses, so it is reasonable make certain assumptions about their role in the actual
or potential infliction of certain types of harms. This assumption does not hold for computer technologies;
for one thing, cybercriminals often utilize legitimate technologies for illegitimate purposes.
281. See, e.g., U.S. Department of Justice—Bureau of Justice Statistics, Firearm Use by Offenders
(2001), at http://www.ojp.usdoj.gov/bjs/pub/pdf/fuo.pdf; U.S. Department of Justice—Bureau of Justice
Statistics, Guns Used in Crime (1995), at http://www.ojp.usdoj.gov/bjs/pub/pdf/guic.pdf.
282. There can also be unrealized efforts to inflict systemic harms; these inchoate harms are discussed
below. See infra Part III(B)(3).
283. See supra Part III(A)(1)(b).
284. There is also a third category: direct systemic harm. Direct systemic harm is not discussed
above because it is a product of terrorism, not cybercrime. While we have not clearly differentiated the
two, it is accurate to characterize cybercrime as an act undertaken for personal motives, such as profit and
revenge, and cyberterrorism as an act undertaken for political motives, namely a desire to advance a
particular ideology. Because cybercrime is undertaken for personal reasons, the systemic harms that
cybercrime inflicts are incidental harms, as is explained above. In other words, when a cybercriminal
attacks citizens of particular society, she does so to benefit herself, not to damage essential components of
the society’s infrastructure; it is presumably not in her interest to damage the society’s infrastructure since

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 46

differences between the two. Assume two scenarios: (i) a dispersed and large-scale
online activity carried out by A-L defrauds 5,000 individuals of $5,000,000;285 and (ii) a
concentrated and limited conduct carried out online by X & Z extracts $25,000,000 from
corporations A and B.286 All the victims are from the United States, and the motive for
both crimes is personal gain.287 Does either or both of these events inflict systemic
harms? If so, why? What makes harm systemic and not individual?

¶ 92 The systemic harm in the first scenario is clearly incidental to inflicting individual
harms on the 5,000 discrete persons. The individual harm in this case is apparent to us,
but the systemic harm may not be. We need to start thinking in terms of systemic harm,
instead of only in terms of individual harms. Historically, criminal law has been
primarily concerned with individual harms. Its initial goals were “compensation or
revenge,”288 and it has assumed the victim-offender dynamic as discussed earlier.289 Yet,
societies have realized, of course, that crimes have broader consequences. For the past
century or so, societies have tracked the incidence and characteristics of crimes in effort
to determine their effects on internal order and quality of life.290 This kind of research,
however, viewed crimes as discontinuous phenomena, which only impact individual
victims and it generated statistics that, for example, track the percentage of individuals
affected by particular crimes in specific time periods.291 This focus on individual
victimization may be appropriate under the traditional notion of crimes, as the twenty-
first century crimes are considered to retain the victim-offender dynamic; that is, while
the state takes cognizance of these crimes, the harms from the crimes primarily impact
those involved in its commission.292

the society provides her with the funds and other rewards she seeks. A cyberterrorist, on the other hand, is
interested not in personal rewards but in attacking a particular societal system in hopes of damaging or
destroying it. Thus, the systemic harms a cyberterrorist inflicts on a society are, therefore, direct systemic
harms. The cyberterrorist attacks the system directly. See, e.g., Brenner & Goodman, supra note 256, at
12-52.
285. See, e.g., The National White Collar Crime Center, Internet Fraud Complaint Center Internet
Fraud Report: January 1, 2002—December 31, 2002, at 13, 15 (2003), available at
http://www1.ifccfbi.gov/strategy/2002_IFCCReport.pdf (last visited Sept. 17, 2004) (Teresa Smith
defrauded over 300 victims for more than $800,000; Raj Trivedi defrauded over 700 individuals for more
than $992,000).
286. See, e.g., Romanian Man Indicted in $10 Million Hack, Associated Press, MSNBC (Aug. 5,
2004), at http://msnbc.msn.com/id/5614132/ (last visited Sept. 17, 2004); Gregory G. Lockhart, Milford
Man Pleads Guilty to Hacking—Intrusion and Theft of Data Cost Company $5.8 million, U.S. Department
of Justice, Press Release (Dec. 18, 2003), available at http://www.cybercrime.gov/baasPlea.htm (last
visited Sept. 17, 2004).
287. Cf. supra note 286.
288. See, e.g., Jennifer Gerarda Brown, The Use of Mediation to Resolve Criminal Cases: A
Procedural Critique, 43 EMORY L.J. 1247, 1254 (1994).
289. See supra Part II(B).
290. See, e.g., Crime and Victims Statistics, U.S. Department of Justice—Bureau of Justice Statistics
(March 2004) available at http://www.ojp.usdoj.gov/bjs/cvict.htm (last visited Sept. 17, 2004).
291. See, e.g., Crime and the Nation’s Households, 2000: With Trends, 1994-2000, U.S. Department
of Justice—Bureau of Justice Statistics, (Sept. 2002) available at http://www.ojp.usdoj.gov/bjs/pub/pdf/
cnh00.pdf (last visited Sept. 17, 2004).
292. Immediate and consequent harm impacts a victim who may lose property, life or intangible
commodities, such as a sense of security. The harm can also have an impact on the perpetrator who in turn
reaps some benefit from the commission of crime.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 47

¶ 93 The crime in the first scenario generates individual harms, but its effects are not
limited to them. The 5,000 individuals defrauded by A-L suffered individual harms, but
their combined victimization also produces an aggregate, systemic harm. Let us assume
that they all fell victims to a “phishing” scam,293 in which the perpetrators used e-mails
and fake Web sites to harvest credit card and social security numbers and other
identifying information. This information was then used to commit identity thefts, credit
card frauds and other types of frauds.294 The resulting aggregate harm has negative
effects on the social system of the victims; it produces loss of confidence in financial
institutions, online commerce and online activities in general.295 Thus, this is a systemic
harm. The aggregate effects of the activities that these cybercriminals carried out for the
purpose of enriching themselves are incidental harms inflicted upon a society’s
infrastructure.

¶ 94 The same result ensues in the second scenario, but in a slightly different way. We
will assume that these perpetrators (X and Z) acted only for the purpose of benefiting
themselves.296 X and Z presumably targeted these corporations because a significantly
greater return than their effort was promised.297 We will assume that Corporation A lost
$15,000,000 and Corporation B lost $10,000,000. These are individual harms, but they
are not the only harms. In addition to the consequential harms,298 there are systemic
harms. When the attacks on the corporations become public knowledge, each corporation
will suffer losses of customer and investor confidence.299 These losses are generalized
individual “harms.”300 The attacks on individual victims have a ripple effect that has
impacts beyond the immediate victims. If the attacks were styled as cyberterrorism, we
would see these losses as harms inflicted by terrorists,301 but because X and Z were
committing a cybercrime, we tend to focus only on the immediate effects of their actions
and ignore the systemic consequences.

¶ 95 There are two reasons why cybercrime metrics need to track the systemic harm, in
addition to the individual harm. First, the systemic harm is a distinct type of harm, which

293. See supra note 15.


294. See, e.g., Bob Sullivan, Consumers Still Falling for Phish, MSNBC.com (July 28, 2004), at
http://www.msnbc.msn.com/id/5519990/ (last visited Sept. 17, 2004).
295. See, e.g., CIOL Bureau, ‘Phishing’ Attacks Lead to Loss of Identity, CIOL.com (May 6, 2004),
at http://www.ciol.com/content/news/2004/104050604.asp (last visited Sept. 17, 2004) (Gartner survey
showed that phishing attacks undermine individual “confidence in the authenticity of e-mail originators,
threatening consumer trust in the very foundation of Internet-based communications.”). These criminal
activities also result in financial losses. See, e.g., John Leyden, Phishing Scams Cost UK Banks £ 1m+,
Register (Apr. 26, 2004), available at http://www.theregister.co.uk/2004/04/26/phishing_scams/ (last
visited Sept. 17, 2004).
296. Cf. supra note 286.
297. See supra notes 110-11.
298. See supra Part III(B)(1)(a).
299. See, e.g., Martin P. Loeb, InfoSec Economics, Security Pipeline (Apr. 15, 2004), at
http://nwc.securitypipeline.com/network/showArticle.jhtml?articleId=18901529&printableArticle=true
(last visited Sept. 17, 2004) (“The real financial damage done by cybercrime stems from breaches of
confidence. Such breaches can drive down revenue over time, and stock market investors take that
possibility into account by lowering their estimation of the worth of the company's stock.”).
300. See supra note 286.
301. Id.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 48

we historically have not taken into account. Second, the systemic harm can be a result of
a phenomenon discussed earlier: crime-as-externality.302 External, private threats to
societal infrastructures and social systems are something new to our experience, as
criminal law had been developed to deal with internal threats to social order.303 We need
to know whether X and Z perpetrated their crimes from within the United States or from
abroad. If they committed the crimes from abroad, we need to know their locations,
nationalities and criminal affinities to the extent possible. Are they, for example, self-
employed Russian cybercriminals?304 Or are they foreign hackers who carried out these
crimes for hire?305 If they were hired, who hired them and why? Systemic harm needs to
be tracked so we can identify the extent to which this harm is the product of internal
versus external threats. This is an essential step in learning about external threats and in
devising strategies for dealing with this distinct type of crime.

¶ 96 Therefore, it is of utmost importance to ensure that cybercrime metrics track


systemic harms. Cybercrime metrics need to parse out certain types of systemic harm
events, such as aggregate individual harm attacks that come from the same external
source and generalized systemic harm attacks that target entities that are essential
constituents of our infrastructures. We must also track aberrant attacks which inflict
systemic harm but in which the usual motives—profit, etc.—appear to be missing.
Aberrant attacks may be instances of cyberterrorism.306

¶ 97 Finally, there are two caveats when dealing with systemic harm. First, in tracking
systemic harms, it is important to limit the scope. Systemic harm can encompass almost
everything. If we consider our computer systems as part of our infrastructure, then any
attack on a computer could be considered a systemic harm, i.e., an attack on our
infrastructure. An essential part of implementing cybercrime metrics is designing a
system that can differentiate true systemic harm from individual harm.

¶ 98 The second caveat also deals with scope. Most surveys dealing with the harms
inflicted by cybercrime have focused on commercial harms, i.e., on cybercrime targeting
corporate and other commercial entities.307 This may reflect an implicit assumption that
the systemic harm inflicted by cybercrime only comes from attacks against business
entities. While it is true that such attacks can inflict significant systemic harm, they are
not the only source of such harm. Therefore, it is also important to track aggregate
individual harm.

302. See supra Part II(B).


303. Id.
304. See, e.g., Ariana Eunjung Cha, Internet Dreams Turn to Crime, Washington Post (May 18,
2003), available at http://www.washingtonpost.com/ac2/wp-dyn/A2619-2003May17?language=printer
(last visited Sept. 17, 2004).
305. See, e.g., Jay Lyman, Online Extortion Bust Highlights Profit, Problem, Tech News World (July
22, 2004), at http://www.technewsworld.com/story/35288.html (last visited Sept. 17, 2004) (noting
“hackers for hire” who “offer to hit sites for certain amounts of time” and “’bot or zombie armies’ . . . that
are available for rental”).
306. See supra note 294.
307. See supra note 3.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 49

3. Inchoate harm cybercrimes

¶ 99 It is useful to divide the inchoate harms resulting from cybercrime into two
categories: inferential inchoate harm and potential inchoate harm. These categories are
not based on intrinsic differences in the types of harms, but on the nature of the conduct
that gives rise to the harm.

¶ 100 We will begin with inferential inchoate harm. Because inchoate crimes are by
definition incomplete,308 all inchoate harms and all inchoate crimes are the product of
inference. With a lack of actual harm, we infer inchoate harm.309 In this context,
however, inferential inchoate harm has a distinct meaning. It denotes the type of harm
that was identified earlier, in considering the harms resulting from the conduct of a
hypothetical fraudster.310 This hypothetical fraudster sent out millions of e-mails as part
of a scheme to defraud individuals out of their credit card numbers and other financial
information.311 His efforts inflicted two types of harm: (i) individual harm consisting of
the losses he inflicts on those whom he successfully victimizes; and (ii) inchoate harm
consisting of the unrealized harm he sought to inflict on those who received his e-mails
but did not respond to them. We addressed the individual harm earlier and deferred
consideration of the inchoate harm until now.312

¶ 101 If the hypothetical fraudster had sent out millions of e-mails and then had
immediately been arrested, he could have been prosecuted for attempting to defraud the
recipients of those e-mails. This would be a classic inchoate crime. The harm resulting
from his conduct would be wholly inchoate—his demonstrated capacity for criminal
conduct.313 Scenarios such as this require extrapolating traditional inchoate principles
into cyberspace. Therefore, one who uses the Internet to hire a hit man is guilty of
solicitation and has generated the inchoate harm associated with that crime.314
Cybercrime metrics should track the migration of inchoate offenses into cyberspace, if
only because it will make it more difficult to apprehend those who are embarking on a
course of criminal conduct. There is nothing problematic about incorporating inchoate
harms into those metrics; because the harms are unrealized, they differ far less in their
online and offline guises than do the actual harms that were discussed earlier.

¶ 102 The original scenario outlined above is not a classic inchoate crime. Our
hypothetical fraudster (i) successfully defrauded a number of unidentified victims and
also (ii) failed to defraud an unspecified number of additional victims. He inflicted an
unknown number of actual harms by committing a number of fraud crimes, but what
about his failures? Can we take them into account or are they, in effect, an attempt that
merged into the completed crimes?315

308. See supra Part III(A)(1)(c).


309. Id.
310. See supra Part III(B)(1)(b)(i).
311. Id.
312. Id.
313. Id.
314. Id.
315. “Attempt is considered a preparatory step that merges into the completed offense.” Neal Kumar
Katyal, Conspiracy Theory, 112 YALE L.J. 1307, 1371 n.238 (2003).

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 50

¶ 103 The answer to that question depends upon how his conduct is construed. If his
efforts are seen as directed toward the commission of a single crime—one scheme to
defraud—then we might conclude that the failed attempts merge into the completed
crime. The conclusion will be different if his conduct is construed as being directed
toward the commission of a series of discrete crimes; here, each email represents a
quantum of harm, realized or unrealized. Therefore, in assessing the harms that our
fraudster inflicted, the best approach is to treat his entire course of conduct as a partially
completed series of crimes.316 He succeeded in victimizing individuals #1-200 and failed
in his attempt to victimize individuals #200-400. In tracking the harms resulting from his
conduct, we should assess (i) what he did and (ii) what he sought to do. The first
assessment was conducted earlier.317 For the second assessment, we can use what he
accomplished to support inferences about what he sought to accomplish. These
inferences are (i) that if these individuals had responded, he would have defrauded them
in the same way as those who did respond and (ii) that in defrauding his putative victims
he would have inflicted quantifiable harms analogous to those he inflicted on his actual
victims. This analysis uses the fraudster’s intent as the gauge of the inchoate harms he
inflicted.318

¶ 104 The inferential inchoate harm category is a satisfactory standard for traditional
inchoate crimes and for conduct that is analogous to traditional inchoate crimes, such as a
partially completed series of offenses. The residual category—potential inchoate harm—
is a hypothetical construct that would encompass harms generated by a new type of
conduct that is found online.

¶ 105 The conduct in question consists of using cyberspace to publicize information that
can be used to commit a crime—anything from copyright violations to murder.319 For
example, an activity that has generated controversy is the publicizing of vulnerabilities in
software. Because these vulnerabilities can be exploited for unlawful purposes, some
argue that publicizing them should trigger criminal liability under an aiding and abetting
theory or under some extension of that theory.320 Another activity that has received
similar criticism is the posting of public personal information about police officers
online. Critics suggest this is tantamount to soliciting injury to the officers or, at the very
least, aiding and abetting those that inflict such harm.321 In the United States, calls to

316. See, e.g., U.S. SENTENCING GUIDELINES MANUAL § 2B1.1 application note 16 (2003) (partially
completed offenses). See also Frank O. Bowman III, A Judicious Solution: The Criminal Law Committee
Draft Redefinition of the "Loss" Concept in Economic Crime Sentencing, 9 GEO. MASON L. REV. 451, 460
(2000) (distinguishing between a completed crime, a partially completed crime and a wholly incomplete
crime).
317. See supra Part III(B)(1)(b)(i).
318. See, e.g., Frank O. Bowman III, U. S. Sentencing Commission Economic Crime Symposium
Briefing Paper on Problems in Redefining "Loss", 13 FED. SENT. R., 2000 WL 33402284 *2 (2000) (“In
inchoate offenses, ‘intended loss’ serves as . . . an important indicator of the degree of risk of actual harm
posed by the defendant's conduct.”).
319. See, e.g., Susan W. Brenner, Complicit Publication: When Should the Dissemination of Ideas
and Data Be Criminalized?, 13 ALB L.J. SCI. & TECH 273, 339-22 (2003).
320. Id. at 404-14.
321. Id. at 386-403.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 51

criminalize this and other types of online publishing fall under the First Amendment.322
Criminal liability cannot be imposed for merely distributing information. To support the
imposition of such liability, the government must prove that the individual responsible
for disseminating the information acted with the purpose of aiding and abetting the
commission of a specific crime.323 If the government can do this, it can prosecute the
individual that is responsible for aiding and abetting the target crime.324 If the
government cannot do this, the individual cannot be prosecuted, even if the information
was used in the commission of a crime.325

¶ 106 This article is interested in cybercrime metrics and is not concerned with
prosecutions. The addition of a potential inchoate harm category in the metrics would be
a possible way of dealing with the conduct outlined above. We could track the
publication of certain types of information that could be directly used to commit certain
crimes, on the theory that this is the potential infliction of an inchoate harm. If the
government can show that an individual acted with the purpose of facilitating the
commission of such a crime, it can prosecute him or her for attempting to aid and abet the
commission of that crime.326 Consequently, the government can intervene and prevent
the information from being used in the commission of the crime. Cybercrime metrics
would track this as an inferential inchoate harm.327

¶ 107 What if the government cannot show that a person acted with the intent of
facilitating the commission of a substantive crime? Such an individual is not guilty of
aiding and abetting the commission of a crime nor of attempting to do so, but the
information she has published can be used to commit a crime. As pointed out in the
earlier example, one who publishes software vulnerabilities is disseminating information
that can be used to commit cybercrime.328 Even though criminal liability cannot be
imposed on someone who does not intend to facilitate a crime, this data is relevant to our

322. Id. at 395-406.


323. Id.
324. Id.
325. Id.
326. See, e.g., MODEL PENAL CODE § 5.01(3). Actually, the facilitator will be prosecuted for
attempting to commit the target crime, since aiding and abetting is not defined as an offense. See, e.g.,
Larry Alexander, Crime and Culpability, 1994 J. CONTEMP. LEGAL ISSUES 1, 29 n.97 (1994).
327. It is useful to track this because the actual commission of the target crime might or might not
involve conduct that would be picked up by cybercrime metrics. For example, consider the following two
scenarios: in the first, someone with a grudge against a police officer finds his home address from a
website and uses that information to locate and murder the officer. In the second scenario, a hacker
discovers a new software vulnerability by visiting a website that posts such information and then uses the
vulnerability to launch an attack on a large corporation. Cybercrime metrics would track the second crime,
but would not track the first because computer technology played a minimal role in the commission of the
murder. This is appropriate, because we need to retain the distinction between crime and cybercrime. See
supra Part II(B). It is also appropriate, however, to track the online conduct that played a material role in
the commission of this real world crime. If nothing else, it will illuminate how strangers can use
cyberspace to facilitate crimes that are committed by someone with whom they have no personal
relationship. This goes to the “difficulty of apprehension” issues discussed earlier. See supra Part II(A)(1).
Real-world accomplices generally have some type of relationship with those whose crimes they facilitate,
which can make it easier to identify and apprehend them.
328. See supra text accompanying note 320.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13


2004 Brenner, Cybercrime Metrics: Old Wine, New Bottles? 52

effort to track cybercrime. It helps us deal with the potential inchoate harms. Putting the
information into the public domain creates conditions that can give rise to the
commission of cybercrime. It would be useful to track the dissemination of such
information, as it might allow us to identify associations among cybercriminals and
patterns in their conduct. Regardless of how we characterize this harm, the conceptual
difficulty is that tracking it would involve the monitoring of perfectly legal activity.
Because the activity in question is by definition public, it would not involve an invasion
of privacy. Moreover, law enforcement agencies already monitor the dissemination of
certain types of information, including software vulnerabilities, on an informal, often ad
hoc basis.

IV. CONCLUSION

¶ 108 Historically, the metrics we use for crime have been ad hoc—embedded
assumptions and calculations derived from centuries of experience with crime. This
system has been satisfactory because crimes and harms are constant. Although we see
variations in the methods used to commit crimes, variations in the extent of harm
inflicted and variations in the types of victims chosen, the core harms and core motives
remain constant.

¶ 109 Cybercrime is different with regard to the methods that are used in its commission
and the tangential harms that result from its commission. Because cybercrime is
different, it eludes the scope of the metrics we use for crime. Those metrics do capture
aspects of cybercrime but they miss important data. Cybercrime-specific metrics are
needed in order to track the traditional and non-traditional aspects of cybercrime. As
noted earlier, we cannot develop responses to cybercrime and institute procedures for
preventing it if we do not understand the phenomenon itself.

¶ 110 Developing cybercrime-specific metrics will be a lengthy and complex process.


We have to decide what aspects of our crime metrics are to be included and excluded;
decide how to identify and quantify the various types of harm resulting from cybercrime;
and decide what peripheral circumstances pertaining to the mechanics of inflicting harm
should be factored into these new metrics. This is a particularly difficult issue because
the metrics we currently use for crime focus on offense harm, instead of focusing on the
process of inflicting harm.

¶ 111 This article is intended as a first step in the process of developing cybercrime
metrics. While these metrics will not be based on particular legal principles, the overall
theory used to develop cybercrime-specific metrics must be grounded in the doctrines
that govern the imposition of criminal liability. Cybercrime is, after all, simply crime.

Vol. 9 VIRGINIA JOURNAL OF LAW & TECHNOLOGY No. 13