Professional Documents
Culture Documents
Cybercrime Metrics:
Old Wine, New Bottles?
SUSAN W. BRENNER†
ABSTRACT
© 2004 Virginia Journal of Law & Technology Association, at http://www.vjolt.net. Use paragraph
numbers for pinpoint citations.
† Susan W. Brenner is NCR Distinguished Professor of Law and Technology at the University of
Dayton School of Law. Professor Brenner has spoken at numerous events, including Interpol’s Fourth and
Fifth International Conferences on Cybercrimes, the American Bar Association’s National Cybercrime
Conference, the American Bar Association’s 2003 & 2002 Annual Conferences, the Asia Pacific Fraud
Conference, the International Society for Criminology’s XIII World Congress in Rio de Janeiro, the
National District Attorneys Association’s National Conference, the National Association of Attorneys
General’s cybercrime training program and the Hoover Institution’s Conference on International
Cooperation to Combat Cyber Crime and Terrorism, held at Stanford University. She spoke on cybercrime
legislation at the Ministry of the Interior of the United Arab Emirates, presented a graduate seminar at
CERIAS – Purdue University, spoke at the 2004 Yale Law School Conference on Cybercrime and Digital
Evidence and at the 2004 CTOSE Conference on Cyber Security and Electronic Evidence held in
Edinburgh, Scotland. She served as Chair of the International Efforts Working Group for the American
Bar Association’s Privacy and Computer Crime Committee, serves on the National District Attorneys
Association’s Cybercrimes Committee, is Chair of the National Institute of Justice - Electronic Crime
Partnership Initiative’s Working Group on Law & Policy, and is a participant in the National Institute of
Justice-CCIPS Digital Evidence project.
TABLE OF CONTENTS
I. Introduction................................................................................................................. 1
II. Crime or Cybercrime?................................................................................................. 3
A. Cybercrime? ........................................................................................................ 5
1. Apprehension .............................................................................................. 6
2. Scale ............................................................................................................ 9
3. Evidence.................................................................................................... 11
4. Sum ........................................................................................................... 12
B. Crime/Cybercrime............................................................................................. 12
III. Metrics ...................................................................................................................... 20
A. Crime Metrics ................................................................................................... 20
1. Injury ......................................................................................................... 21
2. Culpability................................................................................................. 27
B. Cybercrime Metrics........................................................................................... 32
1. Individual harm cybercrimes..................................................................... 32
2. Systemic harm cybercrimes ...................................................................... 45
3. Inchoate harm cybercrimes ....................................................................... 49
IV. Conclusion ................................................................................................................ 52
I. INTRODUCTION
Metric . . . a standard of measurement. . . .1
¶2 We have never done this,3 even though the term “cybercrime” and its various
of identifying what is, and is not, a cybercrime.5 Indeed, we have no basis for
determining whether or not there is cybercrime; that is, whether there really is a class of
unlawful activity that is distinct from crime.6
¶ 3 This article explores the utility and viability of developing cybercrime metrics.
Section II considers whether cybercrime and crime are distinct phenomena, and
concludes they are sufficiently differentiated to warrant an inquiry into the need for
cybercrime metrics. Section III conducts that inquiry; it examines our experience with
crime metrics and extrapolates from that experience to analyze how we might employ
metrics for cybercrime. Finally, Section IV provides a brief conclusion.
Is it a cybercrime for John to meet Mary on the Internet, correspond with her and
¶4
use e-mail to lure her to a meeting where he kills her? News stories often describe
conduct such as this as a cybercrime, or as “Internet murder.”7 But why is this anything
other than murder? We do not, for example, refer to killings orchestrated over the
telephone as “tele-murder” or by snail mail as “mail murder.” 8
¶5 It seems that this is not a cybercrime, that it is simply a real-world crime the
commission of which happens to involve the use of computer technology. However,
there may be reasons to treat conduct such as this differently and to construe it as
something other than a conventional crime. 9 Those differences become apparent when
we consider another cybercrime: online fraud. Fraud takes many different forms online:
419 scams,10 auction fraud,11 credit card fraud,12 identity theft,13 phishing,14 and
investment fraud15 are the most commonly-encountered varieties of online fraud.16 But
while it takes on new forms online, fraud is fraud; online scams are versions of schemes
that have been around for centuries.17 The federal mail fraud statute, for example, was
enacted in 1872 to provide a way of “dealing with the many frauds and swindles
occurring across the country conducted via the U.S. mails.”18 Even earlier, “almost 300
years ago the South Sea Bubble, the high tech of its day, lured investors with . . . the hope
of riches from the new world, only to collapse amid recriminations against directors and
‘stock-jobbers.’”19 And while modern identifiers such as credit cards and Social Security
numbers may have made identity theft more prevalent, the notion of using another’s
identity to enrich oneself is far from new.20
A. Cybercrime?
¶ 7 One such circumstance is the lack of necessary proximity between the victim and
the perpetrator when a crime is committed. Both online fraud and the “Internet murder”
scenario outlined above involve remote conduct.21 Both are perpetrated in whole or in
88 (3d ed. 1982). See also Stuart P. Green, Lying, Misleading, and Falsely Denying: How Moral Concepts
Inform the Law of Perjury, Fraud, and False Statements, 53 HASTINGS L.J. 157, 182-86 (2001); LAWRENCE
M. FRIEDMAN, CRIME AND PUNISHMENT IN AMERICAN HISTORY, 195-97 (1993).
18. Gregory Howard Williams, Good Government by Prosecutorial Decree: The Use and Abuse of
Mail Fraud, 32 ARIZ. L. REV. 137, 140 (1990). Congress was concerned about crooked lotteries and “gift
schemes,” along with “frauds which are mostly gotten up in the large cities . . . by thieves, forgers, and
rapscallions generally, for the purpose of deceiving and fleecing the innocent people in the country.” Id. at
140-41 (quoting Representative Farnsworth). See also Act of July 27, 1868, ch. 246, § 13 Stat. 196. For a
fictional account of mail fraud as it was practiced in mid-nineteenth century Britain, see Charles Dickens,
The Begging Letter Writer, available at http://www.readbookonline.net/readOnLine/2540/ (last accessed
Sept. 18, 2004).
19. Larry E. Ribstein, Market vs. Regulatory Responses to Corporate Fraud: A Critique of the
Sarbanes-Oxley Act of 2002, 28 J. CORP. L. 1, 19 (2002). In another view:
Investment fraud is a time-honored tradition. As far back as the 1700s, con artists on
London's Exchange Alley were using a ‘pump and dump’ scheme to defraud investors.
The . . . scheme . . . was simple but effective: the price of worthless shares of the ‘South
Sea Bubble,’ a South American trading company, was inflated by false rumors of
profitability spread about the company by owners of the shares, who then sold the shares
at a substantial profit after the price of the shares increased. . . .
Kevin C. Bartels, Note, "Click Here to Buy the Next Microsoft:" The Penny Stock Rules, Online
Microcap Fraud, and the Unwary Investor, 75 IND. L.J. 353 (2000). For a description of the
South Sea Bubble and other pre-twentieth century frauds, see, e.g., CHARLES MACKAY,
EXTRAORDINARY POPULAR DELUSIONS AND THE MADNESS OF CROWDS (1841), available at
http://www.litrix.com/madraven/madne001.htm (other “bubbles” plus the “Mississippi scheme”)
(last accessed Sept. 18, 2004).
20. See, e.g., McIntire v. Pryor, 173 U.S. 38, 53-54 (1899); Jones v. State, 22 Fla. 532, 534-36, 1886
WL 1245 *2-*3 (Fla.). See also David Loth, Cassie Chadwick, in THE SUPER CROOKS 74 (Roger M.
Williams, ed. 1973) (discussing Chadwick’s defrauding of banks out of millions by pretending to be the
illegitimate daughter of Andrew Carnegie).
21. For more on this issue, see Susan W. Brenner, Toward A Criminal Law for Cyberspace:
Distributed Security, 10 BOSTON U. J. SCI. & TECH. L. 1, 50 (2004) [hereinafter Brenner, Criminal Law for
Cyberspace].
part by the use of computer technology, which lets the parties to a crime communicate
from a distance. Historically, fraud has been a face-to-face event, primarily because face-
to-face communication was the norm.22 Even when remote communication—i.e., snail
mail—could be used to set up a fraudulent transaction, it was often still necessary for the
parties to meet and consummate the crime with a physical transfer of the tangible
property being obtained by deceit.23 Modern technology changes that by automating
fraud; perpetrators can use fraudulent e-mails and fake websites to scam thousands of
victims located around the globe, and may expend less effort in doing so than their
predecessors used to defraud a single victim.24 This capacity to automate crime
differentiates online fraud from real-world fraud in at least two important respects: it is
far more difficult for law enforcement officers to identify and apprehend online
fraudsters, and these offenders can commit crimes on a far broader scale than their real-
world counterparts.25
1. Apprehension
¶8 There are several reasons why law enforcement officers find it difficult to identify
and apprehend online fraudsters.26 One reason is that they can use technology to conceal
their identities and physical location, thereby frustrating law enforcement’s efforts to find
them. Our model of law enforcement assumes the commission of an offense involves
physical proximity between perpetrator and victim. This assumption has shaped our
approaches to criminal investigation and prosecution.27 Real-world criminal
investigations focus on the crime scene as the best way to identify a perpetrator and tie
him to the crime,28 but in automated crime there may either be no crime scene or there
may be many crime scenes, with pieces of the offense scattered throughout cyberspace.29
Identifying an electronic crime scene can be a daunting task when the perpetrator may
have routed his communications with the victim through computers in three or four
countries, with obscure networks that are inaccessible to investigators.30 Additionally,
perpetrators can compound the difficulty of the task by using technology to achieve a
level of anonymity unknown in the real world or to assume the identity of an innocent
person, whose apparent involvement may confuse investigators and cause delays which
make it that much easier for the real criminal to avoid apprehension.31
32. See, e.g., Brenner, supra note 26 at 348-54; Marc D. Goodman & Susan W. Brenner, The
Emerging Consensus on Criminal Conduct in Cyberspace, supra, 2002 UCLA J. L. & TECH. 3, 4-6 (2002).
33. See, e.g., Goodman, supra note 32, at 73-76, 83-88.
34. See, e.g., Howard S. Erbstein, Palm Trees Hide More Than Sunshine: The Extraterritorial
Application of Securities in Haven Jurisdictions, 13 DICK. J. INT’L L. 441, 444-63 (1995) (bank secrecy
havens). See also Mariano-Florentino Cuéllar, The Tenuous Relationship Between the Fight Against
Money Laundering and the Disruption of Criminal Finance, 93 J. CRIM. L. & CRIMINOLOGY 311, 449-55
(2003).
35. The obvious analogy is to the high-seas piracy countries sponsored, then tacitly accepted and
finally outlawed under pressure from other countries. See, e.g., JANICE E. THOMPSON, MERCENARIES,
PIRATES AND SOVEREIGNS: STATE-BUILDING AND EXTRATERRITORIAL VIOLENCE IN EARLY MODERN
EUROPE 21-42, 107-42 (1994). See also id. at 116 (stating that “[b]y the early nineteenth century, European
state leaders charged the state with responsibility for controlling piracy in its own territorial waters. Backed
with the threat of coercion, this charge said in effect: You cannot simply disclaim responsibility for piracy
in your territorial waters, regardless of who its victims are or how much you may profit from it. To be
recognized as sovereign, a state must control piracy within its jurisdiction”).
36. See, e.g., id. at 148-49 (stating that “[w]hile brute force—the traditional state's
solution—was used . . . the permanent solution came only with changes in international and
municipal law. . . . [W]hen the British state decided to act against piracy, it did not simply send
out the navy to physically destroy the pirates. Rather, it reformed its . . . legal system and . . .
offered . . . inducements to the pirates to rejoin society as normal citizens. The Chinese and others
did the same. . . . [so] the state's coercive solution gave way to the national state's legalistic
solution. . .”). See also supra note 35.
37. See, e.g., Goodman, supra note 32, at 74-76 (emphasis added):
[L]aw has evolved to maintain order within a society. Each nation-state is concerned with
fulfilling its obligations to its citizens. . . . [N]o nation can survive if its citizens are free
to prey upon each other. But what if they prey upon citizens of another society? What if
the citizens of Nation A use cyberspace to prey upon the citizens of Nations B and C? Is
this a matter that is likely to be of great concern to Nation A?
There are . . . historical precedents for this type of behavior that may shed some light on
what will ensue in cyberspace. The most analogous . . . involve high-seas piracy and
intellectual piracy. . . .
Both . . . involved instances in which societies were willing to allow (or even encourage)
their citizens to steal from citizens of other societies. In both, the focus was on crimes
against property . . .; the motivation was purely economic. . . .[T]he conduct took place at
the ‘margins’ of the law: high-seas piracy occurred outside the territorial boundaries of
any nation and therefore outside the scope of any laws; eighteenth-century American
¶ 10 As explained above, online criminals can easily, and invisibly, target victims in
another country. Unlike the high-seas pirates whose activities are truly outside the law,
online criminals can obey the laws and enjoy the protections of Country A while
variously victimizing citizens of Countries B-Z. This creates the potential for a conflict
between national legal systems: high-seas pirates’ ability to operate outside territorially-
based law was eliminated by defining piracy as an offense against the law of nations that
could be prosecuted by any country which captured an offender.38 This very effective
strategy applies territorially-based law to activity that occurs outside the territory of any
nation-state, and it works because high-seas piracy consists of conduct—e.g., murder,
rape, theft—that is unacceptable within any legal system.39 This strategy cannot,
however, be used against online criminals because they generally do not operate outside a
legal system. Online criminals, by default, are usually in the territory of a particular
nation-state when they commit their crimes. They therefore function within a legal
system and may be able to use that circumstance to fend off efforts to secure their
extradition for prosecution in a state whose citizens they have victimized.40 And while an
effort is underway to establish a baseline of consistency in national laws targeting online
crimes,41 it cannot—at least for the foreseeable future—achieve the global, universal
condemnation that proved so effective in discouraging high-seas piracy.42 Unlike high-
intellectual property piracy occurred . . . when the legal status of intellectual property as
‘property’ was still evolving. Both . . . were outlawed when they became economically
disadvantageous for the host countries. . . .
One can, therefore, hypothesize that countries may be inclined to tolerate their citizens’
victimizing citizens of other nations if (a) the conduct takes place at the margins of the
law . . . and (b) results in a benefit to the victimizing nation. The former gives the
victimizing nation . . . plausible deniability when confronted with its tolerance of illegal
activity; the latter is an obvious motive for tolerating the activity. . . .
38. RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW § 404 ¶ 1 (1987) (quoting U.S. v. Smith,
18 U.S. (5 Wheat.) 153, 161-62 (1820)).
39. See, e.g., Goodman, supra note 32, at 70-76.
40. See id. at 4-6, 73-76, 83-88. See, e.g., Ariana Eunjung Cha, Internet Dreams Turn to Crime,
Washington Post (May 18, 2003), available at http://www.washingtonpost.com/ac2/wp-dyn/A2619-
2003May17?language=printer (last visited Sept. 21, 2004):
[Vasiliy] Gorshkov and [Alexey] Ivanov were scouring the Internet looking for security
vulnerabilities in the computer networks of American corporations. When they found a
way in, they would steal credit card numbers or other valuable information. They would
then contact the site's operator and offer to “fix” the breach and return the stolen data—
for a price.
Within a few months, banking, e-commerce and Internet service providers across the
country . . . became victims. . . . . The men would eventually expose American businesses
to perhaps tens of millions of dollars in losses. . . .
International law is often ill suited to deal with the problem, with conflicting views on
what constitutes cybercrime, how – or if – perpetrators should be punished and how
national borders should be applied to a medium that is essentially borderless.
“We don't think about the FBI at all,” Gorshkov told a potential business partner.
“Because they can't get us in Russia.”
41. See Council of Europe, Convention on Cybercrime (ETS No. 185), available at
http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (last visited Sept. 21, 2004). See also
Goodman, supra note 32, at 67-69.
42. See, e.g., Susan W. Brenner, Distributed Security: A New Model of Law Enforcement, JOURNAL
OF INTERNET LAW (forthcoming 2004):
seas piracy, online crime is not a simple constellation of offenses; it is an intricate array
of behaviors, many of which are generally regarded as unlawful, but others of which are
accepted in varying degrees.43 As long as inconsistencies and gaps in substantive
criminal law persist, online criminals will take advantage of them.
2. Scale
¶ 11 Real-world crime tends to be one-to-one crime, involving one perpetrator and one
victim.44 A crime commences when victimization of the target is begun and ends when
the victimization is concluded; during which time the perpetrator focuses her attention on
consummating that specific crime. When it is complete, she can move on to another
crime and another victim.45 In this way, real-world crime is generally serial crime.46
Offenders can use technology to exponentially increase the number of crimes they can
commit within a given time period,49 which creates new problems for law enforcement.
crime, in addition to the real-world crimes with which law enforcement must still deal,53
further stretching resources that are already struggling to deal adequately with real-world
crime.54
3. Evidence
fraud is much higher than that of their nineteenth century counterparts because their pool of potential
victims is exponentially larger. Modern swindlers also run little, if any, risk of detection: They can
conceal their identities and operate from countries where the laws are hospitable or law enforcement is
approachable. They can also devise and implement new scams quickly, so they may have multiple scams
going at the same time. They also have access to online resources like E-gold and Web Money to launder
the proceeds, making it that much more difficult for law enforcement to track them down. See E-Gold, at
http://www.e-gold.com/e-gold.asp?cid=624985; WebMoney, at http://www.wmtransfer.com/. See, e.g.,
Bob Sullivan, A $55,000 Net Scam Warning, MSNBC (Jan. 23, 2003), at
http://msnbc.msn.com/id/3078503/.
53. See Brenner, Criminal Law for Cyberspace, supra note 22, at 66-68.
54. See id.
55. For a definition of digital evidence, see Carrie Morgan Whitcomb, An Historical Perspective of
Digital Evidence: A Forensic Scientists’ View, International Journal of Digital Evidence (2002), at
http://www.ijde.org/archives_home.html (stating that “[d]igital evidence is any information of probative
value that is either stored or transmitted in a binary form . . . [and] includes computer evidence, digital
audio, digital video, cell phones, digital fax machines, etc.” ).
56. See, e.g., BRUCE L. BERG, POLICING IN MODERN SOCIETY 203-20 (1999).
57. See, e.g., United Kingdom National High-Tech Crime Unit, Good Practice Guide for Computer
Based Electronic Evidence 9-22 (2003), available at http://www.nhtcu.org/ACPO%20Guide%20v3.0.pdf.
58. See, e.g., U.S. Department of Justice, National Institute of Justice, Forensic Examination of
Digital Evidence: A Guide for Law Enforcement 11 (2004), available at http://www.ncjrs.org/pdffiles1/
nij/199408.pdf.
59. See id. at 16-17 (talking about recovering deleted files and dealing with data-hiding techniques
like steganography). See also Gary C. Kessler, An Overview of Steganography for the Computer Forensics
Examiner, available at http://www.wetstonetech.com/f/stego-kessler.pdf.
60. See, e.g., Erin Kenneally, Computer Forensics: Beyond the Buzzword, LOGIN: THE MAGAZINE
OF USENIX & SAGE, Aug. 2002, at 8, 10, available at http://www.usenix.org/publications/login/2002-
08/pdfs/kenneally.pdf:
The traditional approach when investigators . . . encounter a crime scene with a computer
was to seize everything. . . . However, this . . . is no longer feasible in a society where . . .
information is increasingly being stored, transmitted, and created in digital form. . . .
[T]he cost of storage media has declined appreciably, yet the man-hour resources and
¶ 15 These aspects of digital evidence create additional challenges for law enforcement.
Investigators must be trained to locate, preserve, and analyze digital evidence; and they
must be given the tools—hardware and software—needed to carry out these tasks. Since
computer technology is constantly evolving, these are ongoing and expensive
requirements. It is difficult, if not impossible, for most local agencies to maintain and
equip the investigative staff needed to deal effectively with online crimes, particularly the
more complex varieties of online crime.61
4. Sum
¶ 16 Online crime does differ from traditional, real-world crime in several important
respects. The issue to be resolved is whether these differences are sufficient to warrant
classifying online crime as a new phenomenon: cybercrime. The next section addresses
this issue.
B. Crime/Cybercrime
¶ 17 As the above quotation implies, the function of criminal law is to maintain order in
a society.62 To that end, societies adopt laws that are designed to maintain the integrity of
certain vital interests: the safety of persons, the security of property, the stability of the
state, and the sanctity of particular moral principles.63 As one commentator noted, “[n]o
society can survive if its constituents are free to injure each other, to appropriate each
other’s property, to undermine the political order and/or to flout the moral principles the
citizenry hold dear.”64
¶ 18 Every society will therefore implement laws that define a repertoire of (i) crimes
against persons (e.g., murder, assault, rape), (ii) crimes against property (e.g., theft, arson,
fraud), (iii) crimes against the state (e.g., treason, riot, obstructing justice), and (iv)
¶ 19 One proposition is a constant in the criminal law of every society: each crime
targets the infliction of a distinct and socially intolerable harm.70 Part II considered two
putative cybercrimes: “Internet murder” and online fraud, and concluded that both
represent nothing more than the commission of traditional crimes by non-traditional
means. This is also true of the other putative cybercrimes. “Computer theft” consists of
using computer technology to take someone’s property without their consent; “computer
forgery” is using computer technology to falsify documents.71 “Cyberstalking” consists
crimes—are now subject to federal criminal prosecution”). See generally Stuart P. Green, Plagiarism,
Norms, and the Limits of Theft Law: Some Observations on the Use of Criminal Sanctions in Enforcing
Intellectual Property Rights, 54 HASTINGS L.J. 167, 240-41 (2002) (stating that the law of intellectual
property crimes relies on theft, fraud and forgery paradigms). Intellectual property crimes tend to be
specialized versions of statutes that criminalize the theft of intangible property; in both, the
conceptualization of “theft” has to be modified so that it is not a zero sum proposition and can, therefore,
reach the copying of data or other intangible property. See, e.g., State v. Schwartz, 173 Ore. App. 301,
317, 21 P.3d 1128, 1137 (Ore. App. 2001), stating that under Oregon Rev. Stat. § 164.015:
[T]heft occurs . . . when a person ‘takes’ the property of another. ‘Take’ is a broad term
with an extensive dictionary entry. Webster's Third New Int'l Dictionary, 2329-31. . . .
The first definition of ‘take’ is "to get into one's hands or into one's possession, power, or
control by force or stratagem. . . " [Id.] at 2329. . . . . Black's defines ‘take’ to include
"[t]o obtain possession or control. . . ". Black's Law Dictionary, 1466 (7th ed. 1999). . .
Turning back to the . . . statute under which defendant was charged, we note that the
legislature contemplated that ‘theft’ . . . could be exercised upon, among other things,
‘proprietary information.’ ‘Proprietary information’ includes “scientific, technical or
commercial information . . . that is known only to limited individuals within an
organization . . . ” [Oregon Rev. Stat. § 164.322(1)(j).] Proprietary information, like the
passwords and password files at issue here, is not susceptible to exclusive possession; it
is information that . . . can be known by more than one person. Nevertheless, the
legislature indicated that it could be subject to ‘theft’. . . . We conclude that the state
presented sufficient evidence to prove that, by copying the passwords and password file,
defendant took property of another, namely Intel, and that his actions, therefore, were for
the purpose of theft.
72. Cf. Brenner, supra note 5, at ¶¶ 61-68. As our experience with cyberstalking evolves, it has
become apparent that it does not involve the infliction of new harms; the problems encountered in using
traditional stalking and threat statutes to address computer-facilitated stalking was not that the harm was
different but that they were too narrow in scope. They required an actual threat of physical harm, instead of
encompassing the more subtle forms of harassment an online stalker can inflict. In a sense, cyberstalking
and cyberharassment are lineal descendants of the obscene or annoying telephone call offenses that were
created roughly a century ago, to address harms resulting from the misuse of a nineteenth century
technology. See Brenner, supra note 5, at ¶ 68. See, e.g., Mass. Gen. Laws Ann. 265 § 43 (criminalizing
use of “a telephonic or telecommunication device including, but not limited to, electronic mail, internet
communications and facsimile communications” to transmit a threat or to engage “in a knowing pattern of
conduct or series of acts . . . directed at a specific person which seriously alarms or annoys that person and
would cause a reasonable person to suffer substantial emotional distress.”).
73. See, e.g., Brenner, supra note 5, at ¶¶ 77-86.
74. See id.
75. See id. at ¶¶ 73-76.
76. See id. at ¶¶ 69-72.
77. See id. at ¶¶ 69-72.
78. See id. at ¶¶ 59-60.
79. See, e.g., United States v. Scott, 42 Fed. Appx. 264, 265 (10th Cir. 2002) (using emails to
extort).
80. See Brenner, supra note 5, at ¶¶ 95-98.
81. See id. at ¶ 76.
¶ 20 That may or may not be the final conclusion on this issue. Our experience of
computer technology and its use to inflict harms is, after all, still in its infancy. Could it
be that we are seeing the emergence of cybercrime? That is, could it be that we are
seeing the development of what will evolve into a truly distinct variety of crime—a fifth
category added to the four outlined above?82 That is possible, but unlikely. Crime, in all
its manifestations, is about the infliction of socially intolerable harms. The four
categories outlined above encompass all the harms human ingenuity has been able to
devise since mankind contrived society.83 While it is quite certain we will use our
ingenuity to come up with different ways of inflicting harm upon each other, it is highly
improbable, to say the least, that we will devise new harms. Even if, for example, we
someday develop technology that allows us to literally steal another’s identity or alter or
erase another person’s memories,84 those are not new harms, they are simply new ways of
inflicting harm upon a person.85 It is therefore reasonable to assume that the present state
of affairs in which computer technology is implemented to commit crimes will continue.
The use of computer (and other) technology for this purpose may well accelerate until its
effects permeate much of crime,86 but this does not alter the underlying structure of the
crimes, just as the proliferation of motor vehicles did not transform crime into “car
crime.”87
¶ 22 That is a difficult question to answer, because as Part III explains, we have never
broken these factors out as independent variables in our approach to crime. We consider
the harm a particular offense or particular type of offense inflicts (i) when we define the
offense and (ii) when we articulate the appropriate sentence for that offense. Since we
have just concluded that cybercrime is, in fact, merely crime, it seems this assessment has
already been made. If we were to decide that the extant crimes calculus does not
adequately take into account the scale on which harms can be inflicted by utilizing
computer technology, we could make the use of computer technology an aggravating
factor in sentencing, just as we do with firearms.90 Neither of these approaches would
require our identifying and utilizing cybercrime metrics, and neither would address the
residual issue, i.e., the fact that computer technology makes it much more difficult for
law enforcement to apprehend cybercriminals. 91 This residual issue is not a matter we
have incorporated into our crime-harm calculus. As Part III explains, we criminalize acts
particular, unique class of crime. If all crime becomes cybercrime, there is no need to differentiate the two.
We would simply have crimes being committed differently than they were 20, 40, or a 100 years before.
87. The analogy is not as strained as it may seem. The proliferation of motor vehicles presented law
enforcement with challenges it had not faced before, challenges that are comparable to, though of lesser
magnitude than, those posed by computer technology. Motor vehicles gave criminals the ability to quickly
flee the scene of the crime and, often, to cross-jurisdictional borders, which frustrated law enforcement’s
ability to track and apprehend them. See, e.g., Brooks v. United States, 267 U.S. 432, 438-39 (1925):
It is known of all men that the radical change in transportation of persons and goods
effected by the introduction of the automobile, the speed with which it moves, and the
ease with which evil-minded persons can avoid capture, have greatly encouraged and
increased crimes. One of the crimes which have been encouraged is the theft of the
automobiles themselves. . . . Elaborately organized conspiracies for the theft of
automobiles and the spiriting of them away into some other State and their sale . . . far
away from the owner . . . have roused Congress. . . . The quick passage of the machines
into another State helps to conceal the trail of the thieves, gets the stolen property into
another police jurisdiction and facilitates the finding of a safer place in which to dispose
of the booty at a good price.
88. See supra Part III for a discussion of metrics.
89. See supra Parts II(A)(1) and II(A)(2).
90. See supra Part III(B)(1)(b)(i) for a discussion of scale and a comparison of automation in
cybercrime to firearms in real-world crime.
91. See supra Parts II(A)(1) and II(A)(3).
taken to interfere with the prosecution of an offender, but not acts taken to prevent her
apprehension.
¶ 23 Part III of this article discusses metrics. However, we cannot proceed to consider
metrics unless and until we resolve the outstanding issue: are increased difficulty of
apprehension and increased magnitude of inflicted harms appropriate predicates for the
articulation and implementation of cybercrime metrics?
¶ 24 They are, for reasons that have nothing to do with the way we have always
approached crime. As noted earlier, the function of criminal law is to maintain order
within a society by discouraging those who populate that society from preying on each
other.92 The traditional model of law enforcement evolved to implement the laws that are
designed to achieve this order by apprehending those who commit crimes and seeing that
they are sanctioned for their misdeeds.93 We assume sanctioning apprehended offenders
maintains order by deterring (and incapacitating) them from re-offending and by
deterring others from following their example.94 Of course, not all offenders are
apprehended and sanctioned, but because life and crime are both grounded in the real,
physical world, enough are sanctioned and apprehended to create a climate in which the
perceived risk serves as an effective disincentive to commit crimes.95 The result is an
effective crime control strategy, the effects of which are complemented by other
strategies that maintain external order, i.e., that secure the society’s relations with its
external environment and with other societies. 96
¶ 25 Online crime eludes these strategies, and in that regard it is truly distinguishable
from traditional crime. Online criminals operate in the virtual world and are therefore not
subject to the physical and territorial constraints that govern conduct in the real world.97
Their crimes are not necessarily internal events; it is at least as easy for a Nigerian
fraudster to defraud someone in the United States as it is for him to victimize his
neighbor.98 Territory, which is the foundation of our approach to crime, consequently
becomes irrelevant in the arena of online crimes.99 Territory defines the scope of a
society’s law and the reach of its law enforcement officers.100 By eluding the effects of
territory, online crime becomes something other than crime—not in a legal, doctrinal
sense, but in a pragmatic sense. The rules, institutions and assumptions we rely upon to
maintain order and stability within our societies become problematic because they are not
designed to deal with external crime, that is, with external threats to internal order.101 In
that sense, online crime is cybercrime, i.e., it is a distinct phenomenon.
¶ 26 The pragmatic distinctiveness of cybercrime also derives from the other aspect of
online crime, the scale with which computer-facilitated harms can be inflicted. We noted
earlier that crimes generally involve one victim and one perpetrator, but cybercrimes can,
and often do, consist of one perpetrator’s inflicting harm upon many victims.102 This
circumstance goes to one aspect of the scale of the harm a given perpetrator can inflict; a
fraudster using automated techniques can defraud a thousand victims as easily as his real-
world counterpart can defraud one. In this scenario, the fraudster exceeds the scale of
real-world crime with the essentially simultaneous commission of a thousand crimes,
something that would be impossible in the real world.103 This is the commission of
discrete crimes on a vastly enhanced scale.
¶ 27 The scale of cybercrime can also exceed that of real-world crime in another way,
the degree of harm inflicted by a single event, by a single crime. Consider bank robbery.
In the United States, the “average amount netted from an individual [real-world] bank
robbery is less than $8,000.”104 While bank robbery is a common occurrence, the scale of
the harm resulting from each incident is small.105 Compare this with an incident that
occurred in 1995 when Russian hacker Vladimir Levin and his associates transferred $12
million surreptitiously, and illegally, from Citibank customer accounts.106 The $12
million was transferred in increments, each of which far exceeded the $8,000 average for
a real-world bank robbery.107 The Levin incident is ancient in Internet time, but it reveals
the other scale aspect of cybercrime; single attacks, single crimes, can inflict harms on a
scale that are functionally impossible in the real world.
¶ 28 The Levin incident also illustrates another aspect of the scale issue—the external
threat. As computer technology makes national borders irrelevant, wealthy countries will
find themselves increasingly the object of undesired attention from hackers—
101. Brenner, Criminal Law for Cyberspace, supra note 22, at 45-46.
102. See Part II.A.2 supra.
103. See supra note 49 and accompanying text. See, e.g., U.S. Department of Justice, Special Report
on “Phishing,” at http://www.usdoj.gov/criminal/fraud/Phishing.pdf. See also Cyber Blackmail Targets
Office Workers, CNN.com (Dec. 29, 2003), at http://www.cnn.com/2003/TECH/internet/12/29/
cyber.blackmail.reut/ (discussing automated fraud techniques).
104. FBI, CRIME IN THE UNITED STATES 2002, 305 (2002), available at http://www.fbi.gov/ucr/
cius_02/pdf/5sectionfive.pdf.
105. In addition to the small scale of harm, the chances of being apprehended are also very high.
According to the FBI, “the clearance for bank robbery was 57.7 percent in 2001. This is a relatively high
clearance rate when compared with that of other . . . crimes. Only murder, at 62.4 percent, has a higher
percentage of crimes cleared by arrest.” Id. at 303 (citations omitted).
106. See, e.g., William M. Carley and Timothy L. O’Brien, Cyber Caper: How Citicorp Was Raided
and Funds Moved Around the World, WALL ST. J., Sept. 12, 1995, at A1, available at 1995 WL-WSJ
9899337.
107. See id. (noting, for example, transfers of $188,000, $717,000 and $901,000).
cybercriminals—in other countries. The notorious bank robber Willie Sutton108 allegedly
said, when asked why he robbed banks, “because that’s where the money is.”109 The
same can be said for cybercrime, at least for financially motivated cybercrime.
Individuals and entities in wealthier countries are “where the money is,” and therefore
present tempting targets for online criminals in their own and in other countries. The fact
that the wealthy are targets of criminal opportunists is not new; what is new is that their
target status has become essentially unbounded. They can no longer assume the threats
they face are internal threats, i.e., threats from their compatriots; their threat parameters
must now encompass the possibility of attacks launched anywhere on the globe.
¶ 29 Finally,there is a third aspect to the scale issue. Attacks like Levin’s assault on
Citibank are not merely crime, because so much of our personal and business activities
are conducted online, external attacks on our computer systems, on our companies and on
ourselves become de facto or de jure attacks on our critical infrastructure.110 The lines
between cybercrime, “cyberterrorism” and “information warfare” are blurry, and will
become more so.111 Our assumptions that crime (i) is internal and (ii) can be dealt with
using the rules, institutions and processes we have evolved over the last several centuries
no longer holds.112 External actors can penetrate our borders, attack our civilians and
inflict harms the effects of which exceed the discrete individual harms that are captured
by our criminal law.113
¶ 30 We must devise new approaches to dealing with this new phenomenon, and to do
that, we need to understand it. To understand this phenomenon, we must study it. This
brings us to cybercrime metrics. Substantively, online crime is crime, nothing more, and
we need little, if any, in the way of new laws criminalizing the conduct at issue. What we
need are new tactics for combating crime-as-externality. Devising these tactics may
involve many things, such as developing new crime control models,114 re-allocating
resources and creating specialized law enforcement units whose task it is to concentrate
on external crime. If we are to succeed in this endeavor, we need to understand this
phenomenon at least as well as we understand conventional crime.115 The first step in
this process is the articulation and implementation of cybercrime metrics. Section III
considers how we might go about doing this.
III. METRICS
[T]here is no such thing as ‘an obvious metric’ for any crime.116
¶ 31 While online crime differs from crime in several important respects, the two share
an essential commonality: both represent socially intolerable conduct that threatens a
society’s ability to maintain order.117 It is therefore logical to begin the process of
identifying cybercrime metrics by examining the metrics we use for crime. Part III(A)
does precisely that. Part III(B) analyzes the extent to which we can extrapolate these
crime metrics to cybercrime; it also investigates the possibility of developing cybercrime-
specific metrics.
A. Crime Metrics
¶ 32 We have been dealing with crime since mankind developed intelligence and
began to live in social groupings.118 As part of dealing with crime, we established
metrics to parse the harm associated with particular crimes.119 Having parsed crimes
according to their respective harms, we then ordered them hierarchically in terms of the
extent, and degree, to which each warranted the infliction of punitive sanctions.120 All of
this is an integral part of the crime control strategy we have relied upon for centuries. It
assumes that if the balance between harm and punishment is properly calibrated, the
infliction of punishment will serve both to vindicate the harm done to society and to deter
the offenders, and others, from inflicting such harm in the future.121 In assessing the
harm associated with a specific crime, we consider (i) the injury it inflicts and (ii) the
culpability of the offender.122 Both are examined below.
1. Injury
a. Individual harm
crime has four elements: conduct, intent, causation, and injury.126 Injury, or harm, is our
primary benchmark for determining the severity of a specific crime:127 Modern criminal
codes rank individual harm crimes according to the severity of the particular harm
inflicted; homicide is usually ranked as the worst crime, with other crimes following in
descending order.128 Having established this general hierarchy of crimes, modern
criminal codes then use culpability to parse crimes into degrees of severity.129
¶ 35 Individual harm does not necessarily mean the crime is directed at a human being.
Many mala in se crimes can be committed against artificial entities; a corporation, for
example, can be the victim of theft, embezzlement, arson and other crimes.130 What
individual harm encompasses is the proposition that there is a specific, identifiable
victim; traditional, real-world crime consists of a dynamic involving a criminal and a
victim.131 The criminal inflicts harm upon the victim and, in so doing, wrongs both the
victim and the society in which the event occurs. That society, in turn, reacts to the
victimization in an effort to apprehend and punish the perpetrator, which will vindicate
both its own interests and those of the victim.132
126. See, e.g., Joshua Dressler, Reassessing the Theoretical Underpinnings of Accomplice Liability:
New Solutions to an Old Problem, 37 HASTINGS L.J. 91, 125 (1985). But see supra § III(A)(1)(b).
127. See HALL, GENERAL PRINCIPLES OF CRIMINAL LAW, supra note 121, at 216-17.
128. See, e.g., Model Penal Code Articles 210-51 (Official Draft and Revised Commentary 1980).
129. See, e.g., Model Penal Code §§ 210.1-210.4 (dividing criminal homicide into murder,
manslaughter and reckless homicide) (Official Draft and Revised Commentary 1980). See also supra §
III(A)(2)(a).
130. See, e.g., State v. Schwartz, 173 Or.App. 301, 303-05, 21 P.3d 1128, 1129 (Or. App. 2001)
(employee charged with stealing from his employer, the Intel Corporation). See also Hammurabi—Code of
Laws 6, The Avalon Project at Yale Law School, at http://www.yale.edu/lawweb/avalon/medieval/
hamframe.htm (“If any one steal the property of a temple or of the court, he shall be put to death”).
131. This is the minimum required for the crime dynamic. It can also involve many criminals and
one victim, many criminals and many victims or, most recently, one criminal and many victims. See supra
§ II(A)(2).
132. See, e.g., Alan Vinegrad, The Role of the Prosecutor: Serving the Interests of All the People, 28
HOFSTRA L. REV. 895, 897 (2000); Lawrence Crocker, The Upper Limit of Just Punishment, 41 EMORY L.J.
1059, 1063 (1992).
133. The same is true for prohibita crimes, though the harms they address tend to be systemic, rather
than individual, harms. See § III(A)(1)(b) infra.
134. See, e.g., Model Penal Code § 210.1 (homicide), § 223.2 (theft) and § 211.1 (assault).
135. See, e.g., THEODORE F.T. PLUCKNETT, A CONCISE HISTORY OF THE COMMON LAW 445-46 (5th
ed. 1956).
136. As noted earlier, mala in se crimes encompass “inherently wrongful conduct”, while mala
prohibita crimes encompass “conduct that is wrongful only because the legislature has declared it to be so.”
for offenses to be parsed into three, four, or even five degrees in contemporary American
criminal law.137
¶ 37 Along with parsing harms into increments, modern American criminal law attempts
to refine and standardize the calculus between harm and sanction. This effort has
culminated in the almost universal use of guidelines in sentencing at the state and federal
levels.138 Sentencing guidelines are intended to reduce judicial discretion in sentencing
and ensure a closer, more objective match between the harm inflicted and the punishment
imposed.139 As part of this process, sentencing guidelines have broadened our conception
of harm. Traditionally, the measure of harm has been the injury to the victim; thus, for
example, the harm in property crimes was defined by the amount lost by the victim.140
But for financial crimes, the federal sentencing guidelines factor in both the economic
gain to the perpetrator and the economic loss to the victim when defining the harm
caused by a crime.141
Sharon L. Davies, The Jurisprudence of Willfulness: An Evolving Theory of Excusable Ignorance, 48 DUKE
L.J. 341, 391 (1998). An example of a mala prohibita crime is a:
traffic law that makes it a crime. . . to drive on the ‘wrong side’ of the road. Inherently, of
course, there is no ‘right side’ of the road. The legislature simply chooses one side over
the other, and declares it to be so. Once the legislature has acted, . . . the interest in
vehicular and pedestrian safety make it eminently fair and necessary to expect all drivers
in the community to . . . abide by that rule.
Id. at n.197. See also Leo P. Martinez, Taxes, Morals and Legitimacy, 1994 BYU L. REV. 521, 556 (1994)
(“Internal Revenue Code embodies the essence of mala prohibita crimes”).
There has been a dramatic increase in the number of mala prohibita crimes over the last century due,
in part, to a “perceived need to protect the public in an increasingly complex and industrialized society.”
Jill Evans, The Lawyer as Enlightened Citizen: Towards A New Regulatory Model in Environmental Law,
24 VT. L. REV. 229, 264 (2000). See, e.g., Henry M. Hart, Jr., The Aims of the Criminal Law, 23 LAW &
CONTEMP. PROBS. 401, 414, 419-20 (1958). The distinction between mala in se and mala prohibita crimes
is relevant to this discussion only insofar as the latter tend to address systemic, rather than individual,
harms. See supra § III(A)(1)(b).
137. See, e.g., ALASKA STAT. §§ 11.46.475, 11.46.480, 11.46.482, 11.46.484 & 11.46.486 (breaking
criminal mischief down into five degrees).
138. See, e.g., Robin L. Lubitz & Thomas W. Ross, Sentencing Guidelines: Reflections on the
Future, supra note 123, at 1-2. As this is being written, the Supreme Court has agreed to decide the
constitutionality of sentencing guideline systems, which was called into question by its decision in Blakely
v. Washington, 124 S.Ct. 2531 (2004). See United States v. Booker, 2004 WL 1713654 (2004); United
States v. Fanfan, 2004 WL 1713655 (2004).
139. See, e.g., Lubitz & Ross, supra note 123, at 1 (stating that “guidelines were conceived as a way
to guide judicial discretion in accomplishing . . . sentencing and correctional objectives. Generally, two
criteria—seriousness of the crime and criminal history of the defendant—are used to prescribe punishment.
By introducing more uniformity and consistency into the sentencing process, guidelines also make it easier
to predict sentencing outcomes and correctional costs”).
140. See, e.g., State v. Savoy, 205 La. 650, 667, 17 So.2d 908, 914 (La. 1944) (in prosecution for
embezzlement, the amount embezzled determined the grade of the offense and therefore the penalty). See
also State v. Johnson, 186 S.C. 202, 195 S.E. 329, 329 (1938) (same). See generally Robert Ditzion,
Elizabeth Geddes & Mary Rhodes, Computer Crimes, 40 AM. CRIM. L. REV. 285, 303 n.120 (2003) (noting
the “typical loss-based approach to sentencing”).
141. See, e.g., Michael A. Simons, Vicarious Snitching: Crime, Cooperation, and "Good Corporate
Citizenship," 76 ST. JOHN’S L. REV. 979, 990 (2002) (citing U.S. SENTENCING GUIDELINES MANUAL §
8C2.4 (2003)). See also U.S. SENTENCING GUIDELINES MANUAL § 5E1.2 (2003); U.S. SENTENCING
GUIDELINES MANUAL § 2R1.1 application note 3 (2003) (sentencing court should consider both gain and
loss). Some states include “intangible losses, such as psychological harm caused by the crime.” CAL.
Real offense sentencing, which is the norm in the federal system but not among the
states,144 allows a sentencing court to consider all “relevant conduct” pertaining to the
offense(s) of conviction, “including uncharged crimes and ‘crimes’ of which the
defendant has been acquitted.”145
b. Systemic harm
¶ 39 Mala prohibita crimes are far from new,146 but the last century has seen the rise of
mala prohibita crimes that encompass the infliction of systemic, rather than individual,
harms.147 Criminal antitrust is a good example. In a traditional criminal proceeding, the
state reacts to a discrete harm inflicted upon a member of the social system it
represents,148 whereas in a criminal antitrust enforcement proceeding, the state acts to
ensure the viability of an essential component of that social system.149 The harm at issue
in an antitrust offense is an erosion of the principle of competition; as one commentator
notes, “free and competitive markets result in maximum economic development, wealth
creation, and consumer welfare, but . . . markets will not always remain free and
PENAL CODE § 1202.4(d) (2004). See also THOMAS W. HUTCHINSON, et al., FEDERAL SENTENCING LAW
AND PRACTICE § 8C2.8 (2004) (inclusion of nonpecuniary loss in fine calculation).
The guidelines define ‘loss’ as “the greater of actual loss or intended loss.” U.S. SENTENCING
GUIDELINES MANUAL § 2B1.1, application note 3 (2003). “Actual loss” is “the reasonably foreseeable
pecuniary harm that resulted from the offense,” while “intended loss” is “the pecuniary harm that was
intended to result from the offense.” Id. Intended loss includes “intended pecuniary harm that would have
been impossible or unlikely to occur (e.g., as in a government sting operation, or an insurance fraud in
which the claim exceeded the insured value).” Id.
For a critique of gain-based sentencing, see, e.g., Neil Kumar Katyal, Deterrence’s Difficulty, 95
MICH. L. REV. 2385, 2423 n.133 (1997).
142. See U.S. SENTENCING GUIDELINES MANUAL § 1A1.1 (2003) (quoting Chap. 1 - § 4(a) (1987)).
143. Id.
144. See, e.g., Rebecca Poate, Note, Beyond Relevant Conduct--The Federal Sentencing
Commission's (In)Discretion: How U.S.S.G. Section 2g2.2(B)(4) Illustrates the Future of The Sentencing
Guidelines, 51 HASTINGS L.J. 1363, 1389 (2000).
145. Kyron Huigens, Solving the Apprendi Puzzle, 90 GEO. L.J. 387, 412 (2002).
146. See supra note 126.
147. See generally supra § III(A)(2).
148. See, e.g., AMERICAN BAR ASSOCIATION STANDARDS FOR CRIMINAL JUSTICE, Standard 3-2.1,
Commentary. See also supra § III(A)(1)(a).
149. See Brenner, Toward A Criminal Law for Cyberspace: Product Liability and Other Issues,
(forthcoming 2004).
¶ 40 This difference has certain consequences for the structure of these mala prohibita
offenses. For one thing, the crime dynamic is different; instead of having to show that
the perpetrator inflicted an actual, discrete harm upon a victim, the prosecution may be
able to rely on a presumption of harm.152 Certain of these offenses, such as antitrust,
incorporate the incipiency standard, which allows prosecution based on systemic harm
that has not occurred but is deemed likely to occur.153 Others allow prosecution based
upon potential harm, i.e., upon a defendant’s creating a situation from which harm could
result.154 And as Part II(A)(2) explains, these offenses often eliminate intent, which is an
150. Joel I. Klein, Rethinking Antitrust Policies for the New Economy, Address at The
Haas/Berkeley New Economic Forum (May 9, 2000), at http://www.usdoj.gov/atr/public/speeches/
4707.htm. See also U.S. DEPT. OF JUSTICE: UNITED STATES ATTORNEYS’ MANUAL, § 7-1.100 (1997),
available at http://www.usdoj.gov/usao/eousa/foia_reading_room/usam/title7/1mant.htm (last visited Sept.
19, 2004). For more on systemic harm offenses, see Brenner, Toward A Criminal Law for Cyberspace:
Product Liability and Other Issues, supra note 151.
151. Charles S. Start, International Cooperation in the Pursuit of Cartels, 6 GEO. MASON L. REV. 533
(1998) (“antitrust . . . enforcement . . . is very much a part of the global economic infrastructure”).
152. See, e.g., Christopher R. Leslie, Comment, Achieving Efficiency through Collusion: A Market
Failure Defense to Horizontal Price-Fixing, 81 CAL. L. REV. 243, 273 (1993):
James F. Rill, the head of the Antitrust Division of the Department of Justice, noted that
‘[g]ain or loss is not a necessary element of proof for per se antitrust crimes; harm is
presumed given the nature of the violation. Thus, the Department traditionally has not
investigated gain or loss or made factual damage presentations in its criminal cases.
See also Northern Pac. Ry. Co. v. U.S., 356 U.S. 1, 5 (1958):
[T]here are certain . . . practices which because of their pernicious effect on competition .
. . are conclusively presumed to be unreasonable and therefore illegal without elaborate
inquiry as to the precise harm they have caused. . . . This . . . avoids the necessity for an
incredibly complicated and prolonged economic investigation into the entire history of
the industry involved . . . in an effort to determine at large whether a particular restraint
has been unreasonable--an inquiry so often wholly fruitless when undertaken.
153. See, e.g., Jennifer R. Connors, Comment, A Critical Misdiagnosis: How Courts Underestimate
the Anticompetitive Implications of Hospital Mergers, 91 CAL. L. REV. 543, 554 (2003) (“As the Supreme
Court has recognized, the purpose of antitrust law is to arrest concentration ‘in its incipiency’.”) (citing
Brown Shoe Co. v. United States, 370 U.S. 294, 317 (1962)). See also Thomas B. Leary, Dialogue between
Students of Business and Students of Antitrust, 47 N.Y.L. SCH. L. REV. 1, 2 (2003) (“With the exception of
so-called ‘per se’ offenses that are presumed to cause immediate consumer harm, all antitrust is focused to
some degree on incipiency concerns.” (footnote omitted)).
154. The distinction between incipient and potential systemic harm lies in the likelihood that a harm
will occur. Incipient harm statutes are analogous to the inchoate harm offenses discussed later in the text
above. See infra § III(A)(1)(c). They target activity that is leading to the infliction of systemic harm; in the
antitrust context, for example, the government can bring a prosecution based upon activities that would
have resulted in an anticompetitive harm had it not been interrupted. See supra note 155. Potential harm
statutes target conduct that creates the conditions that can produce individual harm. The actual occurrence
of such harm is not, however, an element of the offense.
For example, in United States v. Park, a corporate officer was convicted of violating 21 U.S.C. §
331(k), which makes it a federal crime to let food that has been shipped in interstate commerce and is being
held for sale to become adulterated. 421 U.S. 658, 660 (1975). Park was the president of a “national retail
food chain” that used a Baltimore warehouse to store food that being held for sale. Id. Federal inspectors
determined the warehouse was “accessible to rodents” that were contaminating the food stored there; such
c. Inchoate harm
¶ 41 The notion that the state should be able to intervene to prevent incipient harm is far
from new, and is the premise of three common law crimes: attempt, conspiracy and
solicitation.155 These inchoate, or incomplete, crimes address conduct leading to the
commission of another target crime.156 They allow someone to be punished “even though
he has not consummated the crime that is the object of his efforts. Indeed, the main
purpose of punishing inchoate crimes is to allow the judicial system to intervene before
an actor completes the object crime.”157
contamination constituted adulteration under 21 U.S.C. § 331(k). Id. Park and the company were charged
with violating section 331(k); the company pled guilty, he pled not guilty. Id. at 661-62. Park claimed he
was not responsible for the contamination. Id. He conceded that while all of the company’s employees
“were in a sense under his general direction,” the responsibility for ensuring sanitary conditions at the
warehouse belonged to the Baltimore division vice president; Park claimed he had checked and was told
the vice president was taking “corrective action.” Id. at 663-64. Notwithstanding that claim, Park was
convicted and appealed to the Supreme Court. The Court upheld his conviction, concluding that Park’s
“responsible” position in the company’s corporate structure justified holding him liable for not preventing
the contamination. Id. at 669, 676. What is interesting about the Park case, with regard to this discussion,
is that the government was not required to prove that any actual, individual harm resulted from the
contamination at the warehouse. The gravamen of the offense was that Park and his company created
conditions that could have resulted in individual harm, i.e., illness on the part of those who consumed
contaminated food from the warehouse. Id. at 672-73. Had individuals actually become ill, the state could
have brought a traditional criminal prosecution for reckless or negligent injury. See, e.g., Haw. Rev. Stat.
Ann. § 707-706 (2003).
155. See, e.g., WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL LAW §§ 1.2 & 2.1 (2003).
156. See, e.g., Geraldine Szott Moohr, Mail Fraud Meets Criminal Theory, 67 U. CIN. L. REV. 1, 16
(1998) (stating that “Inchoate crimes prohibit an act performed in anticipation of committing another
criminal act. An inchoate, or . . . incomplete crime, does not require . . . the accomplishment of a
prohibited harm. Rather, an inchoate offense mandates punishment even when the actor has not
consummated the ‘target’ crime that is the object of his or her efforts.”) (notes omitted).
157. Ira P. Robbins, Double Inchoate Crimes, 26 HARV. J. ON LEGIS. 1, 3 (1989) (note omitted).
158. Evan Tsen Lee, Canceling Crime, 30 CONN. L. REV. 117 (1997) (note omitted).
159. See, e.g., Paul Robinson, A Theory of Justification: Societal Harm as a Prerequisite for Criminal
Liability, 23 UCLA L. REV. 226, 269 (1975) (inchoate crimes “are harms in themselves.” The “harm is
intangible . . . and society is its object”). See also JEROME HALL, GENERAL PRINCIPLES OF CRIMINAL LAW
219 (1960):
Any conduct. . . . has some effect. For example, the taking possession of burglar's tools
or narcotics by persons who intend to use them illegally alters the previous condition of
affairs. The quality of daily life is impaired by such conduct; and one need only ask
whether he would want to live in a community where attempts to kill and to commit
robberies and arsons were frequent, to indicate that there are harmful effects of such
conduct not only in the apprehension aroused but also in the increased danger of
becoming the victim of a more serious crime.
160. See LAFAVE, supra note 157.
attempt murder, for example, I must engage in a course of conduct that either (i)
constitutes a substantial step toward causing the death of another human being or (ii)
would result in such a death absent circumstances beyond my control.161 The virtue of
having such an offense is that it allows law enforcement to intervene before the aspiring
murderer commits the target crime and inflicts real harm.162
¶ 43 Attempt, solicitation and conspiracy are not the only inchoate crimes. Federal and
state criminal codes include a variety of inchoate offenses, each encompassing conduct
that can reliably be said to create a risk of harm.163 American law generally regards
“inchoate offenses as substantive crimes, distinct . . . from the completed crimes toward
which they tend.”164 Most states follow the common law rule, which punishes inchoate
offenses less severely than a completed target crime.165 A substantial minority, though,
follows the Model Penal Code and punishes inchoate crimes as severely as a completed
target crime.166
2. Culpability
¶ 44 Essentially, culpability is guilt. For criminal liability, we require not only that
someone have inflicted harm, but also that he did so with the requisite level of moral
fault.167 “[I]t is normally a prerequisite for legal guilt that there be conscious fault or
161. See, e.g., Model Penal Code § 5.01(1) (Official Draft and Revised Commentary 1980). To
conspire to commit murder, I must agree with another that a third person will be killed; and to solicit
murder I must ask another to commit murder or facilitate its commission. See, e.g., Model Penal Code §§
5.02(1) & 5.03(1) (Official Draft and Revised Commentary 1980).
162. See, e.g., Robbins, Double Inchoate Crimes, supra note 159, at 3.
163. See, e.g., Moohr, Mail Fraud Meets Criminal Theory, supra note 158, at 16-17 (mail fraud is an
inchoate crime); State v. McDonald, 31 Ohio St. 3d 47, 57 n.7, 509 N.E. 2d 57, 65 n.7 (Ohio 1987) (“All
statutes prohibiting possession of burglar's tools define a crime that is inchoate”).
164. See, e.g., Robbins, Double Inchoate Crimes, supra note 159, at 3.
165. See Paul H. Robinson, Is Justice Just Us? A Symposium on the Use of Social Science to Inform
the Substantive Criminal Law: Testing Lay Intuitions of Justice: How and Why?, 28 HOFSTRA L. REV. 611,
622 (2000).
166. See, e.g., Bruce Braun, Dane Drobny & Douglas C. Gessner, www.commercial_terrorism.com:
A Proposed Federal Criminal Statute Addressing the Solicitation of Commercial Terrorism Through the
Internet, 37 HARV. J. ON LEGIS. 159, 173 n.92 (2000). Furthermore, “except in the case of capital crimes or
first-degree felonies, the [Model Penal] Code prescribes the same punishment for the crimes of attempt,
solicitation, and conspiracy as for the crime attempted or solicited or that is the object of the conspiracy.”
Frederick M. Lawrence, The Punishment of Hate: Toward A Normative Theory of Bias-Motivated Crimes,
93 MICH. L. REV. 320, 355 n.142 (1994). See Model Penal Code § 5.05(1). The federal sentencing
guidelines take a modified approach, in which the base offense level used to calculate a sentence for
attempt, conspiracy or solicitation is the same as that for the substantive offense that was the target of the
inchoate crime. See also United States Sentencing Commission, Guidelines Manual § 2X1.1 (2003). The
sentence imposed is reduced by three levels unless the defendant completed all the acts he or she believed
necessary for the commission of the target crime. See id. See also JOSHUA DRESSLER, UNDERSTANDING
CRIMINAL LAW 331, 363 (2001).
167. See, e.g., HALL, GENERAL PRINCIPLES OF CRIMINAL LAW, supra note 161 at 93:
Moral culpability, i.e. personal guilt, includes both mens rea and motivation. For
example, D kills T. . . . [W]as D acting from cupidity, knowing he was named the chief
beneficiary of T's will? Or was the motive his love for his sick wife who needed an
operation? Just as we cannot pass an adequate moral judgment if we know only what
harm has been committed . . . we cannot properly estimate conduct solely on the basis of
a. Individual harm
¶ 45 When a crime involves the actual infliction of individual harm, the actor’s
culpability is used to determine the seriousness of the crime and the severity of the
penalty to be imposed.173 As noted above, modern criminal law uses culpability to parse
what were once generic crimes into hierarchically structured degrees.174 Early English
law, for example, had a single offense—homicide—that encompassed the killing of
another human being.175 Contemporary American criminal codes divide homicide into
descending degrees according to the blameworthiness of a defendant’s conduct.176 They
essentially distinguish murder (purposely killing) from voluntary manslaughter (killing in
the heat of passion), involuntary manslaughter (recklessly causing death), and negligent
homicide (negligently causing death).177
¶ 47 This system of hierarchically ordering crimes and degrees of crimes produces a set
of rather precisely calibrated crime metrics. The categories it establishes can be used to
track the incidence with which crimes involving the infliction of individual harms are
committed and the respective damage they inflict.183
b. Systemic harm
¶ 49 There are two justifications given for eliminating culpability in crimes that target a
failure to prevent systemic harm. One derives from the fact that unlike traditional crimes,
180. See, e.g., Alaska Stat. § 11.46.486 (describing criminal mischief in the fifth degree).
181. See, e.g., Conn. Gen. Stat. Ann. § 53a-125b (describing larceny in the sixth degree).
182. See, e.g., R.I. Gen. Laws § 11-4-8 (describing arson in the seventh degree).
183. See, e.g., U.S. Department of Justice—Bureau of Justice Statistics, Sourcebook of Criminal
Justice Statistics § 3 (2002), at http://www.albany.edu/sourcebook/1995/pdf/section3.pdf, U.S. Department
of Justice—Bureau of Justice Statistics, Criminal Victimization in the United States—Table 1 (2002), at
http://www.ojp.usdoj.gov/bjs/pub/pdf/cvus02.pdf (personal and property crimes); Federal Bureau of
Investigation, Uniform Crime Reports: Crime in the United States (2002), at
http://www.fbi.gov/ucr/cius_02/pdf/2sectiontwo.pdf.
184. See supra § III(A)(1)(b).
185. See, e.g., Thomas M. Russo, How U.S. Environmental Maritime Criminal Law Has Turned
"Crime and Punishment" into "Mistake and Punishment," American Law Institute—American Bar
Association Continuing Legal Education SE72 ALI-ABA 123, 130-31 (May 11, 2000) (explaining
“knowing” conduct is required for many environmental crimes). See also Sedima S.P.R.L. v. Imrex Co.,
741 F.2d 482, 495-96 (2nd Cir. 1984), reversed, 473 U.S. 479 (1985). In Sedima, the court noted that the
federal anti-racketeering statute known as RICO criminalizes the infliction of actual systemic harm. Id.
While RICO itself is a strict liability crime, the predicate offenses which one must commit to violate the
RICO statute require culpability, usually either willfulness or knowing conduct. See 18 U.S.C. §§ 1961,
1962.
186. For the distinction between the two, see supra note 156.
187. Id. See also supra § III(A)(2); United States v. FMC Corp., 572 F.2d 902, 906-08 (2d Cir.
1978).
188. See, e.g., supra note 156. The imposition of criminal liability for one’s failure to prevent a
particular type of generalized, systemic harm dates back to the beginning of the twentieth century and the
invention of ‘public welfare’ offenses. See Francis B. Sayre, Public Welfare Offenses, 33 COLUM. L. REV.
55, 67-68 (1933). The development of ‘public welfare,’ or regulatory, offenses resulted from a “shift in
emphasis from the protection of individual interests which marked nineteenth century criminal
administration to the protection of public and social interests.” M. Diane Barber, Fair Warning: The
Deterioration Of Scienter Under Environmental Criminal Statutes, 26 LOY. L.A. L. REV. 105, 110 (1992).
See also Sayre, Public Welfare Offenses, supra, at 67-68.
these crimes target omissions; the theory is that the most effective way to encourage
prevention is to punish failures without regard to fault.189 The CEO of a grocery
company can be held criminally liable for allowing food in a warehouse to be
contaminated, regardless of whether he did so “maliciously,” ”willfully” or even
“knowingly.”190 The other justification is that these crimes often target organizational
conduct, and it can be difficult, if not impossible, to prove personal moral fault on the
part of specific corporate employees.191
¶ 51 Inchoatecrimes do not inflict actual harm.193 They target conduct that is leading to
the commission of a completed crime, the consummation of which would produce actual
harm.194 The rationale for inchoate crimes is that they let law enforcement officers
intervene to prevent the commission of the target crime without forfeiting prosecution.195
If we did not have inchoate crimes, officers who knew John Doe was planning to murder
Jane Doe would have two equally undesirable options: (i) let him commit the murder and
then see he was prosecuted for it; or (ii) intervene and prevent him from committing the
murder, but be unable to do anything to stop him from trying again without their
knowledge. Like systemic harm crimes, inchoate harm crimes target incipient or
potential harm.196
189. See, e.g., WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL LAW § 5.5(c) (2003).
190. See supra note 156. Malice, willfulness and knowledge are among the mental states criminal
law uses in assessing culpability. See, e.g., WAYNE R. LAFAVE, SUBSTANTIVE CRIMINAL LAW § 5.1 (2003).
191. See, e.g., LAFAVE, SUBSTANTIVE CRIMINAL LAW § 5.5(c), supra note 191.
192. Compare U.S. Department of Justice—Bureau of Justice Statistics, Compendium of Federal
Justice Statistics (2001), at http://www.ojp.usdoj.gov/bjs/pub/pdf/cfjs01.pdf, with U.S. Department of
Justice—Bureau of Justice Statistics, Sourcebook of Criminal Justice Statistics § 3 (2002), and U.S.
Department of Justice—Bureau of Justice Statistics, Criminal Victimization in the United States—Table 1
(2002). With regard to arrest, prosecution and adjudication, the Compendium of Federal Justice Statistics
breaks out some federal systemic harm cases, such as antitrust and food and drug act violations, but lumps
the others into its ‘other regulatory offenses’ category. See U.S. Department of Justice—Bureau of Justice
Statistics, Compendium of Federal Justice Statistics (2001), at Table 4.1, at
http://www.ojp.usdoj.gov/bjs/pub/pdf/cfjs0104.pdf. It also provides no indication of the losses, or harms
resulting from these crimes. Cf. U.S. Department of Justice—Bureau of Criminal Justice Statistics,
Criminal Victimization in the United States, Statistical Tables 75, 81 (2002), at
http://www.ojp.usdoj.gov/bjs/pub/pdf/cvus0204.pdf (describing personal injury and economic loss resulting
from individual harm crimes).
193. See supra § III(A)(1)(c).
194. See id.
195. See id.
196. Unlike systemic harm crimes, inchoate crimes generally require affirmative acts, not omissions.
But see Model Penal Code § 5.01(1) (Official Draft and Revised Commentary 1980) (stating that ‘attempt’
¶ 52 The two differ dramatically in the way they approach unrealized harm. Systemic
harm crimes are designed to protect the security and integrity of essential societal
interests, such as marketplace competition; the harms such crimes address are by
definition diffuse.197 While it is possible to show that conduct constituting an antitrust
crime would have had an anticompetitive effect, it is impossible to quantify that effect
with any precision. Antitrust crimes, like all systemic harm crimes, target complex
activity, the proper functioning of which, is essential for the survival of a society.198
Since the harms are diffuse and the activities are so complex, the traditional approach to
criminal liability—requiring intent, culpability, causation and demonstrable, discrete
injury—is not a viable option. Consequently, systemic harm crimes presume harm or do
not require the prosecution to show true harm; proof of conditions that could produce
harm can support the imposition of liability.199 Systemic harm crimes also eliminate
culpability on the assumption that the most effective way to encourage the prevention of
systemic harms is to put the absolute risk of failure on those who are in the best position
to do so.200
consists, in part, of purposely doing or omitting to do something as part of conduct leading to the
commission of the target crime).
197. See supra § III(A)(1)(b).
198. Id.
199. Id.
200. See supra § III(A)(2)(b).
201. See, e.g., Sedima S.P.R.L. v. Imrex Co., 741 F.2d at 495-96:
RICO was intended to ‘address the infiltration of legitimate business by organized
crime.’ . . . . According to the congressional statement of findings and purpose, the Act
was to seek to eradicate organized crime because ‘organized crime activities in the
United States weaken the stability of the Nation's economic system, . . . interfere with
free competition, seriously burden interstate and foreign commerce, threaten the domestic
security, and undermine the general welfare of the Nation and its citizens.’ . . . RICO was
not enacted merely because criminals break laws, but because mobsters, either through
the infiltration of legitimate enterprises or through the activities of illegitimate
enterprises, cause systemic harm to competition and the market, and thereby injure
investors and competitors.
(citations omitted) (quoting United States v. Turkette, 452 U.S. 576, 591 (1981)). As explained
earlier, RICO is a systemic harm crime that incorporates traditional criminal activity. See supra
note 187.
202. See supra note 203.
203. The result would presumably be otherwise if the infliction of systemic harm were the offender’s
goal, which may, perhaps, be the case with terrorism. We have not yet considered whether terrorism is
simply a type of crime or whether it should be regarded as something else, as something more than
traditional, individual harm-crime. See supra note 6.
¶ 54 We require this synchronization for inchoate crimes because they are really a
version of individual harm-crimes. But since inchoate crimes are interrupted crimes, no
actual, individual harms result from their commission. We compensate for the lack of
harm by requiring compelling proof that one charged with an inchoate offense was
indeed dedicated to committing the target crime, and would have succeeded but for the
intervention of law enforcement officials.204 Culpability therefore becomes the primary
metric for inchoate crimes; we cannot identify actual harm, but we can track aspirational
harm. This is, of course, an imprecise endeavor. Imagine that Eric Harris and Dylan
Klebold were interrupted before they could carry out their April 20, 1999 attack on the
students and teachers at Columbine High School. Assume they were stopped in the
school parking lot as they were on their way to launch the assault because law
enforcement officers had credible evidence to believe they intended to commit such an
act. Since their conduct would have been interrupted, no one would actually have been
harmed. They could have been prosecuted for attempted murder, but we would have no
way of knowing the extent of the individual harms they intended to inflict had they not
been intercepted. We might infer some level of individual harm from the firepower and
ammunition they were carrying, but that assessment would be speculative.
¶ 55 Our only metric for inchoate harm crimes, therefore, is culpability. We infer the
nature and extent of actual, individual harm the interrupted offender meant to inflict
based on his words and actions.
B. Cybercrime Metrics
¶ 56 Our metrics for crime are harm and culpability, which we apply in different degrees
to crimes that inflict individual harms, systemic harms and inchoate harms.205 We now
need to consider metrics for cybercrime. The sections below examine two issues: first,
to what extent can we apply crime metrics to cybercrime? Second, what additional
metrics, if any, do we need for cybercrime? The sections below analyze these issues with
regard to (i) individual harm cybercrimes; (ii) systemic harm cybercrimes; and (iii)
inchoate harm cybercrimes.
¶ 57 Like individual harm crimes, individual harm cybercrimes produce actual, discrete
harms. We need to be able to track those harms. This discussion analyzes the possibility
of (i) applying crime metrics to cybercrime, and (ii) developing additional metrics for
cybercrime.
a. Crime metrics
204. See JOSHUA DRESSLER, UNDERSTANDING CRIMINAL LAW 329, 339, 365, 384 (3rd ed. 2001). See
also Robbins, Double Inchoate Crimes, supra note 159, at 8 (“The mens rea for inchoate crimes, therefore,
is the specific intent to commit a particular completed offense, or target . . . crime”).
205. See supra § III(A).
difference between the generic individual harm-crimes (e.g., fraud, theft, extortion,
harassment, forgery, murder) and their cyber-analogues. The core offense harm is the
same in both.206 It seems, then, we should be able to use crime metrics—the harm
inflicted by a crime and the culpability of the person who committed it to track
cybercrime. The basic metrics for an online fraudster’s crime, for example, would be (i)
the number of victims and extent of the harms inflicted on each, and (ii) his/her
culpability.
¶ 59 The culpability calculus for these cybercrimes should be the same as for their real-
world analogues. For example, cyber-theft, like real-world theft, requires that the
offender have acted with the purpose of depriving another of their property. This
requirement is made for most other property crimes, such as online fraud, forgery,
extortion, etc.207 The culpability calculus should also remain the same for the “crimes
against the person” that migrate into cyberspace,208 as well as for crimes against the state
and crimes against morality.209 Since human behavior is a constant in offline and online
crime, and since our experience with human misbehavior has given us a good sense as to
the appropriate levels of fault to assign to various misdeeds, we should not need to alter
culpability standards, except perhaps to accommodate new crime variations.210
¶ 60 The calculus is more difficult for the harms. The core harm will be the same for
online and offline crime analogs: a loss of property for theft, fraud, extortion and other
property crimes; a loss of life or physical injury when homicide and other crimes against
the person migrate into cyberspace; emotional distress for stalking and harassment
crimes; an erosion of essential government functions for crimes against the state; and the
myriad subtle and complex harms resulting from the crimes against morality.211 But
while the core harm may remain the same, it can manifest itself in different ways.
¶ 61 Online theft, for example, can consist either (i) of the zero-sum phenomenon we
know from the real-world, in which the thief totally deprives an owner of the possession
and use of her tangible or intangible property; or (ii) of the non-zero-sum, online version
in which the thief takes a copy of intangible property and leaves the owner with the
“original.”212 In both instances, the owner suffers a loss of property.213 Are the losses
identical? Is the non-zero-sum loss equivalent to the zero-sum loss? In a zero-sum theft,
the owner is completely deprived of the possession and use of her property; in a non-
zero-sum theft, she is deprived of a quantum of the possession and use of her property. 214
The harm associated with this less-than-zero-sum loss depends, at least in part, on the
extent to which the value of the property is a function of its exclusivity; in other words,
the extent to which dominion and control of the property is limited.
¶ 63 These are difficult issues, issues that do not arise with regard to real world, zero-
sum theft. To understand why that is so, it is helpful to consider two variations on the
hypothetical outlines above. In the first variation, the employee steals a key to a safe that
contains money. The theft of the key is a zero-sum theft; the employee has the key and
the company does not. We could, therefore, prosecute the employee for stealing the key.
As a practical matter, such a prosecution is highly unlikely. If the employee uses the key
212. See supra note 73. See Goodman & Brenner, supra note 65, at 61.
213. See Goodman & Brenner, supra note 65, at 61.
214. See id.
215. We can analogize the passwords to the key to a safe; the key’s value lies in its ability to grant
access to the safe. The owner of the safe, therefore, will seek to ensure that only authorized persons can
exercise dominion and control over the key. If someone steals the key, in a zero-sum theft, the owner of
the safe has suffered two harms; he has lost the key itself, which is a small harm, and he has lost the ability
to control access to the safe, which is a significant harm, the precise significance being a function of the
contents of the safe and his ability to change the lock and render the key useless. See, e.g., State v. Green,
81 N.C. 560, 1879 WL 2414 *1 (N.C. 1879). See also Fifth Third Bank v. Stanek, 806 N.E.2d 861, 863
(Ind. App. 2004).
to take the money in the safe, we will prosecute him for that theft. The theft of the key
will, in effect merge into the greater theft and the greater harm.216 If the employee is
apprehended before he can use the key to take the money in the safe, we will charge him
with an attempt to steal the money in the safe; the theft of the key will become a
component of the conduct alleged to constitute the inchoate crime. No prosecutor will
pursue the theft of the key itself because the harm is simply too minimal to warrant
prosecution.
¶ 64 The other variation on our hypothetical illustrates why different issues arise when
the theft is online. Assume the passwords in the copied file are old passwords that are no
longer used. It might seem that, as with a key to a lock that is no longer used, the
company has no reason to prevent unauthorized persons from gaining dominion and
control over the data in the file. The theft of the file, like the theft of the key, would
constitute the infliction of a harm too minimal to warrant prosecution. However, that is
not necessarily true. An aspiring cybercriminal may be able to use the data in the file to
identify current passwords, since people often re-use old passwords despite being told not
to do so. The cybercriminal might also be able to use the data in the file to derive new
passwords by analyzing the system the company uses to create passwords for its
employees. In either scenario, the company may sustain significant harm.
¶ 65 Asthe hypothetical and its variations illustrate, cybercrimes can have consequential
harms that are at least as significant as the core harm resulting from the offense. There
are actually two consequential harms in the hypothetical itself. The first, an inchoate
harm, is the possibility that the data in the password file can be used to hack Acuit’s
computer system and inflict further harms upon the company by, for example, deleting or
destroying data. The other harm is actual, Acuit will have to respond to the inchoate
harm by, for example, seeing that the passwords in the file are replaced by new
passwords and conducting an audit of its computer security to locate and eliminate the
vulnerabilities the employee exploited to steal the file. While real-world crimes,
including theft, can also produce consequential harms, we do not include them into the
metrics we use for crime. Our metric for the harm resulting from real-world property is
the value of the property taken, damaged or destroyed, presumably because the
consequential harms resulting from real-world property crimes are slight compared to
those generated by their cyber-counterparts. We can retain this basic metric for crime,
but we must include an assessment of consequential harm in the metrics we develop for
cybercrime.217
¶ 66 There are two ways we can go about doing this, the first being to incorporate
consequential harm as part of the individual harm resulting from the commission of a
conventional crime, or cybercrime. If we take this approach, the prosecution will have to
prove the nature and extent of consequential harm sustained in a cybercrime case
involving property loss or damage.218 It would become a component of an individual
harm prosecution. The second way to approach this issue is to construe consequential
harm as a systemic harm; the virtue of this tactic is that a quantum of consequential harm
could be presumed, instead of having to be quantified and proven beyond a reasonable
doubt.219 Probably the best approach is to do both, i.e., to make consequential harm an
element that must be proven in individual harm prosecutions but incorporate presumptive
consequential harm into selected, systemic harm offenses.220
¶ 68 At this point in our experience with cybercrime, it is impossible to tell, with any
218. See generally United States v. Pierre-Louis, No. 00-434-CR, 2002 WL 1268396, at *2-*5 (S.D.
Fla. 2002) (interpreting the “consequential damages” provision of the Patriot Act).
219. Other amendments to the Patriot Act incorporated this approach into 18 U.S.C. § 1030. The
amended version of the statute essentially makes it a federal crime to gain unauthorized access to a
computer and either (i) cause “loss” as defined above or (ii) to cause either “the modification or
impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals” or “damage affecting a computer system used by or for a government entity
in furtherance of the administration of justice, national defense, or national security.” 18 U.S.C. §§
1030(a)(5)(B)(i), (ii), (v).
220. See supra note 219.
221. See supra Part III(B)(2).
222. See supra Part III(B)(1)(b)(ii).
223. Id.
b. Cybercrime metrics
¶ 69 We decided that crime metrics provide a core set of characteristics we can use to
track individual harm cybercrimes. The issue we need to resolve now is whether to
incorporate the distinctive characteristics discussed earlier into the metrics we use for
cybercrime.224 Those characteristics, again, are: (i) difficulty of apprehension and (ii)
infliction of harm on a greater-than-real-world scale.225
(i) Scale
¶ 70 We begin with the second characteristic; it is the less problematic of the two since
it deals with a traditional factor, i.e., offense harm. Our historical default model of a
crime has been an event involving two persons: a perpetrator and a victim.226 We
therefore based our assessment of the harm resulting from such an event on the injury to
the victim—the person who sustained actual harm.227 We retained that approach as we
began dealing with criminals who inflicted sequential harms on multiple victims; our
approach to this scenario is to parse the harms into discrete crimes, each of which
becomes a count in the charging instrument used against the offender.228 If the defendant
in such a prosecution inflicted more than one harm upon a victim, each harm becomes a
separate count in the charging instrument.229 And if a defendant is convicted of inflicting
all the harms charged in such a document, his sentence will be based on the accumulative
harm she inflicted upon the various victims.230
¶ 71 This approach, which we devised for crime, tracks the harms attributable to a
course of criminal conduct by (i) discrete, individual harms to a victim, (ii) number of
victims and (iii) amount of loss to each victim.231 Is this approach adequate for
cybercrime? The issue raised earlier was the significantly greater scale of the harms a
cybercriminal can inflict by automating criminal activity, such as fraud.232 An online
fraudster can use e-mail to contact an exponentially greater number of victims than he
could in person or even by using telephones;233 in so doing, he increases his chances of
successfully victimizing a greater number of individuals.234 He can further increase his
chances of doing so by using automated processes to harvest credit card and other
personal information from those who respond to his emails, either directly or indirectly
by communicating with a “phishing” website identified in those emails.235 Two types of
harm result from our hypothetical fraudster’s online activity; the first is actual, individual
harm, which consists of the losses he inflicts on those whom he successfully victimizes.
The second is inchoate harm. This is the unrealized harm he sought to inflict on the
recipients of his e-mails or other online solicitations. We consider this inchoate harm
below.236
¶ 72 Our concern here is the harm, or harms, this hypothetical fraudster actually inflicts
upon those who respond to his automated communications. Do we need to somehow
factor this into our metrics for online crime, or is it adequately addressed by the approach
outlined above, which tracks the effects of crime according to the number of victims and
the extent of the loss inflicted on each victim? Should we be tracking what is, in effect,
the aggregate harm resulting from online activities, such as fraud? Why might we want
to do this? Would such an endeavor identify any distinct data that is relevant to
understanding and analyzing online crime?
¶ 73 These are difficult questions. One argument for tracking aggregate harm is that
focusing on discrete harms inflicted upon individual victims ignores the generalized
effect a course of criminal conduct can have.237 Two of the sentencing enhancements in
231. The approach outlined above assumes property crimes, in which the amount of loss can be
quantified. A similar approach, however, can be used for crimes against persons, crimes against the state or
crimes against morality. See, e.g., State v. Braddy, 2004 WL 1364730 (Ohio App. 2004) (involving
multiple counts of rape); United States v. Kennedy, 372 F.3d 686 (4th Cir. 2004) (involving multiple
counts of perjury); United States v. Dodds, 347 F.3d 893, (11th Cir. 2003) (sentencing for possession of
child pornography based on the number of images possessed).
232. See supra Part II(A)(2).
233. See, e.g., Femi Oyesanya, The Nigerian 419 Email Cycle, The Nigerian Village Square, (last
modified May 2, 2004), at http://www.nigeriavillagesquare1.com/Articles/femi_oyesanya3.html.
Telephone contact lets fraudsters communicate with a greater number of potential victims because they do
not have to travel to each victim’s physical location. But because telephone communication is still one-to-
one; a phone fraudster can only focus on one victim at a time.
234. See supra Part II(A)(2).
235. Id. See also What Is Phishing?, Anti-Phishing Working Group, at http://www.antiphishing.org/
(last visited Sep. 30, 2004); John Shinal, Phishers Reel in Money: E-mail Scammers Get Victims’ Checking
Account Information, SFGate.com, (June 16, 2004), at http://www.sfgate.com/cgi-
bin/article.cgi?f=/c/a/2004/06/16/BUGQU76KBO1.DTL (last visited Sept. 30, 2004).
236. See supra Part III(B)(3).
237. See, e.g., United States v. Copple, 24 F.3d 535, 548 (3d Cir. 1994), cert. denied, 513 U.S. 989
(1994) (asserting that schemes involving many victims tend to result in greater losses). Large-scale
the federal Sentencing Guidelines seem to incorporate this concern: the first authorizes
increasing the basic offense level by two levels if the crime “was committed through
mass-marketing.”238 The second authorizes incremental increases in the basic offense
level to reflect the total number of victims involved.239 Under the Sentencing Guidelines,
the offense level is the measure of the harm a crime inflicts.240 These enhancements,
therefore, are apparently meant to capture generalized harms exceeding those captured by
the offense(s) of conviction.241 Unfortunately, it is not clear whether the enhancements
are intended to capture an incremental, aggregate, actual harm or rather are directed at
inchoate harm, i.e., at the harm the offender sought to inflict.242
¶ 74 Thereis another source of guidance on this issue, one that may account for why we
would want to track the aggregate harm resulting from large-scale, automated cybercrime
activity. As noted earlier, conspiracy is an inchoate crime.243 Unlike the other inchoate
crimes, however, conspiracy is not outlawed merely because it leads to the commission
of a completed, substantive crime.244 As one commentator noted,
conspiracy law serves two societal purposes. First, as an inchoate offense,
a conspiracy comprises the mere planning of a crime; as such, authorities
can arrest conspirators before they actually commit their intended offense.
Second, conspiracy law addresses the special problem of group danger by
imposing extra punishment on those who threaten society through
concerted group action. . . .
The group danger associated with a conspiracy poses a substantial threat
to society because individuals who conspire may pool their resources, may
commit more complex (and less easily detected) crimes, and are more
likely to complete the planned crime due to the pressure inherent in-group
activity.245
criminal activity can also inflict indirect harms upon individuals other than the direct victims. See, e.g.,
United States v. Melvin, 187 F.3d 1316, 1321-24 (11th Cir. 1999), cert. denied, 530 U.S. 1231 (2000).
238. See U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(2)(A)(ii) (2003) (amended 2004).
“[M]ass-marketing” is “a plan, program, promotion, or campaign that is conducted through solicitation by
telephone, mail, the Internet, or other means to induce a large number of persons to (i) purchase goods or
services; (ii) participate in a contest or sweepstakes; or (iii) invest for financial profit.” Id. at § 2B1.1, cmt.
n.4(A).
239. See id. at § 2B1.1(b)(2)(A)-(C). If the offense involved 10 or more victims, the offense level is
increased by two levels; if it involved 50 or more victims, the offense level is increased by four levels, and
if the offense involved 250 or more victims, the offense level can be increased by six levels. Id.
240. See, e.g., id. at § 2B1.1.
241. See generally THOMAS W. HUTCHISON ET AL., FEDERAL SENTENCING LAW AND PRACTICE §
2F1.1, cmt. 5 (2004) (stating that mass-marketing enhancement resulted from “a congressional directive,
which required the Commission to provide ‘substantially increased penalties’ for telemarketing fraud.”)
(quoting Telemarketing Fraud Prevention Act of 1998, Pub. L. No. 105-184, § 6(b)-(d), 112 Stat. 520, 521
(1998)).
242. See, e.g., United States v. Copple, 24 F.3d at 548 (observing that “losses actually caused by”
large-scale criminal activity “may under represent the amount of losses the defendant intended”).
243. See supra Part III(A)(1)(c).
244. See id.
245. Geoff Lundeen Carter, Comment, Agreements Within Government Entities and Conspiracies
Under § 1985(3)--A New Exception to the Intracorporate Conspiracy Doctrine?, 63 U. CHI. L. REV. 1139,
1142 (1996) (footnotes omitted). See also Callanan v. United States, 364 U.S. 587, 593-94 (1961):
The added dangers associated with group activity are also the rationale responsible for
complex crimes such as RICO and CCE.246
¶ 75 Conspiracy, RICO, and CCE are concerned with the added harms that result from
concerted human activity. We are concerned with an analogous issue; the possibility that
emergent, aggregate harms result from large-scale, automated cybercrime. Both concerns
derive from the same problem, which is the human ability to enhance criminal activity so
it inflicts harm vastly exceeding what an individual can accomplish.247 We dealt with
enhancements resulting from collective activity—the “group danger” phenomenon—by
developing crimes that target the additive effects of concerted human action.248 The
expanded scale of harm in cybercrime results not from concerted human action, but from
automation.249 “Group danger” crimes are useless against automation, so we may need to
devise strategies that address the enhanced harms produced by automating crime.
“Group danger” crimes evolved as our understanding of collective criminal activity
evolved;250 we must understand automated cybercrime if we are to respond to it. To do
that, we must study it, which means we must incorporate assessments of the incidence,
nature, and effects of automating online crime into our cybercrime metrics.
[C]ollective criminal agreement . . . presents a greater potential threat to the public than
individual derelicts. Concerted action both increases the likelihood that the criminal
object will be successfully attained and decreases the probability that the individuals
involved will depart from their path of criminality. Group association . . . often . . .
makes possible the attainment of ends more complex than those which one criminal could
accomplish. Nor is the danger of a conspiratorial group limited to the particular end
toward which it has embarked. Combination in crime makes more likely the commission
of crimes unrelated to the original purpose for which the group was formed.
246. See 18 U.S.C. §§ 1961-1962 (2000 & Supp. I 2001); 21 U.S.C. § 848. RICO has been described
as a “super-conspiracy” statute. David Vitter, Comment, The RICO Enterprise as Distinct from the Pattern
of Racketeering Activity: Clarifying the Minority View, 62 TUL. L. REV. 1419, 1443-44 (1988).
247. See supra Part II(A)(2).
248. See supra note 247.
249. See supra notes 49-50.
250. See, e.g., Michael Vitiello, Has the Supreme Court Really Turned RICO Upside Down?: An
Examination of NOW v. Scheidler, 85 J. CRIM. L. & CRIMINOLOGY 1223, 1233 (1995) (arguing that “RICO
grew out of almost twenty years of concern about the influence of the Mafia or La Cosa Nostra”).
251. See generally Michael R. Schechter, Note, Sentencing Enhancements Under the Federal
Sentencing Guidelines: Punishment Without Proof, 19 N.Y.U. REV. L. & SOC. CHANGE, 653, 665 (1992-
93).
252. See BUREAU OF JUSTICE STATISTICS, U.S. DEP’T OF JUSTICE, FIREARMS AND CRIME STATISTICS
(2004), available at http://www.ojp.usdoj.gov/bjs/guns.htm (last modified Sept. 12, 2004).
resulting from various crimes.253 The use of a firearm may not be a constituent element
of a particular crime, but it can act as a “crime multiplier,” that is, it can exacerbate
aspects of the offense.254
¶ 77 Automation plays a central role in the type of cybercrime under consideration here.
It, too, acts as a “crime multiplier,” but in ways we do not understand. Our cybercrime
metrics, therefore, should track the use of automation in the commission of online crime.
Among other things, they should focus on issues such as: how is automation used to
enhance the scale of the harms resulting from a particular type of cybercrime? Is it used
to increase victimization in property crimes such as fraud, forgery, embezzlement, and
theft? If so, how? Is it used to inflict additive harms in extortion and blackmail? How, if
at all, is it used in crimes against morality, including the distribution of child
pornography? Is it being used in crimes against persons? If so, how is it being used and
why? The inquiry should also examine (i) who is supplying the automated techniques
that are being used and (ii) the sophistication of these techniques and the extent to which
they appear to be evolving.255
¶ 78 The primary goal of this inquiry is to understand how automation is being used as a
“cybercrime multiplier.” A subsidiary goal is to be able to extrapolate how it may be
used in the future. As part of this inquiry, the automation metric should analyze and
compare how automation is being used in the commission of different crimes and how it
is being used by cybercriminals from different countries. We might be able to identify
patterns in its usage, which we could then use to tailor responses to this type of enhanced
criminal activity.256
253. See, e.g., 18 U.S.C. § 924(c) (2000 & Supp. I 2001), amended by Pub. L. No. 108-174, § 1, 117
Stat. 2481, 2481 (2003).
254. See, e.g., Christine Martin et al., An Examination of Rearrests and Reincarcerations Among
Discharged Day Reporting Center Clients, FED. PROBATION, June 2003, at 24, 29 (concluding that “illicit
drug use is . . . a crime multiplier. When offenders are using drugs, they are significantly more likely to
engage in criminal activities” (citation omitted)). Moreover, “[m]ilitary and law enforcement personnel use
the term ‘force multiplier’ to denote factors which enhance the effectiveness of troops or weapons.” Susan
W. Brenner & Marc D. Goodman, In Defense of Cyberterrorism: An Argument for Anticipating Cyber-
Attacks, 2002 U. ILL. J.L. TECH. & POL’Y 1, 26 (footnote omitted).
255. Donn Parker, who has been studying computer crime since the 1960s, believes we will see the
emergence of totally automated crimes, which are available for purchase. See Donn Parker, Automated
Crime, WindowSecurity.com (2002), at http://secinf.net/misc/Automated_Crime_.html/ (last modified Oct.
16, 2002).
256. Another problem we have in dealing with cybercrime is that we cannot, at least as yet, identify
patterns in crimes or in victimization. See Brenner, Criminal Law for Cyberspace, supra note 22, at 53-55,
70-75.
257. See, e.g., Matthew Wall, The Web’s Wise Guys: Organised Crime Is Thriving Online but Many
Victims Want to Keep It Quiet, GUARDIAN (London), June 3, 2004, available at
http://www.guardian.co.uk/online/story/0,3605,1229875,00.html (last visited Sept. 18, 2004).
(ii) Apprehension
¶ 80 The section above explained that computer technology could act as a “crime
multiplier” by enhancing the substantive harms resulting from online criminal conduct.
Computer technology can also act, in effect, as a multiplier in another way: by making it
difficult for law enforcement to apprehend those who commit crimes online.259 While we
are accustomed to factoring the effects of multipliers like firearms into our offense harm
calculations for crime,260 we have not made it a practice to factor conduct that makes law
enforcement’s task more difficult into these calculations.
¶ 83 Protecting the integrity of a criminal justice system, which has swung into motion
and begun the processes of investigating and prosecuting a specific crime, is a very
different matter from penalizing general offense conduct. Or, to put it another way, is it
reasonable to penalize cybercriminals for taking steps to avoid being apprehended and
prosecuted?
¶ 85 Thereis, however, precedent for factoring such efforts into the harm calculus,
though not at the offense level. The federal Sentencing Guidelines allow sentences to be
enhanced for using “sophisticated means” to commit a crime.268 This enhancement,
which allows a sentencing court to increase the base offense level269 if the commission of
the crime involved “sophisticated means,” is available in sentencing for theft, fraud,
embezzlement and property destruction.270 “Sophisticated means” denotes
especially complex or . . . intricate offense conduct pertaining to the
execution or concealment of an offense. For example, in a telemarketing
scheme, locating the main office of the scheme in one jurisdiction but
locating soliciting operations in another jurisdiction ordinarily indicates
sophisticated means . . . . [H]iding assets or transactions, or both, through
the use of fictitious entities, corporate shells, or offshore financial
accounts also ordinarily indicate sophisticated means.271
267. It also seems like a Catch-22: if I commit a crime and make no effort to avoid being
apprehended, I will be caught; if I commit a crime and attempt to avoid being apprehended, my attempt to
avoid being apprehended becomes another crime. See, e.g., Catch-22, DICTIONARY.COM, at
http://dictionary.reference.com/search?q=catch-22%20 (last visited Sept. 22, 2004) (defining Catch-22 as a
“situation in which a desired outcome . . . is impossible to attain because of a set of inherently illogical
rules or conditions”).
268. See U.S. SENTENCING GUIDELINES MANUAL §§ 2B1.1(b)(8), 2T1.1(b)(2) (2004).
269. See supra notes 241-43 and accompanying text. See also infra note 279.
270. See U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(8).
271. U.S. SENTENCING GUIDELINES MANUAL § 2B1.1(b)(8), at cmt. n.7. Operating a fraudulent
scheme from another jurisdiction “to evade law enforcement” constitutes “sophisticated means,” as does
perpetrating a “substantial part” of a fraudulent scheme from outside the United States. U.S. SENTENCING
GUIDELINES MANUAL § 2B1.1(b)(8). Section 2B2.1(b)(1), which applies to burglary and trespass crimes,
allows an enhancement if a crime “involved more than minimal planning.” U.S. SENTENCING GUIDELINES
MANUAL § 2B2.1(b)(1). The use of a computer has been held to warrant application of the “sophisticated
means” enhancement. See United States v. Lascola, 45 Fed. Appx. 5, 8 (1st Cir. 2002). Among other
things, “more than minimal planning” exists “if significant affirmative steps were taken to conceal the
offense.” U.S. SENTENCING GUIDELINES MANUAL § 2B2.1(b)(1), at cmt. n.4.
272. The federal Sentencing Guideline for child pornography permits an enhancement if the
defendant’s “possession of the material resulted” from his using a computer. See U.S. SENTENCING
GUIDELINES MANUAL § 2G2.4(b)(3) (2003). This enhancement is also based on the need to deter
sophisticated offenders. See, e.g., United States v. Fellows, 157 F.3d 1197, 1202 (9th Cir. 1993).
deterrence purposes."273 Basing a sentence on conduct that is not an element of the crime
of which an offender has been convicted is consistent with the approach the Sentencing
Guidelines take to sentencing.274 As explained earlier, the federal Sentencing Guidelines
base sentences on a defendant’s “actual conduct,” rather than on the conduct of which he
was convicted.275 The Sentencing Guidelines, in effect, allow a sentencing court to factor
in the influence of “crime multipliers,” such as the use of computer technology, even
though the multiplier is not itself an element of the offense.276 This approach is based, at
least implicitly, on the proposition that multipliers are a component of the harm resulting
from the commission of a crime.277
¶ 88 We could do that. If we did, this aspect of our metrics would focus on the harms
produced by cybercriminal activity. While there is nothing inherently objectionable
about focusing on harms, such an emphasis could limit the metrics we designed. For
example, they might be more concerned with the fit between specific technologies and
harms than with the general impact various technologies have on law enforcement’s
ability to deal with cybercrime. Assume we implement metrics based on the harms
theory. Assume further that we use these metrics, in part, to track how pedophiles use
computer technologies to create and distribute child pornography; one way they use these
273. United States v. Lewis, 93 F.3d 1075, 1080 (2d Cir. 1996) (quoting U.S. SENTENCING
GUIDELINES MANUAL § 2T1.1 comment (background)).
274. See, e.g., The Law of Evidence in Federal Sentencing Proceedings, 177 F.R.D. 513, 513 (1998):
The crime of conviction is merely the starting point (‘base offense level’) to be adjusted
after a series of factual determinations . . .regarding offense characteristics . . .,
defendant's role in the offense, harm to the victim, and other factors. A controversial
feature of the Guidelines requires aggregation for sentencing purposes of all ‘relevant
conduct’--even if the defendant has been acquitted of, or was never even charged with,
committing that conduct. The level calculated after these adjustments marks the point on
the vertical axis of a grid . . ., while defendant's criminal history . . . is measured along
the horizontal axis. The point at which the two lines intersect yields the permissible range
of sentence from which . . . the judge must select.
As noted earlier, the Supreme Court has agreed to decide the constitutionality of the guideline sentencing
system. See supra note 138.
275. See supra notes 144-47 & accompanying text.
276. At least, they currently allow this. See supra note 140. We may, at some point, want to
incorporate the use of computer technology into our offense definitions, just as we have done for firearms.
Compare Ga. Code. Ann. § 16-8-40 (robbery) with Ga. Code. Ann. § 16-8-41 (armed robbery).
277. See supra notes 94-98 & accompanying text. The proposition noted above derives from the need
to maintain internal order in a society. See id. Crimes inflict harms and, in so doing, threaten to undermine
internal order. See id. Multipliers are a part of this process because they increase the harm that results
from the commission of a crime. The use of a “crime multiplier” therefore becomes part of the process of
inflicting harm and, as such, must be taken into account at sentencing to ensure deterrence. See generally
id.
278. But see supra note 140.
technologies is to reduce their chances of being apprehended and prosecuted for breaking
the law.279 Under a harms theory, we would focus on how the technologies are used for
that purpose and we would see them, essentially, as implements for the infliction of the
particular harms associated with child pornography. In so doing, we might ignore other
uses of these technologies, such as to share information about law enforcement tactics
online, information that concerns crimes other than child pornography. Or we might
ignore, misinterpret or misunderstand how the technologies were evolving for use in very
different ways.280
¶ 89 An alternative approach is to structure our metrics not around the harms being
inflicted by cybercrime but around the technologies themselves. This approach focuses
on technology as an implement, not as a component of offense harm; we use an
analogous approach to track the use of firearms in the commission of crimes.281 So
instead of focusing on how child pornographers use steganography, this approach would
focus on steganography itself, i.e., on how it is being used by various types of
cybercriminals. Structuring the metrics around the technologies has two advantages: it
would give us a broader picture of how the various technologies are being used to
conceal the commission of cybercrime or otherwise evade apprehension, and it would let
us track how the use of a specific technology is evolving.
279. See, e.g., Eric Hwang, Child Pornography on the Internet, 2002 UCLA J.L. & TECH. Notes 7, at
http://www.lawtechjournal.com/notes/2002/07_020819_hwang.php.
280. One problem with a harms approach is that it assumes a predictable relationship between the
technologies—the multiplier—and harms. This assumption holds for some multipliers, like firearms;
firearms have very limited uses, so it is reasonable make certain assumptions about their role in the actual
or potential infliction of certain types of harms. This assumption does not hold for computer technologies;
for one thing, cybercriminals often utilize legitimate technologies for illegitimate purposes.
281. See, e.g., U.S. Department of Justice—Bureau of Justice Statistics, Firearm Use by Offenders
(2001), at http://www.ojp.usdoj.gov/bjs/pub/pdf/fuo.pdf; U.S. Department of Justice—Bureau of Justice
Statistics, Guns Used in Crime (1995), at http://www.ojp.usdoj.gov/bjs/pub/pdf/guic.pdf.
282. There can also be unrealized efforts to inflict systemic harms; these inchoate harms are discussed
below. See infra Part III(B)(3).
283. See supra Part III(A)(1)(b).
284. There is also a third category: direct systemic harm. Direct systemic harm is not discussed
above because it is a product of terrorism, not cybercrime. While we have not clearly differentiated the
two, it is accurate to characterize cybercrime as an act undertaken for personal motives, such as profit and
revenge, and cyberterrorism as an act undertaken for political motives, namely a desire to advance a
particular ideology. Because cybercrime is undertaken for personal reasons, the systemic harms that
cybercrime inflicts are incidental harms, as is explained above. In other words, when a cybercriminal
attacks citizens of particular society, she does so to benefit herself, not to damage essential components of
the society’s infrastructure; it is presumably not in her interest to damage the society’s infrastructure since
differences between the two. Assume two scenarios: (i) a dispersed and large-scale
online activity carried out by A-L defrauds 5,000 individuals of $5,000,000;285 and (ii) a
concentrated and limited conduct carried out online by X & Z extracts $25,000,000 from
corporations A and B.286 All the victims are from the United States, and the motive for
both crimes is personal gain.287 Does either or both of these events inflict systemic
harms? If so, why? What makes harm systemic and not individual?
¶ 92 The systemic harm in the first scenario is clearly incidental to inflicting individual
harms on the 5,000 discrete persons. The individual harm in this case is apparent to us,
but the systemic harm may not be. We need to start thinking in terms of systemic harm,
instead of only in terms of individual harms. Historically, criminal law has been
primarily concerned with individual harms. Its initial goals were “compensation or
revenge,”288 and it has assumed the victim-offender dynamic as discussed earlier.289 Yet,
societies have realized, of course, that crimes have broader consequences. For the past
century or so, societies have tracked the incidence and characteristics of crimes in effort
to determine their effects on internal order and quality of life.290 This kind of research,
however, viewed crimes as discontinuous phenomena, which only impact individual
victims and it generated statistics that, for example, track the percentage of individuals
affected by particular crimes in specific time periods.291 This focus on individual
victimization may be appropriate under the traditional notion of crimes, as the twenty-
first century crimes are considered to retain the victim-offender dynamic; that is, while
the state takes cognizance of these crimes, the harms from the crimes primarily impact
those involved in its commission.292
the society provides her with the funds and other rewards she seeks. A cyberterrorist, on the other hand, is
interested not in personal rewards but in attacking a particular societal system in hopes of damaging or
destroying it. Thus, the systemic harms a cyberterrorist inflicts on a society are, therefore, direct systemic
harms. The cyberterrorist attacks the system directly. See, e.g., Brenner & Goodman, supra note 256, at
12-52.
285. See, e.g., The National White Collar Crime Center, Internet Fraud Complaint Center Internet
Fraud Report: January 1, 2002—December 31, 2002, at 13, 15 (2003), available at
http://www1.ifccfbi.gov/strategy/2002_IFCCReport.pdf (last visited Sept. 17, 2004) (Teresa Smith
defrauded over 300 victims for more than $800,000; Raj Trivedi defrauded over 700 individuals for more
than $992,000).
286. See, e.g., Romanian Man Indicted in $10 Million Hack, Associated Press, MSNBC (Aug. 5,
2004), at http://msnbc.msn.com/id/5614132/ (last visited Sept. 17, 2004); Gregory G. Lockhart, Milford
Man Pleads Guilty to Hacking—Intrusion and Theft of Data Cost Company $5.8 million, U.S. Department
of Justice, Press Release (Dec. 18, 2003), available at http://www.cybercrime.gov/baasPlea.htm (last
visited Sept. 17, 2004).
287. Cf. supra note 286.
288. See, e.g., Jennifer Gerarda Brown, The Use of Mediation to Resolve Criminal Cases: A
Procedural Critique, 43 EMORY L.J. 1247, 1254 (1994).
289. See supra Part II(B).
290. See, e.g., Crime and Victims Statistics, U.S. Department of Justice—Bureau of Justice Statistics
(March 2004) available at http://www.ojp.usdoj.gov/bjs/cvict.htm (last visited Sept. 17, 2004).
291. See, e.g., Crime and the Nation’s Households, 2000: With Trends, 1994-2000, U.S. Department
of Justice—Bureau of Justice Statistics, (Sept. 2002) available at http://www.ojp.usdoj.gov/bjs/pub/pdf/
cnh00.pdf (last visited Sept. 17, 2004).
292. Immediate and consequent harm impacts a victim who may lose property, life or intangible
commodities, such as a sense of security. The harm can also have an impact on the perpetrator who in turn
reaps some benefit from the commission of crime.
¶ 93 The crime in the first scenario generates individual harms, but its effects are not
limited to them. The 5,000 individuals defrauded by A-L suffered individual harms, but
their combined victimization also produces an aggregate, systemic harm. Let us assume
that they all fell victims to a “phishing” scam,293 in which the perpetrators used e-mails
and fake Web sites to harvest credit card and social security numbers and other
identifying information. This information was then used to commit identity thefts, credit
card frauds and other types of frauds.294 The resulting aggregate harm has negative
effects on the social system of the victims; it produces loss of confidence in financial
institutions, online commerce and online activities in general.295 Thus, this is a systemic
harm. The aggregate effects of the activities that these cybercriminals carried out for the
purpose of enriching themselves are incidental harms inflicted upon a society’s
infrastructure.
¶ 94 The same result ensues in the second scenario, but in a slightly different way. We
will assume that these perpetrators (X and Z) acted only for the purpose of benefiting
themselves.296 X and Z presumably targeted these corporations because a significantly
greater return than their effort was promised.297 We will assume that Corporation A lost
$15,000,000 and Corporation B lost $10,000,000. These are individual harms, but they
are not the only harms. In addition to the consequential harms,298 there are systemic
harms. When the attacks on the corporations become public knowledge, each corporation
will suffer losses of customer and investor confidence.299 These losses are generalized
individual “harms.”300 The attacks on individual victims have a ripple effect that has
impacts beyond the immediate victims. If the attacks were styled as cyberterrorism, we
would see these losses as harms inflicted by terrorists,301 but because X and Z were
committing a cybercrime, we tend to focus only on the immediate effects of their actions
and ignore the systemic consequences.
¶ 95 There are two reasons why cybercrime metrics need to track the systemic harm, in
addition to the individual harm. First, the systemic harm is a distinct type of harm, which
we historically have not taken into account. Second, the systemic harm can be a result of
a phenomenon discussed earlier: crime-as-externality.302 External, private threats to
societal infrastructures and social systems are something new to our experience, as
criminal law had been developed to deal with internal threats to social order.303 We need
to know whether X and Z perpetrated their crimes from within the United States or from
abroad. If they committed the crimes from abroad, we need to know their locations,
nationalities and criminal affinities to the extent possible. Are they, for example, self-
employed Russian cybercriminals?304 Or are they foreign hackers who carried out these
crimes for hire?305 If they were hired, who hired them and why? Systemic harm needs to
be tracked so we can identify the extent to which this harm is the product of internal
versus external threats. This is an essential step in learning about external threats and in
devising strategies for dealing with this distinct type of crime.
¶ 97 Finally, there are two caveats when dealing with systemic harm. First, in tracking
systemic harms, it is important to limit the scope. Systemic harm can encompass almost
everything. If we consider our computer systems as part of our infrastructure, then any
attack on a computer could be considered a systemic harm, i.e., an attack on our
infrastructure. An essential part of implementing cybercrime metrics is designing a
system that can differentiate true systemic harm from individual harm.
¶ 98 The second caveat also deals with scope. Most surveys dealing with the harms
inflicted by cybercrime have focused on commercial harms, i.e., on cybercrime targeting
corporate and other commercial entities.307 This may reflect an implicit assumption that
the systemic harm inflicted by cybercrime only comes from attacks against business
entities. While it is true that such attacks can inflict significant systemic harm, they are
not the only source of such harm. Therefore, it is also important to track aggregate
individual harm.
¶ 99 It is useful to divide the inchoate harms resulting from cybercrime into two
categories: inferential inchoate harm and potential inchoate harm. These categories are
not based on intrinsic differences in the types of harms, but on the nature of the conduct
that gives rise to the harm.
¶ 100 We will begin with inferential inchoate harm. Because inchoate crimes are by
definition incomplete,308 all inchoate harms and all inchoate crimes are the product of
inference. With a lack of actual harm, we infer inchoate harm.309 In this context,
however, inferential inchoate harm has a distinct meaning. It denotes the type of harm
that was identified earlier, in considering the harms resulting from the conduct of a
hypothetical fraudster.310 This hypothetical fraudster sent out millions of e-mails as part
of a scheme to defraud individuals out of their credit card numbers and other financial
information.311 His efforts inflicted two types of harm: (i) individual harm consisting of
the losses he inflicts on those whom he successfully victimizes; and (ii) inchoate harm
consisting of the unrealized harm he sought to inflict on those who received his e-mails
but did not respond to them. We addressed the individual harm earlier and deferred
consideration of the inchoate harm until now.312
¶ 101 If the hypothetical fraudster had sent out millions of e-mails and then had
immediately been arrested, he could have been prosecuted for attempting to defraud the
recipients of those e-mails. This would be a classic inchoate crime. The harm resulting
from his conduct would be wholly inchoate—his demonstrated capacity for criminal
conduct.313 Scenarios such as this require extrapolating traditional inchoate principles
into cyberspace. Therefore, one who uses the Internet to hire a hit man is guilty of
solicitation and has generated the inchoate harm associated with that crime.314
Cybercrime metrics should track the migration of inchoate offenses into cyberspace, if
only because it will make it more difficult to apprehend those who are embarking on a
course of criminal conduct. There is nothing problematic about incorporating inchoate
harms into those metrics; because the harms are unrealized, they differ far less in their
online and offline guises than do the actual harms that were discussed earlier.
¶ 102 The original scenario outlined above is not a classic inchoate crime. Our
hypothetical fraudster (i) successfully defrauded a number of unidentified victims and
also (ii) failed to defraud an unspecified number of additional victims. He inflicted an
unknown number of actual harms by committing a number of fraud crimes, but what
about his failures? Can we take them into account or are they, in effect, an attempt that
merged into the completed crimes?315
¶ 103 The answer to that question depends upon how his conduct is construed. If his
efforts are seen as directed toward the commission of a single crime—one scheme to
defraud—then we might conclude that the failed attempts merge into the completed
crime. The conclusion will be different if his conduct is construed as being directed
toward the commission of a series of discrete crimes; here, each email represents a
quantum of harm, realized or unrealized. Therefore, in assessing the harms that our
fraudster inflicted, the best approach is to treat his entire course of conduct as a partially
completed series of crimes.316 He succeeded in victimizing individuals #1-200 and failed
in his attempt to victimize individuals #200-400. In tracking the harms resulting from his
conduct, we should assess (i) what he did and (ii) what he sought to do. The first
assessment was conducted earlier.317 For the second assessment, we can use what he
accomplished to support inferences about what he sought to accomplish. These
inferences are (i) that if these individuals had responded, he would have defrauded them
in the same way as those who did respond and (ii) that in defrauding his putative victims
he would have inflicted quantifiable harms analogous to those he inflicted on his actual
victims. This analysis uses the fraudster’s intent as the gauge of the inchoate harms he
inflicted.318
¶ 104 The inferential inchoate harm category is a satisfactory standard for traditional
inchoate crimes and for conduct that is analogous to traditional inchoate crimes, such as a
partially completed series of offenses. The residual category—potential inchoate harm—
is a hypothetical construct that would encompass harms generated by a new type of
conduct that is found online.
¶ 105 The conduct in question consists of using cyberspace to publicize information that
can be used to commit a crime—anything from copyright violations to murder.319 For
example, an activity that has generated controversy is the publicizing of vulnerabilities in
software. Because these vulnerabilities can be exploited for unlawful purposes, some
argue that publicizing them should trigger criminal liability under an aiding and abetting
theory or under some extension of that theory.320 Another activity that has received
similar criticism is the posting of public personal information about police officers
online. Critics suggest this is tantamount to soliciting injury to the officers or, at the very
least, aiding and abetting those that inflict such harm.321 In the United States, calls to
316. See, e.g., U.S. SENTENCING GUIDELINES MANUAL § 2B1.1 application note 16 (2003) (partially
completed offenses). See also Frank O. Bowman III, A Judicious Solution: The Criminal Law Committee
Draft Redefinition of the "Loss" Concept in Economic Crime Sentencing, 9 GEO. MASON L. REV. 451, 460
(2000) (distinguishing between a completed crime, a partially completed crime and a wholly incomplete
crime).
317. See supra Part III(B)(1)(b)(i).
318. See, e.g., Frank O. Bowman III, U. S. Sentencing Commission Economic Crime Symposium
Briefing Paper on Problems in Redefining "Loss", 13 FED. SENT. R., 2000 WL 33402284 *2 (2000) (“In
inchoate offenses, ‘intended loss’ serves as . . . an important indicator of the degree of risk of actual harm
posed by the defendant's conduct.”).
319. See, e.g., Susan W. Brenner, Complicit Publication: When Should the Dissemination of Ideas
and Data Be Criminalized?, 13 ALB L.J. SCI. & TECH 273, 339-22 (2003).
320. Id. at 404-14.
321. Id. at 386-403.
criminalize this and other types of online publishing fall under the First Amendment.322
Criminal liability cannot be imposed for merely distributing information. To support the
imposition of such liability, the government must prove that the individual responsible
for disseminating the information acted with the purpose of aiding and abetting the
commission of a specific crime.323 If the government can do this, it can prosecute the
individual that is responsible for aiding and abetting the target crime.324 If the
government cannot do this, the individual cannot be prosecuted, even if the information
was used in the commission of a crime.325
¶ 106 This article is interested in cybercrime metrics and is not concerned with
prosecutions. The addition of a potential inchoate harm category in the metrics would be
a possible way of dealing with the conduct outlined above. We could track the
publication of certain types of information that could be directly used to commit certain
crimes, on the theory that this is the potential infliction of an inchoate harm. If the
government can show that an individual acted with the purpose of facilitating the
commission of such a crime, it can prosecute him or her for attempting to aid and abet the
commission of that crime.326 Consequently, the government can intervene and prevent
the information from being used in the commission of the crime. Cybercrime metrics
would track this as an inferential inchoate harm.327
¶ 107 What if the government cannot show that a person acted with the intent of
facilitating the commission of a substantive crime? Such an individual is not guilty of
aiding and abetting the commission of a crime nor of attempting to do so, but the
information she has published can be used to commit a crime. As pointed out in the
earlier example, one who publishes software vulnerabilities is disseminating information
that can be used to commit cybercrime.328 Even though criminal liability cannot be
imposed on someone who does not intend to facilitate a crime, this data is relevant to our
effort to track cybercrime. It helps us deal with the potential inchoate harms. Putting the
information into the public domain creates conditions that can give rise to the
commission of cybercrime. It would be useful to track the dissemination of such
information, as it might allow us to identify associations among cybercriminals and
patterns in their conduct. Regardless of how we characterize this harm, the conceptual
difficulty is that tracking it would involve the monitoring of perfectly legal activity.
Because the activity in question is by definition public, it would not involve an invasion
of privacy. Moreover, law enforcement agencies already monitor the dissemination of
certain types of information, including software vulnerabilities, on an informal, often ad
hoc basis.
IV. CONCLUSION
¶ 108 Historically, the metrics we use for crime have been ad hoc—embedded
assumptions and calculations derived from centuries of experience with crime. This
system has been satisfactory because crimes and harms are constant. Although we see
variations in the methods used to commit crimes, variations in the extent of harm
inflicted and variations in the types of victims chosen, the core harms and core motives
remain constant.
¶ 109 Cybercrime is different with regard to the methods that are used in its commission
and the tangential harms that result from its commission. Because cybercrime is
different, it eludes the scope of the metrics we use for crime. Those metrics do capture
aspects of cybercrime but they miss important data. Cybercrime-specific metrics are
needed in order to track the traditional and non-traditional aspects of cybercrime. As
noted earlier, we cannot develop responses to cybercrime and institute procedures for
preventing it if we do not understand the phenomenon itself.
¶ 111 This article is intended as a first step in the process of developing cybercrime
metrics. While these metrics will not be based on particular legal principles, the overall
theory used to develop cybercrime-specific metrics must be grounded in the doctrines
that govern the imposition of criminal liability. Cybercrime is, after all, simply crime.