There is a lot of debate concerning the criminalization of cracking. It has been noted that current laws cannot even keep up with communication technologies, let alone address abuses and crimes which involve them. Others suggest that digital crime laws should be based on analog (physical) models. Author Anne Branscomb compares cracking a system to trespassing on private property.
The Clinton administration has proposed tightening or making new intellectual property laws for information transmitted over the Internet. But these laws only make it illegal to copy and sell copyrighted and protected information. The David LaMacchia case is a salient example of this loophole in our current regulatory system.
You may have noticed that on the page "Crackers In The Public Eye" (link to it) we used the word stolen instead of copied. Technically one could say that the crackers did not really steal anything as the original data was usually left unchanged on its original system. However, many computer ethics experts agree that copying digital information is the same as stealing it. In the analog world, copying other's work is only punishable if one tries to profit from it. Most crackers are not interested in reselling or misusing the information they access, but instead are in it for the challenge. The light senetencing many crackers have received to date has reflected this ethical and legal dilemma.
There is also little uniformity in cracking laws. The states seldom regulate cracking activities the same way, as do different nations across the globe. Prosecuting crackers is further complicated by venue: for example, a computer crime against a system located in California may be accomplished by a cracker working from New York or even from another country.
To combat cracking, state legislatures have often times moved quicker than the federal government! Their responses, however, have not been uniform. States have enacted laws that expand the definition of property and expand unlawful destruction to include cracking. Other legislation has taken unauthorized uses, data insertion, voyeurism, and venue into account. States, like Texas and California, have also attempted to punish crackers by confiscating computers allegedly used to crack systems.
Several states have expanded the definition of property to include intellectual products. The state of Montana has extended the notion of 'property" to include bits and bytes of data within a machine (to make it illegal to copy data from a machine that is not yours). A similar Massachusetts law extends property to include data while in transit (to prosecute crackers who eavesdrop).
Many state statutes prohibit acts which alter, damage, delete, or destroy computer files or programs. Illinois has one of the broadest unlawful destruction laws refering to computer tampering. The Illinois statute extends computer tampering to include harsher penalties for those who cause ill health or death to someone by cracking (for example, by altering medical files).
The most salient laws to cracking are those that regard "knowingly unauthorized use". Nevada is typical of many states when it defines "unauthorized use" as entering, copying, taking, using, disclosing, destroying, or modifying data. Ohio's laws on unauthorized use of property were also extended in 1994 to include computer data and software.
A large number of crackers are literally voyeurs who enjoy observing strange systems at work. For this reason Missouri passed a law to protect privacy making it illegal to intentionally use a computer to view confidential information about another person without specific authorization.
Twelve states have made agreements for extradition and venue to make sure that crackers are prosecuted to the fullest extent of the law. Litigation of cracking cases is often complicated because they involve several jurisdictions. Cracking is often an interstate crime, and to respond to it about 15 states, like Georgia, have liberalized their venue laws to grant jurisdiction to the location of the victim.
Under Title 18 of the US Code the following sections have been used to successfully prosecute crackers:
section 1029: fraud and related activity in connection with access devices
section 1030: the computer fraud and abuse act
section 1343: fraud by wire, radio, or television
section 1346: scheme to artifice or defraud
section 1362: malicious mischief with government property
section 2150: electronic privacy act--1986
section 2710a: unlawful access to stored communications
Cracking is not just a phenomenon restricted to the United States. An increasing number of crackers are from overseas. The problem with these crackers is that they are sometimes untouchable becuase their native country's laws are not equal with American ones. (American cracking laws, though better than most countries, is still behind a few others in legistlation). Some examples of the world's best and worst cracking laws:
According to the Computer Misuse Act of 1990, a person is guilty of an offence if he causes a computer to perform any function with intent to secure access to any program or data held within a computer or if the access he intends to secure is unauthorized. The 1990 act failed to include eavesdropping and voyeurism, although criminal liability starts at an early stage.
The Computer Misuse Act covered employees accessing more information than they should be, using terminals at work. Most nations do not have this statute even though employee cracking is one of the most common acts. One important restriction in the UK is that data must be protected by security measures for a cracker to be prosecuted for trespass.
German law dictates three years or less in prison for any person who obtains information (data) not meant for him/her which was protected by security measures. The German parliament defined data as stored or transmitted electronic/magnetic information. This definition of data allows messages sent by e-mail or the internet to be protected as private.
Citizens of Norway are subject to punishment similar to Germany's when a person is caught breaking a protection or obtaining unauthorized data and programs stored or transmitted by electrical or other technical means.
The unique thing about Dutch law is that it can be broadly applied to indict a larger number of crackers. Dutch law makes it illegal to "breach computer peace", which is one of the world's loosest defined cracking laws. Cracking will get Dutch citizens up to four years in prison and fines not to exceed 25,000 guilders.
Polish law takes a strong stand against eavesdropping. The 1993 Computer Criminal Code covers eavesdropping, viewing unauthorized data, disclosure of confidential data to a third party, and also makes measures to protect privacy. The only drawback is that prosecution must be initiated on an application by the victim, which slows down prosecution.
Although the laws are on the books, lack of enforcement and bribing of officials has made China a large nation of crackers. Chinese crackers have pirated (link to Joanna's page on the subject) many western programs and put them for sale on the black market. A similar situation in Pakistan resulted in the spread of virus-tainted, bootlegged software back in the early eighties.
We as a society must also worry about the overcriminalization of cracking. Overcriminalization might lead to witch hunts and hurt the development of a computer-skilled workforce. However, cracking also hurts the adoption of (and confidence in) computers since it may contribute to their reputation as an unreliable and unsafe form of communication
Crackers are not without their benefits to society. Author Stephen Levy points out that most crackers are benign and point out errors, bugs, and security holes in systems. These beneficial acts tend not to get much publicity either, since programmers usually get embarassed or get bruised egos when their systems have been cracked.