Despite the amount of behind-the-back trash-talking and whispered secrets passed along in e-mails between friends, we feel at ease because our electronic correspondence is secure, right? While most take solace in the fact that their e-mail accounts can only be accessed with a password, websites like Activehacker.net and Hackmail.net provide hacking services for anyone who wishes to view another person’s e-mail account. E-mail is now the primary means of communication among individuals, organizations, businesses and governments – and it is vulnerable. As the rate of innovation in computer technology increases, the advancement of hackers’ abilities treks closely behind. The Federal Bureau of Investigation estimates that online banking attacks, primarily through the use of Trojan Horses and phishing scams, has resulted in attempted losses of $100 million as of October 2009. Additionally, the recent surge of new viruses making their way through the Internet, causing substantial disruption and financial damage, shows that computer hacking and online fraud are constant threats.
“Hacking,” defined as “the illegal entry into a computer system through unauthorized means . . . via a direct or indirect approach[,]” has been taking place since the 1980s. While financial gain is the most commonly cited motive for computer hacking, other reasons include desire for entertainment, furthering political agendas, and revenge. Hackers can commit several different types of technology-based crimes, and each crime presents novel and challenging enforcement issues. Deterring and prosecuting e-mail hackers, however, is particularly difficult because paying customers can access targeted e-mail accounts undetected.
In the United States, the main law governing cyber crime comes from the Computer Fraud and Abuse Act (CFAA), codified in 18 U.S.C. § 1030. The CFAA, however, is primarily aimed at protecting government computer systems. More specifically, section 1030(a)(1)-(7) prohibits anyone from knowingly accessing a computer without authorization to (1) obtain national security data, (2) obtain financial institution information, (3) obtain information from any U.S. agency or department, (4) obtain financial gain by fraud, (5) cause damage to a “protected computer,” (6) knowingly use password information to defraud, and (7) obtain information for extortion purposes. Some critics argue that this law is poorly written because it allows one to access a non-government computer without authorization, so long as he or she does so without intent to defraud – no help to the private web e-mail user.
Federal laws on e-mail hacking are set forth in 18 U.S.C. § 2701. Section 2701(a) punishes anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided[,] or intentionally exceeds an authorization to access that facility[,] and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system . . . .” If an offense was committed for commercial gain, the punishment enforced under this statute is a fine or imprisonment up to five years for first-time offenders, and up to ten years for repeat offenders. All other offenses may be punishable by a fine and imprisonment up to a year for first-time offenders, and up to five years for repeat offenders.
All Internet users and services are vulnerable to hacker attacks. Even major e-mail players like Google and Microsoft are not beyond the reach of online fraud. Due to the increased and widespread use of the Internet, seasoned hackers can obtain confidential information on almost anyone. For example, shortly after John McCain named Alaska Governor Sarah Palin as his running mate in 2008, a group of hackers made headlines by hacking into her email account and posting what they found on Wikileaks.org, a website that provides an online forum for leaked documents. The high-profile nature of the case led to law enforcement action. Alleged hacker David Kernell, a twenty-year-old college student, was charged with violating federal e-mail hacking laws, fraud, unlawful electronic transmission of material across state lines, and an attempt to conceal records to impede an FBI investigation. His trial is set to begin in April of 2010.
In addition to federal legislation, states have tried to pick up the slack, also passing hacking and unauthorized access laws. However, these measures have proven to be ineffective. John Thompson, CEO of computer security powerhouse Symantec, stated in a speech that “[i]t is impractical to have 40 different states, each with its own laws; we need a federal law with very high standards today.” Regardless, federal and state laws do not appear to deter e-mail hackers from continuing operations. In a recent Washington Post article, George Washington University law professor Orin Kerr concedes that federal law clearly prohibits hacking into e-mail accounts and services, but the offense only constitutes a misdemeanor, unless further illegal activity stems from the hacking. Furthermore, Professor Kerr acknowledged that “[t]he feds usually don’t have the resources to investigate and prosecute misdemeanors . . . [a]nd part of the reason is that normally it’s hard to know when an account has been compromised, because e-mail snooping doesn’t leave a trace.” Because the services provided by e-mail hacking experts are merely misdemeanors, typically not investigated by the FBI, and difficult to track, hacking service providers can continue operations with little fear of being caught.
Adding to the difficulties in enforcement, many hackers providing services to the United States have sprung up overseas. Alissa Cooper of the Center for Democracy and Technology said that “[t]his kind of thing has been on the radar of law enforcement already . . . [but] in practice it takes a lot of resources and time to build up relationships with [law enforcement] in other countries.” Because hackers have many tricks and techniques at their disposal to avoid capture, including the creation of fake trails concealing their location, the fact that hackers are now located throughout the world solidifies the presumption that enforcement is impractical. James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, adds that “[i]t’s very difficult to track hacker attacks, and even if you can track it, you don’t always know with 100 percent certainty if you’re right . . . .” Even when hackers are caught, some escape harsh punishment through plea bargains in exchange for information about other notorious hackers. After all, sophisticated hackers are better equipped than federal authorities to break through other hackers’ defense mechanisms.
It seems reasonable that the FBI would rather devote its resources to the next big drug bust or tracking a serial killer, rather than attempting to take down hacking service providers owned and operated by college students and part-time Internet bandits. While hacking into e-mail accounts of high-profile politicians and well-known public figures is more likely to result in federal investigations and prosecutions, enforcement of anti-hacking laws where the target is one of over hundreds of millions in the general public seems unlikely.
The government’s concern over cyber security will continue to grow, so long as technological innovations take place and scammers who thrive on beating the system keep perpetrating frauds. Currently, citizens who knowingly open paper mail addressed to other people without authorization are guilty of a federal felony under 18 U.S.C. § 1702. Those who knowingly open e-mail addressed to other people without authorization, on the other hand, are guilty of a misdemeanor, presumably because sending e-mails is like sending a post-card through the postal service—and one does not send confidential information on a post card. When it comes to hacking into e-mail accounts, however, the question we must ask is whether e-mail hackers should be punished as felony offenders. Depending on the nature of the harm effected, some might feel uneasy about sending dorm-room chop shoppers to serve five-year prison terms. Others, however, are in favor of stricter laws.
Congress has responded to widespread cyber crime with increased prison sentences for computer hackers targeting government computers. U.S. Senators John Rockefeller (D-WVA) and Olympia Snowe (R-ME) further advocated for a new “cyber security czar” to serve as the government’s top cyber security official, with the goal of creating an integrated and creative cyber security system, and in 2009, President Obama announced the creation of the “cyber czar” position. These developments demonstrate the administration’s commitment to protecting critical national security computer networks, but they do not address concerns over the growing number of hacking service providers. It appears that e-mail privacy for the general public will not become a major governmental concern anytime soon; as such, those who are looking to transmit confidential information would be better off sending self-destructing disks via snail mail in the vein of Mission Impossible rather than conveying messages through e-mail.