NPR’s All Things Considered had a segment today on computer hacking featuring an interview with computer security expert Hugh Thompson. NPR’s Robert Seigel started off by asking Thompson about the law of computer hacking. Thompson is a tech guy, not a law guy. But Thompson tried to wing it, and unfortunately he managed to bungle the legal issues pretty badly. I transcribed the exchange as follows, with Thompson’s answers in bold:
SIEGEL: Here’s a hypothetical case which happens to be not-so-hypothetical. Some hackers break in to the NPR computer system. First, for starts, is that a crime? If so, do we know what crime it is? And who is trying to investigate that crime?
THOMPSON: You bring up a fascinating question. I think the law is really trying to sort this out now. And cybercrime has moved so quickly. The laws move so slowly. But to your hypothetical, one of the laws that prosecutors may use in their arsenal is the Computer Fraud and Abuse Act, which is a relatively recent piece of legislation that targets and covers computers that are in the federal interest.
SIEGEL: So if the NPR computer were in the federal interest, someone could prosecute somebody for doing that. But what if they said, “You know, it’s just a radio network. It’s not in the federal interest, it’s not a .mil operation.” Is it a crime for somebody to poke around our computers?
THOMPSON: Then things get more complicated. So there are laws about stored communications. In many cases, prosecutors have had to get creative. But if you look at it from an individual perspective, obviously something wrong has happened. Someone has trespassed, someone has caused harm to the system. And I think what we’re dealing with is a big lag between the speed with which technology has moved and the lumbering speed of the legal process.
Umm, no. Absolutely it’s a crime, and it has been a crime for a pretty long time. Congress has criminalized computer hacking since the 1980s thanks to a law Thompson mentioned — 18 U.S.C. 1030, first enacted in 1984 and often called the Computer Fraud and Abuse Act. The law is incredibly broad, and it protects pretty much everything with a microchip on the Planet Earth. All fifty states have state criminal laws that this conduct would violate, too. In some circumstances poking around NPR’s computers would be a misdemeanor, and in some a felony, but it’s definitely and clearly a crime. In terms of who would investigate, the FBI and other federal agencies investigate these sorts of cases relatively frequently, and some state agencies do, as well. Of course, they may not catch the folks responsible: Computer intrusion investigations are very difficult for the government for both technical and legal reasons, and savvy intruders are caught only rarely. But the conduct is clearly criminal, and it has been for a long time.