Michigan’s Arsenal for Fighting Cybercrime: An Overview of State Laws Relating to Computer Crimes
As Michigan is swept along with the rest of the world by the twin tidal waves of change caused by the technological revolution and the universalization of the Internet, Michigan law enforcement has the daunting task of keeping up with criminal usage of high technology and computers. Does Michigan law provide adequate tools to help law enforcement in the battle against unlawful conduct on the Internet and computer-related crime, or has the rapidly changing technology left Michigan's prosecutors and police out-gunned by cybercriminals?
The laws presently in existence provide law enforcement with solid tools for combating computer crime. Nevertheless, Michigan needs new statutes and amendments to existing laws to more effectively protect Michigan citizens from the negative impact of increased illegal computer usage. This article will explore the Michigan laws presently available to investigate and prosecute computer-related crimes,1 and will also review some of the computer-related changes contemplated by the Michigan Legislature.
MICHIGAN'S COMPUTER CRIMES STATUTE
Over a decade ago, the Michigan Legislature had the foresight to enact a computer crimes statute, MCL 752.791-97, which has been a guide for other states in formulating similar statutes. While this law has some shortcomings—many of which the Michigan Legislature is presently addressing2—it provides some solid tools for prosecuting sophisticated computer intrusion crimes, as well as traditional crimes committed through the use of computers.
Michigan's computer crimes statute prohibits:
(1) the intentional and unauthorized access, or the causing of access, to a computer to acquire, alter, damage, delete, or destroy property, or otherwise use the service of a computer program3
(2) inserting, attaching, or knowingly creating the opportunity for an unknowing and unwanted insertion or attachment of a set of instructions or program into a computer4
(3) intentionally accessing, or causing access, to a computer to devise or execute a scheme or artifice with intent to defraud or to obtain money, property, or a service by a false or fraudulent pretense, representation, or promise5
(4) utilizing a computer to commit any crime6
This statute could be used to prosecute incidents involving both crimes against a victim's computer and crimes facilitated by a computer.7 For example, the unauthorized access provision appears to apply to acts such as unauthorized usage of the services of a Michigan computer to store "cracker" tools to perform a denial of service attack at some future date on a remote location.
The unauthorized insertion provision could be used to investigate and prosecute the insertion of a "virus" into another person's computer to damage that computer or steal information from it. The scheme to defraud provision could be used against e-mails fraudulently soliciting victim's money. Finally, the general provision incriminating use of a computer to commit any crime appears to be a great catch-all for any of the traditional crimes where a computer is used.
The penalty for each of these violations depends upon the amount of loss.8 The meaning of loss and directions on how to calculate loss are found in the statute's definition of "aggregate amount." "Aggregate amount" means:
any direct or indirect loss incurred by a victim including, but not limited to, the value of any money, property or service lost, stolen, or rendered unrecoverable by the offense, or any actual expenditure incurred by the victim to verify that a computer program, computer, computer system, or computer network was not altered, acquired, damaged, deleted, disrupted, or destroyed by the access.9
For purposes of calculating loss in the context of unauthorized access to a computer, the statute appears flexible. The definition of "service" includes computer time, data processing, storage functions, computer memory, or the unauthorized use of a computer.10 Since the definition of aggregate amount includes the value of service lost, it appears that loss could be quantified by examining the cost of something as broad as lost computer time.
Because the penalty is entirely determined by the amount of financial loss, however, application of the statute has severe limitations. For example, given the requirement of showing some kind of financial loss, this statute does not appear to provide an effective tool to prosecute nonfinancial computer crimes, such as charging a drug dealer who uses a computer to commit his crime.
In addition, the loss calculation in a fraud scheme allows aggregation of loss only as to a single victim. This provision is not helpful in addressing Internet fraud cases, which typically involve multiple victims for small amounts of money. For a hypothetical scheme in which 100 Michigan victims were each defrauded of $199 (for a total loss of $19,900), it would only be possible to charge 100 misdemeanor counts with a 93-day penalty.11
The Michigan Legislature is working to correct the problems existing in Michigan's computer crimes statute. As of March 2000, the Michigan Legislature was close to enacting House Bills 5184-87. These bills would, inter alia:
(1) change the definition of "aggregate amount" to permit aggregation of loss for multiple victims
(2) criminalize both the unauthorized access to computer and the unauthorized insertion provisions without regard to the amount lost
(3) allow the general provision making it a crime to use a computer to commit any crime to be used without regard to the amount of loss and tailor the penalty for this provision to the underlying crime that the computer was used to commit
These legislative changes would significantly enhance the utility of MCL 752.791-797 as a tool for law enforcement.
RECENT COMPUTER CRIME LEGISLATION
In the summer of 1999, the Michigan Legislature enacted MCL 750.145d to enhance the penalties for crimes involving both minors and the use of computers.12 MCL 750.145d makes it a crime to use a computer to communicate with any person for the purpose of committing, attempting, conspiring to commit, or soliciting another person to commit certain specified crimes13 where the victim or intended victim is a minor.
Effective March 10, 2000, the Michigan Legislature amended MCL 750.145d to prohibit using a computer to communicate with any person for the purpose of committing, attempting to commit, conspiring to commit, or soliciting another person to commit, without regard to whether the victim is a minor, stalking, aggravated stalking, and various explosives and gambling violations.14
The March 10, 2000 amendment is likely not the last change to this statute. As of March 2000, the Michigan Legislature was close to enacting Senate Bills 893 and 894. These bills, which are expected to become law, would, inter alia: (1) allow use of this statute when the defendant believed that the victim was a minor;15 and (2) tailor the penalty for a violation of this statute to the underlying crime.
TRADITIONAL CRIMES COMMITTED THROUGH USE OF COMPUTER
While the Internet presents new problems for fighting crime, prosecutors should not be deterred from charging traditional crimes committed through the use of a computer using existing Michigan laws. Laws on communications offenses,16 obscenity,17 solicitation of minors and child pornography,18 sales of controlled substances,19 fraud,20 and other crimes,21 are available to prosecute crimes committed over the Internet. Shortcomings often exist in the application of these traditional laws to Internet related crimes;22 nevertheless, many of Michigan's longstanding criminal statutes provide an instrument to consider using until the Michigan Legislature equips law enforcement with more effective alternatives.23
Aside from the "pure" computer crimes such as those prohibited in Michigan's computer crimes statute, many of the violations committed over the Internet can be described as little more than "old wine in new bottles"—the crime is the same even though the method for committing the crime has changed. While not ideally situated, Michigan law enforcement is presently equipped with various statutes that provide the means to investigate and prosecute computer-related crimes. The Michigan Legislature, in attempting24 to address the problems presented to Michigan citizens by the Internet, will continue to consider computer-related legislation.25
1In the context of a computer crime investigation, various laws presently exist permitting access to electronically stored evidence. While the breadth of this topic—retrieval of electronic evidence in a criminal law context—is beyond the scope of this article, certain laws are worth mentioning. For example, the Electronic Communications Privacy Act, 18 USC 2701 et seq., establishes procedures for law enforcement to obtain stored public electronic communications from Internet service providers.
Another federal statute, 18 USC 3121 et seq., governs the issuance of pen register and trap and trace device orders. This federal law provides tools for computer crime investigators to obtain real-time monitoring information regarding where a computer intruder may be coming from or where the intruder is going. Pen register and trap and trace orders are available to Michigan law enforcement.
The federal wiretap statute, 18 USC 2510 et seq., governs the interception of the content of real-time electronic communications—the content, for example, of an incoming or outgoing electronic mail. While a state officer could participate in and seek to admit federal wiretap evidence (for certain felonies) in state court, Michigan law does not presently permit a court-authorized wiretap. As of March 2000, the Michigan Legislature was considering a Michigan wiretap bill similar to the federal law. See SB 497.
Additionally, Michigan law enforcement can, in some instances, use an investigative subpoena to obtain electronic records. See MCL 767A.1 et seq.
Finally, investigators can use the traditional search warrant to obtain a variety of electronic records—both from public electronic communication providers as well as from defendants who somehow use their computers in the commission of a crime.
If retrieval of electronic evidence is important in a case, the reader is advised to thoroughly study these complex statutes and the application of the Fourth Amendment to searching and seizing computers.
2 See, e.g., House Bills 5184-5187. The most recent status of these bills can be viewed by visiting the Michigan Legislature's website at www.michiganlegislature.org
3 MCL 752.795(a).
4 MCL 752.795(b).
5 MCL 752.794.
6 MCL 752.796.
7Application of the computer crimes statute has not been fully tested. As of the preparation of this article, only one published case has interpreted the statute. People v Jemison, 187 Mich App 90 (1991) (computer fraud conviction of DSS employee not supported by sufficient evidence; statute requires more than merely supplying bogus information that finds its way into a computer system).
8 MCL 752.797 (up to $200 loss/93-day misdemeanor; $200-1,000 loss/one-year misdemeanor; $1,000-20,000 loss/five-year felony; $20,000 plus loss/10-year felony).
9 MCL 752.792(2).
10 MCL 752.793(2).
11 If facing that situation, a prosecutor may want to consider charging the fraud scheme under a different statute, such as MCL 750.218, which allows aggregation as to multiple incidents over a 12-month period of time.
12 Violation of MCL 750.145d is a two-year felony for a first offense, or a five-year felony if the defendant has one or more prior convictions for a violation of the statute. The court may order this penalty consecutive to the penalty for the underlying crime.
13 The offenses include: Child sexual abuse, MCL 750.145c; kidnapping, MCL 750.349; stalking, MCL 750.411h; aggravated stalking, MCL 750.411i; criminal sexual conduct, MCL 750.520b-e; assault with intent to commit criminal sexual conduct, MCL 750.520g; soliciting a child for immoral purposes, MCL 750.145a; recruiting a minor to commit a felony, MCL 750.157c; and kidnapping a minor under age 14, MCL 750.350.
14 The original version of MCL 750.145d included stalking and aggravated stalking as specified crimes only when the victim or intended victim was a minor. Moreover, no explosives or gambling violations were included in the original version.
15 For example, when the defendant believed that the victim was a minor but was actually an undercover officer posing as a minor.
16 See, e.g., MCL 750.411h and 750.411i (stalking and aggravated stalking; specifically includes "electronic communications"); MCL 750.411a (false crimes, reports to officers, bombings); MCL 750.352 (molesting and disturbing persons in pursuit of occupation, vocation, avocation); MCL 750.390 (malicious annoyance by writing); MCL 750.213 (malicious threats to extort money); MCL 750.540e (malicious use of service provided by communications common carrier); MCL 750.147b (ethnic intimidation). Prosecutors could consider these statutes to prosecute various computer-related offenses such as offensive e-mails in the work place, unsolicited e-mail that is obscene, and threatening e-mails or websites on the basis of race.
17 See, e.g., MCL 752.365 (obscenity); MCL 722.675 (distributing obscene matter to a minor); MCL 722.677 (displaying obscene matter to a minor).
18 See, e.g., MCL 750.13 (enticing away a female under 16); MCL 750.145a (soliciting a child for immoral purposes); MCL 750.520b-g (criminal sexual conduct); MCL 750.145c (child sexual abuse).
19 MCL 333.7453 (sale of drug paraphernalia—includes "kits"); MCL 333.7407a; 333.7401 (inducement/solicitation to manufacture controlled substances); MCL 750.157a (conspiracy).
20 See, e.g., MCL 750.218 (false pretenses with intent to defraud).
21 For example, MCL 750.540 (cutting, breaking, tapping, connecting line, wire, or cable) could be considered in prosecuting less damaging intrusions into computer systems (not tied to monetary loss).
22 For example, many of the statutes provide maximum penalties of only 90 days imprisonment or do not clearly apply to the manner in which the Internet was used to commit the crime ( e.g., a defendant who solicits others to harass his ex-wife through a misrepresentation on an electronic bulletin board is likely not prosecutable under the stalking statute, MCL 750.411h and i).
23 Effective February 3, 2000, the Michigan Legislature created an identity theft law that, while no mention is made of use of a computer or the Internet, could be used in the Internet context. MCL 750.219e and 750.219f incriminate (without regard to a financial amount of loss) the use of another's identity to apply for a loan or extension of credit—common occurrences over the Internet.
24 For example, 1999 Public Act 33, amending MCL 722.671, et seq., approved by Governor Engler on June 1, 1999, and intended to be effective August 1, 1999, would have incriminated the knowing dissemination of sexually explicit material to a minor. Shortly after the filing of a federal complaint by various organizations and individuals in the United States District Court, Eastern District of Michigan, asserting a violation of the First Amendment and the Commerce Clause of the U.S. Constitution, U.S. District Court Judge Arthur Tarnow found the statute unconstitutional. Cyberspace Communications, Inc, et al. v John Engler, et al., No. 99-CV-73150 (July 29, 1999).
25 For example, as of March 2000, the Michigan Legislature was considering, inter alia, Senate Bill 526 (to incriminate use of computer to sell liquor to minors), House Bill 4689 (to incriminate use of Internet to engage in gambling or offer gambling), and Senate Bill 936 (requiring libraries, if they offer Internet access, to make computers available with both unrestricted and restricted access).