Another factor that makes a hard-and-fast definition of cybercrime difficult is the jurisdictional dilemma. Laws in different jurisdictions define terms differently, and it is important for law enforcement officers who investigate cybercrime, as well as network administrators who want to become involved in prosecuting cybercrimes that are committed against their networks, to become familiar with the applicable laws. In the case of most crimes in the United States, that means getting acquainted with local ordinances and state statutes that pertain to the offense. Generally, criminal behavior is subject to the jurisdiction in which it occurs. For example, if someone assaults you, you would file charges with the local police in the city or town where the assault actually took place.
Because cybercrimes often occur in the virtual place we call cyberspace, it becomes more difficult to know what laws apply. In many cases, offender and victim are hundreds or thousands of miles apart and might never set foot in the same state or even the same country. Because laws can differ drastically in different geographic jurisdictions, an act that is outlawed in one location could be legal in another.
What can you do if someone in California, which has liberal obscenity laws, makes pornographic pictures available over the Internet to someone in Tennessee, where prevailing community standardson which the states laws are basedare much more conservative? Which state has jurisdiction? Can you successfully prosecute someone under state law for commission of a crime in a state where that person has never been? As a matter of fact, that was the subject of a landmark case, U.S. v. Thomas and Thomas (see the CyberLaw Review sidebar in this section).
U.S. v. Thomas and Thomas
Robert and Carleen Thomas, residents of California, were charged with violation of the obscenity laws in Tennessee when a Memphis law enforcement officer downloaded sexually explicit materials from their California Bulletin Board Service (BBS) to a computer in Tennessee. This was the first time prosecutors had brought charges in an obscenity case in the location where the material was downloaded rather than where it originated. The accused were convicted, and they appealed; the appeals court upheld the conviction and sentences; the U.S. Supreme Court rejected their appeal.
Even if the act that was committed is illegal across jurisdictions, however, you might find that no one wants to prosecute because of the geographic nightmare involved in doing so (see the On the Scene sidebar in this section for an example of one officers experience).
On the Scene
Real Life Experiences
From Wes Edens, Criminal Investigator and Computer Forensics Examiner
Heres how the typical multijurisdictional case complicates the life of a working police detective. Put yourself in this detectives shoes: Bob Smith, who lives in your jurisdiction in Oklahoma, reports that he has had some fraudulent purchases on his credit card. In addition, he has been informed that two accounts have been opened using his information via the Internet at two banks: Netbank, based in Georgia, and Wingspan, which was recently bought by Bank One. The suspect(s) applied for a loan to buy a car in Dallas, Texas. As a result, the suspects changed Bob's address on his credit profile to 123 Somewhere Street, Dallas. This is a nonexistent address. In the course of your investigation, you contact Netbank (Georgia) and they inform you that they do not keep Internet Protocol (IP) addresses of people opening accounts online. You obtain a copy of the online credit application. It contains all of Bob Smith's credit information, but the address is now 321 Elsewhere Street, Dallas. It is also a nonexistent address.
You contact all the companies at which purchases have been made with Bobs bogus credit cards. Half won't speak to you unless you have paperwork, and half of those say that the paperwork has to be from a court in the state where they are located, not where you are. Now you have to find police departments in five different states that are willing to help you generate court papers to get records. Since you have filed no charges and the victim (and presumably the suspect) do not live in their jurisdiction, most of these organizations are reluctant to get involved.
You get the paperwork from half of the companies. Of 10, only one actually has an IP address. It is an American Online (AOL) account, which means it could have been accessed from anywhere in the world, further complicating the jurisdictional nightmare, but you press on. You get a subpoena for AOL, requesting the subscriber information for that IP address at that date and time. Three weeks later, AOL informs you that they keep logs for only 21 days, so youre out of luck because the target IP date and time occurred two months ago.
You run down the 15 phone numbers used on the various suspect accounts and applications. All 15 are different. Three are in Dallas, two in Fort Worth, and the remainder are either disconnected numbers or are in a random spattering of towns across south Texas. There is no apparent connection between any of the numbers. You get the addresses used to ship the purchased items. Every address is different; three are in Dallas, two in Fort Worth. Several are either pay-by-the-week rentals or flop houses where people come and go as in a bus station. A couple are mail drops. You subpoena those records, only to find that all the information they contain is bogus. You decide to visit with your boss and explain to him that you need to travel to another state for a few days to solve this $1500 caper. He listens intently until you start mentioning going to Georgia, Maryland, and Texas. You then tell him you also have three other such cases that involve nine other states, and you'll probably have to go to all those locations, too. You can hear him laughing as he walks out the door.
You decide to go visit with the DA just for the heck of it. You explain the case thus far, and she asks: What crime was committed here? (Your answer: Well, none that I know of for sure.) Does the suspect live here? (Probably not.) Can we show that any exchange of money or physical contact between suspect and victim took place here? (No, not really.) Do you have any idea where the suspect is? (Probably in Texas.) Were any of the purchases made in Oklahoma? (No.) Why are you conducting this investigation? (Because the victim is standing in my office.)
The DA tells you that the victim needs to report this crime to the Texas authorities. You give the victim a list of seven different agencies in Texas, one in Georgia, and one in Maryland. You tell him that he needs to contact them. He calls you back three days later and says that they want him to go to each place to fill out a crime report and he can't afford to take off two weeks and travel 2000 miles to report that he is a victim. You suggest he call the FBI, even though deep down you know that they are not going to touch a $1500 fraud case.
You give up on that case and pick up the other three identity-theft cases that landed on your desk while you were spinning your wheels on this one. You note that all three were done entirely through the Internet and, like the first one, they all involve a multitude of states.
While well discuss jurisdictional issues in greater depth in Chapter 16, Building the Cybercrime Case, it is important that we also take notice of the other edge of this double-edged sword. Legislation in different states or countries may be in direct conflict or diverge from the intent of different laws or constitutional rights. For example, in 2001, a number of non-member States of the Council of Europe signed the Convention on Cybercrime treaty that we discussed earlier. These included Canada, Japan and the United States. The treaty was ratified by the U.S. Senate in 2006 and put it into force on January 1, 2007, improving international cooperation in cybercrime investigations. However, this has created some controversy, as the treaty doesnt require dual criminality, where an act must be criminal under the laws of both countries. This would enable one country to spy on the Internet activities of citizens of another country, where no laws have been broken. Under the terms of the treaty, a service provider would need to cooperate with search and seizures (without reimbursement), and may be prevented from deleting logs or other data related to a person who is law abiding in that country.