Cybercrime is, undoubtedly, a growing problem. Scarcely a week goes by without reports of massive online misconduct. The primary federal legislative response so far has been to impose computer abuse liability on network attackers. Every state has enacted a similar statute. But do these cybercrime statutes actually punish and deter hackers? Members of Congress and Department of Justice prosecutors think so - and have repeatedly sought to expand the scope and consequences of liability. Meanwhile, scholars, advocates, and some judges have argued that computer abuse legislation is overbroad and ineffective. Law and policy debate has proceeded from these dueling narratives, not from data. This Article presents the first comprehensive empirical analysis of litigation under the federal cybercrime statute, the Computer Fraud and Abuse Act. Drawing on a new dataset compiled from hundreds of civil and criminal pleadings, the Article addresses fundamental and unanswered questions about the on-the-ground function of cybercrime law. The data reflect that there has been a nationwide cybercrime litigation explosion, and most cases look nothing like the hacker archetype. The overwhelming majority of civil claims arise from mundane business and employment disputes, not sophisticated computer intrusions. And while federal prosecutors do sometimes charge serious offenders, the plurality fact pattern in criminal litigation involves a low-level government employee mishandling data. What's more, cybercrime law appears to be redundant in civil cases, and there is little reason to believe that it deters the most concerning hackers. The Article closes with normative recommendations. In the near term, I suggest that (1) Congress and state legislatures should repeal civil cybercrime liability, (2) prosecutors should establish enforcement policies that prioritize significant misconduct, and (3) courts should narrowly construe cybercrime statutes to better effectuate legislative intent. As a structural matter, I challenge the net benefit of cybercrime law. An expansive computer abuse construct is a poor fit for modern technology, which is increasingly pervasive and increasingly shared. Policy should emphasize alternative means of protecting computer security and privacy.
|Original language||English (US)|
|Number of pages||55|
|Journal||University of Pennsylvania Law Review|
|State||Published - Jul 2016|
All Science Journal Classification (ASJC) codes