Document Type


Publication Date



Two of the most talked-about crimes of the year, the ILoveYou computer worm and the denial of service attacks on Yahoo, eBay, and ETrade, suggest that a new form of crime is emerging: cybercrime. Thousands of these crimes occur each year, and the results are often catastrophic; in terms of economic damage, the ILoveYou worm may have been the most devastating crime in history, causing more than $11 billion in losses.

This paper asks how cybercrime is best deterred. It identifies five constraints on crime - legal sanctions, monetary perpetration cost, social norms, architecture, and physical risks - and explains how each of these constraints may be reduced by committing crime in cyberspace. The ease of cybercrime risks negative substitution effects, as offenders move away from realspace and look towards the Net. Because cybercrime requires fewer resources and less investment to cause a given level of harm, the law might want to use approaches that differ somewhat from those in realspace. In part, this is so because computers provide a cheaper means to perpetrate crime. Criminal law must be concerned not only with punishing crime ex post, but with creating ex ante barriers to inexpensive ways of carrying out criminal activity. For example, if computers serve as substitutes for conspirators, then law might develop doctrines that treat computers as quasi-conspirators and establish inchoate liability.

Some government barriers, however, will create dead-weight losses. For example, encryption has the potential to further massive terrorism (which leads many in the law enforcement community to advocate its criminalization) but also the potential to facilitate greater security in communication and encourage freedom (which leads many others to push for unfettered access to the technology). To help solve such problems, the paper advocates the use of sentencing enhancements as tools that surgically target bad acts. Sentencing enhancements have received relatively little attention in the academic literature; this Article attempts to fill that gap.

Cyberspace also adds additional parties to the traditional perpetrator-victim scenario of crime. In particular, much cybercrime is carried out through the use of Internet Service Providers. Law should impose modest responsibilities on third parties because doing so promotes cost deterrence and capitalizes on what Reinier Kraakman has called gatekeeper liability. Third parties can develop ways to make crime more expensive, and may be able to do so in ways that the government cannot always directly accomplish, such as cost effective regulation of the architecture of the Net. The same logic sometimes applies to victims of cybercrime; law can develop mechanisms to encourage optimal victim behavior as well. Burden-shifting must not, however, sacrifice the value of interconnectivity and network effects.

Publication Citation

149 U. Pa. L. Rev. 1003 (2000-2001)