Tuesday, December 02, 2014
We live in a world of passwords. We use them for everything: to access
our e-mail and credit cards; to read content on LexisNexis and
ESPN.com; to chat with our friends on America Online and Yahoo!. We
have so many of them it can be easy to forget which password belongs to
which service. Because of their ubiquity, we also tend to reuse our passwords.
The password to access my e-mail, for instance, is the same
password I use to access LexisNexis. The ubiquity of passwords, however,
has given rise to an entire criminal enterprise focused on acquiring
them. Criminals reason, rightly so, that if they have acquired one
* Georgetown University Law Center, JD May, 2006. The author would like to thank
Professor Neal Kumar Katyal for his assistance.
password, they have access to much of what you do.1 Consequently, security
experts have suggested for years that to increase security,
computer users should vary their passwords frequently, and use different
passwords for different services.2 Few take this advice.3 In a world built
on access and information, the password has become the ultimate skeleton
key.
While stealing passwords is not a new crime, in the world of Internet
theft, it has taken on new dimensions. In general, identifying the victim
of criminal behavior on the Internet has become increasingly difficult.
Traditional notions of criminal deterrence—from both economic and
sociological perspectives—have become skewed in a world where even
the criminal does not necessarily know who he is criminalizing.4 The
anonymous nature of the Internet, where the identity of criminals can be
obscured, and the identity of the victims is often unknown even to the
criminals, has elicited a number of proposals from scholars.5 These proposals
have ranged from regulating the very code of cyberspace6 to
acquiescence in the face of Internet’s anarchic nature.7 The threat of
stealing a password—a sequence of digits that may contain access to an
individual’s entire life savings and private thoughts—has given these
concerns a heightened sense of urgency.
In late 1999, the world got its first glimpse on a mass scale of the
difficulties Internet crime poses. Napster, with access to millions of
Internet users who had billions of directories containing countless
amounts of copyrighted material, created the world’s largest marketplace
for music theft.8 The astonishing feature of the Napster revolution, however,
was not just its sheer size; it was the kind of people involved.
College students, who otherwise would not shoplift a candy bar, engaged
in widespread copyright theft, rationalizing their behavior on a variety of
1. See, Jack Seward, Always Look Both Ways—Especially When Using Digital/
Electronic Communications, Am. Bankruptcy Institute.
4. See generally Gary Becker, Crime and Punishment: An Economic Approach, 76 J.
Pol. Econ. 69 (1968) (analyzing criminal behavior from an economic perspective); Michel
Foucault, Discipline and Punish 73–103 (Alan Sheridan trans., Vintage Books 1979) (1975)
(a sociological perspective on criminal behavior).
5. See generally, Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. Pa. L.
Rev. 1003 (2001); Lawrence Lessig, Code and Other Laws of Cyberspace, 46–7 (1999).
6. Lessig, supra note 5, at 85–86.
7. Dov Wisebrod, Controlling the Uncontrollable: Regulating the Internet, 4 Media &
Comm. L. Rev. 331 (1995), available at http://www.catalaw.com/dov/docs/dw-inet.htm.
8. For a legal discussion of why Napster’s actions constituted copyright infringement,
see A&M Records v. Napster, Inc., 284 F.3d 1091 (9th Cir. 2002).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Spring 2006] Password Theft 337
factors. While many griped about the expense of albums, the ease of access,
or the effect of peer pressure, the fundamental issue was quite
simple, if unstated: no one thought it was a crime. Put bluntly, copying
your friend’s music files was widely considered victimless, harmless.
Seven years later, there has been an astonishing turn around in the
public perception of music downloading. According to a recent study,
legal music downloading has tripled, while illegal downloading has
grown at a far slower pace.9 A 2004 Pew survey showed that illegal music
downloading is on the decline.10 Something happened between 1999
and the present that has changed people’s minds about music downloading.
What was once an acceptable action, committed by almost every
college and high school student with a high-speed Internet connection, is
now viewed by millions as criminal.
Clearly a part of what happened in the Napster story is that people
began to view the act of downloading music freely as illegal. A significant
part of this was accomplished by shifting victimhood—instead of
thinking of it as harmlessly taking the music from someone’s computer,
people began to think of music downloading as stealing directly from the
record companies and artists. By putting themselves out in front as the
victims, the Recording Industry Association of America (RIAA) helped
reshape the governing norms of the times, and as a result, people viewed
the act of file-sharing differently.11 By forcing people to see music
downloading as a form of theft, the RIAA was quite successful in deterring
it. In the process, they also proposed a radical view of theft that
changes our basic economic understandings of the action.
The Napster story serves as a useful template for thinking about
password theft. If Tom steals Mary’s password to access her LexisNexis
account, there are two possible victims: Mary and Lexis. At first glance,
we would probably say Mary is the primary victim, but that is not altogether
clear. After all, Tom would probably argue that Mary can still
access LexisNexis even as he is using her password. And even if Lexis
were to design their software to deprive Tom and Mary of simultaneous
use, Tom is likely to argue that he is not really harming Mary because he
is only depriving her of the short period of usage when he is online: the
deprivation is not permanent. This problem is further complicated if,
rather than stealing her Lexis password, Tom borrows it from Mary with
her permission. In this case, Mary is no longer a victim, she is a
9. Keith Regan, Study: Legal Music Downloading Triples Worldwide, E-Commerce
Times, July 21, 2005, http://www.ecommercetimes.com/story/44871.html.
10. Techweb.com, Survey: Illegal Music Downloading Declines, TechWeb, Jan. 05,
2004, http://www.techweb.com/wire/26803753.
11. But cf. Katyal, supra note 5, at 1033 (arguing that harnessing third parties, like
credit card companies, can make music theft less profitable and thereby deter it).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
338 Michigan Telecommunications and Technology Law Review [Vol. 12:335
co-conspirator, and the real victim has become even further obscured. If
we think of LexisNexis as the victim in both scenarios, however, the answer
becomes clearer: in both cases Tom’s actions were criminal, and
Mary was his co-criminal in the second scenario.
This paper argues that the RIAA’s model for deterring music theft
could be successfully used to deter many other forms of computer theft,
and, specifically, stealing passwords. By focusing on the victim, contentproviders
can alter people’s views of their own actions, thereby properly
bringing what was once an innocuous activity into the realm of the
criminal where it belongs. To accomplish this task, however, we have to
comport our traditional views of theft to the realities of the Internet.
First, economic notions of rivalry and non-rivalry are undermined in a
digital world where data is infinitely copyable, and these notions need to
be updated appropriately. Secondly, finding real space analogues to
password theft is important when locating an existing legal framework in
which to work. This Note attempts to do both.
Part I of this Note gives a brief background and explication of rivalrous
and non-rivalrous theft, and the problems that the Internet poses,
specifically in the music downloading area. In so doing, I propose a new
way of conceiving of rivalry that fits into the realities of digital networks.
Part II is an analysis of password theft, in particular the
distinction between first-party and second-party password theft. Firstparty
password theft concerns actions—stealing personal identification
numbers and the like—that are probably familiar to most readers. Second-
party password theft, however, is a far more radical notion that is
crucial for understanding why password theft in general is criminal, and
why it can be so damaging. I analogize first and second-party password
theft to larceny and embezzlement, respectively; the purpose of this is to
provide a legal framework for analyzing password theft as a criminal
activity. Additionally, I show how the updated views of rivalry proposed
in Part I allow us to evaluate properly the harm that password theft
causes. Finally, Part III argues that by following the model of the RIAA,
the government, content-providers, and law enforcement can effectively
deter password theft in a variety of ways.
I. Rivalrous versus Non-Rivalrous Theft
Economic theory distinguishes between two forms of theft: rivalrous
and non-rivalrous.12 Rivalrous theft is traditionally understood as theft
that deprives the victim of using whatever it is that was stolen. So if John
12. For a general introduction, see generally David A. Besanko & Ronald R. Braeutigam,
Microeconomics: An Integrated Approach 749 (2001).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Spring 2006] Password Theft 339
steals Frank’s car, the theft is rivalrous because John has taken the car
and deprived Frank of its usage. Non-rivalrous theft is theft that does not
deprive the victim of any usage. The classic example of non-rivalrous
theft is information. If Tom tries to sell information, and Frank steals it,
theoretically he is not depriving Tom of selling just as much information
as before. The theft, in other words, causes no depletion.13 The two models
of theft therefore reflect two forms of goods: those that deplete and
those that do not.
Accordingly, theft that is not rivalrous, under the common law, is not
theft.14 The traditional laws regarding theft always required some form of
permanent deprivation, whether the theft was characterized as larceny or
embezzlement.15 Unauthorized use of information is usually protected by
copyright or intellectual property laws designed to encourage innovation
while preventing usurpation of ideas and free-riding.16 So if Frank photocopies
Tom’s book and attempts to sell it as his own, his actions are
criminalized by copyright law, not the traditional laws of theft. Theoretically
at least, Tom has not been deprived of anything—he can sell just as
many books as he had before. In contrast, if Frank walks into a bookstore
and steals Tom’s book from the store, his theft has deprived the
bookstore of a book it could have sold. Because the law recognizes the
important public good that information represents, goods that do not deplete
with theft—like information—are not accorded the same level of
protection as those goods that do.
In a digital world, however, this dichotomy begins to find itself on
shaky ground, as it becomes unclear who the law is supposed to protect.
In real space, information can easily be protected by copyright law, because
it is readily apparent whom we are protecting—the innovators,
creators, and disseminators of that information.17 Digitization, however,
has allowed information to be replicated and disseminated faster and
13. See James Boyle, The Second Enclosure Movement and the Construction of the
Public Domain, L. & Contemp. Probs. Winter-Spring 2003, at 33, 41 (“By contrast, a gene
sequence, an MP3 file, or an image may be used by multiple parties; my use does not interfere
with yours. To simplify a complicated analysis, this means that the threat of overuse of fields
and fisheries is generally not a problem with the informational or innovational commons”);
Robert P. Merges et al., Intellectual Property in the New Technological Age, 13
(Aspen Law & Business, 2d ed. 2000).
14. See, e.g., Kansas v. Allen, 917 P.2d 848, 853 (Kan. 1996) (internal quotation marks
omitted) (“Theft . . . is not concerned with mere occupation, detention, observation, or tampering,
but rather requires permanent deprivation. The intent required for theft is an intent to
deprive the owner permanently of the possession, use, or benefit of the owner’s property”).
15. Wayne R. LaFave, Criminal Law, §§ 19.2, 19.6 (4th ed. 2003).
16. See, e.g., Mark A. Lemley, Property, Intellectual Property, and Free Riding, 83 Tex.
L. Rev. 1031 (2005).
17. See 17 U.S.C. § 201(a) (2005) (establishing that the author of a work owns the
copyright).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
340 Michigan Telecommunications and Technology Law Review [Vol. 12:335
wider than ever before. Buying and selling information is no longer prohibitively
expensive, and copyright law has proven insufficient in
protecting holders.18 Furthermore, on digital networks it is harder to determine
who owns the copyright. In real space, when a consumer
purchases a book or CD, the copyright owner’s mark is stamped on the
product, and the consumer readily recognizes ownership of the copyright.
19 The protection that the law accords to copyrighted material in this
setting is therefore lower than that accorded to rivalrous goods. On the
Internet, however, the copyright owner is not readily apparent; information
appears as anonymous digital files that may not bear any mark or
distinguishing feature, and users have no easy way of determining who
owns that particular file, let alone the copyright. The real space level of
protection accorded to copyrighted material is not sufficient in this environment.
What actually happened in the Napster story was a profound shift in
an understanding of rivalrous versus non-rivalrous theft. From a traditional
standpoint, downloading music should be viewed as non-rivalrous
theft—when Tom downloads music off of Frank’s computer, he never
deprived Frank, or anyone, of listening to that song or purchasing that
song. Theoretically, just as many songs could be purchased after the
download. The trouble with this construction is that it views Frank as the
victim, when in reality he is hardly a victim; if anything, by making his
music available on his computer, Frank is an enabler.20 When Napster
took off, this question of who the victim was had no apparent answer,
and that in large part fueled Napster’s popularity: music downloading,
our e-mail and credit cards; to read content on LexisNexis and
ESPN.com; to chat with our friends on America Online and Yahoo!. We
have so many of them it can be easy to forget which password belongs to
which service. Because of their ubiquity, we also tend to reuse our passwords.
The password to access my e-mail, for instance, is the same
password I use to access LexisNexis. The ubiquity of passwords, however,
has given rise to an entire criminal enterprise focused on acquiring
them. Criminals reason, rightly so, that if they have acquired one
* Georgetown University Law Center, JD May, 2006. The author would like to thank
Professor Neal Kumar Katyal for his assistance.
password, they have access to much of what you do.1 Consequently, security
experts have suggested for years that to increase security,
computer users should vary their passwords frequently, and use different
passwords for different services.2 Few take this advice.3 In a world built
on access and information, the password has become the ultimate skeleton
key.
While stealing passwords is not a new crime, in the world of Internet
theft, it has taken on new dimensions. In general, identifying the victim
of criminal behavior on the Internet has become increasingly difficult.
Traditional notions of criminal deterrence—from both economic and
sociological perspectives—have become skewed in a world where even
the criminal does not necessarily know who he is criminalizing.4 The
anonymous nature of the Internet, where the identity of criminals can be
obscured, and the identity of the victims is often unknown even to the
criminals, has elicited a number of proposals from scholars.5 These proposals
have ranged from regulating the very code of cyberspace6 to
acquiescence in the face of Internet’s anarchic nature.7 The threat of
stealing a password—a sequence of digits that may contain access to an
individual’s entire life savings and private thoughts—has given these
concerns a heightened sense of urgency.
In late 1999, the world got its first glimpse on a mass scale of the
difficulties Internet crime poses. Napster, with access to millions of
Internet users who had billions of directories containing countless
amounts of copyrighted material, created the world’s largest marketplace
for music theft.8 The astonishing feature of the Napster revolution, however,
was not just its sheer size; it was the kind of people involved.
College students, who otherwise would not shoplift a candy bar, engaged
in widespread copyright theft, rationalizing their behavior on a variety of
1. See, Jack Seward, Always Look Both Ways—Especially When Using Digital/
Electronic Communications, Am. Bankruptcy Institute.
4. See generally Gary Becker, Crime and Punishment: An Economic Approach, 76 J.
Pol. Econ. 69 (1968) (analyzing criminal behavior from an economic perspective); Michel
Foucault, Discipline and Punish 73–103 (Alan Sheridan trans., Vintage Books 1979) (1975)
(a sociological perspective on criminal behavior).
5. See generally, Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. Pa. L.
Rev. 1003 (2001); Lawrence Lessig, Code and Other Laws of Cyberspace, 46–7 (1999).
6. Lessig, supra note 5, at 85–86.
7. Dov Wisebrod, Controlling the Uncontrollable: Regulating the Internet, 4 Media &
Comm. L. Rev. 331 (1995), available at http://www.catalaw.com/dov/docs/dw-inet.htm.
8. For a legal discussion of why Napster’s actions constituted copyright infringement,
see A&M Records v. Napster, Inc., 284 F.3d 1091 (9th Cir. 2002).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Spring 2006] Password Theft 337
factors. While many griped about the expense of albums, the ease of access,
or the effect of peer pressure, the fundamental issue was quite
simple, if unstated: no one thought it was a crime. Put bluntly, copying
your friend’s music files was widely considered victimless, harmless.
Seven years later, there has been an astonishing turn around in the
public perception of music downloading. According to a recent study,
legal music downloading has tripled, while illegal downloading has
grown at a far slower pace.9 A 2004 Pew survey showed that illegal music
downloading is on the decline.10 Something happened between 1999
and the present that has changed people’s minds about music downloading.
What was once an acceptable action, committed by almost every
college and high school student with a high-speed Internet connection, is
now viewed by millions as criminal.
Clearly a part of what happened in the Napster story is that people
began to view the act of downloading music freely as illegal. A significant
part of this was accomplished by shifting victimhood—instead of
thinking of it as harmlessly taking the music from someone’s computer,
people began to think of music downloading as stealing directly from the
record companies and artists. By putting themselves out in front as the
victims, the Recording Industry Association of America (RIAA) helped
reshape the governing norms of the times, and as a result, people viewed
the act of file-sharing differently.11 By forcing people to see music
downloading as a form of theft, the RIAA was quite successful in deterring
it. In the process, they also proposed a radical view of theft that
changes our basic economic understandings of the action.
The Napster story serves as a useful template for thinking about
password theft. If Tom steals Mary’s password to access her LexisNexis
account, there are two possible victims: Mary and Lexis. At first glance,
we would probably say Mary is the primary victim, but that is not altogether
clear. After all, Tom would probably argue that Mary can still
access LexisNexis even as he is using her password. And even if Lexis
were to design their software to deprive Tom and Mary of simultaneous
use, Tom is likely to argue that he is not really harming Mary because he
is only depriving her of the short period of usage when he is online: the
deprivation is not permanent. This problem is further complicated if,
rather than stealing her Lexis password, Tom borrows it from Mary with
her permission. In this case, Mary is no longer a victim, she is a
9. Keith Regan, Study: Legal Music Downloading Triples Worldwide, E-Commerce
Times, July 21, 2005, http://www.ecommercetimes.com/story/44871.html.
10. Techweb.com, Survey: Illegal Music Downloading Declines, TechWeb, Jan. 05,
2004, http://www.techweb.com/wire/26803753.
11. But cf. Katyal, supra note 5, at 1033 (arguing that harnessing third parties, like
credit card companies, can make music theft less profitable and thereby deter it).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
338 Michigan Telecommunications and Technology Law Review [Vol. 12:335
co-conspirator, and the real victim has become even further obscured. If
we think of LexisNexis as the victim in both scenarios, however, the answer
becomes clearer: in both cases Tom’s actions were criminal, and
Mary was his co-criminal in the second scenario.
This paper argues that the RIAA’s model for deterring music theft
could be successfully used to deter many other forms of computer theft,
and, specifically, stealing passwords. By focusing on the victim, contentproviders
can alter people’s views of their own actions, thereby properly
bringing what was once an innocuous activity into the realm of the
criminal where it belongs. To accomplish this task, however, we have to
comport our traditional views of theft to the realities of the Internet.
First, economic notions of rivalry and non-rivalry are undermined in a
digital world where data is infinitely copyable, and these notions need to
be updated appropriately. Secondly, finding real space analogues to
password theft is important when locating an existing legal framework in
which to work. This Note attempts to do both.
Part I of this Note gives a brief background and explication of rivalrous
and non-rivalrous theft, and the problems that the Internet poses,
specifically in the music downloading area. In so doing, I propose a new
way of conceiving of rivalry that fits into the realities of digital networks.
Part II is an analysis of password theft, in particular the
distinction between first-party and second-party password theft. Firstparty
password theft concerns actions—stealing personal identification
numbers and the like—that are probably familiar to most readers. Second-
party password theft, however, is a far more radical notion that is
crucial for understanding why password theft in general is criminal, and
why it can be so damaging. I analogize first and second-party password
theft to larceny and embezzlement, respectively; the purpose of this is to
provide a legal framework for analyzing password theft as a criminal
activity. Additionally, I show how the updated views of rivalry proposed
in Part I allow us to evaluate properly the harm that password theft
causes. Finally, Part III argues that by following the model of the RIAA,
the government, content-providers, and law enforcement can effectively
deter password theft in a variety of ways.
I. Rivalrous versus Non-Rivalrous Theft
Economic theory distinguishes between two forms of theft: rivalrous
and non-rivalrous.12 Rivalrous theft is traditionally understood as theft
that deprives the victim of using whatever it is that was stolen. So if John
12. For a general introduction, see generally David A. Besanko & Ronald R. Braeutigam,
Microeconomics: An Integrated Approach 749 (2001).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
Spring 2006] Password Theft 339
steals Frank’s car, the theft is rivalrous because John has taken the car
and deprived Frank of its usage. Non-rivalrous theft is theft that does not
deprive the victim of any usage. The classic example of non-rivalrous
theft is information. If Tom tries to sell information, and Frank steals it,
theoretically he is not depriving Tom of selling just as much information
as before. The theft, in other words, causes no depletion.13 The two models
of theft therefore reflect two forms of goods: those that deplete and
those that do not.
Accordingly, theft that is not rivalrous, under the common law, is not
theft.14 The traditional laws regarding theft always required some form of
permanent deprivation, whether the theft was characterized as larceny or
embezzlement.15 Unauthorized use of information is usually protected by
copyright or intellectual property laws designed to encourage innovation
while preventing usurpation of ideas and free-riding.16 So if Frank photocopies
Tom’s book and attempts to sell it as his own, his actions are
criminalized by copyright law, not the traditional laws of theft. Theoretically
at least, Tom has not been deprived of anything—he can sell just as
many books as he had before. In contrast, if Frank walks into a bookstore
and steals Tom’s book from the store, his theft has deprived the
bookstore of a book it could have sold. Because the law recognizes the
important public good that information represents, goods that do not deplete
with theft—like information—are not accorded the same level of
protection as those goods that do.
In a digital world, however, this dichotomy begins to find itself on
shaky ground, as it becomes unclear who the law is supposed to protect.
In real space, information can easily be protected by copyright law, because
it is readily apparent whom we are protecting—the innovators,
creators, and disseminators of that information.17 Digitization, however,
has allowed information to be replicated and disseminated faster and
13. See James Boyle, The Second Enclosure Movement and the Construction of the
Public Domain, L. & Contemp. Probs. Winter-Spring 2003, at 33, 41 (“By contrast, a gene
sequence, an MP3 file, or an image may be used by multiple parties; my use does not interfere
with yours. To simplify a complicated analysis, this means that the threat of overuse of fields
and fisheries is generally not a problem with the informational or innovational commons”);
Robert P. Merges et al., Intellectual Property in the New Technological Age, 13
(Aspen Law & Business, 2d ed. 2000).
14. See, e.g., Kansas v. Allen, 917 P.2d 848, 853 (Kan. 1996) (internal quotation marks
omitted) (“Theft . . . is not concerned with mere occupation, detention, observation, or tampering,
but rather requires permanent deprivation. The intent required for theft is an intent to
deprive the owner permanently of the possession, use, or benefit of the owner’s property”).
15. Wayne R. LaFave, Criminal Law, §§ 19.2, 19.6 (4th ed. 2003).
16. See, e.g., Mark A. Lemley, Property, Intellectual Property, and Free Riding, 83 Tex.
L. Rev. 1031 (2005).
17. See 17 U.S.C. § 201(a) (2005) (establishing that the author of a work owns the
copyright).
SHAMAH FINALTYPEAND PAGINATED.DOC 10/3/2006 9:11 AM
340 Michigan Telecommunications and Technology Law Review [Vol. 12:335
wider than ever before. Buying and selling information is no longer prohibitively
expensive, and copyright law has proven insufficient in
protecting holders.18 Furthermore, on digital networks it is harder to determine
who owns the copyright. In real space, when a consumer
purchases a book or CD, the copyright owner’s mark is stamped on the
product, and the consumer readily recognizes ownership of the copyright.
19 The protection that the law accords to copyrighted material in this
setting is therefore lower than that accorded to rivalrous goods. On the
Internet, however, the copyright owner is not readily apparent; information
appears as anonymous digital files that may not bear any mark or
distinguishing feature, and users have no easy way of determining who
owns that particular file, let alone the copyright. The real space level of
protection accorded to copyrighted material is not sufficient in this environment.
What actually happened in the Napster story was a profound shift in
an understanding of rivalrous versus non-rivalrous theft. From a traditional
standpoint, downloading music should be viewed as non-rivalrous
theft—when Tom downloads music off of Frank’s computer, he never
deprived Frank, or anyone, of listening to that song or purchasing that
song. Theoretically, just as many songs could be purchased after the
download. The trouble with this construction is that it views Frank as the
victim, when in reality he is hardly a victim; if anything, by making his
music available on his computer, Frank is an enabler.20 When Napster
took off, this question of who the victim was had no apparent answer,
and that in large part fueled Napster’s popularity: music downloading,
