Burglar's Tools

As I’ve noted before, many U.S. states (and probably many countries) outlaw the possession of “burglar’s tools.”

Here’s New York’s possession of burglar’s tools statute:

A person is guilty of possession of burglar's tools when he possesses any tool, instrument or other article adapted, designed or commonly used for committing or facilitating offenses involving forcible entry into premises. . . under circumstances evincing an intent to use or knowledge that some person intends to use the same in the commission of an offense of such character.

McKinney’s Penal Law of New York § 140.35. Possession of burglar’s tools is a misdemeanor under § 140.35.

Some states go further and outlaw creating burglar’s tools:

A person is guilty of manufacturing . . . burglar's tools when he manufactures . . . any tool, instrument or other thing adapted, designed or commonly used for advancing or facilitating offenses involving unlawful entry into premises . . .under circumstances manifesting an intent to use or knowledge that some person intends to use the same in the commission of an offense of such character.

Connecticut General Statutes Annotated § 531-106(a). Manufacturing burglar’s tools is a misdemeanor under the Connecticut statute.

The rationale for outlawing the possession of burglar’s tools is the same as the rationale for outlawing an attempt to commit a crime: In both instances, the law (i.e., the burglar’s tools law or the law making it a crime to attempt to commit a crime like murder or theft) lets police interrupt someone before they have actually completed the commission of the crime they’re clearly heading toward.

Attempt is an inchoate, or incomplete, crime.. If police get credible information that John Doe is going to murder his neighbor on Friday, and if they investigate and find evidence corroborating what they’re heard (e.g., Doe has bought a high-powered rifle or poison and he has been telling people his neighbor “won’t be around any more”), then they can arrest Doe for attempting to murder his neighbor. Obviously, the evidence has to be pretty strong to support their conclusion that he was attempting to do so; we don’t lock people up for simply holding a grudge against their neighbor or saying bad things about them. But if they’ve clearly embarked on a course of conduct that indicates they intend to kill their neighbor, we say police should be able to intervene, instead of having to wait around till the crime is committed, and then charge Doe with murder.

Possessing of burglar’s tools is, therefore, a very specific kind of attempt crime. The premise behind this particular offense is, as the New York statute demonstrates, that if you are found in possession of tools specifically adapted for committing burglary (which is breaking into property for the purpose of committing a crime – theft, murder, arson, etc. – once inside) and if the circumstances inferentially indicate that it was your intent to use those tools, you can be arrested for possession of burglar’s tools. If you have gone far enough in your effort to commit burglary, you can also be charged with attempted burglary, but that’s a different matter. (To be charged with attempted burglary, you’re really going to have to have started doing something to get into the premises; to be charged with possession of burglar’s tools, you merely have to have the tools in a context that indicates it was your intention to use them, at some point.)

Possession of burglar’s tools statutes essentially define an attempt to attempt a crime. The law distinguishes between “mere preparation” (which is not an attempt – it’s conduct that’s so prefatory to any criminal activity that we can’t reasonably conclude you’ve embarked on a course of conduct leading to the commission of a crime) and “attempt (which is conduct – like being found outside a house, which is not yours and which you have no business being at, having broken out a window – that pretty clearly indicates you are getting ready to commit a crime). Possession of burglar’s tools makes “mere preparation” a crime and, in so doing, arguably criminalizes an attempt to attempt a crime.

Okay, that’s the rationale for outlawing possessing burglar’s tools. The rationale for outlawing the manufacture of burglar’s tools, as defined by statutes like the Connection one quoted above, is based on accomplice liability, not attempt. The premise here is that one who creates burglar’s tools is, in effect, an accomplice of those who use them. That is, by creating tools that can be used to commit burglary, I am aiding and abetting those who subsequently use those tools to do just that. The Connecticut statute (and, I think, other manufacture of burglar’s tools statutes) deviates from accomplice liability in one respect: As I’ve noted before, an accomplice stands in the shoes of the person who actually commits the crime, i.e., the accomplice is liable for the crime the perpetrator commits. So if someone aids and abets a murderer by, say, supplying him with the murder weapon, they will be held liable for the murder just as if they’d committed it.

But the Connecticut statute (and other, similar statutes in the U.S.) don’t go that far – they make manufacturing the burglar’s tools a misdemeanor. They do that essentially out of fairness: An accomplice is someone who knows that the perpetrator is going to commit a specific crime and, with that knowledge, purposely helps the perpetrator to succeed in doing so. When someone manufactures burglar’s tools, they know, at some level, what the tools can be used for, so they are in a very general sense aiding and abetting the crime of burglar. But since they don’t act with a specific purpose to aid and abet a specific crime, the law essentially gives them a break; they commit a distinct crime, one with smaller penalties.

So why, you ask, am I talking about burglar’s tools on a cybercrime blog? The reason is that someone asked me recently what we can do about malware – software that is up to no good. Malware is, as Wikipedia notes, a catch-all term for viruses, worms, Trojan horse programs, spyware, botnets, etc.

Should we simply follow the burglar’s tools approach and criminalize the possession and/or manufacture of malware?

As far as I can tell, the only U.S. jurisdiction to do so is Pennsylvania. Before I talk about what they do, let me know what the federal system and, it seems, the other states do: They all criminalize the use of malware; their focus is on the damage a virus, etc. does to a particular computer system. So these statutes are, in effect, burglary statutes, i.e., they criminalize the actual infliction of damage.

The Pennsylvania statute is captioned “distribution of computer virus” and here is what it says:

A person commits an offense if the person intentionally or knowingly sells, gives or otherwise distributes or possesses with the intent to sell, give or distribute computer software or a computer program that is designed or has the capability to:

(1) prevent, impede, control, delay or disrupt the normal operation or use of a computer, computer program, computer software, computer system, computer network, computer database, World Wide Web site or telecommunication device; or
(2) degrade, disable, damage or destroy the performance of a computer, computer program, computer software, computer system, computer network, computer database, World Wide Web site or telecommunication device or any combination thereof.

18 Pennsylvania Consolidated Statutes § 7616(a). The offense is a third-degree felony, so it’s more serious than possessing or manufacturing burglar’s tools, but probably less serious than actually using a virus.

As you may know, the Council of Europe’s Convention on Cybercrime does something similar, under the concept of “misuse of devices.” Article 6 of the Convention requires parties to the Convention to criminalize “the production, sale, procurement for use, import, distribution or otherwise making available of” a “device, including a computer program, designed or adapted primarily for the purpose of committing” crimes that encompass unauthorized access to computer systems, interfering with access to such systems and/or altering or damaging computer data.

Under Article 6, the production, sale, etc. must be “committed intentionally and without right”. The same Article requires parties to criminalize the possession of any of the above items with the intent that the item(s) be used to commit the crimes noted above. The Explanatory Report for the Convention explains that this provision “restricts its scope to cases where the devices are objectively designed, or adapted, primarily for the purpose of committing an offence” which will presumably “exclude dual-use devices.” Explanatory Report ¶ 73.

Is this a good idea? Possession of burglar’s tools statutes are sometimes challenged on the grounds that they are impermissibly vague – what is a burglar’s tool? – or are overly broad – encompass too many things. That hasn’t been a particular problem in the real, physical world (though one court threw out a conviction based on possessing a plastic bag, thank heavens), but isn’t software far more ambiguous than burglar’s tools? And what about ambiguity – the dual-use – notion? How can you tell when malware is just malware, nothing more?