Good Grief!
CDT POLICY POST Volume 6, Number 11 May 22, 2000
A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY
CONTENTS:
(1) Senate Bill Would Make Federal Offenses of Minor Computer Abuses
(2) Assistance to Foreign Governments; Expanded forfeiture and Wiretap
Authority
(3) Other Provisions in S. 2448: Satellite Viewing; Notice and Opt-out; Spam
(4) Extending Pen Register Surveillance to the Internet
________________________________________________________________
(1) SENATE BILL WOULD MAKE FEDERAL OFFENSES OF MINOR COMPUTER ABUSES
Legislation on a fast track in the Senate would make minor computer hacking
a federal felony, investigated by the FBI and the Secret Service. The bill
is S. 2448, the "Internet Integrity and Critical Infrastructure Protection
Act." It was introduced by Sen. Orrin Hatch (R-UT), chairman of the Senate
Judiciary Committee, and Sen. Charles Schumer (D-NY).
Procedural posture: The Senate Judiciary Committee had actually scheduled
the bill for a vote on May 18. That was put off one week, to Thursday,
May 25. The Committee is also considering holding a hearing on May 24 or
25, with a witness list at present heavily weighted with current and former
law enforcement officials.
S. 2448 was introduced before the recent "love bug" virus hit computers
worldwide, and has no relevance to that or other recent viruses and attacks,
all of which, including the Melissa virus and the denial of service attacks
in February, were already federal felonies, even when created and launched
from overseas.
The main effect of S. 2448's criminal provisions would be to extend federal
jurisdiction over minor computer abuses not previously thought serious
enough to merit federal resources. Currently, federal jurisdiction exists
for some computer crimes only if they result in at least $5,000 of aggregate
damage or cause especially significant damage, such as any impairment of
medical records, or pose a threat to public safety. Any virus affecting more
than a few computers easily meets the $5,000 threshold. S. 2448 would
eliminate the $5,000 threshold.
Specifically, the bill would make it a felony to send any transmission
intending to cause damage or to intentionally access a computer and
recklessly cause damage, punishable for up to 3 years in prison, even if
the damage caused is negligible. In addition, the bill would make it a
misdemeanor to intentionally access any computer and cause damage, even
unintentional damage, again regardless of the extent of such damage. Also,
for certain hacking offenses, the maximum punishment would be doubled
from 5 years to 10 for first offenses.
Among the conduct that would become a federal crime under S. 2448:
* a private sector employee snoops without authorization on a
co-worker's computer and accidentally deletes a file or a message;
* a teenage hacker modifies a friend's vanity Web page as a joke.
S. 2448 is available at
thomas.loc.gov
CDT will be posting additional information about S. 2448 at our new
Cyber Security page, cdt.org.
_______________________________________________________________
(2) S. 2448 AUTHORIZES ASSISTANCE TO FOREIGN GOVERNMENTS; EXPANDS
FORFEITURE AND WIRETAP AUTHORITY
Another part of S. 2448 permits the US Attorney General to provide
computer crime evidence to foreign law enforcement authorities "without
regard to whether the conduct investigated violates any Federal computer
crime law." It is unclear whether this expands the Justice Department's
investigative authority to investigate lawful conduct in the US at the
request of foreign governments.
Other criminal law sections of S. 2448 would --
* amend the forfeiture law in ways that could result in seizure by
the government of the house in which sat a computer used in
hacking;
* expand the authority of the US Secret Service to investigate
computer crimes;
* expand wiretap authority by making all computer crimes a predicate
for wiretaps, a change that would be especially sweeping in light
of the provisions extending the federal computer crime law to fairly
insignificant criminal conduct.
________________________________________________________________
(3) OTHER PROVISIONS IN S. 2448: SATELLITE VIEWING; NOTICE AND
OPT-OUT; SPAM
S. 2448 contains several provisions that its sponsors labelled privacy
protections, although they would do little to advance privacy. The
bill would --
* prohibit satellite TV service providers from disclosing information
about their customers and their viewing habits unless the customers
have affirmatively agreed ("opted-in") to such sharing. A large
exception, however, allows disclosure to the government without
notice and an opportunity to object, thereby giving satellite TV
viewers less protection than existing federal law affords to cable
TV subscribers.
* require commercial Web sites to give visitors notice of data
collection and sharing practices and the opportunity to opt-out.
* make fraudulent access to personally identifiable information a
crime - a provision that overlaps with current identity theft and
fraud provisions in 18 USC sec. 1029, and that may also cover
commercial collection of data.
* make it a crime to send spam advertisement with falsified Internet
domain name, header information, date or time stamp, originating
email address, or other identifier.
_______________________________________________________________
(4) EXTENDING PEN REGISTER SURVEILLANCE TO THE INTERNET
If the Senate Judiciary Committee does take up S. 2448, it could serve as
the vehicle for other Internet crime and surveillance amendments. For
example, Sen. Schumer has introduced another bill that extends government
surveillance authority over the Internet in broad and ill-defined ways.
The second Schumer bill, S. 2092, focuses on pen registers, which collect
the numbers dialed on outgoing calls, and trap and trace devices, which
collect the phone numbers identifying incoming calls. These surveillance
devices have long been used by law enforcement in the plain old telephone
world. Because they are not supposed to identify the parties to a
communication nor whether the communication was even completed, the standard
for approval of a pen register is very low: the law provides that a judge
"shall" approve any request by the government that claims the information
sought is "relevant" to an investigation. This really says that the court
must rubber stamp any government request.
The pen register and trap and trace statute only applies to the numbers
dialed or otherwise transmitted on the telephone line to which the device
is attached. S. 2092 would extend the pen register and trap and trace
authority to all Internet traffic. It does so with very broad terminology,
stating that the pen register can collect "dialing, routing, addressing or
signaling information," without further definition.
S. 2092 also would give every federal pen register and trap and trace order
nationwide effect, without limit and without requiring the government to
make a showing of need, creating a sort of "roving pen register."
CDT's analysis of S. 2092 is at
cdt.org
_____________________________________________________________
Detailed information about online civil liberties issues may be found at
cdt.org.
This document may be redistributed freely in full or linked to
cdt.org.
Excerpts may be re-posted with prior permission of ari@cdt.org
Policy Post 6.11 Copyright 2000 Center for Democracy and Technology
---------------------------------------
CDT Policy Post Subscription Information
To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org In
the BODY of the message type "subscribe policy-posts" without the quotes.
To unsubscribe from CDT's Policy Post list, send mail to majordomo@cdt.org
In the BODY of the message type "unsubscribe policy-posts" without
the quotes.
Detailed information about online civil liberties issues may be found at
cdt.org |
