IP: Computer hacking and jail for life

[David Farber <dave () farber net>]

> Date: Mon, 01 Oct 2001 13:47:40 -0500
> To: farber () cis upenn edu
> From: Peter Swire <pswire () law gwu edu>
> Subject: Computer hacking and jail for life
>
> David:
>
>         Here is an update/clarification on the Ashcroft proposal and how 
> it would apply to the Computer Fraud and Abuse Act, 18 U.S.C. 1030.  It 
> may be useful for your list.
>
>         The bill would create the new category of "Federal terrorism 
> offense."  It repeals all statute of limitations for these 
> offenses.  Imprisonment for up to life, "notwithstanding any maximum term 
> of imprisonment specified in the law describing the offense."
>
>         In email I wrote last week to another list, I mentioned that spam 
> had been found to violate Section 1030(a)(2) and (a)(5)(c).  Mark Lemley 
> noted that sending a bot had been found to violate Section 1030, and it 
> turns out to have been the same subsections.
>
>         Importantly, the Ashcroft proposal does not apply to these 
> subsections.
>
>         However, the bill does apply to (a)(1), (a)(4), (a)(5)(A), and 
> (a)(7).  In terms of overbreadth and possible unintended consequences, I 
> direct people's attention to (a)(4) and (a)(5)(A):
>
>         1030(a)(4) makes it a crime whoever "knowingly and with intent to 
> defraud, accesses a protected computer without authorization, or exceeds 
> authorized access, and by means of such conduct furthers the intended 
> fraud and obtains anything of value, unless the object of the fraud and 
> the thing obtained consists only of the use of the computer and the value 
> of such use is not more than $5,000 in any 1-year period."
>
>         1030(a)(5)(A) makes it a crime whoever "knowingly causes the 
> transmission of a program, information, code, or command, and  as a 
> result of such conduct, intentionally causes damage without 
> authorization, to a protected computer."
>
>         Let me make absolutely clear that I am against fraud and against 
> intentional damage to a computer.  That said, these provisions are very 
> broad and can apply to an enormous range of activity that is not 
> "terrorist" activity.  Here are some examples from a quick research of 
> the case law of "Federal terrorist offenses" punishable with life in 
> prison for violation of 1030 (a)(4):
>
>         (1) U.S. v. Butler, 2001 WL 733424 (conviction for employees of a 
> credit agency who tampered with credit histories of customers).
>
>         (2) U.S. v. Bae, 250 F. 3d 774 (fraudulent procurement of lottery 
> tickets).
>
>         (3) U.S. v. Sadolsky, 234 F. 3d 938 (Sears manager fraudulently 
> used the store's computers to steal money and pay off gambling debts).
>
>         (4) U.S. v. Petersen, 98 F. 3d 502 (conviction for using 
> computers to hack into a credit agency and do identity theft).
>
>         (5) U.S. v. Sykes, 4 F. 3d (conviction for unauthorized use of 
> automatic teller machine).
>
>         (6) Shurgard Storage Centers, Inc. v. Safeguard Self Storage, 
> Inc., 119 F. Supp. 2d 1121 (held that the statute's "use of 'fraud' 
> simply means wrongdoing and not proof of the common law elements of fraud").
>
>         As for 1030(a)(5)(A), here are some of the new terrorism offenses:
>
>         (1)  U.S. v. Sablan, 92 F.3d 865 (A former employee accessed her 
> old account and claimed she accidentally deleted some files.  Conviction 
> upheld because government did not need to prove she intended to damage 
> the employer's files.)
>
>         (2) U.S. v. Morris, 928 F.2d 504 (In case involving surprisingly 
> large damage from release of a computer worm, "we conclude that section 
> 1030(a)(5)(A) does not require the Government to demonstrate that the 
> defendant intentionally prevented authorized use and thereby caused loss.")
>
>         (3) Shaw v. Toshiba America Information Systems, Inc., 91 F. 
> Supp. 2d 926 ( "Specifically, does Title 18 U.S.C. § 1030(a)(5)(A) 
> prohibit Defendants' design, manufacture, creation, distribution, sale, 
> transmission, and marketing of floppy-diskette controllers ("FDC's") 
> allegedly made faulty by defective microcode? Yes, it does.)
>
>         Modest disclaimer -- there are more cases, and I read the above 
> cases somewhat quickly.  But everyone else can do the research, too, on 
> how broadly these provisions sweep.
>
>         Peter
>
> Prof. Peter P. Swire, Ohio State University
> Visiting, George Washington Law School, 2001-02
> Former Chief Counselor for Privacy, U.S. Office
>    of Management & Budget
> (301) 213-9587, www.osu.edu/units/law/swire.htm



For archives see: http://www.interesting-people.org/