FW: Policy Post 6.11: Senate Internet Crime Bill on a Fast Track

[William Knowles <wk () C4I ORG>]

Forwarded by: Marjorie Simmons <lawyer () usit net>

CDT POLICY POST Volume 6, Number 11 May 22, 2000

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) Senate Bill Would Make Federal Offenses of Minor Computer Abuses
(2) Assistance to Foreign Governments; Expanded forfeiture and Wiretap
Authority
(3) Other Provisions in S. 2448: Satellite Viewing; Notice and Opt-out; Spam
(4) Extending Pen Register Surveillance to the Internet
_______________________________________________________________

(1) SENATE BILL WOULD MAKE FEDERAL OFFENSES OF MINOR COMPUTER ABUSES

Legislation on a fast track in the Senate would make minor computer hacking
a federal felony, investigated by the FBI and the Secret Service. The bill
is S. 2448, the "Internet Integrity and Critical Infrastructure Protection
Act." It was introduced by Sen. Orrin Hatch (R-UT), chairman of the Senate
Judiciary Committee, and Sen. Charles Schumer (D-NY).

Procedural posture: The Senate Judiciary Committee had actually scheduled
the bill for a vote on May 18. That was put off one week, to Thursday,
May 25. The Committee is also considering holding a hearing on May 24 or
25, with a witness list at present heavily weighted with current and former
law enforcement officials.

S. 2448 was introduced before the recent "love bug" virus hit computers
worldwide, and has no relevance to that or other recent viruses and attacks,
all of which, including the Melissa virus and the denial of service attacks
in February, were already federal felonies, even when created and launched
from overseas.

The main effect of S. 2448's criminal provisions would be to extend federal
jurisdiction over minor computer abuses not previously thought serious
enough to merit federal resources. Currently, federal jurisdiction exists
for some computer crimes only if they result in at least ,000 of aggregate
damage or cause especially significant damage, such as any impairment of
medical records, or pose a threat to public safety. Any virus affecting more
than a few computers easily meets the ,000 threshold. S. 2448 would
eliminate the ,000 threshold.

Specifically, the bill would make it a felony to send any transmission
intending to cause damage or to intentionally access a computer and
recklessly cause damage, punishable for up to 3 years in prison, even if
the damage caused is negligible. In addition, the bill would make it a
misdemeanor to intentionally access any computer and cause damage, even
unintentional damage, again regardless of the extent of such damage. Also,
for certain hacking offenses, the maximum punishment would be doubled
from 5 years to 10 for first offenses.

Among the conduct that would become a federal crime under S. 2448:

*     a private sector employee snoops without authorization on a
      co-worker's computer and accidentally deletes a file or a message;

*     a teenage hacker modifies a friend's vanity Web page as a joke.

S. 2448 is available at
http://thomas.loc.gov/cgi-bin/query/z?c106:S.2448.IS:

CDT will be posting additional information about S. 2448 at our new
Cyber Security page, http://www.cdt.org/security/.


_______________________________________________________________

(2) S. 2448 AUTHORIZES ASSISTANCE TO FOREIGN GOVERNMENTS; EXPANDS
FORFEITURE AND WIRETAP AUTHORITY

Another part of S. 2448 permits the US Attorney General to provide
computer crime evidence to foreign law enforcement authorities "without
regard to whether the conduct investigated violates any Federal computer
crime law." It is unclear whether this expands the Justice Department's
investigative authority to investigate lawful conduct in the US at the
request of foreign governments.

Other criminal law sections of S. 2448 would --

*     amend the forfeiture law in ways that could result in seizure by
      the government of the house in which sat a computer used in
      hacking;

*     expand the authority of the US Secret Service to investigate
      computer crimes;

*     expand wiretap authority by making all computer crimes a predicate
      for wiretaps, a change that would be especially sweeping in light
      of the provisions extending the federal computer crime law to fairly
      insignificant criminal conduct.

________________________________________________________________

(3) OTHER PROVISIONS IN S. 2448: SATELLITE VIEWING; NOTICE AND
OPT-OUT; SPAM

S. 2448 contains several provisions that its sponsors labelled privacy
protections, although they would do little to advance privacy. The
bill would --

*     prohibit satellite TV service providers from disclosing information
      about their customers and their viewing habits unless the customers
      have affirmatively agreed ("opted-in") to such sharing. A large
      exception, however, allows disclosure to the government without
      notice and an opportunity to object, thereby giving satellite TV
      viewers less protection than existing federal law affords to cable
      TV subscribers.

*     require commercial Web sites to give visitors notice of data
      collection and sharing practices and the opportunity to opt-out.

*     make fraudulent access to personally identifiable information a
      crime - a provision that overlaps with current identity theft and
      fraud provisions in 18 USC sec. 1029, and that may also cover
      commercial collection of data.

*     make it a crime to send spam advertisement with falsified Internet
      domain name, header information, date or time stamp, originating
      email address, or other identifier.


_______________________________________________________________

(4) EXTENDING PEN REGISTER SURVEILLANCE TO THE INTERNET

If the Senate Judiciary Committee does take up S. 2448, it could serve as
the vehicle for other Internet crime and surveillance amendments. For
example, Sen. Schumer has introduced another bill that extends government
surveillance authority over the Internet in broad and ill-defined ways.

The second Schumer bill, S. 2092, focuses on pen registers, which collect
the numbers dialed on outgoing calls, and trap and trace devices, which
collect the phone numbers identifying incoming calls. These surveillance
devices have long been used by law enforcement in the plain old telephone
world. Because they are not supposed to identify the parties to a
communication nor whether the communication was even completed, the standard
for approval of a pen register is very low: the law provides that a judge
"shall" approve any request by the government that claims the information
sought is "relevant" to an investigation. This really says that the court
must rubber stamp any government request.

The pen register and trap and trace statute only applies to the numbers
dialed or otherwise transmitted on the telephone line to which the device
is attached. S. 2092 would extend the pen register and trap and trace
authority to all Internet traffic. It does so with very broad terminology,
stating that the pen register can collect "dialing, routing, addressing or
signaling information," without further definition.

S. 2092 also would give every federal pen register and trap and trace order
nationwide effect, without limit and without requiring the government to
make a showing of need, creating a sort of "roving pen register."

CDT's analysis of S. 2092 is at
http://www.cdt.org/security/000404amending.shtml
_____________________________________________________________

Detailed information about online civil liberties issues may be found at
http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_6.11.shtml.

Excerpts may be re-posted with prior permission of ari () cdt org

Policy Post 6.11 Copyright 2000 Center for Democracy and Technology
--
To subscribe to CDT's Activist Network, sign up at:
  http://www.cdt.org/join/

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".