Previous Politech coverage: "Congress works through weekend on anti-terrorism bill" http://www.politechbot.com/p-02587.html "Bush administration hopes to make computer crime a terrorist act" http://www.politechbot.com/p-02562.html ********** Date: Mon, 01 Oct 2001 13:46:05 -0500 To: declanat_private From: Peter Swire <pswireat_private> Subject: Computer hacking and jail for life Declan: Here is an update/clarification on the Ashcroft proposal and how it would apply to the Computer Fraud and Abuse Act, 18 U.S.C. 1030. It may be useful for your list. The bill would create the new category of "Federal terrorism offense." It repeals all statute of limitations for these offenses. Imprisonment for up to life, "notwithstanding any maximum term of imprisonment specified in the law describing the offense." In email I wrote last week, I mentioned that spam had been found to violate Section 1030(a)(2) and (a)(5)(c). Mark Lemley noted that sending a bot had been found to violate Section 1030, and it turns out to have been the same subsections. Importantly, the Ashcroft proposal does not apply to these subsections. However, the bill does apply to (a)(1), (a)(4), (a)(5)(A), and (a)(7). In terms of overbreadth and possible unintended consequences, I direct people's attention to (a)(4) and (a)(5)(A): 1030(a)(4) makes it a crime whoever "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." 1030(a)(5)(A) makes it a crime whoever "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer." Let me make absolutely clear that I am against fraud and against intentional damage to a computer. That said, these provisions are very broad and can apply to an enormous range of activity that is not "terrorist" activity. Here are some examples from a quick research of the case law of "Federal terrorist offenses" punishable with life in prison for violation of 1030 (a)(4): (1) U.S. v. Butler, 2001 WL 733424 (conviction for employees of a credit agency who tampered with credit histories of customers). (2) U.S. v. Bae, 250 F. 3d 774 (fraudulent procurement of lottery tickets). (3) U.S. v. Sadolsky, 234 F. 3d 938 (Sears manager fraudulently used the store's computers to steal money and pay off gambling debts). (4) U.S. v. Petersen, 98 F. 3d 502 (conviction for using computers to hack into a credit agency and do identity theft). (5) U.S. v. Sykes, 4 F. 3d (conviction for unauthorized use of automatic teller machine). (6) Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (held that the statute's "use of 'fraud' simply means wrongdoing and not proof of the common law elements of fraud"). As for 1030(a)(5)(A), here are some of the new terrorism offenses: (1) U.S. v. Sablan, 92 F.3d 865 (A former employee accessed her old account and claimed she accidentally deleted some files. Conviction upheld because government did not need to prove she intended to damage the employer's files.) (2) U.S. v. Morris, 928 F.2d 504 (In case involving surprisingly large damage from release of a computer worm, "we conclude that section 1030(a)(5)(A) does not require the Government to demonstrate that the defendant intentionally prevented authorized use and thereby caused loss.") (3) Shaw v. Toshiba America Information Systems, Inc., 91 F. Supp. 2d 926 ( "Specifically, does Title 18 U.S.C. § 1030(a)(5)(A) prohibit Defendants' design, manufacture, creation, distribution, sale, transmission, and marketing of floppy-diskette controllers ("FDC's") allegedly made faulty by defective microcode? Yes, it does.) Modest disclaimer -- there are more cases, and I read the above cases somewhat quickly. But everyone else can do the research, too, on how broadly these provisions sweep. Peter Prof. Peter P. Swire, Ohio State University Visiting, George Washington Law School, 2001-02 Former Chief Counselor for Privacy, U.S. Office of Management & Budget (301) 213-9587, www.osu.edu/units/law/swire.htm ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Oct 01 2001 - 12:08:09 PDT