FC: Peter Swire on ATA bill, computer hacking, and life in prison

From: Declan McCullagh (declanat_private)
Date: Mon Oct 01 2001 - 11:49:36 PDT


    Previous Politech coverage:
    
    "Congress works through weekend on anti-terrorism bill"
    http://www.politechbot.com/p-02587.html
    
    "Bush administration hopes to make computer crime a terrorist act"
    http://www.politechbot.com/p-02562.html
    
    **********
    
    Date: Mon, 01 Oct 2001 13:46:05 -0500
    To: declanat_private
    From: Peter Swire <pswireat_private>
    Subject: Computer hacking and jail for life
    
    Declan:
    
             Here is an update/clarification on the Ashcroft proposal and how 
    it would apply to the Computer Fraud and Abuse Act, 18 U.S.C. 1030.  It may 
    be useful for your list.
    
             The bill would create the new category of "Federal terrorism 
    offense."  It repeals all statute of limitations for these 
    offenses.  Imprisonment for up to life, "notwithstanding any maximum term 
    of imprisonment specified in the law describing the offense."
    
             In email I wrote last week, I mentioned that spam had been found 
    to violate Section 1030(a)(2) and (a)(5)(c).  Mark Lemley noted that 
    sending a bot had been found to violate Section 1030, and it turns out to 
    have been the same subsections.
    
             Importantly, the Ashcroft proposal does not apply to these 
    subsections.
    
             However, the bill does apply to (a)(1), (a)(4), (a)(5)(A), and 
    (a)(7).  In terms of overbreadth and possible unintended consequences, I 
    direct people's attention to (a)(4) and (a)(5)(A):
    
             1030(a)(4) makes it a crime whoever "knowingly and with intent to 
    defraud, accesses a protected computer without authorization, or exceeds 
    authorized access, and by means of such conduct furthers the intended fraud 
    and obtains anything of value, unless the object of the fraud and the thing 
    obtained consists only of the use of the computer and the value of such use 
    is not more than $5,000 in any 1-year period."
    
             1030(a)(5)(A) makes it a crime whoever "knowingly causes the 
    transmission of a program, information, code, or command, and as a result 
    of such conduct, intentionally causes damage without authorization, to a 
    protected computer."
    
             Let me make absolutely clear that I am against fraud and against 
    intentional damage to a computer.  That said, these provisions are very 
    broad and can apply to an enormous range of activity that is not 
    "terrorist" activity.  Here are some examples from a quick research of the 
    case law of "Federal terrorist offenses" punishable with life in prison for 
    violation of 1030 (a)(4):
    
             (1) U.S. v. Butler, 2001 WL 733424 (conviction for employees of a 
    credit agency who tampered with credit histories of customers).
    
             (2) U.S. v. Bae, 250 F. 3d 774 (fraudulent procurement of lottery 
    tickets).
    
             (3) U.S. v. Sadolsky, 234 F. 3d 938 (Sears manager fraudulently 
    used the store's computers to steal money and pay off gambling debts).
    
             (4) U.S. v. Petersen, 98 F. 3d 502 (conviction for using computers 
    to hack into a credit agency and do identity theft).
    
             (5) U.S. v. Sykes, 4 F. 3d (conviction for unauthorized use of 
    automatic teller machine).
    
             (6) Shurgard Storage Centers, Inc. v. Safeguard Self Storage, 
    Inc., 119 F. Supp. 2d 1121 (held that the statute's "use of 'fraud' simply 
    means wrongdoing and not proof of the common law elements of fraud").
    
             As for 1030(a)(5)(A), here are some of the new terrorism offenses:
    
             (1)  U.S. v. Sablan, 92 F.3d 865 (A former employee accessed her 
    old account and claimed she accidentally deleted some files.  Conviction 
    upheld because government did not need to prove she intended to damage the 
    employer's files.)
    
             (2) U.S. v. Morris, 928 F.2d 504 (In case involving surprisingly 
    large damage from release of a computer worm, "we conclude that section 
    1030(a)(5)(A) does not require the Government to demonstrate that the 
    defendant intentionally prevented authorized use and thereby caused loss.")
    
             (3) Shaw v. Toshiba America Information Systems, Inc., 91 F. Supp. 
    2d 926 ("Specifically, does Title 18 U.S.C. § 1030(a)(5)(A) prohibit 
    Defendants' design, manufacture, creation, distribution, sale, 
    transmission, and marketing of floppy-diskette controllers ("FDC's") 
    allegedly made faulty by defective microcode? Yes, it does.")
    
             Modest disclaimer -- there are more cases, and I read the above 
    cases somewhat quickly.  But everyone else can do the research, too, on how 
    broadly these provisions sweep.
    
             Peter
    
    Prof. Peter P. Swire, Ohio State University
    Visiting, George Washington Law School, 2001-02
    Former Chief Counselor for Privacy, U.S. Office
        of Management & Budget
    (301) 213-9587, www.osu.edu/units/law/swire.htm
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    


