Information Security News mailing list archives
FW: Policy Post 6.11: Senate Internet Crime Bill on a Fast Track
From: William Knowles <wk () C4I ORG>
Date: Wed, 24 May 2000 22:07:09 -0500
Forwarded by: Marjorie Simmons <lawyer () usit net> CDT POLICY POST Volume 6, Number 11 May 22, 2000 A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE from THE CENTER FOR DEMOCRACY AND TECHNOLOGY CONTENTS: (1) Senate Bill Would Make Federal Offenses of Minor Computer Abuses (2) Assistance to Foreign Governments; Expanded forfeiture and Wiretap Authority (3) Other Provisions in S. 2448: Satellite Viewing; Notice and Opt-out; Spam (4) Extending Pen Register Surveillance to the Internet _______________________________________________________________ (1) SENATE BILL WOULD MAKE FEDERAL OFFENSES OF MINOR COMPUTER ABUSES Legislation on a fast track in the Senate would make minor computer hacking a federal felony, investigated by the FBI and the Secret Service. The bill is S. 2448, the "Internet Integrity and Critical Infrastructure Protection Act." It was introduced by Sen. Orrin Hatch (R-UT), chairman of the Senate Judiciary Committee, and Sen. Charles Schumer (D-NY). Procedural posture: The Senate Judiciary Committee had actually scheduled the bill for a vote on May 18. That was put off one week, to Thursday, May 25. The Committee is also considering holding a hearing on May 24 or 25, with a witness list at present heavily weighted with current and former law enforcement officials. S. 2448 was introduced before the recent "love bug" virus hit computers worldwide, and has no relevance to that or other recent viruses and attacks, all of which, including the Melissa virus and the denial of service attacks in February, were already federal felonies, even when created and launched from overseas. The main effect of S. 2448's criminal provisions would be to extend federal jurisdiction over minor computer abuses not previously thought serious enough to merit federal resources. Currently, federal jurisdiction exists for some computer crimes only if they result in at least ,000 of aggregate damage or cause especially significant damage, such as any impairment of medical records, or pose a threat to public safety. Any virus affecting more than a few computers easily meets the ,000 threshold. S. 2448 would eliminate the ,000 threshold. Specifically, the bill would make it a felony to send any transmission intending to cause damage or to intentionally access a computer and recklessly cause damage, punishable for up to 3 years in prison, even if the damage caused is negligible. In addition, the bill would make it a misdemeanor to intentionally access any computer and cause damage, even unintentional damage, again regardless of the extent of such damage. Also, for certain hacking offenses, the maximum punishment would be doubled from 5 years to 10 for first offenses. Among the conduct that would become a federal crime under S. 2448: * a private sector employee snoops without authorization on a co-worker's computer and accidentally deletes a file or a message; * a teenage hacker modifies a friend's vanity Web page as a joke. S. 2448 is available at http://thomas.loc.gov/cgi-bin/query/z?c106:S.2448.IS: CDT will be posting additional information about S. 2448 at our new Cyber Security page, http://www.cdt.org/security/. _______________________________________________________________ (2) S. 2448 AUTHORIZES ASSISTANCE TO FOREIGN GOVERNMENTS; EXPANDS FORFEITURE AND WIRETAP AUTHORITY Another part of S. 2448 permits the US Attorney General to provide computer crime evidence to foreign law enforcement authorities "without regard to whether the conduct investigated violates any Federal computer crime law." It is unclear whether this expands the Justice Department's investigative authority to investigate lawful conduct in the US at the request of foreign governments. Other criminal law sections of S. 2448 would -- * amend the forfeiture law in ways that could result in seizure by the government of the house in which sat a computer used in hacking; * expand the authority of the US Secret Service to investigate computer crimes; * expand wiretap authority by making all computer crimes a predicate for wiretaps, a change that would be especially sweeping in light of the provisions extending the federal computer crime law to fairly insignificant criminal conduct. ________________________________________________________________ (3) OTHER PROVISIONS IN S. 2448: SATELLITE VIEWING; NOTICE AND OPT-OUT; SPAM S. 2448 contains several provisions that its sponsors labelled privacy protections, although they would do little to advance privacy. The bill would -- * prohibit satellite TV service providers from disclosing information about their customers and their viewing habits unless the customers have affirmatively agreed ("opted-in") to such sharing. A large exception, however, allows disclosure to the government without notice and an opportunity to object, thereby giving satellite TV viewers less protection than existing federal law affords to cable TV subscribers. * require commercial Web sites to give visitors notice of data collection and sharing practices and the opportunity to opt-out. * make fraudulent access to personally identifiable information a crime - a provision that overlaps with current identity theft and fraud provisions in 18 USC sec. 1029, and that may also cover commercial collection of data. * make it a crime to send spam advertisement with falsified Internet domain name, header information, date or time stamp, originating email address, or other identifier. _______________________________________________________________ (4) EXTENDING PEN REGISTER SURVEILLANCE TO THE INTERNET If the Senate Judiciary Committee does take up S. 2448, it could serve as the vehicle for other Internet crime and surveillance amendments. For example, Sen. Schumer has introduced another bill that extends government surveillance authority over the Internet in broad and ill-defined ways. The second Schumer bill, S. 2092, focuses on pen registers, which collect the numbers dialed on outgoing calls, and trap and trace devices, which collect the phone numbers identifying incoming calls. These surveillance devices have long been used by law enforcement in the plain old telephone world. Because they are not supposed to identify the parties to a communication nor whether the communication was even completed, the standard for approval of a pen register is very low: the law provides that a judge "shall" approve any request by the government that claims the information sought is "relevant" to an investigation. This really says that the court must rubber stamp any government request. The pen register and trap and trace statute only applies to the numbers dialed or otherwise transmitted on the telephone line to which the device is attached. S. 2092 would extend the pen register and trap and trace authority to all Internet traffic. It does so with very broad terminology, stating that the pen register can collect "dialing, routing, addressing or signaling information," without further definition. S. 2092 also would give every federal pen register and trap and trace order nationwide effect, without limit and without requiring the government to make a showing of need, creating a sort of "roving pen register." CDT's analysis of S. 2092 is at http://www.cdt.org/security/000404amending.shtml _____________________________________________________________ Detailed information about online civil liberties issues may be found at http://www.cdt.org/. This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_6.11.shtml. Excerpts may be re-posted with prior permission of ari () cdt org Policy Post 6.11 Copyright 2000 Center for Democracy and Technology -- To subscribe to CDT's Activist Network, sign up at: http://www.cdt.org/join/ ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- FW: Policy Post 6.11: Senate Internet Crime Bill on a Fast Track William Knowles (May 24)