------------------------------------------------------------------------
* Date: Mon, 01 Oct 2001 14:49:36 -0400
* To: politech@politechbot.com
* Subject: FC: Peter Swire on ATA bill, computer hacking, and life in
prison
* From: Declan McCullagh <declan@well.com>
* Cc: pswire@law.gwu.edu
------------------------------------------------------------------------
Previous Politech coverage:
"Congress works through weekend on anti-terrorism bill"
http://www.politechbot.com/p-02587.html
"Bush administration hopes to make computer crime a terrorist act"
http://www.politechbot.com/p-02562.html
**********
Date: Mon, 01 Oct 2001 13:46:05 -0500
To: declan@well.org
From: Peter Swire <pswire@law.gwu.edu>
Subject: Computer hacking and jail for life
Declan:
Here is an update/clarification on the Ashcroft proposal and how
it would apply to the Computer Fraud and Abuse Act, 18 U.S.C. 1030. It may
be useful for your list.
The bill would create the new category of "Federal terrorism
offense." It repeals all statute of limitations for these
offenses. Imprisonment for up to life, "notwithstanding any maximum term
of imprisonment specified in the law describing the offense."
In email I wrote last week, I mentioned that spam had been found
to violate Section 1030(a)(2) and (a)(5)(c). Mark Lemley noted that
sending a bot had been found to violate Section 1030, and it turns out to
have been the same subsections.
Importantly, the Ashcroft proposal does not apply to these
subsections.
However, the bill does apply to (a)(1), (a)(4), (a)(5)(A), and
(a)(7). In terms of overbreadth and possible unintended consequences, I
direct people's attention to (a)(4) and (a)(5)(A):
1030(a)(4) makes it a crime whoever "knowingly and with intent to
defraud, accesses a protected computer without authorization, or exceeds
authorized access, and by means of such conduct furthers the intended fraud
and obtains anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value of such use
is not more than $5,000 in any 1-year period."
1030(a)(5)(A) makes it a crime whoever "knowingly causes the
transmission of a program, information, code, or command, and as a result
of such conduct, intentionally causes damage without authorization, to a
protected computer."
Let me make absolutely clear that I am against fraud and against
intentional damage to a computer. That said, these provisions are very
broad and can apply to an enormous range of activity that is not
"terrorist" activity. Here are some examples from a quick research of the
case law of "Federal terrorist offenses" punishable with life in prison for
violation of 1030 (a)(4):
(1) U.S. v. Butler, 2001 WL 733424 (conviction for employees of a
credit agency who tampered with credit histories of customers).
(2) U.S. v. Bae, 250 F. 3d 774 (fraudulent procurement of lottery
tickets).
(3) U.S. v. Sadolsky, 234 F. 3d 938 (Sears manager fraudulently
used the store's computers to steal money and pay off gambling debts).
(4) U.S. v. Petersen, 98 F. 3d 502 (conviction for using computers
to hack into a credit agency and do identity theft).
(5) U.S. v. Sykes, 4 F. 3d (conviction for unauthorized use of
automatic teller machine).
(6) Shurgard Storage Centers, Inc. v. Safeguard Self Storage,
Inc., 119 F. Supp. 2d 1121 (held that the statute's "use of 'fraud' simply
means wrongdoing and not proof of the common law elements of fraud").
As for 1030(a)(5)(A), here are some of the new terrorism offenses:
(1) U.S. v. Sablan, 92 F.3d 865 (A former employee accessed her
old account and claimed she accidentally deleted some files. Conviction
upheld because government did not need to prove she intended to damage the
employer's files.)
(2) U.S. v. Morris, 928 F.2d 504 (In case involving surprisingly
large damage from release of a computer worm, "we conclude that section
1030(a)(5)(A) does not require the Government to demonstrate that the
defendant intentionally prevented authorized use and thereby caused loss.")
(3) Shaw v. Toshiba America Information Systems, Inc., 91 F. Supp.
2d 926 ( "Specifically, does Title 18 U.S.C. § 1030(a)(5)(A) prohibit
Defendants' design, manufacture, creation, distribution, sale,
transmission, and marketing of floppy-diskette controllers ("FDC's")
allegedly made faulty by defective microcode? Yes, it does.)
Modest disclaimer -- there are more cases, and I read the above
cases somewhat quickly. But everyone else can do the research, too, on how
broadly these provisions sweep.
Peter
Prof. Peter P. Swire, Ohio State University
Visiting, George Washington Law School, 2001-02
Former Chief Counselor for Privacy, U.S. Office
of Management & Budget
(301) 213-9587, www.osu.edu/units/law/swire.htm
-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
Credits
-- UnKnown --
|