Politech is the oldest Internet resource devoted to politics and technology. Launched in 1994 by Declan McCullagh, the mailing list has chronicled the growing intersection of culture, technology, politics, and law. Since 2000, so has the Politech web site.

Peter Swire on ATA bill, computer hacking, and life in prison



Previous Politech coverage:

"Congress works through weekend on anti-terrorism bill"
http://www.politechbot.com/p-02587.html

"Bush administration hopes to make computer crime a terrorist act"
http://www.politechbot.com/p-02562.html

**********

Date: Mon, 01 Oct 2001 13:46:05 -0500
To: declan@well.org
From: Peter Swire <pswire@law.gwu.edu>
Subject: Computer hacking and jail for life

Declan:

         Here is an update/clarification on the Ashcroft proposal and how 
it would apply to the Computer Fraud and Abuse Act, 18 U.S.C. 1030.  It may 
be useful for your list.

         The bill would create the new category of "Federal terrorism 
offense."  It repeals all statutes of limitations for these 
offenses.  Imprisonment for up to life, "notwithstanding any maximum term 
of imprisonment specified in the law describing the offense."

         In email I wrote last week, I mentioned that spam had been found 
to violate Section 1030(a)(2) and (a)(5)(c).  Mark Lemley noted that 
sending a bot had been found to violate Section 1030, and it turns out to 
have been the same subsections.

         Importantly, the Ashcroft proposal does not apply to these 
subsections.

         However, the bill does apply to (a)(1), (a)(4), (a)(5)(A), and 
(a)(7).  In terms of overbreadth and possible unintended consequences, I 
direct people's attention to (a)(4) and (a)(5)(A):

         1030(a)(4) makes it a crime whoever "knowingly and with intent to 
defraud, accesses a protected computer without authorization, or exceeds 
authorized access, and by means of such conduct furthers the intended fraud 
and obtains anything of value, unless the object of the fraud and the thing 
obtained consists only of the use of the computer and the value of such use 
is not more than $5,000 in any 1-year period."

         1030(a)(5)(A) makes it a crime whoever "knowingly causes the 
transmission of a program, information, code, or command, and as a result 
of such conduct, intentionally causes damage without authorization, to a 
protected computer."

         Let me make absolutely clear that I am against fraud and against 
intentional damage to a computer.  That said, these provisions are very 
broad and can apply to an enormous range of activity that is not 
"terrorist" activity.  Here are some examples from a quick research of the 
case law of "Federal terrorist offenses" punishable with life in prison for 
violation of 1030 (a)(4):

         (1) U.S. v. Butler, 2001 WL 733424 (conviction for employees of a 
credit agency who tampered with credit histories of customers).

         (2) U.S. v. Bae, 250 F. 3d 774 (fraudulent procurement of lottery 
tickets).

         (3) U.S. v. Sadolsky, 234 F. 3d 938 (Sears manager fraudulently 
used the store's computers to steal money and pay off gambling debts).

         (4) U.S. v. Petersen, 98 F. 3d 502 (conviction for using computers 
to hack into a credit agency and do identity theft).

         (5) U.S. v. Sykes, 4 F. 3d (conviction for unauthorized use of 
automatic teller machine).

         (6) Shurgard Storage Centers, Inc. v. Safeguard Self Storage, 
Inc., 119 F. Supp. 2d 1121 (held that the statute's "use of 'fraud' simply 
means wrongdoing and not proof of the common law elements of fraud").

         As for 1030(a)(5)(A), here are some of the new terrorism offenses:

         (1)  U.S. v. Sablan, 92 F.3d 865 (A former employee accessed her 
old account and claimed she accidentally deleted some files.  Conviction 
upheld because government did not need to prove she intended to damage the 
employer's files.)

         (2) U.S. v. Morris, 928 F.2d 504 (In case involving surprisingly 
large damage from release of a computer worm, "we conclude that section 
1030(a)(5)(A) does not require the Government to demonstrate that the 
defendant intentionally prevented authorized use and thereby caused loss.")

         (3) Shaw v. Toshiba America Information Systems, Inc., 91 F. Supp. 
2d 926 ("Specifically, does Title 18 U.S.C. § 1030(a)(5)(A) prohibit 
Defendants' design, manufacture, creation, distribution, sale, 
transmission, and marketing of floppy-diskette controllers ("FDC's") 
allegedly made faulty by defective microcode? Yes, it does.")

         Modest disclaimer -- there are more cases, and I read the above 
cases somewhat quickly.  But everyone else can do the research, too, on how 
broadly these provisions sweep.

         Peter

Prof. Peter P. Swire, Ohio State University
Visiting, George Washington Law School, 2001-02
Former Chief Counselor for Privacy, U.S. Office
    of Management & Budget
(301) 213-9587, www.osu.edu/units/law/swire.htm




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------