Computer Crime Research Center


Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001

Date: October 15, 2003
Source: Computer Crime Research Center


... of a computer trespasser transmitted to, through, or
from a protected computer. Before monitoring can occur, however, four
requirements must be met. First, section 2511(2)(i)(I) requires that the
owner or operator of the protected computer must authorize the interception
of the trespasser’s communications. Second, section 2511(2)(i)(II)
requires that the person who intercepts the communication be lawfully
engaged in an ongoing investigation. Both criminal and intelligence investigations
qualify, but the authority to intercept ceases at the conclusion of the
investigation.


Third, section 2511(2)(i)(III) requires that the person acting under
color of law have reasonable grounds to believe that the contents of the
communication to be intercepted will be relevant to the ongoing investigation.
Fourth, section 2511(2)(i)(IV) requires that investigators intercept only
the communications sent or received by trespassers. Thus, this section
would only apply where the configuration of the computer system allows
the interception of communications to and from the trespasser, and not
the interception of non-consenting users authorized to use the computer.


Finally, section 217 of the Act amends section 2510 of title 18 to create
a definition of "computer trespasser." Such trespassers include
any person who accesses a protected computer (as defined in section 1030
of title 18) without authorization. In addition, the definition explicitly
excludes any person "known by the owner or operator of the protected
computer to have an existing contractual relationship with the owner or
operator for access to all or part of the computer." 18 U.S.C. §
2510(21). For example, certain Internet service providers do not allow
their customers to send bulk unsolicited e-mails (or "spam").
Customers who send spam would be in violation of the provider’s terms
of service, but would not qualify as trespassers – both because they
are authorized users and because they have an existing contractual relationship
with the provider. These provisions will sunset December 31, 2005.



Previous law: Section 2703(a) requires the government to use
a search warrant to compel a provider to disclose unopened e-mail less
than six months old. Because Rule 41 of the Federal Rules of Criminal
Procedure requires that the "property" to be obtained be "within
the district" of the issuing court, however, some courts have declined
to issue section 2703(a) warrants for e-mail located in other districts.
Unfortunately, this refusal has placed an enormous administrative burden
on those districts in which major ISPs are located, such as the Eastern
District of Virginia and the Northern District of California, even though
these districts may have no relationship with the criminal acts under
investigation. In addition, requiring investigators to obtain warrants
in distant jurisdictions has slowed time-sensitive investigations.


Amendment: Section 220 of the Act amends section 2703(a) of title
18 (and parallel provisions elsewhere in section 2703) to allow investigators
to use section 2703(a) warrants to compel records outside of the district
in which the court is located, just as they use federal grand jury subpoenas
and orders under section 2703(d). This change enables courts with jurisdiction
over investigations to compel evidence directly, without requiring the
intervention of agents, prosecutors, and judges in the districts where
major ISPs are located. This provision will sunset December 31, 2005.





Section 814 makes a number of changes to improve 18 U.S.C. § 1030,
the Computer Fraud and Abuse Act. This section increases penalties for
hackers who damage protected computers (from a maximum of 10 years to
a maximum of 20 years); clarifies the mens rea required for such
offenses to make explicit that a hacker need only intend damage, not a
particular type of damage; adds a new offense for damaging computers
used for national security or criminal justice; expands the coverage of
the statute to include computers in foreign countries so long as there
is an effect on U.S. interstate or foreign commerce; counts state convictions
as "prior offenses" for purposes of recidivist sentencing enhancements;
and allows losses to several computers from a hacker’s course of
conduct to be aggregated for purposes of meeting the $5,000 jurisdictional
threshold.



The following discussion analyzes these and other provisions in more
detail.



A. Section 1030(c) - Raising the maximum penalty for hackers that
damage protected computers and eliminating mandatory minimums


Previous law: Under previous law, first-time offenders who violate
section 1030(a)(5) could be punished by no more than five years’
imprisonment, while repeat offenders could receive up to ten years. Certain
offenders, however, can cause such severe damage to protected computers
that this five-year maximum did not adequately take into account the seriousness
of their crimes. For example, David Smith pled guilty to violating section
1030(a)(5) for releasing the "Melissa" virus that damaged thousands
of computers across the Internet. Although Smith agreed, as part of his
plea, that his conduct caused over $80,000,000 worth of loss (the maximum
dollar figure contained in the Sentencing Guidelines), experts estimate
that the real loss was as much as ten times that amount.


In addition, previous law set a mandatory sentencing guidelines minimum
of six months imprisonment for any violation of section 1030(a)(5), as
well as for violations of section 1030(a)(4) (accessing a protected computer
with the intent to defraud).


Amendment: Section 814 of the Act raises the maximum penalty
for damaging a protected computer to ten years for first
offenders, and twenty years for repeat offenders. 18 U.S.C. § 1030(c)(4).
Congress chose, however, to eliminate all mandatory minimum guidelines
sentencing for section 1030 violations.



B. Subsection 1030(c)(2)(C) and (e)(8) - Hackers need only intend to
cause damage, not a particular consequence or degree of damage


Previous law: Under previous law, in order to violate subsection
(a)(5)(A), an offender had to "intentionally [cause] damage without
authorization." Section 1030 defined "damage" as impairment
to the integrity or availability of data, a program, a system, or information
that (1) caused loss of at least $5,000; (2) modified or impaired medical
treatment; (3) caused physical injury; or (4) threatened public health
or safety.


The question repeatedly arose, however, whether an offender must intend
the $5,000 loss or other special harm, or whether a violation occurs if
the person intends only to damage the computer and that damage in fact ends
up causing the $5,000 loss or harming the individuals. It appears that
Congress never intended that the language contained in the definition
of "damage" would create additional elements of proof of the
actor’s mental state. Moreover, in most cases, it would be almost
impossible to prove this additional intent.


Amendment: Section 814 of the Act restructures the statute to
make clear that an individual need only intend to damage the computer
or the information on it, and not a specific dollar amount of loss or
other special harm. The amendments move these jurisdictional requirements
to 1030(a)(5)(B), explicitly making them elements of the offense, and
define "damage" to mean "any impairment to the integrity
or availability of data, a program, a system or information." 18
U.S.C. § 1030(e)(8) (emphasis supplied). Under this clarified structure,
in order for the government to prove a violation of 1030(a)(5), it must
show that the actor caused damage to a protected computer (with one of
the listed mental states), and that the actor’s conduct caused either
loss exceeding $5,000, impairment of medical records, harm to a person,
or threat to public safety. 18 U.S.C. §...



