Security and Privacy

October 4, 2000

CDT Analysis of Proposed Changes to the Computer Fraud and Abuse Act contained in
S.3083, the Enhancement of Privacy and Public Safety in Cyberspace Act


I. Background

S. 3083 is the Clinton Administration's computer crime bill. It was introduced 9/20/00 by Sen. Patrick Leahy (D-VT) "by request," which means that the sponsor does not support everything in the bill, but is introducing it as an accommodation to the Administration.

The bill's declared purpose is "To enhance privacy and the protection of the public in the use of computers and the Internet, and for other purposes." According to the Proposed Legislative History that accompanies the bill, it would update the relevant statutes -- the Computer Fraud and Abuse Act (CFAA), the Wiretap Act, and the Cable Act -- to create "a legal structure that will support detection and successful prosecution of offenders" in cyberspace. Particular problems mentioned by the Proposed Legislative History are a) child pornography transmission, b) commission of crimes using encryption, c) attacks on financial computers, d) illegal access to consumers' personal and credit information, e) use of the Internet to commit "large-scale" fraud globally, and f) terrorists' using the Internet to communicate threats over the Internet.

Most of the proposed amendments, however, do not address these substantive offenses directly. Instead, the substantive focus of the bill is illegal computer intrusion and vandalism -- the bill aims to beef up the Computer Fraud and Abuse Act (18 USC 1030), both in its scope and in the severity of its sanctions.

This analysis focuses primarily on the Administration's proposed changes to the CFAA. Apart from the CFAA changes, the Administration bill focuses on electronic surveillance issues -- primarily by standardizing wiretap, pen register, and other information-gathering procedures for all types of communications, and by making the standards apply uniformly regardless of how the communications are transmitted. (E.g., e-mail may be sent through telephone-based, cable-based, or wireless-based Internet access, but the standards for court-ordered retrieval of e-mail by law enforcement would be largely the same, under this bill.) CDT has a separate memo addressing these issues. See "Amending the Pen Register and Trap and Trace Statute in Response to Recent Internet Denial of Service Attacks -- and to Establish Meaningful Privacy Protection" (April 4, 2000).


II. Overview of CDT Concerns with Proposed Amendments to the CFAA

Although this is not a complete list of problems we find with the proposed amendments to the Computer Fraud and Abuse Act, we see the following ten issues as significant enough to raise strong questions as to the wisdom of going forward with the proposed amendments in the form suggested by the Administration.

The major criticisms are:

  1. The Administration's proposed amendments do not remedy constitutional problems with the CFAA, but instead amplify them. The scope of "protected computers" is very broad already, and the amendments, by removing the $5000 jurisdictional threshold, would make the statute even more overbroad. Constitutionally, there is no general federal jurisdiction to address every computer intrusion that results in an injury or a threat to the public welfare, yet that is what the bill would cover.

  2. The proposed amendments would have the effect of federalizing crimes that are already covered by state law. The removal of the $5000 threshold for federal jurisdiction gives federal law enforcement agencies jurisdiction in what otherwise would be solely state crimes.

  3. Upping the penalty for certain kinds of first-time offenders seems aimed at helping prosecutors pressure defendants for plea agreements, rather than at advancing a significant policy or justice interest.

  4. The amendments would expand the Secret Service's role in investigating computer-crimes, and, due to the extensive scope of the statute, would transmute the Secret Service into a more general-purpose federal law enforcement agency. This expansion of the Secret Service's traditionally precisely defined and constrained role is not addressed in the Proposed Legislative History, yet it clearly presents Congress with an important policy choice.

  5. The definition of "protected computer," already unconstitutional in its breadth, is expanded to include foreign computers used or abused in wholly foreign contexts, with little or no nexus to American jurisdiction or interests.

  6. The statute allows any juvenile offense under the statute to count toward a massive escalation of prison sentences for adults, even if the adult offense is also a minor one. In doing so, it blurs the difference between the handling of juvenile offenders and the handling of adult offenders in the federal system in ways that do not clearly advance a valid governmental purpose.

  7. The statute also attempts to classify prior state law computer offenses as "offenses under this section" -- in effect subverting the plain meaning of the phrase "offenses under this section." Once again, this is not justified in the Proposed Legislative History, and does not clearly advance any valid governmental purpose.

  8. The new definition of "loss" in the proposed CFAA amendments provides victims with incentives to overstate their damages claims so as to obtain federal jurisdiction -- a kind of criminal law forum-shopping.

  9. The statute does not address the need for the Departments of the Treasury and Justice to report to Congress and to the public more clearly in a published written report about the extent of investigations and prosecutions under the CFAA. The current reporting requirement is vague, and it is unclear from public records whether the relevant federal agencies have ever complied with it.

  10. The proposed forfeiture provisions are draconian, lack any clear limiting principles, and may lack any reasonable connection to the underlying crimes. Moreover, they pose grave risks of violating the property, privacy, and Constitutional interests of third-party non-targets. They also seem designed to render federal agencies unaccountable as to what they do with property seized in an evidentiary context.


III. Section-by-Section Analysis and Discussion

Amendment language is italicized; commentary is in normal text font.

A. Part I -- Offenses

(1) OFFENSES- Subsection (a) of section 1030 of title 18, United States Code, is amended--

(A) in paragraph (3), by striking `accesses such a computer' and inserting `or in excess of authorization to access any nonpublic computer of a department or agency of the United States, accesses a computer'; and

This language is aimed at addressing vandalization of government websites. Since a site run from a "nonpublic" government computer is itself in some sense open to the public, the statute would be amended to focus on access "in excess of authorization." In short, you're authorized to access a government website open to the public, but you're not authorized to tinker with it.

The Administration's section-by-section analysis states that the amendment addresses a trespass of a "public government computer," but this doesn't track the actual amendment language, which uses the word "nonpublic." This is possibly a drafting error.

-----

(B) in paragraph (7), by striking `, firm, association, educational institution, financial institution, government entity, or other legal entity,'.

The amended statute would simply address intent to extort "from any person." The stricken words are reinserted in a new definition of "person," which the proposed amendment would add to the statute's definition section, so the change has no substantive effect.

-----

(2) ATTEMPTED OFFENSES- Subsection (b) of that section is amended by inserting before the period the following: `as if such person had committed the completed offense'.

The original language refers the reader to subsection (c) for the punishment provisions under 1030, but does not expressly say that attempts are punishable to the same degree as completed offenses are. This amendment would change subsection (b) so that it states this expressly.

B. Part II -- Punishment

(3) PUNISHMENT- Subsection (c) of that section is amended--

(A) in paragraph (1), by striking `, or an attempt to commit an offense punishable under this subparagraph' each place it appears in subparagraphs (A) and (B);

Given the change proposed in the ATTEMPTED OFFENSES subsection, the references to "an attempt to commit an offense under this subsection" would become surplusage, and thus should be removed, which is what this amendment does.

-----

(B) in paragraph (2)--

(i) by striking subparagraph (A) and inserting the following new subparagraph (A):

`(A) except as provided in subparagraphs (B) and (C) of this subparagraph, a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5), or (a)(6) of this section which does not occur after a conviction for another offense under this section;';

This removes the "attempt" language in the original subparagraph 1030(c)(2)(A) and replaces the paragraph with new language that sets the ceiling for punishment for basic first-time offenses under 18 USC 1030(a)(2), (a)(3), (a)(5), or (a)(6).

1030(a)(2) addresses the unauthorized access to, and obtaining of any information from, financial-records and financial-institution computers, government computers, and "protected computers if the conduct involved an interstate or foreign communication." This last provision is problematic in that, while federal Commerce Clause jurisdiction may arguably apply to financial-records and financial-institution computers, and while the federal government has jurisdiction to protect its own department or agency computers, it's not clear what the Constitutional basis is for the scope of "protected computer" or for the focus on "interstate or foreign communication." For further discussion of this point, see below.

This amendment also expands to all of (a)(5) the punishment provisions of (c)(2)(A). In the current statute, (c)(2)(A) applies only to (a)(5)(C) offenses (in which the offender "intentionally accesses a protected computer without authorization, and as a result, causes damage"). Subparagraphs (a)(5)(A), a "knowingly" offense, and (a)(5)(B), a "recklessly" offense, are thus put into the same punishment range as (a)(5)(C), an offense with no mens rea requirement as to damage -- a fine and/or a prison sentence of not more than one year for first offenders under this statute.

-----

(ii) in subparagraph (B), by adding `and' at the end; and

The above is just a cosmetic change. Subparagraph (B) remains substantively unchanged, and prescribes a fine or sentence of up to five years for violations of (a)(2) if the violation was for the purposes of financial gain or commercial advantage, or if the violation was committed in furtherance of criminal or tortious acts prohibited by federal or state law, or if the value of the information obtained exceeds $5000.

-----

(iii) by striking subparagraph (C) and inserting the following new subparagraph (C):

`(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(5)(A) or (a)(5)(B) if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)--

`(i) loss to one or more persons during any one year period (including loss resulting from a related course of conduct affecting one or more other protected computers) aggregating at least $5,000;

`(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of one or more individuals;

`(iii) physical injury to any individual;

`(iv) a threat to public health or safety; or

`(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;';

This is a major change. The original text of (C) is a recidivist provision -- it sets an up-to-ten-year penalty and/or fine for those who violate (a)(2), (a)(3), or (a)(6) offense provisions under the current statute if the offender has previously been convicted of another offense under the Computer Fraud and Abuse Act.

The revised version of (C) is no longer a recidivist provision. Instead, it sets an up-to-ten-year penalty for offenses that result in (or that could result in, if the offense is attempted but not completed) certain specific outcomes.

The scope of this provision is very broad, and raises important Constitutional questions about the proper scope of federal jurisdiction. First of all, it relies on a definition of "protected computer" in the current statute, which is already probably unconstitutionally broad. This point requires some discussion:

The Computer Fraud and Abuse Act has been vastly expanded in scope since its initial passage in 1984. The original language of 1030 limited the scope of the statute to "federal interest computers" -- computers owned by the federal government or used by financial institutions. In the 1990s, however, the scope of 1030 was greatly expanded to include any computer "which is used in interstate or foreign commerce or communication." The Act now potentially covers every private computer connected to the Internet. The statute has already been stretched, probably further than the Constitution allows. Note that it is not limited to any computer in "interstate or foreign commerce." It also covers any computer used for "interstate or foreign communication." (18 USC 1030(e)(2)(B)) Yet the Constitution includes no power to regulate "interstate or foreign communication" separate from interstate or foreign commerce. Thus, there may be a latent "Lopez problem" in the statute, even if unamended. The Supreme Court stated in U.S. v. Lopez, 514 U.S. 549 (1995) that the scope of Interstate Commerce jurisdiction is not unlimited. The Court reaffirmed this principle this spring in U.S. v. Morrison, 120 S. Ct. 1740 (2000). In the Lopez case, concerning the constitutionality of the Gun-Free School Zones Act of 1990, and in the Morrison case, which involved the Violence Against Women Act, the Court held that there must be economic activity, or some colorable impact on economic activity, for federal Commerce Clause jurisdiction to exist. In both cases, that economic-activity nexus was lacking. Clearly, even under its current terms, the Computer Crime Act may already go farther than allowed under Lopez and Morrison. But the detailed listing of ten-year-penalty crimes exacerbates whatever Lopez problem the statute may have.

(C) in paragraph (3)--

(i) by striking `(3)(A)' and inserting `(3)';

(ii) by striking `, (a)(5)(A), (a)(5)(B),';

(iii) by striking `, or an attempt to commit an offense punishable under this subparagraph;'; and

This passage would amend 1030 (c)(3) by removing the (a)(5)(A) and (a)(5)(B) offenses altogether from this section of the punishment scheme. As amended, 1030(c)(3) would apply only to the (a)(4) and (a)(7) offenses -- computer-based fraud and computer-based extortion, respectively.

This means that all offenses under (a)(5) -- broadly, offenses involving intentional unauthorized access followed by unwitting, reckless, or intentional damage to a "protected computer" -- are dealt with elsewhere in the statute. Under the current version of the statute, offenders under the (a)(5)(A) and (a)(5)(B) provisions who are first-time offenders may receive a fine and/or sentence of up to five years' imprisonment. But under the proposed amendment, as we have seen, first-time offenders under (a)(5)(A) or (a)(5)(B) receive up to a one-year prison term -- provided, of course, that their offense did not result in one of the outcomes laid out in 1030(c)(2)(C). So first-time offenders under (a)(5)(A) or (a)(5)(B) whose violations are relatively inconsequential would actually face lower potential prison sentences under the amended statute.

If, however, a first-time offender under (a)(5)(A) or (a)(5)(B) committed a violation that resulted in an aggregate loss of $5000, modification or impairment of health care, physical injury to an individual, "a threat to public health or safety," or damage to governmental law-enforcement, national-defense, or national-security-related computers, he or she will face up to ten years in prison, even though it is a first offense.

The government's proposed legislative history for this change gives the following as the reason for this steepening of penalties for certain first-time offenders:

"Certain offenders can cause such severe damage to protected computers that the current five year maximum does not adequately take into account the seriousness of the crime. For example, David Smith recently pled guilty to violating subsection 1030(a)(5)(A) for releasing the "Melissa" virus in 1999 that caused massive damage to thousands of computers across the internet. Although Smith agreed, as part of his plea, that his conduct caused over $80,000,000 worth of damage (the maximum dollar figure contained in the Sentencing Guidelines), experts estimate that the real amount of damage could have been as much as ten times that amount. Thus, amendments to section 1030(c)(2)(C) raise the maximum penalty for violations of this type to ten years."

This argument has at least three problems. The most basic one is that damages estimates based on release of self-propagating computer programs are highly speculative. It is not the case that those whose computers were affected by the Melissa virus, for example, reported their damages to the Department of Justice, which then tallied up the total. Thus, unlike other crimes involving allegations of property damage, there is no precise anchoring of damage estimates to reports of real damage.

Secondly, the deterrent or punitive value of doubling the penalties for first offenders of this type is unclear. First offenders are, prior to conviction, the least likely defendants to have adequately assessed the damages risks involved in releasing self-propagating programs. In the Internet Worm case, prosecuted in the late 1980s, defendant Robert Tappan Morris had no idea that his worm program would propagate as quickly as it did, or that it would have the effect of shutting down Internet traffic. While it is important, obviously, that the knowing or reckless release of programs that engage in unauthorized access to others' computers and do damage be a punishable offense, it's not clear that doubling the potential penalty would have an appropriate punitive effect or any measurably increased deterrent effect.

Third, what seems more likely is that the increase in penalties is aimed at giving prosecutors a bigger stick to use when pressuring defendants into plea agreements. This interest is sufficiently distant from questions of deterrence and proportionality that it ought not to give any weight to the government's proposal here.

Note: the removal of the "attempt" language here tracks other proposed changes in how the statute deals with attempt crimes.

-----

(iv) by striking subparagraph (B); and

(D) by adding at the end the following new paragraph:

`(4) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(4), (a)(5), (a)(6), or (a)(7) of this section which occurs after a conviction for another offense under this section.'.

This is a new recidivism section for the punishment scheme. It combines recidivism provisions that are found in the current statute under 1030(c)(2)(C) and 1030(c)(3)(B).

C. Part III -- Secret Service Authority

(4) INVESTIGATIVE AUTHORITY OF UNITED STATES SECRET SERVICE- Subsection (d) of that section is amended--

(A) in the first sentence, by striking `subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of'; and

(B) in the second sentence, by striking `which shall be entered into by' and inserting `between'.

This amendment would expand Secret Service jurisdiction to investigate computer crimes to include all offenses listed under the Computer Fraud and Abuse Act. The Secret Service, which has labored over the last decade to define itself as the foremost federal computer-crime-investigating agency, has long sought expansion of its authority under the CFAA. Originally, the Secret Service's jurisdiction under the Act came from its focus on counterfeiting-related crimes: the root of the Secret Service's role in the computer crime area was use of false passwords and dummy accounts, as well as credit-card fraud through the use of false cards or card numbers.

This bill would give the agency authority coterminous with the limits of the Act, limited only by whatever agreement is made between the Secretary of the Treasury and the Attorney General.

Because an increasing percentage of crimes may have some nexus with computer use or abuse during the coming decades, the amended provision for Secret Service jurisdiction is likely to have the effect of greatly expanding the scope of its investigations over time. This presents Congress with the policy question of whether it wants to expand the Secret Service into a more general federal law-enforcement agency.

There is no discussion of this proposed change in the government's Proposed Legislative History.

D. Part IV -- Definitions

(5) DEFINITIONS- Subsection (e) of that section is amended--

(A) in paragraph (2)(B), by inserting before the semicolon the following: `, including a computer located outside the United States';

This amendment includes in the already-broad definition of "protected computer" those computers that reside outside the United States, and are either government or financial-institution computers, or used by the U.S. government or financial institutions. The amendment also includes foreign computers that are "used in interstate or foreign commerce or communication."

In effect, this passage expands the scope of the CFAA to encompass every computer connected to the Internet, everywhere on the globe.

Note also that, on its face, the amendment language classifies all computers belonging to foreign financial institutions as "protected computers" under the statute. (See the definitions of "financial institution" under 1030(e)(4), and particularly (e)(4)(H).) And, in fact, the new definition extends the scope of the statute to foreign computers of all types.

The Proposed Legislative History argues that "[t]his amendment makes clear the intent to include computers outside the United States within the definition of "protected computers" for purposes of section 1030, if there is any activity affecting the United States."

-----

(B) in paragraph (7), by striking `and' at the end;

This is a cosmetic change.

-----

(C) in paragraph (8), by striking `or information,' and all that follows through the end of the paragraph and inserting `or information;';

This amendment changes the definition of "damage" and makes it far more broad. The original definition includes what are apparently attempts at jurisdictional constraints

At present, because of the broad scope of the definition of "protected computer," the only remaining limitation on the scope of 1030, as far as general computer-access offenses go, is the $5,000 jurisdictional amount. Eliminating the $5,000 threshold would federalize what otherwise would be state crimes.

All states currently have statutes in place that address unlawful computer intrusion or computer vandalism. Criminal acts that currently fall below the federal jurisdictional amount can be, and routinely are, addressed by state and local law-enforcement authorities.

Elimination of the jurisdictional amount limitation in 1030 would give the FBI and the Secret Service broad authority to investigate what would otherwise fall into state and local law-enforcement jurisdictions.

This raises another "latent Lopez problem"; the Supreme Court in Lopez said that "Under our federal system, the 'States possess primary authority for defining and enforcing the criminal law.'" Removing the jurisdictional requirement will remove the last shred of constitutional support for 1030, turning it into the kind of general federal criminal statute, ungrounded in a Constitutional grant of power, that the Supreme Court expressly criticized in Lopez.

Elimination of the jurisdictional amount would turn the following activities into federal felonies that might be investigated by the FBI or by the Secret Service or both:

A. Spouses. A husband is concerned that his wife may be having an affair, so, when she brings home the laptop computer she uses at work to send interstate and international e-mail and to do research, he waits until she leaves the house on an errand, then attempts to gain access to her AOL account. In doing so, he recklessly causes damage to her AOL login settings. This would be a crime under the amended 1030, punishable by 1 year in prison.

B. Teacher. A schoolteacher confiscates a student's laptop that the student normally uses to send Internet e-mail, but was using in this instance to show what she believes are inappropriate pictures to classmates. The teacher takes the laptop and erases the pictures. This would be a crime under the amended 1030, punishable by 1 year in prison.

C. Co-workers. Programmers at a Silicon Valley start-up access a fellow worker's computer to change the image that appears on the Windows desktop to a humorous picture. In doing so, they unwittingly corrupt his Windows registration file, causing him to lose several hours reinstalling the software. This would be a crime under the amended 1030, punishable by 1 year in prison.

-----

(D) in paragraph (9), by striking the period at the end and inserting a semicolon; and

This change is cosmetic.

-----

(E) by adding at the end the following new paragraphs:

`(10) the term `conviction for another offense under this section' includes--

`(A) an adjudication of juvenile delinquency for a violation of this section; and

Essentially, this provision makes prior offenses committed when the defendant was a juvenile applicable to the sentencing of a defendant who is convicted under 18 USC 1030 as an adult.

Given the increased scope of what would qualify as an offense under the amendments to 1030, this means that an 11-year-old could be investigated and convicted of a minor offense (of less than $5000 in damage), then face up to 10 years' imprisonment as a 26-year-old for a similar minor offense, even with no intervening offenses. We may take it as a given that minor offenses should be prosecuted, but it is unclear what the justice/policy/constitutional rationale is for expanding federal jurisdiction over minor computer crimes and for drastically increasing the criminal liability for an adult for a minor computer crime simply because he committed another small-scale offense when he was a juvenile.

Once again, it seems that the primary focus of this expansive recidivism provision is to give prosecutors immense ability to pressure defendants into plea agreements.

-----

`(B) a conviction under State law for a crime punishable by imprisonment for more than one year, an element of which is unauthorized access, or exceeding authorized access, to a computer;

It seems counterintuitive for the statute to redefine "conviction for another offense under this section" to include state-law criminal offenses. Those offenses are not "under this section" in any straightforward English-language sense. More importantly, this amendment would have the effect of indirectly federalizing state-law computer crimes. Once again, the rationale may be to increase the ability of federal prosecutors to obtain plea agreements.

-----

`(11) the term `loss' means any reasonable cost to any victim, including responding to the offense, conducting a damage assessment, restoring any data, program, system, or information to its condition before the offense, and any revenue lost or costs incurred because of interruption of service; and

This tracks the applicable "loss" definition of the Sentencing Guidelines (See U.S.S.G. Sec. 2B1.1 Commentary, Application note 2). It should be noted, however, that neither the Sentencing Guidelines nor the amendment language provides any guidance as to what a "reasonable" cost to any victim might be. There is an incentive under these provisions for victims to inflate their costs to bring the offense within the scope of a federal investigation even under the current version of the CFAA. Under the amended version, the incentive to overstate the "reasonable costs" would be to ensure that a first-time offender faced a possible prison term of up to ten years.

-----

`(12) the term `person' includes any individual, firm, association, educational institution, financial institution, corporation, company, partnership, society, government entity, or other legal entity.'.

This definition of "person" simply puts into the statute's definitional section language that had been in (a)(7).

E. Part V -- Causes Of Action

(6) CIVIL ACTIONS- Subsection (g) of that section is amended to read as follows:

`(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive or other equitable relief. An action under this subsection for a violation of subsection (a)(5) may be brought only if the conduct involves one or more of the factors set forth in subsection (c)(2)(C). No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.'.

This language amends the civil-cause-of-action provision of 1030(g) in a number of ways. First, it. The first sentence of 1030(g) remains unchanged from the existing statute. A provision that limits recovery for damage in excess of $5000 to "economic damages" has been removed. (This may mean that plaintiffs can seek recovery for other kinds of damages, provided the $5000-damage threshold of the new (c)(2)(C) has been crossed.) The "factors set forth in (c)(2)(C)" include economic damages in excess of $5000, "modification or impairment" of health care, physical injury to an individual, "a threat to public health or safety," or damage to government law-enforcement, national-defense, or national-security computers.

Obviously, it may be difficult to imagine what a private cause of action based on "a threat to public health or safety" or damage to a national-defense computer might look like. But presumably standard tort principles requiring proof of loss would apply.

F. Part VI -- Forfeiture

(7) FORFEITURE- That section is further amended--

(A) by redesignating subsection (h) as subsection (j); and

The CFAA expressly requires an annual report to Congress from the Secretary of the Treasury and from the Attorney General of investigations and prosecutions under this statute. There are no further specifics as to the prescribed mode of compliance with this provision, and it is unclear, in fact, whether the agencies in question have ever complied in producing a report. It would be better if the statute required reports to the public rather than reports to Congress -- statistics on investigations and prosecutions under the CFAA, if widely available, would make it easier to assess the government's claims about what needs to be changed in the statute.

At any rate, this particular amendment moves the reporting-requirement section of the statute down to the end of the section, and makes room for the forfeiture provision.

-----

(B) by inserting after subsection (g), as amended by paragraph (6) of this subsection, the following new subsections (h) and (i):

`(h)(1) The court, in imposing sentence on any person convicted of a violation of this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States--

`(A) such person's interest in any property, whether real or personal, that was used or intended to be used to commit or to facilitate the commission of such violation; and

`(B) any property, whether real or personal, constituting or derived from, any proceeds that such person obtained, whether directly or indirectly, as a result of such violation.

`(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any administrative or judicial proceeding in relation thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.

`(i)(1) The following shall be subject to forfeiture to the United States, and no property right shall exist in them:

`(A) Any property, whether real or personal, used or intended to be used to commit or to facilitate the commission of any violation of this section.

`(B) Any property, whether real or personal, which constitutes or is derived from proceeds traceable to any violation of this section.

`(2) The provisions of chapter 46 of this title relating to civil forfeiture shall apply to any seizure or civil forfeiture under this subsection.'.

This is a very broad civil and criminal forfeiture scheme with no obvious limiting principle, and it illustrates the hazards of wholesale importation of anti-drug-abuse/anti-drug-trafficking provisions into a statutory scheme that is designed to address a fundamentally different kind of problem.

The Proposed Legislative History justifies the addition of this broad forfeiture language cursorily: "It is the experience of the Department of Justice that forfeiture of property used in the commission of computer crime or proceeds derived therefrom can provide for effective punishment and deterrence, and that it makes little sense to return computers to convicted computer criminals."

Naturally, one may wonder how this can be the "experience of the Department of Justice" when there has been no forfeiture provision under the CFAA before now. Alternatively, if the DOJ is routinely applying forfeiture law from another part of the U.S. Code -- applying it enough to get authoritative "experience" -- what need is there for a forfeiture provision in the CFAA?

But this is the least of the questions raised by the provision and by the Proposed Legislative History. While the forfeiture of property that "proceeds" from the violation is comparatively unproblematic, it is unclear what limits, if any, there would be on the forfeiture of property that might be said to have been "used" in the commission of a computer crime. For example, if a juvenile engages in computer-intrusion from the privacy of his upstairs bedroom, is his parents' house forfeit? The plain language of the proposed amendment, which includes real property that is used "to commit" or "to facilitate" an offense under the CFAA, suggests that there are few practical limits to the scope of forfeiture. (Indeed, this also may provide yet another tool for prosecutors to compel a plea agreement -- "Take the deal, kid, or we'll go after your parents' house.")

The Proposed Legislative History does not attempt to justify the scope of the envisioned real-property forfeiture provisions except in terms of "the experience of the Department of Justice" -- it is an undocumented assertion. It should be remembered, however, that computer crime is not like drug trafficking, in which there is some colorable claim that the owner of a house constructively knows about the deals taking place there. Instead, an offender committing a computer crime may not seem visibly any different from a student doing homework or a programmer working under deadline for a dotcom. The forfeiture provision should at the very least be narrowed to computers and other electronic tools used in committing the offenses under the CFAA, plus any proceeds from those offenses.

Moreover, in an era in which private individuals as well as businesses and governments increasingly store vital data on computers, the forfeiture of computer equipment needs to be handled with regard for the constitutional and privacy rights of third-party non-targets who may have communications or data stored on the seized machine. There is no policy justification, for example, for depriving a family of its tax records, medical data, business records, and private correspondence if none of that information was implicated in the commission of a CFAA crime committed by one child in the family. Even if it is deemed appropriate to compel forfeiture of computer and electronic hardware, the government has no colorable right to have long-term access to non-targets' personal, private, or business data or information, or to their installed software, if those data and software packages were not directly used in the commission of a crime (or the proceeds of a criminal endeavor).

At minimum, any computer-forfeiture provision should take into account these privacy and justice interests. One possible solution would include making the non-implicated data and software available to the non-defendants, or providing them with an opportunity to make comprehensive backups. It would also include an express requirement that non-implicated data and software stored on seized computers be completely erased.

Apart from the government's declaration that "it makes little sense to return computers to convicted computer criminals," we are given little to go on with regard to justifying the treatment of this kind of property in the same manner that we treat the property of drug-trafficking criminals. What seems a likelier explanation of this call for forfeiture is that the government has been sued successfully for overbroad searches and seizures of computers with private mail and business data on them. See Steve Jackson Games v. United States Secret Service. If the government is given the option of proceeding to forfeiture -- especially civil forfeiture, with its lower burden of proof -- for computer equipment seized under an evidentiary search warrant, this forecloses the possibility that the government will be called to account for mishandling, invasive handling, or destruction of the private data of third-party non-targets. In effect, the forfeiture provisions proposed in this bill make the government unaccountable for mishandling third-party data. It seems reasonable to suspect that this is a goal of the provision.

Finally, it is unclear whether, in fact, "it makes little sense to return computers to convicted computer criminals." The presumption on the part of the government heretofore has been that computers, far from being general-purpose tools that can be used for good or ill, are more like guns, or like drugs -- either tools for committing crime or harmful in themselves, when in the hands of offenders. But this presumption has not been backed with any serious study of the issue, and it seems at least intuitively plausible that offenders, chastened by their convictions, could be steered into using their skills and tools in rehabilitative or restitutionary ways. This may not be the case, but there is at least an open question about it, and yet the government treats the issue as a closed question.

G. Part VII -- Sentencing Guidelines

(b) AMENDMENTS TO SENTENCING GUIDELINES- Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the sentencing guidelines to ensure any individual convicted of a violation of paragraph (4) or a felony violation of paragraph (5)(A), but not a felony violation of paragraph (5)(B) or (5)(C), of section 1030(a) of title 18, United States Code, is imprisoned for not less than 6 months.

This provision, according to the Proposed Legislative History, is designed to ensure that misdemeanor offenses under (a)(5)(A), where the prison term ranges from zero to one year, do not require a mandatory six-month sentence (which is currently mandated for (a)(4) and (a)(5) by Section 805 of the Antiterrorism and Effective Death Penalty Act of 1996).

The provision also distinguishes between felony (a)(5)(A) violations (knowing release of a program with the intent of causing damage), which will get the mandatory six-month sentence, and felony (a)(5)(B) and (a)(5)(C) violations, which won't. The (a)(5)(B) offense occurs when an offender intentionally engages in unauthorized access and recklessly causes damage, while the (a)(5)(C) offense is based on intentional unauthorized access that causes damage, regardless of the absence of any mens rea with regard to causing such damage.