20 December 2000: Add source and date of Kopel report.
19 December 2000: Add Congressional Record excerpts on Senate debate and text of Amendment 4366 to H.R. 46.
19 December 2000. Thanks to B.
http://www.nationalreview.com/kopel/kopel121500.shtml
The National Review
15 December 2000
By Dave Kopel of the Independence Institute
Congress may adjourn today — but not before inflicting a series of blows on civil liberties and federalism. As is usual for end-of-the-session assaults on civil liberties, the plan is to speed the new laws through as attachments to some innocuous law, before most people in Congress have time to notice.
The only real chance for stopping this plan lies in House and Senate leadership (especially the House) being flooded with phone calls objecting to yet another sneak attack on the Bill of Rights.
At issue is H.R. 46, a seemingly harmless bill titled "Public Safety Medal of Valor." The bill sets up a federal board to award federal Medals of Valor to policemen, federal agents, and the like. But Congress, unlike many state legislatures, does not operate under a constitutional requirement that a bill's subject matter and title be the same. And it turns out that there's much more in this bill than just medals for firefighters. What the bill does is:
Expand federal asset forfeiture.Expand wiretapping.
Provide special additional punishments for people who use encryption.
Federalize juvenile crimes, which are properly matters for state governments to address.
The House committee report on the bill, of course, only discusses medals for police officers — and not any of the unrelated material which is being added in the closing hours of Congress. The unrelated, dangerous, material comes mostly from the never-passed H.R. 2448.
These new provisions were added to H.R. 46 on October 24, 2000, by the Senate. (See Congressional Record page 10913).
Forfeiture
Section 304 of the "Medal of Valor" bill provides for "Criminal and Civil Forfeiture for Computer Fraud and Abuse." Although federal forfeiture laws have been partially reformed, they are still massively weighted in favor of the government, and allow the government to seize property from people who have never been convicted of a crime.
H.R. 46 would expand federal forfeiture law to include various computer crimes, and allow the forfeiture of any personal property used "to commit or to facilitate the commission of such violation." So the federal government could seize every computer you own, before you have even been charged — let alone convicted — of a computer crime.
Wiretapping
Section 308 of the bill provides federal wiretapping authority over people suspected of committing various computer crimes — allowing the interception of "wire, oral, and electronic communications relating to computer fraud and abuse." So if the federal government asks for a warrant (and wiretap warrants are almost never denied), not only could federal agents read your e-mail (an "electronic communication"), they could also put listening devices in every room in your house.
If a teenager were suspected of computer hacking (even hacking which caused no real damage, but which allegedly posed "a threat to public health"), then H.R. 46 would allow the government to wiretaps the parents' telephone. The average telephone wiretap results in the interception of 1,971 conversations, according to the Wiretap Report for 1999 (Published by the administrative office of the United States Courts).
Current federal wiretap authority stems from the Wiretap Act of 1968. President Lyndon B. Johnson was very concerned about the dangers of wiretapping--perhaps because he personally had ordered some abusive wiretaps; so the president opposed proposals to create federal wiretap power.
Eventually, he accepted the Wiretap Act as part of a larger compromise to allow passage of the Gun Control Act of 1968. Part of the compromise was that wiretap powers would be invoked only for certain enumerated and particularly dangerous offenses. These were crimes involving espionage, treason, violence, or organized crime.
Unfortunately, in the following three decades, the number of suspected offenses for which wiretapping is allowed has quadrupled, to over 100. Among these offenses are making false statements on student-loan applications or passport applications. 18 U.S.C. sec. 2516(1).
Now, H.R. 46 would expand wiretapping to include a wide variety of computer crimes, many of which are relatively minor.
Why Wiretaps Are Especially Dangerous
When the Fourth Amendment was written, the Founders expected that all searches and seizures would be controlled by an important type of checks and balances. Whenever a person was searched, he would know about the search; government agents would enter his home or business, look around, and take property away.
The victim of the search would necessarily know that he had been searched. He would have every incentive to use all legal means to ensure that the search was conducted properly, according to the warrant, and that the warrant itself was properly issued. After the search, he would be able to seek various forms of redress, including filing a lawsuit, if any part of the search had been improper.
Wiretaps, however, destroy this important check that safeguards the Fourth Amendment. Under current federal law, wiretaps-unlike every other kind of search-may be conducted in secret. 18 U.S.C. sec. 2518.
The law allows delay of months — and sometimes-indefinite delay — in notifying a person that she has been subjected to wiretaps. Thus, the most important element of the Fourth Amendment's checks and balances — the desire of the person being searched to protect her privacy — is eliminated.
Moreover, ordinary search warrants must specifically describe what will be searched for, and where the search will be conducted. So if the police are looking for a stolen car, they will check the garage, but not rummage through a person's bedroom drawers.
Wiretaps, in contrast, more closely resemble the Writs of Assistance, which provoked the American Revolution. When a wiretap is placed on a phone, the police listen to every conversation, since they cannot tell in advance whether the people will talk about a subject related to the wiretap warrant, or about something else.
Technically, the police are required to stop listening when they are sure that the conversation is not about the alleged crime involving the wiretap. But in practice, it is very difficult to ensure that this requirement is obeyed. Even the most conscientious police wiretapper cannot help overhearing many innocent conversations, since he cannot foresee what the parties will talk about. In recent years, there have been about two million innocent conservations per year overheard as a result of federal and state wiretaps, according to the Wiretap Report.
Unfortunately, while wiretaps are subject to fewer checks and balances than ordinary searches, they are considerably more invasive and destructive to security and privacy. Supreme Court Justice Louis Brandeis explained:
The evil incident to invasion of the privacy of the telephone is far greater than that involved in tampering with the mails. Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded, and all conversations between them upon any subject, and although proper, confidential, and privileged, may be overheard.
Moreover, the tapping of one man's telephone line involves the tapping of the telephone of every other person whom he may call, or who may call him. As a means of espionage, writs of assistance and general warrants are but puny instruments of tyranny and oppression when compared with wire-tapping. (Olmstead v. United States, 277 U.S. 438 (1928)(Brandeis, J., dissenting))
Earlier this year, the Clinton administration promised that there would be no more wiretapping bills until privacy reforms were enacted — such as a requirement that the police have probable cause before obtaining cell-phone records which disclose your location. Nevertheless, H.R. 46 is moving forward, and contains nothing to improve privacy protection.
Special Punishment for Encryption
Section 310 provides enhanced (more severe) sentencing for computer criminals who use encryption. But as the ACLU points out, we don't provide extra punishment for burglars who wear gloves, or embezzlers who use paper shredders. So why provide extra punishment simply because a criminal uses encryption? The obviously answer, the ACLU notes, is because enhanced punishment "stigmatizes the use of encryption, suggesting that it is somehow worse to use this method to conceal a crime than to use other methods."
Federalizing Juvenile Crime
Although Congress nearly passed a mammoth bill in 1999 to federalize juvenile crime, the issue of juvenile justice (like most other criminal justice issues) is properly a matter for states. Section 306 of H.R. 46 would allow federal courts to hear juvenile delinquency cases involving alleged teenage computer criminals.
But there's no reason to believe that federal courts are better than state courts in dealing with 14-year-olds accused of hacking. Notably, every state has some kind of juvenile justice program, to provide appropriate treatment to rehabilitate juveniles.
The federal government does not. Besides, federal courts are already so overwhelmed with drug cases that there is no reason to burden them further with juvenile matters that belong in state court.
H.R. 46 required "unanimous consent." But the bill remains a threat under procedures which allow suspension of the rules, or as an attachment to the omnibus spending bill.
Thanks to S.
[Congressional Record: December 15, 2000 (Senate)]
[Page S11886-S11890]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr15de00pt2-144]
PUBLIC SAFETY OFFICER MEDAL OF VALOR ACT OF 2000
Mr. STEVENS. Mr. President, I ask unanimous consent that the
Judiciary Committee be discharged from further consideration of H.R. 46
and the Senate proceed to its immediate consideration.
The PRESIDING OFFICER. Without objection, it is so ordered. The clerk
will report the bill by title.
The assistant legislative clerk read as follows:
A bill (H.R. 46) to provide a national medal for public
safety officers who act with extraordinary valor above and
beyond the call of duty.
There being no objection, the Senate proceeded to consider the bill.
Mr. LEAHY. Mr. President, today we consider three bipartisan measures
offered together as a package: the Public Safety Officer Medal of Valor
Act, H.R. 46; the Computer Crime Enforcement Act, which I introduced as
S. 1314, on July 1, 1999, with Senator DeWine and is now also co-
sponsored by Senators Robb, Hatch and Abraham; and a Hatch-Leahy-
Schumer ``Internet Security Act'' amendment. I thank my colleagues for
their hard work on these pieces of legislation, each of which I will
discuss in turn.
I support the Public Safety Officer Medal of Valor Act. I cosponsored
the Stevens bill, S. 39, to establish a Public Safety Medal of Valor.
In April and May, 1999, I made sure that the Senate acted on Senator
Stevens' bill, S. 39.
On April 22, 1999, the Senate Judiciary Committee took up that
measure in regular order and reported it unanimously. At that time I
congratulated Senator Stevens and thanked him for his leadership. I
noted that we had worked together on a number of law enforcement
matters and that the senior Senator from Alaska is a stalwart supporter
of the men and women who put themselves at risk to protect us all. I
said that I looked forward to enactment of this measure and to seeing
the extraordinary heroism of our police, firefighters and correctional
officers recognized with the Medal of Valor.
On May 18, 1999, I was privileged to be on the floor of the Senate
when we proceeded to consider S. 39 and passed it unanimously. I took
that occasion to commend Senator Stevens and all who had worked so hard
to move this measure in a timely way. That was over one year ago,
during National Police Week last year. The measure was sent to the
House where it lay dormant for the rest of last year and most of this
one.
The President of the United States came to Capitol Hill to speak at
the Law Enforcement Officers Memorial Service on May 15, 2000, and said
on that occasion that if Congress would not act on the Medal of Valor,
he was instructing the Attorney General to explore ways to award such
recognition by Executive action.
Unfortunately, these calls for action did not waken the House from
its slumber on this matter and the House of Representatives refused to
pass the Senate-passed Medal of Valor bill. Instead, over the past
year, the House has insisted that the Senate take up, fix and pass the
House-passed version of this measure if it is to become law. House
members have indicated that they are now prepared to accept most of the
Senate-passed text, but insist that it be enacted under the House bill
number. In order to get this important measure to the President, that
is what we are doing today. We are discharging the House-passed version
of that bill, H.R. 46, from the Judiciary Committee, adopting a
complete substitute, and sending it back to the House.
I have worked with Senator Hatch, Senator Stevens and others to
perfect the final version of this bill. We have crafted bipartisan
improvements to ensure that the Medal of Valor Board will worked
effectively and efficiently with the National Medal of Valor Office
within the Department of Justice. Our legislation establishes both of
these entities and it is essential that they work well together to
design the Medal of Valor and to create the criteria and procedures for
recommendations of nominees for the award. The men and women who will
be honored by the Medal of Valor for their brave deeds deserve nothing
less.
The information age is filled with unlimited potential for good, but
it also creates a variety of new challenges for law enforcement. A
recent survey by the FBI and the Computer Security Institute found that
62 percent of information security professionals reported computer
security breaches in the past year. These breaches in computer security
resulted in financial losses of more than $120 million from fraud,
theft of
[[Page S11887]]
information, sabotage, computer viruses, and stolen laptops. Computer
crime has become a multi-billion dollar problem.
Many of us have worked on these issues for years. In 1984, we passed
the Computer Fraud and Abuse Act to criminalize conduct when carried
out by means of unauthorized access to a computer. In 1986, we passed
the Electronic Communications Privacy Act (ECPA), which I was proud to
sponsor, to criminalize tampering with electronic mail systems and
remote data processing systems and to protect the privacy of computer
users. In 1994, the Violent Crime Control and Law Enforcement Act
included the Computer Abuse Amendments which I authored to make illegal
the intentional transmission of computer viruses.
In the 104th Congress, Senators Kyl, Grassley and I worked together
to enact the National Information Infrastructure Protection Act to
increase protection under federal criminal law for both government and
private computers, and to address an emerging problem of computer-age
blackmail in which a criminal threatens to harm or shut down a computer
system unless their extortion demands are met. In the 105th Congress,
Senators Kyl and I also worked together on criminal copyright
amendments that became law to enhance the protection of copyrighted
works online.
The Congress must be constantly vigilant to keep the law up-to-date
with technology. The Computer Crime Enforcement Act, S. 1314, and the
Hatch-Leahy-Schumer ``Internet Security Act'' amendment are part of
that ongoing effort. These complementary pieces of legislation reflect
twin-track progress against computer crime: More tools at the federal
level and more resources for local computer crime enforcement. The fact
that this is a bipartisan effort is good for technology policy.
But make no mistake about it: even with passage of this legislation,
there is more work to be done--both to assist law enforcement and to
safeguard the privacy and other important constitutional rights of our
citizens. I wish that the Congress had also tackled online privacy
in this session, but that will now be punted into the next
congressional session.
The legislation before us today does not attempt to resolve every
issue. For example, both the Senate and the House held hearings this
session about the FBI's Carnivore program. Carnivore is a computer
program designed to advance criminal investigations by capturing
information in Internet communications pursuant to court orders. Those
hearings sparked a good debate about whether advances in technology,
like Carnivore, require Congress to pass new legislation to assure that
our private Internet communications are protected from government over-
reaching while protecting the government's right to investigate crime.
I look forward to our discussion of these privacy issues in the next
Congress.
The Computer Crime Enforcement Act is intended to help states and
local agencies in fighting computer crime. All 50 states have now
enacted tough computer crime control laws. They establish a firm
groundwork for electronic commerce, an increasingly important sector of
the nation's economy.
Unfortunately, too many state and local law enforcement agencies are
struggling to afford the high cost of enforcing their state computer
crime statutes. Earlier this year, I released a survey on computer
crime in Vermont. My office surveyed 54 law enforcement agencies in
Vermont--43 police departments and 11 State's attorney offices--on
their experience investigating and prosecuting computer crimes. The
survey found that more than half of these Vermont law enforcement
agencies encounter computer crime, with many police departments and
state's attorney offices handling 2 to 5 computer crimes per month.
Despite this documented need, far too many law enforcement agencies
in Vermont cannot afford the cost of policing against computer crimes.
Indeed, my survey found that 98 percent of the responding Vermont law
enforcement agencies do not have funds dedicated for use in computer
crime enforcement. My survey also found that few law enforcement
officers in Vermont are properly trained in investigating computer
crimes and analyzing cyber-evidence.
According to my survey, 83 percent of responding law enforcement
agencies in Vermont do not employ officers properly trained in computer
crime investigative techniques. Moreover, my survey found that 52
percent of the law enforcement agencies that handle one or more
computer crimes per month cited their lack of training as a problem
encountered during investigations. Without the necessary education,
training and technical support, our law enforcement officers are and
will continue to be hamstrung in their efforts to crack down on
computer crimes.
I crafted the Computer Crime Enforcement Act, S. 1314, to address
this problem. The bill would authorize a $25 million Department of
Justice grant program to help states prevent and prosecute computer
crime. Grants under our bipartisan bill may be used to provide
education, training, and enforcement programs for local law enforcement
officers and prosecutors in the rapidly growing field of computer
criminal justice. Our legislation has been endorsed by the Information
Technology Association of America and the Fraternal Order of Police.
This is an important bipartisan effort to provide our state and local
partners in crime-fighting with the resources they need to address
computer crime.
The Internet Security Act of 2000 makes progress to ensure that we
are properly dealing with the increase in computer crime. I thank and
commend Senators Hatch and Schumer for working with me and other
Members of the Judiciary Committee to address some of the serious
concerns we had with the first iteration of their bill, S. 2448, as it
was originally introduced.
Specifically, as introduced, S. 2448 would have over-federalized
minor computer abuses. Currently, federal jurisdiction exists for a
variety of computer crimes if, and only if, such criminal offenses
result in at least $5,000 of damage or cause another specified injury,
including the impairment of medical treatment, physical injury to a
person or a threat to public safety. S. 2448, as introduced, would have
eliminated the $5,000 jurisdictional threshold and thereby criminalized
a variety of minor computer abuses, regardless of whether any
significant harm resulted.
For example, if an overly-curious college sophomore checks a
professor's unattended computer to see what grade he is going to get
and accidently deletes a file or a message, current Federal law does
not make that conduct a crime. That conduct may be cause for discipline
at the college, but not for the FBI to swoop in and investigate. Yet,
under the original S. 2448, as introduced, this unauthorized access to
the professor's computer would have constituted a federal crime.
Another example is that of a teenage hacker, who plays a trick on a
friend by modifying the friend's vanity Web page. Under current law, no
federal crime has occurred. Yet, under the original S. 2448, as
introduced, this conduct would have constituted a federal crime.
As America Online correctly noted in a June, 2000 letter,
``eliminating the $5,000 threshold for both criminal and civil
violations would risk criminalizing a wide range of essentially benign
conduct and engendering needless litigation. . . .'' Similarly, the
Internet Alliance commented in a June, 2000 letter that ``[c]omplete
abolition of the limit will lead to needless federal prosecution of
often trivial offenses that can be reached under state law. . . .''
Those provisions were overkill. Our federal laws do not need to reach
each and every minor, inadvertent and harmless computer abuse--after
all, each of the 50 states has its own computer crime laws. Rather, our
federal laws need to reach those offenses for which federal
jurisdiction is appropriate.
Prior Congresses have declined to over-federalize computer offenses
as originally proposed in S. 2448, as introduced, and sensibly
determined that not all computer abuses warrant federal criminal
sanctions. When the computer crime law was first enacted in 1984, the
House Judiciary Committee reporting the bill stated:
The Federal jurisdictional threshold is that there must be
$5,000 worth of benefit to the defendant or loss to another
in order to concentrate Federal resources on the more
substantial computer offenses that affect
[[Page S11888]]
interstate or foreign commerce. (H.Rep. 98-894, at p. 22,
July 24, 1984).
Similarly, the Senate Judiciary Committee under the chairmanship of
Senator Thurmond, rejected suggestions in 1986 that ``the Congress
should enact as sweeping a Federal statute as possible so that no
computer crime is potentially uncovered.'' (S. Rep. 99-432, at p. 4,
September 3, 1986).
The Hatch-Leahy-Schumer substitute amendment to S. 2448, which was
reported unanimously by the Judiciary Committee on October 5th,
addresses those federalism concerns by retaining the $5,000
jurisdictional threshold in current law. That Committee-reported
substitute amendment, with the additional refinements reflected in the
Hatch-Leahy-Schumer Internet Security Act amendment to H.R. 46, which
the Senate considers today, makes other improvements to the original
bill and current law, as summarized below.
First, titles II, III, IV and V of the original bill, S. 2448, about
which various problems had been raised, are eliminated. For example,
title V of the original bill would have authorized the Justice
Department to enter into Mutual Legal Assistance Treaties (MLAT) with
foreign governments that would allow the Attorney General broad
discretion to investigate lawful conduct in the U.S. at the request of
foreign governments without regard to whether the conduct investigated
violates any Federal computer crime law. In my view, that discretion
was too broad and troubling.
Second, the amendment includes an authorization of appropriations of
$5 million to the Computer Crime and Intellectual Property (CCIP)
section within the Justice Department's Criminal Division and requires
the Attorney General to make the head of CCIP a ``Deputy Assistant
Attorney General,'' which is not a Senate-confirmed position, in order
to highlight the increasing importance and profile of this position.
This authorized funding level is consistent with an amendment I
sponsored and circulated to Members of the Judiciary Committee to
improve S. 2448 and am pleased to see it incorporated into the Internet
Security Act amendment to H.R. 46.
Third, the amendment modifies section 1030 of title 18, United States
Code, in several important ways, including providing for increased and
enhanced penalties for serious violations of federal computer crime
laws, clarifying the definitions of ``loss'' to ensure that the full
costs to a hacking victim are taken into account and of ``protected
computer'' to facilitate investigations of international computer
crimes affecting the United States, and preserving the existing $5,000
threshold and other jurisdictional prerequisites for violations of
section 1030(a)(5)--i.e., no Federal crime has occurred unless the
conduct (1) causes loss to 1 or more persons during any 1-year period
aggregating at least $5,000 in value, (2) impairs the medical care of
another person, (3) causes physical injury to another person, (4)
threatens public health or safety, or (5) causes damage affecting a
computer system used by or for a government entity in furtherance of
the administration of justice, national defense, or national security.
The amendment clarifies the precise elements of the offense the
government must prove in order to establish a violation by moving these
prerequisites from the current definition of ``damage'' to the
description of the offense. In addition, the amendment creates a new
category of felony violations where a hacker causes damage to a
computer system used by or for a government entity in furtherance of
the administration of justice, national defense, or national security.
Currently, the Computer Fraud and Abuse Act provides for federal
criminal penalties for those who intentionally access a protected
computer or cause an unauthorized transmission to a protected computer
and cause damage. ``Protected computer'' is defined to include those
that are ``used in interstate or foreign commerce.'' See 18 U.S.C.
1030(e)(2)(B). The amendment would clarify the definition of
``protected computer'' to ensure that computers which are used in
interstate or foreign commerce but are located outside of the United
States are included within the definition of ``protected computer''
when those computers are used in a manner that affects interstate or
foreign commerce or communication of this country. This will ensure
that our government will be able to conduct domestic investigations and
prosecutions against hackers from this country who hack into foreign
computer systems and against those hacking though the United States to
other foreign venues. Moreover, by clarifying the fact that a domestic
offense exists, the United States will be able to use speedier domestic
procedures in support of international hacker cases, and create the
option of prosecuting such criminals in the United States.
The amendment also adds a definition of ``loss'' to the Computer
Fraud and Abuse Act. Current law defines the term ``damage'' to include
impairment of the integrity or availability of data, programs, systems
or information causing a ``loss aggregating at least $5,000 in value
during any 1-year period to one or more individuals.'' See 18 U.S.C.
Sec. 1030(e)(8)(A). The new definition of ``loss'' to be added as
section 1030(e)(11) will ensure that the full costs to victims of
responding to hacking offenses, conducting damage assessments,
restoring systems and data to the condition they were in before an
attack, as well as lost revenue and costs incurred because of an
interruption in service, are all counted. This statutory definition is
consistent with the definition of ``loss'' appended by the U.S.
Sentencing Commission to the Federal Sentencing Guidelines (see
U.S.S.G. Sec. 2B1.1 Commentary, Application note 2), and will help
reconcile procedures by which prosecutors value loss for charging
purposes and by which judges value loss for sentencing purposes.
Getting this type of true accounting of ``loss'' is important because
loss amounts can be used to calculate restitution and to determine the
appropriate sentence for the perpetrator under the sentencing
guidelines.
Fourth, section 303(e) of the Hatch-Leahy-Schumer Internet Security
Act amendment to H.R. 46 clarifies the grounds for obtaining damages in
civil actions for violations of the Computer Fraud and Abuse Act.
Current law authorizes a person who suffers ``damage or loss'' from a
violation of section 1030 to sue the violator for compensatory damages
or injunctive or other equitable relief, and limits the remedy to
``economic damages'' for violations ``involving damage as defined
in subsection (e)(8)(A),'' relating to violations of 1030(a)(5) that
cause loss aggregating at least $5,000 during any 1-year period.
Current law does not contain a definition of ``loss,'' which is being
added by this amendment.
To take account of both the new definition of ``loss'' and the
incorporation of the requisite jurisdictional thresholds into the
description of the offense (rather than the current definition of
``damage''), the amendment to subsection (g) makes several changes.
First, the amendment strikes the reference to subsection (e)(8)(A) in
the current civil action provision and retains Congress' previous
intent to allow civil plaintiffs only economic damages for violations
of section 1030(a)(5) that do not also affect medical treatment, cause
physical injury, threaten public health and safety or affect computer
systems used in furtherance of the administration of justice, the
national defense or national security.
Second, the amendment clarifies that civil actions under section
1030, and not just 1030(a)(5), are limited to conduct that involves one
of the factors enumerated in new subsection (a)(5)(B), namely, the
conduct (1) causes loss to 1 or more persons during any 1-year period
aggregating at least $5,000 in value, (2) impairs the medical care of
another person, (3) causes physical injury to another person, (4)
threatens public health or safety, or (5) causes damage affecting a
computer system used by or for a government entity in furtherance of
the administration of justice, national defense, or national security.
This clarification is consistent with judicial constructions of the
statute, requiring proof of the $5,000 loss threshold as a prerequisite
for civil suit, for example, under subsection 1030(a)(2)(C). See, e.g.,
America Online, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444, 450 (E.D. Va.
1998) (court granted summary judgment on claim under 1030(a)(2)(C),
stating, ``[p]laintiff asserts that as a result of defendants' actions,
it suffered damages exceeding $5,000, the statutory threshold
requirement'').
[[Page S11889]]
While proof of ``loss'' is required, this amendment preserves current
law that civil enforcement of certain violations of section 1030 is
available without requiring proof of ``damage,'' which is defined in
the amendment to mean ``any impairment to the integrity or availability
of data, a program, a system, or information.'' In fact, only
subsection 1030(a)(5) requires proof of ``damage''; civil enforcement
of other subsections of this law may proceed without such proof. Thus,
only the factors enumerated in new subsection (a)(5)(B), and not its
introductory language referring to conduct described in subsection
(a)(5)(A), constitute threshold requirements for civil suits for
violations of section 1030 other than subsection 1030(a)(5).
Finally, the amendment adds a new sentence to subsection 1030(g)
clarifying that civil actions may not be brought ``for the negligent
design or manufacture of computer hardware, computer software, or
firmware.''
The Congress provided this civil remedy in the 1994 amendments to the
Act, which I originally sponsored with Senator Gordon Humphrey, to
enhance privacy protection for computer communications and the
information stored on computers by encouraging institutions to improve
computer security practices, deterring unauthorized persons from
trespassing on computer systems of others, and supplementing the
resources of law enforcement in combating computer crime. [See The
Computer Abuse Amendments Act of 1990: Hearing Before the Subcomm. On
Technology and the Law of the Senate Comm. On the Judiciary, 101st
Cong., 2nd Sess., S. Hrg. 101-1276, at pp. 69, 88, 92 (1990); see also
Statement of Senator Humphrey, 136 Cong. Rec. S18235 (1990) (``Given
the Government's limited capacity to pursue all computer crime cases,
the existence of this limited civil remedy will serve to enhance
deterrence in this critical area.'')]. The ``new, civil remedy for
those harmed by violations of the Computer Fraud and Abuse Act'' was
intended to ``boost the deterrence of the statute by allowing aggrieved
individuals to obtain relief.'' [S. Rep. No. 101-544, 101st Cong., 2d
Sess., p. 6-7 (1990); see also Statement of Senator Leahy, 136 Cong.
Rec. S18234 (1990)]. We certainly and expressly did not want to ``open
the floodgates to frivolous litigation.'' [Statement of Senator Leahy,
136 Cong. Rec. S4614 (1990)].
At the time the civil remedy provision was added to the Computer
Fraud and Abuse Act, this Act contained no prohibition against
negligently causing damage to a computer through unauthorized access,
reflected in current law, 18 U.S.C. Sec. 1030(a)(5)(C). That
prohibition was added only with subsequent amendments made in 1996, as
part of the National Information Infrastructure Protection Act.
Nevertheless, the civil remedy has been interpreted in some cases to
apply to the negligent manufacture of computer hardware or software.
See, e.g., Shaw v. Toshiba America Information Systems, Inc., NEC, 91
F.Supp. 2d 926 (E.D. TX 1999) (court interpreted the term transmission
to include sale of computers with a minor design defect).
The Hatch-Leahy-Schumer Internet Security Act amendment to subsection
1030(g) is intended to ensure that the civil remedy is a robust option
for private enforcement actions, while limiting its applicability to
negligence cases that are more appropriately governed by contractual
warranties, state tort law and consumer protection laws.
Fifth, sections 304 and 309 of the Hatch-Leahy-Schumer Internet
Security Act amendment to H.R. 46 authorize criminal forfeiture of
computers, equipment, and other personal property used to violate the
Computer Fraud and Abuse Act, as well as real and personal property
derived from the proceeds of computer crime. Property, both real and
personal, which is derived from proceeds traceable to a violation of
section 1030, is currently subject to both criminal and civil
forfeiture. See 18 U.S.C. Sec. 981(a)(1)(C) and 982(a)(2)(B). Thus,
the amendment would clarify in section 1030 itself that forfeiture
applies and extend the application of forfeiture to property that is
used or intended to be used to commit or to facilitate the commission
of a computer crime. In addition, to deter and prevent piracy, theft
and counterfeiting of intellectual property, the section 309 of the
amendment allows forfeiture of devices, such as replicators or other
devices used to copy or produce computer programs to which counterfeit
labels have been affixed.
The criminal forfeiture provision in section 304 specifically states
that only the ``interest of such person,'' referring to the defendant
who committed the computer crime, is subject to forfeiture. Moreover,
the criminal forfeiture authorized by Sections 304 and 309 is made
expressly subject to Section 413 of the Comprehensive Drug Abuse
Prevention and Control Act of 1970, but subsection (d) of section 413
is expressly exempted from application to Section 304 and 309. That
subsection (d) creates a rebuttable presumption of forfeiture in favor
of the government where a person convicted of a felony acquired the
property during the period that the crime was committed or within a
reasonable time after such period and there was no likely source for
such property other than the criminal violation. Thus, by making
subsection (d) inapplicable, Sections 304 and 309 make it more
difficult for the government to prove that the property should be
forfeited.
Sixth, unlike the version reported by the Judiciary Committee, the
amendment does not require that prior delinquency adjudications of
juveniles for violations of the Computer Fraud and Abuse Act be counted
under the definition of ``conviction'' for purposes of enhanced
penalties. This is an improvement that I urged since juvenile
adjudications simply are not criminal convictions. Juvenile proceedings
are more informal than adult prosecutions and are not subject to the
same due process protections. Consequently, counting juvenile
adjudications as a prior conviction for purposes of the recidivist
sanctions under the amendment would be unduly harsh and unfair. In any
event, prior juvenile delinquency adjudications are already subject to
sentencing enhancements under certain circumstances under the
Sentencing Guidelines. See, e.g., U.S.S.G. Sec. 411.2(d) (upward
adjustments in sentences required for each juvenile sentence to
confinement of at least sixty days and for each juvenile sentence
imposed within five years of the defendant's commencement of instant
offense).
Seventh, the amendment changes a current directive to the Sentencing
Commission enacted as section 805 of the Antiterrorism and Effective
Death Penalty Act of 1996, P.L. 104-132, that imposed a 6-month
mandatory minimum sentence for any conviction of the sections
1030(a)(4) or (a)(5) of title 18, United States code. The
Administration has noted that ``[i]n some instances, prosecutors have
exercised their discretion and elected not to charge some defendants
whose actions otherwise would qualify them for prosecution under the
statute, knowing that the result would be mandatory imprisonment.''
Clearly, mandatory imprisonment is not always the most appropriate
remedy for a federal criminal violation, and the ironic result of this
``get tough'' proposal has been to discourage prosecutions that might
otherwise have gone forward. The amendment eliminates that mandatory
minimum term of incarceration for misdemeanor and less serious felony
computer crimes.
Eighth, section 310 of the amendment directs the Sentencing
Commission to review and, where appropriate, adjust sentencing
guidelines for computer crimes to address a variety of factors,
including to ensure that the guidelines provide sufficiently stringent
penalties to deter and punish persons who intentionally use encryption
in connection with the commission or concealment of criminal acts.
The Sentencing Guidelines already provide for enhanced penalties when
persons obstruct or impede the administration of justice, see U.S.S.G.
Sec. 3C1.1, or engage in more than minimal planning, see U.S.S.G.
Sec. 2B1.1(b)(4)(A). As the use of encryption technology becomes more
widespread, additional guidance from the Sentencing Commission would be
helpful to determine the circumstances when such encryption use would
warrant a guideline adjustment. For example, if a defendant employs an
encryption product that works automatically and transparently with a
telecommunications service or software product, an enhancement for use
of encryption may not be appropriate, while the deliberate use of
[[Page S11890]]
encryption as part of a sophisticated and intricate scheme to conceal
criminal activity and make the offense, or its extent, difficult to
detect, may warrant a guideline enhancement either under existing
guidelines or a new guideline.
Ninth, the Hatch-Leahy-Schumer Internet Security Act amendment to
H.R. 46 would eliminate certain statutory restrictions on the authority
of the United States Secret Service ("Secret Service''). Under current
law, the Secret Service is authorized to investigate offenses under six
designated subsections of 18 U.S.C. Sec. 1030, subject to agreement
between the Secretary of the Treasury and the Attorney General:
subsections (a)(2)(A) (illegally accessing a computer and obtaining
financial information); (a)(2)(B) (illegally accessing a computer and
obtaining information from a department or agency of the United
States); (a)(3) (illegally accessing a non-public computer of a
department or agency of the United States either exclusively used by
the United States or used by the United States and the conduct affects
that use by or for the United States); (a)(4) (accessing a protected
computer with intent to defraud and thereby furthering the fraud and
obtaining a thing of value, unless the object of the fraud and the
thing obtained consists only of the use of the computer and the value
of such use is not more than $5,000 in a one-year period); (a)(5)
(knowingly causing the transmission of a program, information, code or
command and thereby intentionally and without authorization causing
damage to a protected computer; and illegally accessing a protected
computer and causing damage recklessly or otherwise); and (a)(6)
(trafficking in a password with intent to defraud).
Under current law, the Secret Service is not authorized to
investigate offenses under subsection (a)(1) (accessing a computer and
obtaining information relating to national security with reason to
believe the information could be used to the injury of the United
States or to the advantage of a foreign nation and willfully retaining
or transmitting that information or attempting to do so); (a)(2)(C)
(illegally accessing a protected computer and obtaining information
where the conduct involves an interstate or foreign communication); and
(a)(7) (transmitting a threat to damage a protected computer with
intent to extort).
The Internet Security Act removes these limitations on the authority
of the Secret Service and authorizes the Secret Service to investigate
any offense under Section 1030 relating to its jurisdiction under 18
U.S.C. Sec. 3056 and subject to agreement between the Secretary of the
Treasury and the Attorney General. This provision also makes clear that
the FBI retains primary authority to investigate offenses under
subsection 1030(a)(1).
Prior to 1996 amendments to the Computer Fraud and Abuse Act, the
Secret Service was authorized to investigate all violations of Section
1030. According to the 1996 Committee Reports of the 104th Congress,
2nd Session, the 1996 amendments attempted to concentrate the Secret
Service's jurisdiction on certain subsections considered to be within
the Secret Service's traditional jurisdiction and not grant authority
in matters with a national security nexus. According to the
Administration, which first proposed the elimination of these statutory
restrictions in connection with transmittal of its comprehensive crime
bill, the ``21st Century Law Enforcement and Public Safety Act,''
however, these specific enumerations of investigative authority ``have
the potential to complicate investigations and impede interagency
cooperation.'' (See Section-by-section Analysis, SEC. 3082, for ``21st
Century Law Enforcement and Public Safety Act'').
The current restrictions, for example, risk hindering the Secret
Service from investigating ``hacking'' into White House computers or
investigating threats against the President that may be delivered by
such a ``hacker,'' and fulfilling its mission to protect financial
institutions and the nation's financial infrastructure. The provision
thus modifies existing law to restore the Secret Service's authority to
investigate violations of Section 1030, leaving it to the Departments
of Treasury and Justice to determine between them how to allocate
workload and particular cases. This arrangement is consistent with
other jurisdictional grants of authority to the Secret Service. See,
e.g., 18 U.S.C. Sec. Sec. 1029(d), 3056(b)(3).
Tenth, section 307 of the Hatch-Leahy-Schumer Internet Security Act
amendment would provide an additional defense to civil actions relating
to preserving records in response to government requests. Current law
authorizes civil actions and criminal liability for unauthorized
interference with or disclosures of electronically stored wire or
electronic communications under certain circumstances. 18 U.S.C.
Sec. Sec. 2701, et seq. A provision of that statutory scheme makes
clear that it is a complete defense to civil and criminal liability if
the person or entity interfering with or attempting to disclose a
communication does so in good faith reliance on a court warrant or
order, grand jury subpoena, legislative or statutory authorization. 18
U.S.C. Sec. 2707(e)(1).
Current law, however, does not address one scenario under which a
person or entity might also have a complete defense. A provision of the
same statutory scheme currently requires providers of wire or
electronic communication services and remote computing services, upon
request of a governmental entity, to take all necessary steps to
preserve records and other evidence in its possession for a renewal
period of 90 days pending the issuance of a court order or other
process requiring disclosure of the records or other evidence. 18
U.S.C. Sec. 2703(f). Section 2707(e)(1), which describes the
circumstances under which a person or entity would have a complete
defense to civil or criminal liability, fails to identify good faith
reliance on a governmental request pursuant to Section 2703(f) as
another basis for a complete defense. Section 307 modifies current law
by addressing this omission and expressly providing that a person or
entity who acts in good faith reliance on a governmental request
pursuant to Section 2703(f) also has a complete defense to civil and
criminal liability.
Finally, the bill authorizes construction and operation of a National
Cyber Crime Technical Support Center and 10 regional computer forensic
labs that will provide education, training, and forensic examination
capabilities for State and local law enforcement officials charged with
investigating computer crimes. The section authorizes a total of $100
million for FY 2001, of which $20 million shall be available solely for
the 10 regional labs and would complement the state computer crime
grant bill, S. 1314, with which this bill is offered.
Amendment No. 4366
(Purpose: To enhance computer crime enforcement and Internet security,
and for other purposes)
Mr. STEVENS. Mr. President, Senator Hatch has an amendment which is
at the desk.
The PRESIDING OFFICER. The clerk will report.
The assistant legislative clerk read as follows:
The Senator from Alaska [Mr. Stevens], for Mr. Hatch,
proposes an amendment numbered 4366.
(The text of the amendment is printed in today's Record under
``Amendments Submitted.'')
Mr. STEVENS. Mr. President, I ask unanimous consent that the
amendment be agreed to.
The PRESIDING OFFICER. Without objection, it is so ordered.
The amendment (No. 4366) was agreed to.
Mr. STEVENS. Mr. President, I ask unanimous consent that the bill, as
amended, be read the third time and passed, the motion to reconsider be
laid upon the table, the amendment to the title be agreed to, and any
statements relating to the bill be printed in the Record.
The PRESIDING OFFICER. Without objection, it is so ordered.
The bill (H.R. 46), as amended, was read the third time and passed.
The title was amended so as to read:
To provide a national medal for public safety officers who
act with extraordinary valor above and beyond the call of
duty, to enhance computer crime enforcement and Internet
security, and for other purposes.
____________________
--------------------------------------------------------------------------
[Congressional Record: December 15, 2000 (Senate)]
[Page S11931-S11936]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
[DOCID:cr15de00pt2-204]
AMENDMENTS SUBMITTED
PUBLIC SAFETY OFFICER MEDAL OF VALOR ACT OF 1999
______
HATCH AMENDMENT NO. 4366
Mr. STEVENS (for Mr. Hatch) proposed an amendment to the bill (H.R.
46) to provide for a national medal for public safety officers who act
with extraordinary valor above and beyond the call of duty; as follows:
Strike all after the enacting clause and insert the
following:
TITLE I--PUBLIC SAFETY MEDAL OF VALOR
SECTION 101. SHORT TITLE.
This title may be cited as the ``Public Safety Officer
Medal of Valor Act of 2000''.
SEC. 102. AUTHORIZATION OF MEDAL.
After September 1, 2001, the President may award, and
present in the name of Congress, a Medal of Valor of
appropriate design, with ribbons and appurtenances, to a
public safety officer who is cited by the Attorney General,
upon the recommendation of the Medal of Valor Review Board,
for extraordinary valor above and beyond the call of duty.
The Public Safety Medal of Valor shall be the highest
national award for valor by a public safety officer.
SEC. 103. MEDAL OF VALOR BOARD.
(a) Establishment of Board.--There is established a Medal
of Valor Review Board
[[Page S11932]]
(hereinafter in this title referred to as the ``Board''),
which shall be composed of 11 members appointed in accordance
with subsection (b) and shall conduct its business in
accordance with this title.
(b) Membership.--
(1) Members.--The members of the Board shall be individuals
with knowledge or expertise, whether by experience or
training, in the field of public safety, of which--
(A) two shall be appointed by the majority leader of the
Senate;
(B) two shall be appointed by the minority leader of the
Senate;
(C) two shall be appointed by the Speaker of the House of
Representatives;
(D) two shall be appointed by the minority leader of the
House of Representatives; and
(E) three shall be appointed by the President, including
one with experience in firefighting, one with experience in
law enforcement, and one with experience in emergency
services.
(2) Term.--The term of a Board member shall be 4 years.
(3) Vacancies.--Any vacancy in the membership of the Board
shall not affect the powers of the Board and shall be filled
in the same manner as the original appointment.
(4) Operation of the board.--
(A) Chairman.--The Chairman of the Board shall be elected
by the members of the Board from among the members of the
Board.
(B) Meetings.--The initial meeting of the Board shall be
conducted within 90 days of the appointment of the last
member of the Board. Thereafter, the Board shall meet at the
call of the Chairman of the Board. The Board shall meet not
less often than twice each year.
(C) Voting and rules.--A majority of the members shall
constitute a quorum to conduct business, but the Board may
establish a lesser quorum for conducting hearings scheduled
by the Board. The Board may establish by majority vote any
other rules for the conduct of the Board's business, if such
rules are not inconsistent with this title or other
applicable law.
(c) Duties.--The Board shall select candidates as
recipients of the Medal of Valor from among those
applications received by the National Medal Office. Not more
often than once each year, the Board shall present to the
Attorney General the name or names of those it recommends as
Medal of Valor recipients. In a given year, the Board shall
not be required to select any recipients but may not select
more than 5 recipients. The Attorney General may in
extraordinary cases increase the number of recipients in a
given year. The Board shall set an annual timetable for
fulfilling its duties under this title.
(d) Hearings.--
(1) In general.--The Board may hold such hearings, sit and
act at such times and places, administer such oaths, take
such testimony, and receive such evidence as the Board
considers advisable to carry out its duties.
(2) Witness expenses.--Witnesses requested to appear before
the Board may be paid the same fees as are paid to witnesses
under section 1821 of title 28, United States Code. The per
diem and mileage allowances for witnesses shall be paid from
funds appropriated to the Board.
(e) Information From Federal Agencies.--The Board may
secure directly from any Federal department or agency such
information as the Board considers necessary to carry out its
duties. Upon the request of the Board, the head of such
department or agency may furnish such information to the
Board.
(f) Information To Be Kept Confidential.--The Board shall
not disclose any information which may compromise an ongoing
law enforcement investigation or is otherwise required by law
to be kept confidential.
SEC. 104. BOARD PERSONNEL MATTERS.
(a) Compensation of Members.--(1) Except as provided in
paragraph (2), each member of the Board shall be compensated
at a rate equal to the daily equivalent of the annual rate of
basic pay prescribed for level IV of the Executive Schedule
under section 5315 of title 5, United States Code, for each
day (including travel time) during which such member is
engaged in the performance of the duties of the Board.
(2) All members of the Board who serve as officers or
employees of the United States, a State, or a local
government, shall serve without compensation in addition to
that received for those services.
(b) Travel Expenses.--The members of the Board shall be
allowed travel expenses, including per diem in lieu of
subsistence, at rates authorized for employees of agencies
under subchapter I of chapter 57 of title 5, United States
Code, while away from their homes or regular places of
business in the performance of service for the Board.
SEC. 105. DEFINITIONS.
In this title:
(1) Public safety officer.--The term ``public safety
officer'' means a person serving a public agency, with or
without compensation, as a firefighter, law enforcement
officer, or emergency services officer, as determined by the
Attorney General. For the purposes of this paragraph, the
term ``law enforcement officer'' includes a person who is a
corrections or court officer or a civil defense officer.
(2) State.--The term ``State'' means each of the several
States of the United States, the District of Columbia, the
Commonwealth of Puerto Rico, the Virgin Islands, Guam,
American Samoa, and the Commonwealth of the Northern Mariana
Islands.
SEC. 106. AUTHORIZATION OF APPROPRIATIONS.
There are authorized to be appropriated to the Attorney
General such sums as may be necessary to carry out this
title.
SEC. 107. NATIONAL MEDAL OF VALOR OFFICE.
There is established within the Department of Justice a
national medal of valor office. The office shall provide
staff support to the Board to establish criteria and
procedures for the submission of recommendations of nominees
for the Medal of Valor and for the final design of the Medal
of Valor.
SEC. 108. CONFORMING REPEAL.
Section 15 of the Federal Fire Prevention and Control Act
of 1974 (15 U.S.C. 2214) is amended--
(1) by striking subsection (a) and inserting the following
new subsection (a):
``(a) Establishment.--There is hereby established an
honorary award for the recognition of outstanding and
distinguished service by public safety officers to be known
as the Secretary's Award For Distinguished Public Safety
Service (`Secretary's Award').'';
(2) in subsection (b)--
(A) by striking paragraph (1); and
(B) by striking ``(2)'';
(3) by striking subsections (c) and (d) and redesignating
subsections (e), (f), and (g) as subsections (c), (d), and
(e), respectively; and
(4) in subsection (c), as so redesignated--
(A) by striking paragraph (1); and
(B) by striking ``(2)''.
SEC. 109. CONSULTATION REQUIREMENT.
The Board shall consult with the Institute of Heraldry
within the Department of Defense regarding the design and
artistry of the Medal of Valor. The Board may also consider
suggestions received by the Department of Justice regarding
the design of the medal, including those made by persons not
employed by the Department.
TITLE II--COMPUTER CRIME ENFORCEMENT
SEC. 201. SHORT TITLE.
This title may be cited as the ``Computer Crime Enforcement
Act''.
SEC. 202. STATE GRANT PROGRAM FOR TRAINING AND PROSECUTION OF
COMPUTER CRIMES.
(a) In General.--Subject to the availability of amounts
provided in advance in appropriations Acts, the Office of
Justice Programs shall make a grant to each State, which
shall be used by the State, in conjunction with units of
local government, State and local courts, other States, or
combinations thereof, to--
(1) assist State and local law enforcement in enforcing
State and local criminal laws relating to computer crime;
(2) assist State and local law enforcement in educating the
public to prevent and identify computer crime;
(3) assist in educating and training State and local law
enforcement officers and prosecutors to conduct
investigations and forensic analyses of evidence and
prosecutions of computer crime;
(4) assist State and local law enforcement officers and
prosecutors in acquiring computer and other equipment to
conduct investigations and forensic analysis of evidence of
computer crimes; and
(5) facilitate and promote the sharing of Federal law
enforcement expertise and information about the
investigation, analysis, and prosecution of computer crimes
with State and local law enforcement officers and
prosecutors, including the use of multijurisdictional task
forces.
(b) Use of Grant Amounts.--Grants under this section may be
used to establish and develop programs to--
(1) assist State and local law enforcement in enforcing
State and local criminal laws relating to computer crime;
(2) assist State and local law enforcement in educating the
public to prevent and identify computer crime;
(3) educate and train State and local law enforcement
officers and prosecutors to conduct investigations and
forensic analyses of evidence and prosecutions of computer
crime;
(4) assist State and local law enforcement officers and
prosecutors in acquiring computer and other equipment to
conduct investigations and forensic analysis of evidence of
computer crimes; and
(5) facilitate and promote the sharing of Federal law
enforcement expertise and information about the
investigation, analysis, and prosecution of computer crimes
with State and local law enforcement officers and
prosecutors, including the use of multijurisdictional task
forces.
(c) Assurances.--To be eligible to receive a grant under
this section, a State shall provide assurances to the
Attorney General that the State--
(1) has in effect laws that penalize computer crime, such
as penal laws prohibiting--
(A) fraudulent schemes executed by means of a computer
system or network;
(B) the unlawful damaging, destroying, altering, deleting,
removing of computer software, or data contained in a
computer, computer system, computer program, or computer
network; or
(C) the unlawful interference with the operation of or
denial of access to a computer, computer program, computer
system, or computer network;
(2) an assessment of the State and local resource needs,
including criminal justice resources being devoted to the
investigation and enforcement of computer crime laws; and
[[Page S11933]]
(3) a plan for coordinating the programs funded under this
section with other federally funded technical assistant and
training programs, including directly funded local programs
such as the Local Law Enforcement Block Grant program
(described under the heading ``Violent Crime Reduction
Programs, State and Local Law Enforcement Assistance'' of the
Departments of Commerce, Justice, and State, the Judiciary,
and Related Agencies Appropriations Act, 1998 (Public Law
105-119)).
(d) Matching Funds.--The Federal share of a grant received
under this section may not exceed 90 percent of the costs of
a program or proposal funded under this section unless the
Attorney General waives, wholly or in part, the requirements
of this subsection.
(e) Authorization of Appropriations.--
(1) In general.--There is authorized to be appropriated to
carry out this section $25,000,000 for each of fiscal years
2001 through 2004.
(2) Limitations.--Of the amount made available to carry out
this section in any fiscal year not more than 3 percent may
be used by the Attorney General for salaries and
administrative expenses.
(3) Minimum amount.--Unless all eligible applications
submitted by any State or unit of local government within
such State for a grant under this section have been funded,
such State, together with grantees within the State (other
than Indian tribes), shall be allocated in each fiscal year
under this section not less than 0.75 percent of the total
amount appropriated in the fiscal year for grants pursuant to
this section, except that the United States Virgin Islands,
American Samoa, Guam, and the Northern Mariana Islands each
shall be allocated 0.25 percent.
(f) Grants to Indian Tribes.--Notwithstanding any other
provision of this section, the Attorney General may use
amounts made available under this section to make grants to
Indian tribes for use in accordance with this section.
TITLE III--INTERNET SECURITY
SEC. 301. SHORT TITLE.
This title may be cited as the ``Internet Security Act of
2000''.
SEC. 302. DEPUTY ASSISTANT ATTORNEY GENERAL FOR COMPUTER
CRIME AND INTELLECTUAL PROPERTY.
(a) Establishment of Position.--(1) Chapter 31 of title 28,
United States Code, is amended by inserting after section 507
the following new section:
``Sec. 507a. Deputy Assistant Attorney General for Computer
Crime and Intellectual Property
``(a) The Attorney General shall appoint a Deputy Assistant
Attorney General for Computer Crime and Intellectual
Property.
``(b) The Deputy Assistant Attorney General shall be the
head of the Computer Crime and Intellectual Property Section
(CCIPS) of the Department of Justice.
``(c) The duties of the Deputy Assistant Attorney General
shall include the following:
``(1) To advise Federal prosecutors and law enforcement
personnel regarding computer crime and intellectual property
crime.
``(2) To coordinate national and international law
enforcement activities relating to combatting computer crime.
``(3) To provide guidance and assistance to Federal, State,
and local law enforcement agencies and personnel, and
appropriate foreign entities, regarding responses to threats
of computer crime and cyber-terrorism.
``(4) To serve as the liaison of the Attorney General to
the National Infrastructure Protection Center (NIPC), the
Department of Defense, the National Security Agency, and the
Central Intelligence Agency on matters relating to computer
crime.
``(5) To coordinate training for Federal, State, and local
prosecutors and law enforcement personnel on laws pertaining
to computer crime.
``(6) To propose and comment upon legislation concerning
computer crime, intellectual property crime, encryption,
electronic privacy, and electronic commerce, and concerning
the search and seizure of computers.
``(7) Such other duties as the Attorney General may
require, including duties carried out by the head of the
Computer Crime and Intellectual Property Section of the
Department of Justice as of the date of the enactment of the
Internet Security Act of 2000.''.
(2) The table of sections at the beginning of such chapter
is amended by inserting after the item relating to section
507 the following new item:
``507a. Deputy Assistant Attorney General for Computer Crime and
Intellectual Property.''.
(b) First Appointment to Position of Deputy Assistant
Attorney General.--(1) The individual who holds the position
of head of the Computer Crime and Intellectual Property
Section (CCIPS) of the Department of Justice as of the date
of the enactment of this title shall act as the Deputy
Assistant Attorney General for Computer Crime and
Intellectual Property under section 507a of title 28, United
States Code, until the Attorney General appoints an
individual to hold the position of Deputy Assistant Attorney
General for Computer Crime and Intellectual Property under
that section.
(2) The individual first appointed as Deputy Assistant
Attorney General for Computer Crime and Intellectual Property
after the date of the enactment of this title may be the
individual who holds the position of head of the Computer
Crime and Intellectual Property Section of the Department of
Justice as of that date.
(c) Authorization of Appropriations for CCIPS.--There is
hereby authorized to be appropriated for the Department of
Justice for fiscal year 2001, $5,000,000 for the Computer
Crime and Intellectual Property Section of the Department for
purposes of the discharge of the duties of the Deputy
Assistant Attorney General for Computer Crime and
Intellectual Property under section 507a of title 28, United
States Code (as so added), during that fiscal year.
SEC. 303. DETERRENCE AND PREVENTION OF FRAUD, ABUSE, AND
CRIMINAL ACTS IN CONNECTION WITH COMPUTERS.
(a) Clarification of Protection of Protected Computers.--
Subsection (a)(5) of section 1030 of title 18, United States
Code, is amended--
(1) by inserting ``(i)'' after ``(A)'';
(2) by redesignated subparagraphs (B) and (C) as clauses
(ii) and (iii), respectively, of subparagraph (A);
(3) by adding ``and'' at the end of clause (iii), as so
redesignated; and
(4) by adding at the end the following new subparagraph:
``(B) whose conduct described in clause (i), (ii), or (iii)
of subparagraph (A) caused (or, in the case of an attempted
offense, would, if completed, have caused)--
``(i) loss to 1 or more persons during any 1-year period
(including loss resulting from a related course of conduct
affecting 1 or more other protected computers) aggregating at
least $5,000 in value;
``(ii) the modification or impairment, or potential
modification or impairment, of the medical examination,
diagnosis, treatment, or care of 1 or more individuals;
``(iii) physical injury to any person;
``(iv) a threat to public health or safety; or
``(v) damage affecting a computer system used by or for a
government entity in furtherance of the administration of
justice, national defense, or national security;''.
(b) Protection from Extortion.--Subsection (a)(7) of that
section is amended by striking ``, firm, association,
educational institution, financial institution, governmental
entity, or other legal entity,''.
(c) Penalties.--Subsection (c) of that section is amended--
(1) in paragraph (2)--
(A) in subparagraph (A)--
(i) by inserting ``except as provided in subparagraph
(B),'' before ``a fine'';
(ii) by striking ``(a)(5)(C)'' and inserting
``(a)(5)(A)(iii)''; and
(iii) by striking ``and'' at the end;
(B) in subparagraph (B), by inserting ``or an attempt to
commit an offense punishable under this subparagraph,'' after
``subsection (a)(2),'' in the matter preceding clause (i);
and
(C) in subparagraph (C), by striking ``and'' at the end;
(2) in paragraph (3)--
(A) by striking ``, (a)(5)(A), (a)(5)(B),'' both places it
appears; and
(B) by striking ``(a)(5)(C)'' and inserting
``(a)(5)(A)(iii)''; and
(3) by adding at the end the following new paragraph:
``(4)(A) a fine under this title, imprisonment for not more
than 10 years, or both, in the case of an offense under
subsection (a)(5)(A)(i), or an attempt to commit an offense
punishable under this subparagraph;
``(B) a fine under this title, imprisonment for not more
than 5 years, or both, in the case of an offense under
subsection (a)(5)(A)(ii), or an attempt to commit an offense
punishable under this subparagraph; and
``(C) a fine under this title, imprisonment for not more
than 20 years, or both, in the case of an offense under
subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to
commit an offense punishable under this subparagraph, that
occurs after a conviction for another offense under this
section.''.
(d) Definitions.--Subsection (e) of that section is
amended--
(1) in paragraph (2)(B), by inserting ``, including a
computer located outside the United States that is used in a
manner that affects interstate or foreign commerce or
communication of the United States'' before the semicolon;
(2) in paragraph (7), by striking ``and'' at the end;
(3) by striking paragraph (8) and inserting the following
new paragraph (8):
``(8) the term `damage' means any impairment to the
integrity or availability of data, a program, a system, or
information;''
(4) in paragraph (9), by striking the period at the end and
inserting a semicolon; and
(5) by adding at the end the following new paragraphs:
``(10) the term `conviction' shall include a conviction
under the law of any State for a crime punishable by
imprisonment for more than 1 year, an element of which is
unauthorized access, or exceeding authorized access, to a
computer;
``(11) the term `loss' means any reasonable cost to any
victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to the
offense, and any revenue lost, cost incurred, or other
consequential damages incurred because of interruption of
service; and
``(12) the term `person' means any individual, firm,
corporation, educational institution, financial institution,
governmental entity, or legal or other entity.''.
(e) Damages in Civil Actions.--Subsection (g) of that
section is amended--
[[Page S11934]]
(1) by striking the second sentence and inserting the
following new sentences: ``A suit for a violation of this
section may be brought only if the conduct involves one of
the factors enumerated in clauses (i) through (v) of
subsection (a)(5)(B). Damages for a violation involving only
conduct described in subsection (a)(5)(B)(i) are limited to
economic damages.''; and
(2) by adding at the end the following new sentence: ``No
action may be brought under this subsection for the negligent
design or manufacture of computer hardware, computer
software, or firmware.''.
SEC. 304. CRIMINAL FORFEITURE FOR COMPUTER FRAUD AND ABUSE.
Section 1030 of title 18, United States Code, as amended by
section 303 of this Act, is further amended--
(1) by redesignating subsection (h) as subsection (i); and
(2) by inserting after subsection (g) the following new
subsection (h):
``(h)(1) The court, in imposing sentence on any person
convicted of a violation of this section, shall order, in
addition to any other sentence imposed and irrespective of
any provision of State law, that such person forfeit to the
United States--
``(A) the interest of such person in any personal property
that was used or intended to be used to commit or to
facilitate the commission of such violation; and
``(B) any property, whether real or personal, constituting
or derived from any proceeds that such person obtained,
whether directly or indirectly, as a result of such
violation.
``(2) The criminal forfeiture of property under this
subsection, any seizure and disposition thereof, and any
administrative or judicial proceeding relating thereto, shall
be governed by the provisions of section 413 of the
Comprehensive Drug Abuse Prevention and Control Act of 1970
(21 U.S.C. 853), except subsection (d) of that section.''.
SEC. 305. ENHANCED COORDINATION OF FEDERAL AGENCIES.
Subsection (d) of section 1030 of title 18, United States
Code, is amended to read as follows:
``(d)(1) The United States Secret Service shall, in
addition to any other agency having such authority, have the
authority to investigate offenses under this section relating
to its jurisdiction under section 3056 of this title and
other statutory authorities. Such authority of the United
States Secret Service shall be exercised in accordance with
an agreement which shall be entered into by the Secretary of
the Treasury and the Attorney General.
``(2) The Federal Bureau of Investigation shall have
primary authority to investigate offenses under subsection
(a)(1) for any cases involving espionage, foreign
counterintelligence, information protected against
unauthorized disclosure for reasons of national defense or
foreign relations, or Restricted Data (as that term is
defined in section 11 y. of the Atomic Energy Act of 1954 (42
U.S.C. 2014(y)), except for offenses affecting the duties of
the United States Secret Service pursuant to section 3056(a)
of this title.''.
SEC. 306. ADDITIONAL DEFENSE TO CIVIL ACTIONS RELATING TO
PRESERVING RECORDS IN RESPONSE TO GOVERNMENT
REQUESTS.
Section 2707(e)(1) of title 18, United States Code, is
amended by inserting after ``or statutory authorization'' the
following: ``(including a request of a governmental entity
under section 2703(f) of this title)''.
SEC. 307. FORFEITURE OF DEVICES USED IN COMPUTER SOFTWARE
COUNTERFEITING AND INTELLECTUAL PROPERTY THEFT.
(a) In General.--Section 2318(d) of title 18, United States
Code, is amended--
(1) by inserting ``(1)'' before ``When'';
(2) in paragraph (1), as so designated, by inserting ``,
and of any replicator or other device or thing used to copy
or produce the computer program or other item to which the
counterfeit labels have been affixed or which were intended
to have had such labels affixed'' before the period; and
(3) by adding at the end the following:
``(2) The forfeiture of property under this section,
including any seizure and disposition of the property, and
any related judicial or administrative proceeding, shall be
governed by the provisions of section 413 (other than
subsection (d) of that section) of the Comprehensive Drug
Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''.
(b) Conforming Amendment.--Section 492 of such title is
amended in the first undesignated paragraph by striking ``or
1720,'' and inserting ``, 1720, or 2318''.
SEC. 308. SENTENCING DIRECTIVES FOR COMPUTER CRIMES.
(a) Amendment of Sentencing Guidelines Relating to Certain
Computer Crimes.--Pursuant to its authority under section
994(p) of title 28, United States Code, the United States
Sentencing Commission shall amend the Federal sentencing
guidelines and, if appropriate, shall promulgate guidelines
or policy statements or amend existing policy statements to
address--
(1) the potential and actual loss resulting from an offense
under section 1030 of title 18, United States Code (as
amended by this title);
(2) the level of sophistication and planning involved in
such an offense;
(3) the growing incidence of offenses under such
subsections and the need to provide an effective deterrent
against such offenses;
(4) whether or not such an offense was committed for
purposes of commercial advantage or private financial
benefit;
(5) whether or not the defendant involved a juvenile in the
commission of such an offense;
(6) whether or not the defendant acted with malicious
intent to cause harm in committing such an offense;
(7) the extent to which such an offense violated the
privacy rights of individuals harmed by the offense; and
(8) any other factor the Commission considers appropriate
in connection with any amendments made by this title with
regard to such subsections.
(b) Amendment of Sentencing Guidelines Relating to Certain
Computer Fraud and Abuse.--Pursuant to its authority under
section 994(p) of title 28, United States Code, the United
States Sentencing Commission shall amend the Federal
sentencing guidelines to ensure that any individual convicted
of a violation of section 1030(a)(5)(A)(ii) or
1030(a)(5)(A)(iii) of title 18, United States Code (as
amended by section 303 of this Act), can be subjected to
appropriate penalties, without regard to any mandatory
minimum term of imprisonment.
(c) Amendment of Sentencing Guidelines Relating to Use of
Encryption.--Pursuant to its authority under section 994(p)
of title 28, United States Code, the United States Sentencing
Commission shall amend the Federal sentencing guidelines and,
if appropriate, shall promulgate guidelines or policy
statements or amend existing policy statements to ensure that
the guidelines provide sufficiently stringent penalties to
deter and punish persons who intentionally use encryption in
connection with the commission or concealment of criminal
acts sentenced under the guidelines.
(d) Emergency Authority.--The Commission may promulgate the
guidelines or amendments provided for under this section in
accordance with the procedures set forth in section 21(a) of
the Sentencing Act of 1987, as though the authority under
that Act had not expired.
SEC. 309. ASSISTANCE TO FEDERAL, STATE, AND LOCAL COMPUTER
CRIME ENFORCEMENT AND ESTABLISHMENT OF NATIONAL
CYBER CRIME TECHNICAL SUPPORT CENTER.
(a) National Cyber Crime Technical Support Center.--
(1) Construction required.--The Director of the Federal
Bureau of Investigation shall provide for the construction
and equipping of the technical support center of the Federal
Bureau of Investigation referred to in section 811(a)(1)(A)
of the Antiterrorism and Effective Death Penalty Act of 1996
(Public Law 104-132; 110 Stat. 1312; 28 U.S.C. 531 note).
(2) Naming.--The technical support center constructed and
equipped under paragraph (1) shall be known as the ``National
Cyber Crime Technical Support Center''.
(3) Functions.--In addition to any other authorized
functions, the functions of the National Cyber Crime
Technical Support Center shall be--
(A) to serve as a centralized technical resource for
Federal, State, and local law enforcement and to provide
technical assistance in the investigation of computer-related
criminal activities;
(B) to assist Federal, State, and local law enforcement in
enforcing Federal, State, and local criminal laws relating to
computer-related crime;
(C) to provide training and education for Federal, State,
and local law enforcement personnel regarding investigative
technologies and forensic analyses pertaining to computer-
related crime;
(D) to conduct research and to develop technologies for
assistance in investigations and forensic analyses of
evidence related to computer-related crimes;
(E) to facilitate and promote efficiencies in the sharing
of Federal law enforcement expertise, investigative
technologies, and forensic analysis pertaining to computer-
related crime with State and local law enforcement personnel,
prosecutors, regional computer forensic laboratories, and
multijurisdictional computer crime task forces; and
(F) to carry out such other activities as the Director
considers appropriate.
(b) Development and Support of Computer Forensic
Activities.--The Director shall, in consultation with the
heads of other Federal law enforcement agencies, take
appropriate actions to develop at least 10 regional computer
forensic laboratories, and to provide support, education, and
assistance for existing computer forensic laboratories, in
order that such computer forensic laboratories have the
capability--
(1) to provide forensic examinations with respect to seized
or intercepted computer evidence relating to criminal
activity;
(2) to provide training and education for Federal, State,
and local law enforcement personnel and prosecutors regarding
investigations, forensic analyses, and prosecutions of
computer-related crime;
(3) to assist Federal, State, and local law enforcement in
enforcing Federal, State, and local criminal laws relating to
computer-related crime;
(4) to facilitate and promote the sharing of Federal law
enforcement expertise and information about the
investigation, analysis, and prosecution of computer-related
crime with State and local law enforcement personnel and
prosecutors, including the use of multijurisdictional task
forces; and
(5) to carry out such other activities as the Attorney
General considers appropriate.
(c) Authorization of Appropriations.--
(1) Authorization.--There is hereby authorized to be
appropriated for fiscal year
[[Page S11935]]
2001, $100,000,000 for purposes of carrying out this section,
of which $20,000,000 shall be available solely for activities
under subsection (b).
(2) Availability.--Amounts appropriated pursuant to the
authorization of appropriations in paragraph (1) shall remain
available until expended.
Amend the title to read as follows: ``To provide a national
medal for public safety officers who act with extraordinary
valor above and beyond the call of duty, to enhance computer
crime enforcement and Internet security, and for other
purposes.''.
______