Summary of Key Provisions of “Internet Security Act of 2000”
May 05, 2000
Summary of Key Provisions of “Internet Security Act of 2000” (S.2430)
Sponsor: Sen. Patrick Leahy (D-Vt.), Ranking Member, Senate Judiciary Committee
May 2000
Jurisdictional and Definitional Changes to the Computer Fraud and Abuse Act: The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is the primary federal criminal statute prohibiting computer frauds and hacking. This bill would amend the statute to clarify the appropriate scope of federal jurisdiction. First, the bill adds a broad definition of “loss” to the definitional section. Calculation of loss is important both in determining whether the $5,000 jurisdictional hurdle in the statute is met, and, at sentencing, in calculating the appropriate guideline range and restitution amount.
Second, the bill amends the definition of “protected computer,” to expressly include qualified computers even when they are physically located outside of the United States. This clarification will preserve the ability of the United States to assist in international hacking cases. A “Sense of Congress” provision specifies that federal jurisdiction is justified by the “interconnected and interdependent nature of computers used in interstate or foreign commerce.”
Finally, the bill expands the jurisdiction of the United States Secret Service to encompass investigations of all violations of 18 U.S.C. § 1030. Prior to the 1996 amendments to the Computer Fraud and Abuse Act, the Secret Service was authorized to investigate any and all violations of section 1030, pursuant to an agreement between the Secretary of the Treasury and the Attorney General. The 1996 amendments, however, concentrated Secret Service jurisdiction on certain specified subsections of section 1030. The current amendment would return full jurisdiction to the Secret Service and would allow the Justice and Treasury Departments to decide on the appropriate work-sharing balance between the two.
Elimination of Mandatory Minimum Sentence for Certain Violations of Computer Fraud and Abuse Act: Currently, a directive to the Sentencing Commission requires that all violations, including misdemeanor violations, of certain provisions of the Computer Fraud and Abuse Act be punished with a term of imprisonment of at least six months. The bill would change this directive to the Sentencing Commission so that no such mandatory minimum would be required.
Additional Criminal Forfeiture Provisions: The bill adds a criminal forfeiture provision to the Computer Fraud and Abuse Act, requiring forfeiture of physical and real property used in or to facilitate the offense as well as property derived from proceeds of the offense. It also supplements the current forfeiture provision in 18 U.S.C. § 2318, which prohibits trafficking in, among other things, counterfeit computer program documentation and packaging, to require the forfeiture of replicators and other devices used in the production of such counterfeit items.
Pen Registers and Trap and Trace Devices: The bill makes it easier for law enforcement to use these investigative techniques in the area of cybercrime, and institutes corresponding privacy protections. On the law enforcement side, the bill gives nationwide effect to pen register and trap and trace orders obtained by Government attorneys, thus obviating the need to obtain identical orders in multiple federal jurisdictions. It also clarifies that such devices can be used on all electronic communication lines, not just telephone lines. On the privacy side, the bill provides for greater judicial review of applications for pen registers and trap and trace devices and institutes a minimization requirement for the use of such devices. The bill also amends the reporting requirements for applications for such devices by specifying the information to be reported.
Denial of Service Investigations: Currently, a person whose computer is accessed by a hacker as a means for the hacker to reach a third computer cannot simply consent to law enforcement monitoring of his computer. Instead, because this person is not technically a party to the communication, law enforcement needs wiretap authorization under Title III to conduct such monitoring. The bill will close this loophole by explicitly permitting such monitoring without a wiretap if prior consent is obtained from the person whose computer is being hacked through and used to send “harmful interference to a lawfully operating computer system.”
Encryption Reporting: The bill directs the Attorney General to report the number of wiretap orders in which encryption was encountered and whether such encryption precluded law enforcement from obtaining the plaintext of intercepted communications.
State and Local Computer Crime Enforcement: The bill directs the Office of Federal Programs to make grants to assist State and local law enforcement in the investigation and prosecution of computer crime.
