February 26, 2002
BY MAIL & FAX
The Honorable Lamar Smith, Chairman
Subcommittee on Crime
Committee on the Judiciary, United States House of Representatives
2231 Rayburn House Office Building
Washington, DC 20515-4321

The Honorable Robert C. Scott, Ranking Member
Subcommittee on Crime
Committee on the Judiciary, United States House of Representatives
2464 Rayburn House Office Building
Washington, DC 20515-4603

Re: H.R. 3482 "The Cyber Security Enhancement Act of 2002"
Dear Representatives Smith and Scott,
We are writing to comment on H.R. 3482 "The Cyber Security Enhancement Act of 2002" (CSEA) [1] that may be considered by the Subcommittee this week. We request that this letter be placed on the hearing record. Several sections in Title I of CSEA raise important questions about the appropriate Congressional response to the problem of cyber crime. Section 102 in particular allows for a significant expansion of enforcement authority without corresponding judicial oversight. We recommend that your Committee take the opportunity to make changes in the bill so that it is consistent with current privacy law and with our constitutional limitations on government investigative power.
The Electronic Privacy Information Center (EPIC) is a public interest research center in Washington, D.C. that seeks to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values. For over a decade we have reviewed proposals for information system security in the federal government, testified on the subject at House and Senate hearings, made recommendations for changes, and pursued litigation where appropriate. EPIC Executive Director Marc Rotenberg has testified before Congress regarding computer crime on several occasions.
As you are aware, our country has become increasingly dependent on high-tech infrastructure for everything from power and communications to transportation and national defense. Computers and the Internet are also becoming more accessible to broader segments of the population who rely on them for a wide range of transactions. [2] Information system security is therefore a serious problem that demands carefully calibrated action from the government. Punishing fraud, developing effective deterrents to criminal behavior, and coordinating enforcement activity are all measures that will improve our security. But any effort to protect our security should be appropriately tailored to the problem identified and should be consistent with our constitutional values. Clearly, well-established safeguards and constitutional protections should not be diminished simply because the criminal might operate in the "virtual" world.
Specifically, we draw your attention to the following sections of CSEA that require further consideration.
Section 101: Sentencing Guidelines
Section 101 directs the United States Sentencing Commission (USSC) to amend sentencing guidelines related to cyber crime. We support the view that the penalties for cyber crime should closely follow their counterparts for crimes in the physical world. Particular attention needs to be placed on the harm caused by cyber crime and on creating effective deterrents and remedies to protect consumers and other affected parties. We welcome §101(6), which requires the USSC to take into account the violation of individuals' privacy rights in drafting sentencing guidelines. The USSC should draft guidelines that are fair, equitable and appropriately tailored to the extent of the harm caused.
We also urge Congress to consider drafting parallel laws that would make software companies and other information technology providers legally accountable for weak or lax security. The notion that a company can produce a consumer product that is systemically flawed, and not be liable, appears to only hold true in the information technology industry.
Section 102: Emergency Disclosure
Section 102 is a major departure from existing privacy protections in the law. This section allows law enforcement authorities and other governmental entities to circumvent the legal protections on access to the content of communications, and it provides no scope for oversight or governmental accountability. The USA PATRIOT Act of 2001 already allows communication service providers to disclose the content of their customers' communications to law enforcement authorities if the provider "reasonably believed" that the information was regarding an "emergency involving immediate danger of death or serious physical injury to any person" (18 U.S.C. 2702(b)(6)(C)).
We note that the PATRIOT Act enacted sweeping changes in computer crime and government surveillance statutes without proper deliberation and despite law enforcement and intelligence agencies already possessing broad authority to conduct investigations of suspected terrorist activity. Section 102 of CSEA seeks to further modify a section of the law without any clear or convincing demonstration of need.
Section 102 departs from the PATRIOT Act in three key respects:
o The information can be divulged to any governmental entity, from school principals to the Center for Disease Control. Under current law only law enforcement authorities are authorized to receive the information.
o The information can be turned over by the communications providers merely on a "good faith" standard rather than the more responsible "reasonable belief" standard. This lax standard will endanger users' privacy because providers can err on the side of increased disclosure without taking into account their customers' rights.
o The proposed standard for the content of the communications is no longer an "immediate danger" to life or limb, but simply a vague and expansive "danger."
Allowing information to be disclosed to any government entity is not only a great risk to personal privacy, but is plainly a poor security strategy. To permit broad access to sensitive information by so many entities could easily create new security risks. A specific agency designated to handle such disclosures can provide an important information clearinghouse function and should be equipped to route critical information expeditiously to the appropriate agency. Most government entities would otherwise have trouble sorting through a flood of information. The CDC, for instance, ignored for two months an e-mail message from a Canadian team that conducted a critical study on the anthrax mail delivery model, because the person in charge was inundated with messages. [3]
Limiting disclosure to one entity might also restrict the misuse of the law in practice, where enforcement authorities approach the communications providers for emergency disclosures of content. The law specifically provides that under those conditions the information collection requires proper judicial authority. There is a highly evolved judicial practice in granting access under time-sensitive conditions that law enforcement can avail itself of if appropriate. The emergency disclosure provision, if it has any utility, provides an avenue for communications providers to disclose information that they might have inadvertently come across. Such disclosures should at least be limited to when the provider reasonably believes that there is an immediate danger. Providers should not become an agent of law enforcement by routinely turning over their customers' private communications under a weak "good faith" standard and a standard of any "danger." The provider's liability for such disclosures ought to be dealt with elsewhere in the law if necessary, without changing the standard.
There is also an urgent need for Congress to create proper public and judicial oversight for the use of emergency disclosure procedures. Because there is no record or audit trail for such requests, some of the public commenters are forced to rely on suppositions and anecdotal evidence. Congress must also draft a provision that notice of such disclosure must be provided to the suspect at an appropriate juncture, following the law with respect to wiretaps.
Section 106: Increased penalties under 1030(c)
Section 106 adds a new sub-part to the penalties under 18 U.S.C. 1030(c) introducing fines and potential life sentences for offenders who knowingly or recklessly cause, or attempt to cause, the death of any person. Section 106 also provides for fines and prison terms up to 20 years for offenders who knowingly or recklessly cause, or attempt to cause, serious bodily injury. Clearly, offenders who use computer technology to kill or seriously injure others ought to be punished for their crime, and that punishment should be consistent with penalties for crimes perpetrated through other means. However, it is not clear why the use of a computer as an instrumentality should be the basis for elevated sentencing. Congress should instruct the Sentencing Commission to research and report on sentencing guidelines that will ensure that computer criminals are punished appropriately for their crimes. Recklessness, for example, is not usually treated as rising to a sufficient criminal level of intent to warrant such prison terms.
Section 107: Provider Assistance
Section 107 inappropriately attempts to create a new information collection tool for law enforcement. Under current law a court order or a certification is needed to access private communications. Section 107 will allow a government entity's "statutory authority," presumably derived from §102 of this title, to compel disclosure of information. This circumvents existing legal protections. Section 107 also provides for civil penalties for providers who choose to protect their customers' privacy.
Section 108: Emergencies
Section 108 modifies the pen register and trap and trace device standard so that such devices can be installed without a court order if there is an "immediate threat" to "a national security interest" or when there is an "on-going attack" on a "protected computer." These conditions are overly broad: any number of things might be construed as a national security interest, and a protected computer includes any computer used in interstate commerce. The threshold for obtaining a pen register or trap and trace device is already low and covers instances where serious harm justifies emergency installation without a court order. At the least, the statutory language for §108 must track the language used for emergency installation of such devices to combat organized crime. An order authorizing the installation and use of such devices must also be thought to be obtainable with "due diligence." In any event, emergency installation must be certified within 48 hours, so there is reason for law enforcement to act correctly in the first instance, but the absence of such language might encourage frivolous or temporary use of such devices.
Section 109: Protecting Privacy
Section 109 strikes the lowered penalties for certain first-time offenders who intercept private communications from the penalties laid out under 18 U.S.C. 2511(4)(b). Section 109 also increases the penalties for unlawful access to stored communications for first-time offenders from one year to five, and from two years to ten years for subsequent offenses under 18 U.S.C. 2701(b).
Title II: Office of Science & Technology (OST)
The National Institute of Justice was created to encourage partnership and information sharing between various local and federal enforcement authorities. While there are no clear civil liberties implications in creating a separate entity, there has not been sufficient debate to illustrate the need for such an entity. We also believe that § 202(b)(2), which creates an exemption for the OST's public-private Advisory Groups from the Federal Advisory Committee Act, is inappropriate because it restricts public access to the Advisory Groups' deliberations.
Recommendations
Section 101: The Sentencing Commission should review sentencing guidelines for cyber crime to make them consistent with guidelines for other criminal activity. There should be a provision that makes information technology producers liable for weak security in their products.
Section 102: Strike §102 or amend proposal to ensure that emergency disclosures can only be made to a narrow class of government entities. Additionally, create a means for public and judicial oversight of emergency disclosure activities along with creating a notice provision for suspects.
Section 106: Criminals using computers should receive penalties commensurate with penalties for crimes perpetrated through other means; the use of a computer as an instrumentality should not be the basis for elevated sentencing. We recommend reviewing the penalties, particularly for reckless behavior, with a view to correcting any disproportionate treatment of computer crimes.
Section 107: Strike §107 or at least strike the provision for civil penalties for communication providers who choose to protect their customers' private communications.
Section 108: Strike §108 or else craft a narrower class of activities where emergency installation of pen register or trap and trace devices is permissible. Also modify language so that in the event of an emergency installation, the enforcement authorities should believe that, with due diligence, the installation will receive court permission.
Section 109: Review the current enforcement of the provision in section 2701(b) before further increases in the proposed punishment. The Transactional Records Access Clearinghouse offers extensive information about the current enforcement of the Computer Fraud and Abuse Act. [4]
Title II: Do not make OST Advisory Groups exempt from the Federal Advisory Committee Act in § 202(b)(2).
We appreciate your consideration of our views. We would be pleased to meet with you or your staff if you have any questions.
Sincerely yours,
/s/
Marc Rotenberg
Executive Director
/s/
Mihir Kshirsagar
IPIOP Policy Fellow
[1] As per the amendment proposed on February 12, 2002, available at http://www.techlawjournal.com/cong107/cybersecurity/hr3482_20020214.asp.
[2] A Nation Online, Department of Commerce Report, available at http://www.esa.doc.gov/508/esa/nationonline.htm.
[3] Chad Terhune, Canadian Officials Did Research On Anthrax Before U.S. Attacks, Wall Street Journal, December 12, 2001.
[4] http://trac.syr.edu.