Rep. Schiff and Rep. Chabot Introduce Bill to Expand § 1030

May 14, 2007. Rep. Adam Schiff (D-CA), Rep. Steve Chabot (R-OH) and others introduced HR 2290, the "Cyber-Security Enhancement Act of 2007".

The bill would make numerous changes to 18 U.S.C. § 1030, which pertains to "Fraud and related activity in connection with computers". It would further the prosecution of creators and users of botnets. It would add § 1030 to the list of predicate offenses under the RICO statute. It would also increase criminal penalties and forfeitures, and authorize the appropriation of additional funds for investigations and prosecutions of computer related crimes.

Rep. Schiff stated in a release that "Criminals are increasingly using new technologies to prey upon their victims ... As they adapt to these new opportunities to defraud consumers, we must develop better ways to track down the perpetrators and put them away. This legislation will help protect American consumers and businesses from the costly effects of cyber crime and identity theft."

Rep. Chabot stated in the same release that "High tech cyber-criminals are taking advantage of significant gaps in federal criminal statutes ... We must modernize our laws to reflect the rapid technological advancements that make it relatively easy to hijack control of computers, steal personal identities and commit computer fraud."

Robert Holleyman, head of the Business Software Alliance (BSA), stated in a release that "For too long, cyber criminals have taken advantage of legal blind spots and an under-resourced law enforcement community to brazenly threaten online confidence and security ... This legislation will give law enforcement updated and improved tools to combat what has become a growing, organized criminal enterprise."

RICO. The Racketeer Influenced and Corrupt Organizations (RICO) statute, which is codified at 18 U.S.C. § 1961, et seq., criminalizes certain acts associated with "a pattern of racketeering activity".

§ 1961(B) defines the term "racketeering activity" to mean "any act which is indictable under any of the following provisions ...". It then enumerates a long list of sections.

HR 2290 would add § 1030 to this list of offenses that can serve as a predicate for RICO prosecutions.

Cyber Extortion. § 1030(a)(7) currently provides that "Whoever ... with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer".

Section 5 of the bill would add to the end of this the phrase "or to access without authorization or exceed authorized access to a protected computer".

That is, currently the cyber extortion section only applies to threats to cause damage to a computer. HR 2290 would add threats to merely access a computer.

Conspiracy. § 1030 prohibits various acts that are in the nature of unauthorized access to computers. § 1030 also currently prohibits "attempts" to violate the basic prohibitions. Section 6 of HR 2290 would also prohibit "conspiracy" to violate.

Obtaining ID Numbers, Routing Codes, and Access Devices. Currently, § 1030(a)(2) provides that "Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (A) information contained in a financial record of a financial institution, or of a card issuer ... (B) information from any department or agency of the United States; or (C) information from any protected computer if the conduct involved an interstate or foreign communication ... shall be punished ...".

Section 2 of HR 2290 would add a new subsection (D), "a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer". (Parentheses in original.)

Interstate Communication and Commerce Requirements. The above quoted § 1030(a)(2)(C) references "an interstate or foreign communication". Section 3 of HR 2290 removes this language.

Also, currently, the definition of a "protected computer", at § 1030(e)(2)(B), requires that the protected computer be "used in interstate or foreign commerce or communication". Section 3 of HR 2290 would relax this requirement. It would switch from "used in" to "affecting".

For example, any computer with an internet connection would be "affecting" interstate or foreign commerce.

Botnets. Botnet is a slang term of recent origin used to describe a collection of software robots that reside on a collection of compromised computers, almost always without the authority or knowledge of the owners or operators, that are controlled remotely for various nefarious purposes. The compromised computers are often referred to as zombies. The purposes for forming botnets include sending spam, running denial of service attacks, committing click fraud, and spyware.

The broadest prohibition of § 1030 is found in § 1030(a)(5). § 1030(a)(5)(A) lists the criminal acts, while § 1030(a)(5)(B) lists the requisite resulting damage to protected computers.

§ 1030(a)(5)(A) covers "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer", "intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage", and "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage".

Then (a)(5)(B) enumerates five types of damage that are sufficient to sustain a prosecution. Several are specialized types of damage (government or health care computers, resulting in physical injury, or creating a threat to public safety). The fifth type of damage is broad, but requires a minimum loss of $5,000.

Section 9 of HR 2290 would add a sixth type of damage, "damage affecting ten or more protected computers during any 1-year period". The damage could be of any kind. The damage need not have any minimum monetary value. This would extend the reach of § 1030(a)(5) to anyone who creates, herds, or takes over even the smallest of botnets. It would also reach a range of other activity not now prohibited by the statute.

This new section, in combination with the new conspiracy section, would enable both prosecutors and private litigants to pursue those who conspire to use these botnets.

Private Right of Action. § 1030, at subsection (g), currently provides a private right of action. However, it is not as broad as the range of criminal prohibitions. It currently provides, in part, that "Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B)."

An initial question is whether HR 2290, by adding the new subsection (a)(5)(B)(vi) -- "damage affecting ten or more protected computers during any 1-year period" -- broadens the private right of action. § 1030(g) references (a)(5)(B)(i)-(v), but not (vi). HR 2290 does not add (vi) to 1030(g). This is likely merely a drafting oversight that will be addressed by amendment, or addressed as a technical and conforming amendment by staff, during the mark up process. However, it is also possible that Rep. Schiff intends that there be no private right of action associated with damaging "ten or more computers".

If there were a private right of action based upon the new subsection (vi), some businesses lacking malicious or nefarious motives might be subjected to private lawsuits initiated by law firms seeking financial gain. The availability of injunctions under § 1030(g) would provide leverage for obtaining settlements. In contrast, federal prosecutors motivated by a desire to shut down criminal operations would be less likely to bring criminal prosecutions in connection with legitimate business models.

Next, the RICO statute, at 18 U.S.C. § 1964(c), contains a private right of action. HR 2290, by adding § 1030 as a predicate offense for RICO actions, also allows private RICO actions to be brought based upon violations of § 1030.

The purposes of this bill stated by Rep. Schiff and Rep. Chabot are to strengthen federal prosecutors' hands in charging criminals who hijack control of computers, steal personal identities, and defraud consumers.

However, allegations of violation of § 1030 also arise in the context of some employer-employee disputes regarding employees' use of computers assigned to them where the conduct at issue falls far short of hijacking, theft, and fraud. This bill would also increase the power of employers to sue and threaten to sue employees and former employees for conduct such as running applications on their computers that their employers assert violates company policy.

Also, if botnet activity does give rise to a private right of action, then the bill would increase the ability of advertisers and web site operators to deal with click fraud, and a wide range of plaintiffs to deal with spam, adware, spyware, and other conduct.

Funding. The bill would also authorize the appropriation of additional funds to the Secret Service, Federal Bureau of Investigation (FBI), and the Department of Justice's (DOJ) Criminal Division to "investigate and prosecute criminal activity involving computers". Each agency would be authorized to have appropriated $10 Million for each of fiscal years 2007 through 2011 -- a total of $150 Million.

The wording may be significant. This authorization is not restricted to investigation and prosecution of cyber security crimes. The wording is sufficiently broad to enable the agencies to spend the appropriations on other computer related crimes, such as criminal online copyright infringement and criminal possession of pornography. Indeed, the language of HR 2290 would not even require that any of the increased funding go to cyber security crimes.

If the bill were adopted as currently drafted, and appropriators followed through with appropriations, then the copyright industries would likely lobby for the funds to be spent on online infringement cases, while anti-porn groups would lobby for the funds to be spent on their preferred cases.

Perhaps it should be noted that Rep. Schiff represents a Los Angeles area district and is a leading advocate of the movie and music industries' copyright related interests.

Spyware. HR 2290 does not directly address spyware. However, there is a related bill, HR 1525, the "Internet Spyware (I-SPY) Prevention Act of 2007", that the House is likely to approve on Tuesday, May 22, 2007. HR 1525 would not amend § 1030. Rather, it would create a new § 1030A.

The structure and prohibition of the new § 1030A would be similar to that of § 1030. HR 2290 would amend § 1030, but not the new § 1030A (if it is enacted into law).

HR 1525 would provide first that "Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and intentionally uses that program or code in furtherance of another Federal criminal offense shall be fined under this title or imprisoned not more than 5 years, or both."

Second, HR 1525 would provide that,

"Whoever intentionally accesses a protected computer without authorization, or exceeds authorized access to a protected computer, by causing a computer program or code to be copied onto the protected computer, and by means of that program or code--
   (1) intentionally obtains, or transmits to another, personal information with the intent to defraud or injure a person or cause damage to a protected computer; or
   (2) intentionally impairs the security protection of the protected computer with the intent to defraud or injure a person or damage a protected computer;
shall be fined under this title or imprisoned not more than 2 years, or both."

If both HR 2290 and HR 1525 were enacted into law, then one category of computer crimes (§ 1030), but not the other (§ 1030A), could serve as a predicate offense under the RICO statute. Also, one category of computer crimes (§ 1030) would also extend to attempts and conspiracies, while the other would not.

For a summary of HR 1525, see story titled "House Crime Subcommittee Approves Spyware Bill" in TLJ Daily E-Mail Alert No. 1,573, May 2, 2007.

Legislative Process. The other original cosponsors of HR 2290 are Rep. William Delahunt (D-MA), Rep. Dan Lungren (R-CA), Rep. Artur Davis (D-AL), Rep. Julia Carson (D-IN), Rep. Bob Goodlatte (R-VA), Rep. Anna Eshoo (D-CA), Rep. Bob Wexler (D-FL), Rep. Darrell Issa (R-CA), Rep. Linda Sanchez (D-CA), Rep. Mike McCaul (R-TX), and Rep. Bennie Thompson (D-MS).

The bill was referred to the House Judiciary Committee (HJC). Rep. Schiff and Rep. Chabot are members.