6.5 Changes to Existing Laws



Since the tragic events of September 11, 2001, the U.S. Congress has enacted legislation in the USA Patriot Act that has strengthened or amended many of the laws relating to computer crime and electronic evidence. In this section, we review some of the more important changes that have been made to the laws [5] in the United States. In the final sections of this chapter, we discuss the topics of investigations and ethics.

6.5.1 Authority to Intercept Voice Communications

Under previous law, investigators could not obtain a wiretap order to intercept wire communications (those involving the human voice) for violations of the Computer Fraud and Abuse Act (18 U.S.C. § 1030). For example, in several investigations, hackers have stolen teleconferencing services from a telephone company and used this mode of communication to plan and execute hacking attacks. The new amendment changed this by adding felony violations of the Fraud and Abuse Act to the list of offenses for which a wiretap could be obtained; however, this provision will expire on December 31, 2005, unless Congress mandates otherwise.

6.5.2 Obtaining Voice-Mail and other Stored Voice Communications

The Electronic Communications Privacy Act (ECPA) governed law enforcement access to stored electronic communications (such as e-mail), but not stored wire communications (such as voice-mail). Instead, the wiretap statute governed such access because the legal definition of "wire communication" included stored communications, requiring law enforcement to use a wiretap order (rather than a search warrant) to obtain unopened voice communications. Thus, law enforcement authorities were forced to use a wiretap order to obtain voice communications stored with a third-party provider, but they could use a search warrant if that same information were stored on an answering machine inside a criminal's home. This system created an unnecessary burden for criminal investigations. Stored voice communications possess few of the sensitivities associated with real-time interception of telephones, making the extremely burdensome process of obtaining a wiretap order unreasonable.

Moreover, the statutory framework mainly envisions a world in which technology-mediated voice communications (such as telephone calls) are conceptually distinct from nonvoice communications (such as faxes, pager messages, and e-mail). To the limited extent that Congress acknowledged that data and voice might coexist in a single transaction, it did not anticipate the convergence of these two kinds of communications that is typical of today's telecommunications networks. With the advent of Multipurpose Internet Mail Extensions (MIME) and similar features, an e-mail may include one or more attachments consisting of any type of data, including voice recordings. As a result, a law enforcement officer seeking to obtain a suspect's unopened e-mail from an Internet Service Provider (ISP) by means of a search warrant had no way of knowing whether the inbox messages include voice attachments (i.e., wire communications), which could not be compelled using a search warrant. This situation necessitated changes to the existing wiretap procedures.

6.5.3 Changes to Wiretapping Procedures

An amendment was written that altered the way in which the wiretap statute and the ECPA apply to stored voice communications. The amendment deleted "electronic storage" of wire communications from the definition of "wire communication" and inserted language to ensure that stored wire communications are covered under the same rules as stored electronic communications. Thus, law enforcement can now obtain such communications using the procedures set out in Section 2703 (such as a search warrant) rather than those in the wiretap statute (such as a wiretap order). This provision will expire on December 31, 2005, unless Congress mandates otherwise.

6.5.4 Scope of Subpoenas for Electronic Evidence

The government must use a subpoena to compel a limited class of information, such as the customer's name, address, length of service, and means of payment under existing law. Before the amendments enacted with the USA Patriot Act, however, the list of records investigators could obtain with a subpoena did not include certain records (such as credit card number or other form of payment for the communication service) relevant to determining a customer's true identity. In many cases, users register with ISPs using false names. In order to hold these individuals responsible for criminal acts committed online, the method of payment is an essential means of determining true identity. Moreover, many of the definitions used within were technology-specific, relating primarily to telephone communications. For example, the list included "local and long distance telephone toll billing records," but did not include parallel terms for communications on computer networks, such as "records of session times and durations." Similarly, the previous list allowed the government to use a subpoena to obtain the customer's "telephone number or other subscriber number or identity," but did not define what that phrase meant in the context of Internet communications.

Amendments to existing law expanded the narrow list of records that law enforcement authorities could obtain with a subpoena. The new law includes "records of session times and durations," as well as "any temporarily assigned network address." In the Internet context, such records include the Internet Protocol (IP) address assigned by the provider to the customer or subscriber for a particular session, as well as the remote IP address from which a customer connects to the provider. Obtaining such records will make the process of identifying computer criminals and tracing their Internet communications faster and easier.

Moreover, the amendments clarify that investigators may use a subpoena to obtain the "means and source of payment" that a customer uses to pay for his or her account with a communications provider, "including any credit card or bank account number." In addition to being generally helpful, this information will prove particularly valuable in identifying users of Internet services where a company does not verify its users' biographical information.

6.5.5 Clarifying the Scope of the Cable Act

Previously, the law contained several different sets of rules regarding privacy protection of communications and their disclosure to law enforcement, one governing cable service, [6] one applying to the use of telephone service and Internet access, [7] and one called the pen register and trap and trace statute. [8] Before the amendments were enacted, the Cable Act set out an extremely restrictive system of rules governing law enforcement access to most records possessed by a cable company. For example, the Cable Act did not allow the use of subpoenas or even search warrants to obtain such records. Instead, the cable company had to provide prior notice to the customer (even if he or she were the target of the investigation), and the government had to allow the customer to appear in court with an attorney and then justify to the court the investigative need to obtain the records. The court could then order disclosure of the records only if it found by "clear and convincing evidence" (a standard greater than probable cause or even a preponderance of the evidence) that the subscriber was "reasonably suspected" of engaging in criminal activity. This procedure was completely unworkable for virtually any criminal investigation.

The restrictive nature of the Cable Act caused grave difficulties in criminal investigations because today, unlike in 1984 when Congress passed the act, many cable companies offer not only traditional cable programming services, but also Internet access and telephone service. In recent years, some cable companies have refused to accept subpoenas and court orders pursuant to the pen/trap statute and the ECPA, noting the seeming inconsistency of these statutes with the Cable Act's harsh restrictions. Treating identical records differently depending on the technology used to access the Internet made little sense. Moreover, these complications at times delayed or even ended important investigations.

When this restrictive legislation was amended in the USA Patriot Act, Congress clarified the matter, stating that the ECPA, the wiretap statute, and the pen/trap and trace statute all govern disclosures by cable companies that relate to the provision of communication services such as telephone and Internet service. The amendment preserves the act's primacy with respect to records revealing what ordinary cable television programming a customer chooses to purchase, such as particular premium channels or pay-per-view shows. Thus, in a case where a customer receives both Internet access and conventional cable television service from a single cable provider, a government entity can use legal process under the ECPA to compel the provider to disclose only those customer records relating to Internet service, but could not compel the cable company to disclose those records relating to viewer television usage of premium channels, adult channels, and so on.

6.5.6 Emergency Disclosures by Communications Providers

Previous law relating to voluntary disclosures by communication service providers was inadequate for law enforcement purposes in two respects. First, it contained no special provision allowing communications providers to disclose customer records or communications in emergencies. If, for example, an ISP independently learned that one of its customers was part of a conspiracy to commit an imminent terrorist attack, prompt disclosure of the account information to law enforcement could save lives. Because providing this information did not fall within one of the statutory exceptions, however, an ISP making such a disclosure could be sued in civil courts. Second, before the USA Patriot Act, the law did not expressly permit a provider to voluntarily disclose noncontent records (such as a subscriber's login records) to law enforcement for purposes of self-protection, even though providers could disclose the content of communications for this reason. Moreover, as a practical matter, communications service providers must have the right to disclose to law enforcement the facts surrounding attacks on their systems. For example, when an ISP's customer hacks into the ISP's network, gains complete control over an e-mail server, and reads or modifies the e-mail of other customers, the provider must have the legal ability to report the complete details of the crime to law enforcement.

The USA Patriot Act corrected both of these inadequacies. The law was changed to permit, but not require, a service provider to disclose to law enforcement either content or noncontent customer records in emergencies involving an immediate risk of death or serious physical injury to any person. This voluntary disclosure, however, does not create an affirmative obligation to review customer communications in search of such imminent dangers. The amendment here also changed the ECPA to allow providers to disclose information to protect their rights and property. All of these changes are scheduled to expire on December 31, 2005, unless Congress mandates otherwise.

6.5.7 Pen Register and Trap and Trace Statute

The pen register and trap and trace statute (the pen/trap statute) governs the prospective collection of noncontent traffic information associated with communications, such as the phone numbers dialed by a particular telephone. Section 216 of the USA Patriot Act updates the pen/trap statute in three important ways: (1) the amendments clarify that law enforcement may use pen/trap orders to trace communications on the Internet and other computer networks; (2) pen/trap orders issued by federal courts now have a nationwide effect; and (3) law enforcement authorities must file a special report with the court whenever they use a pen/trap order to install their own monitoring device on computers belonging to a public provider.

6.5.8 Intercepting Communications of Computer Trespassers

Under prior law, the wiretap statute allowed computer owners to monitor the activity on their machines to protect their rights and property. Until Section 217 of the USA Patriot Act was enacted, however, it was unclear whether computer owners could obtain the assistance of law enforcement in conducting such monitoring. This lack of clarity prevented law enforcement from assisting victims to take the natural and reasonable steps in their own defense that would be entirely legal in the physical world. In the physical world, burglary victims may invite the police into their homes to help them catch burglars in the act of committing their crimes. The wiretap statute should not block investigators from responding to similar requests in the computer context simply because the means of committing the burglary happen to fall within the definition of a "wire or electronic communication" according to the wiretap statute.

Because providers often lack the expertise, equipment, or financial resources required to monitor attacks themselves, they commonly have no effective way to exercise their rights to protect themselves from unauthorized attackers. This anomaly in the law created, as one commentator has noted, a "bizarre result," in which a "computer hacker's undeserved statutory privacy right trumps the legitimate privacy rights of the hacker's victims." To correct this problem, the amendments in Section 217 of the USA Patriot Act allow victims of computer attacks to authorize persons "acting under color of law" to monitor trespassers on their computer systems. Also added was a provision in which law enforcement may intercept the communications of a computer trespasser transmitted to, through, or from a protected computer. Before monitoring can occur, however, four requirements must be met:

  1. The owner or operator of the protected computer must authorize the interception of the trespasser's communications.

  2. The person who intercepts the communication must be lawfully engaged in an ongoing investigation. Both criminal and intelligence investigations qualify, but the authority to intercept ceases at the conclusion of the investigation.

  3. The person acting under color of law must have reasonable grounds to believe that the contents of the communication to be intercepted will be relevant to the ongoing investigation.

  4. Investigators may intercept only the communications sent or received by trespassers. Thus, this section would only apply where the configuration of the computer system allows the interception of communications to and from the trespasser and not the interception of nonconsenting users authorized to use the computer.

The USA Patriot Act created a definition of a "computer trespasser." Such trespassers include any person who accesses a protected computer without authorization. In addition, the definition explicitly excludes any person "known by the owner or operator of the protected computer to have an existing contractual relationship with the owner or operator for access to all or part of the computer." For example, certain Internet service providers do not allow their customers to send bulk unsolicited e-mails (or "spam"). Customers who send spam would be in violation of the provider's terms of service, but would not qualify as trespassers because they are authorized users and because they have an existing contractual relationship with the provider. These provisions will expire on December 31, 2005, unless Congress mandates otherwise.

6.5.9 Nationwide Search Warrants for E-Mail

Previous law required the government to use a search warrant to compel a communications or Internet service provider to disclose unopened e-mail less than six months old. Rule 41 of the Federal Rules of Criminal Procedure required that the "property" (the e-mails) to be obtained must be "within the district" of jurisdiction of the issuing court. For this reason, some courts had declined to issue warrants for e-mail located in other districts. Unfortunately, this refusal placed an enormous administrative burden on districts where major ISPs are located, such as the Eastern District of Virginia and the Northern District of California, even though these districts had no relationship with the criminal acts being investigated. In addition, requiring investigators to obtain warrants in distant jurisdictions slowed time-sensitive investigations.

The amendment added in the USA Patriot Act has changed this situation in order to allow investigators to use warrants to compel records outside of the district in which the court is located, just as they use federal grand jury subpoenas and orders. This change enables courts with jurisdiction over investigations to compel evidence directly, without requiring the intervention of agents, prosecutors, and judges in the districts where major ISPs are located. This provision will expire on December 31, 2005, unless Congress mandates otherwise.

6.5.10 Deterrence and Prevention of Cyberterrorism

Several changes were made in Section 814 of the USA Patriot Act that improve the Computer Fraud and Abuse Act. This section increases penalties for hackers who damage protected computers (from a maximum of 10 years to a maximum of 20 years). It clarifies the mens rea required for such offenses to make explicit that a hacker need only intend damage, not necessarily inflict a particular type of damage. It also adds a new offense for damaging computers used for national security or criminal justice purposes, and expands the coverage of the statute to include computers in foreign countries so long as there is an effect on U.S. interstate or foreign commerce. It now counts state convictions as prior offenses for the purpose of recidivist sentencing enhancements, and it allows losses to several computers from a hacker's course of conduct to be aggregated for purposes of meeting the $5,000 jurisdictional threshold. We discuss the most significant of these changes in the following sections.

Raising Maximum Penalty for Hackers

Under previous law, first-time offenders could be punished by no more than 5 years' imprisonment, whereas repeat offenders could receive up to 10 years. Certain offenders, however, can cause such severe damage to protected computers that this five-year maximum did not adequately take into account the seriousness of their crimes. For example, David Smith pled guilty to releasing the Melissa virus that damaged thousands of computers across the Internet. Although Smith agreed, as part of his plea, that his conduct caused more than $80 million worth of loss (the maximum dollar figure contained in the Sentencing Guidelines), experts estimate that the real loss was as much as 10 times that amount. Had the new laws been in effect at the time of Smith's sentencing, he would most likely have received a much harsher sentence.

Eliminating Mandatory Minimum Sentences

Previous law set a mandatory sentencing guideline of a minimum of six months' imprisonment for any violation of the Computer Fraud and Abuse Act, as well as for accessing a protected computer with the intent to defraud. Under new amendments in the USA Patriot Act, the maximum penalty for violations for damaging a protected computer increased to 10 years for first offenders and 20 years for repeat offenders. Congress chose, however, to eliminate all mandatory minimum guidelines sentencing for Section 1030 (Computer Fraud and Abuse Act) violations.

Hacker's Intent versus Degree of Damages

Under previous law, an offender had to "intentionally [cause] damage without authorization." Section 1030 of the Computer Fraud and Abuse Act defined "damage" as impairment to the integrity or availability of data, a program, a system, or information that met the following criteria:

  1. Caused loss of at least $5,000;

  2. Modified or impaired medical treatment;

  3. Caused physical injury; or

  4. Threatened public health or safety.

The question arose, however, whether an offender must intend the $5,000 loss or other special harm, or whether a violation occurs if the person only intends to damage the computer, which in fact ends up causing the $5,000 loss or harming the individuals. Congress never intended that the language contained in the definition of "damage" would create additional elements of proof of the actor's mental state. Moreover, in most cases, it would be almost impossible to prove this additional intent. Now, under new law, hackers need only intend to cause damage, not inflict a particular consequence or degree of damage. The new law defines "damage" to mean "any impairment to the integrity or availability of data, a program, a system or information." Under this clarified structure, in order for the government to prove a violation, it must show that the actor caused damage to a protected computer and that the actor's conduct caused either loss exceeding $5,000, impairment of medical records, harm to a person, or threat to public safety.

Aggregating Damage Caused by a Hacker

Previous law was unclear about whether the government could aggregate the loss resulting from damage an individual caused to different protected computers in seeking to meet the jurisdictional threshold of $5,000 in loss. For example, an individual could unlawfully access five computers on a network on 10 different dates, as part of a related course of conduct, but cause only $1,000 loss to each computer during each intrusion.

If previous law were interpreted not to allow aggregation, then that person would not have committed a federal crime at all because he or she had not caused more than $5,000 worth of damage to any particular computer. Under the new law, the government may now aggregate "loss resulting from a related course of conduct affecting one or more other protected computers" that occurs within a one-year period in proving the $5,000 jurisdictional threshold for damaging a protected computer.

Damaging Computers Used for National Security or Criminal Justice Purposes

Previously, the Computer Fraud and Abuse Act contained no special provisions that would enhance punishment for hackers who damage computers used in furtherance of the administration of justice, national defense, or national security. Thus federal investigators and prosecutors did not have jurisdiction over efforts to damage criminal justice and military computers where the attack did not cause more than $5,000 in loss (or meet one of the other special requirements). Yet these systems serve critical functions and merit felony prosecutions even where the damage is relatively slight. Furthermore, attacks on computers used in the national defense that occur during periods of active military engagement are particularly serious (even if they do not cause extensive damage or disrupt the war-fighting capabilities of the military) because they divert time and attention away from the military's proper objectives. Similarly, disruption of court computer systems and data could seriously impair the integrity of the criminal justice system. Under new provisions, a hacker violates federal law by damaging a computer "used by or for a government entity in furtherance of the administration of justice, national defense, or national security," even if that damage does not result in provable loss greater than $5,000.

"Protected Computer" and Computers in Foreign Countries

Before the law was changed, "protected computer" was defined as a computer used by the federal government or a financial institution, or one "which is used in interstate or foreign commerce." The definition did not explicitly include computers outside of the United States. Because of the interdependency and availability of global computer networks, hackers from within the United States are increasingly targeting systems located entirely outside of this country. The old statute did not explicitly allow for prosecution of such hackers. In addition, individuals in foreign countries frequently route communications through the United States, even as they hack from one foreign country to another. In such cases, their hope may be that the lack of any U.S. victim would either prevent or discourage U.S. law enforcement agencies from assisting in any foreign investigation or prosecution.

The USA Patriot Act amends the definition of "protected computer" to make clear that this term includes computers outside of the United States so long as they affect "interstate or foreign commerce or communication of the United States." By clarifying the fact that a domestic offense exists, the United States can now use speedier domestic procedures to join in international hacker investigations. Because these crimes often involve investigators and victims in more than one country, fostering international law enforcement cooperation is essential. In addition, the amendment creates the option of prosecuting such criminals in the United States. Because the United States is urging other countries to ensure that they can vindicate the interests of U.S. victims for computer crimes that originate in their nations, this provision will allow the United States to reciprocate in kind.

Counting State Convictions as "Prior Offenses"

Under previous law, the court at sentencing could, of course, consider the offender's prior convictions for state computer crime offenses. State convictions, however, did not trigger the recidivist sentencing provisions of the Computer Fraud and Abuse Act, which double the maximum penalties available under the statute.

The new law alters the definition of "conviction" so that it includes convictions for serious computer hacking crimes under state law (i.e., state felonies where an element of the offense is "unauthorized access, or exceeding authorized access, to a computer").

Definition of Loss

Calculating "loss" is important when the government seeks to prove that an individual caused more than $5,000 loss in order to meet the jurisdictional requirements found in the Computer Fraud and Abuse Act. Yet existing law had no definition of "loss." The only court to address the scope of the definition of "loss" adopted an inclusive reading of what costs the government may include. In United States v. Middleton, 231 F.3d 1207, 1210-11 (9th Cir. 2000), the court held that the definition of loss includes a wide range of harms typically suffered by the victims of computer crimes, including the costs of responding to the offense, conducting a damage assessment, restoring the system and data to their condition before the offense, and any lost revenue or costs incurred because of interruption of service. In the new law, the definition used in the Middleton case was adopted.

Development of Cybersecurity Forensic Capabilities

The USA Patriot Act requires the U.S. Attorney General to establish such regional computer forensic laboratories as he or she considers appropriate and to provide support for existing computer forensic laboratories to enable them to provide certain forensic and training capabilities. The provision also authorizes spending money to support those laboratories.




Wireless Operational Security
ISBN: 1555583172
EAN: 2147483647
Year: 2004
Pages: 153
