S. 2448 was first put on the agenda for consideration by this Committee on May 18th, the week before our May 25th hearing on the issue of cyber-security. Over the past five months, the Chairman has indicated that he wished to work with me and other colleagues to address some of the serious concerns we had with the first iteration of this bill as it was originally introduced.

I am pleased that we were able to reach a consensus and move forward with this legislation. Computer security and privacy are important issues for e-commerce and for our national security. This is twin-track progress against computer crime: more tools at the federal level and more resources for local computer crime law enforcement. The fact that this is a bipartisan effort is good for technology policy. I wish that Congress had also tackled online privacy in this session, but that will now be punted into the next congressional session. We must make it a priority next year.

Many of us have worked on these issues for years. In 1984, we passed the Computer Fraud and Abuse Act to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In 1994, the Violent Crime Control and Law Enforcement Act included the Computer Abuse Amendments which I authored to make illegal the intentional transmission of computer viruses.

In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met. In the 105th Congress, Senators Kyl and I also worked together on criminal copyright amendments that became law.

In this Congress, I have sponsored legislation with Senators DeWine and Abraham, the Computer Crime Enforcement Act, S. 1314, to set up a $25 million grant program within the U.S. Department of Justice for states to tap for improved education, training, enforcement and prosecution of computer crimes. This Committee at long last reported that uncontroversial, bipartisan bill on September 21st.

We need to be constantly vigilant to keep our computer crime laws up-to-date as an important backstop and deterrent. But we need to do so carefully to ensure that our efforts to help do not instead harm online commerce, security and privacy. I have expressed my concerns about provisions in the original bill introduced by Senators Hatch and Schumer, and the substitute amendment addresses or eliminates those problematic provisions.

As introduced, S. 2448 Would Have Over-Federalized Minor Computer Abuses. Currently, federal jurisdiction exists for a variety of computer crimes if, and only if, such criminal offenses result in at least $5,000 of aggregate damage or cause another specified injury, such as the impairment of medical treatment, physical injury to a person or a threat to public safety. S. 2448 would have eliminated the $5,000 jurisdictional threshold and thereby criminalized a variety of minor computer abuses, regardless of whether any significant harm results. As America Online correctly noted in a June, 2000 letter, “eliminating the $5,000 threshold for both criminal and civil violations would risk criminalizing a wide range of essentially benign conduct and engendering needless litigation....” Similarly, the Internet Alliance commented in a June, 2000 letter that “[c]omplete abolition of the limit will lead to needless federal prosecution of often trivial offenses that can be reached under state law. ...”

Specifically, the bill would amend 1030(a)(5)(A) (sending transmissions intending to cause damage), and 1030(a)(5)(B)(intentionally accessing computer and recklessly causing damage) and to eliminate the now-existing jurisdictional triggers and to criminalize as misdemeanors all such offenses, whether or not they cause $5,000 loss or other specified injury.

In my view, those provisions were overkill. Our federal laws do not need to reach each and every minor, inadvertent and harmless computer abuse – after all, each of the 50 states has its own computer crime laws. Rather, our federal laws need to reach those offenses for which federal jurisdiction is appropriate.

Prior Congresses have declined to over-federalize computer offenses and sensibly determined that not all computer abuses warrant federal criminal sanctions. When the computer crime law was first enacted in 1984, the House Judiciary Committee reporting the bill stated:

“the Federal jurisdictional threshold is that there must be $5,000 worth of benefit to the defendant or loss to another in order to concentrate Federal resources on the more substantial computer offenses that affect interstate or foreign commerce.” (H.Rep. 98-894, at p. 22, July 24, 1984).

Similarly, the Senate Judiciary Committee under the chairmanship of Senator Thurmond, rejected suggestions in 1986 that “the Congress should enact as sweeping a Federal statute as possible so that no computer crime is potentially uncovered.” (S. Rep. 99-432, at p. 4, September 3, 1986).

For example, if an overly-curious college sophomore checks a professor’s unattended computer to see what grade he is going to get and accidently deletes a file or a message, current Federal law does not make that conduct a crime. That conduct may be cause for discipline at the college, but not for the FBI to swoop in and investigate. Yet, under the original S. 2448, as introduced, this unauthorized access to the professor’s computer would have constituted a federal crime.

Let us look at another example of a teenage hacker, who plays a trick on a friend by modifying the friend’s vanity Web page. Under current law, no federal crime has occurred. Yet, under the original S. 2448, as introduced, this conduct would have constitutes a federal crime.

The Hatch-Leahy-Schumer substitute addresses those federalism concerns by retaining the $5,000 jurisdictional threshold in current law.

The substitute amendment makes other improvements to the original bill and current law, as summarized below.

+ The substitute amendment eliminates titles II, III, IV and V of the original bill about which various problems had been raised, and is limited to title I on “Cyber-hacking.”

+ The substitute eliminates a proposed change to the Computer Fraud and Abuse statute, 18 U.S.C. § 1030(a)(3) (prohibits intentional access without authorization to computers exclusively used by the government) that would have extended this prohibition to government employees. The result of such an extension would be that a federal worker who plays a computer game at work in violation of an agency rule and accidently puts a virus on the system would have ben subject to federal felony punishment. Rather than make such an ill-considered change, the substitute retains current law.

+Consistent with the changes to the Computer Fraud and Abuse statute, 18 U.S.C. § 1030(a)(5), originally proposed in the Leahy Internet Security Act, S. 2430, the substitute amendment (1) retains the $5,000 jurisdictional threshold for federal jurisdiction over garden variety computer crimes so that minor computer abuses are not federal crimes; (2) modifies the definitions of “damage” and “loss” to cover aggregated harm to multiple computers; and (3) limits civil damage actions for violations of this section to exclude actions for the negligent design or manufacture of computer hardware, software or firmware.

+With respect to juveniles, the substitute amendment eliminates a provision in the original bill that would have made a separate federal crime of using a juvenile to commit a computer crime. This proposed new crime would have been superfluous since a person who engages in such conduct would already be subject to enhanced penalties for using a minor. In addition, the substitute would permit federal prosecutors to try juveniles as juveniles in federal court for only the most serious felony computer crimes, rather than the proposal in the original bill that would have authorized such prosecutions against juveniles for any felony computer crime.

+The substitute amendment would allow a judge as part of the punishment for a defendant convicted of a computer crime to exercise his or her discretion to make the defendant ineligible for federal financial assistance to attend a post-secondary school, rather than the original proposal to make ineligibility for such financial assistance mandatory and to cover such educational assistance in prison.

+The substitute amendment would change current law, which imposes a 6-month mandatory minimum sentence for any conviction of the computer crime law, by eliminating that mandatory minimum term of incarceration for misdemeanor and non-serious felony computer crimes. While the Leahy bill, S. 2430, eliminated the mandatory minimum entirely, the substitute is an improvement over current law.

+The substitute would require the Attorney General to make the head of the Computer Crime and Intellectual Property (CCIP) section within the Justice Department’s Criminal Division a “Deputy Assistant Attorney General,” which is not a Senate-confirmed position, in order to highlight the increasing importance and profile of this position. This provision also includes an authorization of appropriations of $5,000,000 to CCIP. This authorization is consistent with an amendment I originally proposed, but was not accepted, to Sen. Specter’s FISA bill, S. 2089, reported by the Committee on May 23rd , and with a request I have made by letter, dated May 30th, for such an appropriation to be included in the CJS appropriations bill for fiscal year 2001.

+Finally, the substitute amendment authorizes $100,000,000 for the FBI to establish a “National Cyber Crime Technical Support Center” and ten regional computer forensic labs. This new authorization would complement the Leahy-DeWine computer crime grant bill, S. 1314, which authorizes $25,000,000 for forensic computer training for State and local law enforcement. That bill, S. 1314, was favorably reported by the Judiciary Committee last month.

Overall, the Hatch-Leahy-Schumer substitute amendment reflects a sound compromise. I regret that we were unable to make more progress on legislative efforts to safeguard our privacy from both private sector and government eavesdroppers and snoops, and look forward to that debate in next year.

# # # # #