20 December 2000: Add source and date of Kopel report.
19 December 2000: Add Congressional Record excerpts on Senate debate and text of Amendment 4366 to H.R. 46.
19 December 2000. Thanks to B.
The National Review
15 December 2000
By Dave Kopel of the Independence Institute
Congress may adjourn today but not before inflicting a series of blows on civil liberties and federalism. As is usual for end-of-the-session assaults on civil liberties, the plan is to speed the new laws through as attachments to some innocuous law, before most people in Congress have time to notice.
The only real chance for stopping this plan lies in House and Senate leadership (especially the House) being flooded with phone calls objecting to yet another sneak attack on the Bill of Rights.
At issue is H.R. 46, a seemingly harmless bill titled "Public Safety Medal of Valor." The bill sets up a federal board to award federal Medals of Valor to policemen, federal agents, and the like. But Congress, unlike many state legislatures, does not operate under a constitutional requirement that a bill's subject matter and title be the same. And it turns out that there's much more in this bill than just medals for firefighters. What the bill does is:
Expand federal asset forfeiture.
Provide special additional punishments for people who use encryption.
Federalize juvenile crimes, which are properly matters for state governments to address.
The House committee report on the bill, of course, only discusses medals for police officers and not any of the unrelated material which is being added in the closing hours of Congress. The unrelated, dangerous, material comes mostly from the never-passed H.R. 2448.
These new provisions were added to H.R. 46 on October 24, 2000, by the Senate. (See Congressional Record page 10913).
Section 304 of the "Medal of Valor" bill provides for "Criminal and Civil Forfeiture for Computer Fraud and Abuse." Although federal forfeiture laws have been partially reformed, they are still massively weighted in favor of the government, and allow the government to seize property from people who have never been convicted of a crime.
H.R. 46 would expand federal forfeiture law to include various computer crimes, and allow the forfeiture of any personal property used "to commit or to facilitate the commission of such violation." So the federal government could seize every computer you own, before you have even been charged let alone convicted of a computer crime.
Section 308 of the bill provides federal wiretapping authority over people suspected of committing various computer crimes allowing the interception of "wire, oral, and electronic communications relating to computer fraud and abuse." So if the federal government asks for a warrant (and wiretap warrants are almost never denied), not only could federal agents read your e-mail (an "electronic communication"), they could also put listening devices in every room in your house.
If a teenager were suspected of computer hacking (even hacking which caused no real damage, but which allegedly posed "a threat to public health"), then H.R. 46 would allow the government to wiretaps the parents' telephone. The average telephone wiretap results in the interception of 1,971 conversations, according to the Wiretap Report for 1999 (Published by the administrative office of the United States Courts).
Current federal wiretap authority stems from the Wiretap Act of 1968. President Lyndon B. Johnson was very concerned about the dangers of wiretapping--perhaps because he personally had ordered some abusive wiretaps; so the president opposed proposals to create federal wiretap power.
Eventually, he accepted the Wiretap Act as part of a larger compromise to allow passage of the Gun Control Act of 1968. Part of the compromise was that wiretap powers would be invoked only for certain enumerated and particularly dangerous offenses. These were crimes involving espionage, treason, violence, or organized crime.
Unfortunately, in the following three decades, the number of suspected offenses for which wiretapping is allowed has quadrupled, to over 100. Among these offenses are making false statements on student-loan applications or passport applications. 18 U.S.C. sec. 2516(1).
Now, H.R. 46 would expand wiretapping to include a wide variety of computer crimes, many of which are relatively minor.
Why Wiretaps Are Especially Dangerous
When the Fourth Amendment was written, the Founders expected that all searches and seizures would be controlled by an important type of checks and balances. Whenever a person was searched, he would know about the search; government agents would enter his home or business, look around, and take property away.
The victim of the search would necessarily know that he had been searched. He would have every incentive to use all legal means to ensure that the search was conducted properly, according to the warrant, and that the warrant itself was properly issued. After the search, he would be able to seek various forms of redress, including filing a lawsuit, if any part of the search had been improper.
Wiretaps, however, destroy this important check that safeguards the Fourth Amendment. Under current federal law, wiretaps-unlike every other kind of search-may be conducted in secret. 18 U.S.C. sec. 2518.
The law allows delay of months and sometimes-indefinite delay in notifying a person that she has been subjected to wiretaps. Thus, the most important element of the Fourth Amendment's checks and balances the desire of the person being searched to protect her privacy is eliminated.
Moreover, ordinary search warrants must specifically describe what will be searched for, and where the search will be conducted. So if the police are looking for a stolen car, they will check the garage, but not rummage through a person's bedroom drawers.
Wiretaps, in contrast, more closely resemble the Writs of Assistance, which provoked the American Revolution. When a wiretap is placed on a phone, the police listen to every conversation, since they cannot tell in advance whether the people will talk about a subject related to the wiretap warrant, or about something else.
Technically, the police are required to stop listening when they are sure that the conversation is not about the alleged crime involving the wiretap. But in practice, it is very difficult to ensure that this requirement is obeyed. Even the most conscientious police wiretapper cannot help overhearing many innocent conversations, since he cannot foresee what the parties will talk about. In recent years, there have been about two million innocent conservations per year overheard as a result of federal and state wiretaps, according to the Wiretap Report.
Unfortunately, while wiretaps are subject to fewer checks and balances than ordinary searches, they are considerably more invasive and destructive to security and privacy. Supreme Court Justice Louis Brandeis explained:
The evil incident to invasion of the privacy of the telephone is far greater than that involved in tampering with the mails. Whenever a telephone line is tapped, the privacy of the persons at both ends of the line is invaded, and all conversations between them upon any subject, and although proper, confidential, and privileged, may be overheard.
Moreover, the tapping of one man's telephone line involves the tapping of the telephone of every other person whom he may call, or who may call him. As a means of espionage, writs of assistance and general warrants are but puny instruments of tyranny and oppression when compared with wire-tapping. (Olmstead v. United States, 277 U.S. 438 (1928)(Brandeis, J., dissenting))
Earlier this year, the Clinton administration promised that there would be no more wiretapping bills until privacy reforms were enacted such as a requirement that the police have probable cause before obtaining cell-phone records which disclose your location. Nevertheless, H.R. 46 is moving forward, and contains nothing to improve privacy protection.
Special Punishment for Encryption
Section 310 provides enhanced (more severe) sentencing for computer criminals who use encryption. But as the ACLU points out, we don't provide extra punishment for burglars who wear gloves, or embezzlers who use paper shredders. So why provide extra punishment simply because a criminal uses encryption? The obviously answer, the ACLU notes, is because enhanced punishment "stigmatizes the use of encryption, suggesting that it is somehow worse to use this method to conceal a crime than to use other methods."
Federalizing Juvenile Crime
Although Congress nearly passed a mammoth bill in 1999 to federalize juvenile crime, the issue of juvenile justice (like most other criminal justice issues) is properly a matter for states. Section 306 of H.R. 46 would allow federal courts to hear juvenile delinquency cases involving alleged teenage computer criminals.
But there's no reason to believe that federal courts are better than state courts in dealing with 14-year-olds accused of hacking. Notably, every state has some kind of juvenile justice program, to provide appropriate treatment to rehabilitate juveniles.
The federal government does not. Besides, federal courts are already so overwhelmed with drug cases that there is no reason to burden them further with juvenile matters that belong in state court.
H.R. 46 required "unanimous consent." But the bill remains a threat under procedures which allow suspension of the rules, or as an attachment to the omnibus spending bill.
Thanks to S.
[Congressional Record: December 15, 2000 (Senate)] [Page S11886-S11890] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr15de00pt2-144] PUBLIC SAFETY OFFICER MEDAL OF VALOR ACT OF 2000 Mr. STEVENS. Mr. President, I ask unanimous consent that the Judiciary Committee be discharged from further consideration of H.R. 46 and the Senate proceed to its immediate consideration. The PRESIDING OFFICER. Without objection, it is so ordered. The clerk will report the bill by title. The assistant legislative clerk read as follows: A bill (H.R. 46) to provide a national medal for public safety officers who act with extraordinary valor above and beyond the call of duty. There being no objection, the Senate proceeded to consider the bill. Mr. LEAHY. Mr. President, today we consider three bipartisan measures offered together as a package: the Public Safety Officer Medal of Valor Act, H.R. 46; the Computer Crime Enforcement Act, which I introduced as S. 1314, on July 1, 1999, with Senator DeWine and is now also co- sponsored by Senators Robb, Hatch and Abraham; and a Hatch-Leahy- Schumer ``Internet Security Act'' amendment. I thank my colleagues for their hard work on these pieces of legislation, each of which I will discuss in turn. I support the Public Safety Officer Medal of Valor Act. I cosponsored the Stevens bill, S. 39, to establish a Public Safety Medal of Valor. In April and May, 1999, I made sure that the Senate acted on Senator Stevens' bill, S. 39. On April 22, 1999, the Senate Judiciary Committee took up that measure in regular order and reported it unanimously. At that time I congratulated Senator Stevens and thanked him for his leadership. I noted that we had worked together on a number of law enforcement matters and that the senior Senator from Alaska is a stalwart supporter of the men and women who put themselves at risk to protect us all. I said that I looked forward to enactment of this measure and to seeing the extraordinary heroism of our police, firefighters and correctional officers recognized with the Medal of Valor. On May 18, 1999, I was privileged to be on the floor of the Senate when we proceeded to consider S. 39 and passed it unanimously. I took that occasion to commend Senator Stevens and all who had worked so hard to move this measure in a timely way. That was over one year ago, during National Police Week last year. The measure was sent to the House where it lay dormant for the rest of last year and most of this one. The President of the United States came to Capitol Hill to speak at the Law Enforcement Officers Memorial Service on May 15, 2000, and said on that occasion that if Congress would not act on the Medal of Valor, he was instructing the Attorney General to explore ways to award such recognition by Executive action. Unfortunately, these calls for action did not waken the House from its slumber on this matter and the House of Representatives refused to pass the Senate-passed Medal of Valor bill. Instead, over the past year, the House has insisted that the Senate take up, fix and pass the House-passed version of this measure if it is to become law. House members have indicated that they are now prepared to accept most of the Senate-passed text, but insist that it be enacted under the House bill number. In order to get this important measure to the President, that is what we are doing today. We are discharging the House-passed version of that bill, H.R. 46, from the Judiciary Committee, adopting a complete substitute, and sending it back to the House. I have worked with Senator Hatch, Senator Stevens and others to perfect the final version of this bill. We have crafted bipartisan improvements to ensure that the Medal of Valor Board will worked effectively and efficiently with the National Medal of Valor Office within the Department of Justice. Our legislation establishes both of these entities and it is essential that they work well together to design the Medal of Valor and to create the criteria and procedures for recommendations of nominees for the award. The men and women who will be honored by the Medal of Valor for their brave deeds deserve nothing less. The information age is filled with unlimited potential for good, but it also creates a variety of new challenges for law enforcement. A recent survey by the FBI and the Computer Security Institute found that 62 percent of information security professionals reported computer security breaches in the past year. These breaches in computer security resulted in financial losses of more than $120 million from fraud, theft of [[Page S11887]] information, sabotage, computer viruses, and stolen laptops. Computer crime has become a multi-billion dollar problem. Many of us have worked on these issues for years. In 1984, we passed the Computer Fraud and Abuse Act to criminalize conduct when carried out by means of unauthorized access to a computer. In 1986, we passed the Electronic Communications Privacy Act (ECPA), which I was proud to sponsor, to criminalize tampering with electronic mail systems and remote data processing systems and to protect the privacy of computer users. In 1994, the Violent Crime Control and Law Enforcement Act included the Computer Abuse Amendments which I authored to make illegal the intentional transmission of computer viruses. In the 104th Congress, Senators Kyl, Grassley and I worked together to enact the National Information Infrastructure Protection Act to increase protection under federal criminal law for both government and private computers, and to address an emerging problem of computer-age blackmail in which a criminal threatens to harm or shut down a computer system unless their extortion demands are met. In the 105th Congress, Senators Kyl and I also worked together on criminal copyright amendments that became law to enhance the protection of copyrighted works online. The Congress must be constantly vigilant to keep the law up-to-date with technology. The Computer Crime Enforcement Act, S. 1314, and the Hatch-Leahy-Schumer ``Internet Security Act'' amendment are part of that ongoing effort. These complementary pieces of legislation reflect twin-track progress against computer crime: More tools at the federal level and more resources for local computer crime enforcement. The fact that this is a bipartisan effort is good for technology policy. But make no mistake about it: even with passage of this legislation, there is more work to be done--both to assist law enforcement and to safeguard the privacy and other important constitutional rights of our citizens. I wish that the Congress had also tackled online privacy in this session, but that will now be punted into the next congressional session. The legislation before us today does not attempt to resolve every issue. For example, both the Senate and the House held hearings this session about the FBI's Carnivore program. Carnivore is a computer program designed to advance criminal investigations by capturing information in Internet communications pursuant to court orders. Those hearings sparked a good debate about whether advances in technology, like Carnivore, require Congress to pass new legislation to assure that our private Internet communications are protected from government over- reaching while protecting the government's right to investigate crime. I look forward to our discussion of these privacy issues in the next Congress. The Computer Crime Enforcement Act is intended to help states and local agencies in fighting computer crime. All 50 states have now enacted tough computer crime control laws. They establish a firm groundwork for electronic commerce, an increasingly important sector of the nation's economy. Unfortunately, too many state and local law enforcement agencies are struggling to afford the high cost of enforcing their state computer crime statutes. Earlier this year, I released a survey on computer crime in Vermont. My office surveyed 54 law enforcement agencies in Vermont--43 police departments and 11 State's attorney offices--on their experience investigating and prosecuting computer crimes. The survey found that more than half of these Vermont law enforcement agencies encounter computer crime, with many police departments and state's attorney offices handling 2 to 5 computer crimes per month. Despite this documented need, far too many law enforcement agencies in Vermont cannot afford the cost of policing against computer crimes. Indeed, my survey found that 98 percent of the responding Vermont law enforcement agencies do not have funds dedicated for use in computer crime enforcement. My survey also found that few law enforcement officers in Vermont are properly trained in investigating computer crimes and analyzing cyber-evidence. According to my survey, 83 percent of responding law enforcement agencies in Vermont do not employ officers properly trained in computer crime investigative techniques. Moreover, my survey found that 52 percent of the law enforcement agencies that handle one or more computer crimes per month cited their lack of training as a problem encountered during investigations. Without the necessary education, training and technical support, our law enforcement officers are and will continue to be hamstrung in their efforts to crack down on computer crimes. I crafted the Computer Crime Enforcement Act, S. 1314, to address this problem. The bill would authorize a $25 million Department of Justice grant program to help states prevent and prosecute computer crime. Grants under our bipartisan bill may be used to provide education, training, and enforcement programs for local law enforcement officers and prosecutors in the rapidly growing field of computer criminal justice. Our legislation has been endorsed by the Information Technology Association of America and the Fraternal Order of Police. This is an important bipartisan effort to provide our state and local partners in crime-fighting with the resources they need to address computer crime. The Internet Security Act of 2000 makes progress to ensure that we are properly dealing with the increase in computer crime. I thank and commend Senators Hatch and Schumer for working with me and other Members of the Judiciary Committee to address some of the serious concerns we had with the first iteration of their bill, S. 2448, as it was originally introduced. Specifically, as introduced, S. 2448 would have over-federalized minor computer abuses. Currently, federal jurisdiction exists for a variety of computer crimes if, and only if, such criminal offenses result in at least $5,000 of damage or cause another specified injury, including the impairment of medical treatment, physical injury to a person or a threat to public safety. S. 2448, as introduced, would have eliminated the $5,000 jurisdictional threshold and thereby criminalized a variety of minor computer abuses, regardless of whether any significant harm resulted. For example, if an overly-curious college sophomore checks a professor's unattended computer to see what grade he is going to get and accidently deletes a file or a message, current Federal law does not make that conduct a crime. That conduct may be cause for discipline at the college, but not for the FBI to swoop in and investigate. Yet, under the original S. 2448, as introduced, this unauthorized access to the professor's computer would have constituted a federal crime. Another example is that of a teenage hacker, who plays a trick on a friend by modifying the friend's vanity Web page. Under current law, no federal crime has occurred. Yet, under the original S. 2448, as introduced, this conduct would have constituted a federal crime. As America Online correctly noted in a June, 2000 letter, ``eliminating the $5,000 threshold for both criminal and civil violations would risk criminalizing a wide range of essentially benign conduct and engendering needless litigation. . . .'' Similarly, the Internet Alliance commented in a June, 2000 letter that ``[c]omplete abolition of the limit will lead to needless federal prosecution of often trivial offenses that can be reached under state law. . . .'' Those provisions were overkill. Our federal laws do not need to reach each and every minor, inadvertent and harmless computer abuse--after all, each of the 50 states has its own computer crime laws. Rather, our federal laws need to reach those offenses for which federal jurisdiction is appropriate. Prior Congresses have declined to over-federalize computer offenses as originally proposed in S. 2448, as introduced, and sensibly determined that not all computer abuses warrant federal criminal sanctions. When the computer crime law was first enacted in 1984, the House Judiciary Committee reporting the bill stated: The Federal jurisdictional threshold is that there must be $5,000 worth of benefit to the defendant or loss to another in order to concentrate Federal resources on the more substantial computer offenses that affect [[Page S11888]] interstate or foreign commerce. (H.Rep. 98-894, at p. 22, July 24, 1984). Similarly, the Senate Judiciary Committee under the chairmanship of Senator Thurmond, rejected suggestions in 1986 that ``the Congress should enact as sweeping a Federal statute as possible so that no computer crime is potentially uncovered.'' (S. Rep. 99-432, at p. 4, September 3, 1986). The Hatch-Leahy-Schumer substitute amendment to S. 2448, which was reported unanimously by the Judiciary Committee on October 5th, addresses those federalism concerns by retaining the $5,000 jurisdictional threshold in current law. That Committee-reported substitute amendment, with the additional refinements reflected in the Hatch-Leahy-Schumer Internet Security Act amendment to H.R. 46, which the Senate considers today, makes other improvements to the original bill and current law, as summarized below. First, titles II, III, IV and V of the original bill, S. 2448, about which various problems had been raised, are eliminated. For example, title V of the original bill would have authorized the Justice Department to enter into Mutual Legal Assistance Treaties (MLAT) with foreign governments that would allow the Attorney General broad discretion to investigate lawful conduct in the U.S. at the request of foreign governments without regard to whether the conduct investigated violates any Federal computer crime law. In my view, that discretion was too broad and troubling. Second, the amendment includes an authorization of appropriations of $5 million to the Computer Crime and Intellectual Property (CCIP) section within the Justice Department's Criminal Division and requires the Attorney General to make the head of CCIP a ``Deputy Assistant Attorney General,'' which is not a Senate-confirmed position, in order to highlight the increasing importance and profile of this position. This authorized funding level is consistent with an amendment I sponsored and circulated to Members of the Judiciary Committee to improve S. 2448 and am pleased to see it incorporated into the Internet Security Act amendment to H.R. 46. Third, the amendment modifies section 1030 of title 18, United States Code, in several important ways, including providing for increased and enhanced penalties for serious violations of federal computer crime laws, clarifying the definitions of ``loss'' to ensure that the full costs to a hacking victim are taken into account and of ``protected computer'' to facilitate investigations of international computer crimes affecting the United States, and preserving the existing $5,000 threshold and other jurisdictional prerequisites for violations of section 1030(a)(5)--i.e., no Federal crime has occurred unless the conduct (1) causes loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value, (2) impairs the medical care of another person, (3) causes physical injury to another person, (4) threatens public health or safety, or (5) causes damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security. The amendment clarifies the precise elements of the offense the government must prove in order to establish a violation by moving these prerequisites from the current definition of ``damage'' to the description of the offense. In addition, the amendment creates a new category of felony violations where a hacker causes damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security. Currently, the Computer Fraud and Abuse Act provides for federal criminal penalties for those who intentionally access a protected computer or cause an unauthorized transmission to a protected computer and cause damage. ``Protected computer'' is defined to include those that are ``used in interstate or foreign commerce.'' See 18 U.S.C. 1030(e)(2)(B). The amendment would clarify the definition of ``protected computer'' to ensure that computers which are used in interstate or foreign commerce but are located outside of the United States are included within the definition of ``protected computer'' when those computers are used in a manner that affects interstate or foreign commerce or communication of this country. This will ensure that our government will be able to conduct domestic investigations and prosecutions against hackers from this country who hack into foreign computer systems and against those hacking though the United States to other foreign venues. Moreover, by clarifying the fact that a domestic offense exists, the United States will be able to use speedier domestic procedures in support of international hacker cases, and create the option of prosecuting such criminals in the United States. The amendment also adds a definition of ``loss'' to the Computer Fraud and Abuse Act. Current law defines the term ``damage'' to include impairment of the integrity or availability of data, programs, systems or information causing a ``loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.'' See 18 U.S.C. Sec. 1030(e)(8)(A). The new definition of ``loss'' to be added as section 1030(e)(11) will ensure that the full costs to victims of responding to hacking offenses, conducting damage assessments, restoring systems and data to the condition they were in before an attack, as well as lost revenue and costs incurred because of an interruption in service, are all counted. This statutory definition is consistent with the definition of ``loss'' appended by the U.S. Sentencing Commission to the Federal Sentencing Guidelines (see U.S.S.G. Sec. 2B1.1 Commentary, Application note 2), and will help reconcile procedures by which prosecutors value loss for charging purposes and by which judges value loss for sentencing purposes. Getting this type of true accounting of ``loss'' is important because loss amounts can be used to calculate restitution and to determine the appropriate sentence for the perpetrator under the sentencing guidelines. Fourth, section 303(e) of the Hatch-Leahy-Schumer Internet Security Act amendment to H.R. 46 clarifies the grounds for obtaining damages in civil actions for violations of the Computer Fraud and Abuse Act. Current law authorizes a person who suffers ``damage or loss'' from a violation of section 1030 to sue the violator for compensatory damages or injunctive or other equitable relief, and limits the remedy to ``economic damages'' for violations ``involving damage as defined in subsection (e)(8)(A),'' relating to violations of 1030(a)(5) that cause loss aggregating at least $5,000 during any 1-year period. Current law does not contain a definition of ``loss,'' which is being added by this amendment. To take account of both the new definition of ``loss'' and the incorporation of the requisite jurisdictional thresholds into the description of the offense (rather than the current definition of ``damage''), the amendment to subsection (g) makes several changes. First, the amendment strikes the reference to subsection (e)(8)(A) in the current civil action provision and retains Congress' previous intent to allow civil plaintiffs only economic damages for violations of section 1030(a)(5) that do not also affect medical treatment, cause physical injury, threaten public health and safety or affect computer systems used in furtherance of the administration of justice, the national defense or national security. Second, the amendment clarifies that civil actions under section 1030, and not just 1030(a)(5), are limited to conduct that involves one of the factors enumerated in new subsection (a)(5)(B), namely, the conduct (1) causes loss to 1 or more persons during any 1-year period aggregating at least $5,000 in value, (2) impairs the medical care of another person, (3) causes physical injury to another person, (4) threatens public health or safety, or (5) causes damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security. This clarification is consistent with judicial constructions of the statute, requiring proof of the $5,000 loss threshold as a prerequisite for civil suit, for example, under subsection 1030(a)(2)(C). See, e.g., America Online, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444, 450 (E.D. Va. 1998) (court granted summary judgment on claim under 1030(a)(2)(C), stating, ``[p]laintiff asserts that as a result of defendants' actions, it suffered damages exceeding $5,000, the statutory threshold requirement''). [[Page S11889]] While proof of ``loss'' is required, this amendment preserves current law that civil enforcement of certain violations of section 1030 is available without requiring proof of ``damage,'' which is defined in the amendment to mean ``any impairment to the integrity or availability of data, a program, a system, or information.'' In fact, only subsection 1030(a)(5) requires proof of ``damage''; civil enforcement of other subsections of this law may proceed without such proof. Thus, only the factors enumerated in new subsection (a)(5)(B), and not its introductory language referring to conduct described in subsection (a)(5)(A), constitute threshold requirements for civil suits for violations of section 1030 other than subsection 1030(a)(5). Finally, the amendment adds a new sentence to subsection 1030(g) clarifying that civil actions may not be brought ``for the negligent design or manufacture of computer hardware, computer software, or firmware.'' The Congress provided this civil remedy in the 1994 amendments to the Act, which I originally sponsored with Senator Gordon Humphrey, to enhance privacy protection for computer communications and the information stored on computers by encouraging institutions to improve computer security practices, deterring unauthorized persons from trespassing on computer systems of others, and supplementing the resources of law enforcement in combating computer crime. [See The Computer Abuse Amendments Act of 1990: Hearing Before the Subcomm. On Technology and the Law of the Senate Comm. On the Judiciary, 101st Cong., 2nd Sess., S. Hrg. 101-1276, at pp. 69, 88, 92 (1990); see also Statement of Senator Humphrey, 136 Cong. Rec. S18235 (1990) (``Given the Government's limited capacity to pursue all computer crime cases, the existence of this limited civil remedy will serve to enhance deterrence in this critical area.'')]. The ``new, civil remedy for those harmed by violations of the Computer Fraud and Abuse Act'' was intended to ``boost the deterrence of the statute by allowing aggrieved individuals to obtain relief.'' [S. Rep. No. 101-544, 101st Cong., 2d Sess., p. 6-7 (1990); see also Statement of Senator Leahy, 136 Cong. Rec. S18234 (1990)]. We certainly and expressly did not want to ``open the floodgates to frivolous litigation.'' [Statement of Senator Leahy, 136 Cong. Rec. S4614 (1990)]. At the time the civil remedy provision was added to the Computer Fraud and Abuse Act, this Act contained no prohibition against negligently causing damage to a computer through unauthorized access, reflected in current law, 18 U.S.C. Sec. 1030(a)(5)(C). That prohibition was added only with subsequent amendments made in 1996, as part of the National Information Infrastructure Protection Act. Nevertheless, the civil remedy has been interpreted in some cases to apply to the negligent manufacture of computer hardware or software. See, e.g., Shaw v. Toshiba America Information Systems, Inc., NEC, 91 F.Supp. 2d 926 (E.D. TX 1999) (court interpreted the term transmission to include sale of computers with a minor design defect). The Hatch-Leahy-Schumer Internet Security Act amendment to subsection 1030(g) is intended to ensure that the civil remedy is a robust option for private enforcement actions, while limiting its applicability to negligence cases that are more appropriately governed by contractual warranties, state tort law and consumer protection laws. Fifth, sections 304 and 309 of the Hatch-Leahy-Schumer Internet Security Act amendment to H.R. 46 authorize criminal forfeiture of computers, equipment, and other personal property used to violate the Computer Fraud and Abuse Act, as well as real and personal property derived from the proceeds of computer crime. Property, both real and personal, which is derived from proceeds traceable to a violation of section 1030, is currently subject to both criminal and civil forfeiture. See 18 U.S.C. Sec. 981(a)(1)(C) and 982(a)(2)(B). Thus, the amendment would clarify in section 1030 itself that forfeiture applies and extend the application of forfeiture to property that is used or intended to be used to commit or to facilitate the commission of a computer crime. In addition, to deter and prevent piracy, theft and counterfeiting of intellectual property, the section 309 of the amendment allows forfeiture of devices, such as replicators or other devices used to copy or produce computer programs to which counterfeit labels have been affixed. The criminal forfeiture provision in section 304 specifically states that only the ``interest of such person,'' referring to the defendant who committed the computer crime, is subject to forfeiture. Moreover, the criminal forfeiture authorized by Sections 304 and 309 is made expressly subject to Section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970, but subsection (d) of section 413 is expressly exempted from application to Section 304 and 309. That subsection (d) creates a rebuttable presumption of forfeiture in favor of the government where a person convicted of a felony acquired the property during the period that the crime was committed or within a reasonable time after such period and there was no likely source for such property other than the criminal violation. Thus, by making subsection (d) inapplicable, Sections 304 and 309 make it more difficult for the government to prove that the property should be forfeited. Sixth, unlike the version reported by the Judiciary Committee, the amendment does not require that prior delinquency adjudications of juveniles for violations of the Computer Fraud and Abuse Act be counted under the definition of ``conviction'' for purposes of enhanced penalties. This is an improvement that I urged since juvenile adjudications simply are not criminal convictions. Juvenile proceedings are more informal than adult prosecutions and are not subject to the same due process protections. Consequently, counting juvenile adjudications as a prior conviction for purposes of the recidivist sanctions under the amendment would be unduly harsh and unfair. In any event, prior juvenile delinquency adjudications are already subject to sentencing enhancements under certain circumstances under the Sentencing Guidelines. See, e.g., U.S.S.G. Sec. 411.2(d) (upward adjustments in sentences required for each juvenile sentence to confinement of at least sixty days and for each juvenile sentence imposed within five years of the defendant's commencement of instant offense). Seventh, the amendment changes a current directive to the Sentencing Commission enacted as section 805 of the Antiterrorism and Effective Death Penalty Act of 1996, P.L. 104-132, that imposed a 6-month mandatory minimum sentence for any conviction of the sections 1030(a)(4) or (a)(5) of title 18, United States code. The Administration has noted that ``[i]n some instances, prosecutors have exercised their discretion and elected not to charge some defendants whose actions otherwise would qualify them for prosecution under the statute, knowing that the result would be mandatory imprisonment.'' Clearly, mandatory imprisonment is not always the most appropriate remedy for a federal criminal violation, and the ironic result of this ``get tough'' proposal has been to discourage prosecutions that might otherwise have gone forward. The amendment eliminates that mandatory minimum term of incarceration for misdemeanor and less serious felony computer crimes. Eighth, section 310 of the amendment directs the Sentencing Commission to review and, where appropriate, adjust sentencing guidelines for computer crimes to address a variety of factors, including to ensure that the guidelines provide sufficiently stringent penalties to deter and punish persons who intentionally use encryption in connection with the commission or concealment of criminal acts. The Sentencing Guidelines already provide for enhanced penalties when persons obstruct or impede the administration of justice, see U.S.S.G. Sec. 3C1.1, or engage in more than minimal planning, see U.S.S.G. Sec. 2B1.1(b)(4)(A). As the use of encryption technology becomes more widespread, additional guidance from the Sentencing Commission would be helpful to determine the circumstances when such encryption use would warrant a guideline adjustment. For example, if a defendant employs an encryption product that works automatically and transparently with a telecommunications service or software product, an enhancement for use of encryption may not be appropriate, while the deliberate use of [[Page S11890]] encryption as part of a sophisticated and intricate scheme to conceal criminal activity and make the offense, or its extent, difficult to detect, may warrant a guideline enhancement either under existing guidelines or a new guideline. Ninth, the Hatch-Leahy-Schumer Internet Security Act amendment to H.R. 46 would eliminate certain statutory restrictions on the authority of the United States Secret Service ("Secret Service''). Under current law, the Secret Service is authorized to investigate offenses under six designated subsections of 18 U.S.C. Sec. 1030, subject to agreement between the Secretary of the Treasury and the Attorney General: subsections (a)(2)(A) (illegally accessing a computer and obtaining financial information); (a)(2)(B) (illegally accessing a computer and obtaining information from a department or agency of the United States); (a)(3) (illegally accessing a non-public computer of a department or agency of the United States either exclusively used by the United States or used by the United States and the conduct affects that use by or for the United States); (a)(4) (accessing a protected computer with intent to defraud and thereby furthering the fraud and obtaining a thing of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in a one-year period); (a)(5) (knowingly causing the transmission of a program, information, code or command and thereby intentionally and without authorization causing damage to a protected computer; and illegally accessing a protected computer and causing damage recklessly or otherwise); and (a)(6) (trafficking in a password with intent to defraud). Under current law, the Secret Service is not authorized to investigate offenses under subsection (a)(1) (accessing a computer and obtaining information relating to national security with reason to believe the information could be used to the injury of the United States or to the advantage of a foreign nation and willfully retaining or transmitting that information or attempting to do so); (a)(2)(C) (illegally accessing a protected computer and obtaining information where the conduct involves an interstate or foreign communication); and (a)(7) (transmitting a threat to damage a protected computer with intent to extort). The Internet Security Act removes these limitations on the authority of the Secret Service and authorizes the Secret Service to investigate any offense under Section 1030 relating to its jurisdiction under 18 U.S.C. Sec. 3056 and subject to agreement between the Secretary of the Treasury and the Attorney General. This provision also makes clear that the FBI retains primary authority to investigate offenses under subsection 1030(a)(1). Prior to 1996 amendments to the Computer Fraud and Abuse Act, the Secret Service was authorized to investigate all violations of Section 1030. According to the 1996 Committee Reports of the 104th Congress, 2nd Session, the 1996 amendments attempted to concentrate the Secret Service's jurisdiction on certain subsections considered to be within the Secret Service's traditional jurisdiction and not grant authority in matters with a national security nexus. According to the Administration, which first proposed the elimination of these statutory restrictions in connection with transmittal of its comprehensive crime bill, the ``21st Century Law Enforcement and Public Safety Act,'' however, these specific enumerations of investigative authority ``have the potential to complicate investigations and impede interagency cooperation.'' (See Section-by-section Analysis, SEC. 3082, for ``21st Century Law Enforcement and Public Safety Act''). The current restrictions, for example, risk hindering the Secret Service from investigating ``hacking'' into White House computers or investigating threats against the President that may be delivered by such a ``hacker,'' and fulfilling its mission to protect financial institutions and the nation's financial infrastructure. The provision thus modifies existing law to restore the Secret Service's authority to investigate violations of Section 1030, leaving it to the Departments of Treasury and Justice to determine between them how to allocate workload and particular cases. This arrangement is consistent with other jurisdictional grants of authority to the Secret Service. See, e.g., 18 U.S.C. Sec. Sec. 1029(d), 3056(b)(3). Tenth, section 307 of the Hatch-Leahy-Schumer Internet Security Act amendment would provide an additional defense to civil actions relating to preserving records in response to government requests. Current law authorizes civil actions and criminal liability for unauthorized interference with or disclosures of electronically stored wire or electronic communications under certain circumstances. 18 U.S.C. Sec. Sec. 2701, et seq. A provision of that statutory scheme makes clear that it is a complete defense to civil and criminal liability if the person or entity interfering with or attempting to disclose a communication does so in good faith reliance on a court warrant or order, grand jury subpoena, legislative or statutory authorization. 18 U.S.C. Sec. 2707(e)(1). Current law, however, does not address one scenario under which a person or entity might also have a complete defense. A provision of the same statutory scheme currently requires providers of wire or electronic communication services and remote computing services, upon request of a governmental entity, to take all necessary steps to preserve records and other evidence in its possession for a renewal period of 90 days pending the issuance of a court order or other process requiring disclosure of the records or other evidence. 18 U.S.C. Sec. 2703(f). Section 2707(e)(1), which describes the circumstances under which a person or entity would have a complete defense to civil or criminal liability, fails to identify good faith reliance on a governmental request pursuant to Section 2703(f) as another basis for a complete defense. Section 307 modifies current law by addressing this omission and expressly providing that a person or entity who acts in good faith reliance on a governmental request pursuant to Section 2703(f) also has a complete defense to civil and criminal liability. Finally, the bill authorizes construction and operation of a National Cyber Crime Technical Support Center and 10 regional computer forensic labs that will provide education, training, and forensic examination capabilities for State and local law enforcement officials charged with investigating computer crimes. The section authorizes a total of $100 million for FY 2001, of which $20 million shall be available solely for the 10 regional labs and would complement the state computer crime grant bill, S. 1314, with which this bill is offered. Amendment No. 4366 (Purpose: To enhance computer crime enforcement and Internet security, and for other purposes) Mr. STEVENS. Mr. President, Senator Hatch has an amendment which is at the desk. The PRESIDING OFFICER. The clerk will report. The assistant legislative clerk read as follows: The Senator from Alaska [Mr. Stevens], for Mr. Hatch, proposes an amendment numbered 4366. (The text of the amendment is printed in today's Record under ``Amendments Submitted.'') Mr. STEVENS. Mr. President, I ask unanimous consent that the amendment be agreed to. The PRESIDING OFFICER. Without objection, it is so ordered. The amendment (No. 4366) was agreed to. Mr. STEVENS. Mr. President, I ask unanimous consent that the bill, as amended, be read the third time and passed, the motion to reconsider be laid upon the table, the amendment to the title be agreed to, and any statements relating to the bill be printed in the Record. The PRESIDING OFFICER. Without objection, it is so ordered. The bill (H.R. 46), as amended, was read the third time and passed. The title was amended so as to read: To provide a national medal for public safety officers who act with extraordinary valor above and beyond the call of duty, to enhance computer crime enforcement and Internet security, and for other purposes. ____________________ -------------------------------------------------------------------------- [Congressional Record: December 15, 2000 (Senate)] [Page S11931-S11936] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] [DOCID:cr15de00pt2-204] AMENDMENTS SUBMITTED PUBLIC SAFETY OFFICER MEDAL OF VALOR ACT OF 1999 ______ HATCH AMENDMENT NO. 4366 Mr. STEVENS (for Mr. Hatch) proposed an amendment to the bill (H.R. 46) to provide for a national medal for public safety officers who act with extraordinary valor above and beyond the call of duty; as follows: Strike all after the enacting clause and insert the following: TITLE I--PUBLIC SAFETY MEDAL OF VALOR SECTION 101. SHORT TITLE. This title may be cited as the ``Public Safety Officer Medal of Valor Act of 2000''. SEC. 102. AUTHORIZATION OF MEDAL. After September 1, 2001, the President may award, and present in the name of Congress, a Medal of Valor of appropriate design, with ribbons and appurtenances, to a public safety officer who is cited by the Attorney General, upon the recommendation of the Medal of Valor Review Board, for extraordinary valor above and beyond the call of duty. The Public Safety Medal of Valor shall be the highest national award for valor by a public safety officer. SEC. 103. MEDAL OF VALOR BOARD. (a) Establishment of Board.--There is established a Medal of Valor Review Board [[Page S11932]] (hereinafter in this title referred to as the ``Board''), which shall be composed of 11 members appointed in accordance with subsection (b) and shall conduct its business in accordance with this title. (b) Membership.-- (1) Members.--The members of the Board shall be individuals with knowledge or expertise, whether by experience or training, in the field of public safety, of which-- (A) two shall be appointed by the majority leader of the Senate; (B) two shall be appointed by the minority leader of the Senate; (C) two shall be appointed by the Speaker of the House of Representatives; (D) two shall be appointed by the minority leader of the House of Representatives; and (E) three shall be appointed by the President, including one with experience in firefighting, one with experience in law enforcement, and one with experience in emergency services. (2) Term.--The term of a Board member shall be 4 years. (3) Vacancies.--Any vacancy in the membership of the Board shall not affect the powers of the Board and shall be filled in the same manner as the original appointment. (4) Operation of the board.-- (A) Chairman.--The Chairman of the Board shall be elected by the members of the Board from among the members of the Board. (B) Meetings.--The initial meeting of the Board shall be conducted within 90 days of the appointment of the last member of the Board. Thereafter, the Board shall meet at the call of the Chairman of the Board. The Board shall meet not less often than twice each year. (C) Voting and rules.--A majority of the members shall constitute a quorum to conduct business, but the Board may establish a lesser quorum for conducting hearings scheduled by the Board. The Board may establish by majority vote any other rules for the conduct of the Board's business, if such rules are not inconsistent with this title or other applicable law. (c) Duties.--The Board shall select candidates as recipients of the Medal of Valor from among those applications received by the National Medal Office. Not more often than once each year, the Board shall present to the Attorney General the name or names of those it recommends as Medal of Valor recipients. In a given year, the Board shall not be required to select any recipients but may not select more than 5 recipients. The Attorney General may in extraordinary cases increase the number of recipients in a given year. The Board shall set an annual timetable for fulfilling its duties under this title. (d) Hearings.-- (1) In general.--The Board may hold such hearings, sit and act at such times and places, administer such oaths, take such testimony, and receive such evidence as the Board considers advisable to carry out its duties. (2) Witness expenses.--Witnesses requested to appear before the Board may be paid the same fees as are paid to witnesses under section 1821 of title 28, United States Code. The per diem and mileage allowances for witnesses shall be paid from funds appropriated to the Board. (e) Information From Federal Agencies.--The Board may secure directly from any Federal department or agency such information as the Board considers necessary to carry out its duties. Upon the request of the Board, the head of such department or agency may furnish such information to the Board. (f) Information To Be Kept Confidential.--The Board shall not disclose any information which may compromise an ongoing law enforcement investigation or is otherwise required by law to be kept confidential. SEC. 104. BOARD PERSONNEL MATTERS. (a) Compensation of Members.--(1) Except as provided in paragraph (2), each member of the Board shall be compensated at a rate equal to the daily equivalent of the annual rate of basic pay prescribed for level IV of the Executive Schedule under section 5315 of title 5, United States Code, for each day (including travel time) during which such member is engaged in the performance of the duties of the Board. (2) All members of the Board who serve as officers or employees of the United States, a State, or a local government, shall serve without compensation in addition to that received for those services. (b) Travel Expenses.--The members of the Board shall be allowed travel expenses, including per diem in lieu of subsistence, at rates authorized for employees of agencies under subchapter I of chapter 57 of title 5, United States Code, while away from their homes or regular places of business in the performance of service for the Board. SEC. 105. DEFINITIONS. In this title: (1) Public safety officer.--The term ``public safety officer'' means a person serving a public agency, with or without compensation, as a firefighter, law enforcement officer, or emergency services officer, as determined by the Attorney General. For the purposes of this paragraph, the term ``law enforcement officer'' includes a person who is a corrections or court officer or a civil defense officer. (2) State.--The term ``State'' means each of the several States of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands. SEC. 106. AUTHORIZATION OF APPROPRIATIONS. There are authorized to be appropriated to the Attorney General such sums as may be necessary to carry out this title. SEC. 107. NATIONAL MEDAL OF VALOR OFFICE. There is established within the Department of Justice a national medal of valor office. The office shall provide staff support to the Board to establish criteria and procedures for the submission of recommendations of nominees for the Medal of Valor and for the final design of the Medal of Valor. SEC. 108. CONFORMING REPEAL. Section 15 of the Federal Fire Prevention and Control Act of 1974 (15 U.S.C. 2214) is amended-- (1) by striking subsection (a) and inserting the following new subsection (a): ``(a) Establishment.--There is hereby established an honorary award for the recognition of outstanding and distinguished service by public safety officers to be known as the Secretary's Award For Distinguished Public Safety Service (`Secretary's Award').''; (2) in subsection (b)-- (A) by striking paragraph (1); and (B) by striking ``(2)''; (3) by striking subsections (c) and (d) and redesignating subsections (e), (f), and (g) as subsections (c), (d), and (e), respectively; and (4) in subsection (c), as so redesignated-- (A) by striking paragraph (1); and (B) by striking ``(2)''. SEC. 109. CONSULTATION REQUIREMENT. The Board shall consult with the Institute of Heraldry within the Department of Defense regarding the design and artistry of the Medal of Valor. The Board may also consider suggestions received by the Department of Justice regarding the design of the medal, including those made by persons not employed by the Department. TITLE II--COMPUTER CRIME ENFORCEMENT SEC. 201. SHORT TITLE. This title may be cited as the ``Computer Crime Enforcement Act''. SEC. 202. STATE GRANT PROGRAM FOR TRAINING AND PROSECUTION OF COMPUTER CRIMES. (a) In General.--Subject to the availability of amounts provided in advance in appropriations Acts, the Office of Justice Programs shall make a grant to each State, which shall be used by the State, in conjunction with units of local government, State and local courts, other States, or combinations thereof, to-- (1) assist State and local law enforcement in enforcing State and local criminal laws relating to computer crime; (2) assist State and local law enforcement in educating the public to prevent and identify computer crime; (3) assist in educating and training State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multijurisdictional task forces. (b) Use of Grant Amounts.--Grants under this section may be used to establish and develop programs to-- (1) assist State and local law enforcement in enforcing State and local criminal laws relating to computer crime; (2) assist State and local law enforcement in educating the public to prevent and identify computer crime; (3) educate and train State and local law enforcement officers and prosecutors to conduct investigations and forensic analyses of evidence and prosecutions of computer crime; (4) assist State and local law enforcement officers and prosecutors in acquiring computer and other equipment to conduct investigations and forensic analysis of evidence of computer crimes; and (5) facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer crimes with State and local law enforcement officers and prosecutors, including the use of multijurisdictional task forces. (c) Assurances.--To be eligible to receive a grant under this section, a State shall provide assurances to the Attorney General that the State-- (1) has in effect laws that penalize computer crime, such as penal laws prohibiting-- (A) fraudulent schemes executed by means of a computer system or network; (B) the unlawful damaging, destroying, altering, deleting, removing of computer software, or data contained in a computer, computer system, computer program, or computer network; or (C) the unlawful interference with the operation of or denial of access to a computer, computer program, computer system, or computer network; (2) an assessment of the State and local resource needs, including criminal justice resources being devoted to the investigation and enforcement of computer crime laws; and [[Page S11933]] (3) a plan for coordinating the programs funded under this section with other federally funded technical assistant and training programs, including directly funded local programs such as the Local Law Enforcement Block Grant program (described under the heading ``Violent Crime Reduction Programs, State and Local Law Enforcement Assistance'' of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 (Public Law 105-119)). (d) Matching Funds.--The Federal share of a grant received under this section may not exceed 90 percent of the costs of a program or proposal funded under this section unless the Attorney General waives, wholly or in part, the requirements of this subsection. (e) Authorization of Appropriations.-- (1) In general.--There is authorized to be appropriated to carry out this section $25,000,000 for each of fiscal years 2001 through 2004. (2) Limitations.--Of the amount made available to carry out this section in any fiscal year not more than 3 percent may be used by the Attorney General for salaries and administrative expenses. (3) Minimum amount.--Unless all eligible applications submitted by any State or unit of local government within such State for a grant under this section have been funded, such State, together with grantees within the State (other than Indian tribes), shall be allocated in each fiscal year under this section not less than 0.75 percent of the total amount appropriated in the fiscal year for grants pursuant to this section, except that the United States Virgin Islands, American Samoa, Guam, and the Northern Mariana Islands each shall be allocated 0.25 percent. (f) Grants to Indian Tribes.--Notwithstanding any other provision of this section, the Attorney General may use amounts made available under this section to make grants to Indian tribes for use in accordance with this section. TITLE III--INTERNET SECURITY SEC. 301. SHORT TITLE. This title may be cited as the ``Internet Security Act of 2000''. SEC. 302. DEPUTY ASSISTANT ATTORNEY GENERAL FOR COMPUTER CRIME AND INTELLECTUAL PROPERTY. (a) Establishment of Position.--(1) Chapter 31 of title 28, United States Code, is amended by inserting after section 507 the following new section: ``Sec. 507a. Deputy Assistant Attorney General for Computer Crime and Intellectual Property ``(a) The Attorney General shall appoint a Deputy Assistant Attorney General for Computer Crime and Intellectual Property. ``(b) The Deputy Assistant Attorney General shall be the head of the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice. ``(c) The duties of the Deputy Assistant Attorney General shall include the following: ``(1) To advise Federal prosecutors and law enforcement personnel regarding computer crime and intellectual property crime. ``(2) To coordinate national and international law enforcement activities relating to combatting computer crime. ``(3) To provide guidance and assistance to Federal, State, and local law enforcement agencies and personnel, and appropriate foreign entities, regarding responses to threats of computer crime and cyber-terrorism. ``(4) To serve as the liaison of the Attorney General to the National Infrastructure Protection Center (NIPC), the Department of Defense, the National Security Agency, and the Central Intelligence Agency on matters relating to computer crime. ``(5) To coordinate training for Federal, State, and local prosecutors and law enforcement personnel on laws pertaining to computer crime. ``(6) To propose and comment upon legislation concerning computer crime, intellectual property crime, encryption, electronic privacy, and electronic commerce, and concerning the search and seizure of computers. ``(7) Such other duties as the Attorney General may require, including duties carried out by the head of the Computer Crime and Intellectual Property Section of the Department of Justice as of the date of the enactment of the Internet Security Act of 2000.''. (2) The table of sections at the beginning of such chapter is amended by inserting after the item relating to section 507 the following new item: ``507a. Deputy Assistant Attorney General for Computer Crime and Intellectual Property.''. (b) First Appointment to Position of Deputy Assistant Attorney General.--(1) The individual who holds the position of head of the Computer Crime and Intellectual Property Section (CCIPS) of the Department of Justice as of the date of the enactment of this title shall act as the Deputy Assistant Attorney General for Computer Crime and Intellectual Property under section 507a of title 28, United States Code, until the Attorney General appoints an individual to hold the position of Deputy Assistant Attorney General for Computer Crime and Intellectual Property under that section. (2) The individual first appointed as Deputy Assistant Attorney General for Computer Crime and Intellectual Property after the date of the enactment of this title may be the individual who holds the position of head of the Computer Crime and Intellectual Property Section of the Department of Justice as of that date. (c) Authorization of Appropriations for CCIPS.--There is hereby authorized to be appropriated for the Department of Justice for fiscal year 2001, $5,000,000 for the Computer Crime and Intellectual Property Section of the Department for purposes of the discharge of the duties of the Deputy Assistant Attorney General for Computer Crime and Intellectual Property under section 507a of title 28, United States Code (as so added), during that fiscal year. SEC. 303. DETERRENCE AND PREVENTION OF FRAUD, ABUSE, AND CRIMINAL ACTS IN CONNECTION WITH COMPUTERS. (a) Clarification of Protection of Protected Computers.-- Subsection (a)(5) of section 1030 of title 18, United States Code, is amended-- (1) by inserting ``(i)'' after ``(A)''; (2) by redesignated subparagraphs (B) and (C) as clauses (ii) and (iii), respectively, of subparagraph (A); (3) by adding ``and'' at the end of clause (iii), as so redesignated; and (4) by adding at the end the following new subparagraph: ``(B) whose conduct described in clause (i), (ii), or (iii) of subparagraph (A) caused (or, in the case of an attempted offense, would, if completed, have caused)-- ``(i) loss to 1 or more persons during any 1-year period (including loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value; ``(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals; ``(iii) physical injury to any person; ``(iv) a threat to public health or safety; or ``(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;''. (b) Protection from Extortion.--Subsection (a)(7) of that section is amended by striking ``, firm, association, educational institution, financial institution, governmental entity, or other legal entity,''. (c) Penalties.--Subsection (c) of that section is amended-- (1) in paragraph (2)-- (A) in subparagraph (A)-- (i) by inserting ``except as provided in subparagraph (B),'' before ``a fine''; (ii) by striking ``(a)(5)(C)'' and inserting ``(a)(5)(A)(iii)''; and (iii) by striking ``and'' at the end; (B) in subparagraph (B), by inserting ``or an attempt to commit an offense punishable under this subparagraph,'' after ``subsection (a)(2),'' in the matter preceding clause (i); and (C) in subparagraph (C), by striking ``and'' at the end; (2) in paragraph (3)-- (A) by striking ``, (a)(5)(A), (a)(5)(B),'' both places it appears; and (B) by striking ``(a)(5)(C)'' and inserting ``(a)(5)(A)(iii)''; and (3) by adding at the end the following new paragraph: ``(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under this subparagraph; ``(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under this subparagraph; and ``(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under this subparagraph, that occurs after a conviction for another offense under this section.''. (d) Definitions.--Subsection (e) of that section is amended-- (1) in paragraph (2)(B), by inserting ``, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States'' before the semicolon; (2) in paragraph (7), by striking ``and'' at the end; (3) by striking paragraph (8) and inserting the following new paragraph (8): ``(8) the term `damage' means any impairment to the integrity or availability of data, a program, a system, or information;'' (4) in paragraph (9), by striking the period at the end and inserting a semicolon; and (5) by adding at the end the following new paragraphs: ``(10) the term `conviction' shall include a conviction under the law of any State for a crime punishable by imprisonment for more than 1 year, an element of which is unauthorized access, or exceeding authorized access, to a computer; ``(11) the term `loss' means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service; and ``(12) the term `person' means any individual, firm, corporation, educational institution, financial institution, governmental entity, or legal or other entity.''. (e) Damages in Civil Actions.--Subsection (g) of that section is amended-- [[Page S11934]] (1) by striking the second sentence and inserting the following new sentences: ``A suit for a violation of this section may be brought only if the conduct involves one of the factors enumerated in clauses (i) through (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages.''; and (2) by adding at the end the following new sentence: ``No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.''. SEC. 304. CRIMINAL FORFEITURE FOR COMPUTER FRAUD AND ABUSE. Section 1030 of title 18, United States Code, as amended by section 303 of this Act, is further amended-- (1) by redesignating subsection (h) as subsection (i); and (2) by inserting after subsection (g) the following new subsection (h): ``(h)(1) The court, in imposing sentence on any person convicted of a violation of this section, shall order, in addition to any other sentence imposed and irrespective of any provision of State law, that such person forfeit to the United States-- ``(A) the interest of such person in any personal property that was used or intended to be used to commit or to facilitate the commission of such violation; and ``(B) any property, whether real or personal, constituting or derived from any proceeds that such person obtained, whether directly or indirectly, as a result of such violation. ``(2) The criminal forfeiture of property under this subsection, any seizure and disposition thereof, and any administrative or judicial proceeding relating thereto, shall be governed by the provisions of section 413 of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853), except subsection (d) of that section.''. SEC. 305. ENHANCED COORDINATION OF FEDERAL AGENCIES. Subsection (d) of section 1030 of title 18, United States Code, is amended to read as follows: ``(d)(1) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section relating to its jurisdiction under section 3056 of this title and other statutory authorities. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General. ``(2) The Federal Bureau of Investigation shall have primary authority to investigate offenses under subsection (a)(1) for any cases involving espionage, foreign counterintelligence, information protected against unauthorized disclosure for reasons of national defense or foreign relations, or Restricted Data (as that term is defined in section 11 y. of the Atomic Energy Act of 1954 (42 U.S.C. 2014(y)), except for offenses affecting the duties of the United States Secret Service pursuant to section 3056(a) of this title.''. SEC. 306. ADDITIONAL DEFENSE TO CIVIL ACTIONS RELATING TO PRESERVING RECORDS IN RESPONSE TO GOVERNMENT REQUESTS. Section 2707(e)(1) of title 18, United States Code, is amended by inserting after ``or statutory authorization'' the following: ``(including a request of a governmental entity under section 2703(f) of this title)''. SEC. 307. FORFEITURE OF DEVICES USED IN COMPUTER SOFTWARE COUNTERFEITING AND INTELLECTUAL PROPERTY THEFT. (a) In General.--Section 2318(d) of title 18, United States Code, is amended-- (1) by inserting ``(1)'' before ``When''; (2) in paragraph (1), as so designated, by inserting ``, and of any replicator or other device or thing used to copy or produce the computer program or other item to which the counterfeit labels have been affixed or which were intended to have had such labels affixed'' before the period; and (3) by adding at the end the following: ``(2) The forfeiture of property under this section, including any seizure and disposition of the property, and any related judicial or administrative proceeding, shall be governed by the provisions of section 413 (other than subsection (d) of that section) of the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. 853).''. (b) Conforming Amendment.--Section 492 of such title is amended in the first undesignated paragraph by striking ``or 1720,'' and inserting ``, 1720, or 2318''. SEC. 308. SENTENCING DIRECTIVES FOR COMPUTER CRIMES. (a) Amendment of Sentencing Guidelines Relating to Certain Computer Crimes.--Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines and, if appropriate, shall promulgate guidelines or policy statements or amend existing policy statements to address-- (1) the potential and actual loss resulting from an offense under section 1030 of title 18, United States Code (as amended by this title); (2) the level of sophistication and planning involved in such an offense; (3) the growing incidence of offenses under such subsections and the need to provide an effective deterrent against such offenses; (4) whether or not such an offense was committed for purposes of commercial advantage or private financial benefit; (5) whether or not the defendant involved a juvenile in the commission of such an offense; (6) whether or not the defendant acted with malicious intent to cause harm in committing such an offense; (7) the extent to which such an offense violated the privacy rights of individuals harmed by the offense; and (8) any other factor the Commission considers appropriate in connection with any amendments made by this title with regard to such subsections. (b) Amendment of Sentencing Guidelines Relating to Certain Computer Fraud and Abuse.--Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines to ensure that any individual convicted of a violation of section 1030(a)(5)(A)(ii) or 1030(a)(5)(A)(iii) of title 18, United States Code (as amended by section 303 of this Act), can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment. (c) Amendment of Sentencing Guidelines Relating to Use of Encryption.--Pursuant to its authority under section 994(p) of title 28, United States Code, the United States Sentencing Commission shall amend the Federal sentencing guidelines and, if appropriate, shall promulgate guidelines or policy statements or amend existing policy statements to ensure that the guidelines provide sufficiently stringent penalties to deter and punish persons who intentionally use encryption in connection with the commission or concealment of criminal acts sentenced under the guidelines. (d) Emergency Authority.--The Commission may promulgate the guidelines or amendments provided for under this section in accordance with the procedures set forth in section 21(a) of the Sentencing Act of 1987, as though the authority under that Act had not expired. SEC. 309. ASSISTANCE TO FEDERAL, STATE, AND LOCAL COMPUTER CRIME ENFORCEMENT AND ESTABLISHMENT OF NATIONAL CYBER CRIME TECHNICAL SUPPORT CENTER. (a) National Cyber Crime Technical Support Center.-- (1) Construction required.--The Director of the Federal Bureau of Investigation shall provide for the construction and equipping of the technical support center of the Federal Bureau of Investigation referred to in section 811(a)(1)(A) of the Antiterrorism and Effective Death Penalty Act of 1996 (Public Law 104-132; 110 Stat. 1312; 28 U.S.C. 531 note). (2) Naming.--The technical support center constructed and equipped under paragraph (1) shall be known as the ``National Cyber Crime Technical Support Center''. (3) Functions.--In addition to any other authorized functions, the functions of the National Cyber Crime Technical Support Center shall be-- (A) to serve as a centralized technical resource for Federal, State, and local law enforcement and to provide technical assistance in the investigation of computer-related criminal activities; (B) to assist Federal, State, and local law enforcement in enforcing Federal, State, and local criminal laws relating to computer-related crime; (C) to provide training and education for Federal, State, and local law enforcement personnel regarding investigative technologies and forensic analyses pertaining to computer- related crime; (D) to conduct research and to develop technologies for assistance in investigations and forensic analyses of evidence related to computer-related crimes; (E) to facilitate and promote efficiencies in the sharing of Federal law enforcement expertise, investigative technologies, and forensic analysis pertaining to computer- related crime with State and local law enforcement personnel, prosecutors, regional computer forensic laboratories, and multijurisdictional computer crime task forces; and (F) to carry out such other activities as the Director considers appropriate. (b) Development and Support of Computer Forensic Activities.--The Director shall, in consultation with the heads of other Federal law enforcement agencies, take appropriate actions to develop at least 10 regional computer forensic laboratories, and to provide support, education, and assistance for existing computer forensic laboratories, in order that such computer forensic laboratories have the capability-- (1) to provide forensic examinations with respect to seized or intercepted computer evidence relating to criminal activity; (2) to provide training and education for Federal, State, and local law enforcement personnel and prosecutors regarding investigations, forensic analyses, and prosecutions of computer-related crime; (3) to assist Federal, State, and local law enforcement in enforcing Federal, State, and local criminal laws relating to computer-related crime; (4) to facilitate and promote the sharing of Federal law enforcement expertise and information about the investigation, analysis, and prosecution of computer-related crime with State and local law enforcement personnel and prosecutors, including the use of multijurisdictional task forces; and (5) to carry out such other activities as the Attorney General considers appropriate. (c) Authorization of Appropriations.-- (1) Authorization.--There is hereby authorized to be appropriated for fiscal year [[Page S11935]] 2001, $100,000,000 for purposes of carrying out this section, of which $20,000,000 shall be available solely for activities under subsection (b). (2) Availability.--Amounts appropriated pursuant to the authorization of appropriations in paragraph (1) shall remain available until expended. Amend the title to read as follows: ``To provide a national medal for public safety officers who act with extraordinary valor above and beyond the call of duty, to enhance computer crime enforcement and Internet security, and for other purposes.''. ______