Criminal Justice Section
Criminal Justice Magazine
Volume 17 Issue 2
Computer Crimes and the USA PATRIOT Act
By Ellen S. Podgor
"Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" is the full title of the USA PATRIOT Act (Patriot Act), but the content appears to go far beyond fighting terrorism. This is particularly true with respect to computer crimes.
Discussions of the Patriot Act seldom focus on the effect this legislation will have in fighting computer crime. People either express delight at law enforcement’s increased ability to use surveillance tools like roving wiretaps or they lament the decrease in civil liberties resulting from new monitoring now permitted under this Act.
Yet within the Patriot Act are important changes that will increase prosecutorial power in fighting computer crimes. Specifically, the Act references the Computer Fraud and Abuse Act (18 U.S.C. § 1030) with both procedural and substantive changes that may significantly influence future prosecutions. There are also changes that will make it easier for law enforcement to investigate computer crimes. Although many changes speak to fighting terrorism and specifically cyberterrorism, the title and purpose of the Patriot Act are the only apparent limits to these modifications. As such, the statutory changes are likely to extend beyond these titles to include acts of fraud, identity theft, and other activities that are common forms of computer crimes. Some of the new procedural changes are permanent; however, lacking congressional action, some changes will expire under sunset provisions on December 31, 2005.
Although not directly focused on computer crimes, the Patriot Act includes changes to several procedural-related statutes that are likely to aid in prosecuting computer-related activity. For example, under certain circumstances grand jury information can now be shared and customer records can be disclosed. These procedural enhancements are not directly tied to computer crimes, but are likely to assist law enforcement in investigating and prosecuting them.
Prior to the Patriot Act, Internet service providers were limited in their ability to provide information to law enforcement. The Act expands the circumstances under which service providers can now notify law enforcement of suspicious information, as, for example, when the service provider "reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay."
In addition to generic changes, the Patriot Act contains two procedural modifications that directly focus on computer activity. First, it specifically adds felony acts related to the Computer Fraud and Abuse Act in the list of predicates that can serve as the basis for receiving authority to intercept wire, oral, and electronic communications. A second procedural change that directly targets computer crimes is found in a section that authorizes the interception of computer trespasser communications.
With the permission of the owner or operator of a "protected computer," a term defined in the computer fraud statute, law enforcement may now intercept communications to and from the computer trespasser when the "person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation." A new statutory provision specifically defines "computer trespassers." This provision will likely increase law enforcement’s role in hacking cases.
The Act recognizes the need to increase computer tools for investigating cybercrime. Section 816 of the Patriot Act—titled the "Development and Support of Cybersecurity Forensic Capabilities"—calls for the U.S. attorney general to establish regional computer forensic laboratories. These laboratories are for "training and educating" "federal, state, and local law enforcement" in their investigations of computer crimes. It appears from the wording of this section that these new investigative tools are not limited to cyberterrorism, but are meant to cover all computer-related crime.
The Patriot Act also increases the types of law enforcement individuals who may now be a part of investigations for some computer crimes. Prior to the new legislation, the Secret Service was allowed to participate in some, but not all, of the investigations of different computer offenses listed within the Computer Fraud and Abuse Act. As a result of the new law, the investigative powers of the Secret Service are extended to include all offenses within the computer fraud and abuse statute. Primary authority, however, is provided to the Federal Bureau of Investigation for offenses such as those related to espionage and foreign intelligence (18 U.S.C. § 1030(d)(2)).
There are several substantive criminal law changes within the Patriot Act that are directly related to the prosecution of computer crimes. These can be found in sections pertaining to money laundering, defining the federal crime of terrorism, and revising the computer fraud statute.
Money laundering.One of the key money laundering statutes, 18 U.S.C. § 1956, finds a new, specified unlawful activity in its addition of crimes related to computer fraud and abuse under 18 U.S.C. § 1030. This section in the USA Patriot Act does not limit the money laundering charges to cases of terrorism or to specific provisions within the computer fraud and abuse statute. It merely includes this new form of a specified unlawful activity by name and statute number, without placing any limits on what type of computer activity can form the basis of a specified unlawful activity for purposes of money laundering. This means that we may now see money-laundering charges as an additional count in some indictments that were previously limited to charges of computer fraud.
Defining computer crimes as acts of terrorism.The definition of terrorism has been a subject of significant international debate, but from a domestic perspective the term is defined in 18 U.S.C. § 2332(b) (acts of terrorism transcending national boundaries). The second part of the definition relies upon criminal violations that are specifically listed in the statute. Prior to the Patriot Act, computer crimes were not among the offenses upon which a charge of terrorism could be based. Now terrorism can now be premised upon some of the conduct provisions within the computer fraud and abuse statute. The fact that all types of computer criminality listed in the Computer Fraud and Abuse Act are not included in the Patriot Act demonstrates that there was an effort made to limit the definition of computer terrorism to acts involving espionage and cyberterrorism. Acts that recklessly cause damage, or just cause damage, will not be a sufficient basis for claiming that it constitutes terrorism. To meet the definition of terrorism, a computer crime will require that the action be knowingly committed and the damage intentional. The fact that Congress decided to include certain computer crimes as acts of terrorism is an indication that cyberterrorism is a concern of the highest magnitude.
Revising the computer fraud statute. Since Congress passed the Computer Fraud and Abuse Statute (18 U.S.C. § 1030) in 1984, there have been several amendments to its language. As it exists today, it provides for the prosecution of seven different types of computer-related conduct. The different forms of conduct listed in the statute each specify a mens rea and basis for jurisdiction. Some of the different activities covered by this statute are electronic espionage, intentionally accessing a computer without authorization, browsing in a government computer, acts of theft from protected computers, trafficking in passwords, and extortion conduct related to computers. The substance of many of these provisions remains unchanged by the Patriot Act.
The Patriot Act does, however, include several modifications to 18 U.S.C. § 1030. The changes are in section 814 of the Patriot Act, titled "Deterrence and Prevention of Cyberterrorism." These modifications relate to the scope of the statute, definitions, and penalties. There are also technical modifications that concern the structure of the statute. Some of these changes are far removed from terrorism concerns. For example, there is an amendment to the civil provisions of the computer fraud and abuse statute that now excludes civil actions based upon "negligent design or manufacture of computer hardware, computer software, or firmware."
The following looks at some of the key changes that the Patriot Act makes to the Computer Fraud and Abuse Act. A description of other provisions can be found in the U.S. Department of Justice Computer Crime and Intellectual Property Section’s Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001 (www.cybercrime.gov/PatriotAct.htm).
Among the changes include the fact that the government can now prosecute extraterritorial computer crimes. One modification expands the scope of the statute and is found in a section that redefines a "protected computer" to include those that are located outside the United States. This language provides extraterritorial jurisdiction whenever the term "protected computer" is used in the statute. Surprisingly, however, it does not limit extraterritoriality to acts of national security or terrorism. As such, computer acts involving acts of fraud that are unrelated to terrorism may be the subject of a United States prosecution even when the computer is located outside the country. It is only required that the protected computer be "used in a manner that affects interstate or foreign commerce or communication of the United States."
In light of the breadth of this new provision, particularly since computer activity operates worldwide, courts may need to consider whether this new provision is applied in keeping with international law. The Restatement (Third) of Foreign Relations Law § 403 lists considerations that one can use in determining the reasonableness of the jurisdiction to prescribe. If prosecutors decide to pursue extraterritorial prosecutions, issues of comity may be at the forefront of the discussion.
The Act also redefines "damage" and "loss." Prior to the Patriot Act, the definition of "damage" included four possible circumstances, such as causing loss aggregating to $5,000 in a year, causing physical injury to any person, and threatening public health and safety. These have been relocated as part of the substantive crime under section (a)(5), which involves "the transmission of a program, information, code, or command" or "intentionally accessing of a protected computer without authorization." The Patriot Act adds another element to the list of conduct upon which action can be premised: "damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security." "Damage," a term still listed in the definition section of this statute, is defined as "any impairment to the integrity or ability of data, a program, a system, or information."
The net result of this amendment is that prosecutors will now have to prove the result of the conduct as opposed to relying on a jury instruction that merely defines damage as one of four possibilities. They will, however, have an added basis for proceeding when the result is related to national security or defense. Although this provision appears to be in keeping with the focus of the Act—to stop terrorism—the fact that it includes computer systems "used by or for a government entity in furtherance of the administration of justice" can have far-reaching effects that go well beyond what is commonly considered terrorism. Court interpretations may prove helpful here in reining in this language.
Prosecutors may have an easier road in proving "loss," a term that is now specifically defined within the statute. Loss now includes "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." The breadth of this definition will probably make it relatively easy for prosecutors to meet the $5,000 required level.
The Patriot Act greatly increases the penalties for those who cause damage to protected computers. These penalties are not restricted to completed offenses, but rather include attempts. It is now possible that a first-time offender, who intentionally causes damage, will receive a penalty of 10 years, and a repeat offender, who either intentionally or recklessly causes damage, will receive a penalty of 20 years. Additionally, one can become a repeat offender as a result of a state conviction that exceeds a year and involves "unauthorized access, or exceeding unauthorized access, to a computer." The Patriot Act also includes an "[a]mendment of sentencing guidelines relating to certain computer fraud and abuse," that instructs the U.S. Sentencing Commission to adjust the guidelines "to ensure that any individual convicted of a violation of section 1030 title 18, United States Code, can be subjected to appropriate penalties, without regard to any mandatory minimum term of imprisonment."
There is nothing new or shocking about the fact that many of the provisions in the Patriot Act have no direct relevance to terrorism, cyberterrorism, or protection of the government or individuals from future acts like those experienced on September 11. It is common that congressional acts include provisions with no relevance to the main purpose and title of the act. What may be unique here are the speed at which the Patriot Act was passed and the purpose for the haste. One wonders whether it was necessary, in light of these extenuating circumstances, to include provisions with far-reaching effects beyond terrorism.
With new investigative tools, relaxed procedural requirements, and extended substantive crimes, it is likely that computer prosecutions will reach a higher level than has been seen in the past. It is also likely that many of these new provisions will open the door to questions that will require judicial interpretation. With technology proceeding at a pace that is faster than the laws that seek to control it, the revisions in the Patriot Act may be back on the congressional writing table faster than other modifications contained within this new legislation. We can already see signs of this happening in the recent proposed Cyber Security Enhancement Act of 2001, proposed legislation that aims to increase penalties beyond those already provided for in the Patriot Act.
Ellen S. Podgor , a professor of law at Georgia State University College of Law in Atlanta, Georgia, is coauthor of White Collar Crime: Law & Practice (J. Israel & P. Borman, West, 1996), White Collar Crime in a Nutshell 2d Ed. (J. Israel, West, 1997); and International Criminal Law: Cases and Materials (E. Wise, Lexis 2000).