Cybercrime and punishment

by Mark D Rasch

Much has been written about the new anti-terrorism legislation passed by 
Congress and signed by President Bush, particularly as it respects the 
ability of the government to conduct surveillance on email, voice-mail, and 
other electronic communications. However, too little attention has been 
paid to other provisions of the legislation, particularly a significant 
change to the definition of the types of computers protected under federal 
law.

An amendment to the definition of a "protected computer" for the first time 
explicitly enables US. law enforcement to prosecute computer hackers 
outside the United States in cases where neither the hackers nor their 
victims are in the U.S, provided only that packets related to that activity 
travelled through US computers or routers.

This remarkable amendment is to the Computer Fraud and Abuse Act, which 
Congress enacted in 1984 to prohibit conduct that damages a "Federal 
interest computer", defined at the time as "a computer owned or used by the 
United States Government or a financial institution," or, "one of two or 
more computers used in committing the offence, not all of which are located 
in the same [US] State."

The Department of Justice (DOJ) ... views the [2001] amendment as more than 
a mere clarification of existing law, but as an expansion of US 
jurisdiction to permit, for the first time, the United States to prosecute 
cases where both the attacker and the victim are located outside the United 
States, and to apply US substantive and procedural law to such 
international activity.

The recent Council of Europe Cybercrime Treaty encourages countries to make 
computer crime an offence within their own borders, and to cooperate on 
international investigations of computer crime.

The expanded statute, and the DOJ policy guidance, would permit the U.S. to 
impose its law on the Internet generally, without the need to show damage 
or trespass to a U.S. computer, merely on the basis of packets being 
inadvertently routed through U.S. computers.

This represents and unwarranted and dangerous expansion of sovereignty, and 
will invariably result in more turf battles with foreign law enforcement 
agencies, rather than fewer.

Under the Department of Justice's interpretation of this legislation, a 
computer hacker in Frankfurt Germany who hacks into a computer in Cologne 
Germany could be prosecuted in the Eastern District of Virginia in 
Alexandria if the packet related to the attack travelled through America 
Online's computers

Moreover, the United States would reserve the right to demand that the 
extradition of the hacker even if the conduct would not have violated 
German law, or to, as it has in other kinds of cases, simply remove the 
offender forcibly for trial.

What is perhaps the most troubling about this legislation, in addition to 
the lack of any debate or focus on it, is the fact that the Department of 
Justice manual simply says that this unprecedented power will be used in 
"appropriate cases."

The Department of Justice provides no guidance to prosecutors or citizens 
of the world what kinds of cases it will deem to be "appropriate" for the 
expanded jurisdiction.

Every country has the right to protect its own citizens, property and 
interests. No country has the right to impose its will, its values, its 
mores or laws on conduct that occurs outside its borders even if they may 
have a tangential effect on that country. The new legislation permits the 
U.S. government to do just that, and is unwise and unwarranted.

Mark D Rasch, JD, is the Vice President for Cyberlaw at Predictive Systems 
Inc in Reston, Virginia, a computer security and network design consulting 
firm. Prior to joining Predictive Systems, He was the head of the US 
Department of Justice Computer Crime Unit and prosecuted a series of high 
profile computer crime cases from 1984 to 1991.

* * *

The Internet Anti-Fascist (abridged)