First, a couple caveats, I am not a lawyer and I have read only select portions of the Task Force's report. That being said, I have a couple questions/comments on the report. First some background information from the text of the report itself.
In Appendix F: Text of the Amendment to 18 U.S.C. § 1030(a)(2), the report proposes that the text of item (C) be changed. The intent of the change is to remove the requirement that the attacker use interstate or foreign communications in compromising a system. The original text of item C (with some additional text in brackets for context):
[ whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains- ]
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
The proposed change would remove the phrase "if the conduct involved an interstate or foreign communication".
By searching on the web, I found a copy of Title 18 Section 1030 at:
According to this link, 18 U.S.C. § 1030(e)(2) defines the term "protected computer" as a computer used exclusively by the US Government or a financial institution or which is used in interstate or foreign commerce or communication.
My comment/questions:
1. Does this leave a gap in the federal legislation where a computer that is used for intrastate commerce/communication is not covered? Examples of such a computer might include a server used by a division of a company where that division does no business outside of the state in which it is located or a state government server.
2. Will this require federal prosecutors to prove that the computers that were the target of the attack were engaged in interstate or foreign commerce even when the attacker who perpetrated the attack using interstate or foreign communication services?
3. Given the constraints under which the U.S. Congress operates, would it be possible to further modify this definition to remove this requirement?
I have a few more questions/comments on the ability of the proposed legislative changes to fully address the gaps identified in the report related to keystroke loggers and spyware, but I will save those for another follow up.
In Appendix F: Text of the Amendment to 18 U.S.C. § 1030(a)(2), the report proposes that the text of item (C) be changed. The intent of the change is to remove the requirement that the attacker use interstate or foreign communications in compromising a system. The original text of item C (with some additional text in brackets for context):
[ whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains- ]
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
The proposed change would remove the phrase "if the conduct involved an interstate or foreign communication".
By searching on the web, I found a copy of Title 18 Section 1030 at:
http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
According to this link, 18 U.S.C. § 1030(e)(2) defines the term "protected computer" as a computer used exclusively by the US Government or a financial institution or which is used in interstate or foreign commerce or communication.
My comment/questions:
1. Does this leave a gap in the federal legislation where a computer that is used for intrastate commerce/communication is not covered? Examples of such a computer might include a server used by a division of a company where that division does no business outside of the state in which it is located or a state government server.
2. Will this require federal prosecutors to prove that the computers that were the target of the attack were engaged in interstate or foreign commerce even when the attacker who perpetrated the attack using interstate or foreign communication services?
3. Given the constraints under which the U.S. Congress operates, would it be possible to further modify this definition to remove this requirement?
I have a few more questions/comments on the ability of the proposed legislative changes to fully address the gaps identified in the report related to keystroke loggers and spyware, but I will save those for another follow up.
[ reply ]
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/487/1903#1903