-Caveat Lector-
From
http://www.theregister.co.uk/content/6/23036.html
}}}>Begin
US assumes global cyber-police authority
By Mark Rasch
Posted: 27/11/2001 at 10:32 GMT
Much has been written about the new anti-terrorism legislation passed
by Congress and signed by President Bush, particularly as it respects
the ability of the government to conduct surveillance on email, voice-
mail, and other electronic communications. However, too little
attention has been paid to other provisions of the legislation,
particularly a significant change to the definition of the types of
computers protected under federal law.
An amendment to the definition of a "protected computer" for the
first time explicitly enables U.S. law enforcement to prosecute
computer hackers outside the United States in cases where neither the
hackers nor their victims are in the U.S., provided only that packets
related to that activity traveled through U.S. computers or routers.
This remarkable amendment is to the Computer Fraud and Abuse Act,
which Congress enacted in 1984 to prohibit conduct that damages a
"Federal interest computer," defined at the time as "a computer owned
or used by the Unit
ed States Government or a financial institution," or, "one of two or more computers
used in committing the offense, not all of which are located in the same State."
Evolution of the 'Protected Computer'
Under that initial definition, if a hacker in the U.S. broke into a computer in a
foreign country (or vice versa), because the computers were not all located in the
same state, a federal offense would have been committed.
If, however, the victim computer and the hacker's computer were both located in the
same state, this would be a purely "intrastate" offense, punishable by the state or
local government. (A purely intrastate offense could
also be prosecuted federally if the victim computer was used by the federal
government or a federally insured institution, or if any computer involved in the
offense was located in another state.)
This limitation represented a conscious effort by the U.S. Congress to limit the scope
of federal crimes to those with a truly interstate reach.
In 1994, Congress replaced the term "Federal interest computer" with the phrase
"computer used in interstate commerce or communication." In 1996, Congress amended the
law once again, defining a new term, "protected comput
er," and concomitantly expanding the number of computers that the statute "protected."
The 1996 amendments defined a protected computer as one that is "exclusively for the
use of a financial institution or the United Stat
es Government, or, in the case of a computer not exclusively for such use, used by or
for a financial institution or the United States Government and the conduct
constituting the offense affects that use by or for the fin
ancial institution or the Government; or which is used in interstate or foreign
commerce or communication."
In the new anti-terrorism legislation, Congress once again expanded the scope of
federal jurisdiction over computer crimes. Section 814 of the PATRIOT bill added to
the definition of a protected computer an explicit provi
sion stating that federal law precludes activities involving "a computer located
outside the United States that is used in a manner that affects interstate or foreign
commerce or communication of the United States."
Congress did not require that the effect on interstate or foreign commerce or
communication be substantial, or even, for that matter, measurable.
Almost immediately after the legislation was signed, the Department of Justice issued
a guidance paper to instruct thousands of federal prosecutors how to use the new
statute. The guidance noted that:
Because of the interdependency and availability of global computer networks, hackers
from within the United States are increasingly targeting systems located entirely
outside of this country. The [previous] statute did no
t explicitly allow for prosecution of such hackers. In addition, individuals in
foreign countries frequently route communications through the United States, even as
they hack from one foreign country to another. In such c
ases, their hope may be that the lack of any U.S. victim would either prevent or
discourage U.S. law enforcement agencies from assisting in any foreign investigation
or prosecution.
... Section 814 of the Act amends the definition of "protected computer" to make clear
that this term includes computers outside of the United States so long as they affect
"interstate or foreign commerce or communication
of the United States." 18 U.S.C. § 1030(e)(2)(B). By clarifying the fact that a
domestic offense exists, the United States can now use speedier domestic procedures to
join in international hacker investigations. As these
crimes often involve investigators and victims in more than one country, fostering
international law enforcement cooperation is essential.
In addition, the amendment creates the option, where appropriate, of prosecuting such
criminals in the United States. Since the U.S. is urging other countries to ensure
that they can vindicate the interests of U.S. victim
s for computer crimes that originate in their nations, this provision will allow the
U.S. to provide reciprocal coverage.
The Department of Justice therefore views the amendment as more than a mere
clarification of existing law, but as an expansion of U.S. jurisdiction to permit, for
the first time, the United States to prosecute cases where
both the attacker and the victim are located outside the United States, and to apply
U.S. substantive and procedural law to such international activity.
International Law
Computer crime in general, and computer hacking in particular, has always been
recognized as a uniquely trans-national offense. Hackers from anywhere in the world
can engage in activities that will affect computers outsid
e of the country from which they originate. Moreover, computer viruses, worms and
other malicious code do not respect international boundaries, and can damage
information or computers located in countries far remote from
those where the hacker is located.
Interestingly, when a hacker in Singapore released the "I Love You" virus affecting
computers all over the world, only the U.S. FBI traveled to Singapore to investigate.
When the "Melissa" virus swept across the planet, n
o foreign law enforcement officials descended on New Jersey to prosecute David Smith,
the author of the virus, nor were any such officials publicly invited to participate.
Nevertheless, these cases demonstrate an important principle of international law --
the so-called "protective principle." Every nation has the right to extend the scope
of its law beyond its borders to protect the rights
and property of its own nationals. An attack on a U.S. citizen abroad may violate
U.S. law. A gunshot from Canada that kills a person in the United States may properly
be prosecuted in the United States. A hacker who att
acks a computer in the United States from a foreign country violates U.S. law, and it
is entirely appropriate that the United States should have the authority to protect
itself from such attacks. Whether the U.S. will tak
e the lead in such investigations or not will depend not so much on law, but on
international politics.
The recent Council of Europe Cybercrime Treaty encourages countries to make computer
crime an offense within their own borders, and to cooperate on international
investigations of computer crime.
In its interpretation of the need for the unprecedented expansion of U.S. sovereignty,
the Department of Justice asserts that U.S. law enforcement agencies would not
investigate cases of computer crime where the victim an
d targets are located outside the United States, not because of the lack of any
authority to do so, but because, of a lack of will. In fact, there is much truth to
this assertion. Many law enforcement agencies see no reas
on to assist foreign governments' investigations where there is no likelihood that
they will obtain a conviction within the country.
However, the appropriate response to this reluctance is to encourage domestic law
enforcement agencies to assist their foreign brethren voluntarily, not to expand the
scope of domestic law to permit prosecution within the
United States of what is essentially a foreign offense.
When Reach Exceeds Grasp
Congress' authority to criminalize conduct generally is derived from Article I of the
Constitution, which, among other things allows the legislature to regulate interstate
and foreign commerce. The statute is broad and al
lows the protection of the instrumentalities and channels of interstate or foreign
commerce. In 1995 the Supreme Court noted that Congress' power was limited though to
regulate those activities that "substantially affect"
interstate commerce and not merely those where the affect is tangential.
The distinction is crucial. Clearly if a U.S. computer or computer network is shut
down, attacked, penetrated, or prevented from properly functioning as a result of
foreign hacking activity, the protective principle of in
ternational law should properly permit a U.S. prosecution.
Where the affect on U.S. computer networks is slight -- to the point of non-existence
-- the U.S. should not impose its law on the activity.
The new statute requires no threshold of damage or even effect on U.S. computers to
trigger U.S. sovereignty. The vast majority of Internet traffic travels through the
United States, with more than half of the traffic tra
veling through Northern Virginia alone. The mere fact that packets relating to the
criminal activity travel through the United States should not be enough to trigger
U.S. jurisdiction, even though such traffic would "affe
ct" international commerce, albeit infinitesimally.
The expanded statute, and the DOJ policy guidance, would permit the U.S. to impose its
law on the Internet generally, without the need to show damage or trespass to a U.S.
computer, merely on the basis of packets being in
advertently routed through U.S. computers. This represents and unwarranted and
dangerous expansion of U.S. sovereignty, and will invariably result in more turf
battles with foreign law enforcement agencies, rather than fe
wer.
Under the Department of Justice's interpretation of this legislation, a computer
hacker in Frankfurt Germany who hacks into a computer in Cologne Germany could be
prosecuted in the Eastern District of Virginia in Alexandr
ia if the packet of related to the attack traveled through America Online's computers.
Moreover, the United States would reserve the right to demand that the extradition of
the hacker even if the conduct would not have vi
olated German law, or to, as it has in other kinds of cases, simply remove the
offender forcibly for trial.
What is perhaps the most troubling about this legislation, in addition to the lack of
any debate or focus on it, is the fact that the Department of Justice manual simply
says that this unprecedented power will be used in
"appropriate cases." The Department of Justice provides no guidance to prosecutors or
citizens of the world what kinds of cases it will deem to be "appropriate" for the
expanded jurisdiction.
The Department of Justice has no procedures in place to mandate high-level DOJ review
before such power can be used. A prosecutor in Boise may therefore decide to go after
a Norwegian hacker for hacking a computer in Oslo
, if the packets "affected" interstate commerce, and the prosecutor
thinks it "appropriate."
Every country has the right to protect its own citizens, property and
interests. No country has the right to impose its will, its values,
its mores or laws on conduct that occurs outside its borders even if
they may have a tangential effect on that country. The new
legislation permits the U.S. government to do just that, and is
unwise and unwarranted.
© 2001 SecurityFocus.com, all rights reserved.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems, Inc. in Reston, Virginia, a computer security and network
design consulting firm. Prior to joining Predictive Systems, Mr.
Rasch was the head of the U.S. Department of Justice Computer Crime
Unit and prosecuted a series of high profile computer crime cases
from 1984 to 1991.
End<{{{
~~~~~~~~~~~~~~~
Forwarded as information only; no endorsement to be presumed
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
In accordance with Title 17 U.S.C. section 107, this material
is distributed without charge or profit to those who have
expressed a prior interest in receiving this type of information
for non-profit research and educational purposes only.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
The only real voyage of discovery consists not in seeking
new landscapes but in having new eyes. -Marcel Proust
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Do not believe in anything simply because you have heard it. Do not believe
simply because it has been handed down for many generations. Do not
believe in anything simply because it is spoken and rumored by many. Do
not believe in anything simply because it is written in Holy Scriptures. Do not
believe in anything merely on the authority of Teachers, elders or wise men.
Believe only after careful observation and analysis, when you find that it
agrees with reason and is conducive to the good and benefit of one and all.
Then accept it and live up to it."
The Buddha on Belief, from the Kalama Sutta
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
A merely fallen enemy may rise again, but the reconciled
one is truly vanquished. -Johann Christoph Schiller,
German Writer (1759-1805)
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
It is preoccupation with possessions, more than anything else, that
prevents us from living freely and nobly. -Bertrand Russell
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Everyone has the right...to seek, receive and impart
information and ideas through any media and regardless
of frontiers."
Universal Declaration of Human Rights
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
"Always do sober what you said you'd do drunk. That will
teach you to keep your mouth shut."
--- Ernest Hemingway
<A HREF="http://www.ctrl.org/";>www.ctrl.org</A>
DECLARATION & DISCLAIMER
==========
CTRL is a discussion & informational exchange list. Proselytizing propagandic
screeds are unwelcomed. Substance—not soap-boxing—please! These are
sordid matters and 'conspiracy theory'—with its many half-truths, mis-
directions and outright frauds—is used politically by different groups with
major and minor effects spread throughout the spectrum of time and thought.
That being said, CTRLgives no endorsement to the validity of posts, and
always suggests to readers; be wary of what you read. CTRL gives no
credence to Holocaust denial and nazi's need not apply.
Let us please be civil and as always, Caveat Lector.
========================================================================
Archives Available at:
http://peach.ease.lsoft.com/archives/ctrl.html
<A HREF="http://peach.ease.lsoft.com/archives/ctrl.html";>Archives of
[EMAIL PROTECTED]</A>
http:[EMAIL PROTECTED]/
<A HREF="http:[EMAIL PROTECTED]/";>ctrl</A>
========================================================================
To subscribe to Conspiracy Theory Research List[CTRL] send email:
SUBSCRIBE CTRL [to:] [EMAIL PROTECTED]
To UNsubscribe to Conspiracy Theory Research List[CTRL] send email:
SIGNOFF CTRL [to:] [EMAIL PROTECTED]
Om
