
EFFector - Volume 14, Issue 27 - ALERT: Hackers Could Get Life in Prison, No Parole, Under "Anti-Terrorism" Bill

   EFFector       Vol. 14, No. 27       Sep. 27, 2001     editors@eff.org

   A Publication of the Electronic Frontier Foundation     ISSN 1062-9424

    In the 187th Issue of EFFector (now with over 29,200 subscribers!):

     * ALERT: Hackers Could Get Life in Prison, No Parole, Under
       "Anti-Terrorism" Bill
     * Administrivia

   For more information on EFF activities & alerts: http://www.eff.org/

   To join EFF or make an additional donation:
     http://www.eff.org/support/
   EFF is a member-supported nonprofit. Please sign up as a member today!
     _________________________________________________________________

ALERT: Hackers Could Get Life in Prison, No Parole, Under "Anti-Terrorism" Bill

  Act Today and Ask Your Legislators to Remove Dangerous Provisions

    Electronic Frontier Foundation ACTION ALERT

    (Issued: Wednesday, September 27, 2001 / Deadline: Friday, October 7, 2001,
    unless extended)

  Introduction:

   San Francisco, California - The Electronic Frontier Foundation (EFF)
   today condemned portions of the Anti-Terrorism Act (ATA) currently
   under consideration in Congress which would treat all computer
   trespass as terrorism (in addition to other provisions we oppose, such
   as vast expansion of surveillance authority).

   "Treating low-level computer crimes as terrorist acts is not an
   appropriate response to recent events," said EFF Executive Director
   Shari Steele. "A relatively harmless online prankster should not face
   a potential life sentence in prison."

   The ATA includes provisions that dramatically increase the penalties
   for acts that have no apparent relationship to terrorism. For
   instance, the bill would add low-level computer intrusion, already a
   crime under other laws, to the list of "federal terrorism offenses,"
   creating penalties of up to life imprisonment, adding broad
   pre-conviction asset seizure powers and serious criminal threats to
   those who "materially assist" or "harbor" individuals suspected of
   causing minimal damage to networked computers.

   Attorney General John Ashcroft asked Congress last week to pass the
   ATA, formerly known as the Mobilization Against Terrorism Act (MATA),
   with less than one week of consideration.

   EFF believes the ATA would radically tip the United States system of
   checks and balances, giving the government unprecedented authority to
   surveil American citizens with little judicial or other oversight.

  What YOU Can Do Now:

     * Contact your own legislators about the ATA/MATA and related bills
       AS SOON AS POSSIBLE. Call them, and fax and/or e-mail the EFF
       letter below (or your own) today. Postal mail will be too slow on
       this issue. Feel free to use this letter verbatim, or modify it as
       you wish. Let them know that you do not believe liberty must be
       sacrificed for security. Please be polite and concise, but firm.
       For information on how to contact your legislators and other
       government officials, see EFF's "Contacting Congress and Other
       Policymakers" guide at:
         http://www.eff.org/congress.html
       and see also the links below.
     * Join EFF! For membership information see:
         http://www.eff.org/support/

  Sample Letter:

   Use this sample letter to YOUR legislators or modify it, and send it
   to their Washington fax and e-mail, which you can get from Project
   Vote Smart:
     http://www.vote-smart.org/vote-smart/data.phtml?dtype=C&style=
   or the House:
     http://www.house.gov/house/MemberWWW.html
   and Senate:
     http://www.senate.gov/senators/index.cfm
   websites.

     Dear Sen./Rep. [Surname]

     I write as a constituent to express my gravest concern over aspects
     of the Congressional response to the tragedies of September 11.
     While I share your grief and anger in no uncertain terms, I do not
     believe that sacrificing essential liberties in a vain hope of
     improving security is good for America or the world. Security can
     be improved without privacy invasion, and we cannot win an attack
     on freedom by attacking that freedom ourselves.

     I urge you to work to remove from anti-terrorism bills any
     provisions that call for expanded wiretap powers or online
     monitoring, warrantless pen register or trap and trace authority,
     censorship, restrictions on encryption, warrantless "fishing
     expeditions" in student or other records, or redefinition of minor
     computer crimes as terrorism. While there is a need for a
     Congressional response to terrorism, vast expansion of the powers
     of law enforcement and intelligence agencies to invade privacy is
     not an appropriate part of that response.

     Presently these bills and draft bills include A-G Ashcroft's
     Anti-Terrorism Act (ATA); Sen. Leahy's Uniting and Strengthening of
     America Act (USAA); Rep. Smith's Public Safety and Cyber Security
     Enhancement Act (PSCSEA, H.R. 2915); Sen. Hatch's Combating
     Terrorism Act (CTA, amendment S.A. 1562 to bill H.R. 2500); and
     Sen. Graham's Intelligence to Prevent Terrorism Act (IPTA, S.
     1448), and Sen. Gregg's draft anti-encryption legislation.

     The United States should not take steps toward becoming a police
     state, or otherwise undermine our own freedom in the name of
     defending that freedom from terrorist attack, or the terrorists
     have already won. I also object to provisions being passed in
     response to terrorism but which have nothing to do with terrorism,
     such as "emergency" wiretaps against simple computer crime
     incidents and the abuse of grand juries as tools for intelligence
     agencies, and undermining of the very encryption that helps secure
     our communications infrastructure from further attack. This is a
     time for careful consideration, not for passing legislation without
     debate or careful consideration of the consequences.

     Sincerely,

     [Your name & address]

   (Be sure to correct the salutation - use EITHER Sen. or Rep., and use
   the correct name. If you are writing to a committee member [and he/she
   is not your legislator], remove "as a constituent" from first
   sentence.)

  Non-US Activists

   Non-US readers can probably have little impact on the US Congress's
   votes on these matters, and could even affect them negatively. Your
   best course of action is to contact your own
   legislators/parliamentarians and urge them to avoid similar policies
   in your own country.

  Privacy Campaign:

   This drive to contact your legislators about unprecedented wiretap
   power expansion is part of a larger campaign to highlight how
   extensively companies and governmental agencies subject us to
   surveillance and share and use personal information online & offline,
   and what you can do about it.

   Check the EFF Privacy Now! Campaign website regularly for additional
   alerts and news:
     http://www.eff.org/privnow/

  Background:

   EFF again urges Congress to act with deliberation and approve only
   measures that are effective in preventing terrorism while protecting
   the freedoms of Americans.

   "The theme of freedom in the face of terrorist attacks should include
   a focus on measures that preserve rather than diminish our civil
   liberties," said EFF Exec. Dir. Shari Steele.

   The DOJ's own analysis of another particularly egregious provision of
   the ATA points out that "United States prosecutors may use against
   American citizens information collected by a foreign government even
   if the collection would have violated the Fourth Amendment."

   "Operating from abroad, foreign governments could do the dirty work of
   spying on the communications of Americans worldwide. US protections
   against unreasonable search and seizure won't matter," commented EFF
   Senior Staff Attorney Lee Tien.

   Additional provisions of the proposed Anti-Terrorism Act include the
   following measures:

   * make it possible to obtain e-mail message header information,
   Internet user web browsing patterns, and "stored" voicemail without a
   wiretap order;

   * eviscerate controls on Title III roving wiretaps;

   * permit law enforcement to disclose information obtained through
   wiretaps to any employee of the Executive branch;

   * reduce restrictions on domestic investigations under the Foreign
   Intelligence Surveillance Act (FISA);

   * permit grand juries to provide information to the US intelligence
   community;

   * permit the President to designate any "foreign-directed individual,
   group, or entity," including any United States citizen or
   organization, as a target for FISA surveillance;

   * prevent people from providing "expert advice" to terrorists;

   * extend the federal DNA database to every person convicted of a
   federal terrorism offense, which includes low-level computer
   intrusions;

   * other provisions, whether or not related to online civil liberties.

   The scope of the Computer Fraud and Abuse Act's Sect. 1030(a)(5)(A) is
   especially broad, dangerously so even before the ATA would attempt to
   redefine violations of this section as "terrorism". It criminalizes
   the following:

     (5)(A) [one who] knowingly causes the transmission of a program,
     information, code, or command, and as a result of such conduct,
     intentionally causes damage without authorization, to a protected
     computer [is in violation of the statute];

   Several civil cases have construed this language. For example, in Shaw
   v. Toshiba America Information Systems, Inc., 91 F.Supp.2d 926
   (E.D. Tex. 1999), defendant knowingly distributed laptop computers
   containing disk drives with faulty microcode that allowed unwanted
   corruption/deletion of data. The court squarely held that
   manufacturers of computer equipment could be reached by Sect.
   1030(a)(5)(A) -- "transmission" includes the design, manufacture,
   creation, distribution, sale, and marketing of floppy-disk controllers
   allegedly made faulty by defective microcode.

   One court has found that placing a cookie on a user's computer to
   monitor websurfing habits could violate Sect. 1030(a)(5)(A). In re
   Intuit Privacy Litigation, 138 F.Supp. 2d 1272 (C.D.Cal. 2001).
   Defendant operated a website that used cookies to track its users, and
   was sued for privacy violations on several theories, including Sect.
   1030. On motion to dismiss, the court found that this conduct fell
   within Sect. 1030(a)(5)(A). (Because the class-action plaintiffs had
   not alleged economic damages, the motion to dismiss was granted, but
   without prejudice, to allow the plaintiffs to make the proper
   allegations.)

   It is clear that any number of activities not initially on the minds
   of legislators when they passed Sect. 1030(a)(5)(A) could eventually
   be held to fall under this statute anyway. No one can predict at this
   early stage what will or will not be considered a violation of this
   provision. Yet the ATA would redefine all present and future
   violations as acts of terrorism, with violators subject to terrible
   penalties, up to and including life in prison without possibility of
   parole.

   Additionally, these changes to the law would remove statutes of
   limitations and become retroactive. This means that any US-based
   computer security professional who, like many in this field, once upon
   a time began as a system cracker or other "black hat" hacker,
   potentially faces criminal prosecution under the ATA.

   If the Department of Justice needs extra laws relating to supposed
   "cyberterrorism", it can seek narrowly-tailored legislation. Simply
   importing virtually all computer crime into the definition of
   terrorism is far too broad and heavy-handed.

   Senator Patrick Leahy has attempted to moderate the ATA through
   introduction of the "Uniting and Strengthening of America Act" (USAA).
   While EFF believes USAA would unnecessarily increase law enforcement
   surveillance powers, it is nowhere near as harmful to civil liberties
   as the Bush administration's proposal.

   For example, the USAA does not increase penalties for low-level
   computer intrusion. The USAA would retain existing restrictions on
   wiretaps, including requiring court orders to obtain voicemail
   messages. However, both the ATA and the USAA would expand FISA to
   include roving wiretaps. The USAA would also permit disclosure of
   Title III wiretaps to intelligence officers, whereas the ATA would
   permit disclosure to any federal employee. The USAA also would require
   a court order for grand juries to provide information to the US
   intelligence community, unlike ATA. Provisions of the ATA permitting
   the President to designate targets for FISA surveillance, preventing
   people from providing "expert advice" to terrorists, and collecting
   foreign intelligence on American citizens are not included in the
   USAA.

   EFF's Steele emphasized, "While it is obviously of vital national
   importance to respond effectively to terrorism, these bills recall the
   McCarthy era in the power they would give the government to scrutinize
   the private lives of American citizens."

   The ATA and USAA bills come in the wake of the Senate's hasty passage
   of the "Combating Terrorism Act" (CTA, amendment S.A. 1562 to
   House-passed bill H.R. 2500) on the evening of September 13 with less
   than 30 minutes of consideration on the Senate floor.

   Another similar bill, called the Public Safety and Cyber Security
   Enhancement Act (PSCSEA), has been drafted for introduction in the
   House, and appears to be a "backup plan" for S.A. 1562; if it does not
   pass as part of H.R. 2500, it can be reintroduced separately in
   slightly different form as a new bill. Sen. Graham's new Intelligence
   to Prevent Terrorism Act (IPTA, S. 1448) raises related issues. Sen.
   Judd Gregg is drafting anti-encryption legislation, as well.

   For bill texts and analyses, see the EFF Surveillance Archive:
     http://www.eff.org/Privacy/Surveillance/

   Why "backdoor" encryption requirements reduce security [PDF]:
     http://www.crypto.com/papers/escrowrisks98.pdf

  About EFF:

   The Electronic Frontier Foundation is the leading civil liberties
   organization working to protect rights in the digital world. Founded
   in 1990, EFF actively encourages and challenges industry and
   government to support free expression, privacy, and openness in the
   information society. EFF is a member-supported organization and
   maintains one of the most linked-to Web sites in the world:
     http://www.eff.org

    Contact:

     Lee Tien, EFF Senior First Amendment Attorney
       tien@eff.org
       +1 415-436-9333 x102

     Will Doherty, EFF Online Activist / Media Relations
       wild@eff.org
       +1 415-436-9333 x111

                                  - end -
     _________________________________________________________________


Administrivia

   EFFector is published by:

   The Electronic Frontier Foundation
   454 Shotwell Street
   San Francisco CA 94110-1914 USA
   +1 415 436 9333 (voice)
   +1 415 436 9993 (fax)
     http://www.eff.org/

   Editors:
   Katina Bishop, EFF Education & Offline Activism Director
   Stanton McCandlish, EFF Technical Director/Webmaster
     editors@eff.org

   To Join EFF online, or make an additional donation, go to:
     http://www.eff.org/support/

   Membership & donation queries: membership@eff.org
   General EFF, legal, policy or online resources queries: ask@eff.org

   Reproduction of this publication in electronic media is encouraged.
   Signed articles do not necessarily represent the views of EFF. To
   reproduce signed articles individually, please contact the authors for
   their express permission. Press releases and EFF announcements &
   articles may be reproduced individually at will.

   To subscribe to or unsubscribe from EFFector via the Web, go to:
     http://www.eff.org/signup/mailserv.html

   To subscribe to EFFector via e-mail, send to majordomo@eff.org a
   message BODY (not subject) of:
     subscribe effector
   The list server will send you a confirmation code and then add you to
   a subscription list for EFFector (after you return the confirmation
   code; instructions will be in the confirmation e-mail).

   To unsubscribe, send a similar message body to the same address, like
   so:
     unsubscribe effector

   (Please ask listmaster@eff.org to manually remove you from the list if
   this does not work for you for some reason.)

   To change your address, send both commands at once, one per line
   (i.e., unsubscribe your old address, and subscribe your new address).

   Back issues are available at:
     http://www.eff.org/effector

   To get the latest issue, send any message to
   effector-reflector@eff.org (or er@eff.org), and it will be mailed to
   you automatically. You can also get, via the Web:
     http://www.eff.org/pub/EFF/Newsletters/EFFector/current.html
     _________________________________________________________________