From: Don Alvarez
Newsgroups: comp.dcom.telecom
Subject: Computer Fraud and Abuse Act
Summary: out of date but electronic copy of USC title 18 sec 1030
Message-Id: <14090@phoenix.Princeton.EDU>
Date: 25 Feb 90 19:14:55 GMT
Organization: Princeton University

Here is a copy of a posting I made on the Computer Fraud and Abuse Act (USC Title 18 Section 1030). The posting was made while a set of amendments were still under consideration, and I don't have an updated copy of the text. Still, people might find this interesting, and I am submitting it mainly to indicate that all you have to do is go to the library, ask the reference librarian for a little help, and find out for yourself what the laws are.

For homework, everyone should go to the library and read The Electronic Communications Privacy Act (PL 99-508, HR 4952), which I don't have an electronic copy of, but which is certainly of interest to Telecom readers.

-don

-----------------------Begin Included Message------------------------------

Rep. Wally Herger (R-CA) has recently re-introduced the "Computer Virus Eradication Act" as an amendment to U.S. Code Title 18 Section 1030 ("The Computer Fraud and Abuse Act of 1986"). RISKS readers may remember that the earlier form of the Virus Act (then designated HR 5061) was discussed here, and a number of the suggestions made here have been included in the revised bill (designated HR 55).

The actual amendments proposed by the bill are fairly short, but I have attempted to include the complete text of title 18 section 1030 (about 3 pages) for context and because that also may be of interest to readers. Please note that the two clauses in section (a)(7) are joined by an "and." Note that anything in mixed upper/lower case is existing U.S. federal law and has been for several years.

***** NOTE: this was hand typed and may contain errors for which      *****
***** no responsibility is assumed by either Don Alvarez or           *****
***** his employer.                                                   *****
***** H.R. 55 consists of a series of amendments and deletions to     *****
***** the existing USC title 18 section 1030. Proposed amendments     *****
***** are in ALL CAPS proposed deletions are [enclosed in square      *****
***** brackets]. I have also flagged each change with several *'s     *****
***** Text of USC title 18 section 1030 taken from Senate Report      *****
***** 99-432 "COMPUTER FRAUD AND ABUSE ACT OF 1986"                   *****

THE COMPUTER VIRUS ERADICATION ACT OF 1989

101st Congress
1st Session

H.R. 55

To amend section 1030 of title 18, United States Code, to provide penalties for persons interfering with the operations of computers through the use of programs containing hidden commands that can cause harm, and for other purposes.

In the House of Representatives
January 3, 1989

Mr. Herger (for himself and 32 others) introduced the following bill; which was referred to the Committee on the Judiciary

TITLE 18: CRIMES AND CRIMINAL PROCEDURE
CHAPTER 47 -- FRAUD AND FALSE STATEMENTS

Sec. 1030.
Fraud and related activity in connection with computers

(a) Whoever--
    (1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data as defined in paragraph r. of section 11 of the Atomic Energy Act of 1954, with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation;
    (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); or
    (3) intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government's operation of such computer;
    (4) knowingly and with intent to defraud accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer;
    (5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby--
        (A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period; or
        (B) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; [or] ****
    (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--
        (A) such trafficking affects interstate or foreign commerce; or
        (B) such computer is used by or for the Government of the United States; OR ****
    (7) KNOWINGLY--
        (A) INSERTS INTO A PROGRAM FOR A COMPUTER, OR A COMPUTER ITSELF, INFORMATION OR COMMANDS, KNOWING OR HAVING REASON TO BELIEVE THAT SUCH INFORMATION OR COMMANDS MAY CAUSE LOSS, EXPENSE, OR RISK TO HEALTH OR WELFARE--
            (i) TO USERS OF SUCH COMPUTER OR A COMPUTER ON WHICH SUCH PROGRAM IS RUN, OR TO PERSONS WHO RELY ON INFORMATION PROCESSED ON SUCH COMPUTER; OR
            (ii) TO USERS OF ANY OTHER COMPUTER OR TO PERSONS WHO RELY ON INFORMATION PROCESSED ON ANY OTHER COMPUTER; AND
        (B) PROVIDES (WITH KNOWLEDGE OF THE EXISTENCE OF SUCH INFORMATION OR COMMANDS) SUCH PROGRAM OR SUCH COMPUTER TO A PERSON IN CIRCUMSTANCES IN WHICH SUCH PERSON DOES NOT KNOW OF THE INSERTION OR ITS EFFECTS;
    IF INSERTING OR PROVIDING SUCH INFORMATION OR COMMANDS AFFECTS, OR IS EFFECTED OR FURTHERED BY MEANS OF, INTERSTATE OR FOREIGN COMMERCE;

(b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

(c) The punishment for an offense under subsection (a) or (b)(1) of this section is--
    (1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) OR (a)(7) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and
        (B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) OR (a)(7) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and
    (2)(A) a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and
        (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and
    (3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and
        (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph.

(d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

(e) WHOEVER SUFFERS LOSS BY REASON OF A VIOLATION OF SUBSECTION (a)(7) MAY, IN A CIVIL ACTION AGAINST THE VIOLATOR, OBTAIN APPROPRIATE RELIEF. IN A CIVIL ACTION UNDER THIS SUBSECTION, THE COURT MAY AWARD TO A PREVAILING PARTY A REASONABLE ATTORNEY'S FEE AND OTHER LITIGATION EXPENSES.

(f) As used in this section--
    (1) the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
    (2) the term "Federal interest computer" means a computer--
        (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or
        (B) which is one of two or more computers used in committing the offense, not all of which are located in the same State;
    (3) the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other possession or territory of the United States;
    (4) the term "financial institution" means--
        (A) a bank with deposits insured by the Federal Deposit Insurance Corporation;
        (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
        (C) an institution with accounts insured by the Federal Savings and Loan Insurance Corporation;
        (D) a credit union with accounts insured by the National Credit Union Administration;
        (E) a member of the Federal home loan bank system and any home loan bank; and
        (F) any institution of the Farm Credit System under the Farm Credit Act of 1971;
        (G) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934; and
        (H) the Securities Investor Protection Corporation;
    (5) the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;
    (6) the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter; and
    (7) the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5.

(g) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.