Net Taps Without Warrants?

disappear writes "In the wake of yesterday's threats to cryptography, more ominous news: Wired News reports that a bill permitting warrantless Internet surveilance has been passed by the Senate." This is just part of the expected and unfortunate backlash from tuesday. The terrorists are winning simply because the govt. can use their threat as a blank check to take away our rights. The worst part is that this will do no good whatsoever. Does the govt really think that crypto export restrictions have prevented terrorists from having strong crypto?

Not as bad as it sounds

[Tattva]

This bill is quite limited in its scope, allowing only 48 hours to tap without approval and only for immediate threats to "National Security."

Many civil liberties are restricted during threats to "National Security." Ever heard of martial law and curfews?

Text of the debate and amendment

[jeffw]

Follow these links to read the Text of the Hatch-Feinstein "Combating Terrorism Act of 2001" and the floor debate over the amendment.

Sen. Leahy (D-VT) and Sen. Levin (D-MI) are the only ones asking for restraint and thought before bulling forward with this amendment to the Commerce, State and Justice appropriations bill (which is sure to pass).

FUD from Wired. Notice the "?" in the Headline.

[jazmataz23]

According to NPR, a much more reliable source of political information, this bill merely changes the regulatory jurisdiction of obtaining an electronic "wiretap". Previously, to "tap" an email, the prosecutors had to present the case for the warrant to every judge whose jurisdiction in which the the email passes. Meaning if I send an email from NC to NY judges in both my federal district and the federal district of the recient have to sign off on the warrant, as well as all those servers that pass the message on.

It is still very difficult to get a wiretap warrant, both for email and telephones; the burden of proof is extremely high. Now, I'm not saying illegal wiretaps are not done, but it's still just as difficult to get one legally. I'm not in law enforcement, but I'm also not a paranoiac. Mod me down for both acts of reason.:P

jaz

LOOK AT THE AMENDMENT (Warning: LOTSA legal cites)

[camusflage]

In reality, it's bad. It's not TOTALLY bad. There are SOME protections in place. From the amendment:

(2) EXPANSION OF EMERGENCY CIRCUMSTANCES.--Section 3125(a)(1) of that title is amended--

(A) in subparagraph (A), by striking ``or'' at the end;

(B) in subparagraph (B), by striking the comma at the end and inserting a semicolon; and

(C) by inserting after subparagraph (B) the following new subparagraphs:

``(C) immediate threat to the national security interests of the United States;

``(D) immediate threat to public health or safety; or

``(E) an attack on the integrity or availability of a protected computer which attack would be an offense punishable under section 1030(c)(2)(C) of this title,''.

Yes, this is scary stuff. Pay attention to section (E) and you'll see that it only refers to those crimes which 18USC1030(c)(2)(C) applies. From that section:

(3)(A) a fine under this title or imprisonment for not more
than five years, or both, in the case of an offense under
subsection (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7) of this
section which does not occur after a conviction for another
offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and

Now, let's go looking at (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7), for those of you with clean sheets (if you don't have one, you're hosed, as pretty much anything under 18USC1030 gets punished under (c)(2)(C) if you're a repeat offender, as the other portions of (c)(2)(C) point out):

(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and
by means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value
of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer;
(B) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes
damage; or
...
(7) with intent to extort from any person, firm, association,
educational institution, financial institution, government
entity, or other legal entity, any money or other thing of value,
transmits in interstate or foreign commerce any communication
containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section.

Note that (a)(5)(C) was specificially excluded:

(C) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage;

Subtle shading between (a)(5)(B) and (a)(5)(C), but the key is recklessly causing damage versus simply causing damage.

Essentially, going item by item, if you

(4) Steal from (ie, intent to defraud),
(5)(A) 0wN,
(5)(B) Cr4cK, or
(7) trade data for money

then you're open to this, according to the law . Now, all the white hats, and an overwelming majority of the grey hats, can likely agree to these conditions. That being said.. There are enough loopholes here to drive a truck through, and I doubt that prosecutors will take the full time to research those specific sections of 18USC1030 which this newfound power would allow them to use. Three cheers to the first person who beats the "slam dunk" case because a prosecutor got a little too zealous in their wiretap and blows the chain of evidence right at the start.

Now, let's look at what this law does NOT cover from 18USC1030. Let's kick it first with (a)(2) and (a)(3).

(2) intentionally accesses a computer without authorization or
exceeds authorized access, and thereby obtains -
(A) information contained in a financial record of a
financial institution, or of a card issuer as defined in
section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are
defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et
seq.);
(B) information from any department or agency of the United
States; or
(C) information from any protected computer if the conduct
involved an interstate or foreign communication;
(3) intentionally, without authorization to access any
nonpublic computer of a department or agency of the United
States, accesses such a computer of that department or agency
that is exclusively for the use of the Government of the United
States or, in the case of a computer not exclusively for such
use, is used by or for the Government of the United States and
such conduct affects that use by or for the Government of the
United States;

Wait a second... You can hack (without the non-judicial wiretap, though you're still fux0red under existing law) BANKS, THE GOVERNMENT, AND ANYTHING ELSE, so long as you're not under (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7) as well.

Even further, under (a)(6), also not covered under the Anti-Cyberterrorism amendment, you can keep trading passwords (without the non-judicial wiretap--again, you're fux0red under current law though).

(6) knowingly and with intent to defraud traffics (as defined
in section 1029) in any password or similar information through
which a computer may be accessed without authorization, if -
(A) such trafficking affects interstate or foreign commerce;
or
(B) such computer is used by or for the Government of the
United States;

In all, it's pretty bad, but they could've done worse. If you give ANYONE the legal authority to wiretap without judicial oversight, you're giving a monkey a loaded revolver. In this case, however, the monkey's more likely to shoot itself than it is to shoot you.

ObDisclaimer: I am not a lawyer, but I play one on Slashdot.