Hackers are 'Terrorists' Under Ashcroft's New Act

Carlos writes "Most computer crimes are considered acts of terrorism under John Ashcroft's proposed 'Anti-Terrorism Act,' according to this story on SecurityFocus. The Act would abolish the statute of limitations for computer crime, retroactively, force convicted hackers to give the government DNA samples for a special federal database, and increase the maximum sentence for computer intrusion to life in prison. Harboring or providing advice to a hacker would be terrorism as well. This is on top of the expanded surveillance powers already reported on. The bill could be passed as early as this week. I feel safer already."

Re:Somebody has to say it, but...

[Alan]

Depends on the crime. Cracking a big DB of credit cards yes, but how about reverse engineering say, a copyright'd protocol? Maybe the people who made programs like gaim, gnapster, knaptser, kicq, gnomeicu, etc should get thrown in jail for their evil "hacking"?

I'm not against bad things being a crime, but who gets to define what is a crime or not? And what about when new types of hacking/cracking come out? Maybe windows virus authors should be made criminals? How about websites that use cookies to track you (doubleclick anyone?).

The problem with computers and hacking in general is that it's very hard to narrowly define what is and isn't a crime. Mitnick is a sure sign of this, as is Dimitri. On one side ($$) it's a crime of epic proportions, on the other side it's harmless fun, investigation, proving a point, whatever. This has been a problem since phreaking and probably far before....

List of contacts

[GigsVT]

Judiciary Committee List
Name, party, state, phone, fax, e-mail.

James Sensenbrenner, Chair, R-WI, (202) 225-5101,(202) 225-3190,sensen09@mail.house.gov
Henry Hyde, R-IL, (202) 225-4561, (202) 225-1166.
John Conyers Jr., D-MI, (202) 225-5126, (202) 225-0072,john.conyers@mail.house.gov
George Gekas, R-PA, (202) 225-4315, (202) 225-8440, askgeorge@mail.house.gov
Barney Frank, D-MA, (202) 225-5931, (202) 225-0182
Howard Coble, R-NC, (202) 225-3065, (202) 225-8611, howard.coble@mail.house.gov
Howard Berman, D-CA, (202) 225-4695, (202) 225-3196,Howard.Berman@mail.house.gov
Lamar Smith, R-TX, (202) 225-4236, (202) 225-8628
Rick Boucher, D-VA, (202) 225-3861, (202) 225-0442,ninthnet@mail.house.gov
Elton Gallegly, R-CA, (202) 225-5811, (202) 225-1100
Jerrold Nadler, D-NY, (202) 225-5635, (202) 225-6923, jerrold.nadler@mail.house.gov
Bob Goodlatte, R-VA, (202) 225-5431, (202) 225-9681,talk2bob@mail.house.gov
Bobby Scott, D-VA, (202) 225-8351, (202) 225-8354
Steve Chabot, R-OH, (202) 225-2216, (202) 225-3012
Mel Watt, D-NC, (202) 225-1510, (202) 225-1512, nc12.public@mail.house.gov
Bob Barr, R-GA, (202) 225-2931, (202) 225-2944, barr.ga@mail.house.gov
Zoe Lofgren, D-CA, (202) 225-3072, (202) 225-3336, zoe@lofgren.house.gov
William Jenkins, R-TN, (202) 225-6356, (202) 225-5714
Sheila Jackson Lee, D-TX, (202) 225-3816, (202)225-3317, tx18@lee.house.gov
Christopher Cannon, R-UT, (202) 225-7751, (202)225-5629, cannon.ut03@mail.house.gov
Maxine Waters, D-CA, (202) 225-2201, (202) 225-7854
Lindsey Graham, R-SC, (202) 225-5301, (202) 225-3216
Marty Meehan, D-MA, (202) 225-3411, (202) 226-0771, martin.meehan@mail.house.gov
Spencer Bachus, R-AL, (202) 225-4921, (202) 225-2082
William Delahunt, D-MA, (202) 225-3111, (202)225-5658, william.delahunt@mail.house.gov
John Hostettler, R-IA, (202) 225-4636, (202)225-3284, john.hostettler@mail.house.gov
Robert Wexler, D-FL, (202) 225-3001, (202) 225-5974
Mark Green, R-WI, (202) 225-5665, (202) 225-5729, mark.green@mail.house.gov
Tammy Baldwin, D-W, (202) 225-2906, (202) 225-6942, tammy.baldwin@mail.house.gov
Ric Keller, R-FL, (202) 225-2176, (202) 225-0999
Anthony David Weiner, D-NY, (202) 225-6616, (202)226-7253
Darrell Issa, R-CA, (202) 225-3906, (202) 225-3303
Adam Schiff, D-CA, (202) 225-4176, (202) 225-5828
Melissa Hart, R-PA, (202) 225-2565, (202) 226-2274, melissa.hart@mail.house.gov
Jeff Flake, R-AZ, (202) 225-2635, (202) 226-4386

So let's do something about it

[GrouchoMarx]

OK, a lot of people are crying that the sky is falling, that the jack-booted Nazis are at the gates in Washington (both the East Coast one and the West Coast one), that the totalitarian Big Brother is at hand. Is it? Hell, I don't know, but I'd rather not find out. This is still a democracy, folks, that means YOU have power. Even between elections, you have power. Because politicians, whatever else they are interested in (money, power, actually helping people, getting blowjobs from secretaries), are interested first and foremost in one thing: Getting reelected. Make them think that if they pass something asinine and unconstitutional, that there WILL be repercussions. Yes, scare the bejebers out of your congressman/woman and senator.

It takes TEN letters (dead tree letters, email gets deleted immediately) for a Senatorial office to open an issue. TEN. (According to Illinois Senator Dick Durban.) And regardless of the advertising and commercials that politicians raise huge war chests to fund, on election day it is YOUR VOTE that decides who ends up in DC. (East Coast, you have no say over the West Coast one.)

I'd like to issue a call to everyone who posted something modded up to 3 or above: Write a letter to your representatives with the same level of intelligence and Interesting/Insightful content. Write it once and send it three times, once to your Congressperson, and once to each Senator. Fax it if you'd prefer. (Snail mail and fax are what they like the most.) Keep it to one page. Reference the Constitution. Refer to yourself with your most impressive title. (Professor, Ph.d, Senior Engineer, Graduate Student, Independent Developer) and as a registered voter. In the name of the Tux do not tell them that you don't vote, even if that's the case (in which case you should be ashamed of yourself). Then when the next election rolls around, ignore the commercials, take an hour to do your own research, and vote for the candidate that did not support revoking the 4th Amendment and violating Ex Post Facto. It works. (See also: Former Senator Alan Dixon)

For those of you in countries outside of the US, the same applies to you. The Canadian, British, Australian, French, German, etc. governments are all popularly elected as well. (At least the active parts of the British government, anyway.) Politicians are the same everywhere. The same tactics apply. Use them. If you don't, you have no one to blame but yourselves.

Very disturbing, but not quite as bad as it seems.

[Dr.Dubious+DDQ]

The specific sections of "computer crime" law that appear to be reclassified as "terrorist acts" appear to be only:

1030(a)(1), (a)(4), (a)(5)(A), or (a)(7) (relating to protection of computers)

Which are:

• (a) Whoever -
  (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;[...]
• (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
• (5)
  (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
• (Interestingly, they don't seem to include B and C under this act as "terrorism", which are similar to section A, and are almost identical to each other - I have no idea why they have them. "B" says "(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;". C is word-for-word the same, except without the word "recklessly". ANy idea why they have them both?)
• (7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section.

In short, the only "computer crimes" listed as "terrorism" by this act are stealing US Gov't, Inc secrets by computer, maliciously hacking into a system with intent to steal valuables (aside from CPU cycles), and using threats of malicious computer hacking to extort.

The only one that concerns me very much here is 5A - it seems like high-paid corporate lawyers could easy "prove" that for example, if 1337D00D@scriptkiddy.com maliciously hacks into www.microsoft.com and puts a link to his website on the index page, that he's obtained at least $5000 worth of advertisement...

Come to think of it, I'm a little leery of the "or exceeds authorized access" bit in (4) - if one "accesses" a computer to purchase and legally download some proprietary "protected" piece of music or video, and finds a way to convert it to a nonproprietary format for personal use, has one "exceeded authorized access" and is therefore not merely a DMCA Criminal but a full-fledged DMCA Terrorist? It's a bit of a stretch, but I think a wealthy corporation can buy enough lawyer-approved powerpoint slides "proving" this to a non-technical jury...

NOT After Every Hacker

[dragons_flight]

There are only 4 computer related offenses that would be designated under the ATA as "Federal terrorism offenses". Of these 4, the first deals solely with stealing or communicating classified information. The second requires the hacking be used for monetary or material gain beyond just gaining unauthorized access to the computer (unless access is valued over $5000). The third requires that one intentionally cause damage (exceeding $5000, in most cases) to a protected computer, where "protected computer" means US Government, financial institutions, interstate and foreign commerce and communications. The last involves threatening a computer system for purposes of extortion.

This list hardly seems to encompass "most computer crimes". For instance merely accessing or stealing non-classified information is not a terrorist act. Nor does it include breaking encryption ala DMCA. Defacing websites is not a terrorist act unless the computer belongs to one of the above categories and changing the website results in nontrivial financial losses. Writing viruses/worms is not a terrorist act unless you intentionally use it in a way that damages "protected" computers. (From the wording, I wouldn't interpret this to include merely releasing it into the wild, but a judicial ruling would have to clarify that issue). The crimes they are signaling out are pretty significant stuff and not just any old act of hacking. Let's not further contribute to the FUD.


What follows are excerpts of the laws in question:

From The Anti-Terrorism Act of 2001 (Draft 2)
http://www.eff.org/Privacy/Surveillance/20010919_a ta_bill.html

Sec. 309: "...the term 'Federal terrorism offense' means a violation of, or an attempt or conspiracy to violate...1030(a)(1), (a)(4), (a)(5)(A), or (a)(7) (relating to protection of computers)..."

From US Code Title 18, Section 1030
http://www4.law.cornell.edu/uscode/18/1030.html

(a)(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

(a)(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(a)(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(a)(7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section

Under the same Section, part (d)(e)(2) and (8): (2) the term "protected computer" means a computer -

• (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
• (B) which is used in interstate or foreign commerce or communication;

(8) the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that -

• (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;
• (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;
• (C) causes physical injury to any person; or
• (D) threatens public health or safety;

CFAA Applies TO EVERY COMPUTER

[werdna]

Indeed, only crackers who attack "protected systems" (meaning .gov and .mil boxen - not the d00d who hax0rz the average web site) appear to be in line to get their asses handed to them on a silver platter under this Act, and those provisions I can support. (Hell, those are about the only provisions I'd support ;-)

You are so wrong you can't believe it. The CFAA defines a "protected computer" to mean a computer that is used in interstate commerce. This means any computer connected to the internet or a modem.

I have litigated CFAA civil actions, and I am here to tell you that virtually ANY unauthorized access where virtually ANY valuable information is received, or where ANY valuable data is modified or changed is quite arguably sufficient to lay down a prima facie case.

This bill is as bad as you first thought it was.

Re:discover a LAN, go to JAIL

[TheGratefulNet]

I found this text (from 1030(a)(1), (a)(4), (a)(5)(A)):

(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

so, does this also mean that if I happen to ping some windows box and maybe it crashes when I ping it (that doesn't surprise me, does it surprise you?), and that windows box belongs to some whitehouse bigwig, am I now a terrorist?