[iwar] [fc:Ashcroft's.Global.Internet.Power-Grab]

From: Fred Cohen (fc@all.net)
Date: 2001-11-26 16:37:06



Ashcroft's Global Internet Power-Grab
A little-noticed provision in the new anti-terrorism act imposes U.S. cyber
crime laws on other nations, whether they like it or not

By Mark Rasch
Nov 25 2001 11:00PM PT

Much has been written about the new anti-terrorism legislation passed by
Congress and signed by President Bush, particularly as it respects the
ability of the government to conduct surveillance on email, voice-mail, and
other electronic communications. However, too little attention has been paid
to other provisions of the legislation, particularly a significant change to
the definition of the types of computers protected under federal law.

An amendment to the definition of a "protected computer" for the first time
explicitly enables U.S. law enforcement to prosecute computer hackers
outside the United States in cases where neither the hackers nor their
victims are in the U.S., provided only that packets related to that activity
traveled through U.S. computers or routers.

This remarkable amendment is to the Computer Fraud and Abuse Act, which
Congress enacted in 1984 to prohibit conduct that damages a "Federal
interest computer," defined at the time as "a computer owned or used by the
United States Government or a financial institution," or, "one of two or
more computers used in committing the offense, not all of which are located
in the same State."

Evolution of the 'Protected Computer'
Under that initial definition, if a hacker in the U.S. broke into a computer
in a foreign country (or vice versa), because the computers were not all
located in the same state, a federal offense would have been committed. If,
however, the victim computer and the hacker's computer were both located in
the same state, this would be a purely "intrastate" offense, punishable by
the state or local government. (A purely intrastate offense could also be
prosecuted federally if the victim computer was used by the federal
government or a federally insured institution, or if any computer involved
in the offense was located in another state.)

This limitation represented a conscious effort by the U.S. Congress to limit
the scope of federal crimes to those with a truly interstate reach.

In 1994, Congress replaced the term "Federal interest computer" with the
phrase "computer used in interstate commerce or communication." In 1996,
Congress amended the law once again, defining a new term, "protected
computer," and concomitantly expanding the number of computers that the
statute "protected." The 1996 amendments defined a protected computer as one
that is "exclusively for the use of a financial institution or the United
States Government, or, in the case of a computer not exclusively for such
use, used by or for a financial institution or the United States Government
and the conduct constituting the offense affects that use by or for the
financial institution or the Government; or which is used in interstate or
foreign commerce or communication."

In the new anti-terrorism legislation, Congress once again expanded the
scope of federal jurisdiction over computer crimes. Section 814 of the
PATRIOT bill added to the definition of a protected computer an explicit
provision stating that federal law precludes activities involving "a
computer located outside the United States that is used in a manner that
affects interstate or foreign commerce or communication of the United
States."

Congress did not require that the effect on interstate or foreign commerce
or communication be substantial, or even, for that matter, measurable.

Almost immediately after the legislation was signed, the Department of
Justice issued a guidance paper to instruct thousands of federal prosecutors
how to use the new statute. The guidance noted that:

Because of the interdependency and availability of global computer networks,
hackers from within the United States are increasingly targeting systems
located entirely outside of this country. The [previous] statute did not
explicitly allow for prosecution of such hackers. In addition, individuals
in foreign countries frequently route communications through the United
States, even as they hack from one foreign country to another. In such
cases, their hope may be that the lack of any U.S. victim would either
prevent or discourage U.S. law enforcement agencies from assisting in any
foreign investigation or prosecution.

... Section 814 of the Act amends the definition of "protected computer" to
make clear that this term includes computers outside of the United States so
long as they affect "interstate or foreign commerce or communication of the
United States." 18 U.S.C. § 1030(e)(2)(B). By clarifying the fact that a
domestic offense exists, the United States can now use speedier domestic
procedures to join in international hacker investigations. As these crimes
often involve investigators and victims in more than one country, fostering
international law enforcement cooperation is essential.

In addition, the amendment creates the option, where appropriate, of
prosecuting such criminals in the United States. Since the U.S. is urging
other countries to ensure that they can vindicate the interests of U.S.
victims for computer crimes that originate in their nations, this provision
will allow the U.S. to provide reciprocal coverage.

The Department of Justice therefore views the amendment as more than a mere
clarification of existing law, but as an expansion of U.S. jurisdiction to
permit, for the first time, the United States to prosecute cases where both
the attacker and the victim are located outside the United States, and to
apply U.S. substantive and procedural law to such international activity.

International Law
Computer crime in general, and computer hacking in particular, has always
been recognized as a uniquely trans-national offense. Hackers from anywhere
in the world can engage in activities that will affect computers outside of
the country from which they originate. Moreover, computer viruses, worms and
other malicious code do not respect international boundaries, and can damage
information or computers located in countries far remote from those where
the hacker is located.

Interestingly, when a hacker in Singapore released the "I Love You" virus
affecting computers all over the world, only the U.S. FBI traveled to
Singapore to investigate. When the "Melissa" virus swept across the planet,
no foreign law enforcement officials descended on New Jersey to prosecute
David Smith, the author of the virus, nor were any such officials publicly
invited to participate.

Nevertheless, these cases demonstrate an important principle of
international law -- the so-called "protective principle." Every nation has
the right to extend the scope of its law beyond its borders to protect the
rights and property of its own nationals. An attack on a U.S. citizen abroad
may violate U.S. law. A gunshot from Canada that kills a person in the
United States may properly be prosecuted in the United States. A hacker who
attacks a computer in the United States from a foreign country violates U.S.
law, and it is entirely appropriate that the United States should have the
authority to protect itself from such attacks. Whether the U.S. will take
the lead in such investigations or not will depend not so much on law, but
on international politics.

The recent Council of Europe Cybercrime Treaty encourages countries to make
computer crime an offense within their own borders, and to cooperate on
international investigations of computer crime.

In its interpretation of the need for the unprecedented expansion of U.S.
sovereignty, the Department of Justice asserts that U.S. law enforcement
agencies would not investigate cases of computer crime where the victim and
targets are located outside the United States, not because of the lack of
any authority to do so, but because of a lack of will. In fact, there is
much truth to this assertion. Many law enforcement agencies see no reason to
assist foreign governments' investigations where there is no likelihood that
they will obtain a conviction within the country.

However, the appropriate response to this reluctance is to encourage
domestic law enforcement agencies to assist their foreign brethren
voluntarily, not to expand the scope of domestic law to permit prosecution
within the United States of what is essentially a foreign offense.

When Reach Exceeds Grasp
Congress' authority to criminalize conduct generally is derived from Article
I of the Constitution, which, among other things, allows the legislature to
regulate interstate and foreign commerce. The statute is broad and allows
the protection of the instrumentalities and channels of interstate or
foreign commerce. In 1995 the Supreme Court noted, though, that Congress' power
was limited to regulating those activities that "substantially affect"
interstate commerce, and not merely those where the effect is tangential.

The distinction is crucial. Clearly if a U.S. computer or computer network
is shut down, attacked, penetrated, or prevented from properly functioning
as a result of foreign hacking activity, the protective principle of
international law should properly permit a U.S. prosecution.

Where the effect on U.S. computer networks is slight -- to the point of
non-existence -- the U.S. should not impose its law on the activity.

The new statute requires no threshold of damage or even effect on U.S.
computers to trigger U.S. sovereignty. The vast majority of Internet traffic
travels through the United States, with more than half of the traffic
traveling through Northern Virginia alone. The mere fact that packets
relating to the criminal activity travel through the United States should
not be enough to trigger U.S. jurisdiction, even though such traffic would
"affect" international commerce, albeit infinitesimally.

The expanded statute, and the DOJ policy guidance, would permit the U.S. to
impose its law on the Internet generally, without the need to show damage or
trespass to a U.S. computer, merely on the basis of packets being
inadvertently routed through U.S. computers. This represents an unwarranted
and dangerous expansion of U.S. sovereignty, and will invariably result in
more turf battles with foreign law enforcement agencies, rather than fewer.

Under the Department of Justice's interpretation of this legislation, a
computer hacker in Frankfurt, Germany, who hacks into a computer in Cologne,
Germany, could be prosecuted in the Eastern District of Virginia in
Alexandria if the packets related to the attack traveled through America
Online's computers. Moreover, the United States would reserve the right to
demand the extradition of the hacker even if the conduct would not have
violated German law, or to, as it has in other kinds of cases, simply remove
the offender forcibly for trial.

What is perhaps the most troubling about this legislation, in addition to
the lack of any debate or focus on it, is the fact that the Department of
Justice manual simply says that this unprecedented power will be used in
"appropriate cases." The Department of Justice provides no guidance to
prosecutors or citizens of the world as to what kinds of cases it will deem to be
"appropriate" for the expanded jurisdiction.

The Department of Justice has no procedures in place to mandate high-level
DOJ review before such power can be used. A prosecutor in Boise may
therefore decide to go after a Norwegian hacker for hacking a computer in
Oslo, if the packets "affected" interstate commerce, and the prosecutor
thinks it "appropriate."

Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems Inc. in Reston, Virginia, a computer security and network design
consulting firm. Prior to joining Predictive Systems, Mr. Rasch was the head
of the U.S. Department of Justice Computer Crime Unit and prosecuted a
series of high profile computer crime cases from 1984 to 1991.




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST