EFF:

June 7, 2000


The Honorable Orrin G. Hatch
Chairman
Senate Judiciary Committee
224 Dirksen
Washington, DC 20510

Re: S. 2448, Internet Integrity and Critical Infrastructure Protection
Act of 2000

Dear Chairman Hatch:

We are pleased to share with you some further specific comments on
your bill, S. 2448.  We have been grateful for the attention that you
and your staff have shown to privacy concerns.  In particular, your
staff has spent many hours with us going over the bill both before and
after introduction.

Title I

We are concerned that Section 101(b)(3) of S. 2448 would amend the
federal Computer Fraud and Abuse Act, 18 USC Sect. 1030, to make the
most trivial forms of unauthorized computer access a potential federal
crime, by eliminating the $5,000 threshold that currently defines
"damage" in the absence of other specific harms.

The $5,000 threshold is important to the purport of Sect. 1030 because
otherwise the scope of the statute is exceedingly broad.  It was hard
for the drafters of Sect. 1030 to specify what kinds of conduct should
constitute a computer crime.  Consequently, subsection (a)(5)(A) is
very general: it makes it a crime to knowingly cause the transmission
of "information" and as a result intentionally cause damage without
authorization to any computer connected to the Internet.  Under
subsection (e)(8), damage is defined as "any impairment to the
availability of a system."  Sending a single email to someone who
didn't want it impairs the availability of that person's system for
the tiny amount of time it takes to download the message, and every
user who sends a message to someone who didn't want it intentionally
"impairs" the availability of that person's computer for that very
short period of time.  On the other hand, sending many thousands and
thousands of unwanted messages to a system also impairs the
availability of that system, but in a way that should be treated as a
criminal attack.  To make it clear that the latter was a crime but the
former was not, Sect. 1030(a)(5) has a damage requirement and damage
was defined in terms of a $5,000 threshold. (In contrast, subsections
(a)(1) - (4) and (6)-(7) of Sect. 1030 do not have damage
requirements, because the crimes there are more precisely defined.)

We oppose the elimination of the $5,000 threshold.  It will open up a
wide range of common conduct to the threat of criminal prosecution. We
are especially concerned that the authority would be used selectively
and could be used to intimidate those who use the Internet for
political advocacy. The concerns are compounded by the other sections
of S. 2448 that would require forfeiture to the government of the real
and personal property of any person convicted of any violation of
Sect. 1030 as expanded by section 101 and expand wiretap authority by
making all subsections of Sect. 1030  crimes a predicate for wiretaps.

Independently, we are concerned about the implications of forfeiture
of real property "used to facilitate" the commission of an offense
under Sect. 1030.

Suggested changes: On page 7, we would urge you to strike lines 1
through 5.

On page 9, lines 15 and 16, strike "in any property, whether real or
personal," and insert "in any computer equipment."

On page 10, line 11, strike "Any property, whether real or personal,"
and insert "Any computer equipment".


Section 302 -- Satellite TV Subscriber Privacy

We commend you for including Sec. 302, which would prohibit satellite
TV service providers from disclosing information about their customers
and their viewing habits unless the customers have affirmatively
agreed ("opted- in") to such sharing.  This provision extends to
satellite TV viewers some of the privacy protections accorded to cable
TV viewers under 47 USC 551. However, S, 2448 is not as strong as the
Cable Act:  S. 2448 allows disclosure to the government without notice
to the subscriber and an opportunity to object, and sets a lower
relevance standard for government access, thereby giving satellite TV
viewers less protection than existing federal law affords to cable TV
subscribers.   We recommend extending all of the privacy protections
of the Cable Act to satellite.

Suggested change: On page 31, strike lines 6 through 14 and insert "
(I) if the law enforcement agency shows that there is clear and
convincing evidence that the subject of the information is reasonably
suspected of engaging in criminal activity and that the information
sought would be material evidence in the case, and (II) if the subject
of the information is afforded the opportunity to appear and contest
such entity's claim. "

Title IV -- FBI/DOJ authority

CDT endorses the comments of Americans for Computer Privacy, of which
we are a member.  For the sake of completeness, we restate their
comments here

We are concerned that language in Section 402, specifically 402(a)(4),
could be interpreted as giving the FBI the ability (if not the express
authority) to set standards for the computer and telecommunications
industry.  We think subsection (a)(4) unintentionally yet mistakenly
gives such authority. Subsection (a)(5) gives NIPC the authority to
pursue any mission it wishes.

Suggested change: We strongly urges you to eliminate (a)(4) - (5)
altogether and list only the first three purposes, all of which help
delineate an appropriate role for law enforcement.

We share ACP's concerns with a couple of the duties listed for the new
DAAG created in Section 401.  In particular, please note those
sections that would become Sec. 507a(c)(2) and Sec 507a(c)(6).  The
first provision grants the DAAG the power to "coordinate national and
international activities relating to combatting computer crime."  This
grant of authority is too broad.  For example, dictating design
standards or compelling hacker information from companies both
represent "activities relating to combatting computer crime," but the
DAAG should not be given authority -- implied or otherwise -- to carry
out these activities.

Suggested change: To address this problem, we suggest that, after
"international," the words "law enforcement" be inserted.

International assistance

Section 502 permits the Attorney General to disclose information
regarding the activities of U.S. citizens or companies to foreign law
enforcement authorities, even where the activities are legal under
U.S. law.  Section 503(b)(2) of S. 2448 permits the US Attorney
General to provide computer crime evidence to foreign law enforcement
authorities "without regard to whether the conduct investigated
violates any Federal computer crime law."

Suggested change: To make it clear that this Title does not expands
the Justice Department's investigative authority to investigate lawful
conduct in the US at the request of foreign governments, strike
section 503(b)(2), lines 17 through 23 on page 54.

Possible Amendments

We congratulate you on keeping S. 2448  narrow, while at the same time
addressing a range of cyber-crime and e-commerce issues.  We remain
concerned about potential amendments that would introduce new issues,
for which CDT and other interested parties would not have had an
opportunity to review language and strive for consensus.  We stress,
as we did in our testimony, that it is important to proceed
cautiously, as you have, and keep the bill from becoming laden with
other issues that have not been adequately reviewed and refined.

Pen registers for the Internet

Primary among the issues we have feared might be offered as amendments
to S. 2448 is S. 2092, which the Justice Department is urging be added
to S. 2448.

S. 2092 would extend government surveillance authority over the
Internet in broad and ill-defined ways.  It does so with very broad
terminology, stating that the pen register can collect "dialing,
routing, addressing or signaling information," without further
definition. S. 2092 also would give every federal pen register and
trap and trace order nationwide effect, without limit and without
requiring the government to make a showing of need, creating a sort of
"roving pen register."

We have shared our concerns with Senator Schumer and are committed to
working with him to improve his bill.  At this point, we understand
that Sen. Schumer does not intend to offer his bill as an amendment to
S. 2448. A copy of our comments and suggestions on S. 2092 is
enclosed.

Again, we thank you for the care with which you have approached these
difficult issues and for your willingness to make changes to your bill
to accommodate the privacy and civil liberties concerns.  We look
forward to continuing to work with you to develop a consensus bill
that can enjoy widespread support.

Sincerely,



James X. Dempsey
Senior staff counsel