Combatting malicious spyware and privacy violations on the Internet is a big part of CDT’s mission. So CDT supports strong legal tools to pursue bad actors. But we also want to ensure that those tools don’t provide a broad basis for targeting or threatening people who aren’t doing anything nefarious. A provision in a bill approved by the Senate Judiciary Committee yesterday carries that risk.

The bill, S. 2168, includes a variety of reasonable provisions designed to improve the criminal statute against computer intrusions, including raising criminal penalties against spyware purveyors. But one item is problematic.

Specifically, 18 U.S.C. 1030(a)(5) currently criminalizes accessing or transmitting data to a computer on an unauthorized basis, in a manner that causes damage of at least $5,000. The new bill would eliminate the requirement that prosecutors demonstrate that damages are at least $5,000. Under the new bill:

• Violations without the $5,000 damage showing would be prosecutable — though as misdemeanors rather than felonies;
• Felony status would require either a showing of $5,000 in damages, or a showing that 10 or more computers were affected; and
• The private right of action in 1030(g) would be substantially expanded, becoming available not just when there is $5,000 in damage, but also (like felony status) whenever 10 computers have been affected.

The fundamental problem is that the basic conduct prohibited by 1030(a)(5) is potentially very broad. Accessing or transmitting data to a computer could include just about any behavior, as the terms are not defined, and “damage” is defined in an exceedingly broad way: “any impairment to the integrity or availability of data, a program, a system, or information.” Without a $5,000 damage minimum, 1030(a)(5) could sweep very broadly, covering lots of non-fraudulent activities that are common and almost unavoidable on the Internet.

For example, it could cover the sending of a single unwanted email. Suppose I send you an unwanted email. For the short moment that your email program is downloading the unwanted email I have sent you, its availability to download wanted mail is “impaired.” It would be absurd to treat that as criminal, of course, but the law could easily be read to cover it. Other low-grade intrusions, like a teenager sneaking onto his friend’s computer to modify his home page as a joke, could likewise fall within the literal scope of the law if the damage threshold were removed.

True, the government wouldn’t tend to prosecute these kinds of cases. But the ability to do so would give the Department of Justice a huge threat to hold over the people involved in order to secure other cooperation or concessions. And the expanded private right of action could open the door to litigious or harassing behavior by private parties.

That is why the current law includes the $5,000 threshold. With the underlying prohibition so vague and open-ended, it makes sense for criminal liability not to kick in until some concrete harm can be shown. Alternatively, it might make sense to drop the damages threshold in exchange for clarifying other aspects of 1030(a)(5), but that option doesn’t seem to be on the table. For similar reasons, impact on 10 computers is too low a threshold for felony status or private lawsuits; unwanted emails to a mailing list of 10 computers could technically qualify, without any significant damage.

The bottom line is, CDT believes the $5,000 damage threshold is important to guide prosecutorial discretion in enforcing a vague law. And it is significant to note that to get to $5,000, DoJ can cumulate all damages across all affected computers — so getting to $5,000 shouldn’t be that hard, if the activity is of any significant scale.

DoJ has long sought removal of the $5,000 threshold, but Congress has wisely resisted. Yesterday’s approval in Committee suggests that DoJ’s persistence on this issue may finally pay off — keep asking, and eventually you’ll find a Congress that will say “ok.”

This entry was posted on Friday, November 2nd, 2007 at 3:50 pm and is filed under CDT, Consumer Privacy, spyware. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.