[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] (Fwd) US assumes global cyber-police authority
- To: debate@lists.fitug.de
- Subject: [FYI] (Fwd) US assumes global cyber-police authority
- From: "Axel H Horns" <horns@ipjur.com>
- Date: Fri, 30 Nov 2001 14:44:36 +0100
- Comments: Sender has elected to use 8-bit data in this message. If problems arise, refer to postmaster at sender's site.
- Delivered-To: mailing list debate@lists.fitug.de
- List-Help: <mailto:debate-help@lists.fitug.de>
- List-Id: <debate.lists.fitug.de>
- List-Post: <mailto:debate@lists.fitug.de>
- List-Subscribe: <mailto:debate-subscribe@lists.fitug.de>
- List-Unsubscribe: <mailto:debate-unsubscribe@lists.fitug.de>
- Mailing-List: contact debate-help@lists.fitug.de; run by ezmlm
- Organization: NONE
- Priority: normal
------- Forwarded message follows -------
Date sent: Wed, 28 Nov 2001 08:41:36 -0500
To: dcsb@ai.mit.edu,
Digital Bearer Settlement List <dbs@philodox.com>,
cryptography@wasabisystems.com
From: "R. A. Hettinga" <rah@shipwright.com>
Subject: US assumes global cyber-police authority
http://www.theregister.co.uk/content/6/23036.html
US assumes global cyber-police authority
By Mark Rasch
Posted: 27/11/2001 at 10:32 GMT
Much has been written about the new anti-terrorism legislation passed
by Congress and signed by President Bush, particularly as it respects
the ability of the government to conduct surveillance on email,
voice-mail, and other electronic communications. However, too little
attention has been paid to other provisions of the legislation,
particularly a significant change to the definition of the types of
computers protected under federal law.
An amendment to the definition of a "protected computer" for the first
time explicitly enables U.S. law enforcement to prosecute computer
hackers outside the United States in cases where neither the hackers
nor their victims are in the U.S., provided only that packets related
to that activity traveled through U.S. computers or routers.
This remarkable amendment is to the Computer Fraud and Abuse Act,
which Congress enacted in 1984 to prohibit conduct that damages a
"Federal interest computer," defined at the time as "a computer owned
or used by the United States Government or a financial institution,"
or, "one of two or more computers used in committing the offense, not
all of which are located in the same State."
Evolution of the 'Protected Computer'
Under that initial definition, if a hacker in the U.S. broke into a
computer in a foreign country (or vice versa), because the computers
were not all located in the same state, a federal offense would have
been committed. If, however, the victim computer and the hacker's
computer were both located in the same state, this would be a purely
"intrastate" offense, punishable by the state or local government. (A
purely intrastate offense could also be prosecuted federally if the
victim computer was used by the federal government or a federally
insured institution, or if any computer involved in the offense was
located in another state.)
This limitation represented a conscious effort by the U.S. Congress to
limit the scope of federal crimes to those with a truly interstate
reach.
In 1994, Congress replaced the term "Federal interest computer" with
the phrase "computer used in interstate commerce or communication." In
1996, Congress amended the law once again, defining a new term,
"protected computer," and concomitantly expanding the number of
computers that the statute "protected." The 1996 amendments defined a
protected computer as one that is "exclusively for the use of a
financial institution or the United States Government, or, in the case
of a computer not exclusively for such use, used by or for a financial
institution or the United States Government and the conduct
constituting the offense affects that use by or for the financial
institution or the Government; or which is used in interstate or
foreign commerce or communication."
In the new anti-terrorism legislation, Congress once again expanded
the scope of federal jurisdiction over computer crimes. Section 814 of
the PATRIOT bill added to the definition of a protected computer an
explicit provision stating that federal law precludes activities
involving "a computer located outside the United States that is used
in a manner that affects interstate or foreign commerce or
communication of the United States."
Congress did not require that the effect on interstate or foreign
commerce or communication be substantial, or even, for that matter,
measurable.
Almost immediately after the legislation was signed, the Department of
Justice issued a guidance paper to instruct thousands of federal
prosecutors how to use the new statute. The guidance noted that:
Because of the interdependency and availability of global computer
networks, hackers from within the United States are increasingly
targeting systems located entirely outside of this country. The
[previous] statute did not explicitly allow for prosecution of such
hackers. In addition, individuals in foreign countries frequently
route communications through the United States, even as they hack from
one foreign country to another. In such cases, their hope may be that
the lack of any U.S. victim would either prevent or discourage U.S.
law enforcement agencies from assisting in any foreign investigation
or prosecution.
... Section 814 of the Act amends the definition of "protected
computer" to make clear that this term includes computers outside of
the United States so long as they affect "interstate or foreign
commerce or communication of the United States." 18 U.S.C. §
1030(e)(2)(B). By clarifying the fact that a domestic offense exists,
the United States can now use speedier domestic procedures to join in
international hacker investigations. As these crimes often involve
investigators and victims in more than one country, fostering
international law enforcement cooperation is essential.
In addition, the amendment creates the option, where appropriate, of
prosecuting such criminals in the United States. Since the U.S. is
urging other countries to ensure that they can vindicate the interests
of U.S. victims for computer crimes that originate in their nations,
this provision will allow the U.S. to provide reciprocal coverage.
The Department of Justice therefore views the amendment as more than a
mere clarification of existing law, but as an expansion of U.S.
jurisdiction to permit, for the first time, the United States to
prosecute cases where both the attacker and the victim are located
outside the United States, and to apply U.S. substantive and
procedural law to such international activity.
International Law
Computer crime in general, and computer hacking in particular, has
always been recognized as a uniquely trans-national offense. Hackers
from anywhere in the world can engage in activities that will affect
computers outside of the country from which they originate. Moreover,
computer viruses, worms and other malicious code do not respect
international boundaries, and can damage information or computers
located in countries far remote from those where the hacker is
located.
Interestingly, when a hacker in Singapore released the "I Love You"
virus affecting computers all over the world, only the U.S. FBI
traveled to Singapore to investigate. When the "Melissa" virus swept
across the planet, no foreign law enforcement officials descended on
New Jersey to prosecute David Smith, the author of the virus, nor were
any such officials publicly invited to participate.
Nevertheless, these cases demonstrate an important principle of
international law -- the so-called "protective principle." Every
nation has the right to extend the scope of its law beyond its borders
to protect the rights and property of its own nationals. An attack on
a U.S. citizen abroad may violate U.S. law. A gunshot from Canada that
kills a person in the United States may properly be prosecuted in the
United States. A hacker who attacks a computer in the United States
from a foreign country violates U.S. law, and it is entirely
appropriate that the United States should have the authority to
protect itself from such attacks. Whether the U.S. will take the lead
in such investigations or not will depend not so much on law, but on
international politics.
The recent Council of Europe Cybercrime Treaty encourages countries to
make computer crime an offense within their own borders, and to
cooperate on international investigations of computer crime.
In its interpretation of the need for the unprecedented expansion of
U.S. sovereignty, the Department of Justice asserts that U.S. law
enforcement agencies would not investigate cases of computer crime
where the victim and targets are located outside the United States,
not because of the lack of any authority to do so, but because, of a
lack of will. In fact, there is much truth to this assertion. Many law
enforcement agencies see no reason to assist foreign governments'
investigations where there is no likelihood that they will obtain a
conviction within the country.
However, the appropriate response to this reluctance is to encourage
domestic law enforcement agencies to assist their foreign brethren
voluntarily, not to expand the scope of domestic law to permit
prosecution within the United States of what is essentially a foreign
offense.
When Reach Exceeds Grasp
Congress' authority to criminalize conduct generally is derived from
Article I of the Constitution, which, among other things allows the
legislature to regulate interstate and foreign commerce. The statute
is broad and allows the protection of the instrumentalities and
channels of interstate or foreign commerce. In 1995 the Supreme Court
noted that Congress' power was limited though to regulate those
activities that "substantially affect" interstate commerce and not
merely those where the affect is tangential.
The distinction is crucial. Clearly if a U.S. computer or computer
network is shut down, attacked, penetrated, or prevented from properly
functioning as a result of foreign hacking activity, the protective
principle of international law should properly permit a U.S.
prosecution.
Where the affect on U.S. computer networks is slight -- to the point
of non-existence -- the U.S. should not impose its law on the
activity.
The new statute requires no threshold of damage or even effect on U.S.
computers to trigger U.S. sovereignty. The vast majority of Internet
traffic travels through the United States, with more than half of the
traffic traveling through Northern Virginia alone. The mere fact that
packets relating to the criminal activity travel through the United
States should not be enough to trigger U.S. jurisdiction, even though
such traffic would "affect" international commerce, albeit
infinitesimally.
The expanded statute, and the DOJ policy guidance, would permit the
U.S. to impose its law on the Internet generally, without the need to
show damage or trespass to a U.S. computer, merely on the basis of
packets being inadvertently routed through U.S. computers. This
represents and unwarranted and dangerous expansion of U.S.
sovereignty, and will invariably result in more turf battles with
foreign law enforcement agencies, rather than fewer.
Under the Department of Justice's interpretation of this legislation,
a computer hacker in Frankfurt Germany who hacks into a computer in
Cologne Germany could be prosecuted in the Eastern District of
Virginia in Alexandria if the packet of related to the attack traveled
through America Online's computers. Moreover, the United States would
reserve the right to demand that the extradition of the hacker even if
the conduct would not have violated German law, or to, as it has in
other kinds of cases, simply remove the offender forcibly for trial.
What is perhaps the most troubling about this legislation, in addition
to the lack of any debate or focus on it, is the fact that the
Department of Justice manual simply says that this unprecedented power
will be used in "appropriate cases." The Department of Justice
provides no guidance to prosecutors or citizens of the world what
kinds of cases it will deem to be "appropriate" for the expanded
jurisdiction.
The Department of Justice has no procedures in place to mandate
high-level DOJ review before such power can be used. A prosecutor in
Boise may therefore decide to go after a Norwegian hacker for hacking
a computer in Oslo, if the packets "affected" interstate commerce, and
the prosecutor thinks it "appropriate."
Every country has the right to protect its own citizens, property and
interests. No country has the right to impose its will, its values,
its mores or laws on conduct that occurs outside its borders even if
they may have a tangential effect on that country. The new legislation
permits the U.S. government to do just that, and is unwise and
unwarranted.
© 2001 SecurityFocus.com, all rights reserved.
Mark D. Rasch, J.D., is the Vice President for Cyberlaw at Predictive
Systems, Inc. in Reston, Virginia, a computer security and network
design consulting firm. Prior to joining Predictive Systems, Mr. Rasch
was the head of the U.S. Department of Justice Computer Crime Unit and
prosecuted a series of high profile computer crime cases from 1984 to
1991.
--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44
Farquhar Street, Boston, MA 02131 USA "... however it may deserve
respect for its usefulness and antiquity, [predicting the end of the
world] has not been found agreeable to experience." -- Edward Gibbon,
'Decline and Fall of the Roman Empire'
---------------------------------------------------------------------
The Cryptography Mailing List Unsubscribe by sending "unsubscribe
cryptography" to majordomo@wasabisystems.com
------- End of forwarded message -------
--
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de