[Congressional Record: December 7, 2007 (Senate)]
[Page S15032-S15033]
STATEMENTS ON INTRODUCED BILLS AND JOINT RESOLUTIONS
By Mr. FEINGOLD:
S. 2434. A bill to clarify conditions for the interceptions of
computer trespass communications under the USA-PATRIOT Act; to the
Committee on the Judiciary.
Mr. FEINGOLD. Mr. President, I am pleased to introduce the Computer
Trespass Clarification Act of 2007, which would amend and clarify
section 217 of the USA PATRIOT Act. This bill is virtually identical to
a bill I introduced in the 109th Congress.
Section 217 of the Patriot Act addresses the interception of computer
trespass communications. This bill would modify existing law to more
accurately reflect the intent of the provision, and also protect
against invasions of privacy.
Section 217 was designed to permit law enforcement to assist computer
owners who are subject to denial of service attacks or other episodes
of hacking. The original Department of Justice draft of the bill that
later became the Patriot Act included this provision. A section by
section analysis provided by the Department on September 19, 2001,
stated the following:
Current law may not allow victims of computer trespassing
to request law enforcement assistance in monitoring
unauthorized attacks as they occur. Because service providers
often lack the expertise, equipment, or financial resources
required to monitor attacks themselves as permitted under
current law, they often have no way to exercise their rights
to protect themselves from authorized attackers. Moreover,
such attackers can target critical infrastructures and engage
in cyberterrorism. To correct this problem, and help to
protect national security, the proposed amendments to the
wiretap statute would allow victims of computer attacks to
authorize persons ``acting under color of law'' to monitor
trespassers on their computer systems in a narrow class of
cases.
I strongly supported the goal of giving computer system owners the
ability to call in law enforcement to help defend themselves against
hacking. Including such a provision in the Patriot Act made a lot of
sense. Unfortunately, the drafters of the provision made it much
broader than necessary, and refused to amend it at the time we debated
the bill in 2001. As a result, the law now gives the government the
authority to intercept communications by people using computers owned
by others as long as they have engaged in some unauthorized activity on
the computer, and the owner gives permission for the computer to be
monitored--all without judicial approval.
Only people who have a ``contractual relationship'' with the owner
allowing the use of a computer are exempt from the definition of a
computer trespasser under section 217 of the Patriot Act. Many people--
for example, college students, patrons of libraries, Internet cafes or
airport business lounges, and guests at hotels--use computers owned by
others with permission, but without a contractual relationship. They
could end up being the subject of Government snooping if the owner of
the computer gives permission to law enforcement.
My bill would clarify that a computer trespasser is not someone who
has permission to use a computer by the owner or operator of that
computer. It would bring the existing computer trespass provision in
line with the purpose of section 217 as expressed in the Department of
Justice's initial explanation of the provision. Section 217 was
intended to target only a narrow class of people: unauthorized
cyberhackers. It was not intended to give the government the
opportunity to engage in widespread surveillance of computer users
without a warrant.
Another problem is that unless criminal charges are brought against
someone as a result of such surveillance, there would never be any
notice at all that the surveillance has taken place. The computer owner
authorizes the surveillance, and the FBI carries it out.
There is no warrant, no court proceeding, no opportunity even for the
subject of the surveillance to challenge the assertion of the owner
that some unauthorized use of the computer has occurred.
My bill would modify the computer trespass provision in the following
additional ways to protect against abuse, while still maintaining its
usefulness in cases of denial of service attacks and other forms of
hacking.
First, it would require that the owner or operator of the protected
computer authorizing the interception has been subject to ``an ongoing
pattern of communications activity that threatens the integrity or
operation of such computer.'' In other words, the owner has to be the
target of some kind of hacking.
Second, the bill limits the length of warrantless surveillance to 96
hours. This is twice as long as is allowed for an emergency criminal
wiretap. With four days of surveillance, it should not be difficult for
the government to gather sufficient evidence of wrongdoing to obtain a
warrant if continued surveillance is necessary.
Finally, the bill would require the Attorney General to report
annually on the use of Section 217 to the Senate and House Judiciary
Committees. Section 217 was originally subject to the sunset provision
in the Patriot Act and therefore would have expired at the end of 2005.
However, the USA PATRIOT Improvement and Reauthorization Act, which
became law in March 2006, made this provision permanent. Congress needs
to do more oversight of the use of this provision.
The computer trespass provision now in the law as a result of section
217 of the PATRIOT Act leaves open the potential for significant and
unnecessary invasions of privacy. The reasonable and modest changes to
the provision contained in this bill preserve the usefulness of the
provision for investigations of cyberhacking, but reduce the
possibility of government abuse. I urge my colleagues to support the
Computer Trespass Clarification Act.
Mr. President, I ask unanimous consent that the text of the bill be
printed in the Record.
There being no objection, the text of the bill was ordered to be
printed in the Record, as follows:
S. 2434
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Computer Trespass
Clarification Act of 2007''.
SEC. 2. AMENDMENTS TO TITLE 18.
(a) Definitions.--Section 2510(21)(B) of title 18, United
States Code, is amended by--
(1) inserting ``or other'' after ``contractual''; and
[[Page S15033]]
(2) striking ``for access'' and inserting ``permitting
access''.
(b) Interception and Disclosure.--Section 2511(2)(i) of
title 18, United States Code, is amended--
(1) in clause (I), by inserting ``is attempting to respond
to communications activity that threatens the integrity or
operation of such computer and requests assistance to protect
the rights and property of the owner or operator, and'' after
``the owner or operator of the protected computer''; and
(2) in clause (IV), by inserting ``ceases as soon as the
communications sought are obtained or after 96 hours,
whichever is earlier (unless an order authorizing or
approving the interception is obtained under this chapter)
and'' after ``interception''.
(c) Report.--Not later than 60 days after the date of
enactment of this Act, and annually thereafter, the Attorney
General shall submit a report to the Committee on the
Judiciary of the Senate and the Committee on the Judiciary
the House of Representatives on the use of section 2511 of
title 18, United States Code, relating to computer trespass
provisions, as amended by subsection (b), during the year
before the year of that report.
______
