------------------------------ Date: 19 September, 1990 From: Moderators Subject: California Computer Abuse Law revisited ******************************************************************** *** CuD #2.04: File 4 of 7: California Computer Abuse Law *** ******************************************************************** In a previous issue of Computer underground Digest (1.17, File 5), the California revision of Title 13 Sections 502 and 502.7 was described as an example of the potential dangers in "cracking down" on computer hackers. Upper case indicates emphasis that we have added. Title 13 Sect. 502.7: "(a) A person who, knowingly, willfully, and with intent to defraud a person providing telephone or telegraph service, avoids or attempts to avoid, OR AIDS ABETS OR CAUSES ANOTHER TO AVOID the lawful charge, in whole or in part, for telephone or telegraph service by any of the following means is guilty of a misdemeanor or a felony, as provided in subdivision (f):" There follows a list of proscribed means, including charging to non-existence credit cards and tampering with telecom facilities, most of which seem reasonable. One, however, strikes us as potentially dangerous. 502.7 (b) states: "Any person who MAKES, POSSESSES, SELLS, GIVES, OR OTHERWISE TRANSFERS TO ANOTHER, OR OFFERS OR ADVERTISES ANY INSTRUMENT, APPARATUS, OR DEVICE WITH INTENT TO USE IT or with knowledge or reason to believe it is intended to be used to avoid any lawful telephone or telegraph toll charge or to conceal the existence or place of origin of destination of any telephone or telegraph message; or (2) sells, gives, or otherwise transfers to another, or advertises plans or instruments for making or assemblying an instrument, apparatus, or device described in paragraph (1) of this subdivision with knowledge or reason to believe that they MAY BE {emphasis added} used to make or assemble the instrument, apparatus, or device is guilty of a misdemeanor or a felony, as provided in subdivision (f)." The broad wording of this laws would make it illegal to possess information on "boxing" or to possess an autodialer. The problematic language here is "with knowledge or reason to believe it is intended to avoid. . .". We have seen from Operation Sun Devil that, contrary to normal Constitutional procedures, the burden of proof of innocence lies on the "suspect." A BBS operator who puts boxing files in a text section, knowing that some users might try to apply the knowledge illegally, could, under the current philosophy of the Secret Service and others, be indicted. This may seen a remote possibility, but we have seen from recent activity that we simply cannot rely on good faith interpretations of the law by some prosecutors, especially those willing to distort "evidence" to strengthen a case. Further, the term "may be" is unnecessarily vague. Generally, the term means "expressing ability, permission, freedom, possibility, contingency, chance, competence..." (Chambers 20th Century Dictionary, 1972: p. 811). An automobile dealer presumably knows that a customer "may" use a car in the commission of a crime, or "may" drive the car while intoxicated. Yet, it is absurd to consider holding the dealer criminally liable for the sale in the event the customer "may" be able to do so. Our point is that the language of this Bill seems unnecessarily restrictive and open to potential abuses by law enforcement agents, especially those willing to seek "test cases" to test the laws. Californians should write their legislators with their concerns in hopes that the language would be revised in a way that allows legitimate targeting of "real" computer criminals, but reduces the potential for using the law to persecute those for whom less stringent and more productive responses are appropriate. Just as chilling is subdivision (g) of this passage. The language in (g) specifies: Any instrument, apparatus, device, plans, instructions, or written publication described in subdivision (b) or (c) may be seized under warrant or incident to a lawful arrest, and, upon the conviction of a person for a violation of subdivision (a), (b), or (c), the instrument, apparatus, device, plans, instructions, or written publication may be destroyed as contraband by the sheriff of the county in which the person was convicted or turned over to the person providing telephone or telegraph service in the territory in which it was seized. This section seems reasonable to the extent that it specifies confiscation of an illegal "instrument" upon conviction. The problem, however, is the apparent tendency in some states to seize equipment even when indictments are not forthcoming. The wording would seem to offer incentives to agents to secure an arrest as a means to confiscate equipment, even if charges were subsequently dropped. Again, this may seem far-fetched, but the undeveloped state of computer law and the actions of prosecutors in early 1990 leave little room for confidence in good faith interpretation of the wording. Take an example: If a person were to be indicted for posession of an auto-dialer (which generally has but one purpose) pursuant to a search warrant for unrelated reasons, computer equipment could be confiscated. We have seen from the actions of agents that the definition of "equipment" is quite broad, and can include printers, modems, answering machines, or even books and pictures. If the person is convicted of possession, then the equipment could be lost. Again, "common sense," that sixth sense that tells us the world is flat, would tell us that such a possibility seems absurd. However, the zealousness of Sun Devil agents reduces the absurdity to the level of a "could be," and it is because of their actions that we are concerned with this wording. Title 13, Sect 502 (h) provides that: Any computer, computer system, computer network, or any software or data, owned by the defendant, which is used during the commission of any public offense described in this section any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of this section shall be subject to forfeiture. The chilling aspect of this passage is that is says nothing about conviction. Does "subject to forfeiture" mean that, even if found innocent, one could lose their equipment? A good faith reading suggests that the intent of the language at least implies that a conviction must occur. But, in reading the indictments of Craig Neidorf and Len Rose (neither from California), we should be cautious before assuming that prosecutors will not resort to creative interpretations to file an indictment. We should also be aware that at least one California prosecutor has published statements advocating an aggressive enforcement policy against "hackers" and has advocated responses that he acknowledges are probably unconstitutional. Given the broad interpretation of the law, and considering how companies such as BellSouth have grossly inflated the value of products (such as in the Neidorf case, in which information available for $13 was valued, according to the first indictment, at $79,449, and in the second indictment reduced to $23,900). Given their public statements in the media and the hyperbole of indictments, we cannot assume "good faith" prosecution by law enforcement, and the language of the California Act seems wide open for abuse. Our purpose is not simply to criticize this law, but to use it as an icon for other state and federal law. Some states are revising their laws, and it is crucial that computerists be aware of, and offer input into, their wording to assure that legitimate enforcement needs are met and potential for abuse or misuse removed. There must be a balance, and without public input such a balance is unlikely. We find Jim Warren's article (File 5, following) significant. It suggests that computerists introduce this as an issue in political campaigns as a means of educating both the public and the politicians. ******************************************************************** >> END OF THIS FILE << *************************************************************************** Downloaded From P-80 International Information Systems 304-744-2253 12yrs+