------------------------------ From: Mitch Kapor Subject: Massachusetts Computer Crime Bill Date: Mon, Oct 29, 1990 ******************************************************************** *** CuD #2.10: File 4 of 9: Massachusetts Computer Crime Bill *** ******************************************************************** {The following summary is reprinted with permission from The Well-- Moderators}. Background *********** The EFF has, for the past three months, been involved with an extensive series of events concerning pending legislation in the state of Massachusetts concerning computer crime. Unbeknownst to almost everyone a computer crime bill had passed both houses of the Massachusetts legislature and was sitting on the Governor's desk awaiting signature. The original bill had a number of fundamental flaws, not the least of which was the unproven assumption that a bill which broadly criminalized whole ranges of computer-related activities was even called for. In fact, the bill appeared to operate from the same set of assumptions that we have seen too often in other EFF activities: an untested belief that more regulation is necessarily better and a disregard for the consequences of such an approach in stifling free speech and ordinary commerce. The result was a bill which was both unwise as well as unconstitutional. The bill, while arguably well-intentioned, would have had severe unintended consequences such as making it a criminal act to teach a course in computer security and making a criminal of a software customer who failed to renew a license agreement. In addition, there was virtually no real input into the process which led to the bill's passage, although the formalities were followed. For these reasons the EFF joined with the Software Council in requesting the Governor veto the bill. Through a series of meetings with the Governor, his staff, the Attorney General, the Bar Association, and members of the Council, we were able to work out a compromise. It can be said without exaggeration that the EFF played the key role in this process. Sharon Beckman, in particular, was invaluable in spearheading the legal work, including the drafting of a replacement bill. The Bill Itself ************* The language of the bill now balances property and free speech interests, and is the first such legislation to do so, as far as we know. As such, after its passage, it can serve as model legislation for other states as well as the country as a whole. The preamble of the bill explicitly recognizes that the integrity of computer systems must be protected in a way which does not infringe on the rights of users of computer technology, including freedoms of speech, association, and privacy. In its first provision, the bill makes it a crime to knowingly and without authorization access a controlled computer system with the intention of causing damage and actually cause damage in excess of $10,000. The second provision of the bill is identical to the one above except that it covers activities undertaken with reckless disregard of the consequences as opposed to intent to cause damage and carries a lesser penalty. The bill breaks new ground is in the area of enforcement. Prosecutions may be brought only by the Attorney General and only after guidelines are established regarding the conduct of search and seizure operations. These guidelines must be consistent with the concerns stated in the preamble. The bill also establishes a 17 person commission charged with recommending future legislation in this area. The Task Ahead *************** Now that the Governor has sent a revised bill back to the Legislature, it is up to them. We will be meeting with the Legislative co-sponsors of the bill in the next few weeks to find out where they stand and, we hope, gather their support. Here is the text of the bill itself Proposed text of Mass. Computer Crime Bill Carefully balancing the need to make unlawful entry into computer systems a criminal offense against the need to protect the privacy and First Amendment rights of users of computers has, and remains, a basic tenet guiding Massachusetts efforts to prevent computer crime. To better strike this vital balance, and pursuant to authority vested in me by Article LVI of the Amendments to the Massachusetts Constitution, I am returning for amendment S.1543, "An Act Prohibiting Certain Acts Relative to Computers, Computer Data and Computer Systems". S.1543 would have the unintended effect of restricting access to computers by legitimate users. Such restricted access would inadvertently chill the energy and creativity which are the hallmarks of Massachusetts business and industry. I agree with the bill's sponsors that there is a need for Massachusetts to make more clear that it is a crime to unlawfully enter some one else's computer system and through reckless or intentional behavior cause harm or damage. Therefore, in lieu of vetoing S. 1543, I recommend that it be amended by striking the language of the bill in its entirety and substituting in its place the following: AN ACT PROHIBITING CERTAIN ACTS RELATIVE TO COMPUTERS AND COMPUTER SYSTEMS. Be it enacted by the Senate and House of Representatives in General Court assembled and by the authority of same, as follows: SECTION 1. The General Court hereby finds and declares that the development of computer technology has given rise to new communication, privacy and property interests of importance to individuals, businesses, and government agencies in this Commonwealth. The protection of computer systems is therefore vital to the welfare of individuals and businesses in the Commonwealth. The General court also finds and declares that computers and computer networks have enabled new forms of communication, including electronic publications, electronic bulletin boards, electronic conferences, and electronic mail,m which are protected by fundamental rights, including freedom of speech and association and freedom from unreasonable governmental intrusion. It is the intention of this act to protect the integrity of computer systems without infringing on the rights described above and without impeding the use and development of computer and communications technology. Therefore, the General Laws are hereby amended by inserting after chapter 266 the following chapter: Chapter 266A. SECTION: 1. (A) Whoever knowingly accesses a controlled access computer system knowing such access to be without authorization and knowingly causes the transmission of a program, information, code or command to a computer or computer system, without authorization and intending that such program, information, code or command will damage or cause damage to a computer, computer system, network, information, data or program, or withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data or program, and thereby causes loss or damage to one or more other persons of $10,000 or more shall be punished by imprisonment in a jail or house of correction for not more that 2 1/2 years, or a fine of not more than 25,000 or both. (B) Whoever knowingly accesses a controlled access computer system knowing such access to be without authorization and knowingly causes the transmission of a program, information, code or command to a computer or computer system, without authorization and with reckless disregard of a substantial and unjustifiable risk that such program, information, code or command will damage or cause damage to a computer, computer system, network, information, data or program, or withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system, or network, information, data or program, and thereby causes loss or damage to one or more other persons of $10,000 or more shall be punished by imprisonment in a jail or house of corrections for not more than 1 year, or a fine of not more than $5000, or both. (C) Prosecutions, Investigations, and Reporting by the Attorney General (1) Prosecutions under this section shall be brought only by the Attorney General. (2) Any Application for a warrant to conduct a search or seizure of a computer, computer system, or electronic communication system under this section must be approved by the Attorney General or an Assistant Attorney General. (3) The Attorney General shall, within six months of the effective data of this Act, issue guidelines for the procedures governing the investigation and prosecution of an offense under this section, incorporating in such guidelines a requirement that violations of this section be investigated by methods that are least restrictive of the rights of freedom of speech and association and the right to privacy implicated in computer systems, and least disruptive to legitimate use of computer systems, without jeopardizing compelling law enforcement interests. Such guidelines shall not provide a basis for dismissal of an otherwise proper complaint brought under this sections or for exclusion of evidence that is otherwise admissible in a proceeding under this section. (4) The Attorney General shall collect and compile information on, and report to the General Court annually on, searches, seizures, and prosecutions commenced pursuant to this section. SECTION: 2. There is hereby established a study commission on computer technology and the law. The Commission shall consist of sixteen members who shall serve without compensation. Notwithstanding any provision of section six of chapter two hundred and sixty-eight A to the contrary, the commission shall consist of the attorney general or his designee who shall be chairman, the secretary of the executive office of economic affairs or his designee, the senate chair of the joint committee on criminal justice, the house chair of the joint committee on criminal justice, and twelve persons appointed by the governor, including two representatives from the Massachusetts Software Council and one representative of each of the following organizations, to be selected from a list of recommendations provided by that organization: the Massachusetts Bar Association, the Boston Bar Association, the state council of the AFL-CIO, the Boston Computer Society, and one representative from the computer hardware industry, one r Said Commission shall investigate the legitimate communication, privacy, and property interests of individuals, businesses, and government agencies within this Commonwealth implicated by new computer technologies and shall evaluate the sufficiency of existing Massachusetts law to protect and preserve those interests. The Commission shall report to the General Court the results of its investigation and study, and its recommendations, together with drafts of legislation to carry its recommendations into effect, by filing its report with the clerk of the house of representatives and with the clerk of the senate on or before____. Makes it a felony intentionally to cause harm to a computer or the information stored in it by transmitting a computer program or code (including computer viruses) without the knowledge and authorization of the person responsible for the computer attacked. Makes it a misdemeanor recklessly to cause harm to a computer or the information stored in it by transmitting a computer program or code (including computer viruses) without the knowledge and authorization of the person responsible for the computer attacked. JURISDICTION Covers harm to any computer or program that involves $1,000 worth of damage or tampering with medical records. PENALTY Find and/or imprisonment for up to five years for the felony. Fine and/or imprisonment for up to one yer for the misdemeanor. CIVIL CAUSE OF ACTION Creates a new, civil cause of action for those harmed by a violation of the Act for compensatory or injunctive relief. DEFINITION OF "ACCESS" Defines "access" -- a term used throughout the Computer Fraud and Abuse Act -- to cover the remote transmission of a program to affect a computer or the information stored in it. ******************************************************************** >> END OF THIS FILE << *************************************************************************** Downloaded From P-80 International Information Systems 304-744-2253 12yrs+