Oracle Corporation et al v. SAP AG et al
Filing
657
Declaration of Zachary J. Alinder in Support of 649 MOTION for Partial Summary Judgment filed byOracle International Corporation, Oracle USA Inc.. (Attachments: # 1 Exhibit 1, # 2 Exhibit 2, # 3 Exhibit 3, # 4 Exhibit 4, # 5 Exhibit 5, # 6 Exhibit 6, # 7 Exhibit 7, # 8 Exhibit 8, # 9 Exhibit 9, # 10 Exhibit 10, # 11 Exhibit 11, # 12 Exhibit 12, # 13 Exhibit 13, # 14 Exhibit 14, # 15 Exhibit 15, # 16 Exhibit 16, # 17 Exhibit 17, # 18 Exhibit 18, # 19 Exhibit 19, # 20 Exhibit 20, # 21 Exhibit 21, # 22 Exhibit 22, # 23 Exhibit 23, # 24 Exhibit 24, # 25 Exhibit 25, # 26 Exhibit 26, # 27 Exhibit 27, # 28 Exhibit 28, # 29 Exhibit 29, # 30 Exhibit 30, # 31 Exhibit 31, # 32 Exhibit 32, # 33 Exhibit 33, # 34 Exhibit 34, # 35 Exhibit 35, # 36 Exhibit 36, # 37 Exhibit 37, # 38 Exhibit 38, # 39 Exhibit 39, # 40 Exhibit 40, # 41 Exhibit 41, # 42 Exhibit 42, # 43 Exhibit 43, # 44 Exhibit 44, # 45 Exhibit 45, # 46 Exhibit 46, # 47 Exhibit 47, # 48 Exhibit 48, # 49 Exhibit 49, # 50 Exhibit 50, # 51 Exhibit 51, # 52 Exhibit 52, # 53 Exhibit 53, # 54 Exhibit 54 - 1, # 55 Exhibit 54 - 2, # 56 Exhibit 55, # 57 Exhibit 56, # 58 Exhibit 57, # 59 Exhibit 58, # 60 Exhibit 59, # 61 Exhibit 60, # 62 Exhibit 61, # 63 Exhibit 62, # 64 Exhibit 63, # 65 Exhibit 64, # 66 Exhibit 65, # 67 Exhibit 66, # 68 Exhibit 67, # 69 Exhibit 68, # 70 Exhibit 69, # 71 Exhibit 70, # 72 Exhibit 71, # 73 Exhibit 72, # 74 Exhibit 73, # 75 Exhibit 74, # 76 Exhibit 75, # 77 Exhibit 76, # 78 Exhibit 77, # 79 Exhibit 78, # 80 Exhibit 79, # 81 Exhibit 80, # 82 Exhibit 81, # 83 Exhibit 82, # 84 Exhibit 83, # 85 Exhibit 84, # 86 Exhibit 85, # 87 Exhibit 86, # 88 Exhibit 87, # 89 Exhibit 88, # 90 Exhibit 89, # 91 Exhibit 90, # 92 Exhibit 91, # 93 Exhibit 92, # 94 Exhibit 93, # 95 Exhibit 94, # 96 Exhibit 95, # 97 Exhibit 96, # 98 Exhibit 97, # 99 Exhibit 98, # 100 Exhibit 99, # 101 Exhibit 100, # 102 Exhibit 101, # 103 Exhibit 102, # 104 Exhibit 103, # 105 Exhibit 104, # 106 Exhibit 105, # 107 Exhibit 106, # 108 Exhibit 107, # 109 Exhibit 108, # 110 Exhibit 109, # 111 Exhibit 110, # 112 Exhibit 111, # 113 Exhibit 112, # 114 Exhibit 113, # 115 Exhibit 114, # 116 Exhibit 115, # 117 Exhibit 116, # 118 Exhibit 117)(Related document(s) 649 ) (Howard, Geoffrey) (Filed on 3/3/2010)
<![CDATA[
Oracle Corporation et al v. SAP AG et al
Doc. 657 Att. 111
Case4:07-cv-01658-PJH Document657-112
Filed03/03/10 Page1 of 15
EXHIBIT 111
Dockets.Justia.com
Case4:07-cv-01658-PJH Document657-112
S. REP. 99-432
Filed03/03/10 Page2 of 15
Page 1
S. Rep. No. 432, 99TH Cong., 2ND Sess. 1986, 1986 U.S.C.C.A.N. 2479, 1986 WL 31918, S. REP. 99-432 (Leg.Hist.) *1 *2479 P.L. 99474, COMPUTER FRAUD AND ABUSE ACT OF 1986 DATES OF CONSIDERATION AND PASSAGE House June 3, October 6, 1986 Senate October 1, 3, 1986 House Report (Judiciary Committee) No. 99612, May 22, 1986 [To accompany H.R. 4718] Senate Report (Judiciary Committee) No. 99432, Sept. 3, 1986 [To accompany S. 2281] Cong. Record Vol. 132 (1986) The House bill was passed in lieu of the Senate bill after amending its language to contain much of the text of the Senate bill. The Senate Report is set out below. SENATE REPORT NO. 99432 September 3, 1986 *1 The Committee on the Judiciary, to which was referred the bill (S. 2281) to amend title 18, United States Code, to provide additional penalties for fraud and related activities in connection with access devices and computers, and for other purposes, having considered the same, reports favorably thereon with amendments and recommends that the bill, as amended, do pass. ***** I. GENERAL STATEMENT AND HISTORY OF THE LEGISLATION During the past several years, the Congress has been investigating the problems of computer fraud and abuse to determine whether*2 Federal criminal laws should be revised to cope more effectively with such acts. The Judiciary Committee's concern about these problems has become more pronounced as computers proliferate in businesses and homes across the nation and as evidence mounts that existing criminal laws are insufficient to address the problem of computer crime. For some time, the United States has been in the midst of a technological explosion. The Federal Government alone operates more than 18,000 medium-scale and large-scale computers at some 4,500 different sites, and the Office of Technology Assessment estimates the Government's investment in computers over the past four years at roughly $60 billion. The General Services Administration estimates that there will be 250,000 to 500,000 computers in use by the Federal Government by 1990. Computer use has also become much more widespread among the nation's private sector. In 1978, there were an estimated 5,000 desk-top computers in this country; today there are nearly 5 million. Financial institutions, in particular, rely heavily on computer *2480 communications; for instance, the Bureau of Justice Statistics repor1 ted that in 1983, corporate transfers of funds via computer totaled more than $100 trillion. In addition, more than 100,000 personal computers have been installed in the country's schools, and computers are found in millions of American homes. This technological explosion has made the computer a mainstay of our communications system, and it has brought a great many benefits to the government, to American businesses, and to all of our lives. But it has also
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page3 of 15 Page 2
created a new type of criminal--one who uses computers to steal, to defraud, and to abuse the property of others. The proliferation of computers and computer data has spread before the nation's criminals a vast array of property that, in many cases, is wholly unprotected against crime. *2 In June 1984, the American Bar Association Task Force on Computer Crime, chaired by Joseph Tompkins, Jr., issued its Report on Computer Crime (hereinafter referred to as the `ABA Report'), a study based upon a 2 survey of approximately 1,000 private organizations and public agencies. The ABA Report found that more 3 than 50 percent of the 283 respondents had been victimized by some form of computer crime, and that more than 25 percent of the respondents had sustained financial losses totaling between an estimated $145 million and 4 $730 million during one twelve-month period. The ABA Report also concluded that computer crime is among 5 the worst white-collar offenses. The Committee agrees but notes particularly that computer crimes pose a threat that is not solely financial in nature. In 1983, for example, a group of adolescents known as the `414 Gang' broke into the computer system at Memorial Sloan-Kettering Cancer Center in New York. In so doing, they gained access to *3 the radiation treatment records of 6,000 past and present cancer patients and had at their fingertips the ability to alter the radiation treatment levels that each patient received. No financial losses were at stake in this case, but the potentially lifethreatening nature of such mischief is a source of serious concern to the Committee. Similarly, so-called `pirate bulletin boards' have sprung up around the country for the sole purpose of exchanging passwords to other people's computer systems. The Richmond (Va.) Times-Dispatch recently reported that three such bulletin boards operating in Virginia carry information on how to break into the computers of the U.S. Defense Department and the Republican National Committee. While financial losses resulting from such pirate bulletin boards may not be imminent, the Committee believes that knowingly trafficking in other people's computer passwords should be proscribed. It is clear that much computer crime can be prevented by those who are potential targets of such conduct. The ABA Report indicated that while the respondents to the survey overwhelmingly supported*2481 a Federal com6 puter crime statute, they also believed that the most effective means of preventing and deterring computer 7 crime is `more comprehensive and effective self-protection by private business' and that the primary responsibility for controlling the incidence of computer crime falls upon private industry and individual users, rather than 8 on the Federal, State, or local governments. The Committee strongly agrees with these views. The Committee also finds that education programs for both computer users and the general public should be undertaken to make young people and others aware of the ethical and legal questions at stake in the use of computers and to deflate the myth that computer crimes are glamorous, harmless pranks. The respondents to the 9 ABA survey indicated strong support for such programs, many of which are underway throughout the nation. The Committee commends those education and security improvement efforts and urges their continuation. *3 At the same time, the Committee finds that Federal criminal penalties for computer crime are an appropriate punishment for certain acts and can serve to deter would-be computer criminals and to reinforce education and security improvement programs. To that end, both the Senate and House have devoted considerable attention to determining how the Federal Government can best approach computer-related crimes. The first Federal computer crime statute was enacted in 1984 as part of P.L. 98473. This is the present 18 U.S.C. 1030, which makes it a felony to access classified information in a computer without authorization and makes it a misdemeanor to access financial records or credit histories in financial institutions or to trespass into a Government computer. Legislation was introduced in both the Senate and House early in the 99th Congress to expand and to amend 18 U.S.C. 1030. On *4 May 23, 1985, the House Subcommittee on Crime held a hearing on H.R. 1001 (introduced by Representative William J. Hughes (D-N.J.) and H.R. 930 (introduced by Representative Bill Nelson (D-Fla.). Representative Bill McCollum, R-Fla., subsequently introduced a computer crime bill, H.R. 3381,
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page4 of 15 Page 3
at the request of the Department of Justice. The Senate Subcommittee on Criminal Law held a hearing on October 30, 1985, on two computer crime bills: S. 440 (introduced by Senator Paul Trible (R-Va.) and S. 1678 (introduced by Senator Strom Thurmond, (R-S.C., at the request of the Department of Justice). S. 1678 is the Senate companion to H.R. 3381. As a result of the testimony given at both the Senate and House hearings, Senator Trible and Representative Hughes introduced identical computer crime bills (S. 2281 and H.R. 4562) on April 10, 1986. The House Subcommittee on Crime considered H.R. 4562 on April 23, and on April 30 the subcommittee forwarded a clean bill, H.R. 4718, to the Committee on the Judiciary in lieu of H.R 4562. The Committee on the Judiciary ordered H.R. 4718, as amended, reported on May 6 (see House Report 99612), and on June 3 the House passed the bill by voice vote. In the Senate, the Committee on the Judiciary held a hearing on S. 2281 on April 16, 1986. The *2482 Committee ordered the bill, as amended, reported to the Senate on June 12, 1986. Throughout its consideration of computer crime, the Committee has been especially concerned about the appropriate scope of Federal jurisdiction in this area. It has been suggested that, because some States lack comprehensive computer crime statutes of their own, the Congress should enact as sweeping a Federal statute as possible so that no computer crime is potentially uncovered. The Committee rejects this approach and prefers instead to limit Federal jurisdiction over computer crime to those cases in which there is a compelling Federal interest, i.e., where computers of the Federal Government or certain financial institutions are involved, or where the crime itself is interstate in nature. The Committee is convinced that this approach strikes the appropriate balance between the Federal Government's interest in computer crime and the interests and abilities of the States to proscribe and punish such offenses. *4 S. 2281, as reported by the Committee, is a consensus bill aimed at deterring and punishing certain `high-tech' crimes in a manner consistent with the States' own criminal laws in this area. II. DISCUSSION OF COMMITTEE ACTION AND AMENDMENTS On June 12, 1986, the Committee on the Judiciary met and unanimously ordered S. 2281 reported favorably to the full Senate. Several minor amendments were also approved unanimously by the Committee. The first amendment was a technical change to page two, line eight of the bill, made necessary because of the second Committee amendment. That second amendment struck lines 924, relating to unauthorized access of Government computers, on page two, and inserted in their place the language that forms the new subsection 18 U.S.C. 1030(a)(3), as reported. That subsection is explained in detail in the section-by-section analysis of this Report. *5 The third Committee amendment struck the new subsection (a)(5) from S. 2281 as introduced, and replaced it with amended language. In so doing the Committee added to (a)(5) the words `damages, or destroys' to make explicit the subsection's application to acts--such as erasing data--that go beyond mere alteration of information. This amendment also changed `that computer' (as written in the original S. 2281) to `any such Federal interest computer'. The Committee wanted to prevent the possibility that a defense would be raised to the effect that the information that was altered, damaged, or destroyed, was not in the very same computer on to which the offender had signed. The use of `any such Federal interest computer' makes clear that no such defense is possible. This amendment also deleted `another' from the portion of S. 2281 relating to subsection (a)(5); the phrase `one or more others' was inserted in its place. The Committee does not intend that every victim of acts proscribed under (a)(5) must individually suffer a loss of $1,000. Certain types of malicious mischief may cause smaller amounts of damages to numerous individuals, and thereby collectively create a loss of more than $1,000. By using `one or more *2483 others', the Committee intends to make clear that losses caused by the same act may be aggregated for purposes of meeting the $1,000 threshold. Finally, this amendment added to the coverage
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page5 of 15 Page 4
of the new subsection (a)(5) acts that alter, damage, or destroy computerized medical records, and thereby impair or threaten to impair an individual's medical care. The Committee's rationale for this addition is explained more fully in the section-by-section analysis pertaining to the new 18 U.S.C. 1030(a)(5). The fourth Committee amendment changed `such use' to `the use of the financial institution's operation or the Government's operation of such computer'. This change simply makes clear that a computer that is not used exclusively by the United States Government or by a financial institution, as that term is defined by proposed 18 U.S.C. 1030(e)(4), is a Federal interest computer only to the extent that its use by the Government or the financial institution is affected. This clarification also appears in the Committee's amendment affecting proposed 18 U.S.C. 1030(a)(3). *5 The fifth Committee amendment was merely a technical change made necessary because the sixth Committee amendment added `department of the United States' to the list of terms defined in the bill. III. SECTION-BY-SECTION ANALYSIS The following is a section-by-section analysis of S. 2281, as reported by the Committee on the Judiciary. Section 1 of the bill contains its short title, the `Computer Fraud and Abuse Act of 1986'. Section 2(a)(1) amends 18 U.S.C. 1030(a)(2) to change the scienter requirement from `knowingly' to `intentionally', for two reasons. First, intentional acts of unauthorized access--rather than mistaken, inadvertent, or careless ones--are precisely what the Committee intends to proscribe. Second, the Committee is concerned that the `knowingly' standard in the existing statute might be inappropriate for cases involving computer technology. The Senate's *6 Report on the Criminal Code (Report No. 961396, pg. 33, citing United States v. United 9a States Gypsum Co., 438 U.S. 422, 425 (1978)), states that a person is `said to act knowingly if he is aware `that the result is practically certain to folow from his conduct, whatever his desire may be as to that result." (Footnote omitted.) While appropriate to many criminal statutes, this standard might not be sufficient to preclude liability on the part of those who inadvertently `stumble into' someone else's computer file or computer data. This is particularly true in those cases where an individual is authorized to sign onto and use a particular computer, but subsequently exceeds his authorized access by mistakenly entering another computer file or data that happens to be accessible from the same terminal. Because the user had `knowingly' signed onto that terminal in the first place, the danger exists that he might incur liability for his mistaken access to another file. This is so because, while he may not have desired that result, i.e., the access of another*2484 file, it is possible that a trier of fact will infer that the user was `practically certain' such mistaken access could result from his initial decision to access the computer. The substitution of an `intentional' standard is designed to focus Federal criminal prosecutions on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another. Again, this will comport with the Senate Report on the Criminal Code, which states that "intentional' means more than that one voluntarily engaged in conduct or caused a result. Such conduct or the causing of the result must have been the person's conscious objective.' (Footnote omitted.) Section 2(a)(2) deletes from the existing 18 U.S.C. 1030(a)(2) the phrase `as such terms are defined in the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.),'. The terms to which that phrase is applicable, `financial institution' and `financial record,' are defined in section (2)(g) of S. 2281. *6 The premise of 18 U.S.C. 1030(a)(2) will remain the protection, for privacy reasons, of computerized credit records and computerized information relating to customers' relationships with financial institutions. This protection is imperative in light of the sensitive and personal financial information contained in such computer files. However, by referring to the Right to Financial Privacy Act, the current statute limits its coverage to financial institution customers who are individuals, or are partnerships with five or fewer partners. The Committee intends S. 2281 to extend the same privacy protections to the financial records of all customers--individual, part-
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page6 of 15 Page 5
nership, or corporate--of financial institutions. The Department of Justice has expressed concerns that the term `obtains information' in 18 U.S.C. 1030(a)(2) makes that subsection more than an unauthorized access offense, i.e., that it might require the prosecution to 10 prove asportation of the data in question. Because the premise of this subsection is privacy protection, the Committee wishes to make clear that `obtaining information' in this context includes mere observation of the data. Actual asportation, in the sense of physically removing the data from its original*7 location or transcribing the data, need not be proved in order to establish a violation of this subsection. Section 2(b) of S. 2281 provides a substitute for the present 18 U.S.C. 1030(a)(3), and is designed to accomplish several goals. First, it will change the scienter requirement from `knowingly' to `intentionally'. The same explanation offered for section 2(a)(1) is applicable here. Second, section 2(b) will clarify the present 18 U.S.C. 1030(a)(3), making clear that it applies to acts of simple trespass against computers belonging to, or being used by or for, the Federal Government. The Department of Justice and others have expressed concerns about whether the present subsection covers acts of mere trespass, i.e., unauthorized access, or whether it requires a further showing that the information perused was 11 `used, modified, destroyed, or disclosed.' To alleviate those concerns, the Committee*2485 wants to make clear that the new subsection will be a simple trespass offense, applicable to persons without authorized access to Federal computers. The Committee wishes to be very precise about who may be prosecuted under the new subsection (a)(3). The Committee was concerned that a Federal computer crime statute not be so broad as to create a risk that government employees and others who are authorized to use a Federal Government computer would face prosecution for acts of computer access and use that, while technically wrong, should not rise to the level of criminal conduct. At the same time, the Committee was required to balance its concern for Federal employees and other authorized users against the legitimate need to protect Government computers against abuse by `outsiders.' The Committee struck that balance in the following manner. *7 In the first place, the Committee has declined to criminalize acts in which the offending employee merely `exceeds authorized access' to computers in his own department (`department' is defined in section 2(g) of S. 2281). It is not difficult to envision an employee or other individual who, while authorized to use a particular computer in one department, briefly exceeds his authorized access and peruses data belonging to the department that he is not supposed to look at. This is especially true where the department in question lacks a clear method of delineating which individuals are authorized to access certain of its data. The Committee believes that administrative sanctions are more appropriate than criminal punishment in such a case. The Committee wishes to avoid the danger that every time an employee exceeds his authorized access to his department's computers--no matter how slightly--he could be prosecuted under this subsection. That danger will be prevented by not including `exceeds authorized access' as part of this subsection's offense. In the second place, the Committee has distinguished between acts of unauthorized access that occur within a department and those that involve trespasses into computers belonging to another department. The former are not covered by subsection (a)(3); the latter are. Again, it is not difficult to envision an individual who, *8 while authorized to use certain computers in one department, is not authorized to use them all. The danger existed that S. 2281, as originally introduced, might cover every employee who happens to sit down, within his department, at a computer terminal which he is not officially authorized to use. These acts can also be best handled by administrative sanctions, rather than by criminal punishment. To that end, the Committee has constructed its amended version of (a)(3) to prevent prosecution of those who, while authorized to use some computers in their department, use others for which they lack the proper authorization. By precluding liability in purely `insider' cases such as these, the Committee also seeks to alleviate concerns raised by Senators Mathias and Leahy that
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page7 of 15 Page 6
the existing statute casts a wide net over `whistleblowers,' who disclose information they have gleaned from a government computer. Senators Mathias and Leahy first expressed their concerns in 1984 *2486 about the effect of the current statute on whistleblowers. Their concerns were embodied in S. 610, a bill they introduced early in the 99th Congress. (See, Statements by Senator Mathias and Senator Leahy, Congressional Record of March 7, 1985; pp. S 27282730. See also their `Additional Views' in this report.) The Committee has thus limited 18 U.S.C. 1030(a)(3) to cases where the offender is completely outside the Government, and has no authority to access a computer of any agency or department of the United States, or where the offender's act of trespass is interdepartmental in nature. The Committee does not intend to preclude prosecution under this subsection if, for example, a Labor Department employee authorized to use Labor's computers accesses without authorization an FBI computer. An employee who uses his department's computer and, without authorization, forages into data belonging to another department, is engaged in conduct directly analagous to an `outsider' tampering with Government computers. In both cases, the user is wholly lacking in authority to access or use that department's computer. The Committee believes criminal prosecution should be available in such cases. *8 The Committee acknowledges that in rare circumstances this may leave serious cases of intradepartmental trespass free from criminal prosecution under (a)(3). However, the Committee notes that such serious acts may be subject to other criminal penalties if, for example, they violate trade secrets laws or 18 U.S.C. 1030(a)(1), (a)(4), (a)(5), or (a)(6), as proposed in this legislation. The Committee believes this to be the best means of balancing the legitimate need to protect the Government's computers against the need to prevent unwarranted prosecutions of Federal employees and others authorized to use Federal computers. The third goal of Section 2(b) is to clarify subsection (a)(3) to make clear that one trespassing in a computer used only part-time by the Federal Government need not be shown to have affected the operation of the government as a whole. The Department of Justice has expressed concerns that the present subsection's language could be construed to require a showing that the offender's conduct harmed the overall operation of the Government 12 and that this would be an exceedingly difficult task for Federal prosecutors. *9 Accordingly, Section 2(b) will make clear that the offender's conduct need only affect the use of the Government's operation of the computer in question. Section 2(c) substitutes the phrase `exceeds authorized access' for the more cumbersome phrase in present 18 U.S.C. 1030(a)(1) and (a)(2), `or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend'. The Committee intends this change to simplify the language in 18 U.S.C. 1030(a)(1) and (2), and the phrase `exceeds authorized access' is defined separately in Section (2)(g) of the bill. Section (2)(d) adds three new offenses to 18 U.S.C. 1030. The new subsection 1030(a)(4) to be created by this bill is designed to penalize thefts of property via computer that occur as part of a scheme *2487 to defraud. It will require a showing that the use of the computer or computers in question was integral to the intended fraud and was not merely incidental. It has been suggested that the Committee approach all computer fraud in a manner that directly tracks the existing mail fraud and wire fraud statutes. However, the Committee was concerned that such an approach might permit prosecution under this subsection of acts that do not deserve classification as `computer fraud.' The Committee was concerned that computer usage that is wholly extraneous to an intended fraud might nevertheless be covered by this subsection if the subsection were patterned directly after the current mail fraud and wire fraud laws. If it were so paterned, the subsection might be construed as covering an individual who had devised a scheme or artifice to defraud solely because he used a computer to keep records or to add up his potential `take' from the crime. The Committee does not believe that a scheme or artifice to defraud should fall under the ambit of subsection (a)(4) merely because the offender signed onto a computer at some point near to the com-
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page8 of 15 Page 7
mission or execution of the fraud. While such a tenuous link might be covered under current law where the instrumentality used is the mails or the wires, the Committee does not consider that link sufficient with respect to computers. To be prosecuted under this subsection, the use of the computer must be more directly linked to the intended fraud. That is, it must be used by an offender without authorization or in excess of his authorization to obtain property of another, which property furthers the intended fraud. Likewise, this subsection may be triggered by conduct that can be shown to constitute an attempted offense. *9 This approach is designed, in part, to help distinguish between acts of theft via computer and acts of computer trespass. In intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system. If that is all he obtains, the offense should properly be treated as a simple trespass. But because the offender has obtained the small bit of information needed to get into the computer system, the danger exists that his and every other computer trespass could be treated as a theft, punishable as a felony under this subsection. A similar problem arises from recommendations made to the Committee that every act of unauthorized access to a `Federal interest computer' be treated as theft of computer time, *10 punishable under this subsection as part of a scheme to defraud. The Committee agrees that the mere use of a computer or computer service has a value all its own. Mere trespasses onto someone else's computer system can cost the system provider a `port' or access channel that he might otherwise be making available for a fee to an authorized user. At the same time, the Committee believes it is important to distinguish clearly between acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as misdemeanors. That distinction would be wiped out were the Committee to treat every trespass as an attempt to defraud a service provider of computer time. One simply cannot trespass into another's computer without occupying a portion of the time that that computer service is available. Thus, *2488 that suggested approach would treat every act of unauthorized entry to a Federal interest computer--no matter how brief--as an act of fraud, punishable at the felony level. The Committee does not believe this is a proper approach to this problem. For that reason, the Committee has excluded from coverage under this subsection those instances where `the object of the fraud and the thing obtained consists only of the use of the computer.' However, the Committee agrees that lost computer time resulting from repeated or sustained trespasses can reach a level of seriousness sufficient to warrant Federal prosecution. The Committee believes such instances are more appropriately punished under the provision of the new subsection (a)(5) relating to preventing authorized use of a computer. A more detailed explanation of the Committee's intent respecting lost computer time is contained in the analysis for (a)(5). The Committee remains convinced that there must be a clear distinction between computer theft, punishable as a felony, and computer trespass, punishable in the first instance as a misdemeanor. The element in the new paragraph (a)(4), requiring a showing of an intent to defraud, is meant to preserve that distinction, as is the requirement that the property wrongfully obtained via computer furthers the intended fraud. The new felony created by this subsection limits its jurisdiction to `Federal interest computers.' These are defined in Section (2)(g) of the bill as computers used by the Federal Government or by financial institutions, or as computers located in different States. *10 The scienter requirement for this subsection, `knowingly and with intent to defraud,' is the same as the standard used for 18 U.S.C. 1029 relating to credit card fraud. The new subsection 1030(a)(5) to be created by the bill is designed to penalize those who intentionally alter, damage, or destroy certain computerized data belonging to another. The `intentional' standard is the same as that employed in Section 2(a)(1) and 2(b)(1) of the bill. Like the new subsection 18 U.S.C. 1030(a)(3), this subsection will be aimed at `outsiders,' i.e., those lacking authorization to access any Federal interest computer. It will penalize alteration, damage, or destruction in two circumstances. The first is those which cause a loss to the victim or victims totalling $1,000 or more in any single year period. The Committee believes this threshold is ne-
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP. Ca4324:07-cv-01658-PJH 99- se
Document657-112
Filed03/03/10 Page9 of 15 Page 8
cessary to prevent the bringing of felony-level charges against every individual who modifies another's computer data. Some *11 modifications or alterations, while constituting `damage' in a sense, do not warrant felonylevel punishment, particularly when almost no effort or expense is required to restore the affected data to its original condition. The $1,000 valuation has been reasonably calculated by the Committee to preclude felony punishment in those cases, while preserving the option of felony punishment in cases involving more serious alteration, damage, or destruction. In many instances where the requisite dollar amount cannot be shown, misdemeanor-level penalties will remain available against the offender under subsections 1030(a)(2) or 1030(a)(3). The Department of Justice has suggested that the concept of `loss' embodied in this subsection not be limited to the costs of *2489 actual repairs. The Committee agrees and intends that other expenses accruing to the victim--such as lost computer time and the cost of reprogramming or restoring data to its original condition--be permitted to count toward the $1,000 valuation. The Committee wishes to leave no doubt that it intends lost computer time to be covered by this subsection. Once again, the Committee recognizes the inherent value of using computer time or of occupying a portion of the time that a computer service is made available. Many commercial services obtain revenue by charging authorized subscribers for the amount of time they are using the service. An unauthorized user can therefore impose substantial costs on the service provider by tying up one channel of access--a channel that the provider might otherwise be leasing at a profit to an authorized subscriber. The Committee recognizes this danger, and intends subsection (a)(5) to cover cases where an offender, having obtained unauthorized access to the computer, prevents authorized use of such a computer by occupying an access channel or `port' that is in demand by authorized subscribers. In the preceding discussion of subsection (a)(4), the Committee made clear that acts of trespass causing a loss of computer time should not be treated as acts of fraud for purposes of that subsection. However, it is clear that lost computer time can impose significant costs on providers of computer services. Where those costs total more than $1,000 in any one-year period, the Committee believes prosecution should be available under this subsection. *11 Likewise, the Committee intends that certain network communications costs be permitted to count toward the $1,000 valuation; a summary of a recent incident best illustrates this area. Often, a telecommunications firm (called the host company) will allow users from all other the country to access its computers by dialing a phone number that is local to the user. A second company (called a network company) will provide the service that connects the user, via phone lines, to the host company's computer, thus acting as a bridge between the two. The fee for the network company's service is often paid by the host company itself. In the incident under discussion, an unauthorized user programmed his computer to make repeated, automatic calls to the host company's computers in an effort to break into these computers. The effort to break in failed, but the user's automatic dialing mechanism made repeated use of the network company's communications service. In turn, the network company billed the host company for the time during which the unauthorized user had accessed its communications line. This *12 is obviously unfair to the host company. Where billings to a host company for incidents such as this exceed $1,000 in a one-year period, the Committee believes they should be subject to prosecution under this subsection. Similarly, the Committee is concerned that authorized users of computer services might incur substantial costs as a result of relying on information contained in a database that has been tampered with. For example, an individual who invests in a stock, after having read a computerized market analysis that had been altered to make it appear the stock's potential had improved, has clearly *2490 incurred a cost. The Committee intends that those costs also be permitted to count toward the $1,000 valuation. The second circumstance in which this subsection will penalize alteration, damage, or destruction is in connection with data relating to medical care and treatment. The Sloan-Kettering case discussed earlier in this report is but one example of computer crimes directed at altering medical treatment records. Where such conduct impairs or potentially impairs an individual's medical care, the Committee does not believe a showing of $1,000
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP.Ca-se2 :07-cv-01658-PJH 99 43 4
Document657-112
Filed03/03/10 Page10 of 15 Page 9
in financial losses is necessary. Tampering with computerized medical treatment records, especially given the potentially life-threatening nature of such conduct, is serious enough to warrant punishment without a showing of pecuniary loss to the victim or victims. The Committee also wishes to make clear that convictions are attainable under this subsection without a showing that the victim was actually given an incorrect or harmful treatment, or otherwise suffered as a result of the changed medical record. That his examination, diagnosis, treatment, or care was potentially changed or impaired is sufficient to warrant prosecution under this subsection. Two other important concerns have also been expressed to the Committee regarding the reach of the new subsection (a)(5). The first is that it might cover authorized `repairs' to a computer system because `alteration' of the data is part of the gravamen of the offense, and repairs presumably can involve altering data. It is not the Committee's intent to criminalize properly authorized repair activities. For example, this section does not prohibit employees of communications common carriers from engaging in activities that are necessary to the repair of the carrier's service. The Committee believes that the requirement in subsection (a)(5) that alterations occur after an unauthorized access is sufficient in itself to preclude its application to authorized repairs but wishes to leave no doubt that authorized repair activities are not covered by (a)(5). *12 The second concern is that (a)(5) might be construed as criminalizing the use in computer leasing services of automatic termination devices or so-called `time bombs'. Frequently, a provider of computer services will build into his program a mechanism that automatically terminates the service if a user fails to pay his bill for the service on time. Concerns have been expressed that the provider might be considered liable under (a)(5) for having `prevented authorized use' of the service. That is not the Committee's intent. Having failed to pay his bill for the Committee service, the delinquent user is no longer an `authorized user' of the service, and termination of his access to the service is not an offense under this subsection. *13 The new subsection 1030(a)(6) to be created by the bill is a misdemeanor offense aimed at penalizing conduct associated with `pirate bulletin boards,' where passwords are displayed that permit unauthorized access to others' computers. It will authorize prosecution of those who, knowingly and with intent to defraud, traffic in such computer passwords. If those elements are present--and if the password in question would enable unauthorized access to a Federal Government computer, or if the trafficking affects interstate or foreign commerce--this subsection may be invoked. The concept of *2491 `traffic' means to transfer, or otherwise dispose of, to another, or to obtain control of with intent to transfer or dispose of such passwords; the concept was borrowed from 18 U.S.C. 1029 relating to credit card offenses. The Committee also wishes to make clear that `password', as used in this subsection, does not mean only a single word that enables one to access a computer. The Committee recognizes that a `password' may actually be comprised of a set of instructions or directions for gaining access to a computer and intends that the word `password' be construed broadly enough to encompass both single words and longer more detailed explanations on how to access others' computers. Section 2(e) eliminates the specific conspiracy offense in the present law. The Committee intends that such conduct be governed by the general conspiracy offense in 18 U.S.C. 371. Section 2(f) conforms the `fine' provisions of 18 U.S.C. 1030 and this bill with the general fine provisions of the Criminal Fine Enforcement Act of 1984. It also contains the penalty provisions for the two new felony provisions (5 years first offense, 10 years second offense) and one new misdemeanor/felony provision (one year first offense, 10 years second offense). Section (2)(g) establishes definitions for a `Federal interest computer,' `State', `financial institution', `financial record', the term `exceeds authorized access,' and the term `department of the United States', all of which are self-explanatory. The only committee note is that obtaining information as encompassed in the definition for `exceeds authorized access' would include observing information as we discussed under Section 2(a)(2) supra. *13 Section 2(h) conforms the exception for proper law enforcement and intelligence activity in the computer
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP.Ca-se2 :07-cv-01658-PJH 99 43 4
Document657-112
Filed03/03/10 Page11 of 15Page 10
crime bill with the credit card legislation in 18 U.S.C. 1029(f). Finally, the Committee wishes to make two general observations that apply to each of the computer crime offenses amended or created by S. 2281. First, the Committee recognizes the necessity that computerized information be considered `property' for purposes of Federal criminal law. To date, computer users for providers of computer services have had to wrestle with a criminal justice system that in many respects is ill-equipped to handle their needs. Computer technology simply does not fit some of the older, more traditional legal approaches to theft or abuse of property. For example, computer data may be `stolen' in the sense that it is copied by an unauthorized user, even though the original data has not been removed or altered in any way. As long ago as 1983, the Department of Justice stated that: *14 Any enforcement action in response to criminal conduct indirectly or directly related to computers must rely upon a statutory restriction dealing with some other offense. This requires the law enforcement officer, initially the agent, and then the prosecutor, to attempt to create a `theory of prosecution' that somehow fits what may be the square peg of computer fraud into the round hole of *2492 theft, embezzlement or even the 13 illegal conversion of trade secrets. These enforcement problems can largely be overcome by recognizing computerized information as property. The Congress began that recognition by enacting the Computer Fraud and Abuse Act of 1984. The Committee intends S. 2281 to affirm the government's recognition of computerized information as property. Secondly, the Committee wishes to make clear its intent to distinguish between conduct that is completely inadvertent and conduct that is initially inadvertent but later becomes an intentional crime. It has been suggested that this is a difficult line to draw in the area of computer technology because of the possibility of mistakenly accessing another's computer files. Nevertheless, the Committee would expect one whose access to another's computer files or data was truly mistaken to withdraw immediately from such access. If he does not and instead deliberately maintains unauthorized access after a non-intentional initial contact, then the Committee believes prosecution is warranted. The individual's intent may have been formed after his initial, inadvertent access. But his is an intentional crime nonetheless, and the Committee does not wish to preclude prosecution in such instances. IV. AGENCY VIEWS In its testimony on April 16, 1986, the Department of Justice supported S. 2281, although it recommended 14 several amendments to the bill. The Committee adopted some of those recommendations, including an amendment clarifying the degree to which the offense in subsection 1030(a)(3) must affect the operation of the Government computer in question. Many of the Department's recommendations were incorporated into the Committee's report on S. 2281. V. CONGRESSIONAL BUDGET OFFICE STATEMENT *14 U.S. CONGRESS, CONGRESSIONAL BUDGET OFFICE, Washington, DC, June 25, 1986. Hon. STROM THURMOND, Chairman, Committee on the Judiciary, U.S. Senate, Washington, DC. DEAR MR. CHAIRMAN: The Congressional Budget Office has reviewed S. 2281, the Computer Fraud and Abuse Act of 1986, as ordered*15 reported by the Senate Committee on the Judiciary, June 12, 1986. We estimate that no significant cost to the Federal Government, and no cost to State or local governments would result from enactment of this bill.
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP.Ca-se2 :07-cv-01658-PJH 99 43 4
Document657-112
Filed03/03/10 Page12 of 15Page 11
S. 2281 makes a number of amendments to Section 1030 of Title 18 of the United States Code, dealing with computer fraud and related activity. These amendments include several changes in the standards determining violations of the law. The bill extends the *2493 existing Federal privacy protection of computerized financial information to cover all such records of financial institutions, as defined in the bill, and clarifies the prohibition against unauthorized access of computers used by the U.S. government. S. 2281 also creates three new offenses involving theft in the form of unauthorized computer access with the intent to defraud, malicious damage through unauthorized computer access, and trafficking in computer passwords with the intent to defraud. The provisions governing fines for new and existing offenses would be made to conform with the Criminal Fine Enforcement Act of 1984. Based on information from the Department of Justice, we expect that S. 2281 would provide a more specific statute on which to base the investigation and prosecution of these activities, which the Department is currently undertaking under other authority. Enactment of the bill is not expected to result in a significant change in the government's law enforcement practices or expenditures. If you wish further details on this estimate, we will be pleased to provide them. With best wishes, Sincerely, RUDOLPH G. PENNER. VI. REGULATORY IMPACT STATEMENT Pursuant to paragraph 11(b), rule XXVI, of the Standing Rules of the Senate, the Committee has concluded that the bill will have no direct regulatory impact. The bill encourages, but does not require, the agencies and departments of the Federal Government to develop clear rules and sanctions regulating the use of Government computers by employees and other authorized individuals. The bill also encourages other owners and users of Federal interest computers to establish clear statements of the scope of authority for those who use the Federal interest computers. ***** *20 VIII. ADDITIONAL VIEWS OF MESSRS. MATHIAS AND LEAHY We are pleased to join with our colleagues on the Judiciary Committee in reporting S. 2281, the Computer Fraud and Abuse Act of 1986. The authors of the legislation have effectively carried out a delicate and complex task. The result is a bill that offers an appropriate Federal response to the real and growing problem of computer crime. *15 The committee's report on S. 2281 thoroughly describes the scope of that problem, and the details of that response. As the report notes, this bill builds upon the computer crime legislation enacted in the closing days of the 98th Congress. We wish to emphasize that S. 2281 not only refines and extends the computer crime provisions of Public Law 98473, it also refocuses that legislation on its principal objectives, and minimizes the likelihood that it will be misused to cut back on the American public's right to know about the activities of its government. *2494 As enacted in 1984, the provision now codified as section 1030(a)(3) of title 18 makes it a crime to `knowingly use . . . or disclose information in [any] computer . . . operated for or on behalf of the Government of the United States,' when the defendant gains access to the computer without authorization or his conduct exceeds the scope of his authorization. By its literal terms, this provision sweeps in all computerized government information, including documents that must, under the Freedom of Information Act, be disclosed to any member of the public upon proper request. Section 1030(a)(3) also glosses over the reality that the existence or exact
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP.Ca-se2 :07-cv-01658-PJH 99 43 4
Document657-112
Filed03/03/10 Page13 of 15Page 12
scope of a government employee's authority to access a particular computerized data base is not always free from doubt. Under these circumstances, any employee asked to release data that must be disclosed under the FOIA would be understandably reluctant to do so unless assured of the precise contours of his authorization to access it. An incorrect assertion of authorization could expose the employee to prosecution and imprisonment. Any prudent employee would resolve doubts against disclosure, a conclusion directly contrary to the principles of open government underlying the FOIA. Motivated by these concerns arising from provisions of the House-passed computer crime bill, the Senate, on the next-to-last day of the 98th Congress, unanimously approved our amendment to the bill which narrowed the sweeping provisions of the disclosure offense under section 1030(a)(3). Unfortunately, in the rush toward adjournment, the House never acted on the Senate amendment to this bill. Instead, the free-standing computer crime legislation was overtaken by a continuing appropriations resolution, to which had been appended hundreds of pages of crime legislation, including portions of the unamended House computer crime bill. Thus, in a particularly graphic lesson in the shortcomings of legislation by *21 rider, section 1030(a)(3) was signed into law, despite the Senate's unanimous view that its scope was too broad. The bill we now report, unlike its predecessor, has had the benefit of nearly 2 years of careful scrutiny and study by the Subcommittee on Criminal Law. Among the many improvements that it would make is a complete revision of section 1030(a)(3). The revised provision includes three salutary features that minimize the possibility that this computer crime legislation could be misused to weaken the Freedom of Information Act, or to impose unnecessary obstacles to the public's right to know about government activities. *16 First, the mental state required to establish a violation of revised section 1030(a)(3) is increased from `knowingly' to `intentionally.' As the committee report points out, the `intentional' standard precludes criminal liability for inadvertent acts of unauthorized access. Instead, it is `designed to focus Federal criminal prosecutions on those who evince a clear intent to enter, without proper authorization, computer files or data belonging to another.' Second, S. 2281 would eliminate coverage for authorized access that aims at `purposes to which such authorization does not extend.' This removes from the sweep of the statute one of the murkier grounds of liability, under which a Federal employee's access to computerized data might be legitimate in some circumstances, but criminal in other (not clearly distinguishable) circumstances*2495 that might be held to exceed his authorization. As the committee report points out, administrative sanctions should ordinarily be adequate to deal with real abuses of authorized access to Federal computers (assuming, of course, that no other provision of section 1030 is violated). Like the heightened scienter requirement, this change serves to minimize the likelihood that a Federal employee, uncertain about the scope of his authority, would face a Hobson's choice between the disclosure mandates of FOIA and the criminal sanctions of title 18. Finally, revised section 1030(a)(3) would not apply to access by a Federal employee of computers of that employee's own agency. This exclusion recognizes the reality that computer access rules for employees within a single agency are rarely as clear as rules governing access by outsiders to that agency's computers. Revised section 1030(a)(3) would provide prosecutors a clear, workable rule, regardless of the intricacies of a particular agency's computer access policies: absent a fraudulent motive, an employee could not be prosecuted for simple `trespass' into one of his agency's own computers. Like any bright-line rule, this one does not conform perfectly to the behavior it addresses. To treat employees of other agencies as `outsiders' for the purposes of this statute may, in an exceptional instance, work some hardship. The committee report notes that the revised subsection may, on rare occasions, prove underinclusive; as well, it may be overinclusive in unusual cases. The fact is that many Federal agency data bases are separated from those of sister agencies not by well-defined walls, but by permeable membranes. Information sharing may become computer sharing without formal protocols of authorization. Access by one who appears to be an
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP.Ca-se2 :07-cv-01658-PJH 99 43 4
Document657-112
Filed03/03/10 Page14 of 15Page 13
`outsider' to the agency may be not only excusable, but helpful to the agency's mission. *22 But certainly this imprecision can be accommodated. Just as other criminal sanctions may well be at hand in cases that fall through the net of the revised subsection (a)(3), so administrative sanctions--and, of course, the discretion not to prosecute--will remain available for those cases of interdepartmental unauthorized access that do not justify prosecution. *17 S. 2281's revisions to section 1030(a)(3) do not track the approach adopted by the Senate in 1984, and embodied in our bill in this Congress, S. 610, for correcting the course set by the 1984 computer crime legislation. Both the 1984 Senate amendment, and S. 610, focused on the disclosure aspect of the offense created by section 1030(a)(3), and sought to exclude from the offense information whose disclosure ought not to be discouraged. Because the revised subsection is a simple trespass offense, rather than one requiring disclosure or some other act beyond access to the data, our earlier approach to the problem is now less apposite. We think the balance struck by S. 2281 on this issue is reasonable. It largely ameliorates our concern about the effect of section 1030(a)(3) on the free flow of government information to the American people. It goes far toward restoring the incentive for Federal employees to comply voluntarily with the Freedom of Information Act in their dealings with requests*2496 for computerized government information. At the same time, it gives the Government an adequate prosecutorial tool for deterring and punishing unauthorized access to sensitive Government information by those who have no colorable claim of a right to obtain it outside proper channels. In this and other aspects, S. 2281 constitutes a real improvement on existing computer crime law. The Subcommittee on Criminal Law, under Senator Laxalt's leadership, and its House counterpart, the Subcommittee on Crime, have crafted well-considered and constructive legislation, and we are pleased to support it. 1 Bureau of Justice Statistics, Report on Electronic Funds Transfer Fraud, March 1985, NCJ96666. 2 Report on Computer Crime; Task Force on Computer Crime, Section of Criminal Justice, American Bar Association; June 1984) 3 Ibid., pp. 1618, Table 12. 4 Ibid., p. 38. 5 Ibid., pp. 3640. 6 Ibid., p. 44. 7 Ibid., p. 23, Table 17. 8 Ibid., p. 11, Table 8. 9 Ibid., p. 23, Table 17. 9a. 98 S.Ct. 2864, 57 L.Ed.2d 854. 10 Statement of Victoria Toensing, Deputy Assistant Attorney General, Criminal Division; before the Senate Judiciary Committee, April 16, 1986. 11 Ibid. 12 Ibid.
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
S. REP.Ca-se2 :07-cv-01658-PJH 99 43 4
Document657-112
Filed03/03/10 Page15 of 15Page 14
13 Statement by John C. Keeney, Deputy Assistant Attorney General, Criminal Division; before the Senate Subcommittee on Oversight of Government Management, Committee on Governmental Affairs; October 26, 1983. 14 See, Statement of Victoria Toensing, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice, before the Senate Judiciary Committee; April 16, 1986. S. Rep. No. 432, 99TH Cong., 2ND Sess. 1986, 1986 U.S.C.C.A.N. 2479, 1986 WL 31918, S. REP. 99-432 (Leg.Hist.) END OF DOCUMENT
© 2010 Thomson Reuters. No Claim to Orig. US Gov. Works.
]]>
