[Congressional Record Volume 150, Number 106 (Thursday, September 9, 2004)]
[Senate]
[Page S9036]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. FEINGOLD:
  S. 2783. A bill to clarify conditions for the interceptions of 
computer trespass communications under the USA-PATRIOT Act; to the 
Committee on the Judiciary.
  Mr. FEINGOLD. Mr. President, I am pleased to introduce the Computer 
Trespass Clarification Act of 2004, which would amend and clarify 
section 217 of the USA-PATRIOT Act. Section 217 addresses the 
interception of computer trespass communications. This bill would 
modify existing law to more accurately reflect the intent of the 
provision, and also protect against invasions of privacy.
  Section 217 was designed to permit law enforcement to assist computer 
owners who are subject to denial of service attacks or other episodes 
of hacking. The original Department of Justice draft of the bill that 
later became the PATRIOT Act included this provision. A section-by-
section analysis provided by the Department on September 19, 2001, 
stated the following:
       Current law may not allow victims of computer trespassing 
     to request law enforcement assistance in monitoring 
     unauthorized attacks as they occur. Because service providers 
     often lack the expertise, equipment, or financial resources 
     required to monitor attacks themselves as permitted under 
     current law, they often have no way to exercise their rights 
     to protect themselves from unauthorized attackers. Moreover, 
     such attackers can target critical infrastructures and engage 
     in cyberterrorism. To correct this problem, and help to 
     protect national security, the proposed amendments to the 
     wiretap statute would allow victims of computer attacks to 
     authorize persons ``acting under color of law'' to monitor 
     trespassers on their computer systems in a narrow class of 
     cases.

  I strongly supported the goal of giving computer system owners the 
ability to call in law enforcement to help defend themselves against 
hacking. Including such a provision in the PATRIOT Act made a lot of 
sense. Unfortunately, the drafters of the provision made it much 
broader than necessary, and refused to amend it at the time we debated 
the bill in 2001. As a result, the law now gives the government the 
authority to intercept communications by people using computers owned 
by others as long as they have allegedly engaged in some unauthorized 
activity on the computer, and the owner gives permission for the 
computer to be monitored.
  Only people who have a ``contractual relationship'' with the owner 
allowing the use of a computer are exempt from the definition of a 
computer trespasser under section 217 of the PATRIOT Act. Many people--
for example, college students, patrons of libraries, Internet cafes or 
airport business lounges, and guests at hotels--use computers owned by 
others with permission, but without a contractual relationship. They 
could end up being the subject of government snooping if the owner of 
the computer gives permission to law enforcement.
  My bill would clarify that someone who has been given permission to 
use a computer by the owner or operator of that computer is not a 
computer trespasser. It would bring the existing computer trespass 
provision in line with the purpose of section 217 as expressed in the 
Department of Justice's initial explanation of the provision. Section 
217 was intended to target only a narrow class of people: unauthorized 
cyberhackers. It was not intended to give the government the 
opportunity to engage in widespread surveillance of computer users 
without a warrant.
  We don't know, of course, whether such surveillance is taking place. 
Unless criminal charges are brought against someone as a result of such 
surveillance, there would never be any notice at all that the 
surveillance has taken place. The computer owner authorizes the 
surveillance, and the FBI carries it out. There is no warrant, no court 
proceeding, no opportunity even for the subject of the surveillance to 
challenge the assertion of the computer owner that some unauthorized 
use of the computer has occurred.
  The Computer Trespass Clarification Act would modify the computer 
trespass provision to protect against abuse, while still maintaining 
its usefulness in cases of denial of service attacks and other forms of 
hacking.
  First, it would require that the owner or operator of the protected 
computer authorizing the interception has been subject to 
``communications activity that threatens the integrity or operation of 
such computer.'' In other words, the owner has to be the target of some 
kind of hacking.
  Second, the bill would clarify that to be excluded from the 
definition of computer trespasser, a person who has permission to use a 
computer does not need to have a contractual relationship granting that 
permission.
  Third, the bill limits the length of warrant-less surveillance to 96 
hours. This is twice as long as is allowed for an emergency wiretap. 
With four days of surveillance, it should not be difficult for the 
government to gather sufficient evidence of wrongdoing to obtain a 
warrant if continued surveillance is necessary.
  In addition, the bill would require the Attorney General to annually 
report on the use of Section 217 to the Senate and House Judiciary 
Committees. Section 217 is one of the provisions that is subject to the 
sunset provision in the PATRIOT Act and will expire at the end of 2005. 
We in the Congress need to do more oversight of the use of this and 
other provisions of the PATRIOT Act in order to evaluate their 
effectiveness.
  The computer trespass provision now in the law as a result of section 
217 of the PATRIOT Act leaves open the possibility for significant and 
unnecessary invasions of privacy. The reasonable and modest changes to 
the provision contained in this bill preserve the usefulness of the 
provision for investigations of cyberhacking, but reduce the 
possibility of abuse. We must continually seek to balance the need for 
effective tools to fight crime and terrorism and the civil liberties of 
our citizens. The Computer Trespass Clarification Act strikes the right 
balance and I urge my colleagues to support it.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 2783

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Computer Trespass 
     Clarification Act of 2004''.

     SEC. 2. AMENDMENTS TO TITLE 18.

       (a) Definitions.--Section 2510(21)(B) of title 18, United 
     States Code, is amended by--
       (1) inserting ``or other'' after ``contractual''; and
       (2) striking for ``for access'' and inserting ``permitting 
     access''.
       (b) Interception and Disclosure.--Section 2511(2)(i) of 
     title 18, United States Code, is amended--
       (1) in clause (I), by inserting after ``the owner or 
     operator of the protected computer'' the following: ``is 
     attempting to respond to communications activity that 
     threatens the integrity or operation of such computer and 
     requests assistance to protect rights and property of the 
     owner or operator, and''; and
       (2) in clause (IV), by inserting after ``interception'' the 
     following: ``ceases as soon as the communications sought are 
     obtained or after 96 hours, whichever is earlier, unless an 
     interception order is obtained under this chapter, and''.
       (c) Report.--The Attorney General shall annually report to 
     the Committees on the Judiciary of the Senate and the House 
     of Representatives on the use of section 2511 of title 18, 
     United States Code, relating to computer trespass provisions 
     as amended by subsection (b).
                                 ______