[Congressional Record Volume 151, Number 12 (Tuesday, February 8, 2005)]
[Senate]
[Pages S1133-S1134]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. FEINGOLD:
  S. 318. A bill to clarify conditions for the interceptions of 
computer trespass communications under the USA-PATRIOT Act; to the 
Committee on the Judiciary.
  Mr. FEINGOLD. Mr. President, I am pleased to introduce the Computer 
Trespass Clarification Act of 2005, which would amend and clarify 
section 217 of the USA-PATRIOT Act. This bill is virtually identical to 
a bill I introduced in the 108th Congress, S. 2783.
  Section 217 of the PATRIOT Act addresses the interception of computer 
trespass communications. This bill would modify existing law to more 
accurately reflect the intent of the provision, and also protect 
against invasions of privacy.
  Section 217 was designed to permit law enforcement to assist computer 
owners who are subject to denial of service attacks or other episodes 
of hacking. The original Department of Justice draft of the bill that 
later became the PATRIOT Act included this provision. A section by 
section analysis provided by the Department on September 19, 2001, 
stated the following: ``Current law may not allow victims of computer 
trespassing to request law enforcement assistance in monitoring 
unauthorized attacks as they occur. Because service providers often 
lack the expertise, equipment, or financial resources required to 
monitor attacks themselves as permitted under current law, they often 
have no way to exercise their rights to protect themselves from 
unauthorized attackers. Moreover, such attackers can target critical 
infrastructures and engage in cyberterrorism. To correct this problem, 
and help to protect national security, the proposed amendments to the 
wiretap statute would allow victims of computer attacks to authorize 
persons `acting under color of law' to monitor trespassers on their 
computer systems in a narrow class of cases.''
  I strongly supported the goal of giving computer system owners the 
ability to call in law enforcement to help defend themselves against 
hacking. Including such a provision in the PATRIOT Act made a lot of 
sense. Unfortunately, the drafters of the provision made it much 
broader than necessary, and refused to amend it at the time we debated 
the bill in 2001. As a result, the law now gives the government the 
authority to intercept communications by people using computers owned 
by others as long as they have engaged in some unauthorized activity on 
the computer, and the owner gives permission for the computer to be 
monitored--all without judicial approval.
  Only people who have a ``contractual relationship'' with the owner 
allowing the use of a computer are exempt from the definition of a 
computer trespasser under section 217 of the PATRIOT Act. Many people--
for example, college students, patrons of libraries, Internet cafes or 
airport business lounges, and guests at hotels--use computers owned by 
others with permission, but without a contractual relationship. They 
could end up being the subject of government snooping if the owner of 
the computer gives permission to law enforcement.
  My bill would clarify that a computer trespasser is not someone who 
has permission to use a computer by the owner or operator of that 
computer. It would bring the existing computer trespass provision in 
line with the purpose of section 217 as expressed in the Department of 
Justice's initial explanation of the provision. Section 217 was 
intended to target only a narrow class of people: Unauthorized

[[Page S1134]]

cyberhackers. It was not intended to give the government the 
opportunity to engage in widespread surveillance of computer users 
without a warrant.
  I should note that there is no specific evidence that the provision 
is being abused. But, of course, unless criminal charges are brought 
against someone as a result of such surveillance, there would never be 
any notice at all that the surveillance has taken place. The computer 
owner authorizes the surveillance, and the FBI carries it out. There is 
no warrant, no court proceeding, no opportunity even for the subject of 
the surveillance to challenge the assertion of the owner that some 
unauthorized use of the computer has occurred.
  My bill would modify the computer trespass provision in the following 
ways to protect against abuse, while still maintaining its usefulness 
in cases of denial of service attacks and other forms of hacking.
  First, it would require that the owner or operator of the protected 
computer authorizing the interception has been subject to ``an ongoing 
pattern of communications activity that threatens the integrity or 
operation of such computer.'' In other words, the owner has to be the 
target of some kind of hacking.
  Second, the bill limits the length of warrantless surveillance to 96 
hours. This is twice as long as is allowed for an emergency wiretap. 
With four days of surveillance, it should not be difficult for the 
government to gather sufficient evidence of wrongdoing to obtain a 
warrant if continued surveillance is necessary.
  Finally, the bill would require the Attorney General to annually 
report on the use of Section 217 to the Senate and House Judiciary 
Committees. Section 217 is one of the provisions that is subject to the 
sunset provision in the PATRIOT Act and will expire at the end of 2005. 
We in the Congress need to do more oversight of the use of this and 
other provisions of PATRIOT Act in order to evaluate their 
effectiveness.
  The computer trespass provision now in the law as a result of section 
217 of the PATRIOT Act leaves open the possibility for significant and 
unnecessary invasions of privacy. The reasonable and modest changes to 
the provision contained in this bill preserve the usefulness of the 
provision for investigations of cyberhacking, but reduce the 
possibility of government abuse. We must continually seek to balance 
the need for effective tools to fight crime and terrorism against the 
civil liberties of our citizens. The Computer Trespass Clarification 
Act strikes the right balance, and I urge my colleagues to support it.
  I ask unanimous consent that the text of the bill be printed in the 
Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                 S. 318

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Computer Trespass 
     Clarification Act of 2005''.

     SEC. 2. AMENDMENTS TO TITLE 18.

       (a) Definitions.--Section 2510(21)(B) of title 18, United 
     States Code, is amended by--
       (1) inserting ``or other'' after ``contractual''; and
       (2) striking ``for access'' and inserting ``permitting 
     access''.
       (b) Interception and Disclosure.--Section 2511(2)(i) of 
     title 18, United States Code, is amended--
       (1) in clause (I), by inserting after ``the owner or 
     operator of the protected computer'' the following: ``is 
     attempting to respond to communications activity that 
     threatens the integrity or operation of such computer and 
     requests assistance to protect rights and property of the 
     owner or operator, and''; and
       (2) in clause (IV), by inserting after ``interception'' the 
     following: ``ceases as soon as the communications sought are 
     obtained or after 96 hours, whichever is earlier, unless an 
     interception order is obtained under this chapter, and''.
       (c) Report.--The Attorney General shall, within 60 days of 
     enactment and annually thereafter, report to the Committees 
     on the Judiciary of the Senate and the House of 
     Representatives on the use during the previous year of 
     section 2511 of title 18, United States Code, relating to 
     computer trespass provisions as amended by subsection (b).
                                 ______