[Congressional Record Volume 153, Number 187 (Friday, December 7, 2007)]
[Senate]
[Pages S15032-S15033]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. FEINGOLD:
  S. 2434. A bill to clarify conditions for the interceptions of 
computer trespass communications under the USA-PATRIOT Act; to the 
Committee on the Judiciary.
  Mr. FEINGOLD. Mr. President, I am pleased to introduce the Computer 
Trespass Clarification Act of 2007, which would amend and clarify 
section 217 of the USA PATRIOT Act. This bill is virtually identical to 
a bill I introduced in the 109th Congress.
  Section 217 of the Patriot Act addresses the interception of computer 
trespass communications. This bill would modify existing law to more 
accurately reflect the intent of the provision, and also protect 
against invasions of privacy.
  Section 217 was designed to permit law enforcement to assist computer 
owners who are subject to denial of service attacks or other episodes 
of hacking. The original Department of Justice draft of the bill that 
later became the Patriot Act included this provision. A section by 
section analysis provided by the Department on September 19, 2001, 
stated the following:

       Current law may not allow victims of computer trespassing 
     to request law enforcement assistance in monitoring 
     unauthorized attacks as they occur. Because service providers 
     often lack the expertise, equipment, or financial resources 
     required to monitor attacks themselves as permitted under 
     current law, they often have no way to exercise their rights 
     to protect themselves from authorized attackers. Moreover, 
     such attackers can target critical infrastructures and engage 
     in cyberterrorism. To correct this problem, and help to 
     protect national security, the proposed amendments to the 
     wiretap statute would allow victims of computer attacks to 
     authorize persons ``acting under color of law'' to monitor 
     trespassers on their computer systems in a narrow class of 
     cases.

  I strongly supported the goal of giving computer system owners the 
ability to call in law enforcement to help defend themselves against 
hacking. Including such a provision in the Patriot Act made a lot of 
sense. Unfortunately, the drafters of the provision made it much 
broader than necessary, and refused to amend it at the time we debated 
the bill in 2001. As a result, the law now gives the government the 
authority to intercept communications by people using computers owned 
by others as long as they have engaged in some unauthorized activity on 
the computer, and the owner gives permission for the computer to be 
monitored--all without judicial approval.
  Only people who have a ``contractual relationship'' with the owner 
allowing the use of a computer are exempt from the definition of a 
computer trespasser under section 217 of the Patriot Act. Many people--
for example, college students, patrons of libraries, Internet cafes or 
airport business lounges, and guests at hotels--use computers owned by 
others with permission, but without a contractual relationship. They 
could end up being the subject of Government snooping if the owner of 
the computer gives permission to law enforcement.
  My bill would clarify that a computer trespasser is not someone who 
has permission to use a computer by the owner or operator of that 
computer. It would bring the existing computer trespass provision in 
line with the purpose of section 217 as expressed in the Department of 
Justice's initial explanation of the provision. Section 217 was 
intended to target only a narrow class of people: unauthorized 
cyberhackers. It was not intended to give the government the 
opportunity to engage in widespread surveillance of computer users 
without a warrant.
  Another problem is that unless criminal charges are brought against 
someone as a result of such surveillance, there would never be any 
notice at all that the surveillance has taken place. The computer owner 
authorizes the surveillance, and the FBI carries it out.
  There is no warrant, no court proceeding, no opportunity even for the 
subject of the surveillance to challenge the assertion of the owner 
that some unauthorized use of the computer has occurred.
  My bill would modify the computer trespass provision in the following 
additional ways to protect against abuse, while still maintaining its 
usefulness in cases of denial of service attacks and other forms of 
hacking.
  First, it would require that the owner or operator of the protected 
computer authorizing the interception has been subject to ``an ongoing 
pattern of communications activity that threatens the integrity or 
operation of such computer.'' In other words, the owner has to be the 
target of some kind of hacking.
  Second, the bill limits the length of warrantless surveillance to 96 
hours. This is twice as long as is allowed for an emergency criminal 
wiretap. With four days of surveillance, it should not be difficult for 
the government to gather sufficient evidence of wrongdoing to obtain a 
warrant if continued surveillance is necessary.
  Finally, the bill would require the Attorney General to report 
annually on the use of Section 217 to the Senate and House Judiciary 
Committees. Section 217 was originally subject to the sunset provision 
in the Patriot Act and therefore would have expired at the end of 2005. 
However, the USA PATRIOT Improvement and Reauthorization Act, which 
became law in March 2006, made this provision permanent. Congress needs 
to do more oversight of the use of this provision.
  The computer trespass provision now in the law as a result of section 
217 of the PATRIOT Act leaves open the potential for significant and 
unnecessary invasions of privacy. The reasonable and modest changes to 
the provision contained in this bill preserve the usefulness of the 
provision for investigations of cyberhacking, but reduce the 
possibility of government abuse. I urge my colleagues to support the 
Computer Trespass Clarification Act.
  Mr. President, I ask unanimous consent that the text of the bill be 
printed in the Record.
  There being no objection, the text of the bill was ordered to be 
printed in the Record, as follows:

                                S. 2434

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Computer Trespass 
     Clarification Act of 2007''.

     SEC. 2. AMENDMENTS TO TITLE 18.

       (a) Definitions.--Section 2510(21)(B) of title 18, United 
     States Code, is amended by--
       (1) inserting ``or other'' after ``contractual''; and

[[Page S15033]]

       (2) striking ``for access'' and inserting ``permitting 
     access''.
       (b) Interception and Disclosure.--Section 2511(2)(i) of 
     title 18, United States Code, is amended--
       (1) in clause (I), by inserting ``is attempting to respond 
     to communications activity that threatens the integrity or 
     operation of such computer and requests assistance to protect 
     the rights and property of the owner or operator, and'' after 
     ``the owner or operator of the protected computer''; and
       (2) in clause (IV), by inserting ``ceases as soon as the 
     communications sought are obtained or after 96 hours, 
     whichever is earlier (unless an order authorizing or 
     approving the interception is obtained under this chapter) 
     and'' after ``interception''.
       (c) Report.--Not later than 60 days after the date of 
     enactment of this Act, and annually thereafter, the Attorney 
     General shall submit a report to the Committee on the 
     Judiciary of the Senate and the Committee on the Judiciary 
     the House of Representatives on the use of section 2511 of 
     title 18, United States Code, relating to computer trespass 
     provisions, as amended by subsection (b), during the year 
     before the year of that report.
                                 ______