Developments in Criminal Liability and the Internet

R. Christopher Cook, Steven M. Davis, and Heather Newton* JONES DAY WASHINGTON, D.C.

The past several years have seen important changes affecting the intersection between criminal law and the Internet. At a time when the nation is struggling with how best to counter the threat of terrorism at home and abroad, legislators have provided law enforcement with powerful new tools to investigate and prosecute potential threats. With the growth of the Internet and worldwide communications, these laws have implications for those in the telecommunications, data storage, banking, and other high-technology industries. The most visible legislative trend in recent years was the effort of lawmakers to broaden criminal penalties while simultaneously reducing the government’s burden of proof in a variety of areas. The Patriot Act is a prime example of such an approach. As discussed below, the Patriot Act’s comprehensive approach has updated a variety of areas of criminal law to deal with the technological changes and challenges wrought by the Internet’s rapid development. Not all of Congress’s efforts have been successful. In the area of Internet content regulation, legislation has faced constitutional challenges, many successful. Some criminal laws have been successful in updating existing prohibitions, such as the ban on distribution or creation of child pornography. Other efforts have failed, including attempts to protect minors from accessing pornographic materials.

THE USA PATRIOT ACT Congress passed the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“Patriot Act”), Pub. L. No. 107-56, in the wake of the September 11, 2001, terrorist attacks on the United States. Both the Senate and the House of Representatives passed the Patriot Act by overwhelming margins, but the surveillance and search powers authorized by the law have since been criticized as overbroad. In the years since the Patriot Act was enacted, over 300 municipalities and four states—Alaska, Hawaii, Maine, and Vermont—have passed resolutions against the law. In addition, the Patriot Act has also faced judicial scrutiny. In January 2004, a federal judge ruled that a portion of the Patriot Act that bars giving expert advice or assistance to groups designated as international terrorist organizations is impermissibly vague, in violation of the First and Fifth Amendments.1 This ruling was the first court decision to strike down a provision of the law. The Patriot Act has also faced other constitutional challenges. The American Civil Liberties Union (“ACLU”) filed suit in federal court on behalf of various organizations that allege that they or their members have been targets of investigations conducted under Section 215 of the Patriot Act.2 The organizations include an Arab-American civil rights organization, a Muslim community group that operates a mosque and school, and a refugee center. Even under the Patriot Act, the government continues to need at least a warrant and probable cause to access private records. Since 1978, federal agents have been able to obtain a secret warrant when investigating matters relating to foreign intelligence under the Foreign Intelligence Surveillance Act (“FISA”). 50 USC §§ 1801 et seq. Such warrants are issued by a special federal court in Washington, D.C., with top-secret security clearances. 50 §§ USC 1861, 1803(a). Section 215 of the Patriot Act amended the FISA by lowering the proof intelligence

* R. Christopher Cook is a Partner in the Corporate Criminal Investigations Section of Jones Day in Washington, D.C. Steven M. Davis is an associate at Jones Day in Washington, D.C. Heather Newton is a student at Georgetown University Law Center, J.D. expected February 2005. Special thanks to Summer Associates Mark P. Hadley and Tom Bednar. 1 Humanitarian Law Project, et al., v. Ashcroft, et al., 352 F3d 382 (9th Cir 2003). 2 Muslim Community Association of Ann Arbor v. Ashcroft, 2003 ILRWeb (P&F) 2212, No. 03-72913 (ED Mich July 30, 2003).

© 2004, Pike & Fischer, Inc. 1 PIKE & FISCHER INTERNET LAW & REGULATION officers must submit before being entitled to obtain a warrant from this court. Under Section 215, the FBI can seek an order requiring the production of “any tangible thing,” which may include books, records, papers, and other documents, from anyone for investigations involving foreign intelligence or international terrorism. Before passage of the Patriot Act, agents were required to show probable cause that items were sought pursuant to an investigation of a person involved in criminal activity or of a foreign agent or foreign power. 50 USC §1861(b)(2). Under Section 215 of the Patriot Act, intelligence officers need only certify to the FISA Court that the records are “sought for” an ongoing foreign intelligence investigation conducted to protect against international terrorism for the court to issue the order. In Muslim Community Association of Ann Arbor v. Ashcroft, the ACLU charged that the “sought for” standard in Section 215 of the Patriot Act fails to meet the warrant and probable-cause requirements set out by the Fourth Amendment, and that the scope of information that government officials could access without Fourth Amendment safeguards chills free expression in violation of the First Amendment. A decision in this case is still pending. In another challenge to Section 215 of the Patriot Act, the Electronic Privacy Information Center (“EPIC”), the ACLU, and various libraries and booksellers’ organizations submitted a Freedom of Information Act (“FOIA”) request to the FBI on October 23, 2003, seeking information about the scope and implementation of Section 215. The FBI denied expedited processing, and EPIC and the ACLU filed suit in federal court seeking the immediate release of the requested records. On May 10, 2004, a U.S. district judge ordered the FBI to process the request expeditiously.3 The FBI released some records in June 2004, with more documents scheduled for release in the subsequent months. In spite of these challenges, the Patriot Act remains viable law. The Patriot Act addresses a wide variety of substantive legal areas and, as a whole, updates and broadens the scope of numerous statutes that relate to criminal liability and the Internet. The Patriot Act’s impact on Internet activity was most significant in three areas: search and seizure, disclosures by communications service providers, and computer security. The Patriot Act contains a sunset provision which terminates many of its provisions on December 31, 2005. Thereafter, the Patriot Act’s authority pursuant to those provisions remains in effect only to investigations begun or to offenses that occurred before that date. The provisions of the Patriot Act that will sunset include sections authorizing wiretapping in computer fraud and abuse cases, seizure of voicemail messages pursuant to warrants, emergency disclosure of electronic surveillance, pen register/trap and trace authority pursuant to the FISA, interception of computer trespasser communications, and nationwide service of search warrants for electronic evidence. The sunset provision does not apply to the expansion of pen register/trap and trace authority to monitoring Internet usage; expansion of law enforcement authority over cable providers, or to expanded scope of subpoenas for electronic evidence. Search and Seizure The Patriot Act has significantly impacted the area of search and seizure law. The Act provides for a wide variety of changes to existing laws—amendments that make investigations easier and provide the government with broad new powers. Prior to the Act’s passage, technological convergence between voice and data communications and storage had led to significant difficulties for investigators. Because of historical accident, electronically-stored voice messages were entitled to greater protection than similarly stored text messages. The Electronic Communications Privacy Act (ECPA) governed access to stored electronic communications (i.e., e-mail) but not to stored wire communications (i.e., voice messages). See 18 USC §2703 et seq. Access to wire communications stored with third parties was instead covered by the wiretap statute and therefore required that investigators obtain a wiretap order, as opposed to a search warrant, before accessing such stored voice communications. See 18 USC §2510(1). Wiretap orders, of course, are much more difficult to obtain than search warrants and require a detailed application to a judicial officer. Not surprisingly, the government sought to reduce this burden to the comparatively easy task of obtaining a search warrant from a judicial officer. This argument was not without merit. Traditionally, the seizure of real-time communications implicates greater privacy concerns than does seizure of stored communications. With e-mails, for example, the government already was subject to greater restrictions when intercepting messages during transmission. See 18 USC §§ 2703(a), 2518. Additionally, the separate requirements for seizure of stored e-mails and voice messages did not account for the merging of data and voice communications brought about by developing technology. For example, MIME (Multipurpose Internet Mail Extensions) technology allowed e-mail to include both voice and video recordings.

3 ACLU and EPIC v. Department of Justice, Civil Action No. 03-2522 (D DC).

Thus, the government argued, investigators had no way of knowing whether an unopened e-mail seized pursuant to a valid search warrant would contain stored voice data for which a wiretap order would have been required. Section 209 of the Patriot Act resolved this dilemma by altering the way in which stored wire communications are treated. See Patriot Act §209. The Act amends the ECPA to include stored wire communications under that statute’s procedures while striking the “electronic storage” portion of §2510. See id. Law enforcement officials can now seize such stored communications via a search warrant even if it includes a voice communication. Section 209 will expire on December 31, 2005. Another substantial change wrought by the Patriot Act is the resolution of a conflict between the Cable Act, 47 USC §551, the ECPA, the Wiretap statute, and the pen register and trap and trace statute, 18 USC §3121 et seq. Numerous courts have noted the inherent conflict between these statutes. See, e.g., In re Application of the United States of America for an Order Pursuant to 18 USC §2703(d), 8 ILR (P&F) 507, 157 F Supp 2d 286, 290 (SD NY 2001) (citing cases). The conflict arose when cable companies began to offer Internet and telephone service. The Cable Act severely restricts access to information concerning a cable subscriber. The Act states that, before obtaining information about a cable subscriber from a cable service provider, the government must apply for a court order and offer “clear and convincing evidence” that the subscriber is “reasonably suspected” of engaging in criminal activity and that the information sought would be material to the case. 47 USC §551(h). The Act also provides that the subject identified by such information must be “afforded the opportunity to appear and contest” such a claim. See id. §551(h)(2). In contrast, the ECPA requires that a provider of electronic communications service not disclose the existence of a court order requiring production of personal information about a customer or subscriber. See 18 USC §2705(b). Some cable companies refused to comply with subpoenas issued under other statutes that sought to obtain customer records because of the Cable Act’s restrictions and their inconsistency with these other statutes, most notably the conflict between the notice provisions of the Cable Act and the ECPA.4 The Patriot Act amends the Cable Act to make clear that, where a given subscriber receives both cable and Internet service from a provider, the Cable Act applies with regard to the provision of traditional cable television services, and the ECPA and other statutes govern disclosures relating to communications services. See Patriot Act §211; 47 USC §551(c)(2)(D). In other words, after the Patriot Act, while a customer’s selection of video programming from a cable operator continues to be subject to the greater protections of the Cable Act, that customer’s records relating to Internet services are now clearly subject to disclosure to a governmental entity under the ECPA. On a related subject, the Patriot Act also modifies the pen register and trap and trace statute to reflect the realities of modern electronic communications. The Act resolves any ambiguity regarding the statute’s application to electronic, as opposed to telephonic, communications. Section 216 of the Act updates the statutory language to apply to a variety of modern electronic communications and the evolving methods used to monitor those communications. See Patriot Act §216.5 For example, instead of applying only to a “telephone line,” the Act broadens the law to apply to “the telephone line or other facility to which the pen register or trap and trace device is to be attached or applied.” See 18 USC §3123(b)(1)(A). These facilities could include cellular phones, Internet addresses, or other modern communications methods unforeseen in the original statute. Thus, under Section 216, government agencies may obtain a court order to use pen registers and trap and trace devices to capture routing and addressing information used in Internet communications. By their descriptive nature, Internet addresses may reveal information about the content of web sites that an Internet user visits, even though Section 216 does not authorize the capture of content of any wire or electronic communication. Additionally, under Section 216, federal law enforcement can now obtain pen register and trap and trace orders with nationwide effect. In the past, investigations were hampered by the geographic and jurisdictional restrictions on installing such devices—each service provider and geographic region through which a communication passed arguably required a new court order from a local federal court. The Patriot Act seeks to remedy this problem by giving federal judges the authority to require necessary assistance from any communications provider in the United States.6 See Patriot Act §216; 18 USC §3123(a)(1). A court need not have geographic jurisdiction to issue these

4 See, e.g., In re Application of the United States of America For an Order Pursuant to 18 USC §2703(d), 8 ILR (P&F) 536, 158 F Supp 2d 644, 647-48 (D Md 2001) (recognizing conflict and noting that there is little authority addressing it) (citing cases). 5 Additionally, the Patriot Act reaffirms that, while pen register and trap and trace devices may access any and all non- content information in electronic communications, they may not intercept any content from such communications. 6 Because a communication may be carried by a variety of service providers, subsequent providers for a given communication will frequently be unknown at the time the order issues. The statute provides, therefore, that “[w]henever such

© 2004, Pike & Fischer, Inc. 3 PIKE & FISCHER INTERNET LAW & REGULATION new orders. Due to the nationwide scope of the orders, a given court must merely have subject matter jurisdiction over the offense being investigated. See 18 USC §3127(2)(A). Section 216 is not scheduled to sunset on December 31, 2005. Section 214 of the Patriot Act makes several adjustments to the procedures that authorize the use of pen register/trap and trace devices pursuant to FISA. FISA authorized applications for the use of such devices to acquire information from the wire communications of suspects relevant to a foreign intelligence or international terrorism investigation, and required investigators to make an additional certification that the communications being monitored were likely related to terrorist activity. Section 214 of the Patriot Act authorizes the use of FISA pen register/trap and trace devices for both wire and electronic communications—including Internet usage, e-mail addresses, and URL identifiers—and drops the certification requirement. Now, law enforcement officers must only show that the information they seek is relevant to an ongoing criminal investigation. Section 214 does require, however, that a FISA pen register/trap and trace devices may not be used to investigate a U.S. person solely on activities protected by the First Amendment to the U.S. Constitution. Section 214 is scheduled to expire on December 31, 2005. Moreover, the Patriot Act authorizes courts to issue nationwide search warrants for e-mail. Under the ECPA, the government must obtain a search warrant, rather than just a subpoena, when seeking to compel production of unopened e-mail that is less than six months old. See 18 USC §2703(a). Under the pre-Patriot Act system, numerous courts refused to issue such warrants for e-mail located outside their geographic jurisdiction. See Fed. R. Crim. P. 41(a) (granting authority to issue warrants “within the district”). Not surprisingly, the government believed that this geographic limitation constituted an unnecessary administrative burden and risked slowing time- sensitive investigations. In response to these concerns, the Patriot Act amends the ECPA to allow the use of warrants under that statute even outside the issuing court’s district. See Patriot Act §220; see e.g., 18 USC §2703(a) (allowing nationwide e-mail search warrants). The authority under Section 220 terminates on December 31, 2005, except with respect to crimes or potential crimes that occurred before that date. Pursuant to Section 219, however, Section 220’s provisions will not sunset in cases of international or domestic terrorism. Disclosures by Communications Service Providers The Patriot Act also has a significant impact on the information that communications service providers may voluntarily disclose. First, the Act amends the ECPA to handle separately those disclosures that Internet service providers (ISPs) may make voluntarily and those that they are required to make by law. Section 2702 now covers all voluntary disclosures by service providers, and Section 2703 covers only compulsory disclosures. See Patriot Act §212; 18 USC §§ 2702-03. The Act also permits a communication service provider to disclose to law enforcement both message content and non-content customer records in emergency situations involving an imminent danger of death or serious physical injury.7 See Patriot Act §212.8 Finally, the ECPA, as amended, allows service providers to disclose voluntarily non-content records to law enforcement in order to ensure the “protection of the rights or property of the provider of that service.”9 18 USC §2702(c)(3). The ECPA provides for both civil and criminal remedies for disclosures which violate that Act’s provisions.10 See 18 USC §§ 2701(b), 2707. Suppression of the invalidly disclosed information, however, does not appear to be available to criminal defendants under the ECPA. See, e.g., United States v. Kennedy, 4 ILR (P&F) 527, 81 F Supp 2d 1103, 1110 (D Kan 2000). The statute not only fails to speak to the suppression of information in a court proceeding, but specifically states that the “remedies and sanctions described in [the ECPA] are the only judicial an order is served on any person or entity not specifically named in the order, upon request of such person or entity, the attorney for the Government or law enforcement or investigative officer that is serving the order shall provide written or electronic certification that the order applies to the person or entity being served.” 18 USC §3123(a)(1). 7 The language of the statute, however, is permissive and does not create any affirmative duty on the part of the service provider to review customer communications to find such threats. See 18 USC §2702(b). 8 This exception has since been expanded even further, however. See infra (discussing the Cyber Security Enhancement Act). 9 Previously, the ECPA permitted service providers to voluntarily disclose the content of communications only to protect themselves. The amendment remedies this inconsistency. 10 This is not to suggest that civil remedies are available when a provider acts pursuant to a court order. In fact, Section 815 of the Patriot Act supplements the existing defenses to damage actions based on a violation of the ECPA. The Act amends the ECPA to clarify that “statutory authorization” defense includes reliance on a government request to preserve electronic evidence under Section 2703(f). See 18 USC §2707(e)(1).

4 © 2004, Pike & Fischer, Inc. DEVELOPMENTS IN CRIMINAL LIABILITY AND THE INTERNET remedies and sanctions for nonconstitutional violations” of the Act. See 18 USC §2708. The Cable Act, discussed above, also speaks only of civil remedies and also does not provide for exclusion of evidence. See 47 USC §551(f); Kennedy, 81 F Supp 2d at 1110. Under both statutes, however, violators are potentially liable for actual damages, punitive damages, and attorney’s fees. See id.; 18 USC §2707. The Patriot Act also expands the information that government investigators can obtain from a “provider of electronic communication service” via subpoena. Patriot Act §210. In the past, investigators could obtain the customer’s name, address, length of service, and payment method by subpoena. Other records, such as credit card numbers, were available only by obtaining a search warrant. The government contended, however, that many users registered with ISPs by submitting false name and address information, and that a user’s payment information was the only source of uncovering a user’s true identity. In addition, a user’s billing records often provided investigators with valuable information about the user’s financial accounts. Congress agreed and, in Section 210 of the Patriot Act, broadened the scope of subscriber information that investigators may obtain from electronic communications service providers to include a customer’s means and source of payment. Section 210 will not sunset on December 31, 2005. In addition, although §2703(c) of the ECPA listed records that investigators could obtain by subpoena relating to telephone usage, the statute failed to enumerate the corresponding terms for electronic communications. To cure these perceived problems, the Patriot Act amends §2703 to permit subpoenas covering temporarily assigned network addresses; session records, including times and duration; and any credit card or bank information used to pay for service. See 18 USC §§ 2703(c)(2), 2703(c)(2)(F). Computer Security The Patriot Act also increased the number of tools available to law enforcement officials to investigate computer trespassers. Section 217 of the Patriot Act defines a computer trespasser as a person who accesses a protected computer without authorization, although a person with an existing contractual relationship with the owner or operator of the computer is not included in the definition’s scope. A computer trespasser, sometimes called a hacker, attempts to gain unauthorized access (or access that exceeds authorization) to computer networks in order to read, copy, alter, or destroy information. Traditionally, hacking has been prosecuted under the Computer Fraud and Abuse Act (“CFAA”) as amended by the National Information Infrastructure Protection Act of 1996. 18 USC §1030. The Patriot Act, however, has made several important changes to the CFAA regarding the investigation and prosecution of hackers. In the past, law enforcement’s efforts to investigate computer hacking crimes were hampered because prior law prohibited anyone from intentionally intercepting or disclosing the contents of any intercepted communications without complying with the wiretap requirements of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (“Title III”). See 18 USC §§ 2510-2522. Section 202 of the Patriot Act adds the computer fraud and abuse offenses identified in CFAA to the list of predicate offenses for which wiretaps may be ordered under Title III. Section 202 will sunset on December 31, 2005. In addition, Section 217 allows ISPs to authorize law enforcement officials to monitor trespassers on their computer systems, which enables the government to intercept the electronic communication of a computer trespasser without a court order. Further, Section 217 establishes that because a computer trespasser accesses a protected computer without authorization, the trespasser has no reasonable expectation of privacy in any communication on the protected computer. A “protected computer” is defined broadly in the CFAA, and includes any computer used in interstate or foreign commerce or communication.11 Because almost all computers are used to access the Internet to engage in interstate and/or foreign communication, such computers may fall within the reach of the Patriot Act. Section 217’s provisions are significant because the law allows searches to take place with the consent of the system owner, but prevents the computer trespasser from obtaining notice that the communications were intercepted or from asserting standing to challenge the activity, such as through a suppression proceeding. However, Section 217 does include an exception prohibiting surveillance of a person who is either known by the owner of the protected computer or who has an existing contractual relationship with the owner to access all or part of the protected computer. Section 217 will sunset on December 31, 2005. In addition, Section 814 of the Patriot Act amends the CFAA with regard to the criminal penalties applicable to computer fraud and abuse offenses. Under the CFAA, a hacker faced a penalty of five years for a first offense, but the Patriot Act raised the penalty to

11 More specifically, a “protected computer” is a computer that is used by “a financial institution or the United States Government” or a computer used in “interstate or foreign commerce or communications.” 18 USC §1030(e)(2). Although the CFA initially did not explicitly include computers outside the United States, the Patriot Act definition also encompasses foreign computers, provided that those computers “affect[ ] interstate or foreign commerce or communications of the United States.” Id.

© 2004, Pike & Fischer, Inc. 5 PIKE & FISCHER INTERNET LAW & REGULATION ten years. In addition, the maximum prison sentence available for repeat offenders had been ten years.12 The Patriot Act raises the maximum penalty for hacking to twenty years. See 18 USC §1030(c)(4). The Act, however, eliminates mandatory minimum sentences for §1030 violations. See id. Further, Section 808 of the Patriot Act adds certain computer fraud and abuse offenses to the list of violations that may constitute a federal crime of terrorism. Perhaps the most significant amendment to the CFAA for practitioners is the provision of the Patriot Act that lowers the government’s burden of proof with regard to intent. Before these changes to the CFAA, hackers were subject to criminal prosecution only if they “intentionally cause[] damage [to a protected computer] without authorization.” 18 USC §1030(a)(5)(A)(i). Damage was defined as impairment that (1) caused at least $5,000 loss; (2) modified or impaired medical treatment; (3) caused physical injury; or (4) threatened public health or safety. This language left open the question of whether the statute required an intent to impose a specific $5,000 loss or a general intent to inflict injury that caused over $5,000 in actual damages. This ambiguity provided fertile ground to challenge government prosecutions. The Patriot Act resolves this conflict. As amended by the Act, the CFAA now provides that an offender need only generally intend to cause damage to a protected computer and that the damage to the computer exceed $5,000. See 18 USC §1030(a)(5). The Patriot Act also makes the $5,000 jurisdictional requirement an explicit part of the offense. Additionally, the Act redefines “damage” as “any impairment.” 18 USC §1030(e)(8). The Patriot Act also enabled prosecutors to satisfy more easily the $5,000 jurisdictional requirement of the CFAA by allowing prosecutors to aggregate losses. Prior to the CFAA’s amendment, courts had required the government to prove $5,000 in damage to a single computer. See, e.g., Thurmond v. Compaq Computer Corp., 8 ILR (P&F) 389, 171 F Supp 2d 667, 680-81 (ED Tex 2001).13 The Patriot Act amends the CFAA to permit prosecutors to aggregate such losses in establishing the $5,000 jurisdictional threshold. See 18 USC §1030(a)(5)(B)(i). The Patriot Act also clarifies the definition of “loss” under the CFAA. Prior to the amendments wrought by the Patriot Act, courts had been left to determine a reasonable definition for “loss.” Courts differed on exactly how inclusive this definition should be and on what expenses or costs would be included in determining whether the $5,000 threshold had been met. Compare United States v. Middleton, 7 ILR (P&F) 55, 231 F3d 1207, 1210-11 (9th Cir 2000) (adopting an inclusive standard covering a wide range of harms) with Thurmond, 171 F Supp 2d at 682- 83 (rejecting plaintiffs’ attempt to include cost of legal expert in determining amount of “loss”). Congress has now answered this dispute with a broad definition of “loss,” thereby reducing further the government’s burden of proof. The Patriot Act amends the CFAA to define “loss” as including “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” See 18 USC §1030(e)(11). Finally, the Patriot Act adds several new provisions to the CFAA that relate directly to national security concerns. Ironically, the CFAA did not specifically cover attacks on criminal justice or military computer systems unless the damage done was greater than $5,000. Given the overall purpose of the Patriot Act and the environment in which it was enacted, such a change was absolutely necessary according to the government. Thus, the Patriot Act adds §1030(a)(5)(B)(v) to the CFAA, which creates new offenses for hackers who damage a government computer used “in furtherance of the administration of justice, national defense, or national security” regardless on the amount of damage done. 18 USC §1030(a)(5)(B)(v); Section 814 of the Patriot Act.

12 The maximum sentence under §1030 for first-time offenders was five years. This maximum, it was argued, failed to account for the seriousness of some of these crimes, such as the distribution of computer viruses. The creator of the “Melissa” virus, for instance, which likely caused hundreds of millions of dollars in damages, was eligible to receive only a five-year maximum sentence because he was a first-time offender. See A Virus Writer Heads to Prison, available at http://www.wired.com/news/politics/0,1283,52261,00.html (May 2, 2002) (last visited June 28, 2004). 13 Statements by several Justice Department officials also indicate that aggregation under §1030(a)(5)(A) was not permitted. For example, Attorney General Reno noted, “[W]e may need to strengthen the Computer Fraud and Abuse Act by closing a loophole that allows computer hackers who have caused a large amount of damage to a network of computers to escape punishment if no individual computer sustained over $5,000 worth of damage.” Hearing Before the Subcomm. on Commerce Justice and State; Judiciary and Related Agencies of the Senate Comm. on Appropriations, 106th Cong. (2000) (Statement of Janet Reno, Attorney General of the United States, “Cybercrime”), available at 2000 WL 11068228, at *7; see also Internet Denial of Service Attacks and Federal Response: Joint Hearing of Crime Subcomm. of the House Judiciary Comm. and the Criminal Justice Oversight Comm. of the Sen. Judiciary Comm., 106th Cong. (2000) (Testimony of Eric Holder, Esq., United States Deputy Attorney General) (noting potential problems with prosecutions).

THE CYBER SECURITY ENHANCEMENT ACT OF 2002 The changes brought about by the Patriot Act were not the only major change in Internet crime-related legislation in recent years. The Cyber Security Enhancement Act of 2002 (“CSEA”) was enacted on November 22, 2002, as part of the Homeland Security Act of 2002. Pub. L. 107-296, Title II, §225. The statute is one of the most comprehensive computer-related crime laws enacted in years and, in effect, broadens several provisions of the Patriot Act. First, the CSEA amends 18 USC §1030(c) to allow for increased criminal penalties when a hacker “knowingly or recklessly causes or attempts to cause” death or serious bodily injury through a cyber attack. §225(c). Second, the CSEA expands the ISP emergency disclosure provisions created in the Patriot Act. As discussed above, the Patriot Act created a narrow exception to the general rule that investigators obtain a warrant before obtaining the contents of communications from an ISP.14 The CSEA, however, broadens that exception. The CSEA alters 18 USC §2702(b)(8) to allow ISPs to disclose such information “to a federal, state, or local governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure of the information without delay of communications relating to the emergency.” §225(d). These changes are significant on a number of fronts. First, the Act provides for disclosures to a “governmental entity” and does not restrict them to only law enforcement as did the Patriot Act. Second, imminent danger is no longer required; any danger of death or serious physical injury is sufficient. Finally, the CSEA lowers the burden on ISPs considering disclosing communications content; they no longer must have a “reasonable belief,” but merely a “good faith” belief. In addition, the CSEA expands the definition of emergency situations in which law enforcement investigators may use pen registers and trap and trace devices without prior court approval. Previously, in emergencies government authorities could install pen register or trap and trace devices for forty-eight hours while court authorization is sought. The CSEA expands the list of situations during which such emergency measures could be used by adding (1) immediate threats to national security interests and (2) ongoing attacks on protected computers. See id. §225(i); 18 USC §3125(a)(1)(C), (D). Finally, the CSEA provides for increased penalties for individuals who access a stored communication without authorization. §225(j)(2). The previous penalty structure treated as misdemeanors such privacy invasions as an employee who acted without authority to read an e-mail that had not yet been opened by its recipient and was stored on a company server. Violators faced a maximum of six months, or one year imprisonment if the unauthorized access was used for financial gain. The CSEA amends 18 USC §2701(b) to raise the maximum criminal penalties to one year imprisonment, or to five years for violators with intent to cause damage or to benefit financially, with heightened penalties for repeat offenders. The penalties established by the CSEA function in addition to the penalties created by the Federal Wiretap Act and the Computer Fraud and Abuse Act.

INTERNET CONTENT—CHILD PORNOGRAPHY Congress has enacted a variety of criminal laws relating to the production and distribution of online pornography, so as to restrict minors’ access to such content.15 Civil liberties groups have raised successive challenges to these statutes, leaving Congress’s success on this front somewhat mixed. In 1997, the Supreme Court invalidated, in part, Congress’s first attempt to protect minors from exposure to pornographic materials on the Internet. In Reno v. American Civil Liberties Union, 1 ILR (P&F) 1, 521 US 844 (1997), the Court held that two sections of the Communications Decency Act of 1996 (“CDA”) violated the First Amendment. The CDA attempted to protect minors from harmful material on the Internet, in part, by criminalizing the “knowing” transmission of “obscene or indecent” material to a recipient under the age of 18 (47 USC §223(a)(1)(B)(ii)) and by prohibiting the sending or display to a person under 18 of “patently offensive” sexual or

14 ISPs are permitted to share this information with law enforcement agencies if the “provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.” 18 USC §2702(c)(4). 15 The federal prohibition on pornographic images of children is contained in 18 USC §2256(8)(A). While, generally, pornography can only be banned if it is obscene, pornography depicting children may be proscribed even when it is not obscene because of the State’s interest in the protection of children. See New York v. Ferber, 458 US 747, 758-59 (1982) (upholding a prohibition on the distribution of child pornography, as well as its production, because those acts are “intrinsically related” to the sexual abuse of children).

© 2004, Pike & Fischer, Inc. 7 PIKE & FISCHER INTERNET LAW & REGULATION excretory acts (47 USC §223(d)). The Reno court invalidated the section of the CDA dealing with “patently offensive displays” (§223(d)) and the “indecent transmission” portion of §223(a), but otherwise left intact the Act’s prohibitions of obscene materials. See Reno, 521 US at 864-85. After the Supreme Court struck down those sections of the CDA, Congress again attempted to address the exposure of minors to indecent materials on the Internet by enacting the Child Online Protection Act (“COPA”) in 1998. Pub. L. No. 105-277. That law would penalize web site operators that allow children to view pornography— even if those materials are legal and protected under the First Amendment. See 47 USC §231. COPA violators could face fines of up to $50,000 per violation (with each day potentially constituting an additional violation) and up to six months in prison. See id. §231(a)(1). The COPA, intended to avoid the constitutional pitfalls encountered by the CDA, differs from the previous law in three main ways. It applies only to material displayed on the Internet, covers only commercial communications, and restricts only “material that is harmful to minors.” 47 USC §231(a)(1). COPA, in determining what materials are “harmful to minors,” requires the application of “contemporary community standards.”16 47 USC §231(e)(6)(A). Almost immediately after its passage in October 1998, however, a challenge to the statute resulted in an injunction preventing any enforcement of COPA.17 The challenge was appealed to the Third Circuit, which affirmed the preliminary injunction imposed by the District Court, but on different grounds—that COPA’s use of the “contemporary community standards” test for identifying “harmful” material rendered the statute substantially overbroad.18 In May 2002, the U.S. Supreme Court held that COPA’s reliance on “contemporary community standards” did not, by itself, render the statute overbroad. See Ashcroft v. ACLU, 10 ILR (P&F) 536, 535 US 564, 584-86 (2002). The court did, however, reverse the Third Circuit on only this very narrow ground and remanded the case, while leaving the preliminary injunction still in place.19 On remand, the Third Circuit affirmed the injunction, finding that the ACLU had established a substantial likelihood of establishing that COPA did not satisfy strict scrutiny analysis under the First Amendment and that the statute was overbroad. ACLU v. Ashcroft, 13 ILR (P&F) 183, 322 F3d 240, 251, 266 (3d Cir 2003) (“Ashcroft II”). Specifically, the court first found that, due to the nature of the Internet, where speakers or exhibitors cannot limit their speech or exhibits geographically, “the statute effectively limits the range of permissible material under the statute to that which is deemed acceptable only by the most puritanical communities. This limitation by definition burdens speech otherwise protected under the First Amendment for adults as well as for minors living in more tolerant settings.” Id. at 252. Further, the court noted that COPA fails to consider the context in which the allegedly violative material is found. See id. at 252-53. The court also found that COPA’s affirmative defenses unnecessarily burden adult access to constitutionally protected expression and that blocking and filtering technology provide a less-restrictive method of protecting minors from harmful material. See id. at 257-65. The court relied on many of these same reasons in declaring COPA overbroad. See id. at 266. In February 2001, the Department of Justice had filed a petition for certiorari [8 ILR (P&F) 2016] asking the U.S. Supreme Court to reverse the decision of the Third Circuit. On June 29, 2004, the U.S. Supreme Court upheld the injunction against enforcement of COPA. Ashcroft v. ACLU, 16 ILR (P&F) 1, 72 USLW 4649 (US June 29, 2004) (No. 03-218). Accordingly, the Court found that implementation of the law potentially chills the exercise of speech and that the government failed to establish at this preliminary stage of the case that there were no less restrictive alternatives to COPA. The Court sent the case back to the district court for trial to give the government a chance to prove that the law does not impermissibly restrict protected speech. The majority reasoned that there may have been technological advances in the five years since a federal judge blocked the law that would allow adults to view and purchase material that is legal for them while preventing children from accessing such material. Id. The Child Pornography Prevention Act of 1996 (CPPA), Pub. L. No. 104-208, went a step beyond the CDA and expanded the federal prohibition on child pornography to “virtual child pornography.” See 18 USC §2256(8)(B) (prohibiting any material that “is, or appears to be, of a minor engaging in sexually explicit conduct.”) (emphasis added); see also 18 USC §2256(8)(D) (prohibiting the production or distribution of such materials). In 2002, the

16 This test is drawn from the U.S. Supreme Court case Miller v. California, 413 US 15 (1973), which set forth the three- part test for assessing whether material is obscene and therefore unprotected by the First Amendment. See id. at 24. 17 See American Civil Liberties Union (ACLU) v. Reno, 1 ILR (P&F) 272, 31 F Supp 2d 473, 499 (ED Pa 1999) (imposing injunction because the statute was unlikely to survive strict scrutiny). 18 See ACLU v. Reno, 5 ILR (P&F) 454, 217 F3d 162, 173-80 (3d Cir 2000). 19 Justice Thomas noted that the Court did not “express any view as to whether COPA suffers from substantial overbreadth for other reasons, whether the statute is unconstitutionally vague, or whether the District Court correctly concluded that the statute likely will not survive strict scrutiny analysis . . .” See Ashcroft, 535 US at 585.

Supreme Court held that the CPPA was overbroad and unconstitutional. See Ashcroft v. Free Speech Coalition (FSC), 10 ILR (P&F) 265, 122 S Ct 1389 (2002). The court found two fatal flaws in the CPPA. First, §2256(8)(B) was found to be overbroad because it extended to images that were not obscene and because the speech prohibited by the CPPA lacked the proximate link to sexual abuse of children found in actual—as opposed to virtual—child pornography. See FSC, 122 S Ct at 1398-1402.20 Second, the promotion and distribution portion of the CPPA, §2256(8)(D), was also substantially overbroad because the determination of whether the material was prohibited turned on “how the speech is presented, not on what is depicted.” See FSC, 122 S Ct at 1405-06.21 While the above statutes, designed to protect minors from viewing pornographic images or attempt to limit the creation of “virtual” child pornography, have met with considerable difficulty, statutes aimed at limiting the use of the Internet to traffic in actual child pornography have been more successful. One such statute is the Protection of Children Against Sexual Exploitation Act. See 18 USC §2252(a); see also United States v. Bender, 2002 ILRWeb (P&F) 1475, 290 F3d 1279, 1287 (2002) (affirming upward departure from sentencing guidelines for conviction under §2252(a)), cert. denied, 123 S Ct 571 (2002). This Act prohibits the knowing transportation (by any method, including the Internet) in interstate commerce of “any visual depiction . . . of a minor engaging in sexually explicit conduct” or receiving such a depiction with knowledge that it has been so transported. Id. Violators face fines and prison terms of up to 40 years. See §2252(b).

SPAM Spam is generally considered to be unsolicited commercial e-mail.22 Spam messages are typically transmitted in bulk to large lists of e-mail addresses. In recent years, the burden on e-mail users of receiving unwanted spam has led to popular pressure for a legislative remedy. In response to this outcry, Congress passed in December 2003 the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”). 15 USC §§ 7701 et seq. Under CAN-SPAM, unsolicited commercial messages may not contain a false or misleading subject line or header information. In addition, such messages must include a valid notice that the message is an advertisement or solicitation, an opt-out notice, and a valid postal address of the sender. 15 USC §7704(a). Enforcement of CAN- SPAM is largely overseen by the Federal Trade Commission (“FTC”), state attorneys general, and ISPs. 15 USC §§ 7705, 7706. However, CAN-SPAM gives the Department of Justice the authority to enforce its criminal sanctions. Under the law, each violation of CAN-SPAM’s provisions is subject to fines of up to $11,000. Additional fines and criminal sanctions may be imposed upon commercial e-mailers for “harvesting” e-mail addresses from web sites or web services or relaying e-mails through a computer or network without authorization. CAN-SPAM provides the FTC with general authority to issue regulations to implement the Act’s requirements, and also directs the FTC to initiate further proceedings to employ some of its provisions. For instance, CAN-SPAM directed the FTC to adopt a rule requiring a mark or notice to be included in spam that contains sexually oriented material within 120 days after passage of the Act. 16 CFR Part 316. After a period of public comment, the FTC adopted a rule that as of May 19, 2004, senders of spam messages that contain sexually oriented material must include the warning “SEXUALLY-EXPLICIT:” in the subject line, or face fines.23 In addition, CAN-SPAM directed the FTC to report to Congress within six months on possible implementation of a National Do Not Email registry. 15 USC §§ 7708, 7712. The FTC reported to Congress on June 15, 2004, that a national registry would not reduce the amount of spam consumers receive and could not be enforced effectively.24

20 The court determined that the CPPA was inconsistent with Miller v. California, 413 US 15 (1973), because the materials criminalized by the CPPA need not appeal to prurient interests. See FSC, 122 US at 1399-1400. The CPPA was also not supported by the Ferber case because it, unlike the material in Ferber, “prohibits speech that records no crime and creates no victims in its production.” Id. at 1402. 21 Section 2256(8)(D) prohibited depictions of sexually explicit activities that were “advertised, promoted, presented, described, or distributed in such a manner that conveys the impression that the material is or contains a visual depiction of a minor engaging in sexually explicit conduct.” 22 See FEDERAL TRADE COMMISSION, “What’s in Your In-Box?,” (Apr. 2002), available at http://www.ftc.gov/bcp/conline/- pubs/alerts/inbxalrt.htm (last visited July 12, 2004). 23 See FEDERAL TRADE COMMISSION, “FTC Adopts Rule That Requires Notice That Spam Contains Sexually-Explicit Material,” (Apr. 13, 2004), available at http://www.ftc.gov/opa/2004/04/adultlabel.htm (last visited July 12, 2004). 24 See FEDERAL TRADE COMMISSION, “New System to Verify Origins of E-Mail Must Emerge Before ‘Do Not Spam’ List Can Be Implemented, FTC Tells Congress,” (June 15, 2004), available at http://www.ftc.gov/opa/2004/06/canspam2.htm (last visited July 12, 2004).

The FTC also reported that efforts to fight spam should focus on creating e-mail authentication systems that would prevent spammers from evading anti-spam filters and detection by law enforcement officials. CAN-SPAM has received some criticism from state lawmakers because, although some states had enacted prohibitions against spam, CAN-SPAM preempts most of those state laws. 15 USC §7707. Most notably, legislation was approved in California in September 2003 to implement an opt-in rule for e-mail advertising, but the prohibition was preempted by CAN-SPAM.25

INTERNATIONAL COLLABORATION On November 8, 2001, the Council of Europe adopted the Convention on Cybercrime, and, later that same month, several States, including the United States, signed the Convention. The Convention was formally opened for signatures on November 23, 2001, in Budapest, Hungary. To date, 38 countries have signed the Convention, including the United States, Japan, Germany, and Great Britain. The Convention will enter into force on July 1, 2004, after being ratified by six States: Albania, Croatia, Estonia, Hungary, Lithuania, and Romania. The Convention has not been ratified by the U.S. President George W. Bush submitted the Convention to the U.S. Senate for deliberation on whether to render its advice and consent for ratification. The Senate Committee on Foreign Relations held an initial hearing to consider the Convention on June 17, 2004. The Convention on Cybercrime is the first of its kind, and seeks to improve the ability of States to fight computer crime by establishing a “common criminal policy aimed at the protection of society against cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation.” Convention on Cybercrime, Preamble. This agreement recognizes the truly international nature of the Internet, and the concomitant problems of regulation and attendant enforcement that an interconnected world presents.26 The Convention has three principal goals: (1) harmonizing the substantive criminal law elements of computer- related offenses internationally, (2) providing for domestic criminal procedural powers needed for the investigation and prosecution of such offenses, and (3) establishing a speedy and effective regime of international cooperation. See Explanatory Report to the Convention on Cybercrime (ETS No. 185) ¶16 (adopted November 8, 2001). From a substantive perspective, the Convention defines a variety of acts in an effort to establish those acts as uniform criminal offenses under each signatory’s domestic law.27 It requires the criminalization of such activities as hacking (including the production, sale, or distribution of hacking tools) and offenses relating to child pornography, and it expands criminal liability for intellectual property violations. See Convention, Ch. II, §1. The Convention includes provisions requiring that signatories develop domestic procedures for the expedited preservation of stored computer data, the expedited preservation and partial disclosure of traffic (communications) data, systems search and seizure, and real-time data interception. For example, law enforcement authorities must be granted the power to compel an ISP to monitor a person’s activities online in real time. See id. Finally, the Convention attempts to improve international cooperation relating to cybercrime by considering such crimes as extraditable offenses, by permitting one nation’s legal authorities to access computer-based data for another country, and by calling for a round-the- clock international investigative contact network. See id. Ch. III.

CONCLUSION The confluence of technological growth and national security concerns has led to significant changes in the realm of criminal law and the Internet. While technology has improved the standard of living and made innumerable other contributions in the United States, it has also aided criminals and terrorists. The government has attempted to respond to these new dangers through a variety of new laws. Predictably, these laws affect the

25 See Grant Gross, State Spam Laws and the New CAN-SPAM, (Feb. 27, 2004), available at http://reviews.infoworld.- com/article/04/02/27/09FEspamstates_1.html?security (last visited July 12, 2004). 26 Critics note, however, that a truly effective regulatory and enforcement system requires significantly more State signatories to the Convention. This problem is well illustrated by the “I Love You” virus (which caused millions of dollars of damage worldwide in 2000), whose Filipino author has not been prosecuted due to a lack of applicable laws. See Archick, Cybercrime: The Council of Europe Convention at 3 (Apr. 26, 2002), available at http://www.fas.org/irp/crs/RS21208.pdf (last visited July 12, 2004). 27 Defined offenses include: illegal access, illegal interception, system interference, misuse of devices, computer-related forgery, computer-related fraud, offenses related to child pornography, and offenses related to infringements of copyright and related rights. See Convention, Ch. II, §1 arts. 2-10.

Internet. The growth of that medium and the ever-evolving technology associated with it ensure that lawmakers will continue to face new challenges regarding criminal law and the Internet. ______