 I'm also here with my colleague, Bill Riley. He's also with Dwayne Morrison-Hexer. He has a sophisticated technology and computer background. He founded the first online secure website in Denmark in a prior life and here we go. By the way, if you want to have any further detailed information on us or some of our work, we recently published a law review article on cyber crime legal issues. You can find that at my website, synradlaw.com. That's S-I-N-R-O-D-L-A-W.com. The article is there along with the weekly cyber law column that I write as well as other information. Today we're going to provide you with an overview of the Computer Fraud and Abuse Act. That is the primary statute in this country that deals with computer criminal issues. We've also brought along 200 handouts, which obviously are not enough. The blue handouts that give you the most relevant portions of the statute. By the way, you can find out more information about the statute at the website I gave you a moment ago. This statute was enacted in 1986. Computer crime was perceived as a growing issue in the mid-1980s and Congress essentially had a choice. Congress either could have attempted to update traditional criminal laws such as burglary while engrafting onto them computer crime provisions or it could write an entirely new statute, which it decided to do, as I mentioned in 1986. This turned out to be a wise choice at least in the view of Congress and lawyers because the statute flexibly can be amended over time and frankly has been amended several times since 1986, for example, related to issues of criminal intent and the like. The statute was most recently amended in 1996 and there are some further proposed amendments currently pending in Congress that Bill will be speaking with you about shortly. There are seven major features of the statute in terms of creating potential criminal liability and I'll go through these in a little more detail in a moment, but let me just tick them off for you. These are also contained in the handouts, which some of you have. The first potential item of criminal activity has to do with espionage. The next is improperly obtaining information. Next is improper access to government computers. That's a biggie. Next has to do with fraud. The next one is transmission of a program, information, code, or a command which causes damage and we'll be talking about the definition of damage because that's important as to whether or not you've actually committed a crime. When I say you, I use that term loosely and generically. I'm not looking at anybody in particular out here. And then we also have extortion. The statute also creates potential civil liability. If someone is guilty of a statutory violation, they also can be sued for that conduct in court and they can be hit with economic damages and requests for injunctive relief. As a side note, at times it is perceived that some perpetrators of cyber crime don't have deep pockets. They don't have financial resources. So what do victims do in terms of getting recompense? For example, in the context of distributed denial of service attacks, some of the attacks were perpetrated through zombie sites and now that there's been quite a bit of publicity regarding the massive DDoS attacks in February, an argument could be made against a zombie site for not having taken reasonable protective measures to protect its systems. And at the instant an attack travels through a zombie site, that zombie site might be on the receiving end of a civil lawsuit under the theory of negligence. I also want to mention that there are now being written special internet related insurance policies. Traditional insurance policies generally cover losses to tangible physical property. That's not normally the case when you have losses of data in cyberspace and these new policies are being written to cover cyber crimes and other issues on the internet. Interestingly, a federal judge in Arizona recently held that pure data loss can be covered under traditional insurance policies because the Computer Fraud and Abuse Act, which I'm talking about today, equates data loss with damage to property. And that was an interesting decision because it was an insurance case that followed a criminal statute as opposed to insurance coverage precedent. It's not entirely clear yet how or whether Congress wanted the statute to apply to commercial enterprises. And I'll just point out one quick example. Real Jukebox was just sued in a class action lawsuit. The allegation is that the Real Jukebox software, which plays music on a computer, snooped on the plaintiffs once they installed the software on their computers. The allegation is that each time someone ran the Real Jukebox software program, information allegedly was sent surreptitiously to Real Network's computers. Such information allegedly included, one, the type of computer format the music is stored in, two, the quality level of the recordings, three, the class member's musical preferences, and four, the type of portable music player, if any, the class member has connected to the computer. The plaintiffs are claiming that Real Network's violated a certain section of the statute, and I'll be going through this in a moment, by taking information from their computers that exceeded Real Network's proper authorization. We will see how this one plays out, pardon the pun. So let's get down to the real need of the statute. And you can see this in the handout, but the first provision is section A1 having to do with espionage. And this part of the statute is triggered if someone knowingly accesses a computer and obtains information that the United States government has deemed highly sensitive, such as information relating to national defense and foreign relation issues, and then willfully communicates that information to somebody else who does not have authorization to have that information, who will willfully fails to give the information back to the federal government upon request. What's the penalty? Up to 10 years in prison for a first defense and up to 20 years if it's a repeat offense. So Congress obviously takes this one fairly seriously. The next problem that I mentioned has to do with wrongfully obtaining information, and this is subsection A2 of the statute. This part of the statute is triggered if someone intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information. It's fairly open. The penalty for this is up to one year in prison and up to 10 years for repeat offender. If this was done for purposes of commercial advantage or private financial gain, the first defense can be up to five years in prison as opposed to one year. Section A3 deals with accessing a government computer. Here the statute is triggered if someone intentionally without authorization simply accesses the United States computer. There's no further requirement. You don't have to obtain information or do anything with it. You simply gain access to a government computer. So this one is triggered like a hair trigger. And the first defense can be up to one year in prison and a repeat offense can be up to 10 years in prison. Next is subsection A4 under the statute. This has to do with fraud. And this part of the statute is triggered if someone with intent to defraud accesses a protected computer and furthers the intended fraud by obtaining anything of value unless, and this part is carved out of the statute, this activity consists only of the use of the computer, only of the use of the computer and the value of such use is not more than $5,000 in a one year period. So minor activity if you will is not part of the triggering aspect of this part of the statute. Next is subsection A5 and I know I'm going through a laundry list here. I'm almost done. Thank you for bearing with me. It has to do with hacking, viruses and denial of service. And this part of the statute is triggered by someone knowingly causing the transmission of a program, information, code or a command which intentionally causes damage to a protected computer. This can land you in jail for five years on a first offense or 10 years if it's a repeat offense. Moving down a level, this part of the statute creates a penalty for doing the same thing but recklessly causing damage as opposed to intentionally causing damage. Same penalty however, five years or 10 years for a repeat offense. And then finally, the same type of conduct whether it's intentional or reckless or not, if you just happen to do it with no intent whatsoever and you do cause damage, you still can find yourself in jail up to one year for a first offense and again 10 years for a repeat offense. Section A6 of the statute is triggered when someone knowingly and with the intent to defraud, traffics in passwords. This can create a prison term of one year for a first offense and 10 years for a repeat offense. And then last but not least is part of the statute dealing with extortion and if someone with the intent to extort anything of value communicates any sort of message which contains a threat to cause damage to a protected computer, you're in the hot seat, five years for a first offense, 10 years for a repeat offense. Now the provision dealing with hacking, viruses, denial of service and extortion keys off on the word damage and I mentioned that a moment ago. Damage is defined in the statute as $5,000 in losses in a given year or harm to the provision of medical care, creating physical injury or threatening public health or safety. So if you're not dealing with medical care, physical injury or health or safety, you're not causing statutory damage if the harm you cause, again, generically you, is less than $5,000. So the quantification of a loss is quite important under the statute. And as Bill will discuss later on, there are some proposed amendments to touch on that particular issue. All right, so where do we go from here in this discussion? You've heard all the legal gobbledygook from the statute. We thought we'd try to bring it on home with some hypothetical examples. We're first going to discuss three different types of hacks that could trigger different parts of the statute. The first one is a basic root-level hack. And by the way, I'll do a little footnote right now. I don't purport to be a technical expert like many of you are here. I'm a lawyer, but I'll do the best I can. Bill has some of more expertise than I do on the technical matters. But again, he'd certainly say something that's not absolutely perfect as a matter of technology. Please forgive us. We were trained elsewhere. The first one is a basic root-level hack. Here, the perpetrator plants a sniffer, browses private files, erases log tracks, places a back door, and gives passwords to friends. So we're setting up a few hurdles here, and we'll see how they trigger the statute. The second hack we're going to look at, you have someone creating a web page that contains code that can exploit, for example, vulnerabilities in ActiveX. And then the third hack we're going to look at deals with someone who is authorized, but it cedes his authorization, penetrates a system, encrypts some files, and then tries to extort money from corporate management for the decrypting key. Then, if time permits, we're going to look at criminal liability for distributed denial of service attacks and the launch of malicious worms. Finally, we're going to touch on the legislative proposals to amend the statute, and we're going to talk about what's happening legally in the rest of the world on the cyber crime front. Without further ado, I'm now going to turn it over to Bill, and he's going to spin the first factual hypothetical for you. Thank you. I'm going to set up the basic techniques that Bob is our hypothetical perpetrator, for lack of a better word. He uses to get himself into all kinds of trouble. And I'm not going to go into the real details of exploits you guys are going to hear enough about that about the other breakout sessions throughout the weekend, but I want to walk you quickly through the various things that trigger the different areas of this dynamic statute, because it really is. It's actually very broad and encompassing, and it's actually getting much more of that way of the past, the intended legislation that's going on in Washington. Some of the things that he's doing in this way, it's maybe not the most realistic way, but I just want to be able just for illustration purposes to be able to show you what different parts of the statute are triggered. So also in my part, you don't have to take notes, because Eric's going to cover the exact same points the way that I do it. So the first one, as Eric mentioned, is the traditional hack, which is a remote penetration of a third party's computer. And so in this hack, what Bob he's going to exploit an old send mail 883 bug, and so he's going to sign on for a trial shell account at an ISP and with the shell access, he's going to tell them that into the shell account and enter a series of commands to exploit the send mail program. He's going to create a link to the ETC slash password directory, and he's going to get hopefully for Bob a password free account. And once he has root access, his next objective is to download any passwords that might be located on the system, and then of course the next thing he's going to do is he's going to plant a sniffer, and he's going to plant a sniffer to listen to all the TCP IP network traffic. And so in this scenario, Bob's going to get about 5,000 web accesses, and within that he's going to control he's going to be able to get some UU encoded passwords. And then so once he's on root access, he decides to take a tour through the server, and he starts looking to see if anyone on the server might have been done enough to be able to leave credit card information, for example, like in a CGI M directory. And he's also looking around for hidden files and hidden directories. Then of course he's going to want to leave a digital footprint all over the server, so he's going to locate the real log file and carefully erase his tracks. And of course he doesn't want all of his hardware to go away, so he's going to plant a backdoor on the system. And then finally, Bob passwords is going to decrypt him, and he's going to email them to several of his friends and have free of charge. So Eric's going to explain about the trouble that Bob just got himself into. The trouble with Bob. Okay. Let's talk about Bob and what he's done. Has Bob been a bad boy? We'll find out. All right. If the computer that Bob accessed is private or a protected computer which essentially in the statute is defined as any computer that is used in interstate or foreign commerce, basically any computer hooked up to the internet, then Bob could have some criminal liability. If he gained the information for commercial advantage, or if the information is part of a larger criminal act, or if the value of the information exceeded $5,000, then good old Bob could be liable for a felony in up to five years in the slammer. Otherwise Bob still might face some misdemeanor liability. If we're dealing with Bob and a governmental computer, he certainly is likely, certainly likely, he certainly was liable for a misdemeanor at least, even if he does not obtain any information. I went over that a little bit earlier. If Bob obtained the information from a computer that was operated by a financial institution, then he also is most likely criminal liable for a misdemeanor. There are special protections put into the statute for financial institutions. Can everybody hear me okay? All right. Now let's talk about Bob and planting a sniffer. This probably is a serious violation of section A5A if the damage caused is over $5,000. The damage can be calculated in a number of ways. It could include the amount of engineering time needed to deal with the situation down time and harm to the sniffer, excuse me, to the system. Not to the sniffer. Finally, at a minimum, it is a misdemeanor to plant a sniffer because the information was obtained without authorization. Now let's talk about Bob's browsing at private files. Again, if we're dealing with a government computer and sensitive information, there are some harsh penalties in place. Congress did not take lightly the issue of tampering with government secrets. And if this is the case, old Bob could have a prison term of up to ten years if with knowledge he transmitted a governmental secret information to others or refused to give back the information upon demand. If the information is not sensitive, but Bob nevertheless went ahead and browsed files, he's likely committed a misdemeanor unless the information exceeds $5,000 or he did this for commercial gain. Then he's in the realm of felonies, excuse me. This is all in the governmental computer context. In terms of a private computer, Bob is going to find himself criminally liable if his activity is furthered and intended fraud or if he obtained anything of value. Now it's sometimes worthwhile to look at some of the cases that have interpreted the statute to see how the statutes were playing out in real life. One case I point to is called United States versus Zubinski. It's C-Z-U-B-I-N-S-K-Y. And this case deals with what constitutes anything of value under the fraud section of the statute, section A4. In that particular case, Zubinski worked for an IRS office. He then conducted numerous unauthorized searches of IRS files in a spare time. The court held, not surprisingly, that this exceeded the scope of his authorized access. However, the court concluded that Zubinski did not obtain anything of value because he merely viewed the information and he did nothing with it. Therefore, in this particular case, his felony conviction was reversed and this was one client that was happy with his attorney. It does happen once in a while. Another case I want to point to is AOL versus LCGM. Now remember under section G of the statute private civil lawsuits can be filed against people alleged to have violated the Computer Fraud and Abuse Act. In this particular case, AOL used section A2C of the statute having to do with improper access and gaining of information against LCGM. LCGM was alleged to have sent unsolicited bulk email, otherwise known affectionately as spam, to AOL subscribers. LCGM admitted to maintaining an AOL membership and using the membership to harvest AOL email messages. As such, LCGM violated the Terms of Service and exceeded the scope of its authorization. The court held that LCGM did violate the statute by obtaining information from AOL's protected computer system. AOL did not get damages in that case, but did receive injunctive relief preventing this type of practice from going forward in the future. Okay, now getting back to Bill's hypothetical what about erasing log tracks and placing a backdoor? If the erasing of the log tracks and placing the backdoor was part of a fraudulent scheme, then Bob probably is looking at a felony and time in prison. When Bob erased the server access logs, he's damaged the system, and if then the question comes down to whether the damage caused was over $5,000. And we talked about that monetary threshold before. One more case here, which I think you might find interesting is US versus Sablon, S-A-B-L-A-N. This is a mid-1990s case, which explored issues of intent under the statute. Sablon worked for a bank in Guam and had been recently dismissed from her employment. After a night on the town, she left the bar, entered the bank through an unlocked door and using her old password, she entered onto the system and destroyed some files. She argued that she didn't intend to cause any damage to the files and therefore did not meet the intent element of section A5. How many people here think that she succeeded with this argument? Well, let's see what happened. The court held that intent refers to intent to access, not intent to damage and therefore she was off the hook. This part of the statute has since been amended and it does require intent to cause damage to the files and the like. Now, what about giving passwords to friends? Here Bob will be liable if the court finds that he knowingly and with intent to defraud traffic than passwords. The term traffic simply means that Bob or anyone else has passed on passwords to somebody else. Alright, now let's turn to the next hypothetical and I turn it over to Bill. Okay, this is a this has never been litigated before and the government hasn't brought any actions against it so it's purely hypothetical but in this scenario we're going to look at the criminal liability for posting an exploitive web page that can allow the web page author to execute local files on the visitor's computer and it's a really unique look at the flexibility of 10 and 30 because what happens if you post a website and with the malicious code and somebody goes to you, it's kind of like a reverse hack so what's the liability? It's because the hacker doesn't specifically target his victim and nor does he directly penetrate the victim's computer but rather the victim visits the web page himself and downloads the file if several conditions are met then it can potentially violate the integrity of the victim's computer. So the way this one works is the hacker constructs a malicious help file and places it in the location that's accessible by the victim which causes the help file to be loaded and then embedded shortcuts, executed without interaction from the victim, the guy who visited the website. So the hacker causes the compiled HTML help file to be opened through the active scripting show help column in the Internet Explorer and so by using the show help active scripting column conjunction with the shortcuts that are embedded in the malicious help file, Bob here is able to execute all the programs and activate controls of this choice. So, what's the liability here? There's a sage wallower in the office and the audience right now could you please come up for an important message? Thanks. You heard about the terrorists that hijacked a plane full of lawyers and they were sitting on the tarmac and terrorists said, if you don't meet my demand for $5 million, I'm going to start releasing the attorneys. I'll break things up a little bit. All right, we're back to Bob. Bob, in terms of the scenario that Bill just painted, Bob may be liable for the mere, well, Bob tripping over my own tongue here, Bob may not be liable simply for the mere passive posting of a malicious website because what if nobody visits the site? The statute primarily concerns itself with the unauthorized acquisition of information damaged computer systems or fraudulent activity where something of value has been obtained. A passive website does none of these things. But what if the site is no longer passive and it's visited and a file is secretly placed on a victim's computer access of a government computer as we've seen is enough to trigger the statute. So, if someone in the government goes to the website and then something secretly placed on a government computer, Bob's got trouble. If we're dealing with a non-governmental computer, there is still potential criminal liability and even tort liability. There's what's called the trust pass to Chattel's civil theory which basically is a common form of a trust pass where this guy right here takes my notebook and I've got valuable information there. That's a trust pass. The theory of trust pass is now becoming part of cyber law. How many people here are familiar with the eBay versus Bitters Edge case that was recently decided in San Jose but Bitters Edge is an aggregator auction site that brings together multiple auction sites in one place so that people can simultaneously at these different sites and eBay sued Bitters Edge arguing that the way Bitters Edge crawled onto the eBay servers and extracted information that was essentially a trust pass and the court agreed that case was shooting up like a rocket on appeal. Getting back to Bob, if the malicious code affects a medically oriented computer or threatens public safety then irrespective of dollar amount of damage, Bob could find himself guilty of a felony and in prison for five years. By launching malicious code from the website as Bill's pointed out you can't necessarily reduce your risk by choosing which computers are affected. As we previously discussed the owner of a computer often affects the criminal liability whether you're dealing with the government or not for example. So there you have it. If information is obtained from a private computer as part of this practice, again Bob could place at least a misdemeanor based on the sections we previously discussed. Now let's go to the scenario where someone has authorized access but it's ceded that authorization. Okay this is one of the most common things that happens. They say 60 to 70% of all corporate intrusions are done by people who exceed their authority. Bob here now is an employee at a large consulting company and consulting company uses Mabel network. However the network security is really lax and Mabel's interior detection system has not been turned on. So what Hacker does he goes to a terminal that's in an unoccupied office and he's going to use a program called Mabel BFH and it's going to try and run a series of passwords like A, A, A, B, A, C until eventually with Bob's left he's going to be able to at least eventually get a password he can access the system. And so once he logs on in a different name then he's going to place a keystroke logger in the work station's path and collect the passwords in the logger file. And so once he has access to several different passwords then he thinks it's going to be pretty interesting to start combing through the personal emails of his coworkers. And then he thinks well I can actually make some money here so using his mobile files. And so he's going to access critical files and encrypt the directories and he wants to be able to sell the decrypting key to management for 50,000 bucks in this case. So to do this he has to get a sysadmin access and he's going to use a program called NW hack to execute a really blunt attack and of course it's not to make the changes at this point but he just wants to be able to get access. And what he's going to do is he's going to just briefly plant a back door so he can come back later. And so a few days later he's going to go back into the system and he's going to encrypt the directories and he's going to send surprise management a demand for a 50,000 dollars for the decrypting key. So Eric's going to explain to me the trouble that Bob's got himself into now. One more lawyer joke show here straight to Bob. Lawyer dies. I know you're sad. Lawyer dies. He doesn't go to heaven. What a shock. Lawyer's in that other region very warm down there and he meets Satan and says well for bad news is yes you're in hell but you have three choices. You can go into cave number one, cave number two or cave number three for eternity. Lawyer says well I don't know anything about the caves. Will you show me around? Sure, I'll give you a guided tour. Lawyer's shown the first cave and in the first cave you have a lawyer that's being drawn in quarter repeatedly indefinitely. The lens being torn apart put back together doesn't look very pleasant. Lawyer says I got to take a pass on cave number one. I don't like that action at all. Cave number two, he looks in and there's a lawyer who's being incinerated constantly over and over again being burned up. Lawyer's not too pleased with that prospect and takes a pass on cave number two and crosses his fingers and just hopes and prays that cave number three will be a little bit better. I won't go into any graphic detail here but in cave number three there's a lawyer with Monica Lewinsky and our lawyer we'll call him Bob says well cave number three looks okay and Satan please put me into cave number three and so Satan says okay fine, Monica it turns out come on in, Lawyer, take the place. Can't what you pay for. Alright we are back to Bob. Bill makes a very good point and that is insider threats to computer security really are the greatest threats. I'm not sure corporate America is fully aware of that yet. There's so much concern about outsiders hacking in but studies have shown recent studies and these are actually cited in the law review article that Bill and I wrote that most actual cyber crimes committed by insiders. Let's go back to Zubinski case with reference to Bob. If the employee is only looking at files the employee may not face liability under the section of the statute that deals with loss of something of value and remember how the court decided that particular case. However if an employee is looking at private emails this could be deemed obtaining information under one of the sub-sessions that I read to you and that could be enough to trigger criminal liability. This particular legal theory hasn't played out fully and we'll see where that goes. In terms of Bob changing passwords to critical data that appears to appear falsely within the statute that I read to you earlier and Bob could have a felony violation there in a prison term of up to five years. If Bob changes password access on a computer and they could threaten public safety or medical services then the prosecution in that particular instance would not need to meet the $5,000 damage threshold. However in this particular scenario it is likely that the $5,000 requirement is met because of the amount of ransom money that's being asked for here. There's got to be some sort of how do you say a linkage between the dollar amounts. In terms of demanding the $2,000 in exchange for the password this could be a violation very likely a violation of subsection A7 of the statute. Again that talks about acting with the intent to extort from any person any money or thing of value by threatening to cause damage to a protected computer. And now we're on to DDoS of Tax and Mr. Bill Welley. Let's do that one and skip over the worms too quickly. I'll just deal with this really quickly and I'll probably put you familiar with the distributed denial service attacks that happened in that February. But the question is what's the criminal liability then for distributed denial service. And so what Bob wants to do is he just wants to be able to say to large scale distributed denial service attack and using for example this one is Dockle Drop which I'm sure everybody is familiar with. And so in the mass intrusion phase he's going to use his tools to be able to put the root compromise numbers of computers for the daemons and then he's going to control several masters using those encrypting inclinings and so what he's going to do is he's basically going to use the daemons to launch a large number of packets flooding against the targeted victims really make this very simple and short. In terms of unhauling a typical denial service attack and planting the masters and daemons at this stage the hackers penetration has satisfied part of the elements of section A5 of the statute because he's caused the transmission of a program. But again we need to see some damage being caused under this part of the statute and that hasn't happened yet. However once the daemons launch a large number of packet flooding or other attacks against the targeted victims and the damages ensues and can be quite phenomenal and the statute is there and from no liability can follow. We're going to skip over worm launches. I know you're terribly disappointed but what can we do? We have some time constraints here. We're next going to talk about proposed changes to the statute bursting over that quickly then I will tell you what's going on in the rest of the world quickly and then we'll wrap up. What if a bob is in Iraq that's a very good question and that's going to go to comment made in a moment about the harmonization of laws internationally so if I can hold on and get to that in a moment. Thank you. I don't know if you're familiar with what's going on in Washington right now but there's two major bills that are working through the Senate and actually they're in the House Judiciary Committee right now that will dramatically change the way 1030A is being played out. The one is I don't know if you know the numbers but it's S2448 by Orrin Hatch and the other one is S2092 by John Kyle and I think one of the major changes that they're making to the code here is if you can look on this little thing here they've underneath the hacking and the virus in denial of service. What the thing is is they have the definition here that has to be intentionally causes damage in order to be able to invoke and the damage is $5,000 for the liability but damage a lot of times you know if you're just accessing information or of course you've had a difficult time trying to determine what is damage so what they're doing is actually the first part that they're changing here is a little bit strange but one is if the defendant used or attempted to use a person less than 18 years of age to commit the offense and that's a felony that's going to be very serious but also the here is what they've done is they've changed the definition from damage to loss so if the offense causes a loss it's supposed to damage and to one more people during the one year period it causes $5,000 of damage and that's the same thing but the definition for loss is really broad it says that it means that any reasonable cost to any victim which is obviously wide open including the cost of responding to the offense conducting a damage assessment and restoring the data program system or information to its condition prior to the offense and any revenue lost costs incurred or other consequential damages incurred because of the interruption of the service obviously you can see it's going to be very easy to meet the $5,000 threshold now if these bills go through and another interesting part is this is pretty controversial and only one of the two bills have this thing and this is about they're trying to liberalize the trap and trace orders the way it works right now is if the Fed went to start investigating and working upstream trying to find out who did what and within each jurisdiction they have to go to the court and they have to apply for a trap and trace order and of course if you're going through multiple jurisdictions then it really really impedes the investigation because by the time they get all the way upstream the information might be gone and it could be a delay of a week or so so what they want to do is they want to be able to have sort of like a one stop shop so the FBI or the federal investigators all they have to do is just go to one judge and you get a blanket trap and trace order to run anywhere within the jurisdiction of the US and that's a pretty big one now also what they've done is they're recommending for the damage hold of you know the $5,000 what they're recommending is that if it's $5,000 more it's a felony but if it's $5,000 unless they're still going to be able to get you with a misdemeanor so even though they have a much easier definition for the term loss it's going to be a lot easier to be able to prosecute and another thing here that under current federal law the federal authorities are not able to prosecute juveniles under any computer including well underneath $10,30 and what this would do is that the proposed bills is they would allow at the discretion of their attorney general to allow juveniles to be prosecuted for the more serious offenses and the one thing to consider with this is as Eric said that the recidivist or the repeat offenders can really can get a boost for example if it's a one year penalty if they repeat offenders it goes up to 10 years but what they're doing with juveniles is that if you commit a crime and you're 14 years old and then you commit another one of 20 that's going to be considered your juvenile crimes are going to be considered as part of the repeat sentencing and let's see oh then another one this is pretty important is they allowing allowing the pets basically to confiscate any equipment that was used in the attack so there ain't enough to get me to allow just part of the statute okay and this final part of the talk has to do with what's going on in the rest of the world and we'll get to what if Bob is in Iraq strange name Bob living in Iraq but it could happen there have been efforts to harmonize cyber crime laws internationally the G8 nations met in Paris about a month or two ago and this was to the top of their agenda creating consistent laws from one country to the next assisting one another in terms of tracking down cyber criminals trying to make it such that there aren't any digital safe havens in the world that is the goal there whether you like it or not we all saw what happened with the love bug emanating out of the Philippines and at the time the Philippines did not have any cyber laws to deal with particular crime and that caused quite a bit of attention among nations and they've now been discussing things this is posed as going to be discussed further in Okinawa as the G8 is meeting right now the Council of Europe is drafting a convention on cyber crime trying to create uniformity between European countries on this front and there should be a report on December 31st but if Bob is in Iraq and Iraq doesn't have laws that deal with activities we've discussed today possibly Bob walks and as long as he doesn't show up in this country he's not governed by the computer fraud and abuse act interestingly I just read a couple blurbs this morning worthy of note US law enforcement officials I believe yesterday told the House panel that more than 100 countries currently still do not have any cyber crime laws so these are the digital safe havens also you can hear about Carnivore and the FBI well in some ways Carnivore has just been legalized and legitimated in the United Kingdom legislation allowing the British government to track emails and to seize encrypted internet communications just past the final hurdle in parliament this week so summing up be careful out there no matter which side you're on as a lawyer again I apologize for that but I have to say that this does not constitute specific legal advice if you have any particular questions that pertain to yourself or others please do seek counsel from somebody with expertise in your particular area of concern thank you very much for having us today