BILL ANALYSIS Ó AB 195 Page 1 Date of Hearing: April 7, 2015 ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION Gatto, Chair AB 195 (Chau) - As Amended April 6, 2015 SUBJECT: Unauthorized access to computer systems SUMMARY: Prohibits the solicitation of another person to commit or assist in the commission of a variety of crimes related to the unauthorized access of computer systems. Specifically, this bill: 1)Provides that every person who intentionally solicits another to commit any of a number of specified computer crimes shall be punished by imprisonment in a county jail for a period not to exceed six months, with every subsequent violation by that same person being punished by imprisonment not to exceed one year. 2)Provides that every person who intentionally offers to solicit assistance for another to commit any of a number of specified computer crimes, which includes persons operating websites that offer to assist others in locating 'hacking services', shall be punished by imprisonment in a county jail for a period not to exceed six months, with every subsequent violation by that same person being punished by imprisonment not to exceed one year. 3)Defines "hacking services" as assistance in the unauthorized access to computers, computer systems, or data in violation of specified computer crimes. AB 195 Page 2 4)Specifies that these new offenses shall be proven by the testimony of one witness and corroborating circumstances. 5)Makes other technical or non-substantive amendments. EXISTING LAW: 1)Provides general punishments for solicitation of another to commit crimes, as specified. (Penal Code (PC) Section 653f.) 2)Punishes the following offenses by a fine not exceeding $10,000, by a sentenced felony jail term of 16 months, two years or three years, or both; or as a misdemeanor by a fine not exceeding $5,000, by imprisonment in a county jail not exceeding one year, or both: (PC 502(d)(1)) a) Any person who knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either devise or execute any scheme or artifice to defraud, deceive, or extort, or wrongfully control or obtain money, property, or data. (PC 502(c)(1)) b) Any person who knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network. (PC 502(c)(2)) c) Any person who knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network. (PC 502(c)(4)) AB 195 Page 3 d) Any person who knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network. (PC 502(c)(5)) e) Any person who knowingly and without permission disrupts or causes the disruption of government computer services or denies or causes the denial of government computer services to an authorized user of a government computer, computer system, or computer network. (PC 502(c)(10)) f) Any person who knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a public safety infrastructure computer system computer, computer system, or computer network. (PC 502(c)(11)) g) Any person who knowingly and without permission disrupts or causes the disruption of public safety infrastructure computer system computer services or denies or causes the denial of computer services to an authorized user of a public safety infrastructure computer system computer, computer system, or computer network. (PC 502(c)(12)) 1)Punishes any person who knowingly and without permission uses or causes to be used computer services, as specified. (PC 502(c)(3), (d)(2)) 2)Punishes any person who knowingly and without permission AB 195 Page 4 provides or assists in providing a means of accessing a computer, computer system, or computer network, as specified. (PC 502(c)(6), (d)(3)) 3)Punishes any person who knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network, as specified. (PC 502(c)(7), (d)(3)) 4)Punishes any person who knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or public safety infrastructure computer, computer system, or computer network, as specified (PC 502(c)(11), (d)(3)) 5)Punishes any person who knowingly introduces any computer contaminant into any computer, computer system, or computer network, as specified. (PC 502(c)(8), (d)(4)) 6)Punishes any person who knowingly introduces any computer contaminant into any public safety infrastructure computer system computer, computer system, or computer network, as specified. (PC 502(c)(14), (d)(4)) 7)Punishes any person who knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damages or causes damage to a computer, computer data, computer system, or computer network, as specified. (PC 502 (c)(9), (d)(5)) FISCAL EFFECT: Unknown AB 195 Page 5 COMMENTS: 1)Purpose of this bill . This bill is intended to explicitly prohibit the solicitation of another to commit a variety of computer-related crimes. The impetus for this measure stems from the growth in 'hackers-for-hire' websites where individuals can pay to have hackers gain unauthorized access to computer systems. This measure is author-sponsored. 2)Author's statement . According to the author, "In recent years, we have seen the growth of so called Hacker-for-Hire websites where individuals solicit hackers to perform certain projects. These websites work in different ways. Some work by requiring the person to submit a description of the hacking job along with contact information. The website then sets up a time to connect the person with a hacker over the phone or video-conferencing to complete the process. Other websites work by creating a platform that allows customers to register and post projects on the website for different hackers to bid on. The websites then hold the money in an escrow account until both parties agree that the transaction has been completed. The website then takes a commission from each transaction and releases the money." "Hacker-for-Hire projects range from recovering lost passwords to tracking stolen devices. But some of these websites also provide a platform for individuals seeking illegal hacking services from less than ethical hackers, such as installing spyware on devices and gaining access to the email and social media accounts of unsuspecting victims. AB 195 protects individual privacy by cracking down on websites that assist in the solicitation of a hacker to illegally access a computer network..." 3)Cybercrime and hacking-for-hire. It is without question that cybercrime (Internet-related criminal activity) has become a major issue for consumers and law enforcement. The Federal AB 195 Page 6 Bureau of Investigation's Internet Crime Complaint Center received over 262,000 complaints in 2013, crimes reflecting an adjusted dollar loss of more than $781 million - losses that were 49% higher than those tallied in 2012 ($581 million). Cybercrime can lead to a wide variety of problems for consumers and businesses, including damage or destruction of property, identity theft, theft of intellectual property, breach notices, bad publicity, and a loss of personal privacy. On January 15, 2015, the New York Times published an article entitled "Need Some Espionage Done? Hackers Are for Hire Online" that discusses the growing online market for the services of skilled computer programmers, or 'hackers'. For example, the article examines a website called Hacker's List that aims to match hackers with people who need a wide variety of difficult, and sometimes illegal, tasks performed - such as gaining access to email accounts, tracking stolen devices, taking down unflattering photos, installing spyware on another's device, or gaining access to a company database. For example, Hacker's List had an entry from a man in Sweden willing to pay $2000 for someone to break into his landlord's website, and a woman in California offered to pay $500 for someone to hack her boyfriend's email and social media accounts to determine if he was cheating on her. According to the article, in less than three months of operation, over 500 hacking jobs have been put out to bid on the site. Other websites operate in a similar fashion, allowing people to post projects and coordinate with hackers, with payment being held in escrow until the job is completed. The author points out that under current law it is already a crime to solicit another to commit certain crimes, such as bribery, kidnapping, and robbery, among others. And it is already a crime for someone to knowingly hack into another's computer network without permission. However, as the statute has not kept pace with technology, it is not explicitly a crime to solicit someone to knowingly and without permission hack into a computer network. In response, AB 195 would explicitly make it a crime to intentionally solicit someone to knowingly and without permission commit any of 14 enumerated computer crimes. This AB 195 Page 7 bill would make any violation punishable by imprisonment not to exceed six months, with subsequent violations punishable by imprisonment not to exceed one year. 4)Existing law pertaining to cybercrime . The underlying law prohibiting computer-related crimes affected by this bill prohibits an individual from knowingly committing the following acts: (1) accessing and altering, damaging, deleting, destroying, or otherwise using any data, computer, computer system, or computer network in order to execute fraud or obtain money or property; (2) knowingly accessing, copying or using data taken from a computer, computer system, or computer network; (3) using computer services; (4) adding, altering, damaging, deleting, or destroying any data, computer, computer system, or computer network; (5) disrupting or denying computer services to an authorized user of a computer, computer system, or computer network; (6) providing a means of accessing a computer, computer system, or computer network to commit a crime; (7) accessing without permission any computer, computer system, or computer network; (8) introducing any computer contaminant into any computer, computer system, or computer network; (9) using the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of one or more electronic mail messages or posts and thereby damaging a computer, computer data, computer system, or computer network; (10) disrupting or denying government computer services to an authorized user; (11) adding, altering, damaging, deleting, or destroying any data on a public safety infrastructure computer, computer system, or computer network; (12) disrupting public safety infrastructure computer services or denying computer services to an authorized user of a public safety infrastructure computer, computer system, or computer network; (13) providing a means of accessing a computer, computer system, or public safety infrastructure computer system computer, computer system, or computer network without authorization; and, (14) introducing any computer contaminant into any public safety infrastructure computer, computer system, or computer network. AB 195 Page 8 5)Arguments in support . The Los Angeles County Board of Supervisors states, "AB 195 would?make it a crime to solicit someone to knowingly and without permission gain access to a computer network. The County's computer networks contain vital information about County finances, employees, and residents, and must be protected to prevent unauthorized access, which could lead to identity theft, financial crimes, and fraud. AB 195 would give law enforcement officers additional tools to combat unauthorized access to the County's information technology infrastructure." 6)Related Legislation : AB 32 (Waldron) adds an additional fine not to exceed $10,000 for each digital image of a person's body parts that were acquired as a result of an unauthorized access to a computer system. This bill is currently pending in the Assembly Public Safety Committee. SB 30 (Gaines) prohibits the theft of a motor vehicle by commandeering its operating system, with penalties ranging from three years imprisonment to a $1000 fine and six months imprisonment depending on whether or not the vehicle's value exceeds $950. This bill is currently pending in the Senate Public Safety Committee. 7)Prior Legislation : AB 1642 (Waldron), Chapter 379, Statutes of 2014, specified the penalties for any person who disrupts or causes the disruption of, adds, alters, damages, destroys, provides or assists in providing a means of accessing, or introduces any computer contaminant into a "government computer system" or a "public safety infrastructure computer system," as specified, and changes and adds the definition of specified terms. 8)Double-referral . This bill was double-referred to the Assembly Public Safety Committee, where it was heard on March 17, 2015 and passed on a 6-0 vote. AB 195 Page 9 REGISTERED SUPPORT / OPPOSITION: Support California District Attorneys Association California Public Defenders Association Los Angeles County Board of Supervisors Los Angeles County Sheriff's Department Opposition None received. Analysis Prepared by: Hank Dempsey/P. & C.P./(916) 319-2200