BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                     AB 195


                                                                    Page  1


          Date of Hearing:  April 7, 2015


                ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION


                                    Gatto, Chair


          AB  
                         195 (Chau) - As Amended  April 6, 2015


          SUBJECT:  Unauthorized access to computer systems


          SUMMARY:  Prohibits the solicitation of another person to commit  
          or assist in the commission of a variety of crimes related to  
          the unauthorized access of computer systems.  Specifically, this  
          bill:  


          1)Provides that every person who intentionally solicits another  
            to commit any of a number of specified computer crimes shall  
            be punished by imprisonment in a county jail for a period not  
            to exceed six months, with every subsequent violation by that  
            same person being punished by imprisonment not to exceed one  
            year.

          2)Provides that every person who intentionally offers to solicit  
            assistance for another to commit any of a number of specified  
            computer crimes, which includes persons operating websites  
            that offer to assist others in locating 'hacking services',  
            shall be punished by imprisonment in a county jail for a  
            period not to exceed six months, with every subsequent  
            violation by that same person being punished by imprisonment  
            not to exceed one year.

          3)Defines "hacking services" as assistance in the unauthorized  
            access to computers, computer systems, or data in violation of  
            specified computer crimes.









                                                                     AB 195


                                                                    Page  2


          4)Specifies that these new offenses shall be proven by the  
            testimony of one witness and corroborating circumstances.

          5)Makes other technical or non-substantive amendments. 

          EXISTING LAW:

          1)Provides general punishments for solicitation of another to  
            commit crimes, as specified.   (Penal Code (PC) Section 653f.)  
             

          2)Punishes the following offenses by a fine not exceeding  
            $10,000, by a sentenced felony jail term of 16 months, two  
            years or three years, or both; or as a misdemeanor by a fine  
            not exceeding $5,000, by imprisonment in a county jail not  
            exceeding one year, or both:  (PC 502(d)(1)) 

             a)   Any person who knowingly accesses and without permission  
               alters, damages, deletes, destroys, or otherwise uses any  
               data, computer, computer system, or computer network in  
               order to either devise or execute any scheme or artifice to  
               defraud, deceive, or extort, or wrongfully control or  
               obtain money, property, or data.  (PC 502(c)(1))

             b)   Any person who knowingly accesses and without permission  
               takes, copies, or makes use of any data from a computer,  
               computer system, or computer network, or takes or copies  
               any supporting documentation, whether existing or residing  
               internal or external to a computer, computer system, or  
               computer network.  (PC 502(c)(2)) 





             c)   Any person who knowingly accesses and without permission  
               adds, alters, damages, deletes, or destroys any data,  
               computer software, or computer programs which reside or  
               exist internal or external to a computer, computer system,  
               or computer network. (PC 502(c)(4)) 










                                                                     AB 195


                                                                    Page  3



             d)   Any person who knowingly and without permission disrupts  
               or causes the disruption of computer services or denies or  
               causes the denial of computer services to an authorized  
               user of a computer, computer system, or computer network.   
               (PC 502(c)(5)) 

             e)   Any person who knowingly and without permission disrupts  
               or causes the disruption of government computer services or  
               denies or causes the denial of government computer services  
               to an authorized user of a government computer, computer  
               system, or computer network.  (PC 502(c)(10))





             f)   Any person who knowingly accesses and without permission  
               adds, alters, damages, deletes, or destroys any data,  
               computer software, or computer programs which reside or  
               exist internal or external to a public safety  
               infrastructure computer system computer, computer system,  
               or computer network.  (PC 502(c)(11)) 



             g)   Any person who knowingly and without permission disrupts  
               or causes the disruption of public safety infrastructure  
               computer system computer services or denies or causes the  
               denial of computer services to an authorized user of a  
               public safety infrastructure computer system computer,  
               computer system, or computer network.  (PC 502(c)(12)) 



          1)Punishes any person who knowingly and without permission uses  
            or causes to be used computer services, as specified.  (PC  
            502(c)(3), (d)(2)) 



          2)Punishes any person who knowingly and without permission  








                                                                     AB 195


                                                                    Page  4


            provides or assists in providing a means of accessing a  
            computer, computer system, or computer network, as specified.   
            (PC 502(c)(6), (d)(3))



          3)Punishes any person who knowingly and without permission  
            accesses or causes to be accessed any computer, computer  
            system, or computer network, as specified.  (PC 502(c)(7),  
            (d)(3)) 



          4)Punishes any person who knowingly and without permission  
            provides or assists in providing a means of accessing a  
            computer, computer system, or public safety infrastructure  
            computer, computer system, or computer network, as specified   
            (PC 502(c)(11), (d)(3)) 



          5)Punishes any person who knowingly introduces any computer  
            contaminant into any computer, computer system, or computer  
            network, as specified.  (PC 502(c)(8), (d)(4))



          6)Punishes any person who knowingly introduces any computer  
            contaminant into any public safety infrastructure computer  
            system computer, computer system, or computer network, as  
            specified.  (PC 502(c)(14), (d)(4)) 



          7)Punishes any person who knowingly and without permission uses  
            the Internet domain name or profile of another individual,  
            corporation, or entity in connection with the sending of one  
            or more electronic mail messages or posts and thereby damages  
            or causes damage to a computer, computer data, computer  
            system, or computer network, as specified.  (PC 502 (c)(9),  
            (d)(5)) 
          FISCAL EFFECT:  Unknown








                                                                     AB 195


                                                                    Page  5




          COMMENTS:  


           1)Purpose of this bill  .  This bill is intended to explicitly  
            prohibit the solicitation of another to commit a variety of  
            computer-related crimes.  The impetus for this measure stems  
            from the growth in 'hackers-for-hire' websites where  
            individuals can pay to have hackers gain unauthorized access  
            to computer systems.  This measure is author-sponsored. 



           2)Author's statement  .  According to the author, "In recent  
            years, we have seen the growth of so called Hacker-for-Hire  
            websites where individuals solicit hackers to perform certain  
            projects.  These websites work in different ways.  Some work  
            by requiring the person to submit a description of the hacking  
            job along with contact information.  The website then sets up  
            a time to connect the person with a hacker over the phone or  
            video-conferencing to complete the process.  Other websites  
            work by creating a platform that allows customers to register  
            and post projects on the website for different hackers to bid  
            on.  The websites then hold the money in an escrow account  
            until both parties agree that the transaction has been  
            completed.  The website then takes a commission from each  
            transaction and releases the money." 

          "Hacker-for-Hire projects range from recovering lost passwords  
            to tracking stolen devices. But some of these websites also  
            provide a platform for individuals seeking illegal hacking  
            services from less than ethical hackers, such as installing  
            spyware on devices and gaining access to the email and social  
            media accounts of unsuspecting victims.  AB 195 protects  
            individual privacy by cracking down on websites that assist in  
            the solicitation of a hacker to illegally access a computer  
            network..."

           3)Cybercrime and hacking-for-hire.   It is without question that  
            cybercrime (Internet-related criminal activity) has become a  
            major issue for consumers and law enforcement.  The Federal  








                                                                     AB 195


                                                                    Page  6


            Bureau of Investigation's Internet Crime Complaint Center  
            received over 262,000 complaints in 2013, crimes reflecting an  
            adjusted dollar loss of more than $781 million - losses that  
            were 49% higher than those tallied in 2012 ($581 million).   
            Cybercrime can lead to a wide variety of problems for  
            consumers and businesses, including damage or destruction of  
            property, identity theft, theft of intellectual property,  
            breach notices, bad publicity, and a loss of personal privacy.

          On January 15, 2015, the New York Times published an article  
            entitled "Need Some Espionage Done? Hackers Are for Hire  
            Online" that discusses the growing online market for the  
            services of skilled computer programmers, or 'hackers'.  For  
            example, the article examines a website called Hacker's List  
            that aims to match hackers with people who need a wide variety  
            of difficult, and sometimes illegal, tasks performed - such as  
            gaining access to email accounts, tracking stolen devices,  
            taking down unflattering photos, installing spyware on  
            another's device, or gaining access to a company database.   
            For example, Hacker's List had an entry from a man in Sweden  
            willing to pay $2000 for someone to break into his landlord's  
            website, and a woman in California offered to pay $500 for  
            someone to hack her boyfriend's email and social media  
            accounts to determine if he was cheating on her.  According to  
            the article, in less than three months of operation, over 500  
            hacking jobs have been put out to bid on the site.  Other  
            websites operate in a similar fashion, allowing people to post  
            projects and coordinate with hackers, with payment being held  
            in escrow until the job is completed. 

          The author points out that under current law it is already a  
            crime to solicit another to commit certain crimes, such as  
            bribery, kidnapping, and robbery, among others.  And it is  
            already a crime for someone to knowingly hack into another's  
            computer network without permission. However, as the statute  
            has not kept pace with technology, it is not explicitly a  
            crime to solicit someone to knowingly and without permission  
            hack into a computer network. 

          In response, AB 195 would explicitly make it a crime to  
            intentionally solicit someone to knowingly and without  
            permission commit any of 14 enumerated computer crimes.  This  








                                                                     AB 195


                                                                    Page  7


            bill would make any violation punishable by imprisonment not  
            to exceed six months, with subsequent violations punishable by  
            imprisonment not to exceed one year.
                                    
           4)Existing law pertaining to cybercrime  .  The underlying law  
            prohibiting computer-related crimes affected by this bill  
            prohibits an individual from knowingly committing the  
            following acts: (1) accessing and altering, damaging,  
            deleting, destroying, or otherwise using any data, computer,  
            computer system, or computer network in order to execute fraud  
            or obtain money or property; (2) knowingly accessing, copying  
            or using data taken from a computer, computer system, or  
            computer network; (3) using computer services; (4) adding,  
            altering, damaging, deleting, or destroying any data,  
            computer, computer system, or computer network; (5) disrupting  
            or denying computer services to an authorized user of a  
            computer, computer system, or computer network; (6) providing  
            a means of accessing a computer, computer system, or computer  
            network to commit a crime; (7) accessing without permission  
            any computer, computer system, or computer network; (8)  
            introducing any computer contaminant into any computer,  
            computer system, or computer network; (9) using the Internet  
            domain name or profile of another individual, corporation, or  
            entity in connection with the sending of one or more  
            electronic mail messages or posts and thereby damaging a  
            computer, computer data, computer system, or computer network;  
            (10) disrupting or denying government computer services to an  
            authorized user; (11) adding, altering, damaging, deleting, or  
            destroying any data on a public safety infrastructure  
            computer, computer system, or computer network; (12)  
            disrupting public safety infrastructure computer services or  
            denying computer services to an authorized user of a public  
            safety infrastructure computer, computer system, or computer  
            network; (13) providing a means of accessing a computer,  
            computer system, or public safety infrastructure computer  
            system computer, computer system, or computer network without  
            authorization; and, (14) introducing any computer contaminant  
            into any public safety infrastructure computer, computer  
            system, or computer network.
          










                                                                     AB 195


                                                                    Page  8


          5)Arguments in support  .  The Los Angeles County Board of  
            Supervisors states, "AB 195 would?make it a crime to solicit  
            someone to knowingly and without permission gain access to a  
            computer network.  The County's computer networks contain  
            vital information about County finances, employees, and  
            residents, and must be protected to prevent unauthorized  
            access, which could lead to identity theft, financial crimes,  
            and fraud.  AB 195 would give law enforcement officers  
            additional tools to combat unauthorized access to the County's  
            information technology infrastructure."



           6)Related Legislation  :  AB 32 (Waldron) adds an additional fine  
            not to exceed $10,000 for each digital image of a person's  
            body parts that were acquired as a result of an unauthorized  
            access to a computer system.  This bill is currently pending  
            in the Assembly Public Safety Committee.

            SB 30 (Gaines) prohibits the theft of a motor vehicle by  
            commandeering its operating system, with penalties ranging  
            from three years imprisonment to a $1000 fine and six months  
            imprisonment depending on whether or not the vehicle's value  
            exceeds $950.  This bill is currently pending in the Senate  
            Public Safety Committee. 


          


           7)Prior Legislation  :  AB 1642 (Waldron), Chapter 379, Statutes  
            of 2014, specified the penalties for any person who disrupts  
            or causes the disruption of, adds, alters, damages, destroys,  
            provides or assists in providing a means of accessing, or  
            introduces any computer contaminant into a "government  
            computer system" or a "public safety infrastructure computer  
            system," as specified, and changes and adds the definition of  
            specified terms.  

           8)Double-referral  .  This bill was double-referred to the  
            Assembly Public Safety Committee, where it was heard on March  
            17, 2015 and passed on a 6-0 vote.








                                                                     AB 195


                                                                    Page  9




          REGISTERED SUPPORT / OPPOSITION:


          Support


          California District Attorneys Association
          California Public Defenders Association
          Los Angeles County Board of Supervisors 
          Los Angeles County Sheriff's Department


          Opposition


          None received.


          Analysis Prepared  
          by:              Hank Dempsey/P. & C.P./(916) 319-2200