BILL ANALYSIS �Ó
AB 195
Page 1
Date of Hearing: April 7, 2015
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Gatto, Chair
AB
195 (Chau) - As Amended April 6, 2015
SUBJECT: Unauthorized access to computer systems
SUMMARY: Prohibits the solicitation of another person to commit
or assist in the commission of a variety of crimes related to
the unauthorized access of computer systems. Specifically, this
bill:
1)Provides that every person who intentionally solicits another
to commit any of a number of specified computer crimes shall
be punished by imprisonment in a county jail for a period not
to exceed six months, with every subsequent violation by that
same person being punished by imprisonment not to exceed one
year.
2)Provides that every person who intentionally offers to solicit
assistance for another to commit any of a number of specified
computer crimes, which includes persons operating websites
that offer to assist others in locating 'hacking services',
shall be punished by imprisonment in a county jail for a
period not to exceed six months, with every subsequent
violation by that same person being punished by imprisonment
not to exceed one year.
3)Defines "hacking services" as assistance in the unauthorized
access to computers, computer systems, or data in violation of
specified computer crimes.
�
AB 195
Page 2
4)Specifies that these new offenses shall be proven by the
testimony of one witness and corroborating circumstances.
5)Makes other technical or non-substantive amendments.
EXISTING LAW:
1)Provides general punishments for solicitation of another to
commit crimes, as specified. (Penal Code (PC) Section 653f.)
2)Punishes the following offenses by a fine not exceeding
$10,000, by a sentenced felony jail term of 16 months, two
years or three years, or both; or as a misdemeanor by a fine
not exceeding $5,000, by imprisonment in a county jail not
exceeding one year, or both: (PC 502(d)(1))
a) Any person who knowingly accesses and without permission
alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in
order to either devise or execute any scheme or artifice to
defraud, deceive, or extort, or wrongfully control or
obtain money, property, or data. (PC 502(c)(1))
b) Any person who knowingly accesses and without permission
takes, copies, or makes use of any data from a computer,
computer system, or computer network, or takes or copies
any supporting documentation, whether existing or residing
internal or external to a computer, computer system, or
computer network. (PC 502(c)(2))
c) Any person who knowingly accesses and without permission
adds, alters, damages, deletes, or destroys any data,
computer software, or computer programs which reside or
exist internal or external to a computer, computer system,
or computer network. (PC 502(c)(4))
�
AB 195
Page 3
d) Any person who knowingly and without permission disrupts
or causes the disruption of computer services or denies or
causes the denial of computer services to an authorized
user of a computer, computer system, or computer network.
(PC 502(c)(5))
e) Any person who knowingly and without permission disrupts
or causes the disruption of government computer services or
denies or causes the denial of government computer services
to an authorized user of a government computer, computer
system, or computer network. (PC 502(c)(10))
f) Any person who knowingly accesses and without permission
adds, alters, damages, deletes, or destroys any data,
computer software, or computer programs which reside or
exist internal or external to a public safety
infrastructure computer system computer, computer system,
or computer network. (PC 502(c)(11))
g) Any person who knowingly and without permission disrupts
or causes the disruption of public safety infrastructure
computer system computer services or denies or causes the
denial of computer services to an authorized user of a
public safety infrastructure computer system computer,
computer system, or computer network. (PC 502(c)(12))
1)Punishes any person who knowingly and without permission uses
or causes to be used computer services, as specified. (PC
502(c)(3), (d)(2))
2)Punishes any person who knowingly and without permission
�
AB 195
Page 4
provides or assists in providing a means of accessing a
computer, computer system, or computer network, as specified.
(PC 502(c)(6), (d)(3))
3)Punishes any person who knowingly and without permission
accesses or causes to be accessed any computer, computer
system, or computer network, as specified. (PC 502(c)(7),
(d)(3))
4)Punishes any person who knowingly and without permission
provides or assists in providing a means of accessing a
computer, computer system, or public safety infrastructure
computer, computer system, or computer network, as specified
(PC 502(c)(11), (d)(3))
5)Punishes any person who knowingly introduces any computer
contaminant into any computer, computer system, or computer
network, as specified. (PC 502(c)(8), (d)(4))
6)Punishes any person who knowingly introduces any computer
contaminant into any public safety infrastructure computer
system computer, computer system, or computer network, as
specified. (PC 502(c)(14), (d)(4))
7)Punishes any person who knowingly and without permission uses
the Internet domain name or profile of another individual,
corporation, or entity in connection with the sending of one
or more electronic mail messages or posts and thereby damages
or causes damage to a computer, computer data, computer
system, or computer network, as specified. (PC 502 (c)(9),
(d)(5))
FISCAL EFFECT: Unknown
�
AB 195
Page 5
COMMENTS:
1)Purpose of this bill . This bill is intended to explicitly
prohibit the solicitation of another to commit a variety of
computer-related crimes. The impetus for this measure stems
from the growth in 'hackers-for-hire' websites where
individuals can pay to have hackers gain unauthorized access
to computer systems. This measure is author-sponsored.
2)Author's statement . According to the author, "In recent
years, we have seen the growth of so called Hacker-for-Hire
websites where individuals solicit hackers to perform certain
projects. These websites work in different ways. Some work
by requiring the person to submit a description of the hacking
job along with contact information. The website then sets up
a time to connect the person with a hacker over the phone or
video-conferencing to complete the process. Other websites
work by creating a platform that allows customers to register
and post projects on the website for different hackers to bid
on. The websites then hold the money in an escrow account
until both parties agree that the transaction has been
completed. The website then takes a commission from each
transaction and releases the money."
"Hacker-for-Hire projects range from recovering lost passwords
to tracking stolen devices. But some of these websites also
provide a platform for individuals seeking illegal hacking
services from less than ethical hackers, such as installing
spyware on devices and gaining access to the email and social
media accounts of unsuspecting victims. AB 195 protects
individual privacy by cracking down on websites that assist in
the solicitation of a hacker to illegally access a computer
network..."
3)Cybercrime and hacking-for-hire. It is without question that
cybercrime (Internet-related criminal activity) has become a
major issue for consumers and law enforcement. The Federal
�
AB 195
Page 6
Bureau of Investigation's Internet Crime Complaint Center
received over 262,000 complaints in 2013, crimes reflecting an
adjusted dollar loss of more than $781 million - losses that
were 49% higher than those tallied in 2012 ($581 million).
Cybercrime can lead to a wide variety of problems for
consumers and businesses, including damage or destruction of
property, identity theft, theft of intellectual property,
breach notices, bad publicity, and a loss of personal privacy.
On January 15, 2015, the New York Times published an article
entitled "Need Some Espionage Done? Hackers Are for Hire
Online" that discusses the growing online market for the
services of skilled computer programmers, or 'hackers'. For
example, the article examines a website called Hacker's List
that aims to match hackers with people who need a wide variety
of difficult, and sometimes illegal, tasks performed - such as
gaining access to email accounts, tracking stolen devices,
taking down unflattering photos, installing spyware on
another's device, or gaining access to a company database.
For example, Hacker's List had an entry from a man in Sweden
willing to pay $2000 for someone to break into his landlord's
website, and a woman in California offered to pay $500 for
someone to hack her boyfriend's email and social media
accounts to determine if he was cheating on her. According to
the article, in less than three months of operation, over 500
hacking jobs have been put out to bid on the site. Other
websites operate in a similar fashion, allowing people to post
projects and coordinate with hackers, with payment being held
in escrow until the job is completed.
The author points out that under current law it is already a
crime to solicit another to commit certain crimes, such as
bribery, kidnapping, and robbery, among others. And it is
already a crime for someone to knowingly hack into another's
computer network without permission. However, as the statute
has not kept pace with technology, it is not explicitly a
crime to solicit someone to knowingly and without permission
hack into a computer network.
In response, AB 195 would explicitly make it a crime to
intentionally solicit someone to knowingly and without
permission commit any of 14 enumerated computer crimes. This
�
AB 195
Page 7
bill would make any violation punishable by imprisonment not
to exceed six months, with subsequent violations punishable by
imprisonment not to exceed one year.
4)Existing law pertaining to cybercrime . The underlying law
prohibiting computer-related crimes affected by this bill
prohibits an individual from knowingly committing the
following acts: (1) accessing and altering, damaging,
deleting, destroying, or otherwise using any data, computer,
computer system, or computer network in order to execute fraud
or obtain money or property; (2) knowingly accessing, copying
or using data taken from a computer, computer system, or
computer network; (3) using computer services; (4) adding,
altering, damaging, deleting, or destroying any data,
computer, computer system, or computer network; (5) disrupting
or denying computer services to an authorized user of a
computer, computer system, or computer network; (6) providing
a means of accessing a computer, computer system, or computer
network to commit a crime; (7) accessing without permission
any computer, computer system, or computer network; (8)
introducing any computer contaminant into any computer,
computer system, or computer network; (9) using the Internet
domain name or profile of another individual, corporation, or
entity in connection with the sending of one or more
electronic mail messages or posts and thereby damaging a
computer, computer data, computer system, or computer network;
(10) disrupting or denying government computer services to an
authorized user; (11) adding, altering, damaging, deleting, or
destroying any data on a public safety infrastructure
computer, computer system, or computer network; (12)
disrupting public safety infrastructure computer services or
denying computer services to an authorized user of a public
safety infrastructure computer, computer system, or computer
network; (13) providing a means of accessing a computer,
computer system, or public safety infrastructure computer
system computer, computer system, or computer network without
authorization; and, (14) introducing any computer contaminant
into any public safety infrastructure computer, computer
system, or computer network.
�
AB 195
Page 8
5)Arguments in support . The Los Angeles County Board of
Supervisors states, "AB 195 would?make it a crime to solicit
someone to knowingly and without permission gain access to a
computer network. The County's computer networks contain
vital information about County finances, employees, and
residents, and must be protected to prevent unauthorized
access, which could lead to identity theft, financial crimes,
and fraud. AB 195 would give law enforcement officers
additional tools to combat unauthorized access to the County's
information technology infrastructure."
6)Related Legislation : AB 32 (Waldron) adds an additional fine
not to exceed $10,000 for each digital image of a person's
body parts that were acquired as a result of an unauthorized
access to a computer system. This bill is currently pending
in the Assembly Public Safety Committee.
SB 30 (Gaines) prohibits the theft of a motor vehicle by
commandeering its operating system, with penalties ranging
from three years imprisonment to a $1000 fine and six months
imprisonment depending on whether or not the vehicle's value
exceeds $950. This bill is currently pending in the Senate
Public Safety Committee.
7)Prior Legislation : AB 1642 (Waldron), Chapter 379, Statutes
of 2014, specified the penalties for any person who disrupts
or causes the disruption of, adds, alters, damages, destroys,
provides or assists in providing a means of accessing, or
introduces any computer contaminant into a "government
computer system" or a "public safety infrastructure computer
system," as specified, and changes and adds the definition of
specified terms.
8)Double-referral . This bill was double-referred to the
Assembly Public Safety Committee, where it was heard on March
17, 2015 and passed on a 6-0 vote.
�
AB 195
Page 9
REGISTERED SUPPORT / OPPOSITION:
Support
California District Attorneys Association
California Public Defenders Association
Los Angeles County Board of Supervisors
Los Angeles County Sheriff's Department
Opposition
None received.
Analysis Prepared
by: Hank Dempsey/P. & C.P./(916) 319-2200