BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON PUBLIC SAFETY
                             Senator Loni Hancock, Chair
                                2015 - 2016  Regular 

          Bill No:    AB 195        Hearing Date:    June 9, 2015    
          
           ----------------------------------------------------------------- 
          |Author:    |Chau                                                 |
          |-----------+-----------------------------------------------------|
          |Version:   |April 6, 2015                                        |
           ----------------------------------------------------------------- 
           ----------------------------------------------------------------- 
          |Urgency:   |No                     |Fiscal:    |Yes              |
           ----------------------------------------------------------------- 
           ----------------------------------------------------------------- 
          |Consultant:|JM                                                   |
          |           |                                                     |
           ----------------------------------------------------------------- 


                  Subject:  Unauthorized Access to Computer Systems



          HISTORY

          Source:   Author

          Prior Legislation:AB 1642 (Waldron), Chapter 379, Statutes of  
          2014


          Support:  Association for Los Angeles Deputy Sheriffs;  
                    California College and University Police Chiefs'  
                    Association; California District Attorneys  
                    Association; California Public Defenders Association;  
                    Los Angeles County Board of Supervisors; Los Angeles  
                    County District Attorney's Office; Los Angeles County  
                    Sheriff's Department; Los Angeles Police Protective  
                    League; Riverside Sheriffs Association 

          Opposition:Legal Services for Prisoners with Children;  
          Electronic Frontier Foundation

          Assembly Floor Vote:                 75 - 0


          PURPOSE








          AB 195  (Chau )                                            Page  
          2 of ?
          
          
          The purposes of this bill are to 1) include specified computer  
          offenses in the list of target crimes in the offense of  
          solicitation of another person to commit a crime; 2) define  
          offering to solicit assistance for a person to violate specified  
          computer cries as a form of criminal solicitation. 

          Existing law:  

          Defines the criminal offense of solicitation of another to  
          commit one of a list of target crimes.  (Pen. Code  653f.)   
          Solicitation involves the following elements, penalties and  
          evidentiary rules:

                 Solicitation includes the following elements:

                  o         The defendant requested or solicited another  
                    person to commit the target offense. 
                  o         The defendant intended that the crime be  
                    committed.
                  o         The other person received the solicitation  
                    actual words or terms used to encourage someone to  
                    commit the crime.  

                 Solicitation of any one the following offenses is an  
               alternate felony-misdemeanor, punishable by imprisonment in  
               a county jail for up to one year, a fine of up to $1,000,  
               or both, or, pursuant to Penal Code Section 1170,  
               subdivision (h), to an executed felony jail term of 16  
               months, 2 or 3 years and a fine of up to $10,000: 

                  o         Carjacking
                  o         Robbery
                  o         Burglary
                  o         Grand theft and forgery
                  o         Receiving stolen property
                  o         Extortion
                  o         Perjury and subornation of perjury
                  o         Kidnapping
                  o         Arson
                  o         Assault with a deadly weapon or by means of  
                    force likely to produce great bodily injury
                  o         Dissuading a witness by the use of force or a  
                    threat of force, upon, or testifying at, any trial,  
                    proceeding, or inquiry authorized by law, shall be  








          AB 195  (Chau )                                            Page  
          3 of ?
          
          
                    punished by imprisonment in a county jail for not more  
                    than one year, or by a fine of not more than ten  
                    thousand dollars ($10,000), or the amount which could  
                    have been assessed for commission of the offense  
                    itself, whichever is greater, or by both the fine and  
                    imprisonment. Pen. Code  653f, subd. (a),):

                 Solicitation of murder is a felony, punishable by a  
               prison term of three, six or nine years and a fine of up to  
               $10,000.  (Pen. Code  653f, subd. (b).)

                 Solicitation of the commission by force or violence of  
               rape, sodomy, oral copulation, sexual penetration, lewd  
               conduct or a sex crime in concert is a felony, punishable  
               by imprisonment in the state prison for two, three, or four  
               years and a fine of up to $10,000.  (Pen. Code  653f,  
               subd. (c).)

                 Solicitation of specified crimes involving drug commerce  
               is a misdemeanor, punishable by imprisonment in a county  
               jail for up to six months, a fine of up to $1,000, or both.  
                A subsequent conviction of this offense is an alternate  
               felony-misdemeanor, punishable by imprisonment in a county  
               jail for up to one year, a fine of up to $1,000, or both,  
               or by exceeding six months.  (Pen. Code  653f, subd. (d).)

                 Solicitation of Medi-Cal or health care eligibility  
               fraud is a misdemeanor, punishable by imprisonment in a  
               county jail for up to six months, a fine of up to $1,000,  
               or both.  A subsequent conviction of this offense is an  
               alternate felony-misdemeanor, punishable by imprisonment in  
               a county jail for up to one year, a fine of up to $1,000,  
               or both, or by exceeding six months.  (Pen. Code  653f,  
               subd. (e).)

                 Proof of solicitation of drug commerce requires the  
               testimony of one witness and corroborating evidence.  (Pen.  
               Code  653f, subd. (f).)

                 Proof of solicitation of murder, sex crimes, kidnapping,  
               robbery, carjacking, arson, specified financial or theft  
               crimes, assault or dissuading a witness requires the  
               testimony of at least two witnesses and corroborating  
               evidence. (Pen. Code  653f, subd. (f).)








          AB 195  (Chau )                                            Page  
          4 of ?
          
          

          Defines numerous computer or electronic data offenses and  
          imposes a wide range of penalties based on the seriousness of  
          the offense or extent of harm caused by the defendant by a fine  
          not exceeding $10,000, by a sentenced felony jail term of 16  
          months, two years or three years, or both, or as a misdemeanor  
          by a fine not exceeding $5,000, by imprisonment in a county jail  
          not exceeding one year, or both:

                 Any person who knowingly accesses and without permission  
               alters, damages, deletes, destroys, or otherwise uses any  
               data, computer, computer system, or computer network in  
               order to devise or execute any scheme or artifice to  
               defraud, deceive, or extort, or wrongfully control or  
               obtain money, property or data.

                 Any person who knowingly accesses and without permission  
               takes, copies or makes use of any data from a computer,  
               computer system, or computer network, or takes or copies  
               any supporting documentation, whether existing or residing  
               internal or external to a computer, computer system, or  
               computer network.

                 Any person who knowingly accessing and without  
               permission adds, alters, damages, deletes, or destroys any  
               data, computer software, or computer programs which reside  
               or exist internal or external to a computer, computer  
               system, or computer network.

                 Any person who knowingly and without permission  
               disrupting or causing the disruption of computer services  
               or denies or causes the denial of computer services or  
               denies or causes the denial of computer services to an  
               authorized user of a computer, computer system, or computer  
               network. 

                 Disrupting or improperly accessing a government of  
               public safety computer systems, data or software is  
               separately defined, but subject to the same penalties as  
               other such crimes. (Pen. Code  502, subds. (c) and  
               (d)(1).)

          Provides that any person who knowingly and without permission  
          uses or causes to be used computer services shall be punished as  








          AB 195  (Chau )                                            Page  
          5 of ?
          
          
          follows:

                 For the first violation that does not result in injury,  
               and where the value of the computer services used does not  
               exceed $950, by a fine not exceeding $5,000, by  
               imprisonment in a county jail not exceeding one year, or by  
               both that fine and imprisonment; and

                 For any violation that results in a victim expenditure  
               in an amount more than $5,000 or in an injury, if the value  
               of the computer services used exceeds $950, or for any  
               second or subsequent violation, by a fine not exceeding  
               $10,000, by imprisonment pursuant to realignment for 16  
               months, or two or three years, or by both that fine and  
               imprisonment, or by a fine not exceeding $5,000, by  
               imprisonment in a county jail not exceeding one year, or by  
               both that fine and imprisonment.  (Pen. Code  502, subds.  
               (c) and (d)(2).)

          Punishes any person who knowingly and without permission  
          provides or assists in providing a means of accessing, accesses,  
          or causes to be accessed a computer, computer system, or  
          computer network as follows:

                 For a first violation that does not result in injury, an  
               infraction punishable by a fine not exceeding $1,000;

                 For any violation that results in a victim expenditure  
               in an amount not more than $5,000, or for a second or  
               subsequent violation, by a fine not exceeding $5,000, by  
               imprisonment in a county jail not exceeding one year, or by  
               both that fine and imprisonment; and

                 For any violation that results in a victim expenditure  
               in an amount more than $5,000, by a fine not exceeding ten  
               thousand dollars $10,000, by imprisonment pursuant to  
               realignment for 16 months, or two or three years, or by  
               both that fine and imprisonment, or by a fine not exceeding  
               $5,000, by imprisonment in a county jail not exceeding one  
               year, or by both that fine and imprisonment.  (Pen. Code   
               502, subds. (c) and (d)(3).)

          Punishes any person who knowingly introduces any computer  
          contaminant into any computer, or computer system, or computer  








          AB 195  (Chau )                                            Page  
          6 of ?
          
          
          network as follows:

                 For a first violation that does not result in injury, a  
               misdemeanor punishable by a fine not exceeding $5,000, by  
               imprisonment in a county jail not exceeding one year, or by  
               both that fine and imprisonment; and

                 For any violation that results in injury, or for a  
               second or subsequent violation, by a fine not exceeding  
               $10,000, by imprisonment in a county jail not exceeding one  
               year, or by imprisonment pursuant to realignment, or by  
               both that fine and imprisonment.  (Pen. Code  502 subds.  
               (c) and (d)(4).)

          Punishes any person who knowingly and without permission uses  
          the Internet domain name of another individual, corporation, or  
          entity in connection with the sending of one or more electronic  
          mail messages, and thereby damages or causes damage to a  
          computer, computer system, or computer network as follows:

                 For a first violation that does not result in injury, an  
               infraction punishable by a fine not more than $1,000; and

                 For any violation that results in injury, or for a  
               second or subsequent violation, by a fine not exceeding  
               five thousand dollars ($5,000), or by imprisonment in a  
               county jail not exceeding one year, or by both that fine  
               and imprisonment.  (Pen. Code  502, subds. (c) and  
               (d)(5).)

          This bill:

          Provides that every person who, with the intent that the crime  
          be committed, solicits another to commit one of a number of  
          specified computer crimes shall be punished by imprisonment in a  
          county jail for a period not to exceed six months. Every  
          subsequent violation of this subdivision by that same person  
          shall be punished by imprisonment in a county jail not exceeding  
          one year. 

          Provides that every person who, with the intent that the crime  
          be committed, offers to solicit assistance for another to  
          conduct activities in violation of a number of specified  
          computer crimes shall be punished by imprisonment in a county  








          AB 195  (Chau )                                            Page  
          7 of ?
          
          
          jail for a period not to exceed six months. Every subsequent  
          violation of this subdivision by that same person shall be  
          punished by imprisonment in a county jail not exceeding one  
          year. 

                 This offense - offering to solicit assistance for the  
               purpose of committing a computer crime - applies to a  
               person who operates the website that offers to assist  
               others in locating hacking services.

                 For purposes of this crime, "hacking services" means  
               assistance in the unauthorized access to computers,  
               computer systems, or computer data in violation of  
               specified computer crimes.

          Provides that solicitation of a computer crime, or offering to  
          assist others in committing a computer crime, shall be proved by  
          the testimony of one witness and corroborating evidence.

                    RECEIVERSHIP/OVERCROWDING CRISIS AGGRAVATION

          For the past eight years, this Committee has scrutinized  
          legislation referred to its jurisdiction for any potential  
          impact on prison overcrowding.  Mindful of the United States  
          Supreme Court ruling and federal court orders relating to the  
          state's ability to provide a constitutional level of health care  
          to its inmate population and the related issue of prison  
          overcrowding, this Committee has applied its "ROCA" policy as a  
          content-neutral, provisional measure necessary to ensure that  
          the Legislature does not erode progress in reducing prison  
          overcrowding.   

          On February 10, 2014, the federal court ordered California to  
          reduce its in-state adult institution population to 137.5% of  
          design capacity by February 28, 2016, as follows:   

                 143% of design bed capacity by June 30, 2014;
                 141.5% of design bed capacity by February 28, 2015; and,
                 137.5% of design bed capacity by February 28, 2016. 

          In February of this year the administration reported that as "of  
          February 11, 2015, 112,993 inmates were housed in the State's 34  
          adult institutions, which amounts to 136.6% of design bed  
          capacity, and 8,828 inmates were housed in out-of-state  








          AB 195  (Chau )                                            Page  
          8 of ?
          
          
          facilities.  This current population is now below the  
          court-ordered reduction to 137.5% of design bed capacity."(  
          Defendants' February 2015 Status Report In Response To February  
          10, 2014 Order, 2:90-cv-00520 KJM DAD PC, 3-Judge Court, Coleman  
          v. Brown, Plata v. Brown (fn. omitted).

          While significant gains have been made in reducing the prison  
          population, the state now must stabilize these advances and  
          demonstrate to the federal court that California has in place  
          the "durable solution" to prison overcrowding "consistently  
          demanded" by the court.  (Opinion Re: Order Granting in Part and  
          Denying in Part Defendants' Request For Extension of December  
          31, 2013 Deadline, NO. 2:90-cv-0520 LKK DAD (PC), 3-Judge Court,  
          Coleman v. Brown, Plata v. Brown (2-10-14).  The Committee's  
          consideration of bills that may impact the prison population  
          therefore will be informed by the following questions:

              Whether a proposal erodes a measure which has contributed  
               to reducing the prison population;
              Whether a proposal addresses a major area of public safety  
               or criminal activity for which there is no other  
               reasonable, appropriate remedy;
              Whether a proposal addresses a crime which is directly  
               dangerous to the physical safety of others for which there  
               is no other reasonably appropriate sanction; 
              Whether a proposal corrects a constitutional problem or  
               legislative drafting error; and
              Whether a proposal proposes penalties which are  
               proportionate, and cannot be achieved through any other  
               reasonably appropriate remedy.


          COMMENTS

          1.Need for This Bill

          According to the author:

               Today, we live in a digitally connected world where  
               our devices are connected to the internet. This  
               includes our phones, cars and appliances; all of which  
               perform functions that were once exclusive to our  
               computers.  This new form of digital access has also  
               spawned a new type of criminal, one who can invade our  








          AB 195  (Chau )                                            Page  
          9 of ?
          
          
               homes by breaking into our computer networks from  
               afar.  These cybercrimes range from breaking into  
               someone's computer network to steal financial  
               information to other crimes such as corporate  
               espionage, fraud, and extortion.

               Under current law, it is a crime to solicit another to  
               commit certain crimes, such as bribery, kidnapping,  
               and robbery. In addition, it is a crime for someone to  
               knowingly hack into another's computer network without  
               permission. However, it is not a crime to solicit  
               someone to knowingly and without permission hack into  
               a computer network or smartphone. 

               Cybercrimes have greater and longer lasting effects on  
               victims than many other crimes, because the personal  
               information stolen can result in identify theft,  
               fraud, and personal embarrassment, all of which could  
               take years to recover from, if ever. The FBI's  
               Internet Crime Complaint Center reported that in 2013  
               it received over 200,000 consumer complaints about  
               online scams, which resulted in a loss of over 781  
               million dollars; an almost 50% increase from the year  
               before. 

               We have recently seen the growth of so called  
               Hacker-for-Hire websites.  Some of these websites work  
               by requiring a person to submit a description of the  
               hacking job along with contact information. The  
               website then sets up a time to connect the person with  
               a hacker over the phone or video-conferencing. Others  
               websites create a platform for customers to register  
               and post hacker projects for bid. The website then  
               holds the money in an escrow account until the parties  
               agree that the transaction has been completed and  
               takes a commission from each transaction.   
               Hacker-for-Hire projects range from recovering lost  
               passwords to tracking stolen devices.  But some of  
               these websites also allow individuals to seek illegal  
               hacking services from less than ethical hackers, such  
               as installing spyware and gaining access to the email  
               and social media accounts of unsuspecting victims. 

               AB 195 would make it a crime to solicit someone to  








          AB 195  (Chau )                                            Page  
          10 of ?
          
          
               knowingly and without permission gain access to a  
               computer network or smartphone.  This includes  
               offering to obtain or assist in locating hacking  
               services. The bill would also clarify that a computer  
               network includes smartphones. This bill would make any  
               violation punishable by imprisonment not to exceed six  
               months. Any subsequent violation would be punishable  
               by imprisonment not to exceed one year.

          2.Solicitation of a Crime in Contrast with an Attempted Crime 

          An attempt to commit a crime includes the elements of a specific  
          intent to commit a crime and a direct, but unsuccessful step  
          towards commission of the crime.  Mere preparation to commit a  
          crime is not an attempt. Solicitation is the requesting of  
          another person to commit a crime, with the intent that the crime  
          be committed.  The crime of solicitation has been committed at  
          that point.  The crime need not be committed and the person  
          solicited need not prepare to commit the crime or take steps  
          towards its commission.  

          3.Argument in Support

          According to the California Public Defenders Association:

               Existing law establishes various crimes related to  
               computer services and systems.  Existing law makes it  
               a crime to knowingly, and without permission, access,  
               cause to be accessed, or provide or assist in  
               providing, a means of accessing a computer, computer  
               system, computer network, or computer data in  
               violation of prescribed provisions and defines related  
               terms?Computing technology has expanded greatly in the  
               last few years.  With the introduction of the  
               smartphone, computer technology advanced with a device  
               that is highly portable, yet gives one computing power  
               that heretofore required large, often cumbersome,  
               equipment.  Essentially, it put the power of computers  
               into one's pocket.  With the proliferation of  
               smartphones, and their ever-growing capabilities, more  
               private data is carried on the person.  Given this  
               incredible increase in technology, it only makes sense  
               to include smartphones as devices that can be the  
               target of illicit hacking and data transmission.








          AB 195  (Chau )                                            Page  
          11 of ?
          
          

          4.Argument in Opposition

          According to the Electronic Frontier Foundation:

               Our primary concern with AB 195 is that it would  
               criminalize the offering of technical assistance in  
               accessing computers or data, which the bill deems to  
               be "hacking services."  Such services are often wholly  
               legitimate; as the author himself states, such  
               services include "recovering lost passwords to  
               tracking stolen devices."  As written, however, we  
               believe AB 195 makes it very hard to such legitimate  
               services to be offered.

               What the statute fails to recognize is the vast array  
               of "hacking services" that are beneficial and indeed  
               critical to the computer security industry. Take for  
                                            example, so-called "penetration testing" services,  
               also called pen testing. Penetration testing is a  
               procedure where an information security professional  
               is hired to attempt to hack into a network, using the  
               same tools and techniques as a criminal hacker. The  
               resulting report is used, not for crime, but to secure  
               the network.  As written, the bill could criminalize  
               linking to sites that offer such services.  Although  
               there is an intent requirement, the statutory language  
               specifically calls out a website that "offer[s] to  
               assist others in locating hacking services," which  
               undoubtedly includes penetration testing.  The intent  
               requirement would not prevent a constitutionally  
               impermissible chilling effect on those seeking to list  
               or compare penetration services. 



                                      -- END -





          









          AB 195  (Chau )                                            Page  
          12 of ?