BILL ANALYSIS �Ó
SENATE COMMITTEE ON PUBLIC SAFETY
Senator Loni Hancock, Chair
2015 - 2016 Regular
Bill No: AB 195 Hearing Date: June 9, 2015
-----------------------------------------------------------------
|Author: |Chau |
|-----------+-----------------------------------------------------|
|Version: |April 6, 2015 |
-----------------------------------------------------------------
-----------------------------------------------------------------
|Urgency: |No |Fiscal: |Yes |
-----------------------------------------------------------------
-----------------------------------------------------------------
|Consultant:|JM |
| | |
-----------------------------------------------------------------
Subject: Unauthorized Access to Computer Systems
HISTORY
Source: Author
Prior Legislation:AB 1642 (Waldron), Chapter 379, Statutes of
2014
Support: Association for Los Angeles Deputy Sheriffs;
California College and University Police Chiefs'
Association; California District Attorneys
Association; California Public Defenders Association;
Los Angeles County Board of Supervisors; Los Angeles
County District Attorney's Office; Los Angeles County
Sheriff's Department; Los Angeles Police Protective
League; Riverside Sheriffs Association
Opposition:Legal Services for Prisoners with Children;
Electronic Frontier Foundation
Assembly Floor Vote: 75 - 0
PURPOSE
�
AB 195 (Chau ) Page
2 of ?
The purposes of this bill are to 1) include specified computer
offenses in the list of target crimes in the offense of
solicitation of another person to commit a crime; 2) define
offering to solicit assistance for a person to violate specified
computer cries as a form of criminal solicitation.
Existing law:
Defines the criminal offense of solicitation of another to
commit one of a list of target crimes. (Pen. Code § 653f.)
Solicitation involves the following elements, penalties and
evidentiary rules:
Solicitation includes the following elements:
o The defendant requested or solicited another
person to commit the target offense.
o The defendant intended that the crime be
committed.
o The other person received the solicitation
actual words or terms used to encourage someone to
commit the crime.
Solicitation of any one the following offenses is an
alternate felony-misdemeanor, punishable by imprisonment in
a county jail for up to one year, a fine of up to $1,000,
or both, or, pursuant to Penal Code Section 1170,
subdivision (h), to an executed felony jail term of 16
months, 2 or 3 years and a fine of up to $10,000:
o Carjacking
o Robbery
o Burglary
o Grand theft and forgery
o Receiving stolen property
o Extortion
o Perjury and subornation of perjury
o Kidnapping
o Arson
o Assault with a deadly weapon or by means of
force likely to produce great bodily injury
o Dissuading a witness by the use of force or a
threat of force, upon, or testifying at, any trial,
proceeding, or inquiry authorized by law, shall be
�
AB 195 (Chau ) Page
3 of ?
punished by imprisonment in a county jail for not more
than one year, or by a fine of not more than ten
thousand dollars ($10,000), or the amount which could
have been assessed for commission of the offense
itself, whichever is greater, or by both the fine and
imprisonment. Pen. Code § 653f, subd. (a),):
Solicitation of murder is a felony, punishable by a
prison term of three, six or nine years and a fine of up to
$10,000. (Pen. Code § 653f, subd. (b).)
Solicitation of the commission by force or violence of
rape, sodomy, oral copulation, sexual penetration, lewd
conduct or a sex crime in concert is a felony, punishable
by imprisonment in the state prison for two, three, or four
years and a fine of up to $10,000. (Pen. Code § 653f,
subd. (c).)
Solicitation of specified crimes involving drug commerce
is a misdemeanor, punishable by imprisonment in a county
jail for up to six months, a fine of up to $1,000, or both.
A subsequent conviction of this offense is an alternate
felony-misdemeanor, punishable by imprisonment in a county
jail for up to one year, a fine of up to $1,000, or both,
or by exceeding six months. (Pen. Code § 653f, subd. (d).)
Solicitation of Medi-Cal or health care eligibility
fraud is a misdemeanor, punishable by imprisonment in a
county jail for up to six months, a fine of up to $1,000,
or both. A subsequent conviction of this offense is an
alternate felony-misdemeanor, punishable by imprisonment in
a county jail for up to one year, a fine of up to $1,000,
or both, or by exceeding six months. (Pen. Code § 653f,
subd. (e).)
Proof of solicitation of drug commerce requires the
testimony of one witness and corroborating evidence. (Pen.
Code § 653f, subd. (f).)
Proof of solicitation of murder, sex crimes, kidnapping,
robbery, carjacking, arson, specified financial or theft
crimes, assault or dissuading a witness requires the
testimony of at least two witnesses and corroborating
evidence. (Pen. Code § 653f, subd. (f).)
�
AB 195 (Chau ) Page
4 of ?
Defines numerous computer or electronic data offenses and
imposes a wide range of penalties based on the seriousness of
the offense or extent of harm caused by the defendant by a fine
not exceeding $10,000, by a sentenced felony jail term of 16
months, two years or three years, or both, or as a misdemeanor
by a fine not exceeding $5,000, by imprisonment in a county jail
not exceeding one year, or both:
Any person who knowingly accesses and without permission
alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in
order to devise or execute any scheme or artifice to
defraud, deceive, or extort, or wrongfully control or
obtain money, property or data.
Any person who knowingly accesses and without permission
takes, copies or makes use of any data from a computer,
computer system, or computer network, or takes or copies
any supporting documentation, whether existing or residing
internal or external to a computer, computer system, or
computer network.
Any person who knowingly accessing and without
permission adds, alters, damages, deletes, or destroys any
data, computer software, or computer programs which reside
or exist internal or external to a computer, computer
system, or computer network.
Any person who knowingly and without permission
disrupting or causing the disruption of computer services
or denies or causes the denial of computer services or
denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer
network.
Disrupting or improperly accessing a government of
public safety computer systems, data or software is
separately defined, but subject to the same penalties as
other such crimes. (Pen. Code § 502, subds. (c) and
(d)(1).)
Provides that any person who knowingly and without permission
uses or causes to be used computer services shall be punished as
�
AB 195 (Chau ) Page
5 of ?
follows:
For the first violation that does not result in injury,
and where the value of the computer services used does not
exceed $950, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
For any violation that results in a victim expenditure
in an amount more than $5,000 or in an injury, if the value
of the computer services used exceeds $950, or for any
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment. (Pen. Code § 502, subds.
(c) and (d)(2).)
Punishes any person who knowingly and without permission
provides or assists in providing a means of accessing, accesses,
or causes to be accessed a computer, computer system, or
computer network as follows:
For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000;
For any violation that results in a victim expenditure
in an amount not more than $5,000, or for a second or
subsequent violation, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
For any violation that results in a victim expenditure
in an amount more than $5,000, by a fine not exceeding ten
thousand dollars $10,000, by imprisonment pursuant to
realignment for 16 months, or two or three years, or by
both that fine and imprisonment, or by a fine not exceeding
$5,000, by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment. (Pen. Code §
502, subds. (c) and (d)(3).)
Punishes any person who knowingly introduces any computer
contaminant into any computer, or computer system, or computer
�
AB 195 (Chau ) Page
6 of ?
network as follows:
For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment in a county jail not exceeding one
year, or by imprisonment pursuant to realignment, or by
both that fine and imprisonment. (Pen. Code § 502 subds.
(c) and (d)(4).)
Punishes any person who knowingly and without permission uses
the Internet domain name of another individual, corporation, or
entity in connection with the sending of one or more electronic
mail messages, and thereby damages or causes damage to a
computer, computer system, or computer network as follows:
For a first violation that does not result in injury, an
infraction punishable by a fine not more than $1,000; and
For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
five thousand dollars ($5,000), or by imprisonment in a
county jail not exceeding one year, or by both that fine
and imprisonment. (Pen. Code § 502, subds. (c) and
(d)(5).)
This bill:
Provides that every person who, with the intent that the crime
be committed, solicits another to commit one of a number of
specified computer crimes shall be punished by imprisonment in a
county jail for a period not to exceed six months. Every
subsequent violation of this subdivision by that same person
shall be punished by imprisonment in a county jail not exceeding
one year.
Provides that every person who, with the intent that the crime
be committed, offers to solicit assistance for another to
conduct activities in violation of a number of specified
computer crimes shall be punished by imprisonment in a county
�
AB 195 (Chau ) Page
7 of ?
jail for a period not to exceed six months. Every subsequent
violation of this subdivision by that same person shall be
punished by imprisonment in a county jail not exceeding one
year.
This offense - offering to solicit assistance for the
purpose of committing a computer crime - applies to a
person who operates the website that offers to assist
others in locating hacking services.
For purposes of this crime, "hacking services" means
assistance in the unauthorized access to computers,
computer systems, or computer data in violation of
specified computer crimes.
Provides that solicitation of a computer crime, or offering to
assist others in committing a computer crime, shall be proved by
the testimony of one witness and corroborating evidence.
RECEIVERSHIP/OVERCROWDING CRISIS AGGRAVATION
For the past eight years, this Committee has scrutinized
legislation referred to its jurisdiction for any potential
impact on prison overcrowding. Mindful of the United States
Supreme Court ruling and federal court orders relating to the
state's ability to provide a constitutional level of health care
to its inmate population and the related issue of prison
overcrowding, this Committee has applied its "ROCA" policy as a
content-neutral, provisional measure necessary to ensure that
the Legislature does not erode progress in reducing prison
overcrowding.
On February 10, 2014, the federal court ordered California to
reduce its in-state adult institution population to 137.5% of
design capacity by February 28, 2016, as follows:
143% of design bed capacity by June 30, 2014;
141.5% of design bed capacity by February 28, 2015; and,
137.5% of design bed capacity by February 28, 2016.
In February of this year the administration reported that as "of
February 11, 2015, 112,993 inmates were housed in the State's 34
adult institutions, which amounts to 136.6% of design bed
capacity, and 8,828 inmates were housed in out-of-state
�
AB 195 (Chau ) Page
8 of ?
facilities. This current population is now below the
court-ordered reduction to 137.5% of design bed capacity."(
Defendants' February 2015 Status Report In Response To February
10, 2014 Order, 2:90-cv-00520 KJM DAD PC, 3-Judge Court, Coleman
v. Brown, Plata v. Brown (fn. omitted).
While significant gains have been made in reducing the prison
population, the state now must stabilize these advances and
demonstrate to the federal court that California has in place
the "durable solution" to prison overcrowding "consistently
demanded" by the court. (Opinion Re: Order Granting in Part and
Denying in Part Defendants' Request For Extension of December
31, 2013 Deadline, NO. 2:90-cv-0520 LKK DAD (PC), 3-Judge Court,
Coleman v. Brown, Plata v. Brown (2-10-14). The Committee's
consideration of bills that may impact the prison population
therefore will be informed by the following questions:
Whether a proposal erodes a measure which has contributed
to reducing the prison population;
Whether a proposal addresses a major area of public safety
or criminal activity for which there is no other
reasonable, appropriate remedy;
Whether a proposal addresses a crime which is directly
dangerous to the physical safety of others for which there
is no other reasonably appropriate sanction;
Whether a proposal corrects a constitutional problem or
legislative drafting error; and
Whether a proposal proposes penalties which are
proportionate, and cannot be achieved through any other
reasonably appropriate remedy.
COMMENTS
1.Need for This Bill
According to the author:
Today, we live in a digitally connected world where
our devices are connected to the internet. This
includes our phones, cars and appliances; all of which
perform functions that were once exclusive to our
computers. This new form of digital access has also
spawned a new type of criminal, one who can invade our
�
AB 195 (Chau ) Page
9 of ?
homes by breaking into our computer networks from
afar. These cybercrimes range from breaking into
someone's computer network to steal financial
information to other crimes such as corporate
espionage, fraud, and extortion.
Under current law, it is a crime to solicit another to
commit certain crimes, such as bribery, kidnapping,
and robbery. In addition, it is a crime for someone to
knowingly hack into another's computer network without
permission. However, it is not a crime to solicit
someone to knowingly and without permission hack into
a computer network or smartphone.
Cybercrimes have greater and longer lasting effects on
victims than many other crimes, because the personal
information stolen can result in identify theft,
fraud, and personal embarrassment, all of which could
take years to recover from, if ever. The FBI's
Internet Crime Complaint Center reported that in 2013
it received over 200,000 consumer complaints about
online scams, which resulted in a loss of over 781
million dollars; an almost 50% increase from the year
before.
We have recently seen the growth of so called
Hacker-for-Hire websites. Some of these websites work
by requiring a person to submit a description of the
hacking job along with contact information. The
website then sets up a time to connect the person with
a hacker over the phone or video-conferencing. Others
websites create a platform for customers to register
and post hacker projects for bid. The website then
holds the money in an escrow account until the parties
agree that the transaction has been completed and
takes a commission from each transaction.
Hacker-for-Hire projects range from recovering lost
passwords to tracking stolen devices. But some of
these websites also allow individuals to seek illegal
hacking services from less than ethical hackers, such
as installing spyware and gaining access to the email
and social media accounts of unsuspecting victims.
AB 195 would make it a crime to solicit someone to
�
AB 195 (Chau ) Page
10 of ?
knowingly and without permission gain access to a
computer network or smartphone. This includes
offering to obtain or assist in locating hacking
services. The bill would also clarify that a computer
network includes smartphones. This bill would make any
violation punishable by imprisonment not to exceed six
months. Any subsequent violation would be punishable
by imprisonment not to exceed one year.
2.Solicitation of a Crime in Contrast with an Attempted Crime
An attempt to commit a crime includes the elements of a specific
intent to commit a crime and a direct, but unsuccessful step
towards commission of the crime. Mere preparation to commit a
crime is not an attempt. Solicitation is the requesting of
another person to commit a crime, with the intent that the crime
be committed. The crime of solicitation has been committed at
that point. The crime need not be committed and the person
solicited need not prepare to commit the crime or take steps
towards its commission.
3.Argument in Support
According to the California Public Defenders Association:
Existing law establishes various crimes related to
computer services and systems. Existing law makes it
a crime to knowingly, and without permission, access,
cause to be accessed, or provide or assist in
providing, a means of accessing a computer, computer
system, computer network, or computer data in
violation of prescribed provisions and defines related
terms?Computing technology has expanded greatly in the
last few years. With the introduction of the
smartphone, computer technology advanced with a device
that is highly portable, yet gives one computing power
that heretofore required large, often cumbersome,
equipment. Essentially, it put the power of computers
into one's pocket. With the proliferation of
smartphones, and their ever-growing capabilities, more
private data is carried on the person. Given this
incredible increase in technology, it only makes sense
to include smartphones as devices that can be the
target of illicit hacking and data transmission.
�
AB 195 (Chau ) Page
11 of ?
4.Argument in Opposition
According to the Electronic Frontier Foundation:
Our primary concern with AB 195 is that it would
criminalize the offering of technical assistance in
accessing computers or data, which the bill deems to
be "hacking services." Such services are often wholly
legitimate; as the author himself states, such
services include "recovering lost passwords to
tracking stolen devices." As written, however, we
believe AB 195 makes it very hard to such legitimate
services to be offered.
What the statute fails to recognize is the vast array
of "hacking services" that are beneficial and indeed
critical to the computer security industry. Take for
example, so-called "penetration testing" services,
also called pen testing. Penetration testing is a
procedure where an information security professional
is hired to attempt to hack into a network, using the
same tools and techniques as a criminal hacker. The
resulting report is used, not for crime, but to secure
the network. As written, the bill could criminalize
linking to sites that offer such services. Although
there is an intent requirement, the statutory language
specifically calls out a website that "offer[s] to
assist others in locating hacking services," which
undoubtedly includes penetration testing. The intent
requirement would not prevent a constitutionally
impermissible chilling effect on those seeking to list
or compare penetration services.
-- END -
�
AB 195 (Chau ) Page
12 of ?