BILL ANALYSIS
SENATE COMMITTEE ON PUBLIC SAFETY
Senator Loni Hancock, Chair
2013-2014 Regular Session
AB 1649 (Waldron)
As Amended April 1, 2014
Hearing date: June 10, 2014
Penal Code
JM:mc
DAMAGE OR UNAUTHORIZED ACCESS TO COMPUTERS AND COMPUTER SYSTEMS
SPECIFICALLY DEFINING CRIMES INVOLVING GOVERNMENT SYSTEMS
HISTORY
Source: San Diego County District Attorney's Office
Prior Legislation: AB 2727 (Wesson) - Ch. 635, Stats. 2000
AB 451 (Maddox) - Ch. 254, Stats. 1999
AB 1629 (Miller) - Ch. 863, Stats. 1998
Support: California District Attorneys Association; California
Municipal Utilities Association; California State
Sheriffs' Association; Taxpayers for Improving Public
Safety
Opposition: California Public Defenders Association; Electronic
Frontier Foundation
Assembly Floor Vote: Ayes 76 - Noes 0
KEY ISSUE
SHOULD THE RELATED CRIMES CONCERNING HARM TO OR UNAUTHORIZED ACCESS
OF A COMPUTER, COMPUTER SYSTEM OR DATA BE SPECIFICALLY APPLIED TO
GOVERNMENT OR PUBLIC SAFETY COMPUTERS OR COMPUTER SYSTEMS?
PURPOSE
The purpose of this bill is to 1) specifically and separately
provide that the crimes and penalties for unauthorized access of
or damage to a computer, computer system or data shall apply to
government and public safety infrastructure computers, computer
systems and data; and 2) to update and augment relevant
statutory terms.
Existing law punishes the following offenses by a fine not
exceeding $10,000, by a sentenced felony jail term of 16 months,
two years or three years, or both, or as a misdemeanor by a fine
not exceeding $5,000, by imprisonment in a county jail not
exceeding one year, or both:
Any person who knowingly accesses and without permission
alters, damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer network in
order to devise or execute any scheme or artifice to
defraud, deceive, or extort, or wrongfully control or
obtain money, property or data;
Any person who knowingly accesses and without permission
takes, copies or makes use of any data from a computer,
computer system, or computer network, or takes or copies
any supporting documentation, whether existing or residing
internal or external to a computer, computer system, or
computer network;
Any person who knowingly accesses and without
permission adds, alters, damages, deletes, or destroys any
data, computer software, or computer programs which reside
or exist internal or external to a computer, computer
system, or computer network; and
Any person who knowingly and without permission
disrupts or causes the disruption of computer services
or denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer
network. (Pen. Code § 502, subds. (c) and (d)(1).)
Existing law punishes any person who knowingly and without
permission uses or causes to be used computer services as
follows:
For the first violation that does not result in injury,
and where the value of the computer services used does not
exceed $950, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
For any violation that results in a victim expenditure
in an amount more than $5,000 or in an injury, if the value
of the computer services used exceeds $950, or for any
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment pursuant to realignment for 16
months, or two or three years, or by both that fine and
imprisonment, or by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment. (Pen. Code § 502, subds.
(c) and (d)(2).)
Existing law punishes any person who knowingly and without
permission provides or assists in providing a means of
accessing, accesses, or causes to be accessed a computer,
computer system, or computer network as follows:
For a first violation that does not result in injury, an
infraction punishable by a fine not exceeding $1,000;
For any violation that results in a victim expenditure
in an amount not more than $5,000, or for a second or
subsequent violation, by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
For any violation that results in a victim expenditure
in an amount more than $5,000, by a fine not exceeding
$10,000, by imprisonment pursuant to
realignment for 16 months, or two or three years, or by
both that fine and imprisonment, or by a fine not exceeding
$5,000, by imprisonment in a county jail not exceeding one
year, or by both that fine and imprisonment. (Pen. Code §
502, subds. (c) and (d)(3).)
Existing law punishes any person who knowingly introduces any
computer contaminant into any computer, or computer system, or
computer network as follows:
For a first violation that does not result in injury, a
misdemeanor punishable by a fine not exceeding $5,000, by
imprisonment in a county jail not exceeding one year, or by
both that fine and imprisonment; and
For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
$10,000, by imprisonment in a county jail not exceeding one
year, or by imprisonment pursuant to realignment, or by
both that fine and imprisonment. (Pen. Code § 502, subds.
(c) and (d)(4).)
Existing law punishes any person who knowingly and without
permission uses the Internet domain name of another individual,
corporation, or entity in connection with the sending of one or
more electronic mail messages, and thereby damages or causes
damage to a computer, computer system, or computer network as
follows:
For a first violation that does not result in injury, an
infraction punishable by a fine not more than $1,000; and
For any violation that results in injury, or for a
second or subsequent violation, by a fine not exceeding
five thousand dollars ($5,000), or by imprisonment in a
county jail not exceeding one year, or by both that fine
and imprisonment. (Pen. Code § 502, subds. (c) and
(d)(5).)
Existing law creates an exemption to the violation of the
provisions above for any person who accesses his or her
employer's computer system, network, program or data when acting
within the scope of lawful employment. (Pen. Code § 502, subd.
(h)(1).)
Existing law allows an exemption for a person using computer
services without permission and outside his or her employment if
the acts do not cause an injury, as defined, to the employer or
another, provided that the value of supplies or computer
services used does not exceed $250. (Pen. Code § 502, subd.
(h)(2).)
Existing law requires the forfeiture of computer equipment where
the defendant:
Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any data,
computer, computer system, or computer network in order to
either (i) devise or execute any scheme or artifice to
defraud, deceive, or extort or (ii) wrongfully control or
obtain money, property, or data;
Knowingly accesses and without permission takes, copies,
or makes use of any data from a computer, computer system,
or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or
external to a computer, computer system, or computer
network;
Knowingly and without permission uses or causes to be
used computer services;
Knowingly accesses and without permission adds, alters,
damages, deletes, or destroys any data, computer software,
or computer programs which reside or exist internal or
external to a computer, computer system, or computer
network;
Knowingly and without permission disrupts or causes the
disruption of computer services or denies or causes the
denial of computer services to an authorized user of a
computer, computer system, or computer network;
Knowingly and without permission provides or assists in
providing a means of accessing a computer, computer system,
or computer network in violation of specified law;
Knowingly and without permission accesses or causes to
be accessed any computer, computer system, or computer
network;
Knowingly introduces any contaminant into any computer,
computer system, or computer network; and
Knowingly and without permission uses the Internet
domain name of another individual, corporation, or entity
in connection with the sending of one or more electronic
mail messages, and thereby damages or causes damage to a
computer, computer system, or computer network. (Pen. Code
§ 502.01, subd. (c).)
Existing law punishes as vandalism every person who maliciously
defaces with graffiti or other inscribed material, damages, or
destroys any real or personal property not his or her own, in
cases other than those specified by state law as follows:
If the amount of defacement, damage, or destruction is
$400 or more, by imprisonment pursuant to realignment or in
a county jail not exceeding one year, by a fine of not more
than $10,000, or if the amount of defacement, damage, or
destruction is $10,000 or more, by a fine of not more than
$50,000, or by both that fine and imprisonment;
If the amount of defacement, damage, or destruction is
less than $400, by imprisonment in a county jail not
exceeding one year, by a fine of not more than $1,000, or
by both that fine and imprisonment; and
If the amount of defacement, damage, or destruction is
less than $400, and the defendant has been previously
convicted of vandalism or affixing graffiti or other
inscribed material, as specified, by imprisonment in a
county jail for not more than one year, by a fine of not
more than $5,000, or by both that fine and imprisonment.
(Pen. Code § 594.)
This bill specifically and separately provides that the various
crimes and penalties applicable to unauthorized use of, access
to or harm to a computer, computer system or data apply to
government and public safety infrastructure computers, systems
and data.
This bill adds "cause input to, cause output from, or cause data
processing with" within the meaning of "access" to a computer or
computer system.
This bill includes "remote systems" and "mobile devices" within
the meaning of "computer network".
This bill includes "Internet services, electronic mail services,
or electronic message services" within the definition of
"computer services."
This bill defines "government computer system" to mean any
computer system, or part thereof, that is owned, operated, or
used by any federal, state, or local governmental entity.
This bill defines "public safety infrastructure computer system"
to mean any computer system, or part thereof, that is necessary
for the health and safety of the public including computer
systems owned, operated, or used by drinking water and
wastewater treatment facilities, hospitals, emergency service
providers, telecommunication companies, and gas and electric
utility companies.
RECEIVERSHIP/OVERCROWDING CRISIS AGGRAVATION
For the last several years, severe overcrowding in California's
prisons has been the focus of evolving and expensive litigation
relating to conditions of confinement. On May 23, 2011, the
United States Supreme Court ordered California to reduce its
prison population to 137.5 percent of design capacity within two
years from the date of its ruling, subject to the right of the
state to seek modifications in appropriate circumstances.
Beginning in early 2007, Senate leadership initiated a policy to
hold legislative proposals which could further aggravate the
prison overcrowding crisis through new or expanded felony
prosecutions. Under the resulting policy, known as "ROCA"
(which stands for "Receivership/Overcrowding Crisis
Aggravation"), the Committee held measures that created a new
felony, expanded the scope or penalty of an existing felony, or
otherwise increased the application of a felony in a manner
which could exacerbate the prison overcrowding crisis. Under
these principles, ROCA was applied as a content-neutral,
provisional measure necessary to ensure that the Legislature did
not erode progress towards reducing prison overcrowding by
passing legislation, which would increase the prison population.
In January of 2013, just over a year after the enactment of the
historic Public Safety Realignment Act of 2011, the State of
California filed court documents seeking to vacate or modify the
federal court order requiring the state to reduce its prison
population to 137.5 percent of design capacity. The State
submitted that the ". . . population in the State's 33 prisons
has been reduced by over 24,000 inmates since October 2011 when
public safety realignment went into effect, by more than 36,000
inmates compared to the 2008 population . . . , and by nearly
42,000 inmates since 2006 . . . ." Plaintiffs opposed the
state's motion, arguing that, "California prisons, which
currently average 150% of capacity, and reach as high as 185% of
capacity at one prison, continue to deliver health care that is
constitutionally deficient." In an order dated January 29,
2013, the federal court granted the state a six-month extension
to achieve the 137.5% inmate population cap by December 31,
2013.
The Three-Judge Court then ordered, on April 11, 2013, the state
of California to "immediately take all steps necessary to comply
with this Court's . . . Order . . . requiring defendants to
reduce overall prison population to 137.5% design capacity by
December 31, 2013." On September 16, 2013, the State asked the
Court to extend that deadline to December 31, 2016. In
response, the Court extended the deadline first to January 27,
2014, and then February 24, 2014, and ordered the parties to
enter into a meet-and-confer process to "explore how defendants
can comply with this Court's June 20, 2013, Order, including
means and dates by which such compliance can be expedited or
accomplished and how this Court can ensure a durable solution to
the prison crowding problem."
The parties were not able to reach an agreement during the
meet-and-confer process. As a result, the Court ordered
briefing on the State's requested extension and, on February 10,
2014, issued an order extending the deadline to reduce the
in-state adult institution population to 137.5% design capacity
to February 28, 2016. The order requires the state to meet the
following interim and final population reduction benchmarks:
143% of design bed capacity by June 30, 2014;
141.5% of design bed capacity by February 28, 2015; and,
137.5% of design bed capacity by February 28, 2016.
If a benchmark is missed the Compliance Officer (a position
created by the February 10, 2016 order) can order the release of
inmates to bring the State into compliance with that benchmark.
In a status report to the Court dated May 15, 2014, the state
reported that as of May 14, 2014, 116,428 inmates were housed in
the State's 34 adult institutions, which amounts to 140.8% of
design bed capacity, and 8,650 inmates were housed in
out-of-state facilities.
The ongoing prison overcrowding litigation indicates that prison
capacity and related issues concerning conditions of confinement
remain unresolved. While real gains in reducing the prison
population have been made, even greater reductions may be
required to meet the orders of the federal court. Therefore,
the Committee's consideration of ROCA bills - bills that may
impact the prison population - will be informed by the following
questions:
Whether a measure erodes realignment and impacts the
prison population;
Whether a measure addresses a crime which is directly
dangerous to the physical safety of others for which there
is no other reasonably appropriate sanction;
Whether a bill corrects a constitutional infirmity or
legislative drafting error;
Whether a measure proposes penalties which are
proportionate, and cannot be achieved through any other
reasonably appropriate remedy; and,
Whether a bill addresses a major area of public safety
or criminal activity for which there is no other
reasonable, appropriate remedy.
COMMENTS
1. Need for This Bill
According to the author:
AB 1649 will separately define computer crimes
involving government systems such as websites and
phone lines that are utilized by hospitals, schools,
cities, and many other organizations. Separately
defining such crimes against government entities will
allow us to track and document the extent of such
crimes, which appear to be increasing.
Cyber criminals often target government computer
systems, resulting in tampering, interferences, or
damages. Numerous incidents have occurred that have
compromised the privacy, safety, and personal
information of many individuals. For example in 2013,
a caller to a San Diego emergency room threatened the
dispatcher that he would paralyze the hospital's phone
service if she didn't pay him the amount demanded.
Shortly after, the emergency room's phone lines went
silent for nearly 48 hours, affecting the
communication services. Recently, another case arose
when a California State University Sacramento employee
website was breached, where Social Security and
Driver's License numbers of 1,800 employees could have
been accessed.
AB 1649 also updates definitions and terminology
relevant to computer crimes. The law must reflect the
rapid changes in technology. Otherwise, outdated or
incomplete definitions in computer crime statutes
could allow computer crime perpetrators to escape
prosecution and conviction. Further, jurors could be
confused if definitions and terms are not accurate and
complete.
2. Practical Application of This Bill
The Assembly Public Safety Committee analysis discussed
incidents that prompted introduction of this bill. In one
incident a San Diego hospital's telephone system was paralyzed
by a hacker and in another a computer attack targeted the San
Diego County Registrar of Voters. It appears that no one was
prosecuted in either of these information system breaches, even
though such actions are crimes under existing law. This raises
the issue of the reasons the attacks were not
fully investigated and prosecuted. The San Diego County
District Attorney's Office explained to the Assembly Committee
that there was no prosecution in the hospital incident because
the hospital did not report the case. The District Attorney's
Office suspects that a common reason for the underreporting of
these types of breaches is because entities might not want to
bring attention to the issue. The attacks would reveal
vulnerability in their systems, and the entities would like to
avoid oversight in notifying patients, customers and other
affected parties about potential unauthorized dissemination of
their sensitive information, as is required by law. (Civ. Code
§ 1798.82). The San Diego County Registrar of Voters' Office
did not report the hack into its system, because the office was
unaware that it was a prosecutable crime. (Ibid.)
3. Extent of Computer and Computer System Crimes Involving
Government and Law Enforcement Computers, Systems and Data
The most reliable data available are rough figures provided by
the California Highway Patrol (CHP), which investigates attacks
on state computer systems. CHP data shows that there were 10
convictions in 2012 and 4 convictions in 2013 of possible Penal
Code section 502 violations. Currently, the state does not
track how many defendants are being charged with or convicted of
violating Penal Code § 502, so policymakers do not have firm
data available that shows the scope and scale of these crimes.
Creating separate offenses specific to computer attacks on
government computer systems and public safety infrastructure
systems will allow California to track to what extent these
attacks are taking place and if they are increasing, decreasing,
or remaining constant, and will allow the Legislature to make
policy decisions using concrete data instead of relying on
anecdotes and conjectures. However, the data on dispositions of
these arrests, particularly as concerns convictions and
sentences, is generally incomplete.
4. Changes to Definitions and Terms in Computer Crimes
This bill includes numerous changes and additions to relevant
terms and definitions in the computer, data collection and
related crimes. These new definitions and terms demonstrate the
rapid change in electronics and data technology. Incorrect or
inadequate descriptions of devices, data and related technology
could interfere with a prosecutor's ability to obtain
convictions against cyber criminals. For example, if a new
method of unauthorized access to data is developed and the law
does not adequately include a description of this activity, a
defendant might successfully argue to a jury or court that his
conduct was not criminal. In particular, where a criminal
statute describes prohibited conduct with detail and
specificity, a defendant could argue that the Legislature only
intended that conduct specifically described in the statute be
defined as criminal. This argument would be based on the maxim
of statutory construction that the inclusion of numerous
specific items or conduct in a statute implies the exclusion of
those that are not listed. The great detail and complexity of
the computer crimes statutes make such an argument likely.
5. Opposition Concerns
Computer crimes may be unique in that virtually all of our
activities are done through or monitored by computers that
connect to the Internet. Connected computers and mobile devices
control or affect our cars, office computers, cell phones and
even household appliances that can be controlled remotely,
including televisions and even coffee makers. Laws that do not
clearly distinguish between causing harm to computer systems and
causing harm that happens to involve a computer in some way
could be overly broad and confusing.
The Electronic Frontier Foundation (EFF) opposes the bill. EFF
argues that the bill and existing law define computer-related
crimes and impose penalties that are fully covered in California
and federal law. EFF also argues that the existing computer
crime statute - Penal Code Section 502 - is also duplicative of
many existing California crimes, such as identity theft,
larceny, fraud and extortion. EFF argues that the number and
extent of laws concerning computers treats technology as
suspicious and sweeps in too much innocuous Internet conduct.
EFF is correct in noting that much of the conduct made criminal
by Section 502 can be prosecuted and punished under other penal
statutes. However, overlapping crimes and penalties are very
common in California criminal law. California law even includes
an often used rule that a defendant can be convicted of any
number of crimes that a single act or transaction violates, but
only punished for the more serious offense.
The federal government and a state are entirely different
jurisdictions for purposes of criminal law. Many federal
criminal laws duplicate or overlap state laws. Some examples
include drug crimes, child pornography, human trafficking, and
others. Federal civil rights violation crimes can apply to
conduct covered by California law, including murder and other
offenses.
The California Public Defenders Association also opposes the
bill, largely arguing that the provisions of the bill and
existing law are unconstitutionally vague, such that an ordinary
person cannot determine what the law prohibits. CPDA uses the
example of the term "damage" in the context of e-mails. CPDA
argues that the law, as amended by this bill, could be
interpreted to treat using another's e-mail account to send
an unauthorized message as causing damage. However, existing
law refers to damage to a computer, computer system
or computer network. The bill amends this provision to
include damage to "computer data." It appears unlikely that the
unauthorized use of another's e-mail account to simply send a
message could be described as damaging data. The bill, however,
could be amended to specify that sending a message, per se, does
not constitute damage to a computer, computer system, computer
data or network.
***************