The many sides of the debate surfaced in testimony before the House Judiciary Committee's Crime subcommittee Tuesday, as that panel considered the Cyber Security Enhancement Act of 2001.
The bill, proposed by House Science Committee Chairman Sherwood Boehlert, R-N.Y., and Rep. Lamar Smith, R-Texas, is a move to clarify sections of the USA Patriot Act that would give the government authority to increase the penalties for crimes such as hacking, computer fraud and the advertising of illegal devices.
The bill also provides new guidelines to help determine sentencing, including whether an offense "was committed for purposes of commercial advantage or private financial benefit" or "involved a computer used by the Government in furtherance of national defense, national security, or the administration of justice," as the bill states.
Cybercrime is a notoriouslyarea, and legislation involving privacy has become increasingly since the government passed the USA Patriot Act last fall, as it moved to tighten security after the Sept. 11 terrorist attacks.
John G. Malcolm, deputy assistant attorney general, said the Department of Justice "strongly supports" the amendments to the Cyber Security Enhancement Act and pushed for even stricter guidelines that would enable prosecution for bodily injury or death that hackers caused even "recklessly." Current legislation calls for penalty in the case of an intent to cause injury.
Microsoft attorney Susan Kelley Koeppen urged the government to support the legislation. Koeppen, who has also been a federal prosecutor in the Justice Department's Computer Crime and Intellectual Property Section, argued for stiffer penalties based on arguments that cybercrimes are not accorded the severity they deserve.
"These attacks are genuine 'weapons of mass disruption,'" Koeppen said, citing the havoc wreaked in the past year or so after the I Love You and Code Red virus attacks. "While our society does not tolerate people breaking in to brick-and-mortar homes and business, we inexplicably seem to have more tolerance for computer break-ins," she said.
While measures focused on worms, viruses and other such threats drew widespread support, greater debate arose regarding Section 102 of the bill, which calls for Internet service providers to give up information to the government in "emergency situations."
Alan Davidson, associate director at the Center for Democracy and Technology, called the provision "overly broad" and said it would "eviscerate important privacy protections in current law."
Davidson, who has been one of the strongest critics of the USA Patriot Act, also said the provisions in Section 102 would "threaten the privacy of communication."
Davidson said service providers would face a "Hobbesian choice: Either turn over sensitive private communications of subscribers without any court order, or say no to a government request." He added that smaller service providers lack the legal resources to assess whether the government's request is truly a matter of "life or limb."
Clint N. Smith, president of the United States Internet Service Providers Association, whose members include America Online, EarthLink, eBay and Verizon Online, supported the bill. "Service providers and law enforcement agencies form an essential partnership in fighting cybercrime," Smith said.
All parties agreed that the bill would be an improvement over the ambiguities of the USA Patriot Act, which leaves ISPs to determine whether a threat is "immediate" and relevant actions "reasonable."
The new bill "allows ISPs to act on a 'good faith'" rather than saddling them with such an ambiguous clause and will "encourage ISPs to promptly report threats of death or personal injury to law enforcement," Smith said.
The provisions in the USA Patriot Act "are to this date still not fully understood," said Davidson, who likewise praised Congress for attempting to clear up the ambiguity.