Computing and the Law

        By Claudia Lynch, Benchmarks Editor (lynch@unt.edu)

        This article appeared in the March/April 1995 issue ob Benchmarks (Vol. 16, No.2). It has been slightly edited for this issue.

        When I first wrote about this topic in the summer of 1993, I noted that "computing for the masses is a relatively recent phenomenon."1 In fact, "the original IBM PC was only introduced in 1981, which was the same year that BITNET became operational. ARPANET (parent of the Internet) started in 1969, but it wasn't used by the general public until after 1983, when it split into two networks, ARPANET and MILNET." One should not be surprised, then, that the laws relating to the use of computers and computer networks are still evolving.

        Laws dealing with computers and their uses are often confusing, conflicting, and/or not very well thought out (see previous article of this issue for examples). The purpose of this issue of Benchmarks, therefore, is the same as it was when we focused on "Computing and the Law" in 1993 and again in 1995 - to make you aware that there are legal issues involved with computer usage.

        University Policy

        The University Policy Manual, Volume II Administrative and Fiscal has a section on computers that contains various policy statements about computer usage on campus. According to the "Computer Resources Security Policy" statement (August 23, 1991, pg. 1 of 7):

        All use of computer resources is subject to federal and state regulations and laws, including, but not limited to: The Texas Computer Crimes Statute (Section 1, Title 7, Chapter 33 of the Texas Penal Code); Federal Copyright Law, Title 17, Section 117; and the Family Educational Rights and Privacy Act of 1974.

        "Computing resources" are defined as "any and all computerized institutional data, computer hardware assets, and computer software assets owned or licensed by the university."2

        It's a Privilege

        The University defines access to computer resources as a privilege. The "Computer Resources Security Policy," University Policy Manual, Volume II Administrative and Fiscal (August 23, 1991, page 3 of 7), states that:

        User's of university computer resources must not abuse or allow others to abuse their access to university computer resources.
         Access to the university computer resource of any computer installation must be approved by the management of that computer installation. All individuals authorized to use university computer resources are responsible for all usage of their logon access and should keep their passwords confidential to protect university computer resources.
         Users may not access University computer resources without appropriate authorization and then only for purposes for which their access is authorized.
         Any attempt to access or to assist in the access of university computer resources via an unauthorized means is a violation of this policy and may subject the perpetrator(s) to sanctions hereunder.

        Furthermore, this same document lists the following responsibilities of individual employees and/or students:

        • a. All individuals, whether faculty, staff employees or students, may be required to sign a confidentiality agreement upon receiving the privilege of using university computer resources.
        • b. All individuals must comply with university computer resource policies and standards.
        • c. All individuals authorized to use university computer resources are responsible for all usage of their logon access and should keep their passwords confidential to protect university computer resources.
        • d. All individuals who use wide-area network services (such as BITNET or the Internet) provided via university computer resources shall abide by the policies of those networks.
        • e. All individuals shall not attempt to access university computer resources for which they have no authorization.

        Sanctions

        The following sanctions are in place, should one violate University computer resource policies ("Computer Resources Security Policy," University Policy Manual, Volume II Administrative and Fiscal, August 23, 1991, page 6 of 7).

        • 6.1 Penalties for violation of this policy range from loss of computer resource usage privileges to dismissal from the university, prosecution, and/or civil action. Each case will be determined separately on its merits. Referrals for legal action will be made through the Office of the General Counsel.
        • 6.2 If the offender is a faculty member, his or her supervisor (usually the department chair) shall initially recommend to the dean and thereafter to the Provost the appropriate sanction. When termination is recommended, the faculty member may appeal to the University Review Committee or to the University Tenure Committee, whichever is appropriate per the University of North Texas Faculty Handbook.
        • 6.3 If the offender is a staff member, the procedures to be followed are those specified in the "Discipline and Discharge Policy" of the University of North Texas Personnel Policy Manual.
        • 6.4 If the offender is a student, the procedures to be followed are those specified in the "Code of Student Conduct and Discipline" as printed in the University of North Texas Student Guidebook. If the student in violation of this policy is also an employee of the university, sanctions may include termination of employment.

        Federal and State Computer Crime Laws

        The laws listed on the following pages are currently being used to decide whether a computer crime has been committed either at the federal level or in the state of Texas. People can also be charged with criminal activity by violating various other Federal statutes with regard to copyright infringement, wire fraud, patent infringement and a host of other related laws (this is where things get messy).

        Federal Law

        UNITED STATES CODE SERVICE

        THIS SECTION IS CURRENT THROUGH 102 P.L. 82, APPROVED 08/06/91 ***

        TITLE 18 - CRIMES AND CRIMINAL PROCEDURE

        PART I. CRIMES

        CHAPTER 47. FRAUD AND FALSE STATEMENTS

        18 USCS @ 1030 (1991)

        @1030. Fraud related activity in connection with computers

        • (a) Whoever-
          1. knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y[(y)][.] of section 11 of the Atomic Energy Act of 1954 [42 USCS @ 2014(y)], with the intent or reason to believe that such information so obtained is to be used to the injury of the United States, or to the advantage of any foreign nation;
          2. intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
          3. intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government's operation of such computer;
          4. knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer;
          5. intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby-
            • (A) causes loss to one or more others of a value aggregating $ 1,000 or more during any one year period; or
            • B) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or
          6. knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if-
            • (A) such trafficking affects interstate or foreign commerce; or
            • (B) such computer is used by or for the Government of the United States; shall be punished as provided in subsection (c) of this section.
        • (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.
        • (c) The punishment for an offense under subsection (a) or (b) of this section is-

          1. (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

            (B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under such subsection; or an attempt to commit an offense punishable underthis subparagraph; and

          2. (A) a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

            (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

          3. (A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which does not occur after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph; and

            (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4) or (a)(5) of this section which occurs after a conviction for another offense under such subsection, or an attempt to commit an offense punishable under this subparagraph.

        • (d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.
        • (e) As used in this section-
          1. the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;
          2. the term "Federal interest computer" means a computer -
            • (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects the use of the financial institution's operation or the Government's operation of such computer; or
            • (B) which is one of two or more computers used in committing the offense, not all of which are located in the same State;
          3. the term "State" includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;
          4. the term "financial institution" means-
            • (A) an institution, with deposits insured by the Federal Deposit Insurance Corporation;
            • (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;
            • (C) a credit union with accounts insured by the National Credit Union Administration;
            • (D) a member of the Federal home loan bank system and any home loan bank;
            • (E) any institution of the Farm Credit System under the Farm Credit Act of 1971;
            • (F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;
            • (G) the Securities Investor Protection Corporation;
            • (H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978 [12 USCS @ 3101(1), (3)]); and
            • (I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act.
          5. the term "financial record" means information derived from any record held by a financial institution pertaining to a customer's relationship with the financial institution;
          6. the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter; and
          7. the term "department of the United States" means the legislative or judicial branch of the Government or one of the executive department enumerated in section 101 of title 5.
        • (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

        HISTORY: (Added Oct. 12, 1984, P.L. 98-473, Title II, Ch XXI, @ 2102(a), 98 Stat. 2190; Oct. 16, 1986, P.L. 99-474, @ 2, 100 Stat. 1213; Nov. 18, 1988, P.L. 100-690, Title VII, Subtitle B, @ 7065, 102 Stat. 4404; As amended Aug. 9, 1989, P.L. 101-73, Title IX, Subtitle F, @ 962(a)(5), 103 Stat. 502; Nov. 29, 1990, P.L. 101-647, Title XII, @ 1205(e), Title XXV, Subtitle I, @ 2597(j), Title XXXV, @ 3533, 104 Stat. 4831, 4910, 4925.)

        The following amendment, passed on September 13, 1994 as part of the Violent Crime Control Act (PL103-322), changed portions of Title 18 USC sec 1030 text (cited on the previous two pages).

        TITLE XXIX - COMPUTER CRIME

        SEC. 290001. COMPUTER ABUSE AMENDMENTS ACT OF 1994.

      • (a) Short Title. - This subtitle may be cited as the "Computer Abuse Amendments Act of 1994".
      • (b) Prohibition. - Section 1030(a)(5) of title 18, United States Code, is amended to read as follows:
        • "(5)(A) through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if -
        • "(i) the person causing the transmission intends that such transmission will -
          • "(I) damage, or cause damage to, a computer, computer system, network, information, data, or program; or
          • "(II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data or program; and
        • "(ii) the transmission of the harmful component of the program, information, code, or command -
          • "(I) occurred without the authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and
          • "(II)(aa) causes loss or damage to one or more other persons of value aggregating $1,000 or more during any 1-year period; or
          • "(bb) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or
        • "(B) through means of a computer used in interstate commerce or communication, knowingly causes the transmission of a program, information, code, or command to a computer or computer system -
          • "(i) with reckless disregard of a substantial and unjustifiable risk that the transmission will -
            • "(I) damage, or cause damage to, a computer, computer system, network, information, data or program; or "
            • (II) withhold or deny or cause the withholding or denial of the use of a computer, computer services, system, network, information, data or program; and
          • "(ii) if the transmission of the harmful component of the program, information, code, or command -
            • "(I) occurred without the authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and
            • "(II)(aa) causes loss or damage to one or more other persons of a value aggregating $1,000 or more during any 1-year period; or
            • "(bb) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals;".
      • (c) Penalty. - Section 1030(c) of title 18, United States Code is amended-
        1. in paragraph (2)(B) by striking "and" after the semicolon;
        2. in paragraph (3)(A) by inserting "(A)" after "(a)(5)";
        3. in paragraph (3)(B) by striking the period at the end thereof and inserting "; and"; and (4) by adding the following new paragraph:

          "(4) a fine under this title or imprisonment for not more than 1 year, or both, in the case of an offense under subsection (a)(5)(B)."

      • (d) Civil Action. - Section 1030 of title 18, United States Code, is amended by adding at the end thereof the following new subsection:

        "(g) Any person who suffers damage or loss by reason of a violation of the section, other than a violation of subsection (a)(5)(B), may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations of any subsection other than subsection (a)(5)(A)(ii)(II)(bb) or (a)(5)(B)(ii)(II)(bb) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage."

      • (e) Reporting Requirements. - Section 1030 of title 18 United States Code, is amended by adding at the end the following new subsection:

        "(h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under section 1030(a)(5) of title 18, United States Code.".

      • (f) Prohibition. - Section 1030(a)(3) of title 18, United States Code, is amended by inserting "adversely" before "affects the use of the Government's operation of such computer".

      State Law

      BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS SECTION 1, Title 7,

      Penal Code, is amended by adding Chapter 33 to read as follows: CHAPTER 33. COMPUTER CRIMES Section 33.01. DEFINITIONS

      In this chapter:

      1. 'Communications common carrier' means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of communications and who receives compensation from persons who use that system.
      2. 'Computer' means an electronic device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device. 'Computer' includes a network of two or more computers that are interconnected to function or communicate together.
      3. 'Computer program' means an ordered set of data representing coded instructions or statements that when executed by a computer cause the computer to process data or perform specific functions.
      4. 'Computer security system' means the design, procedures, or other measures that the person responsible for the operation and use of a computer employs to restrict the use of the computer to particular persons or uses or that the owner or licensee of data stored or maintained by a computer in which the owner or licensee is entitled to store or maintain the data employs to restrict access to the data.
      5. 'Data' means a representation of information, knowledge, facts, concepts, or instructions that is being prepared or has been prepared in a formalized manner and is intended to be stored or processed, is being stored or processed, or has been stored or processed, in a computer. Data may be embodied in any form, including but not limited to computer printouts, magnetic storage media, and punchcards, or may be stored internally in the memory of the computer.
      6. 'Electric utility' has the meaning assigned by Subsection (c), Section 3, Public Utility Regulatory Act (article 1446c, Vernon's Texas Civil Statutes).

      Section 33.02.

      BREACH OF COMPUTER SECURITY

      • (a) A person commits an offense if the person:
        1. uses a computer without the effective consent of the owner of the computer or a person authorized to license access to the computer and the actor knows that there exists a computer security system intended to prevent him from making that use of the computer; or
        2. gains access to data stored or maintained by a computer without the effective consent of the owner or licensee of the data and the actor knows that there exists a computer security system intended to prevent him from gaining access to that data.
      • (b) A person commits an offense if the person intentionally or knowingly gives a password, identifying code, personal identification number, or other confidential information about a computer security system to another person without the effective consent of the person employing the computer security system to restrict the use of a computer or to restrict access to data stored or maintained by a computer.
      • (c) An offense under this section is a Class A misdemeanor.

      Section 33.03. HARMFUL ACCESS

      • (a) A person commits an offense if the person intentionally or knowingly:
        1. causes a computer to malfunction or interrupts the operation of a computer without the effective consent of the owner of the computer or a person authorized to license access to the computer; or
        2. alters, damages, or destroys data or a computer program stored, maintained, or produced by a computer, without the effective consent of the owner or licensee of the data or computer program.
      • (b) An offense under this section is:
        1. a Class B misdemeanor if the conduct did not cause any loss or damage or if the value of the loss or damage caused by the conduct is less than $200;
        2. a Class A misdemeanor if the value of the loss or damage caused by the conduct is $200 or more but less than $2,500; or
        3. a felony of the third degree if the value of the loss or damage caused by the conduct is $2,500 or more.

        Section 33.04. DEFENSES.

        It is an affirmative defense to prosecution under Sections 33.02 and 33.02 of this code that the actor was an officer, employee, or agent of a communications common carrier or electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility.

        Section 33.05 ASSISTANCE BY ATTORNEY GENERAL.

        The attorney general, if requested to do so by a prosecuting attorney, may assist the prosecuting attorney in the investigation or prosecution of an offense under this chapter or of any other offense involving the use of a computer.

        SECTION 2. This Act takes effect September 1, 1985.

        SECTION 3. The importance if this legislation and the crowded condition of the calendars in both houses create an emergency and an imperative public necessity that the constitutional rule requiring bills to be read on three separate days in each house be suspended, and this rule is hereby suspended.

        1"Computing and the Law,"Benchmarks Volume 14, No. 4, Summer 1993, page 1.

        2"Computer Resources Security Policy" statement (August 23, 1991, pg. 2 of 7) in the University Policy Manual, Volume II Administrative and Fiscal.

        Previous Article <== ==> Next Article

        If you have problems or questions about this server, please contactme as soon as possible. You can send mail to the following address:www@unt.edu