That provision, contained in the Patriot Act of 2001, stipulates the owner of a computer, trespassed by hackers, can give law officers the permission they need to intercept the trespasser's communications. No changes were made to Section 105 of the bill dealing with computer trespass by the House Judiciary Committee Wednesday during final markup of the bill.
Committee Chairman Rep. James Sensenbrenner Jr., R-Wis., agreed to work with committee Democrats to review whether the language in the section was too far-reaching. The request came from Rep. Howard Berman, D-Mass.
"This provision seems to allow a nonjudicially supverised tap of the home telephone of the unauthorized computer user. It allows (law enforcement) to read the e-mails of the unauthorized computer user or monitor their Web surfing," Berman said. "It is a terrible overreach."
As crafted, the bill states that a computer trespasser means a "person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to, through or from the protected computer."
"The bill permits an ISP or owner of a protected computer to ask law enforcement agencies to monitor communications of whomever the owner of the computer suspects has been trespassing," said Maureen Dorney, a partner at the law firm Gray Cary in Palo Alto, Calif. "(Law enforcement) could act on the say-so of owners without any judicial monitoring."
The Patriot Act is a House version of the Bush administration's Anti-Terrorism Act sent to the Hill two weeks ago by U.S. Attorney General John Ashcroft. Both houses of Congress are scrambling to craft their own anti-terrorism packages and much of that effort is directed at retrofitting laws to meet changing technological circumstances.
Besides generally symbolizing a worrisome departure from the notion that law enforcement needs judicial approval to intercept personal communications, experts like Mikal Condon of the Electronic Privacy Information Center said the provision's language is unacceptably broad.
"There are a lot of provisions that people on first reading don't really notice," Condon said. "But people have to take a second look. My concern is that many terms are unclear and it's the lack of definition that gives us concern. It's just too vague."
"The bill targets anyone who gains 'unauthorized access' to a computer system, but what does 'unauthorized access' mean?" said Jim Dempsey, deputy director of the Center for Democracy and Technology in Washington. "We're worried it could be used to cover activities that violate an ISP's terms of service for example."
Dempsey said such activities might not normally constitute crimes for which law enforcement could land judicial approval to intercept private communications.
Dempsey also said the bill offers no time limits on how long authorities can conduct surveillance.
He said the provision was intended for situations where there is an urgent need to identify a hacker and stop a computer attack.
"But that's not what the provision says," he said. "It says nothing about urgency or on-going attack or activities that threaten the operation or integrity of the computer system."
While overshadowed by more controversial anti-terrorism proposals, such as proposed expansions of federal wiretap authority, the so-called computer trespasser provision adds fuel to fears that security needs will tread upon civic freedoms.
"What concerns me about the computer trespass provision, and the bill as a whole, is the speed with which we are moving to adjust these laws," Dorney said. "It doesn't leave time for proper reflection."