The Identity Theft Task Force appointed by President Bush and headed by embattled attorney general Alberto Gonzales wants to close a loophole in a federal computer crime law that's letting slick computer intruders escape federal prosecution merely by doing no harm.
One of the recommendations in the 120-page task force report (.pdf) released Monday would eliminate the $5,000 minimum damage threshold for prosecuting a computer crime at the federal level. Ostensibly, this is because botnet-wielding identity thieves aren't causing enough financial harm to qualify for federal attention under those standards. This seems improbable, to say the least. Stanford Law Student Jon Novotny calls out the proposal:
I've never known prosecutors to have trouble establishing the $5,000 loss when they want to -- old timers will remember when they claimed Kevin Mitnick inflicted $80 million in losses just by looking at Sun's Solaris source code. Moreover, it's already a federal crime to crack a computer and steal information of any kind, even if there's zero financial loss, provided "the conduct involved an interstate or foreign communication."
But wait! The task force wants to eliminate that last part as well, because it hates the Commerce Clause, and because identity thieves sometimes act locally. Here's the example in the report:
Though this evildoer is unnamed, the only incident that matches is the 2003 case of North Carolina security consultant Clayton Taylor Dillard, who accessed the wi-fi network at Raleigh-based Wake Internal Medicine Consultants, downloaded patient insurance forms, and sent them to a local TV station -- resulting in the hospital belatedly securing its network.
The fact that the Gonzales task force is pointing to a case like this suggests it's using the real problem of identity theft to win a broad, unfocused increase in prosecutorial power. We'll know that they're taking ID theft seriously when they propose prosecuting the hospital instead of the whistleblower.
Related on THREAT LEVEL:
