HB 338 - CRIMES INVOLVING TECHNOLOGY OR I.D. CHAIRMAN KOTT announced that the next item of business would be HOUSE BILL NO. 338, "An Act relating to crimes involving computers, access devices, other technology, and identification documents; relating to the crime of criminal impersonation; relating to crimes committed by the unauthorized access to or use of communications in electronic storage; and providing for an effective date." [The bill was sponsored by the House Rules Committee by request of the Governor.] CHAIRMAN KOTT noted that at one point he had brought this issue up to one of the drafters, who had said it is covered elsewhere. He said he wants to hear why it is a good idea now. He called on Ms. Carpeneti to present the bill on behalf of the Governor. Number 0250 ANNE CARPENETI, Assistant Attorney General, Legal Services Section- Juneau, Criminal Division, Department of Law, came forward to explain HB 338. She noted that when thinking about so-called cybercrime, one only has to listen to the news to realize that how people commit crimes is expanding, if not changing, with new technology. That is what interests the Governor in bringing the statutes up-to-date a bit, especially to address so-called identity theft, which has now reached Alaska. MS. CARPENETI recounted how a Ketchikan woman's credit card and Social Security numbers were obtained over the Internet by a Seattle-area woman, who then opened a bank account, got checks printed, opened accounts at department stores, and actually bought a car with a $6,000 check, at minimum. The Ketchikan woman discovered it six months later when she went to open an account and got a bad credit report; when trying to deal with Seattle-area police, however, she found she wasn't really considered the victim. The problem with Alaska's statutes now is that in terms of criminal impersonation, the person whose identity is taken isn't the victim; rather, the victims are the credit card companies, banks and department stores that are victims of criminal theft. The perpetrator hasn't been charged yet in the case just described, Ms. Carpeneti noted, although the woman had continued buying things with the preprinted checks until the supply ran out. MS. CARPENETI explained that the foregoing is one issue addressed by the bill. It makes criminal impersonation in the first degree a class B felony. The elements of the offense are to take a person's piece of identification, open an account with the intent to defraud, and thereby damage the financial reputation of a person. The person whose identity is used is the victim of the crime, and can proceed to report it to the police. Ms. Carpeneti told members: In terms of prosecution and jurisdiction, our courts have held that if the harm occurs in the state of Alaska, we can prosecute if the person is not here. That's not to say that we're going to catch these people. And the problem of cybercrime is really a global problem. It's not just Alaska. It's not just the United States. It's all over the world. MS. CARPENETI related how at a cybercrime convention a month ago, one eye-opening real-time presentation involved an investigator who identified herself as a 12-year-old girl on the Internet and went into various chatrooms. Ms. Carpeneti said it was appalling what happened, and one can only imagine what would happen to an actual child doing that. The other part of the presentation was the second investigator trying to figure out the whereabouts of the people talking to the allegedly 12-year-old girl; those people, it turned out, were using servers all over the world. MS. CARPENETI emphasized that investigation of people perpetrating these crimes is a lot bigger than HB 338. However, the reason for introducing the bill is so that when they do catch these people, Alaska's statutes are up-to-date and more useful than they currently are. She pointed out that Alaska's statutes are in pretty good shape, but the criminal impersonation provision makes it a class A misdemeanor to defraud people in another's name, and it still doesn't address the issue of who is the victim of the crime. This bill does that, with criminal impersonation in the first degree. Number 0489 MS. CARPENETI cited examples where the bill brings some of Alaska's statutes up-to-date. Where a statute says theft of a credit card, fraudulent use of a credit card or obtaining a credit card by fraudulent means, the bill amends it to say "access device." Therefore, it isn't just the actual card that people carry around, but is the number on the card, the phone number or the personal identification number (PIN), for example, which can be stolen from someone and used to defraud them or someone else. That is one of the cleanups. MS. CARPENETI next brought attention to the "falsifying business records" provision, which makes it illegal to go in without authorization and change business records by adding false information, taking away correct information or failing to put in information where there is a duty to do so. This also adds "electronic records" to the definition of "business records." In terms of deceptive business practices, that crime is really criminal consumer protection offenses, false advertising; it is made a class A misdemeanor in the statutes. Ms. Carpeneti indicated HB 338 changes the penalty to a class C felony if it is done via computer or a computer system or network. People who perpetrate these crimes by computer have a much bigger audience and base of victims, she pointed out. MS. CARPENETI reported that the bill also expands the criminal use of a computer, a class C felony, to include additional behavior such as adding misleading information; right now, it prohibits adding false information. It would also include damaging a person's financial reputation or getting personal information that one isn't authorized to get. Ms. Carpeneti offered to address specific details of that section. She told members the bill also does some minor clarifying amendments. In terms of child pornography, for example, it clarifies the law to provide that if one produces an electronic depiction of a child engaged in these various acts already talked about, that is included in the definition of child pornography. MS. CARPENETI concluded by saying the bill has three parts. It is a little ground breaking with the new criminal impersonation statute, and then it brings the statutes up-to-date regarding the way crimes are committed now. She pointed out that the Court of Appeals had decided recently that the credit card number is included in the fraudulent use of a credit card, but the court didn't expand that to various other access devices such as a bank card for obtaining money or telephone access cards. This bill expands the definitions so that if people steal those and use them to defraud someone, the state can prosecute. Number 0626 CHAIRMAN KOTT asked whether this bill addresses introduction of a computer virus that affects a computer and causes it to crash. MS. CARPENETI affirmed that. CHAIRMAN KOTT asked how the state would follow through on that in terms of the origination of the virus. MS. CARPENETI said that is the problem, as far as catching the person who did it. In addition to having the statutes up-to-date, the state needs investigators who are trained to figure out who did it. She pointed out the fiscal note from the Department of Public Safety (DPS) requesting training and equipment for investigators to learn how to do that. Although a couple of people in the state are good at that now, more are needed. Noting that the DPS could describe what they do, she stated her understanding that their techniques involve taking a whole computer and copying the information, leaving what was originally found on the computer. Untrained people may easily lose evidence, she pointed out. Number 0707 CHAIRMAN KOTT asked whether it would be a class C felony if someone came into his office and wiped out the hard drive. He indicated it would be under Section 11. MS. CARPENETI affirmed that and agreed it is in Section 11. She noted that under paragraph (a)(6) on page 5, for example, that applies even if a person has access to the computer but has exceeded the authorized access and has introduced instructions, programs or other information that disrupts, disables or destroys a computer system. CHAIRMAN KOTT asked whether removing information on the hard drive by using a keystroke, for example, would be included in the phrase "introduces instructions" [page 5, line 17]. MS. CARPENETI affirmed that that is what it was intended to mean. Number 0771 REPRESENTATIVE GREEN referred to page 3, line 30 [obtaining an access device or identification document by fraudulent means, which would be a class A misdemeanor.] He asked whether the level of that crime has been reduced. MS. CARPENETI answered that in a way, yes, because obtaining an access device by fraudulent means was a class C felony under "theory one and two," and under "theory three," it was a class A misdemeanor. It is changed to a class A misdemeanor because theft of a credit card is a class A misdemeanor. As described in the sectional analysis she had provided, the provision for fraudulent use of a credit card is changed so that the penalties conform to theft penalties; if the bill were adopted, it would be a class B felony to use an access device and obtain property in excess of $25,000. So getting the device would be the same as stealing it, and then use of it is changed a little so that the penalties are in line with the theft penalties. Number 0851 REPRESENTATIVE GREEN referred to the top of page 7, expressing uncertainty about what to do if one accidentally picks up a communication through a satellite feed, for example. He asked whether he would be guilty of a violation in that case. MS. CARPENETI said she doesn't believe so, because it would be an accident. "You wouldn't have accessed it in terms of going and getting it without authorization," she added. "It would have just been sent to you." REPRESENTATIVE GREEN asked whether that is understood. MS. CARPENETI said she thinks so. She pointed out that AS 42.20 has specific statutes. She suggested the possibility of looking at it and maybe particularly providing, for this behavior, that accidental receipt isn't included in an offense. REPRESENTATIVE GREEN referred to the phrase "divulge the existence" on page 7, line 5. He asked whether, if a person had picked up information accidentally, that would exonerate another person who then divulged its existence. MS. CARPENETI said she believes so; she offered to check that. She stated that in AS 42.20, for other types of interception of communications, it isn't a crime if it is accidental. Number 0941 REPRESENTATIVE MURKOWSKI pointed out that this dovetails nicely with Representative Brice's bill [HB 354, just heard]. She asked whether Ms. Carpeneti, in drafting this, had looked at going in the direction of that bill as far as "trolling" on the Internet and the necessity to provide certain protections. MS. CARPENETI answered that they had been thinking more of theft- type offenses when drafting this. However, upon viewing it, [HB 354] did seem to fit nicely into crimes committed through technology. REPRESENTATIVE MURKOWSKI suggested this might be a good place to put the idea. Number 1007 REPRESENTATIVE ROKEBERG expressed concern about substituting "access device" for "credit card." He asked whether that has any currency as legal terminology now. MS. CARPENETI explained that when drafting it, she looked at the federal law that has a similar definition, which she believes she followed. She pointed out that the legislature could delete things they don't want in the definition. REPRESENTATIVE ROKEBERG voiced concern about clarity here. As a legislator, he knows to go back to the definitions, but the average person may not know that. In Section 5, for example, where perhaps it is more appropriate, it says "access device or identification document." He noted that both of those terms are defined. He inquired about other terms such as "access identification device." MS. CARPENETI agreed maybe the term "access device" is "New Age." She said she would think about it to see if she can find something more meaningful. REPRESENTATIVE ROKEBERG said PIN numbers are referred to here, but not specifically; he surmised those would be included in identification documents. MS. CARPENETI explained that she considered the PIN as being included in the access device definition. Although a PIN has identification aspects, "document" is really defined as a paper document rather than a number. She asked whether Representative Rokeberg was saying they should state "PIN - personal identification number" so it is absolutely clear. REPRESENTATIVE ROKEBERG said he just had a little trouble with "access device." Number 1170 REPRESENTATIVE ROKEBERG turned attention to page 4, Section 10, deceptive business practices. He expressed his understanding that this adds to the existing statute and raises the penalty if it includes using a computer. MS. CARPENETI affirmed that. REPRESENTATIVE ROKEBERG commented that one uses a computer in almost every business practice anymore. He asked whether there is a particular point here. MS. CARPENETI answered that the point is that deceptive business practices perpetrated over the Internet or via computer have a much bigger audience than a sign in a grocery store misrepresenting the availability of a sale item, for example. REPRESENTATIVE ROKEBERG suggested a cash register could be called a computer, resulting in a class C felony. MS. CARPENETI pointed out that "computer" is defined in Alaska's statutes. REPRESENTATIVE ROKEBERG asked whether a hand-held "Palm Pilot" would be included, for example. MS. CARPENETI indicated she would like to read the statute again. Number 1251 REPRESENTATIVE ROKEBERG drew attention to page 5, subsection (a). He said it seems they are on the edge of disallowing any type of "cookie" to be placed on a person's hard drive or even on a server. He indicated a cookie is a code or file implanted onto a person's hard drive that allows a down-line server to recognize an individual and create data specifically for that person. Cookies are put in without people's knowledge now. He said he is a little uncomfortable about prohibiting things. Number 1395 REPRESENTATIVE MURKOWSKI brought up the issue of telephone scams where technically the access device or number hasn't been stolen or forged but was inadvertently provided because someone was misled. MS. CARPENETI said she believes that would be covered by "obtaining an access device by fraudulent means." Once that number was obtained, if it were used fraudulently to obtain goods or services, the case could be prosecuted as fraudulent use of an access device, depending on the circumstances. Number 1500 REPRESENTATIVE ROKEBERG pointed out that the "cookie" problem is actually in Section 17, which relates to electronic storage. He indicated it seems Section 17 would prohibit the implanting of cookies, which occurs without people's knowledge and which many people may want. MS. CARPENETI asked whether Representative Rokeberg was saying there is a problem with this statute. REPRESENTATIVE ROKEBERG stated that it is right on the edge and there is "a de facto lack of affirmative authorization on the establishment of some of these types of methodologies." He alluded to policy questions arising from the use of "cookies" [because there is a potential for misuse by those who implant them], but indicated he doesn't believe addressing that issue is the intent of the bill. MS. CARPENETI clarified that the intent of this section is to prohibit people from getting into other people's e-mail or voice mail. She offered to talk with Representative Rokeberg about it and to find a "cookie" expert. Number 1735 BLAIR McCUNE, Deputy Director, Public Defender Agency, Department of Administration, testified via teleconference from Anchorage. He said he thinks what Representative Rokeberg was saying about the possible overbreadth of the bill is his own main concern. The way "access device" is defined was troubling to his agency as well. He can understand the need to include more than just the physical card these days. However, it seems the definition should create the bundle of information necessary to do a financial transaction, rather than just individual parts of it. This would make having a Social Security number alone be an "access device," for example. Furthermore, to use a credit card number over the phone, one needs the number plus the expiration date. He restated the need to get at that packet of information, rather than individual items, which may include something as innocuous as one's residence address. MR. McCUNE reported that the other main problem is the relationship between the harm caused and the level of offense. He referred to Section 6, criminal impersonation in the first degree, and making this a class B felony. If someone is fooling around with a computer and doing things they shouldn't be doing, that is bad, he agreed; however, how bad it is depends on the ultimate level of harm, not just that a computer has been used. Mr. McCune said he believes that applies to Section 9 and 10 as well. As pointed out, other business practices can be worse than those using a computer. He emphasized that the relationship to the harm should be looked at carefully and worked out before this goes on. MR. McCUNE advised the committee that his agency has similar concerns with Sections 11, 17 and 18 regarding people who have exceeded their authorized access to obtain personal information. In his own office, for example, people may have stretched the limit of authorized access in getting some file. Making it against the law to do those kinds of things, even though it is a class A misdemeanor, is pretty troubling. Mr. McCune expressed hope that more work can be done on the bill to narrow it down. Number 2045 REPRESENTATIVE ROKEBERG stated his understanding that the Public Defender Agency doesn't get involved in domestic relations cases. MR. McCUNE answered no. The closest they come to that is representing parents in child-in-need-of-aid (CINA) cases, where social workers become involved with the families. Number 2098 DAVID HUDSON, Lieutenant, Division of Alaska State Troopers, Department of Public Safety (DPS), testified via teleconference from Anchorage on behalf of the DPS. He said the department certainly looks forward to this bill's passage. They recognize that enforcement of "computer crimes" and related criminal activity is extremely difficult now. As technology advances and changes, there have been a multitude of incidents in which the DPS has been hampered. Certainly, some definitions in the bill will be advantageous to the DPS, such as the change from "credit cards" to "access devices," as will utilizing numbers and names. LIEUTENANT HUDSON said certainly some things on the Internet today are accessed by using a person's name and Social Security number. From a law enforcement perspective, as Ms. Carpeneti had said, it is very difficult. It is a learning process for the DPS. They must stay on top of this regarding specialties and specialists. Training is continually evolving in society today for determining how to investigate these crimes. Department personnel aren't experts in these areas by any means, he pointed out, and technology is advancing in leaps and bounds. Lieutenant Hudson mentioned proactive formats regarding bills and laws to be able to access some of this information and study it, and hopefully to be able to solve future assistance needs in Alaska. He concluded by restating that the DPS looks forward to this bill moving forward. Number 2226 REPRESENTATIVE ROKEBERG asked how many DPS personnel work in this area now, and with what kinds of support and equipment. LIEUTENANT HUDSON answered that right now they have a white-collar crime section headquartered in Anchorage, with one sergeant and two troopers, to his belief. He indicated their equipment isn't as technologically advanced as what they see youngsters using across the nation, however, and they need to advance on that level. That section's specialties cover a wide range; other than computer crime, they also deal with gaming, fraud and accounting issues, for example. Lieutenant Hudson expressed with certainty that the department isn't as up-to-date as training would allow through various courses conducted by federal and commercial crime investigation units. LIEUTENANT HUDSON reported that the DPS has some other police officers around the state, and a young officer at the University of Alaska Fairbanks security office is doing some very good work and is recognized statewide for some of his knowledge regarding computer-related crimes; furthermore, the Anchorage Police Department has personnel working on this. They try to get those people together as often as possible to learn from one another. He agreed with Ms. Carpeneti that it involves a multitude of things, including trying to teach personnel how to save potential evidence in computers when they come across computers in drug-related conspiracies and other crimes of that nature. "It's a very widespread effort, and we probably don't have as many people as we would like specializing in this area," Lieutenant Hudson concluded. Number 2406 REPRESENTATIVE ROKEBERG asked whether one person in the entire force could be categorized as a "computer geek" who really knows what he is doing. LIEUTENANT HUDSON said the sergeant in the white-collar crime section is probably the best-trained person in this area. However, they recently researched some other training that he or some of his subordinates could attend, to help bring them in line in this direction. Lieutenant Hudson emphasized that technology is advancing so rapidly that the department will probably always be in a catch-up position. REPRESENTATIVE ROKEBERG asked whether the DPS can access the Federal Bureau of Investigation (FBI) for support in the Anchorage area. LIEUTENANT HUDSON affirmed that. [Although not on tape, it was recorded in the log notes.] TAPE 00-19, SIDE A Number 0046 ROBERT BUTTCANE, Juvenile Probation Officer, Youth Corrections, Division of Family and Youth Services, Department of Health and Social Services, testified via teleconference from Anchorage in support of HB 338. He indicated the department views this, in a sense, as a preemptive proposal that would help hold delinquent offenders accountable when they cause harm to others through the use of computers or electronic technologies. He sees it as an opportunity to establish standards for appropriate or inappropriate use of these modern technologies. MR. BUTTCANE spoke strongly in favor of the use of the term "access device," in particular. In delinquency casework, they have had trouble holding accountable young offenders who have taken other people's ATM [automated teller machine] cards, for example, because an ATM card isn't a credit card and has no intrinsic value. In those instances, the department has had to resort to other things that are more indirect, such as theft of lost or mislaid property. Using "access device" in the definition under theft in the third degree, rather than "credit card," would give the department the opportunity to say to a young person who takes somebody else's ATM card that it is stolen property with a value of more than $50 and less than $500, and that it is not okay. MR. BUTTCANE reported that the same holds true when someone steals another's computer system password. Although there hadn't been a number of those cases referred to the department in the delinquency system, there have been discussions with school personnel. In Anchorage, at least, there have been two occasions where students gained access to parts of the school system's computer; in one case, access was to a teacher's personal electronic files, and in other case, access was to an area that would have led to grades, had the student been able to continue. MR. BUTTCANE recognized that some of that behavior is already included under existing statutes, but said expansion of the criminal use of a computer is a preemptive step. Although the bill itself may need some more work, trying to deal with these technologies is difficult. "Having this in place I think will support us in finding our way in what is correct and what is incorrect," he concluded, indicating the desire to work on this bill and move forward on it. Number 0325 CHAIRMAN KOTT, noting that nobody else had signed up to testify, closed public testimony. He asked Representative Rokeberg whether he still has concerns about the "cookie" problem. REPRESENTATIVE ROKEBERG affirmed that. He referred to Mr. McCune's testimony and Section 10, deceptive business practices. He said he believes the department is looking to make a higher standard of criminal offense, turning it into a class C felony, if there is use of the Internet, not a computer. He restated concern about having a cash register be considered a computer, so that if a clerk who had intentionally overcharged somebody for merchandise could be guilty of a class C felony for a $2 crime. He noted that Mr. McCune had echoed his own concerns about Sections 17 and 18. REPRESENTATIVE ROKEBERG also voiced concern about how the language should be drafted to ensure that it doesn't hinder technology. Although the legislature certainly should keep the interests of consumers and individuals in mind foremost, he said they shouldn't interrupt "e-commerce" by passing legislation that has a chilling effect on it. He said he doesn't feel qualified to make a suggestion but isn't comfortable with the direction being taken in some of these sections. However, there is a need for this legislation; if the courts use a strict reading of "credit card," for example, that needs to be fixed as soon as possible. The troopers also need some help and should have a "geek" on hand, which would cost $145,000 out of the $250,000 fiscal note for the bill; he commented that it seems pretty justifiable. Representative Rokeberg stated concern that the bill is omnibus legislation. Number 0599 CHAIRMAN KOTT asked whether there were further comments. He announced the intention of trying to address Representative Rokeberg's concerns and to work with the Public Defender Agency on a couple of the issues brought up. He informed members that HB 338 would be held over.