SENATE JUDICIARY COMMITTEE March 3, 2000 1:40 p.m. MEMBERS PRESENT Senator Robin Taylor, Chairman Senator Rick Halford, Vice-Chairman Senator John Torgerson MEMBERS ABSENT Senator Dave Donley Senator Johnny Ellis COMMITTEE CALENDAR SENATE BILL NO. 259 "An Act relating to criminal impersonation." -HEARD AND HELD PREVIOUS SENATE COMMITTEE ACTION SB 259 - See Judiciary Committee minutes dated 2-21-00. WITNESS REGISTER Ms. Anne Carpeneti Department of Law PO Box 110300 Juneau, Alaska 99811-0300 POSITION STATEMENT: Supports SB 259 Mr. Blair McCune Public Defender 900 West 5th Avenue, #200 Anchorage, Alaska 99501 POSITION STATEMENT: Testified on SB 259 ACTION NARRATIVE TAPE 00-11, SIDE A Number 001 CHAIRMAN ROBIN TAYLOR called the Judiciary Committee meeting to order at 1:40 p.m. and brought up SB 259 as the first order of business. SB 259-THEFT OF IDENTITY SENATOR TORGERSON moved to adopt CSSB 259, version I. There being no objection, the motion carried. MS. ANNE CARPENETI, representing the Criminal Division of the Department of Law (DOL), stated DOL is in support of CSSB 259. The bill contains many of the provisions DOL feels is important in bringing the Alaska statutes up to date in terms of theft of identity. The bill changes "theft of an act of a credit card" to "theft of an access devise," allowing theft of numbers as well as the theft of a credit card and other devices. CSSB 259 also changes "fraudulent use of a credit card" to "fraudulent use of an access device" for the same reason. Fraudulent use of an access devise is conduct where a person obtains property by fraudulent means using an access devise. The penalty scheme is changed to reflect that of theft, so that fraudulent use of an access devise where property or services are obtained in the amount over $25,000 is a class B felony. The bill changes other parts of the statutes, in terms of obtaining credit cards by fraudulent means, to include obtaining an access devise or identification (ID) document by fraudulent means. Criminal impersonation in the first degree addresses the situation where an individual is victimized by another person who has obtained a document or number, then opens accounts, buys goods, obtains credit cards, opens bank accounts, etc., harming the financial reputation of the owner of the identity. Criminal impersonation in the second degree is thereby created which provides that it is a class A misdemeanor. "Business record" is amended to include "recordings" and expands the crime of criminal use of the computer. This involves hacking into a computer or exceeding authorization to use a computer, acquiring personal information and adding it to the system so it will either harm or enhance a persons record. Number 362 CHAIRMAN TAYLOR asked for clarification of the word "aural" which is in the title of the bill and throughout the document. MS. CARPENETI responded it was added by legislative affairs, the drafter was probably trying to put the statute in conformity with other similar statutes. She said she would research the question and provide the committee with an answer. SENATOR TORGERSON asked why "credit card" is being removed from the bill and is replaced with "access devise." MS. CARPENETI answered the term "access devise" gives a broader definition. MR. BLAIR MCCUNE, Deputy Director for the Public Defender Agency, stated he is concerned about the breadth of the bill. A few principals should be kept in mind when looking at something like this. First of all, normal commercial activity or computer practices over the Internet should not be outlawed. Second, because these are property crimes the penalty of the offense should be related to the actual harm caused. Financial and property crimes should to linked to a value for the type of theft or loss in monetary terms. Third, mental state should be carefully worded so that things done by mistake or for curiosity or just poking around are not made illegal. The law should be for things done knowingly and with intent to defraud. MR. MCCUNE said there are no problems with sections 1 and 2. In section 3 the wording "access devise" gives the public defender some concern. The definition on page 6 includes any type of ID number, such as a drivers license, social security number, bank account number, or credit card number that is capable of being used, alone or in conjunction with another access devise. This is getting at data that might be collected in the course of normal commercial activity and could possibly be considered an access devise. MR. MCCUNE is not too concerned with the theft statute because it has "intent to permanently deprive another person of property." Section 4, subsection (b), does a good job of linking the harm to some kind of value or property that a person loses--this is key, and he hopes it will be a guiding principal. Mr. McCune said subsection 5 has an over breadth problem because the definition of "access devise" is too broad. An access devise can be a drivers license number, social security number or something along these lines instead of a credit card. MR. MCCUNE is not concerned with subsections 2 and 3 because they say "with intent to defraud." Section 6, subsection 2, deals with criminal impersonation in the first degree--the damage does not quantify for the crime. Section 10 makes deceptive business practices a class C felony if a computer is used. Computers are used so much in business practice that it might be better to link the crime with either "value" or "harm caused," rather than the fact that a computer has been used. It should not be a class C felony if the value lost is $50.00. Section 11 is a very complicated and broad statute. People tend to exceed access just out of curiosity, this should be taken into consideration. The public defender would like "intent to defraud" or "intent to commit a crime" used more in this bill. Number 983 CHAIRMAN TAYLOR asked if section 11, subsection (a), "A person commits the offense of criminal use of a computer if, having no right to do so or any reasonable ground to believe the person has such a right, the person knowingly accesses, [OR] causes to be accessed, or exceeds the person's authorized access to a computer, computer system, computer program, computer network, or any part of a computer system or network, and, as a result of or in the course of that access," will give the law some leverage when dealing with the type of crime that is commonly referred to as the "APSIN scandal?" MR. MCCUNE responded he does not know, but it might. Number 1233 CHAIRMAN TAYLOR commented that under existing state law this offense is a class A misdemeanor and under federal law it is a felony. MR. MCCUNE stated that almost every phrase in the federal law begins with "knowingly and with intent to defraud," and ends with "obtains of anything of value aggregating $1,000 or more during that period," giving the law a tight mental state and value. MR. MCCUNE remarked that Washington, being the technological capitol, has a statute on computer trespass in the first degree which is simple, direct and easy to understand. A class C felony is created if a person is in a computer without access and intentionally gains access to the system, and then intentionally commits another crime. In Alaska this is a class A misdemeanor. MR. MCCUNE noted the federal law has a similar definition of access devise but it is directed more toward financial accounts, than social security numbers. CHAIRMAN TAYLOR asked where Mr. McCune would like the intent language changed. MR. MCCUNE answered that in the fraudulent use of an access devise "intent to defraud" should be added and a value should also be added. Section 5 is a concern, and "knowingly and intent to defraud" needs to be added to section 1. Section 6 has a lack of value related to the harm, and a class B felony should not be considered if there is a quick fix for the damage done. Number 1355 MS. ANNE CARPENETI stated she is concerned about putting "culpable mental state," and "knowingly with intent to defraud," in one act. Two culpable mental states should not be in one act because one includes the other. Culpable mental state is very difficult to prove because "knowing conduct," "criminal negligent conduct" and "reckless conduct" have to be proven. MS. CARPENETI said the reason a dollar amount was not added to section 6 is because it is hard to quantify a financial reputation. The person whose identity is stolen is not now considered the victim, the vendor is the victim. Loss of identity is a continuing offense and a number cannot be put on that damage. The state will have to prove that the person has a stolen identification document or access devise for the purpose of opening an account, obtaining an access devise, or obtaining property and services, and that the financial reputation of the other person has been damaged. Number 1497 SENATOR HALFORD asked if a class B felony will be created if a person obtains a false ID, buys alcohol and leaves without paying the bill. MS. CARPENETI responded she is not sure, but it is not the intent of SB 259 to make this type of crime a class B felony. SENATOR HALFORD asked if there is a provision for changing the victim's social security number. Number 1892 MR. MCCUNE stated that the term "need knowingly" would be needed with "intent to defraud" under Alaska law. The language "with intent to defraud" covers mental state, making it intentional fraud. SENATOR HALFORD said section 11 adds "or misleading" to the existing statutory language without a definition of "or misleading." Because this is subjective language, it should either be defined or left out. SENATOR HALFORD would also like to know if a crime is created if something has been encrypted, without authorization, in a computer system a person has access to. MS. CARPENETI stated this will only apply if a person is encrypting data they have no authorization to encrypt. It has to be proven that a person has no right to do so or have any reason to believe they have the right to get access to this information and encrypt or decrypt the information. Number 2102 SENATOR TORGERSON asked if a person can be tried with this law if they enhance information for personal gain. MS. CARPENETI answered that in order for it to be covered under CSSB 259, a person would have to go into their bank account data and enhance their record--actually going in and changing the bank computer. SENATOR HALFORD stated that the historical interpretation of a social security number has been destroyed and if this is the core number that created the problem for theft of identity, something needs to be done to fix the problem. SENATOR TORGERSON stated this is public information that is being misused and he asked if there can be a misinterpretation without there being a misuse. CHAIRMAN TAYLOR stated he does not think a social security number is public information. There being not further business to come before the committee, CHAIRMAN TAYLOR adjourned the meeting at 2:29 p.m.