Subject: RISKS DIGEST 13.17 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 25 February 1992 Volume 13 : Issue 17 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: California data-privacy/comp.crime bill [PART ONE] (Jim Warren) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP domain folks. REQUESTS please to RISKS-Request@CSL.SRI.COM. Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 13, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Mon, 17 Feb 92 19:19:18 PST From: autodesk!megalon!jwarren@fernwood.mpk.ca.us (Jim Warren) Subject: California data-privact/comp.crime bill [PART ONE] This includes the full text of legislation that was introduced Feb. 10th in the California State Senate by a senior member of that body, the Chair of the Senate Judiciary Committee, Senator Bill Lockyer of Southern Alameda County. This copy of the bill plus staff background comments is being uploaded within days of its availability in Senate offices. SB1447 TOPICS Sec.1: "Privacy Act of 1992", Senate Bill 1447 (Lockyer, Privacy) Sec.2: Driver's licenses: Use of human-readable and magstripe information Sec.3: Privacy: Rights of employees and prospective employees Sec.4: Computer crime laws: Modifications Sec.5: Automatic vehicle identification [AVI] systems: Control of uses CONTENTS OF THIS CONTRIBUTION [words/chars] [PART ONE -- RISKS-13.17] Introductory comments and details of notation conventions [757/5191] Reformatted verbatim text of the Feb. 10th bill [3227/21285] [PART TWO -- RISKS-13.18] Background notes prepared by Sen. Lockyer's assistant [2465/15546] [If printed, the entire contribution is approximately 12 pages.] REPORTEDLY A LEGISLATIVE "FIRST" This effort in "electronic democracy" may be the first time that state legislation has been distributed online, for access by the general public, at the same time it becomes available to legislators and their staff. A senior member of the Senate computer system's technical staff reportedly said they have never-before down-loaded a machine-readable copy of initial legislation onto a personal computer for redistribution on public computer networks. Furthermore, Sen. Lockyer's Legislative Assistant responsible for the bill said he knows of no prior instance where legislative staff have gone online on public nets to seek citizen input and discussion about new legislation. SOURCES OF ORIGINAL DOCUMENTS & INFORMATION Mr. Ben Firschein is the Legislative Assistant to Sen. Lockyer who is handling this bill: Office of Senator Bill Lockyer Room 2032, State Capitol Sacramento CA 95814 Mr. Firschein/916-445-6671, main number/916-445-5957, email/** Formatted, binary, machine-readable versions of this text will be available on the WELL, the Whole Earth 'Lectronic Link. The WELL is a public teleconferencing system located in Sausalito, California, accessible via the Internet; voice/415-332-4335, 2400-baud data/7-E-1/415-332-6106. For read- only access instructions, SEND A REQUEST TO: jwarren@well.sf.ca.us. ** -- Mr. Firschein will be online on the WELL within a week or so. You may request his email address, also, from jwarren@well.sf.ca.us. There will be four read-only files: A. The original file that was down-loaded from the Senate's legislative computer system in WordPerfect format on a PC-compatible diskette. B. The above file, converted to a Word-5.0 Macintosh format, with pagination approximating the printed copies of the bill available from the legislative offices. C. Background information, explanations and mention of some alternatives, prepared by Mr. Firschein, in original WordPerfect format for PC-compatibles. D. That backgrounder file, converted to Word-5.0 Macintosh format. REPRESENTING LEGISLATION-IN-PROGRESS: A NOTATION PROBLEM In the California Senate, printed legislation-in-progress uses the following conventions: When stating new legislation, *plain-text* states PROPOSED law. When *amending* current law, *plain-text* states the CURRENT law, and *strike-thru text* indicates current law to be deleted while *underscored* or *italicized* text represents wording to be added to those current statutes. Deletions and additions represented by strike-thru and underlining or italics *amend* current law. But, the basic ASCII character-set -- and a great many older terminals and computer printers -- have no strike-thru, italics or underlining. So, here is how that unavailable notation is represented in this document: [[ annotation ]] -- explanatory comments by "uploader" Jim Warren all capitals -- originally bold-face text; no legislative meaning Unless stated as amending current law: plain-text -- text of new legislation, proposed to be new law When stated as amending current law: plain-text -- text of current law to remain unchanged << strikethru >> -- text in current law, proposed for deletion {{ underscore }} -- text proposed to be added to current law. THE BEGINNING ... The introduction of this legislation in the Senate is the beginning of a lengthy process or review and revision by amendment, prior to its possible passage into law. Please send your comments and suggestions about the legislation -- and about the Senate staff's active cooperation in making it publicly available, online -- to Mr. Firschein and Sen. Lockyer. --Jim Warren, 345 Swett Rd., Woodside CA 94062; voice/415-851-7075, fax/415-851-2814, email/jwarren@well.sf.ca.us -or- jwarren@autodesk.com [ for identification purposes, only: contributing editor, MicroTimes; Chair, First Conference on Computers, Freedom & Privacy (March, 1991); and member, Board of Directors, Autodesk, Inc.; blah blah blah ] ===================== verbatim text of the legislation ===================== "THE PRIVACY ACT OF 1992" -- CALIFORNIA STATE SENATE BILL No. 1447 Introduced by Senator Lockyer February 10, 1992 An act to add Section 1799.4 to the Civil Code, to add Section 2805 to the Labor Code, to amend Section 502 of the Penal Code, and to amend Section 27565 of the Streets and Highways Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST [[**** The Legislative Counsel's Digest is NOT part of the bill. It is only a summary prepared by the legislature's legal counsel. ****]] SB 1447, as introduced, Lockyer. Privacy. (1) Existing law prohibits the disclosure of specified information by business entities which perform bookkeeping services and by persons providing video cassette sales or rental services. This bill would provide that a business entity that obtains information from a consumer's driver's license or identification card shall not sell the information or use it to advertise goods or services, without consent. (2) Existing law prohibits employers from making or enforcing rules or policies forbidding or preventing employees from engaging or participating in politics, and from controlling the political activities or affiliations of employees. This bill would provide that any employer shall be liable to an employee or prospective employee for damages caused by subjecting the employee to discipline or discharge, or denying employment to a prospective employee, on account of the exercise by that person of privacy rights guaranteed by the California Constitution. (3) Existing law sets forth definitions and penalties for specified computer-related crimes. This bill would require the owner or lessee of any computer, computer system, computer network, computer program, or data, as specified, to report to a local law enforcement agency any known violations of the provisions described above. The bill would also provide that any person who recklessly stores or maintains data in a manner which enables a person to commit acts leading to a felony conviction under the provisions described above, shall be liable to each injured party for a specified civil penalty. The bill would make related changes. (4) Existing law requires the Department of Transportation to develop and adopt functional specifications and standards for an automatic vehicle identification system to be used in toll facilities, as specified. This bill would provide that a vehicle owner shall have the choice of being billed after using the facility, or of prepaying tolls, in which case the department or any privately owned entity operating a toll facility shall issue an account number to the vehicle owner which is not derived from the vehicle owner's name, address, social security number, or specified other sources, and would prohibit the keeping of any record of this information. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. This act shall be known and may be cited as the Privacy Act of 1992. SEC. 2. Section 1799.4 is added to the Civil Code, to read: 1799.4. A business entity that obtains information from a consumer's driver's license or identification card for its business records or for other purposes shall not sell the information or use it to advertise goods or services, without the written consent of the consumer. SEC. 3. Section 2805 is added to the Labor Code, to read: 2805. (a) Any employer, including any state or local governmental entity or instrumentality thereof, shall be liable to an employee or prospective employee for damages caused by either of the following: (1) Subjecting the employee to discipline or discharge on account of the exercise by the employee of privacy rights guaranteed by Section 1 of Article I of the California Constitution, provided the activity does not substantially interfere with the employee's bona fide job performance or working relationship with the employer. (2) Denying employment to a prospective employee on account of the prospective employee's exercise of privacy rights guaranteed by Section 1 of Article I of the California Constitution. (b) Damages awarded pursuant to this section may include punitive damages, and reasonable attorney's fees as part of the costs of the action. If the court decides that an action for damages was brought without substantial justification, the court may award costs and reasonable attorney's fees to the employer. SEC. 4. Section 502 of the Penal Code is amended to read: [[**** Note that this would AMEND current law. ****]] 502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data. (b) For the purposes of this section, the following terms have the following meanings: (1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network. (2) "Computer network" means any system which provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities. (3) "Computer program or software" means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions. (4) "Computer services" includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network. (5) "Computer system" means a device or collection of devices, including support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, one or more of which contain computer programs, electronic instructions, input data, and output data, that performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control. (6) "Data" means a representation of information, knowledge, facts, concepts, computer software, computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device. (7) "Supporting documentation" includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software. (8) "Injury" means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access. (9) "Victim expenditure" means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access. (10) "Computer contaminant" means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network. (c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense: (1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data. (2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network. (3) Knowingly and without permission uses or causes to be used computer services. (4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network. (5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network. (6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section. (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network. (8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network. (d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment. (2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows: (A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment. (B) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds four hundred dollars ($400), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment. (3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows: (A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250). (B) For any violation which results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment. (C) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment. [[**** Use of << STRIKETHRU >> and {{ UNDERSCORE }} begins, hereafter. ****]] (e) (1) In addition to any other civil remedy available, {{ any injured party, including but not limited to }} the owner or lessee of the computer, computer system, computer network, computer program, or data may bring a civil action against any person convicted under this section for compensatory damages, including {{ consequential or incidental damages. In the case of the owner or lessee of the computer, computer system, computer network, computer program, or data, damages may include, but are not limited to,}} any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. << For >> [[**** Yes, that was a struck-thru "For" ending that paragraph. ****]] {{ (2) Any person who recklessly stores or maintains data in a manner which enables a person to commit acts leading to a felony conviction under this section shall be liable to each injured party for a civil penalty of ten thousand dollars ($10,000), up to a maximum of fifty thousand dollars ($50,000). Failure to report a previous violation of this section to a local law enforcement agency pursuant to subdivision (f) may constitute evidence of recklessness }} {{ (3) For }} the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code. << (2) >> {{ (4) }} In any action brought pursuant to this subdivision the court may award reasonable attorney's fees to a prevailing party. << (3) >> {{ (5) }} A community college, state university, or academic institution accredited in this state is required to include computer-related crimes as a specific violation of college or university student conduct policies and regulations that may subject a student to disciplinary sanctions up to and including dismissal from the academic institution. This paragraph shall not apply to the University of California unless the Board of Regents adopts a resolution to that effect. (f) {{ The owner or lessee of any computer, computer system, computer network, computer program, or data shall report to a local law enforcement agency, including the police, sheriff, or district attorney, any known violations of this section involving the owner or lessee's computer, computer system, computer network, computer program, or data. The reports shall be made within 60 days after the violations become known to the owner or lessee. }} {{ (g) }} This section shall not be construed to preclude the applicability of any other provision of the criminal law of this state which applies or may apply to any transaction, nor shall it make illegal any employee labor relations activities that are within the scope and protection of state or federal labor laws. << (g) >> {{ (h) }} Any computer, computer system, computer network, or any software or data, owned by the defendant, which is used during the commission of any public offense described in subdivision (c) or any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of subdivision (c) shall be subject to forfeiture, as specified in Section 502.01. << (h) >> {{ (i) }} (1) Subdivision (c) does not apply to any person who accesses his or her employer's computer system, computer network, computer program, or data when acting within the scope of his or her lawful employment. (2) Paragraph (3) of subdivision (c) does not apply to any employee who accesses or uses his or her employer's computer system, computer network, computer program, or data when acting outside the scope of his or her lawful employment, so long as the employee's activities do not cause an injury, as defined in paragraph (8) of subdivision (b), to the employer or another, or so long as the value of supplies and computer services, as defined in paragraph (4) of subdivision (b), which are used do not exceed an accumulated total of one hundred dollars ($100). << (i) >> {{ (j) }} No activity exempted from prosecution under paragraph (2) of subdivision << (h) >> {{ (i) }} which incidentally violates paragraph (2), (4), or (7) of subdivision (c) shall be prosecuted under those paragraphs. << (j) >> {{ (k) }} For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction. << (k) >> {{ (l) }} In determining the terms and conditions applicable to a person convicted of a violation of this section the court shall consider the following: (1) The court shall consider prohibitions on access to and use of computers. (2) Except as otherwise required by law, the court shall consider alternate sentencing, including community service, if the defendant shows remorse and recognition of the wrongdoing, and an inclination not to repeat the offense. SEC. 5. Section 27565 of the Streets and Highways Code is amended to read: [[** NOTE: This is another amendment, with strikethrus and underscores. **]] 27565. (a) The Department of Transportation, in cooperation with the district and all known entities planning to implement a toll facility in this state, shall develop and adopt functional specifications and standards for an automatic vehicle identification system, in compliance with the following objectives: (1) In order to be detected, the driver shall not be required to reduce speed below the applicable speed for the type of facility being used. (2) The vehicle owner shall not be required to purchase or install more than one device to use on all toll facilities, but may be required to have a separate account or financial arrangement for the use of these facilities. (3) The facility operators shall have the ability to select from different manufacturers and vendors. The specifications and standards shall encourage multiple bidders, and shall not have the effect of limiting the facility operators to choosing a system which is able to be supplied by only one manufacturer or vendor. (b) {{ The vehicle owner shall have the choice of prepaying tolls, or being billed after using the facility. If the vehicle owner prepays tolls: (1) The department or any privately owned entity operating a toll facility shall issue an account number to the vehicle owner. The account number shall not be derived from the vehicle owner's name, address, social security number, or driver's license number, or the vehicle's license number, vehicle identification number, or registration. (2) Once an account has been established and an account number has been given to the vehicle owner, neither the department nor the privately owned facility shall keep any record of the vehicle owner's name, address, social security number, or driver's license number, or the vehicle's license number, vehicle identification number, or registration. (3) The vehicle owner may make additional prepayments by specifying the account number and furnishing payment. }} {{ (c) }} Any automatic vehicle identification system purchased or installed after January 1, 1991, shall comply with the specifications and standards adopted pursuant to subdivision (a). {{ (d) Any automatic vehicle identification system purchased or installed after January 1, 1993, shall comply with the specifications and standards adopted pursuant to subdivisions (a) and (b). }} [[**** END OF SB 1447, DATED FEBRUARY 10, 1992 ****]] [PART TWO IS IN RISKS-13.18.] ------------------------------ End of RISKS-FORUM Digest 13.17 ************************