RD11 - Annual Report on the Findings and Recommendations of the Joint Commission on Technology and Science


Executive Summary:
JOINT COMMISSION ON TECHNOLOGY AND SCIENCE

Created by the 1997 General Assembly through House Bill 2138, the Joint Commission on Technology and Science (JCOTS) is a permanent legislative commission charged to study all aspects of technology and science, to promote the development of technology and science in the Commonwealth of Virginia through sound public policies, and to report its findings annually to the Governor and the General Assembly (See Chapter 11 of Title 30 of the Code of Virginia, § 30-85 et seq.).

JCOTS’ 2004-2005 work plan identified four issues for study through the establishment and work of advisory committees co-chaired by JCOTS members: Computer Crimes, Integrated Government, Nanotechnology, and Privacy. The work plan also identified new issues to be introduced at Commission meetings through testimony and presentations -- computer forensics and computer security -- as well as other issues to be monitored throughout the year, including privacy of personal information in court documents, taxes on Internet sales, and biometrics on identity cards.

JCOTS adopted the findings and recommendations of its advisory committees and submitted them to the General Assembly for consideration.

Joint Advisory Committee on Computer Crimes

JCOTS and the Virginia State Crime Commission combined their studies of the Computer Crimes Act and created a Joint Legislative Task Force and a Joint Advisory Committee. The Joint Advisory Committee on Computer Crimes was charged with examining the statutory basis for computer crimes and related laws in the Code of Virginia, including a determination of the appropriate definitions and elements constituting offenses, and recommending any necessary amendments in light of modern activities and technologies. The Committee and Task Force received briefings on the history of computer crimes legislation in the Commonwealth and the structure of the Computer Crimes Act.

Concerned that defining the specific threats would lead to almost immediate obsolescence and would provide a road map to the bad actors, the Task Force and Advisory Committee agreed to focus on the "bad actors" with a "bad motive" that do a “bad action.” They identified nine specific threats: (i) phishing, spoofing, and disguising one’s identity; (ii) bots and zombies; (iii) spyware and adware; (iv) viruses and worms; (v) falsifying certifications, seals, or other credentials; (vi) spam; (vii) identity theft; (viii) hacking and defacing websites, networks, and databases; and (ix) denial of service attacks. The Task Force and Advisory Committee focused on those threats not already covered in the Code.

The groups condensed and simplified the definitions, basing many of them on those of the Uniform Computer Information Transactions Act. Not wanting the Act to treat all devices with computer chips as computers, the Task Force voted to limit the coverage to general purpose, programmable computers. The proposed bill also requires that a person actually know or have reason to know that he was without authority, as opposed to merely acting without permission or right. Mitigating the impact of this final change, the crimes of computer fraud and personal trespass by computer would no longer require that a person take the underlying actions without authority.

To handle bots and zombies, the bill adds a provision to the computer trespass statute that criminalizes installing software without authorization. The bill also adds a subsection to address viruses and worms that do not harm computers, but hinder their ability to operate peripheral devices (e.g., grocery scanners, security cameras, and environmental sensors). In addition, the bill addresses using a computer to obtain computer information without authority. Finally, to avoid criminalizing innocent or innocuous activities, the Task Force added a requirement that for an act to be actionable as Computer Trespass, a person must act with malicious intent.

The Computer Crimes Act criminalizes invading another person’s computer, stealing information, and examining certain personal information without authority. However, in recent years, the phenomena of phishing and spoofing, or faking an identity to gather personal information, have tricked people into revealing the information themselves. In some cases, perpetrators trick computer users into downloading software that takes the information automatically. Therefore, the proposal criminalizes using a computer with fraudulent intent to obtain, access, or record identifying information, as defined by the identity theft statute (excluding name and birth date). Just trying to trick someone into revealing identifying information would be a crime; actually tricking them is not necessary.

The proposal also specifically criminalizes using a computer to circumvent computer security measures. Finally, it clarifies that all property regardless of type can be stolen or embezzled.

Though JCOTS expressed concern over the number of new felonies created by the proposal, it adopted the proposal as drafted by a vote of four to one with one abstention.

Advisory Committee on Integrated Government

The Advisory Committee on Integrated Government was charged with exploring the issues created or enhanced by the transformation of government in the electronic age. The Committee continued focusing on the state of information technology (IT) procurement in the Commonwealth, including briefings on the Virginia Information Technologies Agency’s (VITA) Project Management Division and VITA’s procurement reform efforts. In addition, the Committee received briefings on and discussed certified electronic mail, electronics recycling, the development of the Commonwealth's strategic plan for communications interoperability, and outsourcing and offshoring. Finally, the Committee addressed competing provisions dictating electronic meetings requirements for public bodies.

The Committee voted to recommend four proposals introduced by VITA. The first would eliminate a preference in the Virginia Public Procurement Act for competitive sealed bidding over competitive negotiation. The second would allow public bodies to purchase information technology and telecommunications goods and services from online public auctions and through cooperative procurement arrangements with approval of the Chief Information Officer. The third would authorize VITA to conduct an Alternative Dispute Resolution Pilot Project. The final would allow public bodies to hold closed meetings to discuss records already exempt from public disclosure relating to the Public-Private Education Facilities and Infrastructure Act.

Finally, the Committee discussed JCOTS' Pilot Project, an exemption to the Virginia Freedom of Information Act that applies to meetings held via videoconference. The Pilot Project is due to sunset on July 1, 2005. Working with a FOIA Council subcommittee, the Committee proposed reconciling the provisions in the Freedom of Information Act and the Acts of Assembly to create one set of requirements for electronic meetings. However, unlike the FOIA proposal, the Committee proposed retaining the current Acts of Assembly provisions that enable a quorum to be distributed across remote sites and do not require that remote sites be open to the public.

Believing that procurement reforms beyond technology were outside its mandate, JCOTS declined to adopt the Committee’s first proposal that would eliminate the preference of competitive sealed bidding over competitive negotiation. JCOTS conformed the electronic communications meetings bill to the FOIA Council proposal by retaining the current FOIA requirements for a physical quorum and remote sites open to the public. JCOTS adopted the remaining recommendations without amendment.

Advisory Committee on Nanotechnology

Pursuant to House Joint Resolution 120, JCOTS established the Advisory Committee on Nanotechnology and charged it with identifying nanotechnology research and economic development opportunities for the Commonwealth and considering the efficacy of creating a statewide, comprehensive and coordinated strategy to secure additional federal research and development funds and to boost commercial activity. Nanotechnology presents major new economic development opportunities, especially with the federal government’s recent authorization of almost $3.7 billion in government funding for research and development. The Committee received briefings on an overview of nanotechnology, on other states’ and the federal government’s approaches to promoting nanotechnology development, and on a proposed prototyping facility that could help to bridge the gap between basic research and the commercial market.

While the Committee made no formal legislative recommendations, it focused on three key areas: commercialization (bridging the gap between research and commercialization), education, and financing (including business development and incentives). The Committee agreed that the Commonwealth should establish a more permanent body to continue discussions about nanotechnology in the Commonwealth. Adopting this recommendation, JCOTS agreed to include nanotechnology in its 2005-2006 work plan.

Advisory Committee on Privacy

The Advisory Committee on Privacy was charged with (i) reviewing current privacy laws and practices as they pertain to information and (ii) proposing policies and guidelines for public bodies to evaluate the use of potentially invasive technologies when determining whether to support their use financially or to authorize or prohibit their use. To evaluate the use of potentially invasive technologies, the Committee received briefings on a number of technologies, including facial recognition, radio frequency identification, and event data recorders. The Committee also received briefings on using biometrics to identify people and measures to protect the privacy of certain personal information in court records.

As part of its study, the Committee discussed several bills referred to JCOTS by the House Committee on Science and Technology during the 2004 Session. The Committee discussed House Bill No. 1304 (Patron – Lingamfelter) on balancing civil liberties and law enforcement’s use of potentially invasive technologies; House Bill No. 697 (Patron – Morgan) on event data recorders; House Bill No. 753 (Patron - May) on the misuse of social security numbers; and House Bill No. 543 (Patron - May) on limiting the use of unique identifying numbers in public records. The Committee also discussed proposals to create a FOIA exemption for unique identifying numbers; eliminate social security numbers from new land records; restrict personal identification information that can be required as a condition of accepting a negotiable instrument; and require state agencies and businesses to disclose breaches of databases to any resident of the Commonwealth whose unencrypted personal information may have been acquired by an unauthorized person.

The Committee adopted three recommendations. The first recommendation, based on HB 753, would prohibit making the social security number available to the general public and printing the number on an identification card. The proposal also would remove the number from state employees’ insurance identification cards and prohibit suppliers from using the social security number when a consumer requests that his driver's license number be used. The second recommendation adopts the court clerks’ request to extend by two years the sunset on their posting restrictions as set out in § 2.2-3808.2. The third recommendation adopts DMV’s request for a study on the use of biometrics for identification.

With little change, JCOTS adopted the first two recommendations. Because JCOTS does not need a resolution to conduct a study, it declined to adopt the third recommendation and instead, agreed to include a biometrics study its 2005-2006 work plan.

Finally, JCOTS discussed and adopted a legislative proposal that would require manufacturers and lessors of motor vehicles that contain devices that record performance or operation information to provide notice of such devices to purchasers and lessees.