The legislature finds that the rapid pace of technological change and information computerization in the digital age generates a never ending sequence of anxiety inducing reports highlighting how the latest device or innovation is being used to harm consumers. The legislature finds that this generates an ongoing pattern of legislation being proposed to regulate each new technology. The legislature finds that a more systemic approach is needed to better protect consumers and address these rapidly advancing technologies. The legislature finds that the application of traditional criminal enforcement measures that apply long-standing concepts of trespass, fraud, and theft to activities in the electronic frontier has not provided the essential clarity, certainty, and predictability that regulators, entrepreneurs, and innovators need. The legislature finds that an integrated, comprehensive methodology, rather than a piecemeal approach, will provide significant economic development benefits by providing certainty to the innovation community about the actions and activities that are prohibited. Therefore, the legislature intends to create a new chapter of crimes to the criminal code to punish and deter misuse or abuse of technology, rather than the perceived threats of individual technologies. This new chapter of crimes has been developed from an existing and proven system of computer security threat modeling known as the STRIDE system.
The legislature intends to strike a balance between public safety and civil liberties in the digital world, including creating sufficient space for white hat security research and whistleblowers. The state whistleblower and public record laws prevent this act from being used to hide any deleterious actions by government officials under the guise of security. Furthermore, this act is not intended to criminalize activity solely on the basis that it violates any terms of service.
The purpose of the Washington cybercrime act is to provide prosecutors the twenty-first century tools they need to combat twenty-first century crimes.
[ 2016 c 164 § 1; ]
This act may be known and cited as the Washington cybercrime act.
[ 2016 c 164 § 2; ]
The definitions in this section apply throughout this chapter unless the context clearly requires otherwise.
"Access" means to gain entry to, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of electronic data, data network, or data system, including via electronic means.
"Cybercrime" includes crimes of this chapter.
"Data" means a digital representation of information, knowledge, facts, concepts, data software, data programs, or instructions that are being prepared or have been prepared in a formalized manner and are intended for use in a data network, data program, data services, or data system.
"Data network" means any system that provides digital communications between one or more data systems or other digital input/output devices including, but not limited to, display terminals, remote systems, mobile devices, and printers.
"Data program" means an ordered set of electronic data representing coded instructions or statements that when executed by a computer causes the device to process electronic data.
"Data services" includes data processing, storage functions, internet services, email services, electronic message services, website access, internet-based electronic gaming services, and other similar system, network, or internet-based services.
"Data system" means an electronic device or collection of electronic devices, including support devices one or more of which contain data programs, input data, and output data, and that performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control. This term does not include calculators that are not programmable and incapable of being used in conjunction with external files.
"Electronic tracking device" means an electronic device that permits a person to remotely determine or monitor the position and movement of another person, vehicle, device, or other personal possession. As used in this definition, "electronic device" includes computer code or other digital instructions that once installed on a digital device, allows a person to remotely track the position of that device.
"Identifying information" means information that, alone or in combination, is linked or linkable to a trusted entity that would be reasonably expected to request or provide credentials to access a targeted data system or network. It includes, but is not limited to, recognizable names, addresses, telephone numbers, logos, HTML links, email addresses, registered domain names, reserved IP addresses, user names, social media profiles, cryptographic keys, and biometric identifiers.
"Malware" means any set of data instructions that are designed, without authorization and with malicious intent, to disrupt computer operations, gather sensitive information, or gain access to private computer systems. "Malware" does not include software that installs security updates, removes malware, or causes unintentional harm due to some deficiency. It includes, but is not limited to, a group of data instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to infect other data programs or data, consume data resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the data, data system, or data network.
"White hat security research" means accessing a data program, service, or system solely for purposes of good faith testing, investigation, identification, and/or correction of a security flaw or vulnerability, where such activity is carried out, and where the information derived from the activity is used, primarily to promote security or safety.
"Without authorization" means to knowingly circumvent technological access barriers to a data system in order to obtain information without the express or implied permission of the owner, where such technological access measures are specifically designed to exclude or prevent unauthorized individuals from obtaining such information, but does not include white hat security research or circumventing a technological measure that does not effectively control access to a computer. The term "without the express or implied permission" does not include access in violation of a duty, agreement, or contractual obligation, such as an acceptable use policy or terms of service agreement, with an internet service provider, internet website, or employer. The term "circumvent technological access barriers" may include unauthorized elevation of privileges, such as allowing a normal user to execute code as administrator, or allowing a remote person without any privileges to run code.
A person is guilty of computer trespass in the first degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another; and
The access is made with the intent to commit another crime in violation of a state law not included in this chapter; or
The violation involves a computer or database maintained by a government agency.
Computer trespass in the first degree is a class C felony.
[ 2016 c 164 § 4; ]
A person is guilty of computer trespass in the second degree if the person, without authorization, intentionally gains access to a computer system or electronic database of another under circumstances not constituting the offense in the first degree.
Computer trespass in the second degree is a gross misdemeanor.
[ 2016 c 164 § 5; ]
A person is guilty of electronic data service interference if the person maliciously and without authorization causes the transmission of data, data program, or other electronic command that intentionally interrupts or suspends access to or use of a data network or data service.
Electronic data service interference is a class C felony.
[ 2016 c 164 § 6; ]
A person is guilty of spoofing if he or she, without authorization, knowingly initiates the transmission, display, or receipt of the identifying information of another organization or person for the purpose of gaining unauthorized access to electronic data, a data system, or a data network, and with the intent to commit another crime in violation of a state law not included in this chapter.
Spoofing is a gross misdemeanor.
[ 2016 c 164 § 7; ]
A person is guilty of electronic data tampering in the first degree if he or she maliciously and without authorization:
[Empty]
Alters data as it transmits between two data systems over an open or unsecure network; or
Introduces any malware into any electronic data, data system, or data network; and
[Empty]
Doing so is for the purpose of devising or executing any scheme to defraud, deceive, or extort, or commit any other crime in violation of a state law not included in this chapter, or of wrongfully controlling, gaining access to, or obtaining money, property, or electronic data; or
The electronic data, data system, or data network is maintained by a governmental [government] agency.
Electronic data tampering in the first degree is a class C felony.
[ 2016 c 164 § 8; ]
A person is guilty of electronic data tampering in the second degree if he or she maliciously and without authorization:
Alters data as it transmits between two data systems over an open or unsecure network under circumstances not constituting the offense in the first degree; or
Introduces any malware into any electronic data, data system, or data network under circumstances not constituting the offense in the first degree.
Electronic data tampering in the second degree is a gross misdemeanor.
[ 2016 c 164 § 9; ]
A person is guilty of electronic data theft if he or she intentionally, without authorization, and without reasonable grounds to believe that he or she has such authorization, obtains any electronic data with the intent to:
Devise or execute any scheme to defraud, deceive, extort, or commit any other crime in violation of a state law not included in this chapter; or
Wrongfully control, gain access to, or obtain money, property, or electronic data.
Electronic data theft is a class C felony.
[ 2016 c 164 § 10; ]
A person who, in the commission of a crime under this chapter, commits any other crime may be punished for that other crime as well as for the crime under this chapter and may be prosecuted for each crime separately.
[ 2016 c 164 § 11; ]
**
A person commits the crime of cyberstalking if, without lawful authority and under circumstances not amounting to a felony attempt of another crime:
The person knowingly and without consent:
Installs or monitors an electronic tracking device with the intent to track the location of another person; or
Causes an electronic tracking device to be installed, placed, or used with the intent to track the location of another person; and
[Empty]
The person knows or reasonably should know that knowledge of the installation or monitoring of the tracking device would cause the other person reasonable fear;
The person has notice that the other person does not want to be contacted or monitored by him or her; or
The other person has a protective order in effect protecting him or her from the person.
[Empty]
It is not a defense to the crime of cyberstalking that the person was not given actual notice that the other person did not want the person to contact or monitor him or her; and
It is not a defense to the crime of cyberstalking that the person did not intend to frighten, intimidate, or harass the other person.
[Empty]
Except as provided in (b) of this subsection, a person who cyberstalks another person is guilty of a gross misdemeanor.
A person who cyberstalks another person is guilty of a class C felony if any of the following applies:
The person has previously been convicted in this state or any other state of any crime of harassment, as defined in RCW 9A.46.060, of the same victim or members of the victim's family or household or any person specifically named in a protective order;
There is a protective order in effect protecting the victim from contact with the person;
The person has previously been convicted of a gross misdemeanor or felony stalking offense for stalking another person;
The person has previously been convicted of a gross misdemeanor or felony cyberstalking offense for cyberstalking another person;
v.(A) The victim is or was a law enforcement officer; judge; juror; attorney; victim advocate; legislator; community corrections officer; employee, contract staff person, or volunteer of a correctional agency; court employee, court clerk, or courthouse facilitator; or employee of the child protective, child welfare, or adult protective services division within the department of social and health services; and
(B) The person cyberstalked the victim to retaliate against the victim for an act the victim performed during the course of official duties or to influence the victim's performance of official duties; or
vi. The victim is a current, former, or prospective witness in an adjudicative proceeding, and the person cyberstalked the victim to retaliate against the victim as a result of the victim's testimony or potential testimony.
The provisions of this section do not apply to the installation, placement, or use of an electronic tracking device by any of the following:
A law enforcement officer, judicial officer, probation or parole officer, or other public employee when any such person is engaged in the lawful performance of official duties and in accordance with state or federal law;
The installation, placement, or use of an electronic tracking device authorized by an order of a state or federal court;
A legal guardian for a disabled adult or a legally authorized individual or organization designated to provide protective services to a disabled adult when the electronic tracking device is installed, placed, or used to track the location of the disabled adult for which the person is a legal guardian or the individual or organization is designated to provide protective services;
A parent or legal guardian of a minor when the electronic tracking device is installed, placed, or used to track the location of that minor unless the parent or legal guardian is subject to a court order that orders the parent or legal guardian not to assault, threaten, harass, follow, or contact that minor;
An employer, school, or other organization, who owns the device on which the tracking device is installed and provides the device to a person for use in connection with the person's involvement with the employer, school, or other organization and the use of the device is limited to recovering lost or stolen items; or
The owner of fleet vehicles, when tracking such vehicles. For the purposes of this section, "fleet vehicle" means any of the following:
One or more motor vehicles owned by a single entity and operated by employees or agents of the entity for business or government purposes;
Motor vehicles held for lease or rental to the general public; or
Motor vehicles held for sale, or used as demonstrators, test vehicles, or loaner vehicles, by motor vehicle dealers.
[ 2021 c XXX § 3; ]**