Location of the Perpetrator (Outside or Within US)

As shown in figures 3 and 4, if the initial computer intrusion is identified as coming from outside the United States, the DOD does not violate any US laws by tracing the computer attack back to its source. However, if at any point during the trace back, the intrusion uses a computer system located within the US, DOD officials are not authorized by US law under the Privacy Act to obtain information from that system. At this point, appropriate law enforcement agencies would have to acquire court orders to obtain further information leading to the identification of the perpetrator.