House Bill Would Beef Up Controversial Hacking Law
The House Judiciary Committee is circulating a draft bill that would drastically strengthen the controversial Computer Fraud and Abuse Act, the same law that many digital-law and security experts say should be weakened or overhauled in the wake of the suicide of online activist Aaron Swartz.
The draft bill, meant to be a starting point for further discussion among committee members, could expand the definitions of existing digital crimes, add a new subsection to the criminal statutes established by the CFAA and create a federal law mandating data-breach notifications that would supersede all state laws.
It could also subject computer fraud to the RICO statutes, equating hackers with organized crime, and give the government the right to sue defendants for property deemed to be obtained through or used to commit computer fraud.
The CFAA has been revised at least seven times since it was first enacted in 1984. In most instances, definitions of crimes have been expanded and penalties made stiffer.
Reaction to the latest draft revision came swiftly today (March 25).
"This proposal is a giant leap in the wrong direction and demonstrates a disturbing lack of understanding about computers, the Internet and the modern economy," said David Segal, executive director of Washington, D.C., advocacy group Demand Progress, in a statement sent to the media.
"Already the outdated Consumer Fraud and Abuse Act is used by overzealous lawyers to prosecute routine computer activity," Segal said. "If enacted, this proposal could end computer-security research in the United States and drive innovation and creativity overseas."
As a preliminary draft, the bill does not bear authorship, and no committee member has been assigned to sponsor it. Proposed amendments and changes to the CFAA are offered only as possibilities, and their inclusion is not an indicator of their chances of becoming law.
The draft discussion bill comes about two months after committee chairman Bob Goodlatte, R-Fla., pledged to review the CFAA following Swartz's Jan. 11 suicide.
"We're looking at what occurred in specific instances and what needs to be done to make sure that the law isn't abused," Goodlatte told reporters on Jan. 22, according to The Hill.
Tough sentences for arguably minor crimes
Swartz, 26, was facing the possibility of decades in prison for rapidly downloading millions of academic-journal articles from a paid archive to which he had authorized access.
Swartz had been indicted on 13 criminal counts centering on the CFAA and had reportedly turned down a plea agreement that would have sent him to prison for seven years.
Last week, hacker and Internet "troll" Andrew "Weev" Auernheimer, 27, began serving a 41-month sentence after being convicted under the CFAA.
Auernheimer and an associate had collected private email addresses from an unprotected public AT&T website and had then given the list of email addresses to a journalist.
Digital-rights experts have argued that the CFAA's definition of unauthorized access to a protected computer is dangerously vague; many actions normally committed by computer-security researchers or even journalists could constitute crimes.
Earlier this month, CNET columnist Declan McCullagh showed how the first implementation of the CFAA was written as a reaction to the 1983 Matthew Broderick movie "WarGames," in which a teenage hacker dials into NORAD and almost triggers a nuclear war.
Experts argue that prosecutors deliberately confuse computer-security terms in bringing charges against defendants using the CFAA.
Former "most wanted hacker" Kevin Mitnick said that in the 1990s, prosecutors told the judge in his case that Mitnick could start a nuclear war by whistling launch codes into a pay phone.
Last week, Auernheimer's prosecutors told his judge they didn't understand computers, even as they recommended a stiffer sentence — because Auernheimer did understand them.
A bigger club to hit you with
The eventual bill would amend Section 1030 of the U.S. criminal code, the section created by the CFAA. As currently written, the draft would alter Section 1030 to state that an attempt to commit computer fraud would be punished as "for the completed offense."
That means that even if an act of computer fraud were to be unsuccessful, the act could be punishable as if the fraud had succeeded.
The draft includes a clause that would completely overhaul the section of the CFAA regarding maximum punishments, while increasing some potential sentences and fines.
For example, the maximum sentence for computer fraud resulting in financial loss of more than $5,000 would be raised from five to 20 years.
The draft would also expand the definition of "exceeds unauthorized access" so that a crime can be deemed to have been committed "even if the accessor may be entitled to obtain or alter the same information in the computer for other purposes."
That clause may be a direct strike at a 2011 federal appeals court ruling in U.S. v. Nosal, which ruled that employees of a company can't be prosecuted under the CFAA for violating company computer-use policies.
Other courts have found that the CFAA does apply in such situations. Last November, two Boston College business professors argued that reversing the Nosal ruling could mean, for example, that the CFAA could be used to prosecute employees for checking Facebook from the office.
The draft would add computer fraud to the list of crimes covered by the Racketeer Influenced and Corrupt Organizations Act, or RICO statutes.
Passage of that clause could make membership in a hacking crew or organization such as Anonymous or LulzSec akin to being a member of the Mafia. It could make communication or friendship with any member of those hacking groups, for example via email or Twitter, tantamount to membership in the groups.
Following a conviction, the current law regarding computer fraud entitles the government to seize property obtained through or used to commit the crime; the draft would give the government the right to sue a defendant for such property in a civil court.
Critical infrastructure and data breaches
The draft also adds two new sections that would greatly expand the scope of the CFAA to cover data breaches and attacks upon critical infrastructure.
Section 1030A would cover digital attacks upon computers used to maintain and regulate critical-infrastructure systems, defined here as vital gas, oil, electrical, water, transportation, financial, banking and telecommunication systems, as well as emergency services and essential government operations.
The critical-infrastructure section was apparently proposed by the Obama administration, which has been pressing for increased communications among government agencies and private owners of critical infrastructure.
The White House was also a strong backer of the Cyber Security Act of 2012, which would have mandated digital-security standards for private critical-infrastructure facilities, but which could not overcome a Republican filibuster in the Senate.
A corresponding House bill, the Cyber Intelligence Sharing and Protection Act, would create legal avenues for private companies to share data with the government, but the White House threatened to veto the bill after it passed the House last year. (It was recently reintroduced.)
The draft amendments to the CFAA would also create a federal law mandating that companies or other entities suffering a data breach notify affected customers or members within two weeks, except in such cases where notification "would impede a civil or criminal investigation" or "would threaten national or homeland security."
In the case of a "major security breach," one involving 10,000 or more individuals or information pertaining to the federal government, the company or entity would have to notify the FBI within 72 hours of learning of the breach.
The proposed federal law would supersede any existing state data-breach laws, which vary widely. It would not, however, supersede existing federal laws regarding data breaches at financial or insurance firms (the Gramm–Leach–Bliley Act of 1999) or at medical providers (the Health Insurance Portability and Accountability Act of 1996).