Rather Than Fix The CFAA, House Judiciary Committee Planning To Make It Worse… Way Worse

from the are-they-just-fucking-with-us? dept

So, you know all that talk about things like Aaron’s Law and how Congress needs to fix the CFAA? Apparently, the House Judiciary Committee has decided to raise a giant middle finger to folks who are concerned about abuses of the CFAA. Over the weekend, they began circulating a “draft” of a “cyber-security” bill that is so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA. Rather than fix the CFAA, it expands it. Rather than rein in the worst parts of the bill, it makes them worse. And, from what we’ve heard, the goal is to try to push this through quickly, with a big effort underway for a “cyberweek” in the middle of April that will force through a bunch of related bills. You can see the draft of the bill here (or embedded below. Let’s go through some of the pieces.

Adds computer crimes as a form of racketeering

The bill adds to the current definition of “racketeering activity” so that it would now link back to the CFAA, such that if you are found to violate the CFAA as part of an activity that involves a variety of other crimes, you can now also be charged with racketeering. More specifically, if you look at that long list of related statutes in the definition to 18 USC 1961 (1), it will also include: “‘section 1030 (relating to fraud and related activity in connection with computers).” Basically, this just gives the DOJ yet another tool to use against “computer criminals” when they want to bring the hammer down on someone they don’t like. Not only could you be charged with computer fraud, but now racketeering as well. Because, you know, all you hackers are just like the Mob.

Expanding the ways in which you could be guilty of the CFAA — including making you just as guilty if you plan to “violate” the CFAA than if you actually did so

Section 103 of the proposed bill makes a bunch of “changes” to the CFAA, almost all of which expand the CFAA, rather than limit it. For example, they make a small change to subsection (b) in 18 USC 1030 (the CFAA) such that it will now read:

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

All they did was add the “for the completed offense,” to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something (“conspires to commit”) that violates the CFAA shall now be punished the same as if they had “completed” the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become. Now if you talk with others about the possibility of violating a terms of service — say, talking to your 12 year old child about helping them sign up for Facebook even though the site requires you to be 13 — you may have already committed a felony that can get you years in jail. That seems fair, right?

Ratchets up many of the punishments

They change around a bunch of the “penalties” that you can get for various CFAA infractions, shaking up a variety of things and basically raising the maximum sentences available for certain infractions.

A very, very minor adjustment to limit “exceeding authorized access.”

This one is a very, very tiny step in the right direction, but just barely. Under the old CFAA, “accessing a computer without authorization” and “exceeding authorized access” were lumped together as a a form of breaking the law. The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the “crime” of exceeding authorized access. Now, to violate the law by “exceeding” authorized access, you’d have to get access to “information from any protected computer” (or financial institution or US gov’t agency) and the “value” of that info would need to be over $5,000 (who determines that?) and the access had to have been “committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information” and was committed “in furtherance of any criminal act.”

While it’s good to see them ever so slightly roll back the issue of “exceeding authorized access,” it still seems broad enough that all sorts of activities that shouldn’t be seen as criminal would easily get lumped in here by aggressive prosecutors. Rather than “streamlining” the bill and getting rid of the ridiculous “exceeds authorized access” trigger — as folks like Orin Kerr have suggested — this tends to just muddle matters even more.

Update: On second look, it turns out that this initial analysis was wrong. This part is worse too! More details here, but basically all those “and” statements are actually “or” which actually push back on how the courts have interpreted the CFAA… and make it worse

And… at the same time, they do something else to make “exceeding unauthorized access” worse. Which brings us to:

Expanding the definition of “exceeding authorized access” in a very dangerous way

That’s because the new bill says that you can exceed authorized access: “even if the accesser may be entitled to obtain or alter the same information in the computer for other purposes.” Yes, read that again. Even if you are allowed to obtain info via your authorization on your computer, they’re now saying that if you use that information in a way that runs afoul of the info above, you can be found to have exceeded authorized access.

Make it easier for the federal government to seize and forfeit anything

We’ve seen how federal seizure and forfeiture laws are frequently abused to seize goods, which the government claims are used in the commission of a crime (even if they never charge anyone for the crime). And we’ve seen, with cases like the Dajaz1 case, how the government will use such tools to take and censor websites on no actual basis. And now the CFAA will make it even easier for the government to do such things. It amends the existing sections to basically expand what can be forfeited, because it’s not like the government hasn’t abused that one before…

The rest of the bill deals with two other things: first a section on “cybersecurity” which includes punishment for those damaging “critical infrastructure” computers, another section that tells the courts to figure out how secure their computers are, and finally a part that creates a “National Cyber Investigative Joint Task Force,” to be led by the FBI, because they’re an unbiased party.

The final part of the bill relates to “breach notifications.” A number of states already have various laws in place that require companies and websites that have data breaches to inform impacted users. This creates a federal law that supersedes those state laws. You can read the details, but basically companies will have to let people (and other companies) know of such breaches within a short period of time — unless there are law enforcement or national security reasons to delay such notification. It also requires companies to tell the FBI or Secret Service of certain kinds of breaches. If companies don’t do this, they can be fined between $500,000 and $1 million — but only by the DOJ (i.e., individuals or companies can’t go after organizations for screwing this up).

Those last two sections are really somewhat unrelated to the rest of the CFAA parts. But the CFAA parts are troubling. Rather than fixing the law, they’re expanding it so that computer “crimes” can be hit with racketeering charges, and expanding the general language and punishments for part of the bill. This is not a good thing. The fact that this is being passed around by the House Judiciary Committee suggests that it’s likely to be backed by HJC chair Bob Goodlatte, which is unfortunate. You would have hoped that Goodlatte and others on the HJC would recognize that now is the time to fix the CFAA, not to make it worse.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Rather Than Fix The CFAA, House Judiciary Committee Planning To Make It Worse… Way Worse”

Subscribe: RSS Leave a comment
Ninja (profile) says:

Goodlatte seems to be involved in a lot of bad stuff (he did use SOPA as some sort of key point to his campaign if memory serves).

In any case, do we need any more evidence that the US is no different from any dictatorship out there? In fact it’s worse because it disguises its true intentions as some fake democracy and ‘freedom fighter’.

It’s really sad.

Mark Harrill (profile) says:

Re: Thoughtcrime?

I was going to say the same thing based on this section:

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

So if I read this right, if I sit around with my friends and we talk about robbing a physical bank location (for example), we haven’t committed a crime UNTIL we try to rob the bank. On the other hand if we talk about robbing a bank via its website, we have already committed a crime just by talking?

Anonymous Coward says:

Re: Re: Thoughtcrime?


Now let’s apply the “Might as well be hanged for a sheep as a lamb” principle. If you happen to have an idle conversation about robbing a bank via its website and you are already held liable for robbing said bank, there is very little reason to not go ahead and actually commit it.

Brandon Rinebold (profile) says:

Re: Re: Thoughtcrime?

No. You would only be guilty of it if one of your buddies actually does rob them via their website.

The goal of raqueteering laws is to be able to punish people who help plan and organize crimes without actively committing them directly. The lack of such laws made it effectively impossible to take down the organized crime families because all the really important people never did anything illegal themselves and there were always more desperate mooks to handle the dangerous work regardless of how many were arrested.

Terry (profile) says:

Re: Re: Thoughtcrime?

no that isn’t what the law says and I’m guessing you don’t understand what it means to conspire. If you and your buddy are sitting at lunch and he says to you ‘Wouldn’t be fun to rob that bank over there, we should do it’, guess what that’s not a crime. However if you and your buddy get together plan out the robbery, get plans to the bank, stake it out and get schedules, but ski masks, steal a get away car and set a time to do it….guess what you conspired to rob the bank you you just broke the law. If you you get pulled over on the way to the bank and the police see the ski masks and bank plans in the back seat and after talking to you find out you were on your way to rob the bank then you are going to jail even though you didn’t rob the bank.

Anonymous Coward says:

seems to me that the government want to put everyone in jail except those it doesn’t want in jail. i find it so hard to understand where the purposes of the USA went wrong, who started the downward spiral and why no one is trying to stop it from becoming a modern day ‘Fascist Germany’. what on earth is wrong with these politicians? why do they think that everyone has to be classed as or actually is a criminal? if they are so scared that this is the case, why dont they go to live in a country that already is or acts as they want? why dont those that elected the ones pushing for this crap do something about it?

Anonymous Coward says:

Re: Re:

Its all about the generation gap.

The young and the old have quarreled since the stone age, its nothing new.

However, since the invention of the computer, and the meteoric rise of technology in such a short time, this gap has been greatly widened.

Perhaps at no time in human history has there been a greater divide between young and old. The old legacy players and the politicians are downright terrified of technology, terrified because they do not understand it.

The Old Man in The Sea says:

Re: Re: Generation gap - what a load of rot

It has nothing whatsoever to do with whether or not you are young or old. I have children and grand-children and I have better relationship with them today than I would have had two decades ago.

This is fully about who your paymaster is.

These turkeys are paid to do whatsoever their paymasters want and in this case it is all about control and power.

I live in a country that was built on convicts and as far as most of our governmental structures are concerned the majority of the population still is. Your nation is only just catching up.

You stopped being the land of the free decades ago, you are only just seeing the obvious results of that process now. If you think this is bad now, just wait for what is coming.

This is the obvious reaction to the little tantrum raised over the SOPA et al bills. You are quite bluntly being told to be good little children, be quiet and go to your rooms, they don’t want to hear anymore from you naughty little brats. Those who are in control think they know better than anyone else. Everyone else is considered ignorant and are children in their eyes.

Anonymous Coward says:

Re: Re: Re: Generation gap - what a load of rot

I think that you are missing something:

Sure politicians, follow their paymasters, but who do the paymasters follow? They follow power, and the fear of losing that power to that which they do not understand.

Its already well known that those running the organizations at the top tend to be: older, out of touch, ignorant of technology, and unwilling to admit their mistakes (looking at you Chris Dodd). Of course this is hardly universal, but is more common than it should be.

Despite being “The old man in the sea” you seem to be a rather enlightened individual, and what you say is true, the generation gap is not the whole story, but its a good chunk of it.

Doc Savage says:

Re: Re: Re: Generation gap - what a load of rot

You are absolutely correct. This new administration is only exacerbating what was started by the previous administration. Sad thing is, that it really doesn’t matter who is the head of our country. The president is only a mouth piece anymore. The last two we’ve had have not been leaders.

It’s not too late for us to take back and right the ship. I do fear though that this may come to a second civil war.

I love the rhetoric of the people claiming about “facist Germany”. Those are generally the people that voted for the idiots that are running and doing this. Left or Right, we need to clean house.

Anonymous Coward says:

Re: Re: Re:

what is more frightening than them not understanding it is that they still control access to it. anyone that questions them are hit by changes in law like we are seeing now. they are definitely trying to make things worse and it is out of revenge for people, including some senators, having the gall to question the existing laws! this behaviour is no different to the entertainment industries. the total fear of what they dont understand being enhanced by the locking down and prevention of everyone from progressing, even adapting or changing things! pathetic! stupid old farts want deposing as soon as possible! i just hope that when elections come around, people vote more wisely than they have up til now and get some freshh blood into the fold!!

Anonymous Coward says:

Re: Re: Re: Re:

Congress essentially is the entertainment industry, Hollywood probably has de-facto control over 1/2 to 2/3 of seats in both the house and the senate. They also hold considerable sway over the supreme court, and the executive (and the cabinet-level departments) is/are practically their mouthpiece.

Mabye I’m full of sh#t, actually, I hope I am, because its staggering to me just how much control they have.

MonkeyFracasJr (profile) says:

Re: Re: Re:

I must agree with several others here, it is not a generational issue. What I think you were attempting to describe is an opposition of two world views. I agree that largely the two views are composed of people of different generations, but the views are not a result of their generations. Some have pointed out the for many the worldview they have chosen is a result of where they derive their livelihood.

To sum up; To be old or young, by itself, does not give you a worldview for or against technology.

Anonymous Coward says:

Re: Re: Re: Re:

Now that I’ve been thoroughly refuted… I think I can see your point, there are plenty of younger people who are just as clueless, and vice-versa.

Maybe, its more about how technology is perceived by those not in the know. Certainly Hollywood has had a hand in this, real hackers for instance are usually not anything like their counterparts in the movies and TV-shows. However things like that help to spread the notion that computers are scary, and hackers are going to take over the world.

Furthermore, people who are proficient at IT tend not to choose to become lawyers or politicians. So we end up with people in charge of technology, who do not understand it and have a distorted view of it.

In the end, its a trade off: If we had a congress of nothing but programmers, we would never have a problem with IT or copyright. However, congress’s handling of other issues would be a mess. So we have a government of people in the middle of the road, without too much specialized knowledge in one area.

The problem is that its difficult to comprehend rapidly-changing technology without specialized knowledge.

phatkhat (profile) says:

Re: Re: Re:

I think you might be on to something, but there’s more to it than that. LOL, I’m old – I used a Wang back in the 80s. Learned to use a computer running on DOS, and my first home computer had 2 5-1/4 floppy drives and no hard drive. (I put one in.) When Windows came out, I didn’t like it – liked my DOS, LOL. Had more control.

But enough with war stories. Not ALL old people are technophobic. I keep up with computers really well, though I admit my smart phone is smarter than I am at times. I love technology, and what it allows us to do – as do many other old progressives.

Please don’t drive more wedges. There are enough already. It is going to take all of us – old, young, black, white, brown, male, female, straight and LGBT – to try to turn the ship around, and it isn’t gonna be easy.

It isn’t, I think, that the old white boy club is technophobic themselves, but rather, that they see a weapon in the hands of the rest of us. Could the Arab Spring have happened without cell phones and social networking? They want to preempt that power, and it has more to do with being a 1%er than being old, I think.

My 2 cents worth from an old lady, LOL.

anarcho (profile) says:

Re: Why Don't The Ones Who Elected...

“… why dont those that elected the ones pushing for this crap do something about it?”

The fact of the matter is that the ones who elected are not the ones with the power, in the sense of pulling electoral levers, etc. It is moneyed interest that made these ones elected visible and electable, the ones who voted for them were just given a choice between several sold out to big money options. They do not serve you, and the reason why they are doing this is that those with the moneyed interest expect them to “protect” their interest.

Second, all of this CFAA fervor is the result of some pulling back the curtain on the “wizard.” They fear for their positions and powers, because their positions and powers have always relied on screwing the American Public behind “closed doors” so to speak – but recently their dirty underwear has been displayed for everyone to see. What is the dirty underwear? What I have been writing about, how they do not serve you – the pipe dream is over, even the very pretense of serving the people is dead. Game over – no more ability to solely serve that moneyed interest in darkness (or shade), the sunlight has been turned on and the vampires are self-destructing. But they want to keep the game going, even if it means the total destruction of anything that ever resembled the United States (because a lot of it was BS). They have to criminalize to make their attack on the American people look like they are fighting a “crime wave,” and not destroying the peoples displeasure and dissent – because that is what exposing them was all about. Now you can either wake up, you know, like Neo in the Matrix or opt for blissful enslaved ignorance –


Anonymous Coward says:

Re: Re:

What the hell’s going on? Everything.

They’re becoming everything they’re declaring war on (not to mention what their ancestors killed): Iran, North Korea, Syria, etc. When I wake up every morning, I always wonder if I’m still in the USA and not any of these countries. It’s telling when yesterday’s human rights violation became today’s standard procedure.

Their empire is sinking, and their attempts at disarming the populace (if this gun ban doesn’t work, then this ammo shortage will) and the desire to turn everyone into criminals overnight (did you pay with cash? you might be a terrorist) are obvious signs.

And the worst part: they want you to take you with them.

Anonymous Coward says:

I’m reminded of the Dilbert cartoon where you’re given two choices. The choice you want to pass and the extremely bad choice to reject so you give the appearance of choice.
First we have a bad bill that they want to pass but critics reject, so they present an even worse bill so the critics can feel better about the lesser bad bill passing.


anonymouse says:


Are all of these laws eventually going to backfire, i mean you cant have the majority of the population declared criminals , that will just not resolve some of the smaller problems n the internet. There will eventually be a backlash to this, people will demand that all laws that are just crazy like this one be stricken from the law books. Remember it only takes one person to get people behind him to create a change.

Anonymous Coward says:

Re: Re: ?????????

“Off topic: I just watched Firefox (1982), and the inspection at the airport and subway just looked similar to a TSA inspection ^^.”

(Drifting further off-topic): I’ve been using Firefox all morning and I haven’t noticed anything weird of that nature.

What extensions are you using?

Anonymous Coward says:

Re: Re: Re: Re:

1) I use Google doc to keep a list of all the people who’ve paid protection money to me and my crew.

This is a regular protection racket it just happens to use a computer, it is already covered by law and needs no additional protection. (the crime would be no different if I logged it all with a pen and paper instead of the internet)

2) I use a password that should have been revoked when I left my previous employer to access records.

Oooops I violated a badly worded IT security bill, I have not been collecting protection money this time but due to the vaguely worded bill a prosecutor may go after me for hacking crimes + a racketeering charge.

Dave Xanatos (profile) says:

Re: Re: Re:3 Re:

Yes. But you are already ignoring someone who, against his better judgement I’m guessing, gave you serious replies.

Besides, burden of proof is on you. Explain why racketeering laws should be applied to crimes that used a computer irrespective of their relation to what was previously regarded as racketeering. Use examples based in reality, please.

Anonymous Coward says:

Re: Re: Re: Re:

  1. Racketeers are racketeering. They don’t use computers. They can be charged with racketeering.
  2. Other racketeers are also racketeering. They use computers. They can be still charged with racketeering.
  3. People who aren’t racketeers are not racketeering. They use computers. They cannot be charged with racketeering.

    This is the current state of affairs. The CFAA would replace the word “cannot” in example #3 with the word “can”.

Wally (profile) says:

Re: Re: Re: Re:

After reading the draft most of those provisions are reasonable. IF you are a security firm and people pay you for protection, that is already covered by current applicable laws pertaining to racketeering. If you use your security force in a criminal way, that is racketeering. It should be fairly obvious whether or not a cyber security firm or a sysadmin aren’t violating the law. The problem is that there are security firms, such as CyberDefender, who racketeer online through fraud and the only way to currently punish them is to fine such businesses. No jail time at all.

Josh in CharlotteNC (profile) says:

Re: Re: Re:

These businesses still operate because the only thing that could stop them from scamming people online does not currently exist in any other applicable business laws.

And adding racketeering to the CFAA will fix that?

Here’s a news flash for you. The virus scams are already committing fraud. The FTC goes after them already for that, and occasionally can track them down well enough to prosecute. Many still exist not because we lack laws to go after them for violating, but because there are so many and can be so difficult to track down.

Wally (profile) says:

Re: Re: Re: Re:

Currently all the FTC can do is basically slap them on the wrist and fine them. They get minimal sentences because they are using computers and all theses people have to do to get away with (without getting jail time) it is to claim that they are online entrepreneurs. This problem makes peole think that everything online is a scam and hurts business for those who have a code of ethics and do not scam their customers. It shouldn’t be that difficult to try to prove your practice is legitimate online.

Section 106 of this draft was inserted by the Attorney General’s office and the outrage that I think that should be focused. The DOJ is asking for jurisdiction over the internet….and wants their own task force outside the NSA and the US Secret Service. They want their own power in it and that alone is what concerns me.

Val says:

Re: Re:

Come on, really now? Do you really think having a legal machine gun, even in every single American home will be anything but a minor setback to a military as big and well armed as the US Army. If your gov wants to completely take over your lives it will do so in the same manner it has been doing it for the last decade or two – slowly smothering you while whispering comforting words in your ear, until you have no strength to struggle and give in.

Anonymous Coward says:

Re: They are scared

I figured that out around the time they rushed through that bill that let them order the army to attack civilians.

I can’t wrap my head around the way these politicians’ minds work. They know everyone hates them for what they’re doing, but they keep doing it. They’d rather wallow in paranoia than give up control.
What’s the point of having absolute power if you can’t get a good night’s sleep?

artp (profile) says:

Re: Re: Too late

It has happened before.




I remember walking around DC looking at all the tanks and half-tracks and soldiers on every traffic circle.

I stopped by Kent State this last summer on my way back from my son’s graduation. There is a bullet hole in a sculpture on the campus from a round fired by the National Guard. What I never realized before is that the hole is in an I-beam that is approximately one quarter inch thick. It was a .30 caliber magnum round. It was used against US citizens who were also students, and some of whom were not yet adults. I think the legal age then was 21, so most of them were minors.

Those who do not fight for freedom will lose it.

RadialSkid (profile) says:

Re: Re: Re:2 Too late

I don’t know of a .30 Magnum pistol cartridge. The FBI were issued .38 Specials and .357 Magnums at the time…specifically, the Smith & Wesson models 10 and 19.

The National Guard troops at Kent State were using M1 Garand rifles, which were chambered for .30-06 Springfield. This is the type of round embedded in the statue artp mentioned.

Wally (profile) says:

Re: Re: Re:3 Too late

Damn you are correct….the story about the blind audiophile is true…I got the caliber of an FBI issued .38 Special revolver 🙂 The first shot fired almost sounded like a cannon and I know from personal experience that the Ohio National Gaurd troops were issued .30-06 rifles. They are much louder than what one would hear from the comparative pop of a .38 pistol.

Wally (profile) says:

Re: Re: Re:4 Too late

You’re picking on an honest mistake. I watched one of those National Geographic specials on TV concerning Kent State. I had trouble remembering the exact gun so I gave my best guess. RadialSkid primered my memory and in Ohio, in the 1960s and 1970s, the FBI field agents were issued .38 specials…which happen to be revolver pistols. On the Kent State footage there is a sound just before the Ohio National Guard starts firing…a sort of puffing/popping sound. That is not a .30-06 (30 ott. 6), it’s the .38 special and it was a unique, slightly higher grained custom order of the .38 special.

Anonymous Coward says:

Like many RICO beefs the government brings against people it all depends on the circumstances.
Take for example Aaron Swartz it would be impossible to build a RICO case against him for actions over a 10 year period.

That aside I don’t think that the feds need any more laws to go after people than they already have.
Further I think that many of the laws should be rescinded if they are not used except sporadically to inflict prosecutorial scorched earth actions.

Wally (profile) says:

On a more serious note about racketeering online, I should point out that this only makes it illegal for businesses such as Doublemyspeed and pretty much any other CyberDefender operation to operate. The current law only extends to business practice laws that have nothing to do with computers. That is why CyberDefender still exists.

It makes it tougher on anyone trying to scam another person but the way it is written….it seemingly also makes this new bit open to abuse.

Racketeering, by definition, is making money from crimes committed while operating a legitimate business and using said business as a front for said criminal activities.

Just for an example, assuming abuse of power doesn’t happen, WiseGeek has a pretty good explanation:

Many criminal acts can be included in this category, including theft and fraud against businesses or individuals. Governments can be victimized by racketeering by groups that counterfeit money and trade in untaxed alcohol. Providing illegal services, such as prostitution or drug trafficking, are also a form of racket. Racketeering also takes place among legitimate businesses or labor unions, where it is sometimes referred to as white-collar crime, and can include acts such as extortion and money laundering.


So any program run by Cyberdefender like MyCleanPC or DoubleMySpeed are affected. That is only an example.

Anonymous Coward says:

This is comical. They KNOW this bill is bad and know that no one wants it. I don’t think they’re serious but it does make a statement and it’s: “If you thought SOPA was bad trust us we can do MUCH worse.”

It’s a scare tactic but we should sound the horn none the less to remind them that we won’t take this lying down.

Anonymous Coward says:

It seems like this laughable piece of FUD:

Now if you talk with others about the possibility of violating a terms of service — say, talking to your 12 year old child about helping them sign up for Facebook even though the site requires you to be 13 — you may have already committed a felony that can get you years in jail. That seems fair, right?

Is contradicted by this:

The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the “crime” of exceeding authorized access. Now, to violate the law by “exceeding” authorized access, you’d have to get access to “information from any protected computer” (or financial institution or US gov’t agency) and the “value” of that info would need to be over $5,000 (who determines that?) and the access had to have been “committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information” and was committed “in furtherance of any criminal act.”

By the way, you forgot to shriek: “This will break the internet”. Otherwise, it’s a FUD masterpiece.

Anonymous Coward says:

Re: Re: Re:

I’m saying that signing up an underaged kid for a Facebook account is not this:

accessing “information from any protected computer” (or financial institution or US gov’t agency) and the “value” of that info would need to be over $5,000 (who determines that?) and the access had to have been “committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information” and was committed “in furtherance of any criminal act.

Maybe you can explain how it is; Masnick has failed miserably.

Anonymous Coward says:

Re: Re: Re:2 Re:

You are fucking nuts. How does this apply to the 12 year old on Facebook (and the parent they conspired with:

access had to have been “committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information” and was committed “in furtherance of any criminal act.

Isochronous says:

Re: Re:

Well, except they misinterpreted that second section. If you review the current text of the law and the way it’s been interpreted, those passages without conjunctions have been interpreted as “or” instead of “and.” The bolded AND bits were added by the author of this article, as they do not appear in the original legislation. Following the precedent of the cases that have used the CFAA, it’s more likely that the passage would be interpreted as:

You’d have to get access to “information from any protected computer” OR the “value” of that info would need to be over $5000 OR the access had to have been “committed for purposes of obtaining sensitive or non-public information of an entity or another individual…” OR was committed “in furtherance of any criminal act.”

Wally (profile) says:

Subsection 2 paragraph (j) (on page 9) merely protects the rights of the individuals who unwittingly or unknowingly set up their computers to carry out attacks. So only one person can be charged at a time. It also makes it illegal to pay people to run hacks against other businesses…..something that Direct TV had done for years….

Page 10 Line 14 through Page 11 Line 10 makes DDOS attacks illegal when they disrupt critical systems pertaining to various businesses.

Page 11 Line 8 onwards involve disruption in communications on government computers.

These suggestions are clearly started and pertains to nothing thus far that Aaron Swartz actually did. This is the same Judiciary oversight committee who grilled attorney General Eric Eric Holder. Their job is to look at the rights of businesses and individuals on all sides when new laws are being drafted.

Page 12 protects the rights of individuals who have been convicted of other unrelated crimes in the past….even if you are on probation for other crimes, this sentencing process will only pertain to violations of the CFAA. You cannot get punished double time. However, if you are on probation concerning a violation of the CFAA, it is treated as a normal probationary hearing where you make your case to the judge as to the necessity of violating your probation. This brings the CFAA to modern law.

Those are all fine…however….Section 106 of this draft (Page 13 Line 20) is in fact the evil bit written in by the attorney general’s office. The FBI is the current task force and are far more reliable and reasonable than the DOJ. The Judiciary Oversight Committee is getting Eric Holder’s middle finger here.

The issue I have with Title II Subsection 201 (Page 14 line 3) is that it is a mess in diagnosis. It is clearly needed because neither Apple nor Google (does this make me a Microsoft fanboy because I criticized both my “beloved” Apple and Google at the same time??) have been entirely good at reporting security flaws to their customers when they are discovered. While the demand for transparency is generally good, it is also terribly bad because 14 days is sometimes not enough to thoroughly check out a problem. Android’s various security flaws (if any) are usually found and fixed by users of Android and what compounds the problem is that these security holes in Android, at times, have been on the manufacturer’s instruction set (the Samsung Galaxy S3’s Xenos Processor was a notable issue). Apple’s issue was complacency and was a major problem until the Flashback virus appeared, but they still don’t understand these issues as well.

This all seems just fine until Title 1 section 106 onward…that is the only thing I have major issues with that I have had the energy to look through so far. Section 106 gives the Attorney General too much power, and Title II makes proper security disclosure impossible (14 days to report??? Seriously???).

Lurker Keith says:

I know how to stop this!

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

I know an easy way to stop this! We have to point this out to someone Congress will listen to.

Stay w/ me…

Since just thinking about violating the CFAA would be a crime, wouldn’t this affect writers? (they have to think like the bad guys for TV & movies — this would probably affect the next Oceans or Bond movie) Let’s point that out to the MPAA, that plots would be covered, & let them take care of this for us?

Hollywood has to be good for something, even if we have to engineer that something.

Wally (profile) says:

Re: I know how to stop this!

Ian Flemming made a really good point in Bond though (and predicted the future somewhat eerily enough). In a nutshell this an age where we are striving to share our lives with the ENTIRE FREAKING WORLD. There are those waiting in the shadows who will take advantage of us. We need shadows to fight them, otherwise it leaves us vulnerable.

Anonymous Coward says:

Well what do you expect from a House that wasn’t chosen by a majority of the American people?

Democrats running for the house got over a million more votes then republicans running for the house, even if you exclude all races where a candidate ran unopposed because the district was so badly gerrymandered. Yet republicans have around a 20 seat majority, just what the people wanted right?

It’s only fitting that such a house would decide “screw the American people and what they want” on CFAA.

Alpha Crucis Radio (user link) says:

I wonder if this could be what kills the VPN and proxy industry without any specific law banning VPN.

There are some corporate network admins that have not only wanted to criminalise bypassing the corporate firewall and/or looking at banned websites, but also want to crminalise VPN or proxy providers who services just happen to be used to conceal internet activity from the boss. Basically, there those who do not want CDA 230 and/or DMCA 512 to apply, if a service is used by someone at work. I used to lock horns with the denizens of comp.security.firewalls over this.

And this would also apply to VPN and proxy providers outside the US, if some of the netowrk admins that used to inhabit comp.security.firewalls had their why.

This would be something nearly impossible for VPN and proxy providers to police, particularly if the content being accessed is otherwise lawful.

They would also, if they had their way, outlaw web sites blocking, at the firewall level, filtering vendors from accessing and categorising sites for blocking lists. I do that now with my online radio station, so that it is not blocked in most workplaces. Might we see something like that in the new CFAA?

So don’t be surprised if some of this ends up in the new CFAA.

Alpha Crucis Radio (user link) says:

Re: Re:

As an aside, I run a public HTTP proxy and a VPN, using SoftEther, but I block porn, gambling, warez, P2P filesharing, and hate speech. Bascically, I allow people to get past corporate firewalls so they can get internet radio, becuase I see nothing wrong with internet radio at work, as long as your work is getting done. In short I provide a way to get past corporate firewalls, but also block content that is definitely inappropriate the workplace, such as the afforementioned categories I block.

I would not be surprised if the the new CFAA were to make me a felon just for merely providing the service.

Brandon Rinebold (profile) says:

Re: Re: Re:

The issue with Internet radio is that it often runs over port 80 and therefore is excessively difficult to QoS efectively so that it does not interfere with other users on the network that acre trying to complete critical business functions.

Sysadmins wouldn’t mind it so much if they’d run on a port that could conveniently be deprioritized but the current setup means they’re competing for bandidth with all of your actual business traffic.

At a bit over 64kb/s each, just 2 people on pandora can cripple a T1 line costing >$200/mo for 1.44mb/s.

Lincoln (profile) says:

So, you left out the most important part of this story: the names of the dumbfucks on the House Judiciary Committee.

Government is Evil!!!! Government is Evil!!!

Is techdirt owned by CNN, MSNBC, ABC, FOX, or NBC? Because you’ve followed precisely in their footsteps of providing all the information except what matters: WHO IS RESPONSIBLE. This can always be tied to name(s), but no one seems to give a shit about accountability in this country anymore.

. . . .but let jus a keep on a blamin’ the guvment

Anonymous Coward says:

Re: Re:

I disagree, who is involved there is not important at all.

It doesn’t matter who it is, the next batch of politicians would have done the same thing also.


Because there is a system in place that perpetuates the “old ways”, there is a system in place that more often than not leads to this kinds of actions.

So no, you can change the politicians all you want, if you didn’t change the support they count on it to make those decisions you changed nothing at all.

Politicians are sacrificial tokens, what you want is to find the ones behind it.

allen (profile) says:

Anti Whistle-Blower

This administration, despite being Democratic, is tougher on “whistle-blowers” than any other administration. This is the primary reason that not one politician has been indicted since Elizabeth Warren’s investigation began. Not one has even been questioned. Mr. Bernanke and Mr. Geithner should be on the stand answering the question of how MERS came to control 2/3 of the mortgages due for registration on county records in the U.S. Why, after New York courts have determined that these transactions are illegal, haven’t any mortgages been voided? Why has the Foreclosure Review Committee determined that it would be too burdensome to review these cases individually? Could it be that MERS has generated more mortgages than there are properties? The courts found the 67m illegal mortgages have been generated by MERS. The census say that there are only 75m mortgages in the U.S.

Anonymous Coward says:

Small government at work

It’s worth remembering that the current House Judiciary Committee, as is true of all current House committees, is controlled by the Republican Party, as is the House itself. So next time you hear that the Republican Party is the “party of small government”, you’ll know just how hard to laugh.

Emily Collins (user link) says:

Good Luck...

Even if Congress scales it back, Obama would never sign a bill that would restrict his power in any way, shape, manner or form.

He’ll be able to use this to go after political opponents, which is why you can expect it to pass both chambers and be signed into law as-is.

The one thing both parties agree upon is that there should be no limit to the power of almighty government and politicians who think they’re God.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...