Rather Than Fix The CFAA, House Judiciary Committee Planning To Make It Worse… Way Worse
from the are-they-just-fucking-with-us? dept
So, you know all that talk about things like Aaron’s Law and how Congress needs to fix the CFAA? Apparently, the House Judiciary Committee has decided to raise a giant middle finger to folks who are concerned about abuses of the CFAA. Over the weekend, they began circulating a “draft” of a “cyber-security” bill that is so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA. Rather than fix the CFAA, it expands it. Rather than rein in the worst parts of the bill, it makes them worse. And, from what we’ve heard, the goal is to try to push this through quickly, with a big effort underway for a “cyberweek” in the middle of April that will force through a bunch of related bills. You can see the draft of the bill here (or embedded below. Let’s go through some of the pieces.
Adds computer crimes as a form of racketeering
The bill adds to the current definition of “racketeering activity” so that it would now link back to the CFAA, such that if you are found to violate the CFAA as part of an activity that involves a variety of other crimes, you can now also be charged with racketeering. More specifically, if you look at that long list of related statutes in the definition to 18 USC 1961 (1), it will also include: “‘section 1030 (relating to fraud and related activity in connection with computers).” Basically, this just gives the DOJ yet another tool to use against “computer criminals” when they want to bring the hammer down on someone they don’t like. Not only could you be charged with computer fraud, but now racketeering as well. Because, you know, all you hackers are just like the Mob.
Expanding the ways in which you could be guilty of the CFAA — including making you just as guilty if you plan to “violate” the CFAA than if you actually did so
Section 103 of the proposed bill makes a bunch of “changes” to the CFAA, almost all of which expand the CFAA, rather than limit it. For example, they make a small change to subsection (b) in 18 USC 1030 (the CFAA) such that it will now read:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
All they did was add the “for the completed offense,” to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something (“conspires to commit”) that violates the CFAA shall now be punished the same as if they had “completed” the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become. Now if you talk with others about the possibility of violating a terms of service — say, talking to your 12 year old child about helping them sign up for Facebook even though the site requires you to be 13 — you may have already committed a felony that can get you years in jail. That seems fair, right?
Ratchets up many of the punishments
They change around a bunch of the “penalties” that you can get for various CFAA infractions, shaking up a variety of things and basically raising the maximum sentences available for certain infractions.
A very, very minor adjustment to limit “exceeding authorized access.”
This one is a very, very tiny step in the right direction, but just barely. Under the old CFAA, “accessing a computer without authorization” and “exceeding authorized access” were lumped together as a a form of breaking the law. The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the “crime” of exceeding authorized access. Now, to violate the law by “exceeding” authorized access, you’d have to get access to “information from any protected computer” (or financial institution or US gov’t agency) and the “value” of that info would need to be over $5,000 (who determines that?) and the access had to have been “committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information” and was committed “in furtherance of any criminal act.”
While it’s good to see them ever so slightly roll back the issue of “exceeding authorized access,” it still seems broad enough that all sorts of activities that shouldn’t be seen as criminal would easily get lumped in here by aggressive prosecutors. Rather than “streamlining” the bill and getting rid of the ridiculous “exceeds authorized access” trigger — as folks like Orin Kerr have suggested — this tends to just muddle matters even more.
Update: On second look, it turns out that this initial analysis was wrong. This part is worse too! More details here, but basically all those “and” statements are actually “or” which actually push back on how the courts have interpreted the CFAA… and make it worse
And… at the same time, they do something else to make “exceeding unauthorized access” worse. Which brings us to:
Expanding the definition of “exceeding authorized access” in a very dangerous way
That’s because the new bill says that you can exceed authorized access: “even if the accesser may be entitled to obtain or alter the same information in the computer for other purposes.” Yes, read that again. Even if you are allowed to obtain info via your authorization on your computer, they’re now saying that if you use that information in a way that runs afoul of the info above, you can be found to have exceeded authorized access.
Make it easier for the federal government to seize and forfeit anything
We’ve seen how federal seizure and forfeiture laws are frequently abused to seize goods, which the government claims are used in the commission of a crime (even if they never charge anyone for the crime). And we’ve seen, with cases like the Dajaz1 case, how the government will use such tools to take and censor websites on no actual basis. And now the CFAA will make it even easier for the government to do such things. It amends the existing sections to basically expand what can be forfeited, because it’s not like the government hasn’t abused that one before…
The rest of the bill deals with two other things: first a section on “cybersecurity” which includes punishment for those damaging “critical infrastructure” computers, another section that tells the courts to figure out how secure their computers are, and finally a part that creates a “National Cyber Investigative Joint Task Force,” to be led by the FBI, because they’re an unbiased party.
The final part of the bill relates to “breach notifications.” A number of states already have various laws in place that require companies and websites that have data breaches to inform impacted users. This creates a federal law that supersedes those state laws. You can read the details, but basically companies will have to let people (and other companies) know of such breaches within a short period of time — unless there are law enforcement or national security reasons to delay such notification. It also requires companies to tell the FBI or Secret Service of certain kinds of breaches. If companies don’t do this, they can be fined between $500,000 and $1 million — but only by the DOJ (i.e., individuals or companies can’t go after organizations for screwing this up).
Those last two sections are really somewhat unrelated to the rest of the CFAA parts. But the CFAA parts are troubling. Rather than fixing the law, they’re expanding it so that computer “crimes” can be hit with racketeering charges, and expanding the general language and punishments for part of the bill. This is not a good thing. The fact that this is being passed around by the House Judiciary Committee suggests that it’s likely to be backed by HJC chair Bob Goodlatte, which is unfortunate. You would have hoped that Goodlatte and others on the HJC would recognize that now is the time to fix the CFAA, not to make it worse.