Experts Scratching Their Heads At House Judiciary's Awful CFAA Reform Proposal
from the why-would-they-do-this? dept
On Monday, we broke the news of the House Judiciary Committee circulating a terrible bill that would make the Computer Fraud and Abuse Act (CFAA) much worse, rather than better. It would expand definitions and make it even easier for the Justice Department to go after people for harmless activity. In fact, even the part we originally thought might fix one of the worst parts of the CFAA actually makes it worse.
Now that the bill has been out a few days, various experts on the CFAA are scratching their heads about why the House Judiciary Committee is even bothering with this draft bill. As Orin Kerr notes, this seems to be a basic rehash of the DOJ’s attempt 2 years ago to expand the CFAA. He suggests (and we agree) that the Judiciary Committee stop taking DOJ language from 2011, start dealing in the present, and deal with the very real problems with the CFAA, not just with a DOJ that wants more power.
They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)
[….] This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.
Of course, when we brought up similar examples in our original post, people said we were overreacting. Hmm. Meanwhile, Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security, is similarly stumped by the direction of the reform.
My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return. Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge — what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and ... since the criminal definitions translate directly to civil liability ... a very significant possibility of a “bet the company” civil suit. Not a move designed to foster innovation, I think.
Hopefully, the House Judiciary Committee goes back to the drawing board on this, and takes a closer look at things like Aaron’s Law, which is being developed to cut back on the excesses of the CFAA, rather than expand them.