Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime
from the that's-not-good dept
You may have heard about the recent high-profile, malicious hack of Target’s point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the “anti-hacking” law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it’s not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn’t get this kind of DOJ wishlist through without hiding it.
Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act — a bill he’s tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California’s) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.
The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of “reforms” to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It’s basically part of the DOJ’s wishlist, changing the CFAA to make you guilty of violating the law if you merely “conspire or attempt to commit” the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term “for the completed offense” so that the CFAA now reads:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
Right now, the law does not include those four words. Why is that a big change? As we explained last year:
All they did was add the “for the completed offense,” to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something (“conspires to commit”) that violates the CFAA shall now be punished the same as if they had “completed” the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.
While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it’s not just the TOS issue that concerns so many people about the CFAA.
The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It’s ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.