Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime

from the that's-not-good dept

You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.

Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.

The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:

    Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

Right now, the law does not include those four words. Why is that a big change? As we explained last year:

    All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.

While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.

The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.

Filed Under: aaron swartz, cfaa, conspiracy, criminal, data breach, patrick leahy
Companies: target

Reader Comments

  1. Anonymous Coward, 9 Jan 2014 @ 3:41pm

    You know what I find insanely stupid in all this? There is no requirement that if the federal government gets hacked they have to tell anyone anything. Nor if you look does it include the federal government in this bill. This bill is about states.

    Given the reports about ACA (Obamacare) having never been built with security in mind, this becomes seriously important. In order to sell ACA this particular topic has been sidelined into silence. And what about the NSA gathering up all this data and then turning it over to other agencies with the admonishment they can't be used as the source? Given their tools, that is hacking; dishing out malware at targeted computers/individuals.

    Senator Leahy once again shows his real colors in all this. It's about covering the government's ass, not about security. When you can't find another charge, claim conspiracy to hack as a catch-all dealing with computers. This makes me very uneasy. I use element Q to get rid of annoying javascript and other undesirable items on web pages I view. It does nothing to the original site, as all changes are temporary and on my computer only. Removing blocks to view the public site until you activate javascript doesn't float. Yet it is likely under prosecutor expansion it could one day be illegal with this vague law.
