from the fix-the-cfaa dept
Swartz, of course, tragically took his own life in the midst of this legal battle, after facing tremendous pressure from the DOJ to take a plea deal as a felon, even as Swartz was sure he had done nothing illegal or wrong. Since then, there have been a few attempts to update the CFAA to block this kind of abuse, but they have been blocked at every turn by a DOJ that actually wants to make the law even worse. This includes the White House's latest proposal for CFAA reform, which would actually make more things a felony under the CFAA, and could drastically increase sentencing for things that many of us don't think should be a crime at all -- such as tweeting out a list of worst passwords on the internet.
Outgoing Attorney General Eric Holder has done his best to ignore or downplay any suggestion that his Justice Department abused the CFAA in going after Swartz. And it looks like his likely replacement is trying to do the same.
Senator Al Franken questioned nominee Loretta Lynch about Swartz and the CFAA and got back a response that is basically her avoiding the question. She doesn't say anything about Swartz, but goes off on some FUD about the dangers of malicious hackers and how the DOJ needs the tools to fight spyware. She then claims that the newly proposed CFAA changes are okay because they only increase the possible maximum sentences, but not the minimums, leaving things up to the discretion of judges (and prosecutors):
Question 1. The Computer Fraud and Abuse Act (CFAA) has received attention for its potentially harsh penalties. In 2013, I wrote a letter to the Department of Justice expressing my concern about the way in which Aaron Swartz was aggressively prosecuted under the CFAA, and associating myself with a similar letter by Senator Cornyn. The Department’s response was, in short, that the prosecution of Swartz was consistent with the Act. Since then we have heard many people – from all over the political spectrum – call for reform of the CFAA. Recently, the White House announced a proposal to amend the Act. Some have characterized the proposal as a step in the wrong direction, noting – for example – that it would increase certain sentences. What is your assessment of these criticisms, and what is your opinion of the proposal?This, of course, misses the point. First, it assumes that longer sentences are somehow going to do anything to diminish the likelihood of malicious attacks. It won't. This is such a total braindead law enforcement view of things: that if only there were greater punishment it would scare the "bad people" out of doing what they're going to do. That's never really worked, and especially not in this area, where the law is being abused to go after people who don't think they're actually doing anything wrong.
RESPONSE: I believe that the Department of Justice has a responsibility to protect Americans from invasions of their privacy and security by prosecuting and deterring computer crimes. Accordingly, we must ensure that the CFAA, like all of our tools, remains up-to-date and reflects the changes in the way that cybercrimes are committed, changes that have occurred in the decades since it was first enacted. For example, I understand that the Administration’s proposals include provisions designed to facilitate the prosecution of those who traffic in stolen American credit cards overseas, to enable the Department to dismantle botnets that victimize hundreds of thousands of computers at a time, and to deter the sale of criminal “spyware.”
With respect to the sentencing provisions contained in those proposals, I believe it is appropriate to ensure that, in the event a defendant is convicted of a hacking offense, the sentencing court has the authority to impose a sentence that fits the crime. For example, the enormous harm caused by the massive thefts of Americans’ personal financial data from retailers illustrates the need to ensure that the maximum sentences available are adequate to deter the worst offenders. As the level of harm caused by the worst cybercrimes increases, I support increasing the maximum penalties available to punish those crimes to a level commensurate with similar crimes, such as mail fraud or wire fraud.
It is also important to understand that these statutory maximum sentences do not control what sentence is appropriate for less significant offenses under the CFAA. In many criminal prosecutions, including prosecutions under the CFAA of all but the most serious offenses, the statutory maximum penalty has little or no impact on the sentencing of convicted defendants. Instead, in each case, prosecutors make individualized sentencing recommendations, and judges make individualized decisions, based on such factors as the facts of the case, the offender’s history, and the U.S. Sentencing Guidelines.
Finally, I note that the Administration’s 2015 proposal does not include any new mandatory minimum sentences, and I support the decision not to seek any such new sentences in the CFAA at this time.
Second, it just plays up the FUD that "bad stuff is happening" so "something must be done." But it ignores how vague the law is and how it's wide open to abuse. A good law enforcement official would ask for clearer laws that more narrowly target actual bad behavior, rather than celebrating a broad and vague law that can be, and is, widely abused just to rack up more DOJ headlines and "victories."