If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony
from the because-our-prisons-aren't-at-maximum-capacity dept
Retweet if you want to go to jail! And not regular county jail, but federal prison!
Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane. http://t.co/njE8368lxU — Nate Cardozo (@ncardozo) January 20, 2015
In case you can't read/see the tweet, it says:
Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane.
(The link goes to a Techcrunch article featuring SplashData's list of the "worst passwords on the internet.")
The DOJ has offered up its preferred version [pdf link] of the CFAA (Computer Fraud and Abuse Act) -- under the ridiculous name of "Updated Law Enforcement Tools" -- and it indeed would make this sort of thing an instant felony.
Here's the wording change that does it [deletions marked "struck"; additions marked "added"]:
(6) knowingly and [struck: with intent to defraud] [added: willfully] traffics (as defined in section 1029) in any password or similar information [added: , or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking]; if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
The DOJ removes intent and replaces it with feelings. Sharing a list of common (and stupid) passwords could be construed as "willfully trafficking" passwords while "knowing" a "protected computer" could be "accessed without authorization."
And that thing about federal prison I opened the post with? That's the way the DOJ wants it. The CFAA currently allows for misdemeanor charges under certain circumstances. But this proposal does away with that. Instead of a misdemeanor-to-3 year sentence range, punishments start at 3 years and escalate to a 10-year cap. Unless, of course, your hacking is part of the commission of another felony, in which case the government proposes it should get to double dip (at minimum). Here's Orin Kerr's take on that part of the proposal:
Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, “unless such violation would be based solely on obtaining the information without authorization or in excess of authorization.” On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?
But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act “in furtherance of” a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was “in furtherance of” the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was “in furtherance of” New Jersey’s nearly identical state unauthorized access law.
As if we didn't have enough people in prison already, the DOJ proposal mandates felony charges and provides prosecutorial options to ensure very few defendants walk away with short sentences.
The proposal also asks users to perform mind-reading when accessing anything computer-based.
(6) “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer
(A) that the accesser is not entitled [struck: so] to obtain or alter; or
[added: (B) for a purpose that the accesser knows is not authorized by the computer owner;]
Going back to the Weev case, Andrew Auernheimer obviously knew AT&T would not "authorize" his access of supposedly private information, even if all he did was alter URL components to achieve this. Now, companies' security failures can be weaponized against those who discover them -- making it highly unlikely that flaws and holes will be pointed out to those who can actually close them. Why risk a few years in federal prison (remember: no misdemeanors) just because some entity decided to shoot the messenger rather than thank them for their help?