Rather Than Fix The CFAA, House Judiciary Committee Planning To Make It Worse... Way Worse

from the are-they-just-fucking-with-us? dept

Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

This one is a very, very tiny step in the right direction, but just barely. Under the old CFAA, "accessing a computer without authorization" and "exceeding authorized access" were lumped together as a form of breaking the law. The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the "crime" of exceeding authorized access. Now, to violate the law by "exceeding" authorized access, you'd have to get access to "information from any protected computer" (or financial institution or US gov't agency) and the "value" of that info would need to be over $5,000 (who determines that?) and the access had to have been "committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information" and was committed "in furtherance of any criminal act."



While it's good to see them ever so slightly roll back the issue of "exceeding authorized access," it still seems broad enough that all sorts of activities that shouldn't be seen as criminal would easily get lumped in here by aggressive prosecutors.


So, you know all that talk about things like Aaron's Law and how Congress needs to fix the CFAA? Apparently, the House Judiciary Committee has decided to raise a giant middle finger to folks who are concerned about abuses of the CFAA. Over the weekend, they began circulating a "draft" of a "cyber-security" bill that is so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA. Rather than fix the CFAA, it expands it. Rather than rein in the worst parts of the bill, it makes them worse. And, from what we've heard, the goal is to try to push this through quickly, with a big effort underway for a "cyberweek" in the middle of April that will force through a bunch of related bills. You can see the draft of the bill here (or embedded below). Let's go through some of the pieces.

The bill adds to the current definition of "racketeering activity" so that it would now link back to the CFAA, such that if you are found to violate the CFAA as part of an activity that involves a variety of other crimes, you can now be charged with racketeering. More specifically, if you look at that long list of related statutes in the definition to 18 USC 1961 (1), it will also include: "section 1030 (relating to fraud and related activity in connection with computers)." Basically, this just gives the DOJ yet another tool to use against "computer criminals" when they want to bring the hammer down on someone they don't like. Not only could you be charged with computer fraud, but now racketeering as well. Because, you know, all you hackers are just like the Mob.

Section 103 of the proposed bill makes a bunch of "changes" to the CFAA, almost all of which expand the CFAA, rather than limit it. For example, they make a small change to subsection (b) in 18 USC 1030 (the CFAA) such that it will now read:

All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA can now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become. Now if you talk with others about the possibility of violating a terms of service -- say, talking to your 12-year-old child about helping them sign up for Facebook even though the site requires you to be 13 -- you may have committed a felony that can get you years in jail. That seems fair, right?

They change around a bunch of the "penalties" that you can get for various CFAA infractions, shaking up a variety of things and basically raising the maximum sentences available for certain infractions.

Rather than "streamlining" the bill and getting rid of the ridiculous "exceeds authorized access" trigger -- as folks like Orin Kerr have suggested -- this tends to just muddle matters even more.

And... at the same time, they do something else to make "exceeding unauthorized access" worse. Which brings us to:

That's because the new bill says that you can exceed authorized access: "even if the accesser may be entitled to obtain or alter the same information in the computer for other purposes." Yes, read that again. Even if you are entitled to obtain info via your authorization on your computer, they're now saying that if you use that information in a way that runs afoul of the info above, you can be found to have exceeded authorized access.

We've seen how federal seizure and forfeiture laws are frequently abused to seize goods, which the government claims are used in the commission of a crime (even if they never charge anyone for the crime). And we've seen, with cases like the Dajaz1 case, how the government will use such tools to take and censor websites on no actual basis. And now the CFAA will make it even easier for the government to do such things. It amends the existing sections to basically expand what can be forfeited, because it's not like the government hasn't abused that one before...

The rest of the bill deals with two other things: first a section on "cybersecurity" which includes punishment for those damaging "critical infrastructure" computers, another section that tells the courts to figure out how secure their computers are, and finally a part that creates a "National Cyber Investigative Joint Task Force," to be led by the FBI, because they're an unbiased party.

The final part of the bill relates to "breach notifications." A number of states already have various laws in place that require companies and websites that have data breaches to inform impacted users. This creates a federal law that supersedes those state laws. You can read the details, but basically companies will have to let people (and other companies) know of such breaches within a short period of time -- unless there are law enforcement or national security reasons to delay such notification. It also requires companies to tell the FBI or Secret Service of certain kinds of breaches. If companies don't do this, they can be fined between $500,000 and $1 million -- but only by the DOJ (i.e., individuals or companies can't go after organizations for screwing this up).

Those last two sections are really somewhat unrelated to the rest of the CFAA parts. But the CFAA parts are troubling. Rather than fixing the law, they're expanding it so that computer "crimes" can be hit with racketeering charges, and expanding the general language and punishments for part of the bill. This is not a good thing. The fact that this is being passed around by the House Judiciary Committee suggests that it's likely to be backed by HJC chair Bob Goodlatte, which is unfortunate. You would have hoped that Goodlatte and others on the HJC would recognize that now is the time to fix the CFAA, not to make it worse.

Filed Under: bob goodlatte, cfaa, cybersecurity, data breach, house judiciary committee, punishment, racketeering