If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony

from the because-our-prisons-aren't-at-maximum-capacity dept

Retweet if you want to go to jail! And not regular county jail, but federal prison!

In case you can't read/see the tweet, it says:

Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane. http://t.co/njE8368lxU — Nate Cardozo (@ncardozo) January 20, 2015

(The link goes to a TechCrunch article featuring SplashData's list of the "worst passwords on the internet.")

The DOJ has offered up its preferred version [pdf link] of the CFAA (Computer Fraud and Abuse Act) -- under the ridiculous name of "Updated Law Enforcement Tools" -- and it indeed would make this sort of thing an instant felony.

Here's the wording change that does it [strikethrough for deletions; bold for additions]:

(6) knowingly and with intent to defraud willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking; if—

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

The DOJ removes intent and replaces it with "willfully." Sharing a list of common (and stupid) passwords could be construed as "willfully trafficking" passwords while "knowing" a "protected computer" could be "accessed without authorization."

And that thing about federal prison I opened the post with? That's the way the DOJ wants it. The CFAA currently allows for misdemeanor charges under certain circumstances. But this proposal does away with that. Instead of a misdemeanor-to-3 year sentence range, punishments start at 3 years and escalate to a 10-year cap. Unless, of course, your hacking is part of the commission of another felony, in which case the government proposes it should get to double dip (at minimum). Here's Orin Kerr's take on that part of the proposal:

Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, “unless such violation would be based solely on obtaining the information without authorization or in excess of authorization.” On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?

But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act “in furtherance of” a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was “in furtherance of” the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was “in furtherance of” New Jersey’s nearly identical state unauthorized access law.

As if we didn't have enough people in prison already, the DOJ proposal mandates felony charges and provides prosecutorial options to ensure very few defendants walk away with short sentences.

The proposal also asks users to perform mind-reading when accessing anything computer-based.

(6) “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the such computer—

(A) that the accesser is not entitled so to obtain or alter; or

(B) for a purpose that the accesser knows is not authorized by the computer owner;

Going back to the Weev case, Andrew Auernheimer obviously knew AT&T would not "authorize" his access of supposedly private information, even if all he did was alter URL components to achieve this. Now, companies' security failures can be weaponized against those who discover them -- making it highly unlikely that flaws and holes will be pointed out to those who can actually close them.

Why risk a few years in federal prison (remember: no misdemeanors) just because some entity decided to shoot the messenger rather than thank them for their help?

Filed Under: cfaa, doj, felony, obama administration, passwords