Computer-security researchers fear President Barack Obama’s proposed changes to federal hacking laws could put them out of business, could make computers less secure overall, and could put some of them — and maybe even you — in prison.

"Under the new proposal, sharing your HBO GO password with a friend would be a felony," Nate Cardozo, an attorney with the Electronic Frontier Foundation in San Francisco, told an audience of researchers and IT pros Saturday (Jan. 17) at ShmooCon 2015, a security conference held annually in Washington, D.C.

Obama showcased the proposals in his State of the Union address Wednesday night (Jan. 20). The changes to the Computer Fraud and Abuse Act (CFAA), first implemented in 1984, might make many commonplace security-research practices — and media reporting on those practices — federal crimes. Even sharing passwords for online accounts would potentially be punishable.

"Believe what you’ve heard" about Obama’s proposals, Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, warned this past Friday (Jan. 16) at ShmooCon 2015.

The proposed changes to the CFAA and related laws, posted online by the White House early last week, would broaden the definition of computer crime and stiffen penalties for existing crimes, including doubling the maximum penalty for many violations from 10 years to 20 years.

Hacker gangsters

It would also subject computer fraud to the Racketeer Influenced and Corrupt Organizations Act (RICO) of 1970 — a law designed to charge Mafia bosses with crimes committed by their underlings, but now broadly applied in both criminal and civil cases against all manner of organizations.

The RICO addition is likely directed at the type of organized cybercrime that emanates from Russia and other former Soviet-bloc countries, but if it becomes law, it could just as easily be applied to anyone affiliated with any kind of suspected hacking group.

"Even if you don’t do any of this, you can still be guilty if you hang around with people who do," said Robert Graham, CEO of Errata Security in Atlanta, in a blog posting last Wednesday (Jan. 14). “Hanging out in an IRC chat room giving advice to people now makes you a member of a ‘criminal enterprise,’ allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.”

Throw Steve Jobs in jail

The White House proposal also places electronic “intercepting devices” in the same category as terrorist weapons training and chemical weapons, making their “manufacture, distribution, possession and advertising” a crime. Any such devices, and property bought with the proceeds from the sale of such devices, would be subject to seizure.

But while the heading of that section implies that its target is “spying devices,” the legal language never specifies exactly what such an intercepting device might be. A regular laptop running Firefox with the Wi-Fi sniffing Firesheep extension might qualify — as would the “blue boxes” for making free long-distance telephone calls that Steve Jobs and Steve Wozniak sold to fellow college students before they built the first Apple computer.

"Had hacking laws been around [then]," Graham wrote, "the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices."

If you click this, you might be a criminal

To illustrate the unwanted consequences of Obama’s proposal, Graham created a hypothetical scenario.

"Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://www.nytimes.com/i/employees.txt," he tweeted last Wednesday (Jan. 14).

That wasn’t true — the New York Times didn’t suffer such a breach.

"This is a fictional tweet, to show how retweeting/clicking a link like this can be illegal under Obama’s proposed laws," Graham added.

Yet lists of stolen login credentials from similar breaches are often posted in public forums online — and subsequently linked to by security researchers discussing the breaches and media outlets covering the news.

In his own tweet Wednesday (Jan. 20), EFF’s Cardozo linked to a real story on TechCrunch listing the “worst passwords of 2014,” then pointed out that what he’d done could be felonious.