Friday, January 16, 2015

On Tuesday, President Obama introduced a legislative proposal on privacy and data security that seeks to strengthen and clarify law enforcement’s ability to investigate and prosecute cybercrimes.

The first section of the proposed legislation would expand the definition of “racketeering activity” under the Racketeer Influenced and Corrupt Organizations (“RICO”) Act to include felony offenses under the Computer Fraud and Abuse Act (“CFAA”)—the federal anti-hacking statute. The second section would amend existing law to deter “the development and sale of computer and cell phone spying devices.” The third section proposes substantial changes intended to modernize the CFAA. Finally, the proposal’s fourth section is aimed at strengthening the government’s ability to disrupt and shut down botnets—networks of computers often deployed to commit crimes, such as spreading malware.

Although much of the proposal is modeled on a similar proposal advanced by the White House in 2011, there are key differences, including making clear that it is a crime to access a computer in breach of a use restriction, while at the same time limiting the scope of liability for such access to cases that the Administration believes are serious enough to warrant prosecution under the CFAA.

Updating and Expanding the RICO Act to Include CFAA Offenses

The White House proposal would include felony violations of the CFAA in the definition of “racketeering activity” under the RICO Act. This would provide for increased penalties for cybercrimes and afford prosecutors the ability to more easily charge certain members of organized criminal groups engaged in computer network attacks and related cybercrimes.

Deterring the Development and Sale of Computer and Cell Phone Spying Devices

The White House proposal seeks to deter the development and sale of computer and cell phone spying devices by instituting two changes. First, the legislative proposal would amend 18 U.S.C. § 1956 to “enabl[e] appropriate charges for defendants who engage in money laundering to conceal profits from the sale of surreptitious interception devices.” Second, it would amend 18 U.S.C. § 2513 “to allow for the criminal and civil forfeiture proceeds from the sale of surreptitious interception devices and property used to facilitate the crime.” This would expand the scope of section 2513, which currently provides for the forfeiture of only the surreptitious devices themselves.

Modernizing the CFAA

According to the White House, the goal of the proposal’s third section is to “enhance [the CFAA’s] effectiveness against attackers on computers and computer networks, including those by insiders.” The proposed legislation contains several key amendments to various CFAA provisions:

First, the proposal would make access in violation of certain use restrictions an illegal act under the CFAA by amending the definition of “exceeds authorized access” to include instances in which a user accesses a computer with authorization to obtain or alter information “for the purpose that the accessor knows is not authorized by the computer owner.” Language of this sort would address, at least in part, an existing circuit split on the meaning of the language “exceeds authorized access,” as used in the CFAA. Some commentators, however, have questioned whether the proposed language will resolve the current ambiguity over the CFAA’s reach. For example, if an employee accessed a computer for a non-work-related purpose, it would be obvious that the employee would be violating the CFAA (as amended by the White House’s proposed language) if there were a written policy that states “company computers can be accessed only for work-related purposes.” However, if a non-employee accessed the computer, there may not be a clear violation of the CFAA because the non-employee is not bound by—and thus would not be breaching—the employer’s policy. As a result, the courts may still have disagreements about the scope of the phrase “exceeds authorized access” even with the new language.

The White House’s proposal would also add a new provision to the CFAA by amending 18 U.S.C. § 1030(a)—the subsection of the CFAA that lists the punishable offenses under the statute. The added provision would provide new threshold requirements for criminal offenses resulting from users exceeding their authorized access. The proposal would punish a user who “intentionally exceeds authorized access to a protected computer, and thereby obtains information from such computer” if one of three conditions is met: “(i) the value of the information obtained exceeds $5,000; (ii) the offense was committed in furtherance of any felony violation of the laws of the United States or of any State, unless such violation would be based solely on obtaining the information without authorization or in excess of authorization; or (iii) the protected computer is owned or operated by or on behalf of a governmental entity.” While courts must still interpret the meaning of these conditions, they provide a clearer framework for prosecution of offenses under the statute and, in theory, would constrain the government’s ability to prosecute individuals under the CFAA for minor offenses.

Additionally, the White House proposal would amend the CFAA “to enable the prosecution of the sale of a ‘means of access’ such as a botnet.” Further, instead of requiring the government to prove “intent to defraud” under this subsection (the intent standard applicable to violations motivated by financial gain), the legislation would require prosecutors only to establish “willfulness,” so as to criminalize unlawful trafficking of access to “other types of wrongdoing perpetrated using botnets” and not just password and similar information.

The proposal would also enhance CFAA penalties and enforcement mechanisms by raising penalties for circumventing technological barriers to access a computer (e.g., hacking into or breaking into a computer), and by making such violations felonies carrying a prison term of up to ten years. This is a significant change from the current law, which allows for either a misdemeanor or a felony carrying a maximum prison term of only five years. The proposal would also create civil forfeiture procedures, “clarify that the ‘proceeds’ forfeitable [under the CFAA] are gross proceeds, as opposed to net proceeds,” and in appropriate circumstances, allow for the forfeiture of real property used to facilitate offenses under the statute. And the proposal would clarify “that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses.”

Shutting Down Botnets

Finally, the legislative proposal would add to existing civil remedies by explicitly providing courts with the authority to issue injunctions aimed at disrupting or shutting down botnets. Under the proposal, the Attorney General would be authorized to seek injunctive relief under 18 U.S.C. § 1345 if the government can show that the criminal conduct alleged would affect 100 or more protected computers during a one-year period. Criminal conduct under the proposal would include “denying access to or operation of the computers [denial-of-service attacks], installing unwanted software on the computers [malware], using the computers without authorization, or obtaining information from the computers without authorization.” The legislation would also protect from liability individuals or entities that comply with court orders and would allow courts to order the government to reimburse those individuals or entities for costs directly incurred in complying with such orders.

This post was written with contributions from Jim Garland.