This summer, Senator Sheldon Whitehouse introduced an amendment to the flawed Cyber Information Sharing Act (CISA) that would make it even worse, by expanding the broken Computer Fraud and Abuse Act (CFAA). EFF has proposed common sense changes to this federal anti-hacking law, many of which were included in “Aaron's law,” recently reintroduced. While CISA was delayed by strong grassroots opposition over the summer, it looks likely to move soon—bad amendments and all. That’s why we’re urging people to take action and tell the Senate to vote no on this and any other dangerous CFAA changes.
CFAA is already broken
The CFAA makes it illegal to intentionally access a computer without authorization or in excess of authorization. But much of what we do online every day—from storing photos in the cloud to watching movies to using social networks to buying a plane ticket—involves accessing other people’s computers, often with a password. The CFAA does not explain what "without authorization" actually means. Overzealous prosecutors have gone so far as to argue that the CFAA criminalizes violations of private agreements like an employer's computer use policy or a web site's terms of service, and have taken advantage of this lack of clarity by bringing criminal charges that aren't really about hacking a computer, but instead about doing things on a computer network that the owner doesn’t like.
A tragic example is the misguided prosecution of activist Aaron Swartz under the CFAA. Aaron committed suicide while facing criminal charges with penalties up to thirty-five years in prison, all for using MIT's computer network to download millions of academic articles from the online archive JSTOR, allegedly without "authorization."
The changes proposed to the CFAA by Senator Whitehouse would give prosecutors and network owners even more ways to abuse the law.
New crimes, less judicial oversight
Whitehouse's amendment would create a new felony crime for damaging a “critical infrastructure computer” “during and in relation to a felony violation of section 1030.” The new provision is redundant, and worsens the CFAA’s already draconian penalties. It also inappropriately strips judges of their ability to determine what kind of sentence is appropriate for the specific individual before them. It prohibits judges from imposing probation instead of jail; and forces them to impose the “aggravated damage” sentence (which has a maximum of 20 years) consecutively to any other sentence imposed, prohibiting the judge from reducing the other sentence to make up for the consecutive sentence it must impose for the “aggravated damage.”
Tailor-made to help indiscriminate prosecution
The amendment would make it much easier to prosecute anyone for trafficking in passwords or similar information through which a computer may be “accessed without authorization.” The amendment changes the mental state required to simply “knowing such conduct to be wrongful,” whatever that means. We think this section is unconstitutionally vague because unlike other mental states well known in criminal law, including the one current in the CFAA—“intent to defraud”—there’s no legal precedent or language in the legislation that explains what “knowing such conduct to be wrongful” means.
A threat to security research
In addition to lowering the mental state required for trafficking in passwords, the amendment would expand the trafficking prohibition to include any “means of access.” This could potentially threaten legitimate security research, by including the critical penetration testing software used by researchers and security consultants. And what about a security researcher disclosing a vulnerability at a conference? Will the DOJ argue the exploit is a "means of access" and that the researcher knew the testing of the exploit was wrongful? In a time when security research is more important than ever, these are just some of the unintended consequences of broadening the CFAA.
A New Weapon: Injunctions
Finally, this amendment would allow the Attorney General to file a civil suit for an injunction (a court order) to stop potential violations of the CFAA that would affect 100 or more computers. While this provision is ostensibly aimed at those who build botnets, the language is very broad, allowing the government to seize computers or other hardware—particularly concerning since attempts to fight botnets in the past through court orders have negatively affected thousands of innocent users. The government would not be required to file criminal charges under the CFAA immediately, or even eventually, and would not have to ever prove that you actually violated the law.
EFF and other advocates are already telling Congress that this amendment must not pass. If you agree, take a few minutes to email your Senators and tell them to vote no on this and any amendments that will worsen the CFAA.