Today a wide range of organizations from across the political spectrum—including EFF—sent a letter to the Senate protesting Sen. Sheldon Whitehouse's proposed draconian Computer Fraud and Abuse Act amendment to the "cybersecurity" surveillance bill CISA.
Since the death of activist and Internet pioneer Aaron Swartz three years ago, people from across the political spectrum have urged Congress to reform the CFAA, given its harsh penalties for "crimes" that result in little or no economic harm as well as the Justice Department's interpretation of terms of use violations that leaves virtually every Internet user a criminal.
Rep. Zoe Lofgren and Sen. Ron Wyden have been working hard on crafting reform and EFF has already published its own proposed fixes to the CFAA. We urge the Senate to vote against this amendment and work with Rep. Lofgren and outside groups to reform the CFAA.
The CFAA should not engulf security researchers, innovators, and everyday Internet users. It should instead be used for its original, intended purpose: to go after malicious criminals who could cause real harm and economic damage.
You can read the full text of the letter and download a copy of the PDF version below.
We, the undersigned civil liberties and privacy groups, and security experts, write in opposition to the proposed amendment (No. 2626) from Senator Whitehouse to the Cybersecurity Information Sharing Act (“CISA”) that would expand the Computer Fraud and Abuse Act (“CFAA”).
Amendment No. 2626 would alter the CFAA in dangerous and unpredictable ways.
First, the amendment would expand the existing prohibition in the CFAA against selling passwords to any “means of access” without clarifying how the law applies to legitimate computer security research, such as paid researchers who identify and disclose software vulnerabilities. Second, the amendment includes a requirement that empowers government to obtain injunctions that can force companies to hack computer users for a wide range of activity unrelated to botnets, though the provision is ostensibly directed at stopping botnets. Third, the amendment would create a broad new criminal violation for damaging critical infrastructure, which is already illegal under the CFAA.
The Whitehouse amendment fails to address ambiguity in current law that has led to the use of the CFAA to prosecute valuable security research, levy disproportionate penalties, and criminalize ordinary Internet activity. We are united in our view that, at the very least, any amendment to the CFAA be subject to full and open debate and must not be tacked on to CISA, itself a highly controversial and complex piece of legislation.
The amendment would exacerbate existing problems with the CFAA and enable prosecution of behaviors that are not malicious computer trespasses or hacking, which was the original and appropriate target of the CFAA. Worse, these changes are being rushed through Congress without adequate debate over the far-reaching effects of its provisions. .