The Computer Fraud and Abuse Act (CFAA), the federal “anti-hacking” statute, is long overdue for reform. The 1986 law—which was prompted in part by fear generated by the 1983 technothriller WarGames—is vague, draconian, and notoriously out of touch with how we use computers today. Unfortunately, Sens. Sheldon Whitehouse and Lindsey Graham are on a mission to make things worse. They've proposed (for the second time) legislation that fails to address any of the CFAA’s problems while simply creating more confusion. And they may try to sneak their proposal through as an amendment to the Email Privacy Act—the very same sneaky tactic they tried last year.
Their latest proposal is ostensibly directed at stopping botnets. It's even named the “Botnet Prevention Act of 2016.” But the bill includes various provisions that go far beyond protecting against attacks by zombie computers:
First, the bill would expand the CFAA’s existing prohibition against selling passwords to cover trafficking in any "means of access." The broadening is unnecessary and misguided, as other statutes—like the U.S. Code section concerning fraud in connection with access devices—already cover what the authors seem to be targeting. The bill also doesn't define "means of access," another sign of its poor drafting. With no guidance, it’s unclear how broadly prosecutors or courts will apply this provision. The provision could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities.
Second, the bill empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What's worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims. It's understandable that the government does not want to tip off potential suspects, but those not suspected of committing any crime should be notified when their computers are part of a criminal investigation.
Third, the bill would create a new felony offense of damaging "critical infrastructure." But this conduct, too, is already captured under the CFAA’s existing provisions. The section is yet another classic example of overcriminalization and redundancy—especially at a time when Congress is debating a significant decriminalization bill. And although “critical infrastructure” may sound limited, the definition in the bill tracks the Department of Homeland Security’s definition, which includes software companies and ISPs. Plus, given the provision’s steep penalties and limits on judges’ discretion to reduce sentences or allow sentences to run concurrently (rather than back-to-back), it will simply give prosecutors even more leverage to force defendants into plea deals.
These changes would only increase—not alleviate—the CFAA’s harshness, overbreadth, and confusion.
As noted, this isn’t the senators' first attempt to take the CFAA in the wrong direction. Last year, they tried to slip similarly terrible measures through Congress via an amendment to the notorious Cybersecurity Information Sharing Act of 2015 (CISA). Sens. Whitehouse and Graham’s proposal was ultimately not included in CISA, which Whitehouse blamed on the "pro-botnet" caucus, but in reality, it’s because a lot of people—including a lot of EFF supporters—spoke out against the egregious CFAA amendment.
The senators’ proposal has no grounding in what would actually keep us—or our computers—safe. Rather, it seems motivated by the same vague fears of a hypothetical computer takeover that overtook Congress (after watching a clip from WarGames) back in 1986. In that way, Whitehouse and Graham may be keeping true to the CFAA’s roots. But now it’s time to focus on reality.
Just as last year, EFF will oppose the senators' proposal—in whatever form it takes. What we need is reform that reins in the CFAA, not a measure that makes things worse.