EFF and over a dozen other organizations are urging U.S. lawmakers to oppose a dangerous bill proposed by Sens. Sheldon Whitehouse and Lindsey Graham that would make the already-flawed Computer Fraud and Abuse Act (CFAA) worse. The joint letter sent Wednesday explains that the legislation fails to address any of the CFAA’s problems while simply creating more confusion. Although the proposal is ostensibly directed at stopping botnets, it includes various provisions that go far beyond protecting against such attacks. 

The senators proposed an almost identical bill last year. And just like last year, they may try to sneak their proposal through as an amendment to the Email Privacy Act. Last year, the tried this tactic with the Cybersecurity Information Sharing Act of 2015, but they ultimately failed due to widespread opposition.

Since the death of activist and Internet pioneer Aaron Swartz three and a half years ago, people from across the political spectrum have urged Congress to reform the CFAA. It’s an outdated and draconian law, with harsh penalties for “crimes” that result in little or no economic harm. And the Justice Department has interpreted the statute’s vague language to criminalize violations of terms of use—an interpretation that turns virtually every Internet user into a criminal.

Sens. Whitehouse and Graham’s proposal will take things in the wrong direction. The CFAA should be reigned in, not expanded, to make sure it is used for the purpose originally intended by Congress: to target malicious criminals who break into computer systems and cause real harm and economic damage.

That’s why we joined our friends in asking the Senate to oppose the Whitehouse/Graham proposal—whether as a standalone bill or as an amendment to the Email Privacy Act.

You can read the full text of the letter below (footnotes omitted) or access a PDF of the original letter here.

June 1, 2016

Dear Senator,

We, the undersigned civil liberties and privacy groups, oppose the Botnet Prevention Act of 2016 (S. 2931), both as a standalone bill and an amendment to S. 356. The proposal would expand the activities covered by the Computer Fraud and Abuse Act ("CFAA") and create new authority for the government to hack computers that could result in severe collateral damage, and would give users no recourse if their systems are harmed. Without major changes, the legislation could stifle much needed security research.

The proposal would expand the existing prohibition in the CFAA against selling passwords to any “means of access.” The provision could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities. In addition, the proposal would create a broad new criminal violation and harsh penalties for damaging “critical infrastructure” computers. The scope of critical infrastructure has been broadly interpreted by the Department of Homeland Security, and because hacking associated computers is already illegal under the CFAA, such an addition is unnecessary.

Further, the proposal may empower the government to obtain injunctions to force companies to hack user devices, or allow the government itself to do the hacking. It also fails to require notice of any potential targeting of non-suspect or innocent consumers, such as botnet victims. Though the provision is ostensibly directed at stopping botnets, it could apply to a wide range of unrelated activities. For example, activist organizations frequently target for outreach hundreds of devices as part of campaign activities, but without intent to cause damage. The proposed changes, in conjunction with pending changes to Rule 41 of the Federal Rules of Criminal Procedure currently before Congress, represent a vast expansion of the scope of both government hacking and government mandated hacking in response to the threat of botnets. Given the potential impact on botnet victims, security and privacy experts have questioned the broader impact of such tactics.

Finally, the proposal fails to address ambiguity in current law that has led to the use of the CFAA to prosecute security researchers, levy disproportionate penalties, and criminalize ordinary Internet activity. The proposal will exacerbate the CFAA’s existing problems and enable prosecution of behaviors well beyond malicious computer trespasses or hacking, which were the original and appropriate targets of the CFAA.

Accordingly, we urge you to oppose the Botnet Prevention Act of 2016 in any form. If you have any questions, please contact Drew Mitnick, Policy Counsel at Access Now, who will communicate with the other signers.

Sincerely,

Access Now

Advocacy for Principled Action in Government

American Civil Liberties Union

American Library Association

Center for Democracy and Technology

Demand Progress

Electronic Frontier Foundation

Free Press Action Fund

Liberty Coalition

OpenMedia.org

R Street

Restore the Fourth

RootsAction.org

New America’s Open Technology Institute

Related Issues

Computer Fraud And Abuse Act Reform

Related Updates

Pilot inside of a yellow mecha
Deeplinks Blog by Aaron Jue | August 3, 2021

Flex Your Power. Own Your Tech.

Just as a good hacker sees worlds of possibility in plastic, metal, and pixels, we must all envision and work for a future that’s better than what we’re given. This week, EFF is celebrating the Las Vegas computer security conferences virtually and putting our annual mystery-filled DEF CON t-shirt online.
A cat shown writing a program to hack into a can of cat food.
Deeplinks Blog by Aaron Mackey, Kurt Opsahl | June 3, 2021

Van Buren is a Victory Against Overbroad Interpretations of the CFAA, and Protects Security Researchers

The Supreme Court’s Van Buren decision today overturned a dangerous precedent and clarified the notoriously ambiguous meaning of “exceeding authorized access” in the Computer Fraud and Abuse Act, the federal computer crime law that’s been misused to prosecute beneficial and important online activity. The decision is a victory...