Sometimes bad things get even worse. 

The news out of Washington is that when Congress comes back into session in September, Senator Sheldon Whitehouse will try to add some bad Computer Fraud and Abuse Act (CFAA) amendments onto the already awful cybersecurity bill.

EFF has long been critical of the CFAA, especially after the horribly misguided prosecution of our friend Aaron Swartz. EFF proposed common-sense changes to the law and many of them were included in “Aaron's law,” recently reintroduced. We had hoped that Congress would embrace Aaron’s law as a first step to stem the ongoing problem of overzealous prosecutors misusing the current CFAA. There is increasing recognition across the political spectrum that the endless ratcheting up of criminal penalties is highly problematic, especially for nonviolent offenses such as those created by the CFAA. These overburden our taxpayer-supported prison system and lead to prosecutors pressuring people into accepting unfair plea agreements. President Obama has joined with Senate Republicans in calling for reconsideration of this approach, and the CFAA should be high on the list of statutes that should have penalty schemes reconsidered and reduced.

Unfortunately, it seems that the spate of recent data and security breaches that put the Cybersecurity Information Sharing Act (CISA) on a political fast track has encouraged Congress to ignore CFAA reform and instead consider dangerous and unnecessary CFAA expansion. The Whitehouse amendment that may be introduced in September is less sweeping than an earlier proposal from Whitehouse and Senator Lindsey Graham, but it’s still bad.

First, the amendment would add an entirely new provision that increases criminal penalties by 20 years for persons convicted of existing CFAA felonies that cause or would result in “aggravated damage to a critical infrastructure computer.” This “aggravated damage” provision is appallingly vague, because it’s unclear what counts as “critical infrastructure” in the first place. The statutory definition at 42 U.S.C. § 5195c(e) could be read to include almost any system: “the term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” People subject to this vague provision are also ineligible for probation.

Second, the amendment changes the mental state required for trafficking in passwords or similar information through which a computer may be “accessed without authorization”—an already controversial and problematic phrase under (a)(6) of the CFAA. It also removes this charge from the one-year penalty limit for first offenders, meaning that one violation can bring the hammer down. Under Senator Whitehouse’s amendment the mental state required is reduced from “knowingly and with intent to defraud” to merely whether the person knew “such conduct to be wrongful.” Whatever that means (and we don’t know), it’s obviously broader than the requirement that someone have intent to defraud. We’re told that this is intended to stop trafficking in botnets, but whatever its intention, it’s going to make it easier to prosecute anyone and increase the penalties they face. The new provision would also require that the person had “reason to know” that a protected computer would be accessed or damaged “without authorization” in violation of the CFAA by such trafficking, but that doesn’t really add anything to the standard.

We cannot stress enough that these changes will not help us against actual cybercrime. They won’t harden our computer systems or protect Americans from truly malicious actors. Instead, they will just give prosecutors more power to threaten more people with more prison time under the already vague underlying law. Senator Whitehouse should take this time during the recess to check out Aaron's law and the work EFF and others have done. The CFAA must be reformed, but not in the way he proposes.