Senators Graham and Whitehouse are circulating draft cybercrime legislation, with several provisions modifying the Computer Fraud and Abuse Act (CFAA) – 18 USC 1030, the primary anti-hacking law of the United States. Politico posted a draft of the bill earlier this week (behind its paywall). The draft bill is called the “International Cybercrime Prevention Act of 2015″ and aims to crack down on theft of trade secrets and malicious hacking. Overall, the draft bill would exacerbate, not eliminate, the harshness, over breadth, and confusion with the CFAA.
Reportedly, Senators Graham and Whitehouse want to attach their draft bill to the Cybersecurity Information Sharing Act (CISA), which CDT opposes. Senate Leadership hopes to bring CISA up for a vote within the next three weeks. CFAA is certainly worthy of a revamp, but the CFAA is complex and sensitive – and therefore its reform deserves a broader public debate than that timeline would allow.
The CFAA is both broad and vague – prohibiting individuals from accessing computers and obtaining information without authorization, exceeding an individual’s authorized access to a computer, or impairing the integrity of a computer without authorization. These terms – such as “exceeds authorized access” – cover a wide range of ordinary behaviors that are not normally associated with malicious hacking. For example, an employee has authorized access to a computer for work purposes, but courts wrestle with whether the employee “exceeds authorized access” by using the computer for non-work purposes. Should authorization to use computers – in the context of an anti-hacking law with strict criminal and civil penalties – rest solely on terms of service and other statements? Should “obtaining information” include merely viewing information on a computer screen? CDT does not think so, and the overall trend in appellate courts has been to interpret the CFAA more narrowly to avoid criminalizing ordinary, victimless, or innovative uses of computers and information. [For more information on the CFAA’s over breadth, check out this material from EFF.]
There are several items worth noting in this draft bill, but I’ll focus on only a few here.
Codifies CFAA violations based on statements and agreements
The draft Graham/Whitehouse bill would create civil and criminal liability for individuals that use information for purposes that the owner of the computer containing the information does not authorize. [Page 6, line 8 of the draft.] The draft bill would also restrict persons from obtaining information that the person is “not entitled to obtain.” These restrictions on access and use of information cannot be based solely on terms of service or contractual obligations. However this is not a meaningful protection since terms of service and a press release, verbal warning, or a tweet could overcome the “solely” requirement. The draft does not require that the information used or obtained be private or that the computer owner safeguard the information with any technological protection measure, only that the information must exceed $10k in value or be owned by a government public health or safety agency.
Under this provision, the computer owner can rely entirely on website notices and other statements to prohibit use and access to information that is publicly or widely available. This provision would take a step back from current law in the 9th and 4th Circuits, which held (in the Nosal and Miller cases, respectively) that the CFAA does not extend to violations of use restrictions, and that a person must circumvent a technological access barrier in order to violate the CFAA’s prohibition on “exceeds authorized access.”
CDT believes the Nosal case draws a sensible line and that encouraging computer owners to use technological protection measures would enhance cybersecurity more than relying on terms of service and contracts. CDT recommends requiring that the provision’s prohibition on access and use of information be based on circumventing a technological access barrier, and not terms of service, contractual obligations, or other statements. Aaron’s Law, sponsored by Reps. Lofgren and Sensenbrenner, as well as Sens. Wyden and Paul, would make this change.
In addition, CDT believes the bill should clarify what it means to “obtain information.” Merely viewing information on a screen (which technically involves your computer obtaining a temporary copy of the information) should not suffice. We recommend that “obtain information” involve unauthorized reproduction or misappropriation, excluding transient or incidental copies, to the extent that laws against copyright violation and theft of trade secrets do not already prohibit unauthorized copying.
Authorizes government-approved hacking to stop CFAA violations
The draft bill would allow the government to obtain court orders directing private entities to hack computers violating or about to violate the CFAA. [Page 4, line 16.] The heading of the section suggests this authority is directed at shutting down botnets, but the language itself is not limited to botnets. Instead, this hacking authority can be used for any violation of CFAA that would “affect” 100 or more computers. The draft bill does not specify what sorts of actions the government can take against violators, leaving open the potential for intentionally rendering the offending computer inoperative, forcing software updates on the computer, or redirecting the computer’s Internet traffic. Although the CFAA generally prohibits hacking, this provision would provide immunity to parties that hack pursuant to the court orders obtained by the government, even if the hack causes collateral damage.
CDT has reservations about enabling more hacking – or “countermeasures” with external effect – by the private sector because of the potential to undermine cybersecurity generally and cause unintended harm to innocent computer users. This provision should be struck from the bill before it is introduced. If this proposed authority is not struck , CDT believes it should at least be narrowed to clearly apply only to botnets. Botnets, as the term is generally used, are composed of computers compromised with malware whose computing power is then used in a fashion that the owner does not authorize. Since the system integrity of the botnet computers are compromised by the botnet malware, the computers are “damaged” per the CFAA’s definition of “damage,” and persons damaging the computers in this manner are violating a particular part of the CFAA: 1030(a)(5)(A). Therefore, CDT recommends that the draft bill’s provision apply to persons “violating or about to violate subsection 1030(a)(5)(A) in a manner that damages 100 or more computers.” Similar language was proposed in Sec. 103 of Sen. Leahy’s Consumer Privacy Protection Act of 2015.
Computers that are part of a botnet are usually victims of a CFAA violation, not willing participants in the botnet. Damaging the victimized computers under this provision could affect other innocent individuals – such as denying access to a hospital computer containing patient information because the hospital’s computer was unwittingly part of a botnet. To mitigate damage to systems of innocent users and businesses, CDT recommends limiting the actions authorized under this provision to those that would “solely affect persons violating or about to violate Sec. 1030(a)(5)(A).” Similar language was proposed in Sec. 103 of Sen. Leahy’s Consumer Privacy Protection Act of 2015.
The draft bill raises penalties for CFAA violations generally. Raising CFAA penalties will lead to disproportionate punishments for pedestrian violations, exacerbating the law’s over-criminalization problem. Because many violations of CFAA can be victimless or of low severity, CDT believes it is important to ensure the statute keeps penalties balanced.
The draft bill would apply civil forfeiture to CFAA violations. [Page 9, line 13.] Civil forfeiture enables the government to seize property (such as houses, computer equipment, or domain names) indirectly connected with a crime – even if the property owner is not convicted of a crime. Civil forfeiture has been abused repeatedly in the past and there is a movement afoot to reform it. We recommend applying civil forfeiture, if at all, only to the assets of foreign suspects that the government has difficulty prosecuting. Forfeiture should not apply to US defendants in the absence of a conviction.
The draft would also raise the base maximum imprisonment terms of several broad CFAA violations. For example, the base max of 1030(a)(2) violations would be raised from 5 to 10 years [Page 7, line 8.], and the base max of 1030(a)(4) violations are raised from 5 to 20 years. [Page 7, line 16.] These particular CFAA provisions are noteworthy because they are so broad that they potentially criminalize such behavior as violating terms of service or spoofing a MAC address. The penalty enhancements in the draft bill are of dubious deterrent value since CFAA penalties are almost universally viewed as harsh already. CDT recommends a careful public review on whether current penalties are indeed inadequate.
The draft also makes felonious violations of CFAA a Racketeer Influenced and Corrupt Organizations Act (RICO) predicate. [Page 3, line 7.] RICO liability would encompass anyone who is part of an “enterprise” – which includes any union or association of people – and who participates directly or indirectly in the conduct of the “enterprise” through violations of CFAA. In the online context, “associations of people” are very easy to form – think of all those people who put on a Guy Fawkes mask and hang out on 4chan. Current laws on conspiracy can already convict individuals participating in group criminal acts, so it’s unclear why RICO is needed for CFAA, unless the goal is to mete out harsher punishments – RICO carries a max imprisonment term of 20 years, while conspiracy carries a max of five years. While RICO is an effective legal instrument against criminal groups, the breadth of RICO would enhance the risk that individuals with tenuous affiliation to unauthorized hacking would be subject to severe penalties.
Don’t rush it
The Computer Fraud and Abuse Act was passed nearly three decades ago. Like ECPA, the CFAA is out of step with how technology is used today. It is inevitable that computers will become even more closely interwoven with daily life, connecting our household items and even our physical bodies, so laws on computer access and use will increasingly play a part in ordinary activities. As a result, CFAA charges could well become much more prevalent for commonplace crimes in the future.
It is positive that Senators Graham and Whitehouse have begun examining ways to update the CFAA, but the changes proposed in this draft bill would largely make the CFAA more unbalanced and confusing. Rather than rush through this draft bill as an amendment to CISA, which is already riddled with problems, Senators Graham and Whitehouse should undertake a nuanced public discussion about how best to overhaul the CFAA.