Lawmakers Say CFAA Is Too Hard On Hackers

GovTechGuy writes "A number of lawmakers are using the death of Internet activist Aaron Swartz to speak out against the Justice Department's handling of the case, and application of the Computer Fraud and Abuse Act. The controversy surrounding the Swartz case could finally give activists the momentum they need to halt the steady increase in penalties for even minor computer crimes."

Their Fear is the problem

[sensationull]

The main problem is that the law makers still have no clue about computers or technology in general. They hear 'hacker' and think that every kid with a computer in their room can launch a nuclear attack. This is why they try to execute anyone who knows more than them. Their narrow minded fear.

Re:Their Fear is the problem

[SJHillman]

They couldn't find the documentation on national security, so they showed WarGames to Congress instead.

Re:Their Fear is the problem

[Charliemopps]

No they don't. They open their freezer to get some ice for their scotch, see a fat wad of cash wrapped in a zip-lock bag, smile to themselves, and then make a note to call the RIAA in the morning to confirm their support for the upcoming legislation. Your government is completely bought and paid for... by Corporations, Trade groups, Unions, special interest groups... etc... they only way to change this is to get the hackers together, hire their own lobbyist and start paying off the government just like everyone else. And no, I'm not kidding.

Re:Their Fear is the problem

[endus]

I completely agree with you. The legislation isn't even set up in a paranoid or ignorant fashion...it's set up to impose insane penalties on anyone who dares to violate IP laws.

I'm not opposed to the idea of IP or profiting off the information-based products you build (though the current system is obviously broken) but the laws impose penalties which are clearly out of line with the scope of the crime. Most often, people liberating information and sharing it gets it into the hands of people who probably would never have paid for it anyway. I don't doubt that there is some impact to a company from a breach like that, but it's not as damaging as the penalties suggest it is.

Taking someone's trade secrets and giving them to a competitor? Yea, that's corporate espionage and it's a Big Deal. Even stealing the source code of a closed source product and putting that online is a relatively Big Deal because competitors will tend to get a hold of it and use it to their advantage. However, what Swartz did is not going to have the same impact to the organization that was breached.

The laws should exist, but they should be written to impose reasonable penalties based on the scope of the crime. Maybe there's some ignorance on the part of lawmakers there, but it's willful ignorance which comes directly from the fact that companies are paying them for the legislation to be passed.

Re:Their Fear is the problem

[Runaway1956]

Oh, my! "Get the hackers together". Good luck with that. We gots white hats, we gots black hats, we gots grays in various shades - I'll bet if I were to go looking, I could find some fruitcake rainbow hats hiding in their closets. We have so many different motivations for "hacking". We have so many categories of ethics involved. Hackers getting together? Hell, man, even WHITE HAT hackers flirt with existing law, and need to keep their identities secret.

So, who you gonna call? Hack Busters? Hmmmm - I think I have Hack Busters site here somewhere - - - https://www.eff.org/

No need to reinvent the wheel. Let's just maybe redesign it, fund it, and put it on the road. What we need are sane internet laws, and the EFF is in pursuit of that goal already. They may not represent "hackers" specifically, but they are in a position to attract various sorts of hackers.

It would be great if only ten or fifteen percent of "hackers" were to join the EFF, and send small donations. At the same time, they need to make their voices heard, and explain why they are joining. "I'm a part time hacker, and some of the laws scare the shit out of me!" It matters little if the hacker just reverse engineers games for his own use, or he's pen-testing networks without authorization. They are still hackers, and they need protection from draconian nonsense laws.

Re:Their Fear is the problem

I completely agree with you. The legislation isn't even set up in a paranoid or ignorant fashion...it's set up to impose insane penalties on anyone who dares to violate IP laws.

This is now extremely obvious in Europe.

To make your point:

- Rape a child in Sweden, 100.000 SEK damages (recent sentence)
- Offer pirated TV content, 37.000.000 SEK in damages (recent sentence)

Anyone who fails to see that the law is now in service of the rich media corporations must be blind or otherwise impaired.

Still missing the point a bit?

[whydavid]

If this were a Chinese-American hacker stealing schematics from Raytheon we'd all be happy to see the harshest threats/penalties applied. The issue here was bullying at the DOJ. You can't fix that with a few tweaks to the law, and if you lower maximum penalties you will find yourself regretting it when someone actually does do something worthy of those maximum penalties. And if you close these holes, aren't they just going to find others? You have issues with behaviors/attitudes at DOJ that need to be fixed, not just a few sentences in a statute. So, sure, maybe they should tweak the laws a bit; but how does that fix the oversight issues? Seems like a nice way to convince everyone they "did something" without actually fixing the issue.

Re:Still missing the point a bit?

[Sique]

If this were a Chinese-American hacker stealing schematics from Raytheon we'd all be happy to see the harshest threats/penalties applied. The issue here was bullying at the DOJ. You can't fix that with a few tweaks to the law, and if you lower maximum penalties you will find yourself regretting it when someone actually does do something worthy of those maximum penalties.

But then he gets not prosecuted for stealing scientific articles, but for transmitting weapon secrets to foreign powers -- independently of the means to get his hands on said documents. Your argument seems to be that we need to have harsh penalties for wielding a knife, because someone may stab a person with a dagger.

Re:Still missing the point a bit?

[elucido]

If this were a Chinese-American hacker stealing schematics from Raytheon we'd all be happy to see the harshest threats/penalties applied. The issue here was bullying at the DOJ. You can't fix that with a few tweaks to the law, and if you lower maximum penalties you will find yourself regretting it when someone actually does do something worthy of those maximum penalties. And if you close these holes, aren't they just going to find others? You have issues with behaviors/attitudes at DOJ that need to be fixed, not just a few sentences in a statute. So, sure, maybe they should tweak the laws a bit; but how does that fix the oversight issues? Seems like a nice way to convince everyone they "did something" without actually fixing the issue.

Those penalties wont stop people from doing it. If it's a cyberwar and nation states are sponsoring it then no amount of harsh penalties will have any affect. If it's not that then the harsh penalties will have the wrong effect on the wrong people.

Being tough doesn't really DO anything. It's all about looking tough but it doesn't DO anything but hurt people so you can look a certain way to some other people. Looking tough is the problem. The solution to this problem is REALLY simple. The solution is a tigher and better hacker community. If the US government wants patriotic hackers then it's up to them to actually promote that kind of hacker community and you aren't going to promote that by persecuting hackers. You promote that by rewarding the heroes and patriots (which never seems to happen). When a hacker does something heroic or patriotic he or she is rewarded with a jail penalty, a blacklisting from the industry, loss of the right to own a gun, to vote, etc.

Charges against Ortiz?

So when will we see charges pressed against Carmen M. Ortiz? There has to be some law which covers harassing someone to the point of suicide.

Re:Why...

[Sique]

He violated Terms of Service of JSTOR. And he took responsibility for it (by handing over his HD to JSTOR and admitting what he did). Everything else is overboarding prosecution and trying to boost one's career at the expense of someone vulnerable.

In the DoJ's defense

[MikeRT]

The CFAA would be an afterthought in that case. The amount of export and national security felonies he'd have committed would be enough to probably make the CFAA not make the cut on the (IIRC) 15 count limit of charges the Federal Rules of Criminal Procedure allow to be brought at once.

Re:Make the penalties lighter?

[Sique]

Then he should be prosecuted for what he actually did. You seem to conflate the means to commit a crime with the crime itself. If you stab a person in the back, you get persecuted for murdering a person, not for wielding a knife.

It's willful ignorance not fear.

[elucido]

They don't even care about the hacker community. They don't even understand what the hacker community is or what it's about. They view all hackers as cyber terrorists and criminals. They view anyone with certain skills are criminal. You can't even get a CEH certification and put it on your resume without getting funny looks and having people think you're a criminal. They view Slashdot as a place where e-terrorists and criminals go to talk about their cyber wizardry.

Seriously, hackers are like warlocks and witches and the only thing the governments want to do is persecute them all. They wont work with hackers, they wont let hackers help them without threatening to ruin their lives or using harsh bullying tactics. Hackers who don't cooperate with them seem to end up charged with rape, child porn, or just a bunch of bullshit charges that prosecutors can find to leverage on them to try to break them.

Why are hackers treated so bad if hackers are so important to the whole cyberwarfare scenario? Hackers no matter how patriotic they are get treated like criminals and terrorists and because of this no patriotic hacker community can try to survive.

Do what the Chinese government does: fight dirty

[benjfowler]

Even since Operation Sundevil, the US has had this COMPLETELY counterproductive policy of hounding talented crackers out of existence, rather than nurturing their talent. Utterly stupid, IMHO, and frankly, the people responsible for creating and enforcing this stupid policy should be ashamed of themselves.

The Chinese have this 'thousand grains of sand' thing they do, where they nurture a huge and thriving computer underground (rather than turning them all in involuntary organ donors as they would). They're sent out to smash and grab everything they can from the West, where anything garnered is processed through a specially designed intelligence gathering system, where useful material is routed to local companies and government decision makers.

Granted, the Chinese Communist Party has no morals, but we are in the world we live in, and we have to do the same to compete. I guarantee that if I had any kind of policy input anywhere, I'd be doing exactly this.

At the end of the day, we have a choice: we can either fight with all the tools in our arsenal and shape the world in the West's image -- a relatively peaceful prosperous and moral place. Or we can let the Chinese Communist Party turn it into a quasi-criminal dictatorial dystopia. It's really our choice. In any case, it's the height of suicidal stupidity to fight our enemies with our hands tied behind our backs.

Re:Do what the Chinese government does: fight dirt

[elucido]

Even since Operation Sundevil, the US has had this COMPLETELY counterproductive policy of hounding talented crackers out of existence, rather than nurturing their talent. Utterly stupid, IMHO, and frankly, the people responsible for creating and enforcing this stupid policy should be ashamed of themselves.

The Chinese have this 'thousand grains of sand' thing they do, where they nurture a huge and thriving computer underground (rather than turning them all in involuntary organ donors as they would). They're sent out to smash and grab everything they can from the West, where anything garnered is processed through a specially designed intelligence gathering system, where useful material is routed to local companies and government decision makers.

Granted, the Chinese Communist Party has no morals, but we are in the world we live in, and we have to do the same to compete. I guarantee that if I had any kind of policy input anywhere, I'd be doing exactly this.

At the end of the day, we have a choice: we can either fight with all the tools in our arsenal and shape the world in the West's image -- a relatively peaceful prosperous and moral place. Or we can let the Chinese Communist Party turn it into a quasi-criminal dictatorial dystopia. It's really our choice. In any case, it's the height of suicidal stupidity to fight our enemies with our hands tied behind our backs.

Here is the problem. The USA does compete but treats it's hackers and crackers like trash and although I cannot say China is any better, the USA has the tools to do much better than this. The USA still controls the internet itself. The USA could basically get the vast majority and practically all the best hackers and crackers on their side. The USA kinda does this but does it in a way which makes the hacker community hate or fear the US government. Fear can get people to cooperate with you but too much and they hate, the US government likes to use fear, threats, etc.

In the case of Aaron Swartz the US government was willing to use threats to try to scare him into submission. Why not appeal to some of the better emotions? On top of that, if there really is some cyber war and the situation is so desperate and there really aren't people with enough skill then the people who show any sort of talent at all shouldn't be put in prison. In World War 2 the Italian Mafia was recruited by the CIA to fight the fascists. In this example these were criminals but the point is, the US was always the most dirty of dirty at war, it's just the current iteration of the US government is secretly still dirty but in public trying to put on this impression of "tough on crime" and hatred of hackers which makes no logical sense. Ultimately these hackers CAN support the US war operations so demonizing them for what?

There has to be a clear separation between cyber-criminal and hacker. Hackers care about ethics and want to support what they believe is right whether they think it's the USA (patriotism) or social justice. Cybercriminals just want to make money and hack for the sake of hacking.

Re:Make the penalties lighter?

[wienerschnizzel]

Then he should be prosecuted for what he actually did. You seem to conflate the means to commit a crime with the crime itself. If you stab a person in the back, you get persecuted for murdering a person, not for wielding a knife.

No. You get prosecuted for murder, attempted murder, conspiracy to commit a murder, wielding a knife, trespassing, aggravated assault, unlicensed practice of surgery, jaywalking, wearing blue jeans on Sunday and 25 other remotely applicable transgressions and ridiculous ancient county laws.

Re:It's time for a workers government

[Nexus7]

Oh, I missed the memo. Is the revolution here? Is it time to line 'em up against the wall?

But seriously, lawmakers talking of laws being too harsh? Judges releasing people convicted under three-strikes in California? For America with its chart-topping prison population numbers, that's revolutionary enough.

Steady increase

[Geoffrey.landis]

But seriously, lawmakers talking of laws being too harsh? Judges releasing people convicted under three-strikes in California? For America with its chart-topping prison population numbers, that's revolutionary enough.

Indeed; I think that the problem isn't "the steady increase in penalties for even minor computer crimes," but the gradual increase in penalties for all crimes.

Rather than working on solving more crimes, the justice system seems to be trending toward making penalties harsher for the criminals that they do catch. This is a vicious circle; the harsher the penalties are, the more money we're spending on keeping people incarcerated.

I also find perturbing the technique used by prosecutors of charging people with a vast array of charges with huge possible penalties, so that they will have incentive to plea-bargain down to avoid the worst-case scenario that will be extremely harsh. This may indeed succeed for the prosecutors in getting guilty pleas, and succeed to some extent in saving the expense of trials-- but if some accused people actually are innocent (or even are guilty of minor crimes but not of everything in the book that they've been charged with), it is a failure of justice.

Re:Steady increase

[click2005]

Not all crimes get harsher penalties. Rape & murder get a comparative slap on the wrist these days.

People's lives have no value but cost someone money (even imaginary income) and they throw the book at you.

Re:Steady increase

[anagama]

Except that's not how it works. A plea deal isn't a contract in which you get what you want in exchange for what they want.

Some have blithely said Aaron should just have taken a deal. This is callous. There was great practical risk to Aaron from pleading to any felony. .... More particularly, the court is not constrained to sentence as the government suggests. Rather, the probation department drafts an advisory sentencing report recommending a sentence based on the guidelines. The judge tends to rely heavily on that "neutral" report in sentencing. If Aaron pleaded to a misdemeanor, his potential sentence would be capped at one year, regardless of his guidelines calculation. However, if he plead guilty to a felony, he could have been sentenced to as many as 5 years, despite the government's agreement not to argue for more. Each additional conviction would increase the cap by 5 years, though the guidelines calculation would remain the same. No wonder he didn't want to plead to 13 felonies. Also, Aaron would have had to swear under oath that he committed a crime, something he did not actually believe.

http://cyberlaw.stanford.edu/blog/2013/01/towards-learning-losing-aaron-swartz-part-2

Re:Why...

[Bobfrankly1]

If you punch someone in the face and put them in the hospital, you don't get to say,"Oh, one punch to the face put you in the hospital? You really need to toughen up!" and get out of it. You still get arrested and go to jail.

And yet this is neither a face, nor is a hospital involved. This kind of retarded logic is similar to what corporations use to assign themselves rights that belong to people and not companies. Aaron may have been bringing those servers to a crawl, but he did so by using the websites, not a denial of service attack. By your logic, slashdot readers would be at fault for bringing down websites by simply trying to view their contents. Would you like to be in court for your part in "Slashdot Effect"?

Hackers are the Other

[TheSpoom]

The CFAA has immense penalties for two reasons:

1. Lawmakers look for any excuse to be "tough on crime".
2. Hackers are a small minority group that scare most people.

Combine these two things and one can see that hackers are an "acceptable target" for both the lawmakers and their constituencies, especially with the recent Chinese red scare going on.

Hackers need a PR firm.

Maybe prosecutors will figure this out

[DickBreath]

If you're going to throw the book at someone for a computer 'crime'*, then maybe it should be an e-book instead of a book that is in in dead tree format.


*Especially when it is a 'crime' instead of real crime. You know, real crime, like the kind that involves violence, or the real crimes that occur in boardrooms, wall street and congress.