Draft Computer Fraud and Abuse Act Update Expands Powers and Penalties

Despite calls to limit the Computer Fraud and Abuse Act, it looks like Congress is planning to drastically expand the law and penalties. walterbyrd writes with a few of the major changes listed in the draft bill (22 pages): "Adds computer crimes as a form of racketeering. Expands the ways in which you could be guilty of the CFAA — including making you just as guilty if you plan to 'violate' the CFAA than if you actually did so. Ratchets up many of the punishments. Makes a very, very minor adjustment to limit 'exceeding authorized access.' Expands the definition of 'exceeding authorized access' in a very dangerous way. Makes it easier for the federal government to seize and forfeit anything." TechCrunch also reports rumors that the plan is to push the bill through quickly for approval with a number of other "cybersecurity" bills in mid-April.

Write to your representatives!

[intellitech]

I’m a constituent calling on you to reform the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030. This law contains vague language that broadly criminalizes accessing a computer "without authorization," carries heavy-handed penalties, and shows no regard for whether an act was done to further the public good. We saw how these laws could be abused in the case of Aaron Swartz, a recently-deceased 26-year-old coder and social activist who was hounded by the Justice Department in a relentless and unjust felony prosecution.

The CFAA needs three critical fixes: first, terms of service violations must not be considered crimes. Second, if a user is allowed to access information, it should not be a crime to access that data in a new or innovative way -- which means commonplace computing techniques that protect privacy or help test security cannot be illegal. And finally, penalties must be made proportionate to offenses: minor violations should be met with minor penalties.

While it is too late to intervene on behalf of Aaron, it’s not too late to ensure that this harm is not done to future social justice activists and security researchers. Please hold a Congressional hearing to examine the ongoing abuses of the Computer Fraud and Abuse Act and similar laws, and champion reform so that the potential punishments fit the crimes.

You can write to them easily here: https://www.eff.org/aarons-law

Take the time to add a note to the end of the boilerplate about how you WILL NOT vote for them if they don't act.

Senators and Representatives, even somebody like me who doesn't follow all things politics-related can still see how you vote and how well you represent my interests via http://www.opencongress.org/ , at the very least. Just remember, we are watching.

Re:Needs a new title

[girlintraining]

Well, yeah. They're naming it after him because his death dropped the pants on these asshats. So naturally, they adjusted the law to prevent further de-pantsing events rather than admit that their crappy, over-vague, law which criminalizes basically any use of a computer indirectly led to the death of a talented young man who's crime was basically annoying authorities in the 3rd degree.

Re:4th Branch of Government

[hsmith]

Uh, no. SCOTUS wasn't intended to validate laws. That is a power it took upon itself.

Orin Kerr on draft of new CFAA

[Freddybear]

Orin Kerr from the Volokh Conspiracy has this to say about the "new" draft CFAA:

http://www.volokh.com/2013/03/25/house-judiciary-committee-new-draft-bill-on-cybersecurity-is-mostly-dojs-proposed-language-from-2011/

"Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

In some ways, the new circulating language is even more severe and harsh than DOJ wanted even in the Lori Drew case. For example, the proposed language would make it a felony crime to violate Terms of Service if the TOS violation:

        (I) involves information that exceeds $5,000 in value;
        (II) was committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information;
        (III) was committed in furtherance of any criminal act in violation United States or of any State, unless such state violation would be based solely on the obtaining of information without authorization or in excess of authorization; or
        (IV) involves information obtained from a computer used by or for a government entity;

This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

In short, this is a step backward, not a step forward. This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it. "

Re:this just in

[Lothsahn]

Sociology study after study shows that there is significant racial bias in the police force against blacks. Minorities are more likely to get charged with crimes, arrested, and pulled over for committing the same traffic infraction as compared to whites.[1] This bias exists and is real. This is a significant portion of the story.

The other significant portion of the story is that blacks are far more impoverished than whites, on average. " In 2010, 27.4 percent of blacks and 26.6 percent of Hispanics were poor, compared to 9.9 percent of non-Hispanic whites and 12.1 percent of Asians." [2] Poverty has a strong correlation to violent crime and drug use. "Nonviolent drug offenders now account for about one-fourth of all inmates in the United States, up from less than 10 percent in 1980. " [3] This figure does not include crimes which are committed to support a drug addiction.

Interestingly, violent crime rates are similar in impoverished black and white neighborhoods. "The violent crime rate in highly disadvantaged Black areas was 22 per 1,000 residents, not much different from the 20 per 1,000 rate in similar white communities." [4] This means that despite the proven police bias, for violent crimes, only 2 per 1000 more blacks are convicted of violent crimes as compared to whites in impoverished neighborhoods.

In summary... 50 years after Martin Luther King, Jr., we still have significant racial bias in American Culture. However, we have come a long way as compared to even 25 years ago. As we continue to improve as a nation, and treat others not based on their racial makeup, I believe the poverty inequality will begin to equalize in this nation. We still have a big problem with racism in the US. The racism issue is slowly improving, but there are practical and non-racist reasons why the incarceration rates differ so dramatically between whites and blacks. You don't enslave a population of people for hundreds of years and then turn around, snap your fingers, and suddenly have racial, economic, financial, and social equality. Repairing the damage that was done takes time. Now if our prison system could be more interested in healing instead of retribution...



Interesting Note: There is growing evidence that Lead is the cause of the majority of the violent crime. [5] If this is true, this may explain why the violent crime rates are similar--impoverished people are more likely to be exposed to lead, but impoverished blacks are just as likely to be exposed as whites.

[1] http://chicago.cbslocal.com/2012/08/09/blacks-hispanics-still-more-likely-to-get-traffic-tickets-in-illinois/ [2] http://www.npc.umich.edu/poverty/
[3] http://www.nationalreview.com/corner/269208/prison-math-and-war-drugs-veronique-de-rugy
[4] http://researchnews.osu.edu/archive/badcomm.htm
[5] http://www.motherjones.com/environment/2013/01/lead-crime-link-gasoline

Re:Needs a new title

[rtb61]

Those changes are even worse than that. They basically allow the government to seize your home solely upon the basis of a claim of conspiracy of an already arrested person awaiting trial and a reduced sentence. Basically these laws have been written to silence political activist who use computers for any political activity.

Most people use their computers in their homes, their homes provide the facility for using that computer hence, under the law can be confiscated regardless of the lack of any losses or gains, just upon the claims of conspiracy. As conspiracy does not require the evidence of any crimes being committed purely the testimony of an individual seeking a reduced sentence ie. the loss of their homes and many years in prison, you can see how this can be readily abused to target any individual disliked by the current political authority.

Breach of contract is a civil matter but under this Law if the contract is basically on a computer it is a criminal offence. To access the contract you must adhere to the conditions of contract, if you breach the conditions of contract, your access to the contract is now a criminal act. Even more insanely it sets no limits on the 'Terms of Service' of access to computer network. This enables the wordings of "Term of Service' to ensure all users breach the "Terms of Service" in normal use, thus allowing the entity responsible for the "Terms of Service" the power of prosecution over all of it's users.

Straight up this is a political attack targeted at computer geeks and nerds, basically the majority of slashdot users and at silencing them because of their greater political influence in the internet age.