Draft Computer Fraud and Abuse Act Update Expands Powers and Penalties

Despite calls to limit the Computer Fraud and Abuse Act, it looks like Congress is planning to drastically expand the law and penalties. walterbyrd writes with a few of the major changes listed in the draft bill (22 pages): "Adds computer crimes as a form of racketeering. Expands the ways in which you could be guilty of the CFAA — including making you just as guilty if you plan to 'violate' the CFAA than if you actually did so. Ratchets up many of the punishments. Makes a very, very minor adjustment to limit 'exceeding authorized access.' Expands the definition of 'exceeding authorized access' in a very dangerous way. Makes it easier for the federal government to seize and forfeit anything." TechCrunch also reports rumors that the plan is to push the bill through quickly for approval with a number of other "cybersecurity" bills in mid-April.

this just in

[girlintraining]

Extra! Extra! Read all about it! Laws too dense for average citizens to understand, too vague to prevent massive abuse! Please. You're all felons. You haven't been prosecuted because you haven't pissed anyone off enough to become one, but all I need to do is record you going about your daily business for a week, and I'll find enough dirt to keep you locked up for a long time. Every. Last. One of you. Except perhaps the person who can't read this, because they're in a coma, in a hospital bed. And that poor, poor bastard is only avoiding his fate for as long as his bank account continues to pay off his mortgages and student loans. Once the money runs out, yeah... he's gonna be a felon too.

The law has ceased to have any relevance of any kind whatsoever for principled and ethical people. You cannot follow all the laws, you don't even know all of them, and you're not supposed to, and even if you did manage this collossal feat that even our own government can't accomplish with all of its resources... interpreting the law is also a crime. Ha ha. And telling someone else what you've learned? Practicing law without a license... another crime.

We're all criminals. We just haven't been caught.

Re:this just in

[Man+On+Pink+Corner]

Exactly. It's not about being able to arrest everybody. They can't arrest everybody, and they don't want to arrest everybody.

It's about being able to arrest anybody.

Re:this just in

[Lothsahn]

Sociology study after study shows that there is significant racial bias in the police force against blacks. Minorities are more likely to get charged with crimes, arrested, and pulled over for committing the same traffic infraction as compared to whites.[1] This bias exists and is real. This is a significant portion of the story.

The other significant portion of the story is that blacks are far more impoverished than whites, on average. " In 2010, 27.4 percent of blacks and 26.6 percent of Hispanics were poor, compared to 9.9 percent of non-Hispanic whites and 12.1 percent of Asians." [2] Poverty has a strong correlation to violent crime and drug use. "Nonviolent drug offenders now account for about one-fourth of all inmates in the United States, up from less than 10 percent in 1980. " [3] This figure does not include crimes which are committed to support a drug addiction.

Interestingly, violent crime rates are similar in impoverished black and white neighborhoods. "The violent crime rate in highly disadvantaged Black areas was 22 per 1,000 residents, not much different from the 20 per 1,000 rate in similar white communities." [4] This means that despite the proven police bias, for violent crimes, only 2 per 1000 more blacks are convicted of violent crimes as compared to whites in impoverished neighborhoods.

In summary... 50 years after Martin Luther King, Jr., we still have significant racial bias in American Culture. However, we have come a long way as compared to even 25 years ago. As we continue to improve as a nation, and treat others not based on their racial makeup, I believe the poverty inequality will begin to equalize in this nation. We still have a big problem with racism in the US. The racism issue is slowly improving, but there are practical and non-racist reasons why the incarceration rates differ so dramatically between whites and blacks. You don't enslave a population of people for hundreds of years and then turn around, snap your fingers, and suddenly have racial, economic, financial, and social equality. Repairing the damage that was done takes time. Now if our prison system could be more interested in healing instead of retribution...



Interesting Note: There is growing evidence that Lead is the cause of the majority of the violent crime. [5] If this is true, this may explain why the violent crime rates are similar--impoverished people are more likely to be exposed to lead, but impoverished blacks are just as likely to be exposed as whites.

[1] http://chicago.cbslocal.com/2012/08/09/blacks-hispanics-still-more-likely-to-get-traffic-tickets-in-illinois/ [2] http://www.npc.umich.edu/poverty/
[3] http://www.nationalreview.com/corner/269208/prison-math-and-war-drugs-veronique-de-rugy
[4] http://researchnews.osu.edu/archive/badcomm.htm
[5] http://www.motherjones.com/environment/2013/01/lead-crime-link-gasoline

Write to your representatives!

[intellitech]

I’m a constituent calling on you to reform the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030. This law contains vague language that broadly criminalizes accessing a computer "without authorization," carries heavy-handed penalties, and shows no regard for whether an act was done to further the public good. We saw how these laws could be abused in the case of Aaron Swartz, a recently-deceased 26-year-old coder and social activist who was hounded by the Justice Department in a relentless and unjust felony prosecution.

The CFAA needs three critical fixes: first, terms of service violations must not be considered crimes. Second, if a user is allowed to access information, it should not be a crime to access that data in a new or innovative way -- which means commonplace computing techniques that protect privacy or help test security cannot be illegal. And finally, penalties must be made proportionate to offenses: minor violations should be met with minor penalties.

While it is too late to intervene on behalf of Aaron, it’s not too late to ensure that this harm is not done to future social justice activists and security researchers. Please hold a Congressional hearing to examine the ongoing abuses of the Computer Fraud and Abuse Act and similar laws, and champion reform so that the potential punishments fit the crimes.

You can write to them easily here: https://www.eff.org/aarons-law

Take the time to add a note to the end of the boilerplate about how you WILL NOT vote for them if they don't act.

Senators and Representatives, even somebody like me who doesn't follow all things politics-related can still see how you vote and how well you represent my interests via http://www.opencongress.org/ , at the very least. Just remember, we are watching.

Re:Conservative reaction to shooting foot

[Lawrence_Bird]

Well it is most certainly not a congress critter as they are way to stupid to think and write anything 'legal' themselves. So the bigger question is, who has lobbied for the terms in the proposed law?

Orin Kerr on draft of new CFAA

[Freddybear]

Orin Kerr from the Volokh Conspiracy has this to say about the "new" draft CFAA:

http://www.volokh.com/2013/03/25/house-judiciary-committee-new-draft-bill-on-cybersecurity-is-mostly-dojs-proposed-language-from-2011/

"Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

In some ways, the new circulating language is even more severe and harsh than DOJ wanted even in the Lori Drew case. For example, the proposed language would make it a felony crime to violate Terms of Service if the TOS violation:

        (I) involves information that exceeds $5,000 in value;
        (II) was committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information;
        (III) was committed in furtherance of any criminal act in violation United States or of any State, unless such state violation would be based solely on the obtaining of information without authorization or in excess of authorization; or
        (IV) involves information obtained from a computer used by or for a government entity;

This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

In short, this is a step backward, not a step forward. This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it. "

Re:Fascist America

[Required+Snark]

The original post has it right, you have it wrong: mega-business has co-opted the government. Every real world example shows this pattern.

The bank bailout of 2008. Even though the banks failed the most basic rules of capitalism, there was no meaningful penalty for institutions or individuals. All the whining about Dodd-Frank regulation is crocodile tears. The big Wall Street firms have not changed in any way. They still engage in appallingly bad behavior because of unbridled greed. JPMorgan just got caught effectively breaking the new regulations and lost $6 billion as a result. There were still casino gambling, but they called it something else. The fallout: nothing. No legal or regulatory action. Dead silence after one day of hearings. Jamie Dimon just got a big vote of confidence from his board, and retains the titles of both CEO and Chairman. He was personally aware of what went on. Yes, at some point an underling will be thrown under the bus and go to jail, but the big crooks are untouched.

DCMA in general and this legislation in particular. It criminalizes the most innocuous actions so that business can crush anyone at any time. This is the government doing the bidding of mega corps.

Fracking. Ever increasing areas of the country are having their water supplies poisoned forever so that Big Oil can make more money. It's worse then Chernobyl or Fukushima, because radioactivity has a half life. Fracking is a irreversible change to geologic structure. It will take geologic time to recover. These are the same companies that were the most profitable businesses in the history of the world in the 2000 decade. They still get obscene tax brakes that go back to 1926.

Monsanto and GM crops. First they said the the manipulated genes would not get into non-GM crops. Then when it happened the courts ruled that the non-GM planing farmers could be sued for stealing their IP. So if GM crops are used in an area, either you plant a different crop, or are forced to use the GM seeds to avoid being sued. The Mafia is envious.

In addition: Big Pharma and Oxycontin. HDMI cables. EULA. "Clean Coal". Mandatory ethanol from corn. Increasing the number of 1-HB visas.

The constant feature is that big business can buy damn near any legislation they want. The government is the enforcement arm of corporations. In the real world the law goes to the highest bidder, and all the money and power resides in corporations. When you blame the government your corporate owners are delighted. They can keep right on going because their disinformation campaign is working perfectly. Any fix requires understanding who is in charge, and you have it completely wrong.

Re:Needs a new title

[rtb61]

Those changes are even worse than that. They basically allow the government to seize your home solely upon the basis of a claim of conspiracy of an already arrested person awaiting trial and a reduced sentence. Basically these laws have been written to silence political activist who use computers for any political activity.

Most people use their computers in their homes, their homes provide the facility for using that computer hence, under the law can be confiscated regardless of the lack of any losses or gains, just upon the claims of conspiracy. As conspiracy does not require the evidence of any crimes being committed purely the testimony of an individual seeking a reduced sentence ie. the loss of their homes and many years in prison, you can see how this can be readily abused to target any individual disliked by the current political authority.

Breach of contract is a civil matter but under this Law if the contract is basically on a computer it is a criminal offence. To access the contract you must adhere to the conditions of contract, if you breach the conditions of contract, your access to the contract is now a criminal act. Even more insanely it sets no limits on the 'Terms of Service' of access to computer network. This enables the wordings of "Term of Service' to ensure all users breach the "Terms of Service" in normal use, thus allowing the entity responsible for the "Terms of Service" the power of prosecution over all of it's users.

Straight up this is a political attack targeted at computer geeks and nerds, basically the majority of slashdot users and at silencing them because of their greater political influence in the internet age.