Experts Scratching Their Heads At House Judiciary's Awful CFAA Reform Proposal

from the why-would-they-do-this? dept

On Monday, we broke the news of the House Judiciary Committee circulating a terrible bill that would make the Computer Fraud and Abuse Act (CFAA) much worse, rather than better. It would expand definitions and make it even easier for the Justice Department to go after people for harmless activity. In fact, even the part we originally thought might fix one of the worst parts of the CFAA actually makes it worse.

Now that the bill has been out a few days, various experts on the CFAA are scratching their heads about why the House Judiciary Committee is even bothering with this draft bill. As Orin Kerr notes, this seems to be a basic rehash of the DOJ's attempt 2 years ago to expand the CFAA. He suggests (and we agree) that the Judiciary Committee stop taking DOJ language from 2011 and start dealing in the present, and deal with the very real problems with the CFAA, and not just with a DOJ who wants more power.

They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)

[....] This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.

Of course, when we brought up similar examples in our original post, people said we were overreacting. Hmm. Meanwhile Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security is similarly stumped by the direction of the reform.

My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return. Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge — what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and .. .since the criminal definitions translate directly to civil liability .. a very significant possibility of a “bet the company” civil suit. Not a move designed to foster innovation, I think.

Hopefully, the House Judiciary Committee goes back to the drawing board on this, and takes a closer look at things like Aaron's Law, which is being developed to cut back on the excesses of the CFAA, rather than expand them.

Filed Under: cfaa, cfaa reform, doj, house judiciary committee, orin kerr, paul rosenzweig

Turns Out The One 'Good' Change In CFAA Reform... May Actually Be Bad Too

from the ugh dept

So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was slightly good. We noted that they ever so slightly rolled back what would constitute a crime for "exceeding authorized access" listing out a few qualifications that needed to be met -- including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.

However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be "or" statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern -- with multiple sub-statements that don't have an "or" but which are interpreted as being "or" statements. For example, under section (a)(2)(A), there is no "or" between that and (B), but clearly the CFAA doesn't only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill's clauses are connected by "or" statements, rather than "and."

If this is true, then you could run afoul of "exceeding authorized access" for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That's because at least a few courts have recently rejected broad interpretations of the CFAA around "exceeding authorized access," such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions for which prosecutors could use against people claiming "exceeds authorized access."

It seems like this bill really is all bad. On top of everything else, the one area where it "rolled back" something, it may have rolled it "back" to a place which allows for more ambiguity that existing case law.

So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.

Filed Under: cfaa, cfaa reform, exceeds authorized access, hacking

Congress Apparently Uninterested In 'Aaron's Law' To Reform CFAA

from the this-is-a-problem dept

Well, this is rather unfortunate, but perhaps not a surprise. Last week, Politico reported that despite progress on Zoe Lofgren's "Aaron's Law," designed to improve the CFAA, it's unlikely to get any traction in Congress. The CFAA, of course, is the widely abused law that was written decades ago in an attempt to outlaw malicious hacking. The bill was never particularly well-written, and over time as the technology has changed, the CFAA has become wide open to broad interpretations, such that people have faced criminal charges for daring to... disobey a site's terms of service (which they never even read). Aaaron Swartz was charged under the CFAA, hence the reform bill is being called "Aaron's Law." But, even with all the attention that Aaron got, Congress isn't interested yet.

The article doesn't suggest the idea is dead, just that it doesn't have nearly enough support. Part of the reason is that the White House and the DOJ haven't said a word about it -- but, really, is that all that surprising given the complaints they've been receiving about US Attorney Carmen Ortiz's use of the CFAA in the Swartz case? But, even within Congress, the key people who are needed to support the bill have basically said they have more important things to deal with right now. And while there are other important bills on the table, it's a big mistake to not update the CFAA before it is abused again.

Filed Under: aaron swartz, aaron's law, cfaa, cfaa reform, congress, reform