The Department of Justice asked Congress to expand the Computer Fraud and Abuse Act to make it a crime to break terms of service or violate workplace policies.
The U.S. Department of
Justice asked Congress to expand the federal law it relies on to prosecute
computer crimes to cover more offenses and impose stronger penalties. The
proposed changes will also make it possible to prosecute people for lying
Congress needs to revise the
Computer Fraud and Abuse Act (CFAA) and related legislation so that the DOJ can
go after online criminals more effectively, Richard
, deputy section chief of the Computer Crimes division at the DOJ
said at a Nov. 15 hearing before the House Judiciary Committee's Subcommittee
on Crime, Terrorism and Homeland Security. The proposed changes would improve
cyber-security for Americans, critical infrastructure and government systems,
The proposed changes to CFAA
would expand the law's scope by allowing law-enforcement officials to go after
criminals trafficking user identity information other than passwords, such as
biometric data and smart cards, Downing said. The CFAA was not as effective as
it could be because penalties for online offenses were significantly weaker
than penalties for comparable violations offline. Along with tougher penalties,
the law needs to be updated to include attacks on computers other than those
belonging to government and financial institutions, he said.
One of the proposed
amendments to CFAA is controversial. The law must allow "prosecutions
based upon a violation of terms of service or similar contractual agreement with
an employer or provider," Downing said. In other words, CFAA should
consider lying online, such as using a false name when signing up for a
service, to be a federal crime.
"If you criminalize the
use of pseudonyms online, there are profound implications socially and for the
First Amendment," Jeff Schmidt, CEO of security consultancy JAS Global
Advisors, told eWEEK.
The amendment has a lot to
do with the difficulties of attribution, Schmidt said. When investigators are
trying to discover who was at the computer during an incident, or who was
responsible for a malicious act, not being able to get the perpetrator's real
name makes the investigation a bigger challenge, he said. He didn't think the
amendment was proposed to give the CFAA more power or teeth, but rather to help
investigators solve crimes.
CFAA, which criminalizes
"exceeding authorized access" of a computer, was originally passed in
the 1970s with a "decidedly national-security-oriented bent," Schmidt
said. Since then, a slew of amendments have transformed the CFAA into a
"Swiss Army knife" that allowed federal authorities to go after a
broad range of crimes since practically every crime can involve the use of a
computer, he said.
The law has also been used
in a number of civil lawsuits, such as when employers go after former employees
who left the organization with customer lists and other sensitive data.
a law professor at George Washington University, said at the hearing that it
was important to define the CFAA's scope more narrowly so that lying online
doesn't become a federal crime.
"In the Justice
Department's view, the CFAA criminalizes conduct as innocuous as using a fake
name on Facebook or lying about your weight in an online dating profile. That
situation is intolerable. Routine computer use should not be a crime,"
Kerr said in his testimony.
The DOJ was concerned that
narrowing the law to prevent this interpretation would make it difficult for
law enforcement to prosecute individuals who use "their otherwise
legitimate access to a computer system to engage in improper and often
malicious activities," Downing said in his testimony.
"We are concerned that
that restricting the statute in this way would make it difficult or impossible
to deter and address serious insider threats through prosecution," he
Even so, the DOJ is unlikely
to waste its efforts going after trivial cases, according to Downing.
"The DOJ is in no way
interested in bringing cases against people who lie about their age on dating
sites, or anything of the sort. We don't have the time or resources to do
that," he said.
While there was
"validity" to the argument that prosecutors would exercise caution,
Schmidt said he was more concerned about the likelihood of the law being abused
in frivolous civil lawsuits brought against individuals for lying on dating
profiles or social networking sites. The risk wasn't with "federal
misuse," he said.
Former Homeland Security
Department Secretary Michael Chertoff said in his testimony that too much
caution would be counterproductive. "It would not be a triumph of civil
liberties to keep the U.S. government from protecting computers so the Chinese
government could get on our computers," he said.
Another amendment would change the Racketeering Influenced and Corrupt Organizations (RICO) Act to include
cyber-crimes that are currently listed under CFAA. People prosecuted under RICO
for offline crimes generally face fines of up to $25,000 and 20 years in prison
on each count. Malicious activities directed at the confidentiality, integrity
and availability of computers should be covered under RICO, according to the DOJ.