Changes proposed by the Obama Administration to a variety of laws used to prosecute cyber-crime have raised concerns among security professionals and vulnerability researchers, who worry that activities meant to improve security could lead to criminal charges.
In a document published on Jan. 13, the White House presented its legislative proposals to amend a variety of laws, including the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations (RICO) Act, to crack down on what the administration called “an unprecedented threat from rogue hackers as well as organized crime and even state actors.”
The proposed changes could make accessing public documents illegal if the owner would not have approved of the access; create stricter punishments for anyone convicted of a cyber-crime; and allow the government to seize assets linked to cyber-crimes, security researchers said.
Calling the proposals a “War on Hackers,” Robert Graham, a researcher with security firm ErrataSec, argued in a blog post that the changes would have a chilling effect on researchers’ activities.
“Obama’s proposals come from a feeling in Washington, D.C., that more needs to be done about hacking in response to massive data breaches of the last couple years,” Graham wrote. “But they are blunt political solutions, which reflect no technical understanding of the problem.”
The proposed changes to the CFAA come as many in the security community continue to criticize the Department of Justice for its zealous prosecution of Aaron Swartz, a well-known hacker and activist, for his mass downloading of academic journal articles from JSTOR. In 2012, federal prosecutors charged Swartz with 11 counts of violating the CFAA, which could have led to more than three decades of jail time and up to $1 million in fines. Swartz committed suicide on Jan. 11, 2013.
In another oft-cited case, federal prosecutors convicted Andrew “weev” Auernheimer of violating the CFAA after he found a way to collect customer information from an AT&T Website that the company had mistakenly made publicly accessible; the Third Circuit later vacated that conviction in 2014 on venue grounds without reaching the question of whether the access was unauthorized.
These two prosecutions show that the CFAA already has problems, which the Obama Administration’s proposal does not fix, Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, a digital-rights group, told eWEEK.
“One of the core problems with the statute is the whole question of what is authorization and what does it mean to exceed authorization,” he said. “And if you look at it from the standpoint of that element, it does not seem as though the government makes the law any clearer, and it seems to actually expand the problem.”
Any legislation should make sure not to punish the messenger—those white-hat researchers who are attempting to make systems more secure by pointing out vulnerabilities, Liran Tancman, CEO of security firm CyActive, told eWEEK.
“Considering motive and methods is critical,” he said. “Some researchers publish their findings because their warnings to vendors fall on deaf ears, and they are trying to warn the general public of vulnerabilities.”
In a long analysis of the proposed changes, Orin Kerr, a research professor at the George Washington University Law School, argued that the impact of the changes would be decidedly negative.
“The trend [in the courts] has been toward narrower and—to my mind—more sensible readings of the [CFAA] statute, and I’m relatively optimistic that the narrower readings will prevail if and when the Supreme Court turns to the CFAA,” Kerr argued in an article in The Washington Post. “Given that trend, the status quo mess isn’t necessarily a bad mess. It might be better to do nothing than to open up the CFAA quagmire and see what results.”