The U.S. Department of Justice asked Congress to expand the federal law it relies on to prosecute computer crimes to cover more offenses and impose stronger penalties. The proposed changes will also make it possible to prosecute people for lying online.
Congress needs to revise the Computer Fraud and Abuse Act (CFAA) and related legislation so that the DOJ can go after online criminals more effectively, Richard Downing, deputy section chief of the Computer Crimes division at the DOJ said at a Nov. 15 hearing before the House Judiciary Committee’s Subcommittee on Crime, Terrorism and Homeland Security. The proposed changes would improve cyber-security for Americans, critical infrastructure and government systems, he said.
The proposed changes to CFAA would expand the law’s scope by allowing law-enforcement officials to go after criminals trafficking user identity information other than passwords, such as biometric data and smart cards, Downing said. The CFAA was not as effective as it could be because penalties for online offenses were significantly weaker than penalties for comparable violations offline. Along with tougher penalties, the law needs to be updated to include attacks on computers other than those belonging to government and financial institutions, he said.
One of the proposed amendments to CFAA is controversial. The law must allow “prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider,” Downing said. In other words, CFAA should consider lying online, such as using a false name when signing up for a service, to be a federal crime.
“If you criminalize the use of pseudonyms online, there are profound implications socially and for the First Amendment,” Jeff Schmidt, CEO of security consultancy JAS Global Advisors, told eWEEK.
The amendment has a lot to do with the difficulties of attribution, Schmidt said. When investigators are trying to discover who was at the computer during an incident, or who was responsible for a malicious act, not being able to get the perpetrator’s real name makes the investigation a bigger challenge, he said. He didn’t think the amendment was proposed to give the CFAA more power or teeth, but rather to help investigators solve crimes.
CFAA, which criminalizes “exceeding authorized access” of a computer, was originally passed in the 1970s with a “decidedly national-security-oriented bent,” Schmidt said. Since then, a slew of amendments have transformed the CFAA into a “Swiss Army knife” that allowed federal authorities to go after a broad range of crimes since practically every crime can involve the use of a computer, he said.
The law has also been used in a number of civil lawsuits, such as when employers go after former employees who left the organization with customer lists and other sensitive data.
Orin Kerr, a law professor at George Washington University, said at the hearing that it was important to define the CFAA’s scope more narrowly so that lying online doesn’t become a federal crime.
“In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime,” Kerr said in his testimony.
The DOJ was concerned that narrowing the law to prevent this interpretation would make it difficult for law enforcement to prosecute individuals who use “their otherwise legitimate access to a computer system to engage in improper and often malicious activities,” Downing said in his testimony.
“We are concerned that that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution,” he said.
Even so, the DOJ is unlikely to waste its efforts going after trivial cases, according to Downing.
“The DOJ is in no way interested in bringing cases against people who lie about their age on dating sites, or anything of the sort. We don’t have the time or resources to do that,” he said.
While there was “validity” to the argument that prosecutors would exercise caution, Schmidt said he was more concerned about the likelihood of the law being abused in frivolous civil lawsuits brought against individuals for lying on dating profiles or social networking sites. The risk wasn’t with “federal misuse,” he said.
Former Homeland Security Department Secretary Michael Chertoff said in his testimony that too much caution would be counterproductive. “It would not be a triumph of civil liberties to keep the U.S. government from protecting computers so the Chinese government could get on our computers,” he said.
Another amendment would change the Racketeering Influenced and Corrupt Organizations (RICO) Act to include cyber-crimes that are currently listed under CFAA. People prosecuted under RICO for offline crimes generally face fines of up to $25,000 and 20 years in prison on each count. Malicious activities directed at the confidentiality, integrity and availability of computers should be covered under RICO, according to the DOJ.