In recent months, especially in light of Aaron Swartz's suicide and Andrew 'Weev' Aurnheimer's prison sentencing, calls for reform to or disposal of the Computer Fraud and Abuses Act (CFAA) have amplified to a fever pitch. If a draft cybersecurity bill from the House Judiciary Committee is anything to go by, however, these cries for change have fallen on deaf ears.
As noted here, following Swartz's death, Rep. Zoe Lofgren proposed legislation, “Aaron’s law,” which aims to stop the government bringing disproportionate charges in cases like Swartz’s. The draft cybersecurity bill circulating on Capitol Hill since last weekend, unlike Lofgren's, appears to expand the CFAA, not limit it. TechDirt called the proposed bill "so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA."
TechDirt highlights one of the most perturbing suggested amendments includes changing the law such that "conspiring" to commit what might be crimes under the CFAA would amount to actually committing the actual acts:
Section 103 of the proposed bill makes a bunch of "changes" to the CFAA, almost all of which expand the CFAA, rather than limit it. For example, they make a small change to subsection (b) in 18 USC 1030(the CFAA) such that it will now read:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section. All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.
TechDirt also notes that the proposed bill ratchets up the penalties one can receive for CFAA infractions and makes it easier for the government to seize goods
The amended legislation would, however, adjust what it means to break the law by "exceeding authorized access" to a computer -- this is a small step in the right direction. Via TechDirt:
Under the old CFAA, "accessing a computer without authorization" and "exceeding authorized access" were lumped together as a a form of breaking the law. The new bill keeps the basic terms of accessing a computer without authorization the same and just ever so slightly trims back the "crime" of exceeding authorized access... While it's good to see them ever so slightly roll back the issue of "exceeding authorized access," it still seems broad enough that all sorts of activities that shouldn't be seen as criminal would easily get lumped in here by aggressive prosecutors.
Demand Progress, an advocacy group founded by Aaron Swartz, was swift to condemn the content of the draft bill. "This proposal is a giant leap in the wrong direction and demonstrates a disturbing lack of understanding about computers, the internet and the modern economy. Already the outdated Consumer Fraud and Abuse Act is used by overzealous lawyers to prosecute routine computer activity. If enacted this proposal could end computer security research in the United States and drive innovation and creativity overseas,” said executive director David Segal.