DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Heads Up Internet: Time to Kill Another Dangerous CFAA Bill

Posted on May 26, 2016 by Dissent

Jamie Williams writes:

The Computer Fraud and Abuse Act (CFAA), the federal “anti-hacking” statute, is long overdue for reform. The 1986 law—which was prompted in part by fear generated by the 1983 techno­thriller WarGames—is vague, draconian, and notoriously out of touch with how we use computers today. Unfortunately, Sens. Sheldon Whitehouse and Lindsey Graham are on a mission to make things worse. They’ve proposed (for the second time) legislation that fails to address any of the CFAA’s problems while simply creating more confusion. And they may try to sneak their proposal through as an amendment to the Email Privacy Act—the very same sneaky tactic they tried last year.

Their latest proposal is ostensibly directed at stopping botnets. It’s even named it the “Botnet Prevention Act of 2016.” But the bill includes various provisions that go far beyond protecting against attacks by zombie computers:

First, the bill would expand the CFAA’s existing prohibition against selling passwords to trafficking in any “means of access.” The broadening is unnecessary and misguided, as other statutes—like the U.S. code section concerned fraud in connection with access devices—already cover what the authors seem to be targeting. The bill also doesn’t define “means of access,” another sign of its poor drafting. With no guidance, it’s unclear how broadly prosecutors or courts will apply this provision. The provision could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities.

Second, the bill empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What’s worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims. It’s understandable that the government does not want to tip off potential suspects, but those not suspected of committing any crime should be notified when their computers are part of a criminal investigation.

Third, the bill would create a new felony offense of damaging “critical infrastructure.” But this conduct, too, is already captured under the CFAA’s existing provisions. The section is yet another classic example of overcriminalization and redundancy—especially at a time when Congress is debating a significant decriminalization bill. And although “critical infrastructure” may sound limited, the definition in the bill tracks the Department of Homeland Security’s definition, which includes software companies and ISPs. Plus, given the provision’s steep penalties and limits on judges’ discretion to reduce sentences or allow sentences to run concurrently (rather than back-to-back), it will simply give prosecutors even more leverage to force defendants into plea deals.

These changes would only increase—not alleviate—the CFAA’s harshness, overbreadth, and confusion.

As noted, this isn’t the Senators’ first attempt to take the CFAA in the wrong direction. Last year, they tried to slip similarly terrible measures through Congress via an amendment to the notorious Cybersecurity Information Sharing Act of 2015 (CISA). Sen. Whitehouse and Graham’s proposal was ultimately not included in CISA, which Whitehouse blamed on the “pro-botnet” caucus, but in reality, it’s because a lot of people—including a lot of EFF supporters—spoke out against the egregious CFAA amendment.

The Senators’ proposal has no grounding in what would actually keep us—or our computers—safe. Rather, it seems motived by the same vague fears of a hypothetical computer takeover that overtook Congress (after watching a clip from WarGames) back in 1986. In that way, Whitehouse and Graham may be keeping true to the CFAA’s roots. But now it’s time to focus on reality.

Just as last year, EFF will oppose the Senators’ proposal—in whatever form it takes. What we need is reform that reigns in the CFAA, not a measure that makes things worse.

SOURCE: EFF.org


Related:

  • The day after XSS.is forum was seized, it struggles to come back online -- but is it really them?
  • Korea imposes 343 million won penalty on HAESUNG DS for data breach of 70,000 shareholders
  • Paying cyberattackers is wrong, right? Should Taos County's incident be an exception? (1)
  • IVF provider Genea notifies patients about the cyberattack earlier this year.
  • Key figure behind major Russian-speaking cybercrime forum targeted in Ukraine
  • Legal Silence and Chilling Effects: Injunctions Against the Press in Cybersecurity
Category: Commentaries and AnalysesFederalOf Note

Post navigation

← 8th Circuit Upholds Data Breach Coverage for Bank Loss Following Hacker’s Fraudulent Transfer
NI Prison Service: data breach ‘not serious security threat’ →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard
  • Trump Administration Issues AI Action Plan and Series of AI Executive Orders
  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.