I have written previously about cyber security and cyber defense topics that have become more acute in the wake of several large-scale attacks on banks and other companies. Unfortunately, lawmakers in DC are reacting the only way they seem to know how: by further broadening laws that are already overreaching and yet ineffective at the same time. In particular the House Judiciary Committee is proposing changes to make the Computer Fraud and Abuse Act (CFAA) even more draconian. As a quick reminder, this is the act under which Aaron Swartz was charged.
Why is the CFAA ineffective? Because most of the attack activity comes from other jurisdictions. Yes, there is some of it here domestically but we have had relatively little problem tracking down folks and applying existing law.
Why is the CFAA overly broad already? Because it elevates terms of service violations to criminal offenses with significant jail penalties. And we all know that nobody reads the Terms of Service and that they tend to include the kitchen sink.
How is this about to get worse? The new draft makes this broadness much worse by adding the possibility of racketeering charges, making intent – not just actual breach – punishable, further increasing penalties and expanding the definition of “exceeding authorized access.” Here is a good summary of the changes.
Why does this matter? Because it is turning activities that many of us engage in nearly every day into crimes and putting a huge damper on important innovation. As an example of the former, when checking out a startup that has auto-increment ID numbers in their user URLs, I will frequently see how many users they actually have by trying out higher ID numbers. Under the CFAA this is punishable with jail time. In fact, any kind of manual change to a URL in the browser bar becomes basically illegal. Now imagine trying to build a new piece of technology that does web scraping or spidering or tries to interact with a site on behalf of a user. Basically, the CFAA makes this kind of innovation illegal.
What should you do? You should head over to FixTheCFAA and sign the petition there. You should separately pick up the phone and call your representatives directly.