Lawmakers are eyeing a draft of a cyber security bill that could impose more severe punishment for cyber crimes under the Computer Fraud and Abuse Act (CFAA).
On Monday, The Hill blog published a copy of the draft and reported that the bill was “circulating among House Judiciary Committee members.” CFAA is a federal anti-hacking statute long considered overly punitive and broad by many in the tech community.
“The bill draft would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked,” The Hill blog said. “It would also change existing law so that an attempt at a cyber crime can be punished as harshly as an actual offense.”
The cyber security bill draft proposes that not only committing a computer crime, but also conspiring to do so, would be punishable under CFAA. Racketeering (offering a fraudulent service by inciting a need for it, for instance distributing malware detection "software" that actually downloads spyware) was also added to the list of offenses punishable under CFAA.
The draft also seeks to raise the maximum sentences a judge can impose for computer crimes – for instance, the potential sentence for accessing and causing damage to a protected computer without authorization was raised from five to 10 years. “Trafficking in passwords,” or sharing login credentials to access a protected computer, would be punishable by up to 10 years in prison under the drafted bill.
Grievances with CFAA's current provisions were magnified after the January suicide of Aaron Swartz, a freedom-of-information activist and computer programmer who faced up to 35 years in prison if found guilty of computer intrusion charges levied against him in 2011.
Swartz, who was also the co-founder of social news website Reddit, allegedly accessed the network of Massachusetts Institute of Technology to download more than four million articles from academic journal database JSTOR – with the goal of making the material freely available.
Following Swartz's death, lawmakers introduced a proposed bill, called “Aaron's Law,” that would amend CFAA to exclude terms of service violations as punishable under the legislation.
Current provisions of the unnamed draft bill, which could potentially amend CFAA, are still in a discussion phase among lawmakers.
UPDATE: In a Tuesday interview with SCMagazine.com, Hanni Fakhoury, staff attorney at the Electronic Frontier Foundation, said that the draft was a "pretty dramatic expansion" from where CFAA currently stands, which "troubled" the nonprofit digital rights advocacy group.
"We've been trying to get the law narrowed and this is going in the exact opposite direction of that," Fakhoury said.
Of particular concern was the draft's proposal to make terms of service violations "explicitly criminal," he added. In April 2012, the 9th U.S. Circuit Court of Appeals in San Francisco upheld this very protection - that employees who violate their organization's user policies do not violate CFAA.
"Much of the language had previously been proposed in 2011 and had been rejected," Fakhoury said of the draft bill. "But it's back. It [would] make terms of service violations explicitly criminal, despite the fact that appellate courts have ruled in opposition."