Yesterday, President Obama announced plans to “modernize” laws supposed to protect innocents from cyber attacks like the one that tore Sony Pictures apart towards the end of last year. But according to security experts, the proposed legislation could be used against anyone with the slightest link to digital crime.
Central to the problems with the recommended updates to the Computer Fraud and Abuse Act (CFAA) are vague terms that could easily be interpreted to prosecute innocents, no matter how weak their links to actual criminal activity. Anyone who “intentionally exceeds authorized access to a protected computer, and thereby obtains information from such computer” could be charged. That sounds acceptable on first inspection, but the definition of “exceeds authorized access” includes using a computer with proper authorization “to obtain or alter information” the relevant party is not entitled to look at, “or for a purpose that the accesser knows is not authorized by the computer owner”.
This muddled legalese would seemingly allow for very broad application by lawyers. Rob Graham, from Errata Security, suggested anyone clicking on a link to leaked data would be deemed in breach of the law. If this was applied to those who rummaged through Sony Pictures’ data, leaked after a catastrophic attack in November, thousands could have been arrested, including your reporter.
But even those who send a link to certain kinds of information, or transmit passwords that aren’t their own, would likely break the CFAA too. Any party who “knowingly and willfully” sent a “password or similar information, or any other means of access” to a computer, “knowing or having reason to know that a protected computer would be accessed or damaged without authorization” would have committed an illegal act, under Obama’s proposals.
Another of Obama’s recommendations could see offenses covered by the CFAA included in prosecutions under the Racketeering Influenced and Corrupt Organizations Act. According to Graham, just being linked to a hacker group would land you in danger of a 20-year prison sentence. As many innocent researchers and interested parties hang around in the same chatrooms and forums as criminal hackers, this could again ensnare many who don’t deserve to have their online activities criminalised.
The US government has seemingly offered some compromises, one being the addition that only those who illegally obtained information worth more than $5,000 could be prosecuted. That should lead to limits on the number of those who could be charged for, say, sending a link to leaked passwords. But it’s easy to ratchet up the value of data, especially if the information provides access to accounts. Not to mention the increase of a maximum penalty for circumventing access controls from five to ten years.
All this isn’t dissimilar from what the law says in the UK. For instance, under the Computer Misuse Act, those who access material they “know” they haven’t been authorised to see can be hit with a six-month jail sentence or a £5000 fine. “It was considered poorly thought through at the time… The US is just proposing the same thing. I wish there were more digitally literate folk in parliament,” said Professor Alan Woodward, a security expert from the University of Surrey.
The CFAA has already caused plenty of consternation amongst professional hackers, better known as penetration testers, who seek to find weaknesses in digital tools to encourage speedy resolutions. Forbes has previously heard complaints from the security community that researchers have been threatened with legal action for simply doing their job. “Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open-door for nation-state hackers and the real cybercriminals,” Graham said.
“If this comes true, it’s going to have a devastating effect on the offensive security industry, as developing or even just being in possession of a copy of a security testing tool such as Metasploit could potentially be interpreted as conspiracy to commit a crime,” added Andreas Lindh, a consultant for I Secure Sweden.
Others are a little less pessimistic. Jon Oberheide, co-founder of Duo Security, said he didn’t believe the changes would have “a significant impact on researchers’ ability or appetite to do what they do”. “Cyber security law is out-dated and already has a lot of grey area. But the written letter of the law is a minor aspect compared to how that law is put into practice and prosecuted. Security researchers care much more about the implementation of the law than the text,” he told Forbes. “After all, we make a living poking holes in implementations, even if they have secure designs. So unless security researchers start being prosecuted, I don’t think many will blink.”
A number of high profile cases have tested the adequacy of the CFAA. The late freedom of speech and open internet activist Aaron Swartz was prosecuted for downloading files from the Massachusetts Institute of Technology (MIT) he believed should have been open to all. Defenders of Barrett Brown believe he has been kept in jail for simply copying a link related to the breach of US government contractor Stratfor from one chatroom to another.
The security community had hoped the Obama administration would bring more context into hacking laws so researchers and other innocents weren’t implicated by simply going about their normal online lives. But with the stalling of Aaron’s Law, a bill named after Swartz that was supposed to rethink cyber legislation in favour of legitimate research and freedom of information, those hopes had started to fade as of summer 2014. With Obama’s proposals, security professionals’ optimism has all but evaporated. “In short, President Obama’s War on Hackers is a bad thing, creating a Cyber Police State,” added Graham.