Legitimate security researchers, from bug hunters to pen-testers, are buckled in for a bumpy ride as vague language in President Obama’s proposed amendments to the Computer Fraud and Abuse Act (CFAA) is expected to be debated and sorted out as it makes its way through the legislature.
The amendments come with stiffer penalties for those convicted of hacking, with some sentences doubled and some offenses elevated to felonies.
All of this seems in reaction to a miserable stretch of data breaches starting in late 2013 and throughout 2014 culminating with the Sony hack that left a vast amount of valuable company data exposed on the Internet, workstations damaged by malware, and new questions about the ability to properly attribute attack origins.
Electronic Frontier Foundation legislative analyst Mark M. Jaycox said the language has the earmarks of the Justice Department and is similar to amendments proposed in 2011 that were quickly shot down by lawmakers.
“The answer politicians have had in the past to the question of what to do about a big hack is to increase the CFAA, regardless that the hack might already have been covered by the CFAA or mitigated by the [victim] simply patching a server,” Jaycox said. “It’s clear that technologists and computer scientists need to have more impact on policy discussions and White House proposals. Do they have a seat at the table?”
One amendment to the CFAA contains language that is a redefinition of what it means to exceed authorized access. From section six in the amendment: ” ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer (a) that the accesser is not entitled to obtain or alter; or (b) for a purpose that the accesser knows is not authorized by the computer owner.”
The amendments come with stiffer penalties for those convicted of hacking, with some sentences doubled and some convictions elevated to felonies.Tweet
Section (b) broadens the scope of the CFAA considerably.
“I think would arguably include–e.g.–documents or directories that a site owner inadvertently published to the public web that were then discovered by a security researcher, or the pages at URLs that are not linked to anywhere but that could easily be discovered by playing with addresses,” said Kevin Bankston, policy director of New America’s Open Technology Institute.
Orin Kerr, Fred C. Stevenson research professor at The George Washington University Law School, wrote yesterday in the Washington Post that the expanded definition (penalty for which would now be a felony) is problematic.
“A person might know that a purpose is not authorized because the written restriction says so. But think about how this language would apply when the prosecution is based on a norms violation,” Kerr said. “The problem is, when it comes to norms, how do you know what a computer owner has authorized? Is that just a matter of what the computer owner would say if you asked them? Something else?”
Kerr pointed to the prosecution of Andrew Auernheimer, known as Weev, who accessed and scraped user data posted by AT&T from one of its web pages. The prosecution argued that Auernheimer should have deduced that AT&T would not have wanted the data downloaded, while his lawyers argued that by posting it online, AT&T had essentially authorized access to it. Auernheimer’s case was eventually dismissed.
“More broadly, the expansion of ‘exceeding authorized access’ would seem to allow lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory,” Kerr wrote. “And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct.”
EFF’s Jaycox said prior to this amendment, data owners had to be clear about access restrictions.
“Now it’s incumbent upon the researcher who is accessing the information to know what the owner thinks,” Jaycox said. “They have essentially placed a subjective thought process on deciding what conduct is an offense. That is dangerous.”
Jaycox said there are other areas in the amendments that if ratified could give legitimate researchers pause, and “chill” security research. One in particular deals with the trafficking of passwords. As the CFAA is written, today one would have to show an intent to defraud in order to be in violation. “Intent to defraud” has been removed and a violation is no longer a misdemeanor, but a felony, Jaycox said.
“We were shocked by the proposed changes,” Jaycox said, adding that heavyweight proponents of CFAA reform, such as Sen. Ron Wyden and Rep. Jim Sensenbrenner, have called for a decrease in penalties and clarification of the law in order to bring it up to date. “They were the exact opposite of what we proposed and what we have seen proposed by advocates of common sense reform.”