Computer-security researchers fear President Barack Obama’s proposed changes to federal hacking laws could put them out of business, could make computers less secure overall, and could put some of them — and maybe even you — in prison.
"Under the new proposal, sharing your HBO GO password with a friend would be a felony," Nate Cardozo, an attorney with the Electronic Frontier Foundation in San Francisco, told an audience of researchers and IT pros Saturday (Jan. 17) at ShmooCon 2015, a security conference held annually in Washington, D.C.
Obama showcased the proposals in his State of the Union address Wednesday night (Jan. 20). The changes to the Computer Fraud and Abuse Act (CFAA), first implemented in 1984, might make many commonplace security-research practices — and media reporting on those practices — federal crimes. Even sharing passwords for online accounts would potentially be punishable.
"Believe what you’ve heard" about Obama’s proposals, Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, warned this past Friday (Jan. 16) at ShmooCon 2015.
The proposed changes to the CFAA and related laws, posted online by the White House early last week, would broaden the definition of computer crime and stiffen penalties for existing crimes, including doubling the maximum penalty for many violations from 10 years to 20 years.
Hacker gangsters
It would also subject computer fraud to the Racketeer Influenced and Corrupt Organizations Act (RICO) of 1970 — a law designed to charge Mafia bosses with crimes committed by their underlings, but now broadly applied in both criminal and civil cases against all manner of organizations.
The RICO addition is likely directed at the type of organized cybercrime that emanates from Russia and other former Soviet-bloc countries, but if it becomes law, it could just as easily be applied to anyone affiliated with any kind of suspected hacking group.
"Even if you don’t do any of this, you can still be guilty if you hang around with people who do," said Robert Graham, CEO of Errata Security in Atlanta, in a blog posting last Wednesday (Jan. 14). “Hanging out in an IRC chat room giving advice to people now makes you a member of a ‘criminal enterprise,’ allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.”
Throw Steve Jobs in jail
The White House proposal also places electronic “intercepting devices” in the same category as terrorist weapons training and chemical weapons, making their “manufacture, distribution, possession and advertising” a crime. Any such devices, and property bought with the proceeds from the sale of such devices, would be subject to seizure.
But while the heading of that section implies that its target is “spying devices,” the legal language never specifies exactly what such an intercepting device might be. A regular laptop running Firefox with the Wi-Fi sniffing Firesheep extension might qualify — as would the “blue boxes” for making free long-distance telephone calls that Steve Jobs and Steve Wozniak sold to fellow college students before they built the first Apple computer.
"Had hacking laws been around [then]," Graham wrote, "the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices."
If you click this, you might be a criminal
To illustrate the unwanted consequences of Obama’s proposal, Graham created a hypothetical scenario.
"Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://www.nytimes.com/i/employees.txt," he tweeted last Wednesday (Jan. 14).
That wasn’t true — the New York Times didn’t suffer such a breach.
"This is a fictional tweet, to show how retweeting/clicking a link like this can be illegal under Obama’s proposed laws," Graham added.
Yet lists of stolen login credentials from similar breaches are often posted in public forums online — and subsequently linked to by security researchers discussing the breaches and media outlets covering the news.
In his own tweet Wednesday (Jan. 20), EFF’s Cardozo linked to a real story on TechCrunch listing the “worst passwords of 2014,” then pointed out that what he’d done could be felonious.
"Under the DOJ’s CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That’s insane," Cardozo wrote.
If you know you shouldn’t do it, then it’s illegal
The CFAA is built on the concept that “unauthorized access” or “exceeding authorized access” to certain classes of “protected computers” is a crime under certain circumstances. The White House proposal removes the existing qualifications that the accessed computer has to contain financial, personal or government information.
The proposal also expands the definition of acts that “exceed authorized access” to include “for a purpose that the accesser knows is not authorized by the computer owner.” It removes the monetary motive necessary to make unauthorized access a crime by substituting the qualification of “intent to defraud” with the act of merely “willfully” accessing a computer. The proposal adds that “the term ‘willfully’ means intentionally to undertake an act that the person knows to be wrongful.”
Computer-law experts at ShmooCon called those changes the “Weev clause,” after Andrew “Weev” Auernheimer, convicted in 2012 for copying email addresses from hidden pages on an AT&T website. The defense argued that the pages were publicly accessible; the prosecution said Auernheimer should have known that what he did was illegal. (The conviction was later overturned for technical reasons.)
Orin Kerr, a nationally recognized expert on computer law, said in a blog post last week that such broadened language may only make an already vague law even more unclear.
"If your employer has a policy that ‘company computers can be accessed only for work-related purposes,’ and you access the computer for personal reasons, then you presumably would be accessing the computer for a purpose that you know the employer has not allowed," Kerr wrote. "The expansion of ‘exceeding authorized access’ would seem to allow lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory."
Such ambiguity may do nothing to clear up confusion about terms-of-service (ToS) agreements, the legal contracts to which users of most online services must adhere. Some courts have ruled that violations of terms-of-service agreements are violations of the CFAA, and hence crimes.
"The terms of service of the Seventeen magazine website says you have to be 18 to read it," Cardozo said at ShmooCon. "Anyone who is actually 17 and reading Seventeen online would be committing a crime."
"Are ToS violations on government computers a felony?" wondered Hall. "Does that include going over the allocated time limit at a computer at a public library?"
Undermining the future
Josh Corman, a prominent security researcher who leads I Am the Cavalry, a volunteer effort by like-minded pros to beef up security on the flood of Internet-connected “smart” devices, said it was ironic that Obama’s proposals are coming right now.
"Just as we get people interested in vulnerabilities in the Internet of Things,” Corman told Tom’s Guide at ShmooCon, “along comes this revision to the CFAA that makes it harder for us to find those vulnerabilities.”
Because much of computer-security research involves attacking protected systems in order to find chinks in the armor, the researchers worry that their work will have to be restricted and that overall information security will dry up. As a result, the computers, smartphones and other connected gadgets we use every day will no longer be as well tested for security vulnerabilities.
In the past two weeks, Google has disclosed three previously unknown bugs in Microsoft Windows, against Microsoft’s wishes. Obama’s CFAA revision might make such disclosures illegal, because they could constitute trafficking a “means of access” that Google researchers would “[know] or [have] reason to know that a protected computer would be accessed or damaged without authorization.”
"The most important innovators this law would affect are the cybersecurity professionals that protect the Internet," Graham wrote. "If you care about things such as ‘national security’ and ‘cyberterrorism,’ then this should be your biggest fear."