The Hill reports that a draft of language to reform the CFAA is being circulated among House Judiciary Committee members for feedback:
A draft cybersecurity bill circulating among House Judiciary Committee members would stiffen a computer hacking law used to bring charges against Internet activist Aaron Swartz. The bill draft would tighten penalties for cyber crimes and establish a standard for when companies would have to notify consumers that their personal data has been hacked, according to a copy obtained by The Hill.
It would also change existing law so that an attempt at a cyber crime can be punished as harshly as an actual offense.
Such measures could spark concern among advocates outraged over the death of Swartz, the 26-year-old Internet activist and computer programmer who killed himself earlier this year while facing a possible 35-year prison term for hacking. Advocates have called on Congress to make changes to what they say is a draconian law that led to too harsh a prosecution of Swartz.
. . . It’s unclear which Judiciary members are sponsoring the draft bill, which is unnamed. A House Judiciary Committee aide said the bill is still in the early drafting stage and is being circulated to stakeholders for their feedback on possible changes.
They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)
In some ways, the new circulating language is even more severe and harsh than DOJ wanted even in the Lori Drew case. For example, the proposed language would make it a felony crime to violate Terms of Service if the TOS violation:
(I) involves information that exceeds $5,000 in value;
(II) was committed for purposes of obtaining sensitive or non-public information of an entity or another individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, photographs of a sensitive or private nature, trade secrets, or sensitive or non-public commercial business information;
(III) was committed in furtherance of any criminal act in violation United States or of any State, unless such state violation would be based solely on the obtaining of information without authorization or in excess of authorization; or
(IV) involves information obtained from a computer used by or for a government entity;
This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.
In short, this is a step backward, not a step forward. This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it.
Or at least that’s how it seems to me based on a quick read. If I am misreading something, which is always possible when in a hurry, I hope readers will point that out in the comment thread; I’ll be offline for a few hours for Passover but I’ll plan on posting updates/corrections later tonight if necessary.