EFF and over a dozen other organizations are urging U.S. lawmakers to oppose a dangerous bill proposed by Sens. Sheldon Whitehouse and Lindsey Graham that would make the already-flawed Computer Fraud and Abuse Act (CFAA) worse. The joint letter sent Wednesday explains that the legislation fails to address any of the CFAA’s problems while simply creating more confusion. Although the proposal is ostensibly directed at stopping botnets, it includes various provisions that go far beyond protecting against such attacks.
The senators proposed an almost identical bill last year. And just like last year, they may try to sneak their proposal through as an amendment to the Email Privacy Act. Last year, the tried this tactic with the Cybersecurity Information Sharing Act of 2015, but they ultimately failed due to widespread opposition.
Since the death of activist and Internet pioneer Aaron Swartz three and a half years ago, people from across the political spectrum have urged Congress to reform the CFAA. It’s an outdated and draconian law, with harsh penalties for “crimes” that result in little or no economic harm. And the Justice Department has interpreted the statute’s vague language to criminalize violations of terms of use—an interpretation that turns virtually every Internet user into a criminal.
Sens. Whitehouse and Graham’s proposal will take things in the wrong direction. The CFAA should be reigned in, not expanded, to make sure it is used for the purpose originally intended by Congress: to target malicious criminals who break into computer systems and cause real harm and economic damage.
That’s why we joined our friends in asking the Senate to oppose the Whitehouse/Graham proposal—whether as a standalone bill or as an amendment to the Email Privacy Act.
You can read the full text of the letter below (footnotes omitted) or access a PDF of the original letter here.
June 1, 2016
Dear Senator,
We, the undersigned civil liberties and privacy groups, oppose the Botnet Prevention Act of 2016 (S. 2931), both as a standalone bill and an amendment to S. 356. The proposal would expand the activities covered by the Computer Fraud and Abuse Act ("CFAA") and create new authority for the government to hack computers that could result in severe collateral damage, and would give users no recourse if their systems are harmed. Without major changes, the legislation could stifle much needed security research.
The proposal would expand the existing prohibition in the CFAA against selling passwords to any “means of access.” The provision could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities. In addition, the proposal would create a broad new criminal violation and harsh penalties for damaging “critical infrastructure” computers. The scope of critical infrastructure has been broadly interpreted by the Department of Homeland Security, and because hacking associated computers is already illegal under the CFAA, such an addition is unnecessary.
Further, the proposal may empower the government to obtain injunctions to force companies to hack user devices, or allow the government itself to do the hacking. It also fails to require notice of any potential targeting of non-suspect or innocent consumers, such as botnet victims. Though the provision is ostensibly directed at stopping botnets, it could apply to a wide range of unrelated activities. For example, activist organizations frequently target for outreach hundreds of devices as part of campaign activities, but without intent to cause damage. The proposed changes, in conjunction with pending changes to Rule 41 of the Federal Rules of Criminal Procedure currently before Congress, represent a vast expansion of the scope of both government hacking and government mandated hacking in response to the threat of botnets. Given the potential impact on botnet victims, security and privacy experts have questioned the broader impact of such tactics.
Finally, the proposal fails to address ambiguity in current law that has led to the use of the CFAA to prosecute security researchers, levy disproportionate penalties, and criminalize ordinary Internet activity. The proposal will exacerbate the CFAA’s existing problems and enable prosecution of behaviors well beyond malicious computer trespasses or hacking, which were the original and appropriate targets of the CFAA.
Accordingly, we urge you to oppose the Botnet Prevention Act of 2016 in any form. If you have any questions, please contact Drew Mitnick, Policy Counsel at Access Now, who will communicate with the other signers.
Sincerely,
Access Now
Advocacy for Principled Action in Government
American Civil Liberties Union
American Library Association
Center for Democracy and Technology
Demand Progress
Electronic Frontier Foundation
Free Press Action Fund
Liberty Coalition
OpenMedia.org
R Street
Restore the Fourth
RootsAction.org
New America’s Open Technology Institute