Obama to Urge Expanded Prison Terms, Definitions for Hackers
Cybersecurity experts doubt new proposals as 'dangerous,' 'troubling'
President Barack Obama is widely expected to announce proposed changes to cybersecurity legislation in next week's State of the Union address, urging Congress to expand the definition of what makes a hacker a hacker--and to increase prison terms for them.
At issue is the Computer Fraud and Abuse Act (CFAA), which protects computers and cell phones from unauthorized access. The law gained notoriety in 2011 when it was used to prosecute the late activist Aaron Swartz for downloading academic articles from the digital library JSTOR, which charges for subscriptions. Swartz committed suicide in 2013 while under investigation.
The proposed changes (pdf) would increase the maximum penalty for hacking into a computer "in furtherance of a state or federal crime" to 10 years in prison, twice the length of the current maximum penalty; moreover, the law would categorize "whoever... intentionally exceeds authorized access to a computer" as a hacker.
"We want cybercriminals to feel the full force of American justice, because they are doing as much damage--if not more, these days--as folks who are involved in more conventional crime," Obama said Tuesday while visiting the National Cybersecurity and Communications Integration Center in Arlington, Virginia.
The proposal comes as a response to this week's cyber attack on the U.S. Central Command's Twitter account, as well as last year's hack into Sony Pictures' computer systems, which released thousands of private files and documents from the company's email servers and which the White House and the Federal Bureau of Investigation blamed on North Korea, despite little evidence.
"It just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families' bank accounts are safe, to make sure that our public infrastructure is safe," Obama said on Wednesday.
But cybersecurity experts say the changes are phrased to prioritize the desires of a computer's owner rather than the actions of the individual using the computer--a "dangerous idea," according to George Washington University law professor and digital crime expert Orin Kerr.
"The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory," Kerr writes in Washington Post. "And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct."
Much of the administration's language in the new proposal is worrisome, Kerr continues. Because every state already has its own unauthorized access laws that are similar to the CFAA, the proposal raises a question, Kerr says: "If Congress makes it a crime to commit an act 'in furtherance of' a different crime, does the existence of overlapping crimes mean that a person's conduct violates the first crime because it was 'in furtherance of' the second?"
"One wonders what the point is: Why not just punish the underlying felony?" Kerr says.
The Electronic Frontier Foundation similarly analyzed the president's proposals, calling them "troubling."
EFF legislative analyst Mark Jaycox and senior staff attorney Lee Tien wrote in a blog post on Tuesday:
"[T]he past two years of surveillance disclosures has shown law enforcement certainly doesn't need more legal authorities to conduct digital surveillance or prosecute criminals. As former White House Chief Counselor for Privacy Peter Swire said in 2011, "today [is] a golden age for surveillance. And when it comes to increased criminalization, we've often noted the already excessive--and redundant--penalties for crimes performed with computers.
Swartz's case, Jaycox wrote in an earlier post, "was only of one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred."
Urgent. It's never been this bad.
Dear Common Dreams reader, It’s been nearly 30 years since I co-founded Common Dreams with my late wife, Lina Newhouser. We had the radical notion that journalism should serve the public good, not corporate profits. It was clear to us from the outset what it would take to build such a project. No paid advertisements. No corporate sponsors. No millionaire publisher telling us what to think or do. Many people said we wouldn't last a year, but we proved those doubters wrong. Together with a tremendous team of journalists and dedicated staff, we built an independent media outlet free from the constraints of profits and corporate control. Our mission from the outset was simple. To inform. To inspire. To ignite change for the common good. Building Common Dreams was not easy. Our survival was never guaranteed. When you take on the most powerful forces—Wall Street greed, fossil fuel industry destruction, Big Tech lobbyists, and uber-rich oligarchs who have spent billions upon billions rigging the economy and democracy in their favor—the only bulwark you have is supporters who believe in your work. But here’s the urgent message from me today. It’s never been this bad out there. And it’s never been this hard to keep us going. At the very moment Common Dreams is most needed and doing some of its best and most important work, the threats we face are intensifying. Right now, with just three days to go in our Spring Campaign, we're falling short of our make-or-break goal. When everyone does the little they can afford, we are strong. But if that support retreats or dries up, so do we. Can you make a gift right now to make sure Common Dreams not only survives but thrives? There is no backup plan or rainy day fund. There is only you. —Craig Brown, Co-founder |
President Barack Obama is widely expected to announce proposed changes to cybersecurity legislation in next week's State of the Union address, urging Congress to expand the definition of what makes a hacker a hacker--and to increase prison terms for them.
At issue is the Computer Fraud and Abuse Act (CFAA), which protects computers and cell phones from unauthorized access. The law gained notoriety in 2011 when it was used to prosecute the late activist Aaron Swartz for downloading academic articles from the digital library JSTOR, which charges for subscriptions. Swartz committed suicide in 2013 while under investigation.
The proposed changes (pdf) would increase the maximum penalty for hacking into a computer "in furtherance of a state or federal crime" to 10 years in prison, twice the length of the current maximum penalty; moreover, the law would categorize "whoever... intentionally exceeds authorized access to a computer" as a hacker.
"We want cybercriminals to feel the full force of American justice, because they are doing as much damage--if not more, these days--as folks who are involved in more conventional crime," Obama said Tuesday while visiting the National Cybersecurity and Communications Integration Center in Arlington, Virginia.
The proposal comes as a response to this week's cyber attack on the U.S. Central Command's Twitter account, as well as last year's hack into Sony Pictures' computer systems, which released thousands of private files and documents from the company's email servers and which the White House and the Federal Bureau of Investigation blamed on North Korea, despite little evidence.
"It just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families' bank accounts are safe, to make sure that our public infrastructure is safe," Obama said on Wednesday.
But cybersecurity experts say the changes are phrased to prioritize the desires of a computer's owner rather than the actions of the individual using the computer--a "dangerous idea," according to George Washington University law professor and digital crime expert Orin Kerr.
"The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory," Kerr writes in Washington Post. "And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct."
Much of the administration's language in the new proposal is worrisome, Kerr continues. Because every state already has its own unauthorized access laws that are similar to the CFAA, the proposal raises a question, Kerr says: "If Congress makes it a crime to commit an act 'in furtherance of' a different crime, does the existence of overlapping crimes mean that a person's conduct violates the first crime because it was 'in furtherance of' the second?"
"One wonders what the point is: Why not just punish the underlying felony?" Kerr says.
The Electronic Frontier Foundation similarly analyzed the president's proposals, calling them "troubling."
EFF legislative analyst Mark Jaycox and senior staff attorney Lee Tien wrote in a blog post on Tuesday:
"[T]he past two years of surveillance disclosures has shown law enforcement certainly doesn't need more legal authorities to conduct digital surveillance or prosecute criminals. As former White House Chief Counselor for Privacy Peter Swire said in 2011, "today [is] a golden age for surveillance. And when it comes to increased criminalization, we've often noted the already excessive--and redundant--penalties for crimes performed with computers.
Swartz's case, Jaycox wrote in an earlier post, "was only of one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred."
President Barack Obama is widely expected to announce proposed changes to cybersecurity legislation in next week's State of the Union address, urging Congress to expand the definition of what makes a hacker a hacker--and to increase prison terms for them.
At issue is the Computer Fraud and Abuse Act (CFAA), which protects computers and cell phones from unauthorized access. The law gained notoriety in 2011 when it was used to prosecute the late activist Aaron Swartz for downloading academic articles from the digital library JSTOR, which charges for subscriptions. Swartz committed suicide in 2013 while under investigation.
The proposed changes (pdf) would increase the maximum penalty for hacking into a computer "in furtherance of a state or federal crime" to 10 years in prison, twice the length of the current maximum penalty; moreover, the law would categorize "whoever... intentionally exceeds authorized access to a computer" as a hacker.
"We want cybercriminals to feel the full force of American justice, because they are doing as much damage--if not more, these days--as folks who are involved in more conventional crime," Obama said Tuesday while visiting the National Cybersecurity and Communications Integration Center in Arlington, Virginia.
The proposal comes as a response to this week's cyber attack on the U.S. Central Command's Twitter account, as well as last year's hack into Sony Pictures' computer systems, which released thousands of private files and documents from the company's email servers and which the White House and the Federal Bureau of Investigation blamed on North Korea, despite little evidence.
"It just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families' bank accounts are safe, to make sure that our public infrastructure is safe," Obama said on Wednesday.
But cybersecurity experts say the changes are phrased to prioritize the desires of a computer's owner rather than the actions of the individual using the computer--a "dangerous idea," according to George Washington University law professor and digital crime expert Orin Kerr.
"The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory," Kerr writes in Washington Post. "And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct."
Much of the administration's language in the new proposal is worrisome, Kerr continues. Because every state already has its own unauthorized access laws that are similar to the CFAA, the proposal raises a question, Kerr says: "If Congress makes it a crime to commit an act 'in furtherance of' a different crime, does the existence of overlapping crimes mean that a person's conduct violates the first crime because it was 'in furtherance of' the second?"
"One wonders what the point is: Why not just punish the underlying felony?" Kerr says.
The Electronic Frontier Foundation similarly analyzed the president's proposals, calling them "troubling."
EFF legislative analyst Mark Jaycox and senior staff attorney Lee Tien wrote in a blog post on Tuesday:
"[T]he past two years of surveillance disclosures has shown law enforcement certainly doesn't need more legal authorities to conduct digital surveillance or prosecute criminals. As former White House Chief Counselor for Privacy Peter Swire said in 2011, "today [is] a golden age for surveillance. And when it comes to increased criminalization, we've often noted the already excessive--and redundant--penalties for crimes performed with computers.
Swartz's case, Jaycox wrote in an earlier post, "was only of one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred."