
President Barack Obama's new cybersecurity proposal would increase penalties and expand the definition of hackers. (Photo: powtac/flickr/cc)
President Barack Obama is widely expected to announce proposed changes to cybersecurity legislation in next week's State of the Union address, urging Congress to expand the definition of what makes a hacker a hacker--and to increase prison terms for them.
At issue is the Computer Fraud and Abuse Act (CFAA), which protects computers and cell phones from unauthorized access. The law gained notoriety in 2011 when it was used to prosecute the late activist Aaron Swartz for downloading academic articles from the digital library JSTOR, which charges for subscriptions. Swartz committed suicide in 2013 while under investigation.
The proposed changes (pdf) would increase the maximum penalty for hacking into a computer "in furtherance of a state or federal crime" to 10 years in prison, twice the length of the current maximum penalty; moreover, the law would categorize "whoever... intentionally exceeds authorized access to a computer" as a hacker.
"We want cybercriminals to feel the full force of American justice, because they are doing as much damage--if not more, these days--as folks who are involved in more conventional crime," Obama said Tuesday while visiting the National Cybersecurity and Communications Integration Center in Arlington, Virginia.
The proposal comes as a response to this week's cyber attack on the U.S. Central Command's Twitter account, as well as last year's hack into Sony Pictures' computer systems, which released thousands of private files and documents from the company's email servers and which the White House and the Federal Bureau of Investigation blamed on North Korea, despite little evidence.
"It just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families' bank accounts are safe, to make sure that our public infrastructure is safe," Obama said on Wednesday.
But cybersecurity experts say the changes are phrased to prioritize the desires of a computer's owner rather than the actions of the individual using the computer--a "dangerous idea," according to George Washington University law professor and digital crime expert Orin Kerr.
"The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory," Kerr writes in the Washington Post. "And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct."
Much of the administration's language in the new proposal is worrisome, Kerr continues. Because every state already has its own unauthorized access laws that are similar to the CFAA, the proposal raises a question, Kerr says: "If Congress makes it a crime to commit an act 'in furtherance of' a different crime, does the existence of overlapping crimes mean that a person's conduct violates the first crime because it was 'in furtherance of' the second?"
"One wonders what the point is: Why not just punish the underlying felony?" Kerr says.
The Electronic Frontier Foundation similarly analyzed the president's proposals, calling them "troubling."
EFF legislative analyst Mark Jaycox and senior staff attorney Lee Tien wrote in a blog post on Tuesday:
"[T]he past two years of surveillance disclosures has shown law enforcement certainly doesn't need more legal authorities to conduct digital surveillance or prosecute criminals. As former White House Chief Counselor for Privacy Peter Swire said in 2011, 'today [is] a golden age for surveillance.' And when it comes to increased criminalization, we've often noted the already excessive--and redundant--penalties for crimes performed with computers."
Swartz's case, Jaycox wrote in an earlier post, "was only one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred."