President Barack Obama is widely expected to announce proposed changes to cybersecurity legislation in next week's State of the Union address, urging Congress to expand the definition of what makes a hacker a hacker—and to increase prison terms for them.
At issue is the Computer Fraud and Abuse Act (CFAA), which protects computers and cell phones from unauthorized access. The law gained notoriety in 2011 when it was used to prosecute the late activist Aaron Swartz for downloading academic articles from the digital library JSTOR, which charges for subscriptions. Swartz committed suicide in 2013 while under investigation.
The proposed changes would increase the maximum penalty for hacking into a computer "in furtherance of a state or federal crime" to 10 years in prison, twice the length of the current maximum penalty; moreover, the law would categorize "whoever... intentionally exceeds authorized access to a computer" as a hacker.
"We want cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime," Obama said Tuesday while visiting the National Cybersecurity and Communications Integration Center in Arlington, Virginia.
The proposal comes in response to this week's cyber attack on the U.S. Central Command's Twitter account and to last year's hack into Sony Pictures' computer systems. That hack released thousands of private files and documents from the company's email servers, and the White House and the Federal Bureau of Investigation blamed it on North Korea, despite little evidence.
"It just goes to show how much more work we need to do, both public and private sector, to strengthen our cybersecurity to make sure that families’ bank accounts are safe, to make sure that our public infrastructure is safe," Obama said on Wednesday.
But cybersecurity experts say the changes are phrased to prioritize the desires of a computer's owner rather than the actions of the individual using the computer—a "dangerous idea," according to George Washington University law professor and digital crime expert Orin Kerr.
"The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory," Kerr writes in the Washington Post. "And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct."
Much of the administration's language in the new proposal is worrisome, Kerr continues. Because every state already has its own unauthorized access laws that are similar to the CFAA, the proposal raises a question, Kerr says: "If Congress makes it a crime to commit an act 'in furtherance of' a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was 'in furtherance of' the second?"
"One wonders what the point is: Why not just punish the underlying felony?" Kerr says.
The Electronic Frontier Foundation similarly analyzed the president's proposals, calling them "troubling."
EFF legislative analyst Mark Jaycox and senior staff attorney Lee Tien wrote in a blog post on Tuesday:
"[T]he past two years of surveillance disclosures has shown law enforcement certainly doesn’t need more legal authorities to conduct digital surveillance or prosecute criminals. As former White House Chief Counselor for Privacy Peter Swire said in 2011, 'today [is] a golden age for surveillance.' And when it comes to increased criminalization, we've often noted the already excessive—and redundant—penalties for crimes performed with computers."
Swartz's case, Jaycox wrote in an earlier post, "was only one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred."