Here comes another dangerous expansion of government power online
Their latest proposal is ostensibly directed at stopping botnets. It’s even named it the “Botnet Prevention Act of 2016.” But the bill includes various provisions that go far beyond protecting against attacks by zombie computers:
First, the bill would expand the CFAA’s existing prohibition against selling passwords to trafficking in any “means of access.” The broadening is unnecessary and misguided, as other statutes—like the U.S. code section concerned fraud in connection with access devices—already cover what the authors seem to be targeting. The bill also doesn’t define “means of access,” another sign of its poor drafting. With no guidance, it’s unclear how broadly prosecutors or courts will apply this provision. The provision could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities.
Second, the bill empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What’s worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims. It’s understandable that the government does not want to tip off potential suspects, but those not suspected of committing any crime should be notified when their computers are part of a criminal investigation.
Third, the bill would create a new felony offense of damaging “critical infrastructure.” But this conduct, too, is already captured under the CFAA’s existing provisions. The section is yet another classic example of overcriminalization and redundancy—especially at a time when Congress is debating a significant decriminalization bill. And although “critical infrastructure” may sound limited, the definition in the bill tracks the Department of Homeland Security’s definition, which includes software companies and ISPs. Plus, given the provision’s steep penalties and limits on judges’ discretion to reduce sentences or allow sentences to run concurrently (rather than back-to-back), it will simply give prosecutors even more leverage to force defendants into plea deals.
These changes would only increase—not alleviate—the CFAA’s harshness, overbreadth, and confusion.
As noted, this isn’t the Senators’ first attempt to take the CFAA in the wrong direction. Last year, they tried to slip similarly terrible measures through Congress via an amendment to the notoriousCybersecurity Information Sharing Act of 2015 (CISA). Sen. Whitehouse and Graham’s proposal was ultimately not included in CISA, which Whitehouse blamed on the “pro-botnet” caucus, but in reality, it’s because a lot of people—including a lot of EFF supporters—spoke out against the egregious CFAA amendment.
The Senators’ proposal has no grounding in what would actually keep us—or our computers—safe. Rather, it seems motivated by the same vague fears of a hypothetical computer takeover that overtook Congress (after watching a clip from WarGames) back in 1986. In that way, Whitehouse and Graham may be keeping true to the CFAA’s roots. But now it’s time to focus on reality.