Proposed changes to CFAA, RICO would criminalize cybersecurity research: Critics

Published 20 January 2015

Cybersecurity professionals are concerned that the White House's proposed changes to the Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations (RICO) Act could criminalize cybersecurity research. The legislative proposals would make accessing information on a computer illegal if the owner would not have approved of the purpose, even where that information is publicly reachable; would create stricter punishments for anyone convicted of a cybercrime; and would allow the government to seize assets connected to cybercrimes. The White House also proposes making CFAA violations a "racketeering" predicate offense under RICO.


On 13 January, the Obama administration proposed to crack down on "an unprecedented threat from rogue hackers as well as organized crime and even state actors." The legislative proposals would make accessing information on a computer illegal if the owner would not have approved of the purpose, even where that information is publicly reachable; would create stricter punishments for anyone convicted of a cybercrime; and would allow the government to seize assets connected to cybercrimes. The White House also proposes making CFAA violations a "racketeering" predicate offense under RICO.

Robert Graham, a researcher with security firm ErrataSec, has called the proposals a "War on Hackers," arguing that the changes would have a chilling effect on researchers' activities. "Obama's proposals come from a feeling in Washington, D.C., that more needs to be done about hacking in response to massive data breaches of the last couple years," Graham wrote in a blog post. "But they are blunt political solutions, which reflect no technical understanding of the problem."

The White House's proposed changes to the CFAA come after a series of high-profile cyberattacks on major U.S. firms, but they also come as many in the cybersecurity community continue to criticize the Justice Department's aggressive prosecution of Aaron Swartz, a hacker-activist who bulk-downloaded academic journal articles from JSTOR over MIT's network. Swartz was charged in 2012 with eleven counts of violating the CFAA, which could have landed him more than three decades of jail time and up to $1 million in fines. Swartz committed suicide on 11 January 2013.

In another hacking case, Andrew "weev" Auernheimer was convicted of violating the CFAA after he found a way to collect the e-mail addresses of iPad owners from an AT&T Web server, where the company had mistakenly left them retrievable by anyone who guessed the right URL parameter. A federal appeals court vacated that conviction in 2014 on venue grounds, without settling the underlying question of what counts as unauthorized access.

Many cybersecurity researchers who oppose the White House’s proposals believe messengers — those researchers who attempt to make systems more secure by pointing out vulnerabilities — should not be punished. Liran Tancman, CEO of security firm CyActive, told eWeek, “considering motive and methods is critical. Some researchers publish their findings because their warnings to vendors fall on deaf ears, and they are trying to warn the general public of vulnerabilities.”

Lee Tien, a senior staff attorney with the digital-rights group the Electronic Frontier Foundation, told eWeek that the Swartz and Auernheimer prosecutions highlight major faults in the CFAA which the White House's proposals fail to solve. "One of the core problems with the statute is the whole question of what is authorization and what does it mean to exceed authorization," he said. "And if you look at it from the standpoint of that element, it does not seem as though the government makes the law any clearer, and it seems to actually expand the problem."