Aaron Swartz protesting SOPA in 2012, via Wikimedia
You've probably heard mutterings today about the massive Target data breach in which hackers stole the payment information, names, emails, and home addresses of a whopping 70 million customers. Already there are reports that the number of stolen credit cards for sale on the black market is up tenfold. Not a pretty scene.
Breaches like this are why we have laws to protect against legitimate, malicious cybercrime. But things get sticky when politicians take advantage of the fear and media buzz that follow high-profile hacks to push through overly strict legislation. That seems to be what Sen. Patrick Leahy, chair of the Senate Judiciary Committee, is attempting to do. On the heels of the Target breach he’s introduced a bill that would strengthen the already rather Draconian "anti-hacking" law to make attempted hacking a criminal offense—whether or not you complete the act.
The main focus of the proposed law is protecting private data, and the Senator's been trying to get it passed for years. The problematic section is tucked inside the bill, and concerns the infamous Computer Fraud and Abuse Act. In case you've forgotten, that's the heavy-handed anti-hacking law responsible for the controversial prosecutions of Aaron Swartz, Andrew “weev” Auernheimer, Matthew Keys, and Jeremy Hammond.
The proposal would amend the law to make “conspiring to commit or attempting to commit” unauthorized access subject to the same harsh penalties as completing the offense. It's a subtle language change that could have pretty serious implications. Already the law is berated for being overly vague and giving the government a powerful weapon to wield against electronic civil disobedience. Broadening its scope is exactly the opposite of what activists have been lobbying for.
When the CFAA was first passed in 1986, breaking into computer networks was associated with taking out global infrastructures and possibly destroying the world, a la sci-fi flicks like Hackers and Sneakers. But the vague language, which targets anyone who attempts “access without authorization” or “exceeds authorized access,” is broad enough to include offenses as innocuous as violating a website's terms and conditions. As people have frequently pointed out in attempts to curtail the law, that means that, technically, things as trivial as lying about your age on Facebook can leave you facing excessively long jail sentences—five years for a first offense, with redundant charges pushing sentences to decades.
After Swartz tragically committed suicide while facing 35 years in prison for exactly that reason, some members of Congress, with support from civil liberties groups and EFF, proposed a bill called Aaron's Law that would more clearly differentiate between minor terms of service violations and major acts of cybercrime, and make penalties more proportional to the offense. And the good news is that Senator Leahy's bill also attempts to add some clarification to this point, so that folks won’t wind up doing hard time for failing to read the fine print before logging into a website. The bill explains, “the purpose of the amendment is to prevent civil claims based on innocuous conduct.”
Still, it's disheartening to see any attempt to strengthen a law that gives the government an incredible amount of leeway to prosecute web users whose actions it doesn't particularly like. As crucial as it is to protect private data from security breaches like the one Target embarrassingly suffered last month, it shouldn't be used as a pretext to rush through yet another law that threatens civil liberties in the name of security.