President Obama’s proposal to update the computer fraud and abuse act could put white-hat hackers at risk of prosecution as members of organized crime, the SchmooCon hacking conference was told.
Under Obama’s proposal, simply sharing passwords with friends – something hackers do routinely - could be enough to indicate that the person doing the sharing is involved in an organized criminal activity. That would set them up for punishment under the federal law designed to prosecute crime kingpins, the racketeer influenced and corrupt organizations (RICO) act.
“It seems to criminalize sharing information that aids an attack,” Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, a Washington, D.C.-based group lobbying for Internet rights, told the SmooCon hacker conference.
So sharing passwords that are later used to commit a crime could drag the sharer into an organized-crime criminal case, he says.
The proposal would seem to affect hackers who expose flaws in software that are used to exploit systems, such as the release over the past weeks by Google researchers of holes in Microsoft software that were unpatched. “It seems to criminalize sharing information that aids an attack,” even unwittingly, Lorenzo Hall says.
He posed the possibility that someone driving a person to a coffee house where they committed an illegal hack could be considered a member of organized crime. Broadening the law would make the hacker community that tries to expose attack methods so they can be blocked more isolated, he says, afraid to share their intelligence.
The law also beefs up penalties for computer crimes already spelled out in the CFAA, increasing some from five years to 10 and upgrading some misdemeanors to felonies, he says. Some argue that these penalties are already stiff enough and perhaps too aggressive.
Lorenzo Hall referred to the case of Aaron Swartz, a hacker and online activist, who committed suicide in 2013 while facing CFAA charges and others with a maximum penalty of 35 years in prison and $1 million fines for breaking into an MIT network and downloading journal articles. The penalties need to be more proportional to the crimes, he says.
While CFAA may need revisions, they should be made with more careful thought, he says. The upside, he says, is that he thinks it likely that the Democratic president’s proposal won’t get far in a Congress with Republican majorities in both houses.