A group of senators in Washington is trying—for the fourth time—to pass dangerous and misguided language that would amend and expand the Computer Fraud and Abuse Act (CFAA), our nation’s notoriously vague anti-hacking law. The language was first floated in 2015, then again in 2016, and again in 2018. Back in 2018, the language made up a standalone bill, the International Cybercrime Prevention Act, and the Senators have dropped that entire bill into Title IV of the Defending American Security from Kremlin Aggression Act.
Title IV is ostensibly motivated by the threat posed by botnets, but its provisions would have implications far beyond that limited context. What it actually does is unnecessarily expand the CFAA without fixing any of the law’s existing problems. The CFAA already threatens beneficial security research, and Title IV, which increases penalties, will only make that threat worse. It also creates broad new authority for the government to obtain court orders to stop violations of the CFAA, or to order third parties to do so on its behalf. This could result in severe collateral damage, yet Title IV fails to provide any protections or give users any recourse if their systems are harmed.
Senators Whitehouse, Graham, and Blumenthal have included this language as one small section in a hundred-page bill that would do a variety of other things unrelated to botnets, like create a federal department to serve as the lead policy body on issues related to international cybersecurity and Internet freedom, and amend the criminal code to target election interference. This was a bad idea when it was first introduced in 2015, and it’s still a bad idea today—no matter what packaging the senators try to put it into.
Back in 2015, when we opposed the original incarnation of this language, Senator Sheldon Whitehouse accused EFF and other civil liberties organizations of being part of a “hidden pro-botnet, pro-foreign cyber criminal caucus.” That was a ridiculous claim. We are simply well aware of how the CFAA has been abused. The CFAA is already the “worst law in technology,” and this bill would only make it worse, by making it more vague and more draconian. Fighting malicious cybercrime is a noble goal, but we should do so via well-crafted and narrowly-targeted legislation—not via a bill that will threaten beneficial cybersecurity research.
Unnecessary Expansion of the CFAA Without Fixing Any of the Law’s Existing Problems
This language would expand the existing prohibition in the CFAA against selling passwords to selling any “means of access.” Such an expansion is unnecessary and misguided. The government has claimed that this change is necessary to enable prosecution of those selling or renting botnets to malicious actors, but any such behavior would constitute conspiracy to commit a violation of the CFAA. And the CFAA’s prohibitions on unauthorized access already criminalize the creation and use of malicious botnets.
What’s more, the proposed broad language—“means of access”—is in no way limited to the sale or rental of malicious botnets. The bill fails to define “means of access,” and with no guidance, it is unclear how broadly prosecutors or courts will apply this provision. The provision could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities.
This language would also create a broad new criminal violation and harsh penalties for damaging “critical infrastructure” computers. The scope of critical infrastructure has been broadly interpreted by the Department of Homeland Security, which means these harsh penalties could have far-reaching implications—including for the security research community. And because hacking computers is already illegal under the CFAA, this amendment—and its corresponding threat to beneficial security research—is wholly unnecessary.
New Authority for the Government to Obtain Civil Injunctions to Stop Violations of the CFAA With No Protections to Avoid Collateral Damage
This language would also amend 18 U.S.C. § 1345 to give the government new authority to obtain civil injunctions to force companies to stop service, redirect domain names, or take any other actions deemed necessary to stop violations of the CFAA. Though the provision is ostensibly directed at stopping botnets, it could apply to a range of unrelated activities—such as activists who send faxes en masse to hundreds of members of Congress at once.
Significantly, this language fails to require that the government provide notice to innocent consumers who might get caught up in such takeovers, such as botnet victims, or even people who simply use the same services as botnet operators. Millions of Internet users witnessed the damage such lack of notice can cause back in 2014, when Microsoft’s attempt to stop an 18,000-node botnet resulted in termination of Domain Name Service (DNS) to nearly 5,000,000 innocent subdomains—all because Microsoft got an ex parte court order that blocked notice to the DNS provider, No-IP.com. Had the DNS provider received notice, it could have worked with Microsoft to avoid shutting off service for millions of innocent subdomains that were not a part of the botnet.
This language also provides innocent users no recourse if their systems are harmed, and allows companies that assist the government a free pass for any damage caused.
What We Really Need: Reform that Reins in the CFAA and Protects Security Researchers
EFF will oppose the senators’ misguided proposal—just like we did the last three times this zombie bill was proposed. Whatever they call it, and whatever else they try to attach to it, what we still need is reform that reins in the CFAA, not a measure that makes things worse.
The proposed changes increase penalties, expand the state’s scope, and threaten the security community—all while failing to address ambiguity in existing law that has chilled security research, resulted in disproportionate penalties, and criminalized ordinary Internet activity. In a world where everyone relies on the Internet for their personal and professional lives, Congress should be doing all it can to encourage good faith security research, which helps keep us all safe. The proposed language would do the opposite.