Computer-security researchers fear President Barack Obama’s proposed changes to federal hacking laws could put them out of business, could make computers less secure overall, and could put some of them — and maybe even you — in prison.
“Under the new proposal, sharing your HBO GO password with a friend would be a felony,” Nate Cardozo, an attorney with the Electronic Frontier Foundation in San Francisco, told an audience of researchers and IT pros Saturday (Jan. 17) at ShmooCon 2015, a security conference held annually in Washington, D.C.
Obama showcased the proposals in his State of the Union address Wednesday night (Jan. 20). The changes to the Computer Fraud and Abuse Act (CFAA), first implemented in 1984, might make many commonplace security-research practices — and media reporting on those practices — federal crimes. Even sharing passwords for online accounts would potentially be punishable.
“Believe what you’ve heard” about Obama’s proposals, Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, warned this past Friday (Jan. 16) at ShmooCon 2015.
The proposed changes to the CFAA and related laws, posted online by the White House early last week, would broaden the definition of computer crime and stiffen penalties for existing crimes, including doubling the maximum penalty for many violations from 10 years to 20 years.
The changes would also subject computer fraud to the Racketeer Influenced and Corrupt Organizations Act (RICO) of 1970 — a law designed to charge Mafia bosses with crimes committed by their underlings, but now broadly applied in both criminal and civil cases against all manner of organizations.
The RICO addition is likely directed at the type of organized cybercrime that emanates from Russia and other former Soviet-bloc countries, but if it becomes law, it could just as easily be applied to anyone affiliated with any kind of suspected hacking group.
“Even if you don’t do any of this, you can still be guilty if you hang around with people who do,” said Robert Graham, CEO of Errata Security in Atlanta, in a blog posting last Wednesday (Jan. 14). “Hanging out in an IRC chat room giving advice to people now makes you a member of a ‘criminal enterprise,’ allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.”
Throw Steve Jobs in jail
The White House proposal also places electronic “intercepting devices” in the same category as terrorist weapons training and chemical weapons, making their “manufacture, distribution, possession and advertising” a crime. Any such devices, and property bought with the proceeds from the sale of such devices, would be subject to seizure.
But while the heading of that section implies that its target is “spying devices,” the legal language never specifies exactly what such an intercepting device might be. A regular laptop running Firefox with the Wi-Fi-sniffing Firesheep extension might qualify — as would the “blue boxes” for making free long-distance telephone calls that Steve Jobs and Steve Wozniak sold to fellow college students before they built the first Apple computer.