
Senator Wants to Make the Computer Fraud and Abuse Act Even Easier to Abuse - DiabloD3
https://www.eff.org/deeplinks/2015/09/senator-sheldon-whitehouse-wants-make-computer-fraud-and-abuse-act-even-easier
======
protomyth
This would be Senator Sheldon Whitehouse, a Democrat from Rhode Island. Not
likely to have a viable Republican challenger so voters will probably need to
primary him out. He isn't up until 2018. He was unopposed in his 2012 primary.

~~~
jacobolus
> _voters will probably need to primary him out_

Voters are not going to dump Senator Whitehouse over this proposed amendment,
and don’t “probably need” to do anything.

First, in general Senator Whitehouse is great, I’d say among my top 10
favorite Senators (I’m from California, so not a constituent, just a fan).
Second, this EFF blog post has decontextualized and exaggerated the effects of
this change to the point of absurdity. Third, a small proportion of the
general public is worried at all about the CFAA.

~~~
protomyth
I provided the information for those that care about this type of issue.
Regardless of the accuracy of the EFF article, it should have been there on the
EFF page with potential candidates in the district / state that support the
EFF position who could make a run.

Reading the stuff over lunch, I am a bit confused over the EFF's position.

~~~
tptacek
Since Whitehouse is broadly seen as a civil rights ally, and since he won
overwhelmingly in the last election, directing time, attention, and money to a
campaign to oust him in favor of an uncertain alternative (his seat was
previously held by a Republican) seems like a dubious strategy for EFF.

------
francoisdevlin
Am I the only one that's tired of these bills showing up every 3-6 months? What
will it take to stop this type of BS for good... or is that an impossible
dream?

~~~
protomyth
Gather friends, find out the primary sponsor, and primary out / support the
other candidate next time an election cycle happens. Be very vocal and very
clear that any candidate of any party who introduces this type of bill or
toxic amendment will get the same. Do not look at any other issue or political
party affiliation. Make the politicians fear you.

~~~
tremon
And if the primary sponsor is not in your state? I'm not a US citizen, so I'm
not familiar with what "primary out" means.

~~~
protomyth
Primary Out is a term used to describe running a candidate against another to
beat them in the primary. It is generally the only recourse to elect a new
person in a district or state that will not vote for the other party. Eric
Cantor is a prime example of a candidate that was thought safe but was
defeated in a primary because a large group of people took offense to him in
his own party.

[edit: [http://www.ncsl.org/research/elections-and-campaigns/primary...](http://www.ncsl.org/research/elections-and-campaigns/primary-types.aspx)
explains primaries in various states. tldr: party selects person via primary
(various ways to vote) that gets their name on general election ballot under
that party's name]

~~~
tptacek
This is the second time you've brought up Eric Cantor. Cantor's defeat was a
historic upset that surprised all of Washington despite being the product of
the largest political activism movement of the last decade.

Which is to say that even when you've got the entire Tea Party movement at
your back, it's still so difficult to oust an incumbent in a primary that it's
shocking when it happens.

Whitehouse getting booted over CFAA is approximately as likely as Lessig
winning the Presidency.

~~~
pc86
In fairness, the reason it was shocking was the fact that Rep. Cantor was the
House Majority Leader, arguably one of the half dozen most powerful people in
the country. Not that an incumbent happened to lose in a primary.

~~~
dragonwriter
Right, and to extend that, caucus leadership positions are generally assumed
to be given to members with very secure seats, so them getting unseated in
_any_ circumstance is considered surprising.

(Though, really, it might be reasonable to suspect that they are generally
_more_ vulnerable to primary than general election challenges, unlike most
members -- they are generally people whose seats are secure _for the party_,
because that means that they aren't likely to be forced to compromise the party's
interests for their own electoral prospects, making them more attractive as
leaders. But the same effect means that they can be more vulnerable to
fragmentation _within_ the party.)

~~~
protomyth
Yep, he wasn't vulnerable in a general election, but was in a primary. There
are quite a few states and districts where this is true.

------
tptacek
It seems clear to me that it's a bad idea to amend criminal law with CISA if
anyone expects CISA to pass (reminder: CISA does not already include criminal
statutes).

But before reading Nadia Kayyali's summary, you'd be well served by reading
the actual amendment, linked at the top of the article. There are 4 proposed
offenses:

1\. "Stopping The Sale Of Americans' Financial Information"

This proposal amends the current text:

    
    
        (h) Any person who, outside the jurisdiction of the United
        States, engages in any act that, if committed within the
        jurisdiction of the United States, would constitute an
        offense under subsection (a) or (b) of this section, shall
        be subject to the fines, penalties, imprisonment, and
        forfeiture provided in this title if—
         
        (1) the offense involves an access device issued, owned,
        managed, or controlled by a financial institution, account
        issuer, credit card system member, or other entity within
        the jurisdiction of the United States; and
         
        (2) the person transports, delivers, conveys, transfers to
        or through, or otherwise stores, secrets, or holds within
        the jurisdiction of the United States, any article used to
        assist in the commission of the offense or the proceeds of
        such offense or property derived therefrom.  
    

To instead read:

    
    
        (h) Any person who, outside the jurisdiction of the United
        States, engages in any act that, if committed within the
        jurisdiction of the United States, would constitute an
        offense under subsection (a) or (b) of this section, shall
        be subject to the fines, penalties, imprisonment, and
        forfeiture provided in this title if the offense involves an
        access device issued, owned, managed, or controlled by a 
        financial institution, account issuer, credit card system member,
        or other entity organized under the laws of the United States,
        or any State, the District of Columbia, or other Territory
        of the United States.
    

Notice that the larger graf in Whitehouse's amendment is essentially (h) and
(1) combined, with a more precise definition for "entity".

I went looking for an explanation of the change and couldn't find one, but my
guess is that it solves a jurisdictional problem that prevented 18 USC 1029
from being deployed in practice.

It is also not clear how this change is "tailor-made to help indiscriminate
prosecution"; if that's the case, it seems like it must also be the case that
the original 18 USC 1029 was as well!

Kayyali is an attorney and should be able to explain the logic here.

2\. "Shutting Down Botnets"

To the existing fraud statute in 18 USC 1345, Whitehouse's amendment would add
a fourth case, following "conspiracy to defraud the US government",
"committing banking law violations", and "committing Federal health care
fraud", that would read:

    
    
        (D) violating or about to violate paragraph (1), (4), (5), or (7) of section 1030(a)
        [the CFAA] where such conduct would affect 100 or more protected computers (as defined
        in section 1030) during any 1-year period, including by denying access to or operation 
        of the computers, installing malicious software on the computers, or using the computers
        without authorization.
    

Essentially, this seems to create a new offense (presumably cross-chargeable
with the CFAA itself, like the wire fraud statutes are) of "CFAAing more than
100 computers in a year".

This seems well-intentioned but overbroad. A change from 100 to 1000 computers
might make more sense. A "knowing" standard, so that you can't be charged for
a single offense that happens to touch 100 computers you didn't know existed,
might also be helpful. It's also a fair argument that we perhaps don't need
new law to clamp down on botnets, which are probably already black-letter
illegal.

3\. "Aggravated Damage To A Critical Infrastructure Computer"

42 USC 5195 defines "critical infrastructure" as _systems and assets, whether
physical or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health or safety, or any
combination of those matters._ Whitehouse's bill would attach more severe CFAA
penalties to knowingly damaging critical infrastructure, if the attack involved
actually could have impaired critical infrastructure.

Language to this effect has been part of several proposed amendments to CFAA.

Kayyali claims this amendment is "redundant". Presumably, that's because
PATRIOT already defines "critical infrastructure" and the CFAA already
criminalizes any attacks on any computer? Otherwise, I don't see where a
statute exists that would attach greater penalties to attacks that (say) took
down the power grid, or halted trading on exchanges. The location of that
statute in existing law would be a helpful clarification for Kayyali to
provide.

Kayyali invokes CFAA's "draconian penalties". I agree: the penalty mechanism
in CFAA is egregiously broken (indeed, I think it's the only totally broken
part of CFAA). But this particular amendment seems like a poor place to make
that stand, cabined as it is on attacks that citizens in the US would
overwhelmingly want criminalized!

Remember, under Whitehouse's initial proposed language, you have to know
you're attacking the power grid, or the 911 dispatching system, or the NYSE,
_and_ the attack you employ has to be plausible.

4\. "Stopping Trafficking In Botnets"

18 USC 1030 (a)(6), part of the CFAA, currently reads:

    
    
        (6) knowingly and with intent to defraud traffics (as
        defined in section 1029) in any password or similar
        information through which a computer may be accessed without
        authorization, if—
         
        (A) such trafficking affects interstate or foreign commerce;
        or
         
        (B) such computer is used by or for the Government of the
        United States; 
    

Whitehouse would prefer it read instead:

    
    
        (6) knowing such conduct to be wrongful, intentionally trafficks
        in any password or other similar information, or any other means
        of access, further knowing or having reason to know that a 
        protected computer would be accessed or damaged without authorization
        in a manner prohibited by this section as the result of such 
        trafficking.
    

This really pissed Kayyali off, because "knowing such conduct to be wrongful"
is a phrase that appears nowhere else in the US code. That probably does mean
the language would need to be changed. However: the term "knowing" is
plastered all over the US code and has a meaning that appears to stretch all
the way back to Common Law, and "wrongful" has a legal definition ("would
expose you to criminal prosecution").

It's unclear from Kayyali's summary, but given the context, this appears to be
the basis for Kayyali's concern that the amendment will be a "threat to
security research".

Finally, I can't resist pointing out the bogus emotional appeal that leads off
Kayyali's analysis. Kayyali would like you to believe that overzealous
prosecutors can charge you under the CFAA for violating the terms of service
of a website. But of course Kayyali is aware that after _Nosal_, that
interpretation of CFAA has famously been rejected by the entire Ninth Circuit
and is now unlikely to get much oxygen elsewhere.

~~~
will_brown
I think you did about as respectful of a job of taking a position against EFF
on HN as possible. Keep in mind the EFF is a non-profit that caters to a
certain audience primarily of non-lawyers.

So phrases such as:

"The CFAA does not explain what "without authorization" actually means."

and

"The amendment would make it much easier to prosecute anyone for trafficking
in passwords or similar information through which a computer may be “accessed
without authorization.” The amendment changes the mental state required to
simply “knowing such conduct to be wrongful”"

sound plenty powerful/logical to the general public who is already inclined to
support the EFF, not realizing: 1. As you mention "knowing" and/or "knowledge"
is not just a term of art in law but an actual legal standard that has been
defined and redefined through case law (same is true of willful, and reckless
in a criminal context); and 2. All law as written (in a vacuum) has very
little interpretation until a set of facts is applied to the law where a court
may interpret the law setting precedent, much like the Nosal case you
highlighted. Just as an analogy, when talking about the 4th Amendment I could
say the Founders wanted us to be free from "unreasonable search and seizures"
and then tell the public how that is ripe for abuse because there is no
definition of "unreasonable" in the Constitution...and I would technically be
right, simultaneously ignoring 100+ years of case law which defines
unreasonable as applied in 1,000s of factual scenarios.

------
BeoShaffer
I tried to fill out the email your congressman form, but it kept telling me I
have to select an option even though I had filled out the whole thing (this
was for the Missouri variant).

------
joesmo
Any bill that proposes any type of mandatory sentencing should be defeated,
regardless of the activities it tries to criminalize. That's simply not
justice. Ideally, the bill's sponsor should be voted out of office ... and
stricken with cancer.

~~~
AnimalMuppet
> ... and stricken with cancer.

Funny, that sounds almost like you're proposing mandatory sentencing...

~~~
jessaustin
Fortunately that sentence is still in the hands of the deity/universe/etc.
Don't give those prosecutors any ideas...

