In the week leading up to the recent State of the Union address, President Barack Obama proposed changes to the Computer Fraud and Abuse Act (CFAA). These changes come in the wake of the Sony Pictures Entertainment hack and aim to enhance penalties for hacking, broaden the legal definition of unauthorized access, and extend the racketeering laws to cover online hacking groups.
These changes quickly came under fire from activists, security professionals, and members of Congress. Many view them as an obvious step backward that may make a law that is already broad, unusable, unclear, and outdated even worse. The modifications could also interfere with security researchers' ability to audit websites, applications, enterprise and private networks, and even hardware.
The job of protecting the internet is a daunting one. It requires many hard-working people to invest long hours poring over code, web pages, programs, and even hardware to find exploits before criminals do. It is not an easy task, and it is a skill set that few possess. Penetration testers are a critical part of the protection chain, and these new laws may weaken that critical link. Under the proposed changes, these people could end up facing criminal charges even when the companies they research for have authorized them to conduct ethical testing. Many researchers say that if this proposed law were somehow to pass, they would be forced to scale back their efforts or halt them altogether. You can bet that the criminal element, most of whom are not even in the United States (and are therefore out of reach of U.S. law enforcement), would not stop their activities. So in truth, this law could harm the good guys while the criminal element continues to go about business as usual. And their business is booming.
How could this happen? The proposed changes would define unauthorized access very broadly, which may not leave room for researchers to conduct proper investigations into applications or devices to discover exploits. For example, researchers need to be able to test the security of an Android application by violating its Terms of Service (TOS), attempting to access parts of the application that are normally unavailable to a user, so that they can understand how pervasive an exploit is. They use this information to determine how much of an immediate threat the exploit poses, not only to the application itself but to its users and account holders. You can bet criminals do not mind violating the TOS. Under current law, this good-faith act by the researcher may not even be considered criminal but rather civil. The proposed law would change that: even a TOS violation could be treated as a criminal act, and instead of a misdemeanor it would be classified as a felony. This is just one possible scenario out of many, but it shows how the proposal could spell trouble for those who sincerely act in good faith to protect user and application data.
But not all of us are researchers, and we do not routinely try to break an application to find out how to exploit it, whether for legitimate or criminal ends. We are normal, everyday, law-abiding folk. We love to play jokes on our friends. A good prank is to run over to your friend's computer while your friend is in another room, open their social media, and make a funny post. Laughs are always had until you go to jail. That's right: because these proposed modifications define unauthorized access so broadly, you may have just committed a felony. Enjoy your possible three years in jail. Now, it is highly unlikely that you would be sent to jail for such a crime, and even if you were, your punishment and its severity would be open to debate. That is not the only problem; the government would be allowed to seize all of your computers, cellphones, and any other device you used to pull off your harmless prank. And while all of this may seem draconian, it goes to show how dangerous broadly defined laws and terms can be.
The proposed change would also allow these activities and similar incidents to fall under racketeering charges. If you were to follow a publicly posted link to information that was obtained through unauthorized access, you could be held just as criminally accountable as the person who liberated the information in the first place. If you associate with persons who commit such felonious acts, you could also be in trouble. This would include places such as forums or chat rooms where hacking, or methods of online hacking, is discussed. This is another facet that scares researchers. Bouncing ideas around and sharing information about methods, exploits, and different attack vectors is essential for penetration testers. Cutting off a researcher's ability to share information openly with colleagues would only hinder security: the criminal element would have no issue violating the law to share information, while researchers would back off so as not to violate it. No ethical security expert wants to be charged with racketeering or any other violation of the law.
These proposed changes to the law by President Barack Obama are just that: proposals. The modification still has a long way to go and many battles to fight before it becomes law. It is clear that the tech sector was given little say when these changes were drafted. Hopefully, as the proposal progresses, technology insiders will be able to weigh in more fully, make positive changes and compromises that benefit everyone involved, and help make the internet safer and more productive while spurring innovation without the fear of prosecution.