Congress Criminal Justice & the Rule of Law Cybersecurity & Tech

House Judiciary CFAA Bill

Paul Rosenzweig
Tuesday, March 26, 2013, 2:19 PM
The House Judiciary Committee has released a draft cyber bill that would modify the Computer Fraud and Abuse Act.  The bill is on a fast track as the House hopes to have a week of "cyber" legislation in the middle of April to include an R&D bill, FISMA reform and CISPA, in addition to this bill. My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return.  Most notably the

Published by The Lawfare Institute
in Cooperation With
Brookings

The House Judiciary Committee has released a draft cyber bill that would modify the Computer Fraud and Abuse Act.  The bill is on a fast track as the House hopes to have a week of "cyber" legislation in the middle of April to include an R&D bill, FISMA reform and CISPA, in addition to this bill. My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return.  Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge -- what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and .. .since the criminal definitions translate directly to civil liability .. a very significant possibility of a "bet the company" civil suit.  Not a move designed to foster innovation, I think. The only modest change that might be viewed as a victory for online activists is the setting of a $5000 valuation floor for criminal charges based upon actions that "exceed authorziation."  I have written about this before and explained why a carve-out that decriminalizes violations of terms of service is a much better option.  But at least the valuation floor would exclude minor ToS charges (like lying about your weight on a dating site) from prosecution, so it's a marginal step in the right direction. [UPDATE:  As my friends at CDT point out, I may have been too quick in reading the draft to laud the $5000 valuation floor as an improvement.  It turns out that the valuation test is only one of several ways in which a ToS violation may result -- and at least one of the other ways would almost certainly be an expansion of the CFAA rather than a contraction.  As Orin Kerr notes, since one clause makes it a crime to violate a ToS to secure non-public information, it would now be a crime to lie about your age on a dating site if you wanted her phone number.  Letting the private sector define a federal crime by defining the ToS is just bad practice -- and this bill doesn't look like it is making it better.] There is more of course -- we will, for example, get a new protected category of "critical infrastructure computers" that include those vital to public health and safety or national security and controlling:
(A) gas and oil production, storage, and delivery systems;
‘‘(B) water supply systems;
‘‘(C) telecommunication networks;
‘‘(D) electrical power delivery systems;
‘‘(E) finance and banking systems;
‘‘(F) emergency services;
‘‘(G) transportation systems and services; and
‘‘(H) government operations that provide essential services to the public
That isn't everything in America ... but it sure is an awful lot.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.

Subscribe to Lawfare