So there's good news, and there's bad news. The good news is that Obama mentioned a sprawling set of cybersecurity initiatives at the State of the Union tonight. The bad news is that they suck.
Improving the country's cybersecurity is important. However, the president's new proposals could act to erode Americans' civil liberties and further muddle our already-vague hacking laws. Plus, you might find yourself unwittingly violating a hacking law if you so much as click on the wrong link. Retweeting unauthorized information could get you into similarly hot water. It's a blunt tool where .
Everything is a "hack"
Obama's cybersecurity proposals are slightly sprawling, but the changes to the Computer Fraud and Abuse Act (CFAA) are particularly alarming. Security entrepreneur Rob Graham summed it up well in an ironic tweet last week:
Would you click that link? If you did, there's a chance that you'd be violating the CFAA. The law already is notoriously vague in its definition of hacking offenses and draconian punishments. However, Obama's proposals manage to make it both more broad and more punitive.
Let's look again at the above tweet. Obama's idea for a revised CFAA calls for expanding the definition of the phrase "exceeds authorized access" of a computer. Exceeding access imply means accessing information "for a purpose that the accesser knows is not authorized by the computer owner." In other words, Obama wants to expand the meaning of hacking to the point that almost anything could fall under its definition.
He also wants to make it a type of racketeering. Graham explains:
Obama proposes upgrading hacking to a "racketeering" offense, means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). … If you innocently clicked on the link above, and think you can defend yourself in court, prosecutors can still use the 20-year sentence of a racketeering charge in order to force you to plea bargain down to a 1-year sentence for hacking.
That sounds astounding until you realize how Aaron Swartz faced decades in prison for accessing scholarly articles on MIT's network. This is after the university and the database declined to press charges. Under Obama's proposals, doing less could lead to more prison time.
What we don't know is how strictly these crimes will be enforced; it's unlikely that the U.S. will spend the time and energy to track down and prosecute hundreds of tweeters. But that doesn't make the letter of the proposed law any more agreeable.
The above example is also just the beginning. The remainder of Obama's plan to improve cybersecurity pushes forward some of the more aggressive sides of hacking laws. In The Washington Post, Orin Kerr reflects upon the case of Andrew "weev" Auernheimer and the so-called double-counting issue. This is when the government charges a hacker twice when the unauthorized access occurs "in furtherance of" a different crime.
This happened in the Auernheimer case. Weev accessed a database of customer information that AT&T failed to protect. According to the prosecutors that meant committing a federal misdemeanor "in furtherance of" violating a similar New Jersey law. Weev was ultimately convicted, though that was overturned due to the double-counting issue. Under Obama's proposals, the case would have stood.
But it all comes back to that phrase "exceeding authorized access," the definition of hacking. Kerr writes:
The expansion of "exceeding authorized access" would seem to allow lots of prosecutions under a "you knew the computer owner wouldn't like that" theory. And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct.
It's never a good idea to have subjective laws—or at least laws that enable more subjective interpretations, especially when they hinge on what can be highly technical issues.
This situation creates a really tough environment for security researchers who are actually trying to improve cybersecurity. The CFAA already makes it hard for them to identify and, well, research vulnerabilities. Do we really want to make it tougher?
Expect a backlash
Obama's new cybersecurity proposals don't just seek to deter hackers with broad definitions and harsh punishments. The body of legislation also aims to enable the government to access private consumer data more easily. Think of it as forensic research. If the Feds can get a better understanding of past hacks, they'll be able to trump future hacks. Or at least that's the logic being pushed.
Privacy advocates don't like this one bit. Sharing a shitload of consumer data with government agencies wouldn't necessarily stop future attacks. But does the average American really want the government digging into their Facebook data? Or their Playstation Network data?
Obama does want to improve consumer rights online. He's even pushing for stricter data privacy laws. Part of this initiative calls for anonymous consumer data before it's shared with the government, but more sharing still feels like less privacy. This is almost exactly what CISPA wants to do. CISPA is that god awful cybersecurity bill that's suddenly back in play but the president's already threatened to veto. We already know that a law like CISPA probably would not have stopped the Sony hack. So what's the point of pursing a similar direction, especially when civil liberties advocates think it's a bad idea? That seems like the opposite of consumer rights.
Several aspects of Obama's legislation have already been proposed and shot down, which hopefully means they will be again.
"The Obama Administration is on a roll with proposing legislation that endangers our privacy and security," the Electronic Frontier Foundation's Mark Jaycox and Lee Tien wrote in a blog post. They warned that Obama's cybersecurity bill "looks awfully similar to the now infamous CISPA" and conclude: "All three of [Obama's] bills are recycled ideas that have failed in Congress since their introduction in 2011. They should stay on the shelf."
Let's just call them bad ideas. It's a bad idea to assume that everyone is a hacker. It's a bad idea to come down too hard on harmless offenses. It's a bad idea to weaken Americans' sense of privacy.
Obama has a lot of good ideas about the internet. That community-based internet project that will one day loosen Comcast's stranglehold on the internet—that's a good idea! The president's advice to the FCC on how to secure net neutrality—that's a good idea, too! These cybersecurity proposals? They're all not so good.
Image via AP