Could Lying on Facebook, Checking Out NSFW Stuff Land You in Jail?

Written by Josh Wolford

The internet community was rocked this week as one of the most important, coveted items in my lifetime finally hit the web. I’m talking, of course, about the Scarlett Johansson nudie pics.

How many people, do you think, while dutifully pecking away at their office keyboards, came across the news in passing? I’m sure millions cautiously looked over their shoulders, checking to see if the coast was clear, before quickly tabbing the grainy shots for future, undisturbed viewing.

What if that action could get you into trouble? No, not getting fired. I mean actual trouble – felony trouble?

How far should cybersecurity legislation go to protect both the private and public sectors? Let us know in the comments.

That’s what many are worrying about this week as the Senate Judiciary Committee debates changes to a 25-year-old bill that deals with cyber-crime.

How do some think we get from cyber-crime legislation to being thrown in jail for sneaking a look at Scarlett Johansson’s tush? First, a little background:

In 1986, the U.S. Congress passed a law, 18 U.S.C. chapter 1030, commonly known as the Computer Fraud and Abuse Act. The law was originally intended to help crack down on computer hacking and help the federal government with cases involving federal computer fraud – especially when it dealt with interstate commerce.

The law has been broadened in its scope multiple times since its passing, most notably in the early 2000s as part of the Patriot Act.

According to the law as it stands right now, here are some punishable offenses –

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains (financial record information, info from any dept of the U.S. government, or info from any “protected computer”)

(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

(5)
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

(7) intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any – (threat to cause damage or obtain information, or demand for money or other thing of value)

I apologize for the stuffiness, as that was directly from the statute. But there you have it – those are the main offenses as outlined by the Computer Fraud and Abuse Act. And the Justice Department is currently pushing to strengthen the law by broadening the scope a little more.

These changes would also institute stiffer penalties for the “cyber-crimes.”

Stiffer penalties

Right now, the Senate Judiciary Committee is debating a measure called S. 1151 that has been held over for the past two days. According to the summary –

A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

Among other things, this bill would “amend the federal criminal code to make fraud in connection with the unauthorized access of personally identifiable information a predicate for racketeering charges.” Well, there’s your stiffening of penalties.

I’m sure all this talk about security breaches and fraud makes you think about hackers and criminals attempting to access government and financial mainframes – and you would be right. What the Obama administration and the Justice Department want is to protect against electronic crimes that could have a detrimental effect on national security, infrastructure, or business. It’s widely accepted that cyber-threats are at an all-time high.

“Secret Service investigations have shown that complex and sophisticated electronic crimes are rarely perpetrated by a lone individual,” Pablo Martinez, Secret Service Special Agent in Charge, told The Hill.

“Online criminals organize in networks, often with defined roles for participants, in order to manage and perpetuate ongoing criminal enterprises dedicated to stealing commercial data and selling it for profit.”

I guess that would explain the emphasis on “racketeering” in the stricter penalties.

But that’s not what is getting people worried. The concern comes from perceived “side-effects” – abuses and misuses of the law.

“Exceeding Authorized Access” and the Scarlett Johansson thing

If you notice in the language of the Computer Fraud and Abuse Act, the phrase “exceeds authorized access” pops up a few times. That phrase really worries George Washington University Law professor Orin Kerr.

You see, the penalties for the crimes outlined in the Abuse Act that “exceed authorized access” are currently misdemeanors. This new push would make them felonies.

And that’s scary, considering the phrase in question really is as cryptic as it sounds. Judges have been trying to determine exactly what “exceeds authorized access” means for years. Kerr wrote about this in the Wall Street Journal yesterday –

The problem is that a lot of routine computer use can exceed “authorized access.” Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include “terms of use” violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like.

That’s where the Scarlett Johansson pics come into play. If the law is broadened, “exceeding authorized use” could mean violating terms of use at work. So sneaking a look at some NSFW material or posting to Facebook at the wrong time could get you into more trouble than just being fired.

And what about any false claim that you make on the internet? Does that also “exceed authorized use” and break the “terms of service” of certain sites? Say I set up a dummy Facebook account, or use a stock photo for my eDating profile? Am I then committing a criminal act by misrepresenting myself online?

Sure, jail time for lying about my weight online seems ridiculous – and it is, but the language of the law is concerning. Although federal prosecution for Facebooking at work is unlikely, it’s not out of the realm of possibility that prosecutors could stretch this law to its limits. It’s plausible that we could see some rather ridiculous cases in the future.

Chairman of the Senate Judiciary Committee Patrick Leahy (D-VT) also expressed his concerns about the proposed alterations to the law, saying “We want you [Justice Department] to concentrate on the real cyber-crimes, and not the minor things.”

Kerr closes with the suggestion, one that echoes Leahy –

Real threats to cybersecurity must be prosecuted. Penalties should be stiff. But Congress must narrow the Computer Fraud and Abuse Act before enhancing its penalties.

In a nutshell: The law must clear a few things up before you go and give it real teeth.

The Computer Fraud and Abuse Act in action – The MySpace case

Back in 2008, a case that drew national attention hinged on the Computer Fraud and Abuse Act.

In United States v. Lori Drew, prosecutors attempted to prosecute Lori Drew for violations of that law, but she was ultimately acquitted. The case dealt with a fake MySpace account and how it led a 13-year-old girl to suicide.

Drew, 49, heard that 13-year-old Megan Meier was spreading rumors about her daughter. The two girls had previously been friends, but that relationship had dissolved. After learning of this supposed rumor-spreading, Drew created a MySpace account under the name “Josh Evans.”

Under that identity, she carried out a relationship with Meier online – one that was described as “flirtatious.” After about a month of contact, “Josh Evans” told Meier that the world would be a better place without her. Meier subsequently hanged herself.

The Judge in the case granted Drew’s motion for acquittal after the jury deadlocked and was only able to convict her of a misdemeanor violation of the Computer Fraud and Abuse Act. Here’s what he said regarding that –

In his opinion, Judge Wu examined the jury’s misdemeanor conviction by discussing each element of the offense. Judge Wu clarified that a misdemeanor conviction under 18 USC § 1030(a)(2)(C) requires that (1) the defendant intentionally accessed without authorization or exceeded authorized access of a computer, (2) the access of the computer involved an interstate or foreign communication; and (3) by engaging in this conduct, the defendant obtained information from a computer used in interstate or foreign commerce or communication.

Judge Wu found that many courts have held that any computer that provides a web-based application accessible through the internet would satisfy the interstate communication requirement of the second element. In addition, the Judge noted that the third element is met whenever a person using a computer contacts an internet website and reads any part of that website.

The remaining conflict centered on the first element. Specifically, the conflict revolved around the meaning of the undefined term of “unauthorized access.” Judge Wu acknowledged that the government conceded that its only basis for claiming that Drew had intentionally accessed MySpace’s computers without authorization was the creation of the false “Josh Evans” alias in violation of the MySpace Terms of Service. Therefore, Wu reasoned, if a conscious violation of the Terms of Service was not sufficient to satisfy the first element, Drew’s motion for acquittal would have to be granted for that reason alone. However, Judge Wu held that an intentional breach of the MySpace Terms of Service could possibly fit the definition of an unauthorized or exceeding authorization access to MySpace computers.

As you can see, the CFAA is quite the sticky law to navigate when it comes to real-world application. Although he ruled in Drew’s favor, that last part about violating MySpace’s terms and conditions possibly being grounds for “exceeding authorized access” is the part that would have many people worried.

Online attacks and fraud committed via the internet are serious issues. It just seems like there is a debate about how to go about the process of making the laws that deal with them.

What do you think about the current law and the attempts to broaden its scope? Necessary or dangerous? And do you think that the draconian scenarios envisioned by those like Kerr are comically preposterous – or do you think that we could actually see criminal prosecution for Facebook fibbing and workplace indiscretions? Let us know in the comments.
