The recent security breach suffered by retail giant Target has led a United States senator to again propose legislation meant to protect personal data. If approved, however, it could also give the courts broad new powers over alleged computer criminals.
Sen. Patrick Leahy (D-Vermont) announced on Wednesday that for the fifth time in nine years he’s offering the Senate a proposal intended to curb cybercrimes like the one last month that affected an estimated 40 million customers during the heart of the holiday shopping season.
That breach, Leahy wrote in a press release this week, “is a reminder that developing a comprehensive national strategy to protect data privacy and cybersecurity remains one of the most challenging and important issues facing our nation.”
“The Personal Data Privacy and Security Act will help to meet this challenge,” he wrote, “by better protecting Americans from the growing threats of data breaches and identity theft.”
Under Leahy’s proposal, companies with databases containing sensitive customer information would be required to establish and implement data privacy and security programs, adopt a “nationwide standard” when it comes to notifying Americans of these types of breaches and institute tough new penalties for people proven to have “intentionally and willfully” concealed evidence of a breach that brought on significant economic damage.
“This is a comprehensive bill that not only addresses the need to provide Americans with notice when they have been victims of a data breach, but that also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place,” the 73-year-old senator said in his statement.
But while Leahy specifically references the cybercrime waged against Target in parading his proposal, the bill as currently written also calls for significant changes to the country’s 1986 hacking law — the likes of which could have colossal consequences for the average computer user if codified in this incarnation.
“The bill also includes the Obama administration’s proposal to update the Computer Fraud and Abuse Act,” Leahy adds in Wednesday’s statement, “so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties, as the underlying offenses.”
Indeed, the senator’s bill includes language identical to that released by the White House in May 2011 when the administration of President Barack Obama proposed changes of their own to the CFAA. In the official section-by-section summary released by the executive branch in tandem with that proposal, the White House said they favored a particular augmentation to the law that “Clarifies that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses.”
“Whoever conspires to commit or attempts to commit an offense under [the CFAA] shall be punished as provided for the completed offense,” the White House wrote then.
“Although the penalty subsection makes explicit reference to violations of the CFAA and attempts to commit them, it does not mention conspiracy specifically,” the Congressional Research Service said when they weighed in on the White House’s proposal that July. “The proposal clarifies any ambiguity by stating that ‘Whoever conspires to commit ... an offense ... shall be punished as provided for the completed offense.’”
Leahy’s latest proposal also calls for that same identical language, and would ensure that convicted computer hackers who are unsuccessful in their actions are punished as severely as more accomplished ones regardless. Additionally, Leahy’s office has also proposed changes to the computer law that would increase the maximum sentence for a first-time offender from 10 years to 20, opening the door for even lengthier prison stints at a time when many activists are decrying the penalties already attached to the CFAA. And given the Justice Department’s broad interpretation of the CFAA in recent years, these changes if adopted could allow federal prosecutors to put away any number of people accused of merely tinkering with IT systems or engaging in their own personal research, all depending on the court’s particular interpretation of a relatively young and still hotly contested cyberlaw.
For downloading scholarly articles in bulk from an online academic journal repository, computer prodigy Aaron Swartz was threatened with 35 years of imprisonment due to the current administration’s interpretation of the CFAA. At his funeral last year, father Robert Swartz blamed the federal government for his son’s suicide.
Just last month, American security researcher Jacob Appelbaum accused the US National Security Agency of illegally operating programs that slurp massive amounts of private data off of the internet under the guise of counterterrorism. But should non-government officials attempt to code those programs, he said, a court of law would likely insist on a lifetime of imprisonment.
“It’s so draconian for regular people,” he said of the CFAA, “and the NSA gets to do something like intercepting 7 billion people all day long with no problems. And the rest of us are not even allowed to experiment with improving the security of our own lives without being put in prison or under threat of serious indictment.”
Last March, the House of Representatives Judiciary Committee released a draft proposal that would have changed the CFAA, but again included updates that’d make attempted hacking as dangerous as actually infiltrating another’s network.
“That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something (‘conspires to commit’) that violates the CFAA shall now be punished the same as if they had ‘completed’ the offense,” TechDirt journalist Mike Masnick wrote after the Judiciary Committee released their proposal. “And, considering just how broad the CFAA is, think about how ridiculous that might become. Now if you talk with others about the possibility of violating a terms of service -- say, talking to your 12 year old child about helping them sign up for Facebook even though the site requires you to be 13 -- you may have already committed a felony that can get you years in jail. That seems fair, right?”
Those changes might already again be brought up for consideration before Congress as a result of Sen. Leahy’s new proposal, but this time he isn’t selling computer reform or kissing up to the White House: he’s using a recent cyberattack that directly impacted 40 million Americans to rally support for a bill that would ruin years’ worth of attempts at CFAA reform waged by digital activists.