WASHINGTON -- In advance of Tuesday's State of the Union address, President Barack Obama proposed overhauling a federal law used to prosecute hackers. His suggested revision has come under fire from fellow Democrats and tech experts, who said that it would make a bad law worse, discourage cybersecurity researchers from doing their jobs, and expand penalties even for hacktivists like the late Aaron Swartz, who killed himself while under federal indictment.
The president's measure, which arrived last week after a high-profile cyberattack against Sony Pictures Entertainment, aims to reform the Computer Fraud and Abuse Act by beefing up penalties for hacking offenses and broadening the definition of hacking.
"There are problems with the CFAA as it is. ... What the president's proposal would do would be to actually broaden the act," said Rep. Zoe Lofgren (D-Calif.). "It's the wrong thing to do."
"I have deep concerns about adding any powers or penalties to the CFAA given how poorly this law is applied," said Sen. Ron Wyden (D-Ore.).
Right now, certain hacking crimes start as misdemeanor offenses. Under the new proposal, they would be felonies meriting a minimum three-year sentence. The wording of Obama's proposal also might allow hacking crimes to be "double counted" under overlapping federal and state laws, George Washington University law professor Orin Kerr wrote in The Washington Post.
Federal prosecutors used the CFAA to go after Swartz after he allegedly broke into computer networks at MIT and downloaded an enormous number of academic documents in order to make them more widely available. He was indicted on multiple felony charges. After his death in 2013, The New Yorker called the CFAA "the worst law in technology." A bill dubbed Aaron's Law was introduced by Lofgren and Wyden that year to reform the CFAA, but it went nowhere.
Lofgren described the president's new proposal as the opposite of Aaron's Law. Wyden said, "I co-wrote Aaron’s Law to rein in this law and ensure that the CFAA doesn’t apply, for example, to a mere violation of a website’s terms of service, like lying about your age on Facebook."
Civil liberties advocates and tech experts also point out that it's not just malicious hackers who could be implicated under the revised law. Gabriel Rottman, legislative counsel at the American Civil Liberties Union, said that under Obama's proposal, correctly guessing a password to gain access to a computer would be a felony, whatever the hacker's intent, "which is a problem both as a matter of free expression and privacy, and in terms of creating new and draconian federal crimes."
Marc Rogers, head of security at the hacker conference DefCon, told HuffPost that the information security community is "very concerned" about the proposal and that it was the hot topic at Shmoocon, another hacker convention recently held in Washington.
"This law would essentially make everything I do a criminal offense," Rogers said.
"It will take a broken law and make it even more broken," he added, noting that "it's not going to stop the criminals" but it will "stop a lot of white hats and ethical hackers because they don't want to break the law."
Kyle Wilhoit, senior threat researcher for the Japanese cybersecurity firm Trend Micro, said that while he could not speak on behalf of the company, he believed the president's proposal "could definitely modify the way in which we conduct research." He said that the revision would cut down on the hacking attributions he is able to investigate and could decrease the number of victim notifications he makes.
"The broad terminology in the proposal shows a lack of understanding in my opinion," Wilhoit said.
The revised CFAA would turn hacking into a racketeering offense, which means it could sweep in those who were simply "giving advice to people," Wired wrote. It would also allow the government to seize individuals' assets before conviction. Lofgren said that it was "bizarre" that the proposal would expand civil forfeiture even as the attorney general is moving in the opposite direction in the nondigital world.
"There’s also the concern that the breadth of the proposal could result in politically motivated prosecutions," Rottman said. "Imagine what the Nixon administration could have accomplished in a digital world with a law that allows you to prosecute dissenting hacktivists with a severe federal felony," he added.