So there's good news, and there's bad news. The good news is that Obama mentioned a sprawling set of cybersecurity initiatives at the State of the Union tonight. The bad news is that they suck.
Don't get me wrong: improving the country's cybersecurity is important. However, the president's new proposals stand to stomp all over Americans' civil liberties and further muddle our already vague hacking laws. What does that mean for you? It means you might find yourself unwittingly violating a hacking law if you so much as click on a link. Even retweeting a link could get you into hot water. This doesn't bode well for privacy or free speech.
In the future, everybody is a hacker
Obama's cybersecurity proposals are slightly sprawling, but the changes to the Computer Fraud and Abuse Act (CFAA) are particularly alarming. Security entrepreneur Rob Graham summed it up well in an ironic tweet last week:
Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://t.co/1dLdUXG2tT
— Rob Graham (@ErrataRob) January 14, 2015
Would you click that link? If you did, there's a chance that you'd be violating the CFAA. The law already is notoriously awful for its vague definition of hacking offenses and draconian punishments. However, Obama's proposals manage to make it both more broad and more draconian.
Let's look at the above tweet. Obama's idea for a revised CFAA calls for expanding the definition of the phrase "exceeds authorised access" of a computer. Exceeding access imply means accessing information "for a purpose that the accesser knows is not authorised by the computer owner." In other words, Obama wants to amend the meaning of hacking. He'd even wants to make it a type of racketeering. Graham explains:
Obama proposes upgrading hacking to a "racketeering" offence, means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). … If you innocently clicked on the link above, and think you can defend yourself in court, prosecutors can still use the 20-year sentence of a racketeering charge in order to force you to plea bargain down to a 1-year sentence for hacking.
Dang. So clicking a link could mean 20 years in prison? That sounds astounding until you realise how Aaron Swartz faced decades in prison for accessing scholarly articles on MIT's network. This is after the university and the database declined to press charges. Under Obama's proposals, doing less could lead to more prison time.
The new laws are tough
The above example is just the beginning. The remainder of Obama's plan to improve cybersecurity pushes forward some of the more aggressive sides of hacking laws. In The Washington Post, Orin Kerr reflects upon the case of Andrew "weev" Auernheimer and the so-called double-counting issue. This is when the government charges a hacker twice when the unauthorised access occurs "in furtherance of" a different crime.
This happened in the Auernheimer case. Weev simply accessed a database of customer information that AT&T failed to protect. According to the prosecutors that meant committing a federal misdemeanour "in furtherance of" violating a similar New Jersey law. Weev was ultimately convicted and then the conviction was overturned due to the double-counting issue. Obama's proposals, however, open up the opportunity for more cases like this.
But it all comes back to that phrase "exceeding authorised access," the definition of hacking. Kerr writes:
The expansion of "exceeding authorised access" would seem to allow lots of prosecutions under a "you knew the computer owner wouldn't like that" theory. And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct.
It's never a good idea to have subjective laws -- or at least laws that enable more subjective interpretations.
The Sony hack is one thing. Few people would argue that Sony would have liked hackers to come in, steal a bunch of internal documents packed with sensitive information, and then release it all to the public. But this situation creates a really tough situation for security researchers who are actually trying to improve cybersecurity. The CFAA already makes it tough for researchers to identify and, well, research vulnerabilities. Do we really want to make it tougher?
Then there's the privacy problem
Obama's new cybersecurity proposals don't just seek to deter hackers with broad definitions and harsh punishments. The body of legislation also aims to enable the government to access private consumer data more easily. Think of it as forensic research. If the Feds can get a better understanding of past hacks, they will be able to trump future hacks. Or at least that's what Obama thinks.
Privacy advocates don't like this one bit. Sharing a shitload of consumer data with government agencies wouldn't necessarily stop future attacks. But does the average American really want the government digging into their Facebook data? Or their Playstation Network data?
Obama does want to improve consumer rights online. He's even pushing for stricter data privacy laws. Part of this initiative calls for anonymous consumer data before it's shared with the government, but more sharing still feels like less privacy. This is almost exactly what CISPA wants to do. CISPA is that god awful cybersecurity bill that's suddenly back in play but the president's already threatened to veto. We already know that a law like CISPA probably would not have stopped the Sony hack. So what's the point of pursing a similar direction, especially when civil liberties advocates think it's a bad idea? That seems like the opposite of consumer rights.
Obama's had better ideas
We know that a lot of the ideas in Obama's cybersecurity proposals are bad, because we've already seen how they play out in the real world. Along those lines, several aspects of Obama's legislation have already been proposed and shot down.
"The Obama Administration is on a roll with proposing legislation that endangers our privacy and security," the Electronic Frontier Foundation's Mark Jaycox and Lee Tien wrote in a blog post. They warned that Obama's cybersecurity bill "looks awfully similar to the now infamous CISPA" and conclude: "All three of [Obama's] bills are recycled ideas that have failed in Congress since their introduction in 2011. They should stay on the shelf."
Let's just call them bad ideas. It's a bad idea to assume that everyone is a hacker. It's a bad idea to come down too hard on harmless offenses. It's a bad idea to weaken Americans' sense of privacy.
Obama has a lot of good ideas about the internet. That community-based internet project that will one day loosen Comcast's stranglehold on the internet -- that's a good idea! The president's advice to the FCC on how to secure net neutrality -- that's a good idea, too! These cybersecurity proposals? They're just full of bad ideas.
Image via AP