Arguing against an amendment designed to narrow the scope of America’s cyber security laws that was recently accepted by the Senate, the Justice Department’s deputy chief of computer crime on Tuesday told lawmakers that his agency should be given the power to prosecute Web users who violate online “terms of service” or “terms of use” agreements.
In a hearing before the House Judiciary Committee’s subcommittee on crime, terrorism and homeland security, Richard Downing, the Justice Department’s deputy chief of computer crime, testified in part that “customers who intentionally exceed those [terms of service] limitations and obtain access to the business’s proprietary information and the information of other customers” should be eligible for prosecution under U.S. cyber law, according to his prepared statement.
Specifically, Downing and the Justice Department have called upon the House not to approve an amendment already accepted by the Senate Judiciary Committee in September that limits the scope of what’s considered “exceeding authorized access” of a computer under the Computer Fraud and Abuse Act (CFAA).
In fact, quite the opposite: Downing and the Justice Department want to expand the law’s scope and impose harsher sentences on cybercriminals.
As CNET reported, the Justice Department is after an expansion of its powers under CFAA because of what happened when the agency attempted to prosecute Lori Drew, a Missouri mother who created a phony MySpace account to harass her 13-year-old neighbor, who later committed suicide. Drew was in 2008 convicted under CFAA of felony conspiracy and three counts of intentionally accessing a protected computer without authorization.
But the conviction was later overturned in 2009 when a U.S. District Court judge ruled that the prior conviction “criminalizes what would be a breach of contract,” e.g. a civil offense.
As such, Downing attempted to argue that under President Obama, the Justice Department has consistently argued that such “exceeding authorized access” incidents should be criminal offenses.
In his testimony, Downing acknowledged that “some,” (i.e. the district court judge in Drew’s case and various advocacy groups, including the American Civil Liberties Union and the Electronic Frontier Foundation) have said that “terms of service” violations shouldn’t fall under this definition because then many Web users would be potentially subject to criminal prosecution.
In fact, that’s exactly the point argued by another one of the committee’s witnesses.
Orin S. Kerr, the lawyer behind the successful motion to dismiss Drew’s case, testified in favor of restricting CFAA to prevent “terms of service” violations from being, in their own right, criminal.
“Terms of Use can be arbitrary and even nonsensical,” Kerr, a law professor at George Washington University, said. “Anyone can set up a website and announce whatever Terms of Use they like. Perhaps the Terms of Use will declare that only registered Democrats can visit the website; or only people who have been to Alaska; or only people named “Frank.” Under the Justice Department’s interpretation of the statute, all of these Terms of Use can be criminally enforced…I do not see any serious argument why such conduct should be criminal.”
Downing’s testimony countered: “We appreciate this view, but we are concerned that that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution.”
Another expert witness, Harvard law professor James Baker, argued similarly: “Notwithstanding one frequently cited example (the prosecution of Lori Drew), I do not believe that the case has been made that federal prosecutors have misused the CFAA.”
And Michael Chertoff, the former Secretary of the Homeland Security Department, also weighed in on the side of the Justice Department, saying: “It would not be a triumph of civil liberties to keep the U.S. government from protecting computers so the Chinese government could get on our computers,” FierceGovernmentIT reported.
To support the Justice Department’s view, Downing pointed to three cases that would have “been impaired” if “language restricting the use of terms of service had been enacted into law,” including the prosecution of a police officer who stole data from the he National Crime Information Center database and leaked it to a defense attorney, en employee of Blue Cross Blue Shield of Florida who obtained data on his colleagues, and a case wherein ” seven employees of Vangent Corporation accessed the student loan records of a number of celebrities and well-known political and sports figures, include then-candidate Barack Obama.”
In addition, Downing said that the Justice Department supports “enhanc[ing] penalties” for violators of CFAA.
“For example, the current maximum punishment for a violation of section 1030(a)(4) (computer hacking in furtherance of a crime of fraud) is five years, but the most analogous ‘traditional” statutes,’ 18 U.S.C. §§ 1341 and 1343 (mail and wire fraud), both impose maximum penalties of twenty years,” Downing’s testimony reads.
The House is reportedly mulling introducing legislation to update CFFA, but has yet to do so. Stay tuned.
