Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Senators push for changes in cybercrime law

The U.S. law allows criminal prosecutions for violations of terms of service or computer use policies, critics say

The main U.S. law targeting cybercrime may need to be changed because it has allowed law enforcement agencies to target people who simply violate websites' terms of service or their employers' computer use policies, two senators said Wednesday.

In May, President Barack Obama called for changes to the Computer Fraud and Abuse Act (CFAA), with his focus mostly on increasing the criminal penalties for computer crimes. On Wednesday, however, Democratic Senators Patrick Leahy of Vermont and Al Franken of Minnesota asked Obama administration officials to look at tightening up the law's definition of illegal access to computers.

The U.S. Department of Justice should use discretion when applying the law, Leahy said during a Senate Judiciary Committee hearing on CFAA. "We want you to concentrate on the real cybercrimes, and not the minor things," he told James Baker, the DOJ's associate deputy attorney general.

Under CFAA, employees could be charged with a crime if they access personal email or check the weather online in violation of their companies' computer use policies, Franken said. In two cases, judges have ruled against the DOJ in prosecutions involving terms-of-service or computer-use-policy violations, and it may be time to change the law, Franken said.

"People don't read those policies, and if they do, they can be long and complex and full of fine print," he said.

The Obama administration's proposed changes to the CFAA don't address concerns from several groups about criminal charges for terms-of-service or computer-use-policy violations. The law imposes civil and criminal penalties for people who access protected computers without or in excess of authorization, but does not define authorization.

The DOJ will work with senators about their concerns, but it has brought computer crime charges in "a responsible way," Baker told senators.

However, changes in CFAA's language may open up U.S. companies or government agencies to more insider threats, he added. "The challenge is to address those concerns and, at the same time, not to create a significant loophole" that would allow workers at federal agencies or private companies to steal the personal information of customers, he said.

"This insider case, where somebody violates the rules of their employer in misusing a computer, is a very challenging thing to address," he said.

Critics have pointed to several cases where U.S. residents were charged with crimes for violating terms of service or computer use policies.

In July, the DOJ charged Internet activist Aaron Swartz with wire fraud, computer fraud, unlawfully obtaining information from a protected computer and recklessly damaging a protected computer. Swartz allegedly broke into a computer closet at the Massachusetts Institute of Technology, signed into MIT's broadband network as a guest and downloaded 4.8 million documents provided to MIT by Journal Storage (JSTOR), a nonprofit archive of scientific journals and academic work.

Swartz, a fellow at nearby Harvard University, had access to JSTOR documents through Harvard, and critics have suggested he faces 35 years in prison for violating the MIT and JSTOR terms of service.

In 2008, Missouri woman Lori Drew was indicted on CFAA charges in a California court for using a fake identity in violation of MySpace.com's terms of service. Drew was accused of bullying a 13-year-old girl on MySpace but was acquitted.

On Tuesday, a coalition of groups and Internet activists called on Congress to narrow the language in CFAA before considering additional penalties. Violations of terms of service or computer use policies are not computer crimes, said the groups, including the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation and Americans for Tax Reform.

"Our primary concern -- that this will lead to overbroad application of the law -- is far from hypothetical," the group said in a letter to the Judiciary Committee. "Three federal circuit courts have agreed that an employee who exceeds an employer's network acceptable use policies can be prosecuted under the CFAA. At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of terms of service."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Department of Justice, DOJ, Electronic Frontier Foundation, etwork, FAA, Harvard University, IDG, Massachusetts Institute of Technology, MIT, MySpace.com, Technology
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Aaron Swartz, Al Franken, American Civil Liberties Union, Americans for Tax Reform, Barack Obama, Center for Democracy and Technology, cybercrime, Electronic Frontier Foundation, government, harvard university, James Baker, legal, legislation, Lori Drew, Massachusetts Institute of Technology, MySpace.com, Patrick Leahy, Regulation, security, U.S. Department of Justice, U.S. Senate Judiciary Committee
Latest Blog Posts
Whitepapers
  • Case Study: Svenska Kraftnät safeguards web and ensures communication security with Clearswift
    Energy producers from surrounding countries load power onto the Swedish National Grid’s network, with energy suppliers then paying the Swedish National Grid to load onto their grids for them to sell-on to customers. Using Clearswift’s Email Appliance, and MIMEsweeper for SMTP means that the organisation has safe and resilient email helping them to meet their goal of providing a safe, robust, cost-effective and environmentally sound energy transmission system.
    Learn more »
  • Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives
    Service-oriented architecture (SOA) has moved beyond hype to widespread acceptance as an IT strategy for delivering business value. SOA promotes the notion of modularity, providing overwhelming flexibility and superior economics for addressing business demands. However, undertaking the transformation to SOA is not without its challenges. If left unchecked, your inventory of SOA assets will become unmanageable; the reuse of services will diminish in favor of custom development; or even worse, modifications will be made to your existing services that break other business processes. The purpose of SOA governance is to help you ensure that this does not happen. This paper outlines the most compelling reasons for you to establish SOA governance within your organization.
    Learn more »
  • Business Intelligence Best Practices for Dashboard Design
    Even if a dashboard’s appearance looks professional and is aesthetically pleasing, appearances can be deceiving. Although visual design is important, it is also important to ask yourself: Is the data reliable? Is it timely? Is any data missing? Is it consistent across all dashboards?. This paper offers an overview of best practice business intelligence (BI) dashboard design principles and discusses data integration options for getting data into a dashboard.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments