Effort to update computer fraud law draws warning from Justice

Department officials say changing the law to protect users who violate terms of service could hinder prosecution of insider hacking cases.

The Justice Department on Wednesday told lawmakers that inside attacks could go unpunished if they bow to the concerns of public interest groups and change anti-hacking laws to protect computer users who breach Web terms of service agreements.

The 1986 Computer Fraud and Abuse Act, which is expected to be updated as part of a larger cybersecurity overhaul, currently allows the government to convict people who have violated rules set by employers or service providers for surfing the Web.

In advance of a Senate Judiciary Committee hearing on revising the law, activists from across the ideological spectrum sent a letter to Committee Chairman Sen. Patrick Leahy, D-Vt., and Ranking Member Charles Grassley, R-Iowa, asking lawmakers to remove leeway in the phrase "exceeds authorized access" so that, for instance, employers cannot go after non-criminal personnel who unintentionally run afoul of access rules.

But Justice officials said restricting the wording could let computer crooks off the hook.

"Limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the department handles on a regular basis -- situations where a government employee is given access to sensitive information stored by the State Department, Internal Revenue Service or crime database systems subject to express access restrictions, and then violates those access restrictions to access the database for a prohibited purpose," testified James A. Baker, associate deputy attorney general.

He cautioned that several federal cases could have been lost without the provision. For example, the government was able to prosecute State Department staff who broke the agency's computer access rules by improperly accessing the passport records of then-Sen. Barack Obama, D-Ill., and Sen. John McCain, R-Ariz., during the 2008 presidential campaign.

Likewise, Justice won a conviction under the law against a police officer who obtained sensitive criminal history details from his office database and then leaked the information to a defense investigator in a drug trafficking case. The officer had violated policies that prohibit access to the National Crime Information Center database for non-official purposes.

But public interest groups point to hypothetical and real-world examples of prosecutors wielding the law against social network users.

"The law can be read to encompass not only the malicious hackers and identity thieves the law was intended to cover, but also users who have not engaged in any activity that can or should be considered a 'computer crime,'" wrote representatives from the American Civil Liberties Union, Americans for Tax Reform, the Competitive Enterprise Institute, the Electronic Frontier Foundation and the FreedomWorks Foundation, as well as lawyers and professors.

Whereas handing a photocopied document to a friend would not be a federal crime -- perhaps a contractual violation -- sharing the file online could be considered a crime under current law.

One frequently cited incident is that of a federal prosecutor who brought criminal charges against a MySpace user who signed up under an alias, a breach of the website's terms of service. In that case, a mother whose daughter had a falling out with a 13-year-old girl posed as a teenage boy on MySpace to befriend and then reject the teen. The young girl later committed suicide and the mother was charged with, among other things, violating the computer fraud law.

"If a person assumes a fictitious identity at a party, there is no federal crime," the letter stated. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law."

Addressing such concerns, in general, Baker told the committee that "we appreciate this view" but the government is worried that confining the law in the manner advocated "would make it difficult or impossible to deter and address serious insider threats through prosecution."