House lawmakers on Tuesday are slated to mull updating a 1986 anti-hacking law that even ideological opponents agree criminalizes innocent Web surfing. However, when a Senate panel discussed the Computer Fraud and Abuse Act in September, Justice Department officials argued that changing the penalties could let legitimate bad guys off the hook.
At issue is the government's power to convict people who have broken website terms of service agreements. In written testimony released on Monday, Orin S. Kerr, a George Washington University Law School professor, argues that the current law threatens the civil liberties of millions of Americans, like those who fudge information on Facebook and online dating services.
Critics like Kerr want lawmakers to spell out what the law means by "exceeds authorized access" so that employers do not have wiggle room to punish personnel who accidentally breach terms of service agreements. Congress is expected to insert revisions to the law in broader cybersecurity legislation.
But Justice officials have said limiting the law could derail cyberspy trials. At the Senate hearing, James A. Baker, associate deputy attorney general, noted, for example, that the government was able to prosecute State Department staff for improperly accessing passport records of then Sen. Barack Obama, D-Ill., and Sen. John McCain, R-Ariz., during the 2008 presidential campaign, by breaking the agency's computer access rules.
Kerr recommends that Congress rewrite the section of the law in question to exclude Terms of Service violations except in the case of federal employees who handle confidential information.
The Senate Judiciary Committee already has passed an amendment that narrows the law in this way. Kerr's testimony states, "Notably, the language carves out one significant exception. The government can pursue prosecutions for violations of computer use policies used by government employees. This will enable prosecutions when government officials misuse sensitive government databases."
Or, Kerr suggests, lawmakers could limit the law to specific types of information that, if misused, could cause harm. The mandate would only cover, perhaps, data worth more than $5,000, as well as sensitive or private information about a person, such as medical records, diaries and financial records.
Kerr, along with Richard Downing, deputy chief of Justice's computer crime unit, former Homeland Security Secretary Michael Chertoff, and Harvard Law School lecturer James Barker, are scheduled to testify on Tuesday before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security.
Strange bedfellows, like the American Civil Liberties Union, Americans for Tax Reform, the Competitive Enterprise Institute, the Electronic Frontier Foundation and the FreedomWorks Foundation have co-signed a letter seeking to protect people who accidentally run afoul of site service contracts.
The subject came into focus during the 2008 "MySpace Suicide" case. In that incident, a federal attorney brought criminal charges against a MySpace user who registered under an alias, a breach of the website's terms of service. A mother whose daughter had a falling out with a 13-year-old girl had been impersonating a teenage boy on MySpace to befriend and then reject the teen.
The young girl later killed herself and the mother was charged with, among other things, violating the computer fraud law. Kerr briefed and argued a successful motion to dismiss the case in 2009.