What is the #CFAA?


The Computer Fraud and Abuse Act (CFAA) of 1986 is United States legislation that made it a federal crime to access a protected computer without proper authorization.

Obama’s idea for a revised CFAA calls for expanding the definition of the phrase “exceeds authorised access” of a computer. Exceeding access simply means accessing information “for a purpose that the accesser knows is not authorised by the computer owner.”
In other words, Obama wants to amend the meaning of hacking. He even wants to make it a type of racketeering.

So clicking a link could mean 20 years in prison? That sounds astounding until you realize how Aaron Swartz faced decades in prison for accessing scholarly articles on MIT’s network. This is after the university and the database declined to press charges. Under Obama’s proposals, doing less could lead to more prison time.

Comments about the CFAA

“The CFAA criminalizes many of the wrong sorts of acts – such as sharing information about network weaknesses or releasing hacking code. Many of these techniques are currently used expressly to strengthen cyber-security.”
“Punishing companies for data breaches is like fining those injured by random gunshots for not wearing a bullet-proof vest as a measure to reduce casualties of gang shooting.”
“The current proposal from the White House only addresses the administrative aspects of cyber-crime enforcement…clarifying what is illegal, etc.,” “But, importantly, it seems to do nothing actually to improve law enforcement cyber capabilities.”
– Mark Kraynak, chief product officer at the network and data-center security firm Imperva.

“Just as we get people interested in vulnerabilities in the Internet of Things, along comes this revision to the CFAA that makes it harder for us to find those vulnerabilities.”
– Josh Corman, I Am the Cavalry security researcher

“To protect our children, I want to make it a 10-year felony to share Netflix passwords.”
– Nate Cardozo, EFF attorney, tweeting a boiled-down version of Obama’s speech.

“Under the new proposal, sharing your HBO GO password with a friend would be a felony.”
– Nate Cardozo, EFF attorney at the ShmooCon 2015 security conference

“Obama proposes upgrading hacking to a “racketeering” offense, which means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). Hanging out in an IRC chat room giving advice to people now makes you a member of a “criminal enterprise,” allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.”
– Robert Graham, Errata Security

Links for further reading

Obama’s cybersecurity plan: Share a password, click a link, go to prison as a hacker http://www.computerworld.com/article/2872368/obamas-cybersecurity-plan-share-a-password-click-a-link-go-to-prison-as-a-hacker.html

EFF Statement on President Obama’s Cybersecurity Legislative Proposal https://www.eff.org/deeplinks/2015/01/eff-statement-president-obamas-cybersecurity-legislative-proposal

Updated Administration Proposal: Law Enforcement Provisions http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tools.pdf

President Obama Declares War on Journalism http://theblot.com/president-obama-declares-war-on-journalism-7733377