American Poet John Godfrey Saxe is quoted as saying, “Laws, like sausages, cease to inspire respect in proportion as we know how they are made.”
Well, it’s sausage-making time here in the Nation’s Capital, and it isn’t pretty. Especially for cybersecurity.
That’s because, in their haste and desire to “do something” lawmakers often pass laws or promulgate regulations that both do more harm than good, and more frequently leave open room for prosecutorial and judicial misuse, misinterpretation, and malevolence. And the more pressure there is to “do something” the worse that “something” is.
This doesn’t mean that the lawmakers don’t mean well. Oftentimes they do. It’s just that the meaning of language is so imprecise, and the tools of law, particularly criminal law are so cumbersome that it really becomes the bull in the china shop.
The cybersecurity legislative proposals issued by the White House include things like mandatory minimum sentences, redefinition of computer crime, RICO and other “enhancements” and new definitions of conspiracy and aiding and abetting offenses each of which are good in theory, and horrible in their inevitable implementation.
RICO
The federal RICO law was a 1970 racketeering law designed to allow the U.S. government to prosecute organized criminal activity. You know, like the Mafia.
Indeed, the title itself derives from the 1931 film Little Ceasar, in which the Edward G. Robinson character Ceasar Enrico “Rico” Bandello’s last words are, “”Mother of mercy, is this the end of Rico?”
The President has proposed to include computer crime as what is called a RICO predicate – meaning that people who participate in a “criminal enterprise” which includes computer crime can be subject to RICO criminal prosecution or civil lawsuit.
If computer crime becomes a RICO predicate, both prosecutors or civil litigants can go after anyone who has committed “at least two acts of racketeering activity” meaning two acts of computer crime — within a 10-year period, if this is part of a criminal “enterprise.”
If convicted of RICO, not only are the penalties enhanced (20 years per count) but RICO allows for seizure and forfeiture (civil and criminal) not only of the proceeds of any crime, but of any interest in any business gained through a pattern of “racketeering activity.”
So what’s the big deal? Go after them cybercriminals! Hit em hard!
One problem with RICO – like the cyber crime laws themselves, is that they allow private litigants to go after each other using what are really criminal laws. This makes every potentially injured Plaintiff into a private attorney general.
A couple of employees leave the company taking their emails with them – RICO lawsuit! Seize the new employer’s computers and profits! An employee “exceeds the scope of their authorization to use a computer” twice in 10 years? They’re a Racketeer! It’s a very blunt instrument.
Another problem with RICO is the nature of online “conspiracies” and what the law calls concerted action. A conspiracy is an agreement between people to do something that is a crime.
There has to be an agreement (doesn’t have to be formal, and can be implied through action) to commit a crime. Under the law of conspiracy, each co-conspirator is liable for the actions of the other co-conspirators unless they effectively “withdraw” from the conspiracy.
In that way, an 80-year-old woman asked to take a suitcase across the border (not knowing what’s in it, but with enough knowledge to know that it’s illegal) can be held liable for, and prosecuted as a drug kingpin and as part of a multi-billion dollar drug conspiracy.
RICO makes this even easier for prosecutors by not even requiring proof of an agreement – just an “enterprise” which can be informal concerted activity.
But hackers don’t work that way. Nor do hacktivists. They work together and against each other. It’s clear that the government would want to prosecute carder groups as RICO enterprises – they work together toward a common goal, with each participant brining their own skills to the “enterprise.” And the proceeds and means of the carder networks should be seized and forfeited.
But is Anonymous a RICO conspiracy? Where some kid in Teaneck, N.J. “joins” Anonymous to protest the NYPD, should they be held liable for the much more nefarious acts of some uber-hacker in Bulgaria?
And remember, even if prosecutors use RICO judiciously, you can’t expect Plaintiff’s counsel to do the same. There’s a general rule about suing. If it moves, sue it. If it doesn’t move, move it – then sue it. Hell, the LAPD itself was sued as a criminal enterprise!
And worse, hacktivist groups can be shut down under RICO. Great if you don’t like the message. But groups that engage in civil unrest, that protest anti-Democratic governments, that protest for civil rights, etc. would all be subject to having their assets seized and their groups shut down.
Great if you disagree with them, not so great if you admire their embrace of new technology. Plaintiffs have successfully used RICO to sue pro-life activists protesting abortion rights, and the Supreme Court upheld this use. Again, a blunt instrument.
You see “online” conspiracies are in a real sense different from person to person or face to face enterprises. If you click a link to register a protest (or participate in a DDoS) you can be held liable. I can even imagine using RICO to go after people whose computers are used by Botnet’s, arguing that the Botnet is an “enterprise” and that the infected computer is a means and instrumentality of the enterprise. What’s worse, the government could then seize these infected computers (seize the botnet) and then, having seized it, examine it without a warrant for evidence of other crimes. You see, the problem with these “worst case” scenarios is that they all too often come true.
Confiscation of Surveillance Devices
The federal wiretap law has long made it a crime to engage in unlawful or unauthorized surveillance. The law also permits the government to seize and forfeit “any electronic, mechanical, or other device used, sent, carried, manufactured, assembled, possessed, sold, or advertised in violation of” the wiretap laws.
One problem with this law is that it makes it a crime, and subjects the manufacturer to both prosecution and seizure, for advertising any device that is “primarily useful” for surreptitious interception of communications. Note the words. Surreptitious. Not unlawful or illegal. It is NOT illegal for ME to surreptitiously intercept my infant’s communications through a baby monitor, but it IS illegal to sell the baby monitor because it is primarily useful for the surreptitious interception of the infant’s communications (if you can call them communications.)
The White House wants to compound this problem. It proposes to allow both criminal and civil forfeiture of any devices or proceeds relating to such devices. With all of the debate about the misuse of civil forfeiture, the government continues to seek to expand the scope of the laws.
And forfeiture of computers isn’t forfeiture of computers. It’s forfeiture of information ON those computers. So in a recent case in the Federal Court of Appeals in California, the Court found that where the government seized and forfeited the defendant’s computer on charges of child pornography, it did not have to return the non-pornographic files because doing so would be too difficult.
And this was in a case where the Court ordering the forfeiture was careful to state that ONLY the “contraband” (that is, the child porn itself) was subject to forfeiture. In the electronic evidence context, the government can (has, and will) use the forfeiture laws to seize computers without a warrant NOT because it wants to punish the owner of the computer, but because it wants to look at the contents of a computer without probable cause.
So, for example, if the government believes that a lawyer has used a computer to, say spy on an adversary, the government can “seize” and “forfeit” the lawyer’s computer as an instrumentality of the computer crime.
All of the once privileged data on that computer is now potentially subject to examination, since the government is NOT searching it for possible evidence, but it now OWNS the data because it is on a computer. An analogy would be that I use a file cabinet to hit someone over the head, so the government seizes the file cabinet and all the files inside it. Information is not subject to seizure. Except that the government proposal makes it so.
Computer Crime
The government is once again tinkering with the federal computer crime law – 18 USC 1030. Now it wants to make it an explicit crime to “intentionally exceed authorized access to a… computer, and thereby obtain information from such computer,” if the value of the information exceeds $5,000 or if the exceeding authorized access was in furtherance of some felony.
This “exceeding authorized access” is really really good in theory, and really really bad in practice. It was what was used to prosecute Aaron Swartz for logging into MIT’s library.
Or to prosecute Lori Drew for creating a fake MySpace account. The “limitations” – in furtherance of a felony or based on the “value” of the information accessed is more than 5K are not really limitations.
If I, for example, lie about my height (6’1”) on a dating site, in violation of their Terms of Use, I have “exceeded authorized access” to their network, since I broke the rules.
I then access the site with the millions of subscribers – the value of ALL of the information on the site is calculated by the cost to acquire the data, marketing costs, sales cost, maintenance costs, etc. So it’s now a crime.
And it’s then a crime for kids to lie to get access to sites protected by COPPA, or for employees of a company that allows “business use” of the Internet to access ESPN at work.
The “value” of the current score in the Wizards game is the cost that the NBA charges for the real-time feed, (subject to copyright) not the cost to access the information, which is free.
That points out that computer crimes are, at the end of the day, information crimes. And we can’t really decide what information needs protecting, and why. Tomorrow’s Wall Street Journal has much greater value than today’s – at least until it is published.
Hacker Tools
The legislative proposal would also make it a crime to “willfully traffic” in any “means of access” if you have a “reason to know” that computer “would be accessed or damaged without authorization” as the result of such trafficking.
So if you tell people about a vulnerability, and you know that someone would use that vulnerability to either access or damage a computer, you go to jail. Because telling someone is “trafficking” and a vulnerability is a “means of access.”
That would never happen, right? Except that it already has. For example, security researcher Bret McDanel was prosecuted, sentenced, and served 11 months in jail for telling customers of a “secure” email service that their email was, in fact not secure – even though he never actually exploited any vulnerability.
Or Andrew “Weev” Auernheimer who was prosecuted for exposing a security hole on AT&T’s servers that publicly revealed iPad users’ email addresses. Or for example, high school students who learn and share the wireless password to the High School network face criminal charges. Oh, and guess what else. Share that HBO GO password with a friend so they can watch Game of Thrones? Or Netflix account for House of Cards? You now “willfully traffic” in a “means of access” with a “reason to know” that a computer (Netflix, or HBO’s) will be accessed without authorization.
And with computer crime now a RICO predicate, we don’t have to convince a prosecutor to bring a case. HBO or Netflix can now go after account sharers civilly and get RICO injunctions and treble damages and attorney’s fees. A strategy worthy of Frank Underwood. Or Tywin Lannister (spoiler alert) if he hadn’t met with a crossbow on the toilet. See what I mean by blunt instruments and unintended consequences.
In addition, the law has shades of German Penal Code Section 202(c) which makes it a crime in preparation for the commission of an offense, to “produce, acquire for himself or another, sell, supply to another, disseminate or making otherwise accessible; passwords or other security codes enabling access to data; or software for the purpose of the commission of such an offence.”
The so-called “hacker tools” provision. This might be used to criminalize the dissemination of security information, vulnerability information, or even used against gray hat hackers who try to alert companies of the existence of vulnerabilities, since those are all “methods of access.”
Even the publication of scholarly articles (or as the law would call it, “trafficking”) which discuss vulnerabilities, (or as the law would call it, “means of access”) would be a crime if you have a “reason to know” that the information in the article “would be used” to access a computer without authorization. No longer would you have to have the INTENT to facilitate a crime. Just a reason to know. Bad idea in theory. Worse in practice.
Conspiracies and Completed Offenses
The legislative proposal “ups the ante” for cybercrime conspiracies, punishing those who “agree” to participate in a crime (conspirators) as if the crime had actually occurred, and as if they themselves had committed it.
While this is not uncommon in federal law, the nature of “Internet” conspiracies are such that a minor player may be now held criminally liable for a major event in which they did not even participate. The Internet is all about “concerted activity.”
An real-world example can be seen in the Ferguson protests. Many of the protesters were arrested for crimes like “failure to disburse.”
That’s a form of collective crime. How does one person “disburse?” They are really arrested for standing around while other like-minded people are also standing around.
It is the collective action, which is the crime, but the individual that is charged. On the Internet, concerted activity is treated like a conspiracy. And now, if you are part of the conspiracy, you are liable not only for what the conspirators actually DO, but for what they DIDN’T actually do.
So if there is a protest against ISIS designed to shut down their websites, and you click on the link to participate, even of the DDoS attack doesn’t work, you can be held liable for the entire conspiracy AS IF you had shut down the websites, since that was the object of the conspiracy. Oh, but don’t worry. Prosecutors would never abuse this authority.
Penalty Enhancements
The proposal also seeks to enhance the penalties for computer crime from the current 10 years PER COUNT to 20 years per count, with mandatory minimums, civil and criminal forfeiture, and injunctions against computer crime.
Sure, because those Bulgarians and Chinese are thinking, “Gee, I was going to commit a computer crime when the punishment was only 10 years, but now that it’s 20, I think I will just stop.”
Truth is, the “caps” on computer crime punishment are meaningless. Utterly. Because they relate only to each count. If you “hack” two computers, it’s 10 years per computer. Hack one computer twice – 20 years.
The hard part in prosecuting computer crimes is NOT to get the sentences UP, but to keep them DOWN. In the Aaron Swartz case, prosecutors charged the Defendant with multiple offenses, and then sought to “bargain down” to a plea involving only (I say only) three months incarceration. At least that is what was reported.
But mandatory minimums and enhanced penalties hurt prosecutors more than help them. They deny them the flexibility to treat some computer crimes as “serious” and others as not so serious. And they don’t even really impact sentencing at all.
Sentences are, for the most part (except mandatory minimums) determined by the United States Sentencing Guidelines. You want to “jack” someone’s sentence? Just argue billions in “losses.”
Again with the “value of information” or “cost of investigation” or potential loss. Example – traffic in (email to someone) a single credit card number of an Amex Centurion “Black” Card. It’s never used by anyone. Not cloned, not used. The user finds out, reissues the card. “Loss?” About $35.
But not under the Sentencing Guidelines. The loss could be the entire available credit balance on the card. About a million bucks. Or, with the new conspiracy guidelines, you could be held liable for the million dollars of loss even if the crime isn’t completed. So if you just “agree” to take the credit card, which is never even stolen, prepare to spend the next couple of decades in jail.
Frankly, we really don’t need these penalty enhancements. Or most of these new prosecutorial tools. What we really need is much much better international cooperation and tools to allow investigators to get lawful access to data in other countries in real time, or close to real time.
To make it easy for a judge in Delaware to issue an order which will be instantly recognized by a judge in Denmark, which will then issue its equivalent to a Danish ISP to produce records to the cops in Dover – with all appropriate safeguards and due respect for privacy. And to do that, we need trust AND oversight. Both. Not likely to happen.
What we have here is just sausage. And piles of it.