Justice Dept. Pressing for Changes to Computer Crime Law – ABC News
It’s clearly illegal to hack into someone else’s computer network and steal information from it. But what about a police officer who uses his own department’s computer database to look up women from his past? Or an employee who uses his log-in credentials to download confidential information from his employer?
These are questions that for years have vexed the courts, which have struggled to define the difference between permissible and illegal computer use.
Stung by recent court decisions that have gone against them, Justice Department lawyers are making a fresh push to clarify a computer trespass law that critics malign as overly broad. The 1986 law was intended to punish hackers, but the government has had difficulty applying it to company employees and other insiders who have permission to access a computer — but abuse that right by using the machine in ways they don’t have authorization for.
While the concerns aren’t new, they attracted attention this year after President Barack Obama suggested changes to the Computer Fraud and Abuse Act as part of broader cybersecurity legislation. The Justice Department also has appealed to Congress, which is expected to take up other cybersecurity measures in the coming weeks.
“These are really hard issues of what should the law cover and what should it not cover,” said George Washington University law professor Orin Kerr. “It’s totally understandable that we’re having this discussion and not sure what the answer should be, because this is a new kind of technological problem.”
Critics, including judges, have long expressed concern that people could be prosecuted under the anti-fraud law for computer use that, while technically unauthorized, is nonetheless benign. An appeals court recently raised the prospect that checking sports scores at work could theoretically lead to prosecution, though the Justice Department says it’s never had any interest in going after that kind of behavior.
Justice Department lawyers have sought to allay those fears by proposing to narrow the standards for prosecution. They’ve proposed limiting the law’s use to circumstances including misuse of a government database, the theft of $5,000 or more, or when the computer access was part of another felony such as blackmailing a co-worker.
“What we need is a law that makes clear that if you exceed authorized access for nefarious purposes … that that’s a violation of the law,” said Assistant Attorney General Leslie Caldwell.
Sens. Lindsey Graham, R-S.C., and Sheldon Whitehouse, D-R.I., have drafted legislation similar to the Justice Department proposal that aides say could be introduced soon. In the meantime, Whitehouse has attached an amendment to a broader cyber bill expected to be considered soon by the Senate. The amendment would punish damage to a “critical infrastructure computer,” such as one that controls the electric power grid, by up to 20 years.
Yet even some critics of the existing law say they believe the government already has enough tools to punish computer crime, without making changes.
“All of this is a solution in search of a problem,” said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, a privacy group.
Though the Justice Department has successfully used the existing statute many times, its proposal comes amid recent decisions in appeals courts — including in a lawsuit involving trade secrets — that have interpreted the law in ways prosecutors didn’t like.