US senators try to pass the same sneaky amendments that didn't pass in CISA, now hidden inside the Email Privacy Act

May 30, 2016 23:55 GMT

Two US senators have proposed an amendment to the CFAA (Computer Fraud and Abuse Act) that would criminalize the work of security researchers and grant new surveillance powers to local US authorities, the Electronic Frontier Foundation (EFF) warns.

Senators Sheldon Whitehouse (Rhode Island) and Lindsey Graham (South Carolina) have submitted an amendment to the CFAA, which the EFF says they may try to slip past the Senate as part of the Email Privacy Act, which is up for a vote in the coming weeks.

The two used the same tactic last year, when they tried to attach the same amendment to the Cybersecurity Information Sharing Act (CISA) of 2015; it was pulled at the last minute because it was one of the provisions that drew the most public opposition.

Called the Botnet Prevention Act of 2016, their proposed bill makes three main changes to the CFAA, all framed as botnet-related measures.

CFAA amendment wants to broaden the term of "passwords" to "means of access"

First and foremost, their fancy-named Botnet Prevention Act wants to expand the way passwords are interpreted in the clause that prohibits the sale of access credentials. The two have replaced "passwords" with "means of access," a vaguer term that could technically cover anything from a highly secure SSH key to something as simple as a URL.

This is the clause that would cause the most problems for security researchers, since testing a vulnerability often requires trying credentials or exploits, which by its nature involves "accessing" the target's system.

Theoretically, if a company wanted to silence a security researcher, it could invoke these new interpretations in the CFAA amendment and threaten to file a criminal complaint.

"Any time we see the CFAA statute broadened, there's a broad chilling effect on security research while the implications are determined in court," Jonathan Cran, founding member of Bugcrowd, told Softpedia.

"Thankfully, we see forward-thinking organizations carving out a form of safe harbor by starting vulnerability disclosure and bug bounty programs, but this isn't happening fast enough for well-meaning researchers like Justin Schafer," Mr. Cran told Softpedia, referring to another recent case of infosec criminalization.

On this topic, Chris Vickery, the MacKeeper security researcher known for his work uncovering unprotected MongoDB databases, would certainly find himself in trouble under such a law.

"If passed, and overzealously enforced in its current form, my research would almost certainly run afoul of these new CFAA modifications," Mr. Vickery told Softpedia. "However, I refuse to live in fear and will gladly act as a legal test case for the legitimacy of such enforcement."

CFAA amendment wants to force companies to hack their clients

The second big issue with the Botnet Prevention Act is the introduction of a new option that would help government agencies spy on their own citizens without probable cause.

The CFAA amendment would allow US agencies to obtain court orders legally forcing an ISP or tech company to hack into its users' computers in the course of a botnet investigation.

While this might make sense when authorities are investigating a botnet's command infrastructure, the amendment includes no safeguards protecting the victims of such intrusions from the investigators themselves.

Furthermore, the Botnet Prevention Act doesn't mention anything about notifying hacked botnet victims, which would make sense if the two senators had the interest of the US population at heart.

CFAA amendment wants to create a new felony offense

The last clause in the proposed Botnet Prevention Act introduces further chaos in US legislation. Currently, the CFAA already considers damaging critical infrastructure a felony.

Whitehouse and Graham would like to replace the current definition of "critical infrastructure" with the one used by the Department of Homeland Security, which covers even more sectors than the definition already in the CFAA, leading to the overcriminalization of cyberspace.

Furthermore, this CFAA amendment would narrow the discretion judges have to reduce sentences for CFAA offenses, and would bar them from merging sentences or letting them run concurrently, forcing defendants to serve prison terms back to back.

Imagine a security researcher who had tested a vulnerability against ten computers on a company's network. If the researcher were sentenced to jail through some absurdity, they would have to serve a separate prison sentence for each computer, should an overzealous prosecutor want to make a name for themselves.

EFF's call to arms, public support is needed

The US tech and cyber-security sectors had already voiced their displeasure over bills like these before, and had some success when the vast majority of CISA's intrusive amendments were rejected.

Nevertheless, the US government got its way regardless, when in December 2015, it sneakily passed the CISA bill inside a budget bill to everyone's dismay.

Just like the recently proposed Burr-Feinstein bill, US senators prove once again that they have no clue as to how cyber-security works.

"I think that development of new anti-cybercrime laws [should] involve cybersecurity professionals," Ilia Kolochenko, High-Tech Bridge CEO & Founder, told Softpedia. "Senators and politicians have great experience of dealing with people and the economy; however, quite often they have a wrong perception of the technologies and methods used by the attackers."

"Cybersecurity professionals, e-crime forensics organizations, law enforcement agencies and even ex-Black Hats [should] all participate in cybercrime law development. Otherwise, the law will never work in practice, or even worse, will allow innocent people to be condemned."

When the EFF was talking about reforming the CFAA a few years back, it certainly didn't envision lawmakers going in this direction. Below is the latest text of the proposed Botnet Prevention Act of 2016, at the time of writing.

UPDATE: The article was updated shortly after publication with Mr. Vickery's comments.