Robert X. Cringely
Columnist

Think cyber crime laws are bad now? Wait till you see the latest proposals

analysis
Apr 8, 2013

Congress is revising the Computer Fraud and Abuse Act -- in the worst way possible. It's time to fix the CFAA, the right way

Hoping to pursue an exciting and lucrative career in the world of crime? These days a Harvard MBA and a solid knowledge of international banking laws is as good a qualification as it gets. If you don’t have the grades or can’t swing the tuition, there’s always option B: Buy a weapon at a gun show, pull a stocking over your head, and head off to the nearest convenience store.

But whatever you do, don’t study computer science. Don’t learn about the intricacies of networking and Web servers. Don’t even think about messing with the InterTubes — then you’re truly dangerous, and an example must be made of you.


I’m not just talking about the tragic suicide of Aaron Swartz, who chose to kill himself rather than face jail time for illegally downloading academic papers. There’s also Andrew “Weev” Auernheimer, sentenced last month to 41 months in prison for “hacking” AT&T’s website to extract the email addresses of 114,000 iPad owners — many of them in government agencies. How did Weev hack the site, exactly? By exploiting a stupid design flaw in AT&T’s login page, flooding it with URLs containing random 20-digit numbers and watching it spit out email addresses in response.

That’s barely skimming the surface. There’s Barrett Brown, ex-spokesperson for the Anonymous movement, who’s looking at 15 years for posting a URL in a chat session where others could find a few dozen hacked credit card numbers. Matthew Keys allegedly gave the login for his former employer’s website to a member of Anonymous; he’s facing a possible 10-year sentence and a $250,000 fine if convicted. The list goes on.

Why were these guys facing hard time? Two reasons: One, instead of cowering meekly and accepting their punishments, they thumbed their noses publicly at the authorities. The other is a brain-dead law originally written in 1984 and expanded several times since then called the Computer Fraud and Abuse Act, which serves up harsh penalties for mostly victimless crimes.

Nearly everyone agrees that the CFAA needs to be amended. Even the Republicans who control the House agree — but they’re trying to amend it in the opposite direction. They want to make the CFAA worse than it already is. Mike Masnick at TechDirt breaks down the proposed changes:

Apparently, the House Judiciary Committee has decided to raise a giant middle finger to folks who are concerned about abuses of the CFAA. … , they began circulating a “draft” of a “cyber-security” bill that is so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA. Rather than fix the CFAA, it expands it. Rather than rein in the worst parts of the bill, it makes them worse. And, from what we’ve heard, the goal is to try to push this through quickly, with a big effort underway for a “cyberweek” in the middle of April that will force through a bunch of related bills.

Let’s say you take part in a chat room discussion about a computer crime that someone else ends up committing. You could be guilty of “conspiring to commit” that offense and face the same punishments. Or perhaps you have legal access to data for one purpose but use it for another — say, posting it to a publicly available website. You could be found guilty under the new provisions of the CFAA. Of course, the penalties get stiffer and the list of stuff the feds can take away from you grows longer.

We know that in the knife drawer of intellectual prowess Congress is brimming with spoons. We know that some duly elected members really did believe that the Internet was made up of tubes, possibly like the pneumatic ones you see at drive-through bank tellers. We know many of them couldn’t spell “SQL injection” even if you spotted them all the consonants and most of the vowels. But even by those debased standards, this is moronic.

Meanwhile, there’s an epidemic of actual cyber crime going on right under their noses, attacking the very people Congress likes to claim as its core constituents: small-business owners. Real criminals are stealing real money from real people. Why? Because small businesses have more money than individuals but far fewer protections in place than Fortune 2000 companies.

In the first six months of last year, the rate of hack attacks targeting small businesses doubled, according to Symantec. Verizon’s most recent report on data breaches details nearly 900 attacks — three-quarters of them against businesses with 100 employees or less. Average loss per business? Nearly $200,000 per incident, says Symantec.

That is actual cyber crime. Downloading academic papers, scraping email addresses, and sharing URLs and/or logins in chat rooms? Not so much. With such limited resources available to public prosecutors and so much pressure to cut them even further, why are they wasting them on these guys? Because they can. It makes for good headlines. And the CFAA gives them a mighty big hammer to go after a few tiny nails.

The EFF, the Internet Defense League, and other activists have declared this Fix #CFAA week, calling for Congress to roll back the excesses of the act and reform it in the right direction — for example, removing criminal penalties for minor violations of a website’s terms and conditions, and making penalties for actual criminal activity proportionate to the crimes committed.

These aren’t complicated ideas. Let’s hope Congress can muster up enough gray matter to understand them and respond in the right way.

Where do you stand on the CFAA? Get on your soapbox below or send me a frothy email: cringe@infoworld.com.

This article, “Think cyber crime laws are bad now? Wait till you see the latest proposals,” was originally published at InfoWorld.com.