Ha ha. New York Times accidentally posted their employee database to their website: SSN, passwords, and salaries: https://t.co/1dLdUXG2tT
— Rob Graham (@ErrataRob) January 14, 2015
In next week's State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above (fictional) link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link.
You might assume that things would never become that bad, but it’s already happening even with the current laws. Prosecutors went after Andrew “weev” Auernheimer for downloading a customer list AT&T negligently made public. They prosecuted Barrett Brown for copying a URL to the Stratfor hack from one chatroom to another. A single click is all it takes. Prosecutors went after the PayPal-14 for clicking on a single link they knew would flood PayPal’s site with traffic. The proposed changes make such prosecutions much easier.
Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Obama proposes upgrading hacking to a “racketeering” offense, which means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). Hanging out in an IRC chat room giving advice to people now makes you a member of a “criminal enterprise”, allowing the FBI to sweep in and confiscate all your assets without charging you with a crime. If you innocently clicked on the link above, and think you can defend yourself in court, prosecutors can still use the 20-year sentence of a racketeering charge in order to force you to plea bargain down to a 1-year sentence for hacking. (Civil libertarians hate the police-state nature of racketeering laws.)
Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem.
Most hacking is international and anonymous. They can’t catch the perpetrators no matter how much they criminalize the activities. This War on Hackers is likely to be no more effective than the War on Drugs, where after three decades the prison population has skyrocketed from 0.1% of the population to a staggering 1%. With 5% of the world’s population, we have 25% of the world’s prisoners – and this has done nothing to stop drugs. Likewise, while Obama’s new laws will dramatically increase hacking prosecutions, they’ll be of largely innocent people rather than the real hackers that matter.
Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that. For example, a search engine like Google downloads a copy of every website in order to create a search “index”. This sort of thing is grandfathered in, but if “copying the entire website” were a new idea, it would be something made illegal by the new laws. Such copies knowingly get information that website owners don’t intend to make public. Similarly, had hacking laws been around in the 1980s, the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices.
The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as "national security" and "cyberterrorism", then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like "hacking". Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals.
Along with his Hacking Prohibition law, Obama is also proposing a massive Internet Surveillance law. Companies currently monitor their networks, using cybersecurity products like firewalls, IPSs, and anti-virus. Obama wants to strong-arm companies into sharing that information with the government, creating a virtualized or “cloud” surveillance system.
In short, President Obama’s War on Hackers is a bad thing, creating a Cyber Police State. The current laws already overcriminalize innocent actions and allow surveillance of innocent people. We need to roll those laws back, not extend them.