TOS Trivialities Could Become Law if DoJ Gets Its Way
Nov 16, 2011 5:00 AM PT
Something as simple and common as using an online pseudonym could technically be a violation of the law if the United States Department of Justice gets what it wants.
The DoJ on Tuesday asked Congress to impose harsher penalties on various types of cyberactivities, including cybercrime.
The goal, DoJ Deputy Section Chief Richard Downing told the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security, is to improve cybersecurity for the American people, the nation's critical infrastructure and the federal government's networks and computers.
To that end, the DoJ proposed revisions to the Computer Fraud and Abuse Act (CFAA) and related legislation.
These revisions call for much harsher penalties for cybercrime.
However, they also target people who breach a company's terms of service (TOS) by providing false information about their identities. It's this last suggestion that has aroused concern among civil liberties groups.
"The Department of Justice has used violations of terms of service as a predicate for prosecutions that are questionable," Gregory Nojeim, a director at the Center for Democracy and Technology, told TechNewsWorld.
"These activities of violating terms of service when using an online service happen all the time," Nojeim continued. "They can't all be crimes, and the Justice department's conduct in prosecuting crimes under CFAA shows that one cannot rely on prosecutorial discretion that only the appropriate cases will be brought to trial."
The Department of Justice did not respond to TechNewsWorld's requests for comment by press time.
What's In a Name?
Perhaps the most contentious issue on the DoJ's list is its suggestion that all breaches of a company's terms of service should be considered crimes under the CFAA.
Civil liberties groups have pointed out that this would mean anyone providing false personal information to an online service would thus be criminalized.
"TOSes are like software license agreements; no one reads or understands them," said information security expert Jeff Schmidt of JAS Global Advisors.
"Criminalizing the providing of false identifying information on social networking sites has profound implications," Schmidt continued. "Many people use pseudonyms."
Making the use of false identifying information a CFAA crime "also has extreme implications for free speech," Schmidt said.
Hammering Cybercriminal Gangs
The DoJ also wants to include CFAA offenses under the Racketeering Influenced and Corrupt Organizations (RICO) Act.
People charged under the RICO Act face fines of up to US$25,000 and 20 years in prison on each count and the forfeiture of all ill-gotten gains. RICO also enables victims harmed by such enterprises to file civil suits and collect treble damages.
Making Money Off Cyberslips
A lot will ride on how strictly the DoJ will define a criminal gang. The DoJ says malicious activities directed at the confidentiality, integrity and availability of computers should come under the provision of the RICO act.
That doesn't distinguish between cybercriminals who hack into computers for money and, say, a bunch of kids who pull a cyberprank.
That could see unscrupulous companies turning around and suing people for relatively minor acts to make money off their slips.
Should the DoJ back off from filing criminal charges in a questionable case, "making the RICO Act the CFAA predicate increases incentives for companies to bring questionable [civil] actions because treble damages are available," the CDT's Nojeim pointed out.
"The real concern here isn't federal prosecution but civil lawsuits," agreed JAS' Schmidt.
Crime and Extreme Punishment
The DoJ also proposed harsher penalties for cybercrimes.
These include making the appropriate maximum sentence for each offense equal to the number of years currently designated for a second offense.
"First-time offender provisions allow the Justice Department to prosecute cases where the penalties are less in order to bring to a fair justice people who aren't career criminals or repeat offenders in the hacking context," the CDT's Nojeim said.
Further, the DoJ wants to increase the maximum penalties in several cases, from five years to 20 in some instances.