Obama's cybersecurity plan: Share a password, click a link, go to prison as a hacker

Security experts say that, thanks to President Obama's proposed cybersecurity plans and CFAA amendments, you could be considered a hacker for innocent behavior like sharing your Netflix password with family members or clicking a link that contains unauthorized content.

“With liberty and justice for all” are words all Americans know from an early age thanks to the Pledge of Allegiance, but liberty as a “need” is at an abysmal 14% according to the supercomputer Watson’s analysis of President Obama’s 2015 State of the Union speech. Liberty expressed as a need by presidents has only dipped lower three times, plummeting to 5% in 2014, 6% in 2008 and 3% in 2002.

Image: Supercomputer Watson analysis of needs expressed during State of the Union (credit: Watson / MSNBC's Sam Petulla & Mina Liu)

During President Obama’s State of the Union address, he promised “to protect a free and open internet,” which had the EFF feeling “encouraged” about the FCC vote on net neutrality coming up in February; otherwise giants like Comcast, Time Warner Cable, Verizon and AT&T could throttle consumer access to sites and services, such as Netflix, that refuse to pay for fast lane access.

Image: Cyber comments by President Obama during State of the Union (credit: EIA)

When it comes to cybersecurity, Obama stated:

No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.

At face value, improving cybersecurity sounds like a great move… except that better cybersecurity hygiene includes embracing encryption, not outlawing it. Last week Obama went on record about encryption, claiming, “If we find evidence of a terrorist plot… and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem.” That means he agrees with British Prime Minister David Cameron’s statement that there should be “no means of communication” which “we cannot read.” However, President Obama didn’t go so far as to mention requiring backdoors to be built into apps.

The President’s “comprehensive approach to enhancing consumers’ security, tackling identity theft, and improving privacy online and in the classroom,” includes cybersecurity information sharing between government and the private sector; it’s basically an updated version of the President’s 2011 cybersecurity legislative proposal. The EFF suggested the recycled proposal is unnecessary, unwelcome and should remain on the shelf where it belongs.

Obama’s proposed legislation really gets worrisome when you dig a little deeper into the updated law enforcement proposal (pdf) and revisions of the Computer Fraud and Abuse Act (CFAA), which extend the maximum penalty for computer crime violations from 10 to 20 years in prison.

If that scares off security researchers from finding holes in our computers, smartphones, critical infrastructure and the plethora of Internet of Things devices (IoT gadgets have an average of 25 vulnerabilities each, and that’s not counting the ways IoT device data can secretly be used against users), then how is that improving cybersecurity?

I Am the Cavalry security researcher Josh Corman told Tom's Guide, “Just as we get people interested in vulnerabilities in the Internet of Things, along comes this revision to the CFAA that makes it harder for us to find those vulnerabilities.”

EFF attorney Nate Cardozo tweeted a boiled down version of Obama’s speech: “To protect our children, I want to make it a 10-year felony to share Netflix passwords.”

Image: Share Netflix password, be prosecuted for CFAA and go to prison (credit: Nate Cardozo)

And at the ShmooCon 2015 security conference, Cardozo said, “Under the new proposal, sharing your HBO GO password with a friend would be a felony.”

In fact, in the words of Errata Security’s Robert Graham, the President’s proposal is a flat-out “war on hackers.”

Image: Click link, break CFAA law (credit: Robert Graham)

Could you resist the temptation to click on such links? He added that the proposed laws against hacking:

could make either retweeting or clicking on the above (fictional) link illegal. The new laws make it a felony to intentionally access unauthorized information even if it's been posted to a public website. The new laws make it a felony to traffic in information like passwords, where "trafficking" includes posting a link.

Not planning to hack anyone? Well Graham says you could “still be guilty if you hang around with people who do.” He explained:

Obama proposes upgrading hacking to a “racketeering” offense, means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). Hanging out in an IRC chat room giving advice to people now makes you a member of a “criminal enterprise,” allowing the FBI to sweep in and confiscate all your assets without charging you with a crime.

The President’s enhanced cybersecurity proposal and amendments to the anti-hacking law could be seen as a war on everyone: from security researchers, to the curious who click a link, to journalists who report on info obtained via a hack or leaked by a whistleblower. We've already got 75% of journalists who are so worried about government surveillance that they self-censor free speech and avoid reporting on news like leaks, but the CFAA could send reporters to prison for reporting the news. The Blot described the proposed changes to the CFAA as President Obama declaring war on journalism:

If enacted, federal prosecutors could charge reporters with computer crimes for merely obtaining documents taken without authorization from a government computer system by a whistleblower or for sifting through a vast quantity of data leaked online by hackers. Reporters covering the next Edward Snowden or Sony Pictures hack could suddenly find themselves facing decades in prison and hundreds of thousands of dollars in civil fines merely for doing their jobs.

With liberty and justice for all, huh? Even an emotionless supercomputer had a hard time finding “liberty” being expressed as much of a need by America’s leader in his State of the Union speech.


Copyright © 2015 IDG Communications, Inc.
