The Business Software Alliance (BSA) recently lent its support to legislation pending in the U.S. Congress that would expand the scope and power of federal criminal law pertaining to IT security matters. Under the “Cyber-Security Enhancement Act of 2007” (CSEA), section 1030 of the federal criminal code would be amended to include new offenses of extortion based on threats to gain unauthorized access to a computer and of conspiracy to commit any of the IT-related crimes defined in section 1030. More significantly, the bill would create another new offense directed at anyone who:
…intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains a unique electronic identification number, address or routing code, or access device (as defined in section 1029(e)(1)), from a protected computer.
The term “exceeds authorized access” already is defined elsewhere to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” In addition, the bill amends the previous definition of “protected computer” to include any computer “affecting interstate or foreign commerce or communication” (which would seem to include any computer that is publicly accessible through the Internet). Finally, the bill would include all of these offenses, along with the other section 1030 offenses, as predicates for prosecution (as well as civil liability) under the Racketeer Influenced and Corrupt Organizations Act (RICO).
It is undoubtedly important to give law enforcement all the tools that it needs to combat organized efforts to infiltrate secure computer networks and the sensitive personal information that many of them contain (an objective that CSEA also pursues through greater funding for federal investigations into cyber-crime). However, in pursuing this end, the CSEA and its supporters seem to be casting a very wide net indeed. Questions concerning what constitutes “authorized” access or information to which a user is or is not “entitled” on a web-accessible computer could mean that more than just hardened cyber-criminals end up getting caught in CSEA’s sweep. The surprisingly broad scope of the bill, coupled with the new link to RICO and the private civil suits that statute allows, may also mean that we could see an uptick in IT-related litigation in coming years, should CSEA see its way through to passage. It will be interesting to watch this bill’s progress in coming weeks and months.
You can read the text of the bill here. Section 1030 as it currently exists is available here.