Simple crimes that have no financial damage could carry 20 years each. For doing something like downloading a copy of a paper without permission.
Should internet laws carry sentences an order of magnitude greater that laws about crimes in the real world? The Steubenville rapists gangraped a girl and got what, two years? Under this expanded CFAA Aaron Swartz would have received hundreds of years in prison.
Call your rep. Tell them to fight this.
Congress’ New CFAA Draft Could Have Put Aaron Swartz in Jail For Decades Longer Than the Original Charges | Electronic Frontier Foundation
Perhaps the most disturbing aspect: instead of reducing the penalties for crimes that don’t cause much economic damage, it dramatically increases them. For example, Aaron faced four charges under section (a)(4) of the CFAA, which had a maximum sentence of five years each. EFF, Orin Kerr and many others have proposed removing (a)(4) entirely since it creates double penalties for the same behavior criminalized elsewhere in the law. What does the new draft do? It increases the maximum under (a)(4) to twenty years for each charge. As Internet law scholar James Grimmelmann remarked Monday, the thought of Aaron facing more time is “simply obscene.”
The new draft also now turns CFAA violations into a “racketeering” offense, adding yet another layer of charges the DOJ can add to the charge sheet of a hacker it doesn’t like. It also adds a broad conspiracy charge that carries the same penalty for actually committing an offense. Essentially, talking about committing computer crimes without actually doing so can land you in prison.
Most troublingly for innovation and for user empowerment, the bill “clarifies” its definition of “exceeding authorized access” to include accessing information for an “impermissible purpose”—even if you have permission to access the information in the first place. That codifies the misguided idea that any terms of service violation is indeed a crime, effectively undoing good rulings in the 9th and 4th Circuits.
The CFAA already reaches computer intrusions, serious denial of service attacks, password misuse and attacks on national security computers. Those provisions are important. The Department of Justice has more than enough tools it needs to go after real criminals using this law and a host of others—including criminal copyright, trade secrets, identity theft and other laws. It should use those tools rather than coming back to Congress for more, especially now that it's just been caught misusing the law so egregiously in Aaron’s case.
Quite simply, this bill is a nightmare for Internet users' rights. That the House Judiciary Committee would introduce it in the wake of Aaron’s death demonstrates just how out of step they are.