Killing (innovation) in the name of the law

I am not a lawyer. Nor do I want to be one.

But fortunately I have enough education and practice around legal systems, domestic and international, to be “dangerous” enough so I can actually get my job done wherever I need to.

This, however, is a constant balancing act, especially in light of the proposed cybersecurity bill. The proposed legislation basically expands the CFAA (Computer Fraud and Abuse Act), and not in the right directions. As-is, the CFAA is draconian, and has been repeatedly abused to prosecute people who have, for lack of a better term, pissed off someone. Notable examples like Barrett Brown, Aaron Swartz and Andrew Auernheimer (‘weev’) have been subjected to government prosecutors who leaned on the ambiguity and far-reaching implications of the CFAA.

Extending the law, and subjecting it to elements such as RICO (Racketeer Influenced and Corrupt Organizations Act), furthers its reach, and along with the proposed amendments basically criminalizes most of the work done by hackers (i.e. good guys). It stifles innovation and the ability to “play around” with computers, software and hardware, and would have put most hi-tech founders in jail for a long time if the law had existed back then. Heck, I’d be serving decades in jail if it had.

And to think, even for a moment, that any of this has deterred, or would deter, real criminals is absurd. Other than holding back legitimate research and innovation that is put to use to thwart cybersecurity threats, this does nothing good.

I truly hope that legislators would wake up and rise above the political forces that managed to push this bill in its current form, and perhaps even take action to correct the already crooked CFAA in a way that would make it more relevant to computer crime and fraud.

Until then, I guess that we would have to keep tiptoeing between the raindrops to make sure that we can keep pushing the envelope as always. Much like a lot of organizations (private, as well as government, that I have had a chance to work with) have done by offshoring and distancing their more aggressive/proactive activities to avoid jurisdiction issues.

A couple of good reads on this are here for your background: Orin Kerr and a shameless plug of my comments on this on CSO Online.

