Lawmakers should embrace a White House proposal that would mandate tougher punishments for cyber crimes, Richard Downing, deputy chief of the Justice Department Computer Crime and Intellectual Property Section, told a House subcommittee Tuesday.
Testifying before a House Judiciary subcommittee hearing on cyber security, Downing said that extending Racketeer Influenced and Corrupt Organizations statutes to online crimes and requiring minimum sentences for violations of the Computer Fraud and Abuse Act, as recommended in the proposal, would allow law enforcement officials to better cope with the increasing power of online criminals.
He also said that hacking statutes should be harmonized with those that cover crimes of equal severity committed outside of cyberspace — such as fraud and extortion statutes — and that the definition of “exceeding authorized access” — a statute that considers a terms of service violation to be a crime in the Computer Fraud and Abuse Act– should not be scaled back.
One witness, George Washington University Law Professor, Orin Kerr, a former DOJ official, was concerned with the Justice Department’s current interpretation of the definition of the “exceeding authorized access” statute, and argued that it should be scaled back significantly because violating terms of services should not be automatically considered a violation of law.
He said, for example, that because he listed his hometown as Washington, D.C. and not Northern Virginia on his Facebook profile, he is, in eyes of the Justice Department, a criminal– an admission that led to a light-hearted reading of his Miranda Rights by subcommittee chairman Louie Gohmert (R-Texas), a former state judge.
Kerr argued that interpreting terms of service agreements as a matter of law would require punishments for misbehavior that would not constitute a crime offline. Every minor that uses Google, and everyone who slightly misrepresents him or herself on an online dating profile would be a criminal if the agreements were “binding as a matter of law,” he said.
He argued that the statute concerning unauthorized access should be strictly limited to terms of service violations that deal with personal and valuable information, and that a recent case brought by federal prosecutors, in which a defendant was cited by prosecutors for violating his company’s terms of service agreements by using a business computer “for non-business reasons, illustrated the need for lawmakers to proceed with restraint.
“Concern over the Justice Department’s over-broad reading of the Computer Fraud and Abuse Act is a real one,” he said.