A bill strengthening penalties for cybercriminals using botnets would also put security researchers in legal jeopardy and give the government new powers to force companies to hack each other’s devices, according to a coalition of internet activist groups.
In a letter released Wednesday, 14 groups, led by Access Now, urge senators to oppose S. 2931, the Botnet Prevention Act of 2016.
Bill sponsors Sens. Lindsey Graham, R-S.C., Richard Blumenthal, D-Conn., and Sheldon Whitehouse, D-R.I., say the goal of their bill is to deter cybercrime by creating new offenses and toughening penalties on those who create, use and rent out botnets – networks of infected computers belonging to innocent third parties that can launch distributed denial of service attacks, send spam and spread ransomware or other malicious programs.
But the letter says the bill, which would amend the Computer Fraud and Abuse Act, could allow the government to bully white hat security researchers and “result in severe collateral damage.”
“The proposal will exacerbate the CFAA’s existing problems and enable prosecution of behaviors well beyond malicious computer trespasses or hacking, which were the original and appropriate targets of the CFAA,” the coalition letter said.
The privacy and cyber liberties groups who signed the letter — including Access Now, the American Civil Liberties Union and the Electronic Frontier Foundation — argue the bill is filled with vague and poorly defined language, which could allow the prosecution of researchers studying botnets as though they were criminals, Access Now’s Policy Counsel Drew Mitnick said.
“There is not enough nuance in the bill to permit or encourage effective research,” he said.
For example, one change expands “the existing prohibition in the CFAA against selling passwords to any ‘means of access,’” according to the letter. With such loose language, the coalition fears the government could aggressively go after researchers for merely studying or experimenting with botnets.
Vague language would also allow U.S. agencies to obtain court orders to legally hack botnet-related companies — or even force other companies to hack private devices, he said. For Access Now and many other groups, this crosses the line.
Even without the additional powers the bill would grant, Mitnick said, many white hats are already at risk of prosecution because of existing provisions of the CFAA. Last week, in a statement about the new bill, the Electronic Frontier Foundation called CFAA “vague, draconian, and notoriously out of touch with how we use computers today.”
Last week, after researcher Justin Shafer found a cache of dental patient information stored on an unsecured web server, armed FBI agents raided his home at dawn, according to the Daily Dot.
“What we need is reform that reins in the CFAA, not a measure that makes things worse,” the letter said.
For both sides in the dispute — the coalition and the senators — the controversy is an ongoing debate. Last year, Whitehouse and Graham tried to pass a similar amendment to curb botnets as part of the Cybersecurity Information Sharing Act. That legislation was pulled for similar problems with language and possible conflicts with researchers.
During an October session, Whitehouse spoke angrily about the amendment, surprised it was pulled despite the support of the Justice Department.
“Why would we not want to empower our Department of Justice to be able to go after people who are criminal brokers allowing access for criminals into botnets to use for criminal purposes against Americans?” Whitehouse said.
Instead of different rules or stricter consequences, Mitnick said the government should be working to encourage the community of security experts developing and studying the tools to prevent botnet attacks.
“Right now, there is a total lack of transparency and oversight,” he said. “There are barely any discussions about government hacking, either.”
Contact the reporter on this story via email: Jeremy.Snow@FedScoop.com.