Some state anti-hacking laws are even broader than the CFAA, says Crocker, the EFF attorney. California Penal Code Section 502, which Crocker describes as “pretty typical” of state-level cybercrime laws, includes language similar to the CFAA’s vague “unauthorized access” prohibition. But it also stipulates that someone who “knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network” may have broken state law.
Crocker says the EFF has argued against prosecutions where the only alleged criminal activity that occurred under Section 502 was the defendant downloading publicly accessible data that the owner of the data failed to keep private—a common activity among security researchers and journalists.
All of these broadly worded state-level cybercrime statutes can lead to over-criminalization, says Nellie King, president of the National Association of Criminal Defense Lawyers. It becomes particularly problematic when there’s little clarity about when an activity crosses the line from legal to illegal. Laws against “cyber-stalking” are a good example, King says. “I can’t tell you how many of those cases where I have to go in and say, ‘This is not stalking. This is being annoying.’”
In addition to vague laws, cybercrime statutes are sometimes essentially duplicates of other laws on the books, which means people can be charged twice for the same act—a “double counting of crime,” says Crocker. For example, prosecutors could “charge someone with the underlying crime of fraud but then enhance it with another crime of fraud conducted over the internet where there's no harm to the actual computers or networks,” he says. King agrees, adding that states can tack on additional “cyber-related” charges “to get the sentencing jacked.”
Finally, unlike the CFAA, many state cybercrime laws have not been heavily tested by the courts, says Crocker, which leaves them open to broader interpretation. “Most states have relatively sparse case law on their state hacking law,” he says, “so you have … laws without a lot of interpretation, which is a very risky area for individuals who risk running afoul of these laws.”
Rushing Into the Void
The solution to vague, expansive cybercrime legislation is to craft legal definitions that are limited to “cyber-dependent” activities, experts say. “If ‘cybercrime’ is going to mean anything, it has to be specifically limited to crimes done to computer systems and networks using computer systems and networks,” Crocker says. “In other words, it has to be the kind of crime that could not exist if this technology did not exist. ‘Cybercrime’ can't just be any bad thing done using a computer.”
Of course, amending the mountain of US state and federal cybercrime laws is unlikely to happen, Crocker says. Even just the CFAA, which Congress could update at any time, remains largely unchanged despite several attempts to amend the law. The greatest opportunity to prevent further expansion of over-criminalization through cybercrime laws now is with the UN treaty. But even with support from many member nations to limit the list of crimes covered by the treaty to “cyber-dependent” ones, and concerted efforts from civil liberties groups to exclude offenses committed unintentionally or without causing serious harm and to add safeguards against abuse, Article 19’s Gutiérrez remains skeptical.
“The probability that we get this, I think, is very low,” Gutiérrez says.
Still, the treaty’s negotiations are ongoing, with the Ad Hoc Intergovernmental Committee scheduled to meet for the fifth round of negotiations in mid-April and the sixth round in late summer. The final text of the treaty is expected to be completed by February 2024—a tight time frame that Gutiérrez says could cause trouble for an international agreement of this complexity, magnitude, and consequence.
The speed of the negotiations means there is little time to bring the treaty’s language more in line with what civil liberties and human rights groups say is essential. In fact, it could lead to a country like Russia or China slipping in language at the last minute that would be even more detrimental to what’s already in the negotiating document—something that reportedly happened during the fourth negotiating session in January. “The truth is that the issues are so complex, they are so technical, and there's very little time to negotiate all this,” Gutiérrez says. “So there’s no question some of this language will get into the treaty, because it's not just overlooked—the process is really, really being super rushed.”