The White House wants to create a cyber police state

New powers and fuzzy boundaries in the “War on Hackers” could turn innocuous online activities into federal criminal offenses.


There is a lot to dislike about the new cybersecurity legislation proposal President Obama unveiled this week.

A good part of the proposal is mere cybersecurity theater. The CISPA-style push for private organizations to increase “information sharing” of cybersecurity threats with the Department of Homeland Security hasn’t worked for the federal government’s own information systems and will likely fail again.

These ineffectual policies would simultaneously threaten our privacy and civil liberties. They would provide intelligence agencies with yet another pretext to easily access huge amounts of metadata about our online activities. They would also shield companies from liability and lawsuits over mishandled cyberthreat information-sharing or facilitation.

But a particularly troubling part of the President’s new cybersecurity proposal could transform an average Internet user into a dangerous cybercriminal with one wrong click — and put them on the hyperlinked lam from the full force of U.S. organized criminal law.


The description provided under the “Modernizing Law Enforcement Authorities to Combat Cyber Crime” section of the handy official White House fact sheet appears reasonable enough. We are told that the proposed changes would empower law enforcement agencies to clamp down on botnets and DDoS attacks, seize the property of persons suspected of operating or selling spyware programs, and criminalize the overseas sale of surreptitiously accessed private data.

Few would take issue with the stated goals of the White House plan. Living in a world with fewer and shorter DDoS attacks sounds pretty good to most people. Civil asset forfeiture typically isn’t the most popular stick in the big police bag of tricks, but few will weep for the CryptoLocker fiends. It seems obvious that fraud and data theft should be against the law—so obvious that it’s a little hard to believe that this kind of straightforward criminal behavior isn’t already covered by our robust selection of laws.

But the devil is always in the details—and the few that Obama has provided so far are worrying indeed.

In reality, President Obama’s cybersecurity proposal could dramatically expand law enforcement powers to crank out crackdowns on online activities while broadening the range of activities that could be prosecuted as cybercrimes.

It does this in two major ways: 1) by expanding the Computer Fraud and Abuse Act (CFAA) to criminalize viewing unauthorized information even if posted to a public website (like Wikileaks); and 2) by tethering expanded law enforcement powers under the Racketeer Influenced and Corrupt Organizations Act of 1970 (RICO) to the prosecution of “cybercrimes.”


The CFAA is a federal anti-hacking law that embodies the insurmountable Kafkaesque combination of unclear statutory language and overzealous legal application. As the Electronic Frontier Foundation explains:

Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what “without authorization” actually means. The statute does attempt to define “exceeds authorized access,” but the meaning of that phrase has been subject to considerable dispute.

The CFAA is notorious within computer science and civil libertarian circles for justifying the outrageous and disproportionate prosecutions of Internet activists like Aaron Swartz. Robert Graham of Errata Security describes how this law has been abused in the past:

Prosecutors went after Andrew “weev” Auernheimer for downloading a customer list AT&T negligently made public. They prosecuted Barrett Brown for copying a URL to the Stratfor hack from one chatroom to another. A single click is all it takes. Prosecutors went after the PayPal-14 for clicking on a single link they knew would flood PayPal’s site with traffic.

The proposed changes would double down on this “War on Hackers” by expanding the number of people that can be ensnared in this tenuous legal net. Let’s say I happen to share the following tweet:

¡Ay caramba! I’ve just “knowingly and willfully” shared a “password or similar information, or any other means of access” with you people, all while “knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking.”

Under the White House proposal, I would be considered a dangerous cybercriminal facing up to a twenty-year stint in the big house for my grave transgressions.

And guess what: so would you!

That’s because the cybersecurity proposal would also expand “racketeering” charges authorized by RICO to apply to crimes prosecuted under the CFAA. Like the CFAA, RICO prosecutions have long since metastasized to cover far more activities than justified by its original proposal. RICO now operates as a kind of “criminal law plus” tool, where law enforcement officials can throw the book at suspects that they can’t otherwise charge with the crime they’d like. The Independent Institute has more:

Under RICO, individuals who engage in what prosecutors allege to be extortion, illegal gambling operations, and the like are not charged with those specific crimes, but rather are accused of racketeering, which is a derivative catch-all term. Because RICO cases are tried in federal courts, U.S. attorneys do not have to prove to juries and judges that the accused engaged in the aforementioned crimes (which as a rule are violations of state criminal law); they must show only that it appears the defendants carried on those activities. Moreover, for a RICO conviction, the prosecutor must meet only the civil standard of “preponderance of the evidence,” not the higher standard of “guilt beyond a reasonable doubt” that historically has been required for criminal conviction.

In other words, just reading this article containing the flagrant act of cybercrime that I committed above could place YOU in the legal crosshairs. Even if you didn’t find yourself compelled to share this article—and therefore the dastardly cybercrime—with your friends, by reading this article, it could be argued that you were acting like you would do something like that. After all: You peruse the Technology Liberation Front! I rest my case, your honor.

Prosecutors would love nothing more than to threaten innocent bystanders of the Anonymous hacking collective’s IRC channels with a twenty-year prison sentence through a RICO-linked CFAA violation. They can always plea bargain their victims down to a few years’ sentence—and flex their “tough on cybercrime” muscles while throwing “members” of the “cyberterrorist Anonymous group” in the brig for a while.

If the new White House proposal is applied as haphazardly and aggressively as the CFAA has been in the past, there is a real fear that whitehat hackers’ normal activities—like emailing each other information about password leaks and security vulnerabilities—could be trumped up into criminal convictions for no reason but the zeal of a new foolhardy War on Whatever.

The gradual development of this Cyber Police State would have chilling effects on online collaboration and innovation—and the rest of us would get left in the digital dust.


The President is expected to provide more details about his cybersecurity proposal tonight during his State of the Union address. If the new details provided continue in the poor direction implied by his early remarks, the future of online activity and collaboration will be cast into further uncertainty—and eventual turmoil, should this desire for a stronger Cyber Police State come to be.