Aaron's Law Finally Introduced: Reform The CFAA

from the it's-about-time dept

Today, Zoe Lofgren and Jim Sensenbrenner in the House and Ron Wyden in the Senate introduced "Aaron's Law," an attempt to reform the widely abused CFAA, so that it no longer sweeps up innocent activity.
Vagueness is the core flaw of the CFAA. As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You're not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website's terms of service or employer agreement should face jail time.

So lying about one's age on Facebook, or checking personal email on a work computer, could violate this felony statute. This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation. Millions of Americans — whether they are of a digitally native or dial-up generation — routinely submit to legal terms and agreements every day when they use the Internet. Few have the time or the ability to read and completely understand lengthy legal agreements.
The proposal tries to focus the law back to where it was intended when initially put in place:
It establishes a clear line that's needed for the law to distinguish the difference between common online activities and harmful attacks.
Among those specific lines, it notes that a "mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA." It also makes the penalties more reasonable, so people aren't facing many years in jail for doing something minor. It's well past due that the CFAA get fixed. Hopefully this is a start down that path.

Filed Under: aaron swartz, aaron's law, cfaa, cfaa reform, jim sensenbrenner, ron wyden, zoe lofgren


Reader Comments


  • Anonymous Coward, 20 Jun 2013 @ 2:48pm

    Shouldn't we use the CFAA to go after the NSA first, and then fix it? I mean they are accessing my data without prior authorization from me. Huh what's that? I gave them authorization? But I'm a foreigner dammit!

    • ChrisH, 20 Jun 2013 @ 3:23pm

      Re:

      The CFAA isn't about data, it's about systems. If they get it over the wire or your data is on a third party's system which has a deal with the NSA you're out of luck. It's a moot point anyway since as a governmental agency, the NSA has much immunity on paper and near total immunity in practice. Look at the TSA, they simply ignored court orders without consequence. Government agencies are totally immune from the courts. Congress are the only ones that can do anything.

  • This comment has been flagged by the community.
    out_of_the_blue, 20 Jun 2013 @ 2:54pm

    "a digitally native or dial-up generation"???

    That in a paragraph saying will correct vagueness? I guess to replace it with nonsense?

    "As a result, prosecutors can take the view that a person who violates a website's terms of service or employer agreement should face jail time." -- Maybe, but they don't. The Swartz case was not only one of the rare ones brought forward, but far better based than that.

    I've already given my view that Aaron Swartz is no hero by sneaking into a closet to download files just on a whim to "liberate" data. But there's obviously a contingent who think he is. -- Even Alex Jones!

    • Bergman, 20 Jun 2013 @ 3:05pm

      Re: "a digitally native or dial-up generation"???

      Swartz didn't violate any laws, but he got the full might of the DoJ coming down on him anyway. The people who were supposedly his victims didn't think he'd committed a crime either.

      • PRMan, 20 Jun 2013 @ 9:01pm

        Re: Re: "a digitally native or dial-up generation"???

        Well, copying public domain documents from behind an illegal government paywall back into the public domain shouldn't be a crime in any universe. Yet, here we are.

    • That One Guy, 20 Jun 2013 @ 3:08pm

      Re: "a digitally native or dial-up generation"???

      Well if they would never go after someone for such minor things, then they should have no objection at all with fine-tuning the language to make such actions completely, and reasonably, legal now, should they?

    • S. T. Stone, 20 Jun 2013 @ 3:29pm

      Re: "a digitally native or dial-up generation"???

      > Maybe, but they don't.

      Except Aaron Swartz did face jail time. He committed suicide because he faced an inordinate amount of jail time that in no way reflected the seriousness of his crime (or lack thereof).

      He faced that jail time because an overzealous prosecutor used the CFAA to hang the threat of decades of jail time over Swartz's head.

      The rarity of such cases doesn't matter. The innocence or guilt of Swartz doesn't matter. An equitable judicial process that protects the innocent and hands out appropriate and fair punishments to the guilty matters.

      The CFAA as it stands today allows prosecutors to threaten people with decades behind bars for something as simple as sharing a Facebook password. Any legislature worth a damn would (and should) see this law as ripe for potential abuse and do whatever it could to correct it.

      Or would you prefer to spend twenty years behind bars because you accidentally logged into someone's Facebook account after they left it "open" on your computer?

      • ChrisH, 20 Jun 2013 @ 3:47pm

        Re: Re: "a digitally native or dial-up generation"???

        Unfortunately prosecutors and police threaten innocent people all the time so I don't know how much a reformed CFAA would change that. Perhaps stronger penalties built into the law for malicious prosecution? Maybe we need to look at issues such as prosecutorial discretion or the grand jury process. Also reducing the size of some of these private institutions would limit the pressure they can apply to the legal process.

        • S. T. Stone, 20 Jun 2013 @ 3:52pm

          Re: Re: Re: "a digitally native or dial-up generation"???

          That'd take a hell of a lot of time, effort, and money.

          Fixing the CFAA to make it harder (if not near-impossible) for prosecutors to bring charges against people for something as innocuous as a couple sharing each other's passwords would make for a good starting point, though.

          • ChrisH, 21 Jun 2013 @ 1:09am

            Re: Re: Re: Re: "a digitally native or dial-up generation"???

            I think you need that as a long term solution, because no matter what a particular law says, prosecutors are always free to bring charges, even if they have no chance of getting a conviction. Often the charges are enough to force a defendant to cut a deal, or worse.

            • S. T. Stone, 21 Jun 2013 @ 4:00am

              Re: Re: Re: Re: Re: "a digitally native or dial-up generation"???

              To wit: Aaron Swartz.

    • Anonymous Coward, 21 Jun 2013 @ 8:10am

      Re: "a digitally native or dial-up generation"???

      He wasn't a hero, true.

      But he wasn't a criminal either. You normally go after people with the full force of the law because they aren't heroes?

  • TheLastCzarnian, 20 Jun 2013 @ 2:54pm

    Coincidence?

    Isn't it odd that the NSA info comes out at the same time that the government becomes more reasonable about IP? I'm sure it's just a coincidence...

  • Anonymous Coward, 20 Jun 2013 @ 2:56pm

    Does this fix the TOS violation issue?

    If someone puts a false age in a facebook signup form, isn't that circumventing a technological measure designed to exclude unauthorized individuals from obtaining information?
    This text seems to be the same sort of thing as before. I thought Zoe had something better in mind.

    • Anonymous Coward, 20 Jun 2013 @ 3:00pm

      Re: Does this fix the TOS violation issue?

      She did start with something better. Here's the text in her original draft. It needs to be put back in:


      Section 1030(e)(6) of title 18, United States Code, is amended by striking ''alter;'' and inserting the following: ''alter, but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;''

      • Anonymous Coward, 20 Jun 2013 @ 3:20pm

        Re: Re: Does this fix the TOS violation issue?

        Also, changing parameters in a URL should not be a crime, even if it allows access to other people's private data.

        (However the company that had such a lousy system should be liable for failing to protect customer private data).

        • ChrisH, 20 Jun 2013 @ 3:35pm

          Re: Re: Re: Does this fix the TOS violation issue?

          I think a distinction needs to be made between changing a few things in a URL to visit a new "public" page and feeding information in which is known to cause a buffer overflow or SQL injection. I'm not sure exactly how you would word it. Intent probably needs to be a factor.

  • ChrisH, 20 Jun 2013 @ 3:12pm

    Has any CFAA prosecution ever obtained a conviction for terms of service?

    Digital rights reforms are far more urgent since the public has been almost entirely convinced that they don't own what they buy. Even if it isn't written that way legally, DRM gives companies the power to achieve it in practice, and what is widely practiced tends to become the law. In other words, if people stop acting like they own things, for example allowing secondary markets for software and music to dry up, it will be easier for judges and legislatures to forget that these personal property rights ever existed.

  • Anonymous Coward, 20 Jun 2013 @ 3:13pm

    What boggles my mind is that the CFAA hasn't been struck down by the courts as unconstitutionally vague.

  • Anonymous Coward, 20 Jun 2013 @ 3:18pm

    The party of stupid will be sure not to support this. If one side is for it, in this day of totally inept legislation, the other is against it.

    • CK20XX, 20 Jun 2013 @ 3:40pm

      Re:

      I don't know what they have to say
      It makes no difference anyway
      Whatever it is... I'm against it!
      No matter what it is or who commenced it
      I'm against it!

      Your proposition may be good
      But let's have one thing understood
      Whatever it is... I'm against it!
      And even when you've changed it or condensed it
      I'm against it!

      I'm opposed to it
      On general principle, I'm opposed to it.

      He's opposed to it
      In fact, indeed, that he's opposed to it!

      For months before my son was born
      I used to yell from night to morn
      Whatever it is... I'm against it!
      And I've kept yelling since I first commenced it
      I'm against it!

  • This comment has been flagged by the community.
    Anonymous Coward, 20 Jun 2013 @ 8:10pm

    Hi Mike,

    What's the point of pretending like you can keep me off of TD when you make a living out of ridiculing others who pretend like they can block people from doing what they want on the internet?

    Seriously. I know you see the irony. But what's the point? I post whatever I want, whenever I want. Your attempts to censor me are completely, 100% laughable and stupid.

    Let me ask you this... Why do you, a man who pretends like he loves anonymity and freedom on the internet, make a point to block TOR IP addresses whenever they are used to criticize you?

    Seriously. Are you so ashamed and insecure that you have to block TOR, the tool of freedom fighters who rage against dictators, to stop me from criticizing you?

    Are you so scared of criticism that you think it's worth it to block TOR exit nodes rather than receive any criticism whatsoever?

    You're just like China. And you fucking know it.

    You are doing whatever you can to censor those who challenge you. Just like China. And you fucking know it.

    Toodles!

    • Anonymous Coward, 20 Jun 2013 @ 8:16pm

      Re:

      Fucking irrelevant asshole. Go have yourself an aneurysm.

    • Anonymous Coward, 21 Jun 2013 @ 2:34am

      Re:

      There's no irony. Mike posts articles rightly ridiculing people who use censorship to stop innovation. Your false accusations are harassment, and not innovative in any way.

      If you were an honest person, your posts of "whatever I want, whenever I want" would be posts that add to the discussion, not taunts and cowardly accusations.

      Blocking juvenile, immature morons who lie, slander and harass without legitimate reason is NOT censorship.

      You're in the wrong. And you fucking know it.

  • This comment has been flagged by the community.
    Anonymous Coward, 20 Jun 2013 @ 8:21pm

    That's right, folks! As soon as Mike realizes that a TOR IP address is being used to criticize him--not for spam, mind you, but only for the purpose of criticizing Mike--he immediately blocks that TOR IP address from being able to post on Techdirt.

    That's right. Mr. Mike "Internet Freedom and Anonymity" Masnick is so scared of personal criticism that he'd rather block a TOR exit node--the tool of dissidents who criticize their oppressors--rather than leave the TOR IP address open to those who may want to criticize him or others on Techdirt.

    Protector of freedom on the internet? You decide. His actions are just like those of an insecure dictator, and he knows it. Mike is just like China, feverishly oppressing those who dare to speak out against him.

    • Anonymous Coward, 20 Jun 2013 @ 8:25pm

      Re:

      I like that you are spamming a denial that you are spamming. The dissonance is staggering.

    • martyburns, 21 Jun 2013 @ 5:25am

      Re:

      I might be wrong, but can't a TOR exit node be any possible IP address? Anyone can run an exit node right?

  • This comment has been flagged by the community.
    Anonymous Coward, 20 Jun 2013 @ 8:37pm

    See the link that Mike is so ashamed of that he's trying to censor it--just like a Chinese dictator: http://pastebin.com/5VUv7utm

    • btr1701, 20 Jun 2013 @ 8:45pm

      Re:

      > See the link that Mike is so ashamed of that he's trying
      > to censor it

      Wow. You are seriously exhibiting signs and symptoms of an Axis II personality disorder.

      • David Johnston, 20 Jun 2013 @ 8:57pm

        Re: Re:

        And using TOR. Maybe he's Seamus.

        Meanwhile, on the original topic: if you ask me, violating the CFAA should require fraudulently obtaining and using, or fraudulently bypassing the check for, an access credential such as a password. Merely accessing a service's public interface shouldn't qualify. Gaining privilege on the server by exploiting a bug, or running a dictionary attack on password hashes to log in as someone else, those are the things the law is supposed to be about.

    • Anonymous Coward, 21 Jun 2013 @ 2:20am

      Re:

      You'd have to have a right to actually post here for it to be censorship. You don't have that right. It's a private site.

  • Anonymous Coward, 20 Jun 2013 @ 10:31pm

    Aaron Swartz didn't commit suicide. He was killed after being targeted. I am also targeted. As a little message, these people hung him on my birthday. There are some psychopathic monsters in our government who feel justified killing anyone for any reason.

    • Anonymous Coward, 21 Jun 2013 @ 5:58am

      Re:

      There are medications that can help you. Please search them out as you are obviously a delusional whackjob.

  • horse with no name, 21 Jun 2013 @ 12:56am

    Not really a change

    I think that changing the wording likely won't change much, except to give hackers even more leeway to claim defenses based on stretching the terms.

    The current law is pretty straight - if you aren't supposed to access it, don't access it.

    Reducing the penalties and giving hackers more outs to work with is NOT a good change to the law. It would appear that this is mostly the usual grandstanding political types using Aaron's death for political advantage and points. That is sad.

  • ethorad, 21 Jun 2013 @ 1:11am

    CFAA + NSA surveillance = bad news

    Something struck me.

    The CFAA says things such as checking personal email at work, or presumably reading non-work related websites at work (as I'm doing just now - but shhhhh) could mean jail time.

    Never mind the size of your lobsters, ever made a personal phonecall from work?

    Still think you have nothing to hide?

  • Anonymous Coward, 21 Jun 2013 @ 1:12am

    what is so annoying is that this sort of screw up seems to be done intentionally. whenever a new law comes in, it is always with the vaguest of terms and the most unclear language. it seems as if until something extreme happens, everyone in Congress is quite happy to have a law, whatever it may be concerning, left as open as possible, so that as many idiotic options are covered. laws are meant to do specific things. they are not meant to be blankets covering a multitude of sins. if more laws are needed, so be it but be exact with the ones brought in so everyone, Congress included, know what each one is for! this man took his own life because of the pathetic way the CFAA was written and then left! it was definitely the wrong thing to do but think about what the alternative scenario could have been. someone, one of the brightest brains in the US pursued by a DA not because of the outrageous crime he had committed but because the option was there and she took it, rather than being sensible, because she saw the opportunity of personal advancement in her career, and then if convicted or striking a deal, perhaps thrown into prison for the most ridiculous of reasons.
    Congress need to sit back a bit and think what they have been doing, think about what they are going to do and how they are going to do it before enacting. they have made a lot of mistakes, some intentionally, but it isn't them that suffer. it needs to stop now!!
