Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers

from the someone-buy-these-senators-a-clue dept

Thu, Apr 23rd 2015 12:40pm — Mike Masnick

Yesterday, we wrote about an important new bill, Aaron's Law, from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It's a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you're unaware, the CFAA is supposed to be a law to be used against people doing malicious hacking, but the wording is so broad and problematic, it has been used against people for merely violating the terms of service on a website, or someone using a work computer for non-work-related items -- which could lead to excessively long jail terms. The reason Aaron's Law is named that is because of Aaron Swartz, the guy that Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR -- despite the fact that he did so on the MIT campus where the campus had a site license that allowed anyone on their network to download all the JSTOR papers.

As we noted in our post, there are still some who are pushing in the other direction -- and they didn't waste much time. The very same day that Aaron's Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a "We Should Have Threatened Aaron With More Years In Jail" Act. Okay, technically it's called the Data Breach Notification and Punishing Cyber Criminals Act -- and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither link to it, and Congress's website has a placeholder saying that it hasn't received the actual text yet either. Hopefully that will change soon.*

It's bizarre that they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone's focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a "throw in." The quotes, however, on this part of the bill are ridiculous. Here's Senator Kirk's press release:

This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims.

And Senator Gillibrand's:

The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud.

It's the whole "obtaining information from a protected computer without authorization" that is a serious concern here, as that's part of what's been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used repeatedly for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in time from crazily high to insanely high isn't going to change a damn thing. And if these two Senators can't understand that, they shouldn't be touching the CFAA at all.

* As an aside, it's plainly ridiculous for anyone to announce a new bill without releasing the actual text. Even more ridiculous: in searching for the text of the actual bill on both Senators websites, I note that the very first item highlighted on Senator Gillibrand's website is "Transparency" where it says "Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results." Well, you know what might helps with that transparency? If you actually release the text of the bills you're introducing when you introduce them so that people can take a look at them.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: aaron swartz, cfaa, cfaa reform, hacking, kirsten gillibrand, mark kirk

39 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 23 Apr 2015 @ 12:57pm

As we have learned from our current drug policy, longer mandatory jailtime has been applied fairly, and done wonders for the number of addicts in the US.
[ link to this | view in chronology ]
Peter (profile), 23 Apr 2015 @ 12:59pm

Tough Times ahead, then
... for the NSA?
[ link to this | view in chronology ]
- Anonymous Coward, 23 Apr 2015 @ 1:19pm
  
  Re: Tough Times ahead, then
  They control the DOJ though, so who exactly would prosecute them?
  [ link to this | view in chronology ]
Ed, 23 Apr 2015 @ 1:05pm

Well unauthorized access to computers is punishable, NSA by that standard, are the biggest criminals ever, by those standards.
[ link to this | view in chronology ]
Anonymous Coward, 23 Apr 2015 @ 1:14pm

Data breach notifications are the wrong solution
Data breaches are usually not the issue, and notifications are almost never the right solution. The right solution is to provide ways to mitigate the damage caused by a breach and to make information obtained from the breach not useful to the unauthorized parties. For example, establish in law that knowing a name+SSN is not proof that you are that person. Back it up by publishing the name+SSN pair of every person.
[ link to this | view in chronology ]
Almost Anonymous, 23 Apr 2015 @ 1:20pm

Shadow laws
* As an aside, it's plainly ridiculous for anyone to announce a new bill without releasing the actual text.
Almost as ridiculous as having a secret "alternate interpretation" of an existing law that nobody is allowed to know about. But that would never happen, right?

Right?!?
[ link to this | view in chronology ]
- Uriel-238 (profile), 26 Apr 2015 @ 10:52am
  
  Shadow laws, Shadow interpretations, Shadow courts
  In the 1970s, 80s and 90s eras of cyberpunk near-future sci-fi, these things were the clear indicators that you lived in a dystopia, much like secret police and SWAT raids were the hallmarks of a Soviet-Union-style tyranny.
  
  Kinda like when the villain kills a minion for failure or kills a traitor or spy in a particularly heinous way to show how evil he is. Piranha tanks, jet engines, decompression chambers, industrial machinery. That sort of thing.
  [ link to this | view in chronology ]
Anonymous Coward, 23 Apr 2015 @ 1:26pm

Rest of the story: by sneaking into a closet, without paying MIT fees.
Key facts needed to understand why Swarz was charged. He went to some trouble to get indicted, wasn't out of the blue.
[ link to this | view in chronology ]
Anonymous Coward, 23 Apr 2015 @ 1:28pm

Rest of the story: by sneaking into a closet, without paying MIT fees.
And to "liberate" data.

Key facts needed to understand why Swarz was charged. He went to some trouble to get indicted, wasn't out of the blue.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Apr 2015 @ 5:51am
  
  Re: Rest of the story: by sneaking into a closet, without paying MIT fees.
  1. Harvard students are allowed access to MIT's networks without paying additional fees. 2. Sneaking into a networking closet is not a felony, and the state charges related to that were dropped. 3. Swartz made no indications of his intent with the JSTOR papers; you're just speculating. Since the Constitution forbids prior restraint, he was not charged with any crimes related to intending to release the papers publicly, but rather with crimes somewhat related to his accessing of JSTOR computers and MIT networks. JSTOR settled with Swartz out of court, but MIT and the DOJ decided to to make an example of him.
  
  Prosecutors love to get people like you on their grand juries; you're incapable of distinguishing ad hominem from facts relevant to the actual charges.
  [ link to this | view in chronology ]
Patrick, 23 Apr 2015 @ 1:38pm

Called Kirks office as a constituent to let him know I oppose it, but I doubt that will stop him.
[ link to this | view in chronology ]
Anonymous Coward, 23 Apr 2015 @ 1:40pm

' they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues'

this is exactly the sort of thing that Senators think they should be doing, putting people in prison for minor law breaking, but for longer terms. it's about time USA citizens woke up and realised what sort of nation it is becoming, one where the security forces are only there to do what they want and the bidding of some politicians. it never dawns on anyone until they are actually in the position of being accused of something. by then it's too late!
[ link to this | view in chronology ]
STJ, 23 Apr 2015 @ 1:57pm

what is the bill
"it's plainly ridiculous for anyone to announce a new bill without releasing the actual text." This is what they did with Obamacare and it had no issues passing. You have to pass it before you know what is in it.
[ link to this | view in chronology ]
- Anonymous Coward, 23 Apr 2015 @ 2:35pm
  
  Re: what is the bill
  No, it's not what they did with Obamacare. It was mainly written by Romney and enacted in his state first. Did you forget that while you were busy playing the "Thanks Obama" card?
  [ link to this | view in chronology ]
- James Burkhardt (profile), 23 Apr 2015 @ 4:10pm
  
  Re: what is the bill
  The affordable care act was released when announced. You are conflating the (errornous) debate that no one READ the bill with the issue of announcing a bill to the news that the news (and congress) haven't received yet.
  [ link to this | view in chronology ]
- PaulT (profile), 24 Apr 2015 @ 12:56am
  
  Re: what is the bill
  It's sad how many people actually believe this. It just goes to show, get a bunch of angry morons and a handy out-of-context quote, and you can get people railing against their own healthcare.
  [ link to this | view in chronology ]
Spaceman Spiff (profile), 23 Apr 2015 @ 2:19pm

Wyden
Too bad he voted to push forward TPP. Can we spell hypocrite? Let's see - 'h' 'y' 'p' 'o' 'c' 'r' 'i' 't' 'e'. Yep, that about does it.
[ link to this | view in chronology ]
Ed, 23 Apr 2015 @ 2:21pm

Sad it's easier to buy a politician than a book.
[ link to this | view in chronology ]
Padpaw (profile), 23 Apr 2015 @ 2:37pm

Any guesses on how many are exempted from this new bill. No doubt the senators themselves are above this law they want pushed on everyone else. probably any other government officials not including whistleblowers, the police, the courts and anyone that can buy their way out of their crimes.
[ link to this | view in chronology ]
eye sea ewe, 23 Apr 2015 @ 2:51pm

Offending against the CFAA
Question: How likely is it for either/both of these Senators or their staff to have offended the CFAA?

If it is reasonable to expect that they or their staff (or even families) to have offended against the CFAA, then arrange for charges to be laid against them, their staff or families. We will then see how long it takes for them to change their minds.

Of course, they could be like the local staff at my local representative and see no problem with themselves being charge and imprisoned based solely on accusation. But then I did find their stance appeared to be based on their fear of the bogey man.
[ link to this | view in chronology ]
- Uriel-238 (profile), 24 Apr 2015 @ 6:20pm
  
  Re: Offending against the CFAA
  Little girls with Facebook accounts?
  [ link to this | view in chronology ]
Pronounce (profile), 23 Apr 2015 @ 3:06pm

American Justice phtt: No such thing.
American law is predicated on the myth of an egalitarian system. Since the elite demonstrate by their actions they are above the law we have nothing like "justice for all" in this country.

It's all about money and power. See http://www.vox.com/2014/4/11/5581272/doom-loop-oligarchy
[ link to this | view in chronology ]
Anonymous Coward, 23 Apr 2015 @ 4:22pm

Transparency
"Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results."

Senator Gillibrand understands that to be a good liar, the first thing to do is pretend that you're a big believer in truth.
[ link to this | view in chronology ]
David, 24 Apr 2015 @ 3:15am

Oh come on.
If you were serious about prosecuting unauthorized access, you'd not have let the FBI spy on staffers' computers and remove files from them without consequence.

This is not about preventing injustice. It is about giving the DoJ more ammunition to keep the populace at bay.

If you want to see how this works, compare Snowden with Petraeus. One alerted the American public to ongoing crimes against the Constitution, the other, in a position of power, traded state secrets for sex and an embellishment of his autobiography. Guess who of the two is now state enemy number one and who got away with probation?

Since the government has a lot of secrets to hide from its employer, the people, you can bet your sweet ass that the principal application of these laws will be to fight democracy and to punish people who expose government crimes, particularly those committed in cahoots with corporate and military crime lords.
[ link to this | view in chronology ]
Just Another Anonymous Troll, 24 Apr 2015 @ 5:18am

Somebody should set up a computer terminal at the Capitol building with a "Please do not use" sign on it. When a Congresscritter (preferably a supporter of this crap) uses it, the terminal drops him into a prison for 40 years, strips him of his voting and gun rights, and brands him with a scarlet H for Hacker. Problem solved.
[ link to this | view in chronology ]
Kionae (profile), 24 Apr 2015 @ 7:01am

I'm very disappointed to see this coming from Senator Kirk. On the whole, he's been more palatable than our other Illinois senator (Durbin), but his support for this actually surprises me.
[ link to this | view in chronology ]
Susan Swartz, 24 Apr 2015 @ 9:52am

Anti-Aaron's Law
Thank you for publicizing this attempt by my own Senator Mark Kirk and Senator Kirsten Gillebrand to propose an anti Aaron's Law bill. As the mother of Aaron Swartz, I am highly offended by this grandstanding attack on a legitimate bill already introduced. They are on the wrong side of this issue and should be working with their colleagues to reduce CFAA penalties!
I would ask everyone to call their offices--Help flood the offices of Senators Kirsten Gillibrand (212-688-6262) and Mark Kirk (202-224-2854)--to protest the introduction of the anti-Aaron's Law bill.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Apr 2015 @ 6:17am
  
  Re: Anti-Aaron's Law
  I agree that the penalties are already severe enough, if not too severe. Reducing penalties is a tough sell, though, especially to the computer-illiterate folks on the warpath against "teenaged hackers". I think also it is going to be difficult because the kind of situations the CFAA and wire fraud laws were supposed to be for are things like espionage, embezzlement, and bank robbery. In that light, some people think no punishment is harsh enough.
  [ link to this | view in chronology ]
  - Uriel-238 (profile), 26 Apr 2015 @ 10:57am
    
    Actually the CFAA is supposed to stop David Lightman from playing a game
    And finding backdoors to NORAD simulation mainframes in order to do so.
    
    Wouldn't you prefer a good game of chess?
    [ link to this | view in chronology ]
- yardra, 28 Apr 2015 @ 9:27am
  
  Re: Anti-Aaron's Law
  I called both of them.
  [ link to this | view in chronology ]
Kent, 25 Apr 2015 @ 4:21am

Re: Anti-Aaron's Law
Comments from the Congressional Record:

By Mr. KIRK (for himself and Mrs. Gillibrand):
S. 1027. A bill to require notification of information security
breaches and to enhance penalties for cyber criminals, and for other
purposes; to the Committee on Commerce, Science, and Transportation.
Mrs. GILLIBRAND. Mr. President, I rise to speak about two bipartisan
bills that would help to modernize the way this country approaches
cyber security.
Congress needs to get with the times and realize that the Internet is
no longer a new concept. Swiping a credit card, conducting online
banking, storing prescription records online--these are not new
activities. The cloud is no longer new. Hackers are no longer new. So
why are we still so taken aback, in shock, every time we suffer another
major cyber attack? Why are we still not requiring that consumers be
notified when their information has been stolen? Why aren't we
unleashing law enforcement to go after cyber criminals?
If we want to defend against 21st-century threats, then we have to
bring our laws into the 21st century. We have to get out of the mindset
that the only way we can be hurt is from an actual physical attack.
Hackers don't operate on battlefields; they operate in basements and in
cubicles.
Our approach to cyber security so far has been certifiably wrong. We
have the largest defense budget in the world by far, but that hasn't
stopped our hospitals and banks from falling victim to a near constant
barrage of attacks. Last year, data breaches in this country hit a
record high; they were up more than 27 percent from the year before. In
New York State, between 2006 and 2013, we had nearly 5,000 individual
data breaches that were reported by businesses, not-for-profits, and
government entities. In the same period, 23 million personal records of
New Yorkers were exposed to criminals. And that is just my home State.
Imagine how big that number actually is nationwide.
We are long overdue for a new national approach to cyber security,
and I am introducing two bills that would finally make this happen. The
first is the Data Breach Notification and Punishing Cyber Criminals
Act. It would set, for the first time, a national standard for how and
when victims of cyber attacks will be informed. When an attack takes
place on a business, for example, one that has your financial data or
medical information, this law would require that you be informed
quickly, with information about what was targeted, what was taken, and
whether you were personally affected. This bill would seriously
increase the penalties on people found guilty of hacking and cyber
crime. It would raise the allowable fines and imprisonment sentences
for many of the most common cyber crimes, including identity theft and
theft of personal information.
The second bill is the Cybersecurity Information Sharing Credit Act--
a bill that would incentivize America's businesses to share cyber
security information critical to preventing attacks, without having to
involve their competitors. Instead, businesses would be encouraged,
with significant tax credits, to adopt the preferred, most efficient
method for information sharing; that is, membership in private, sector-
specific cyber security networks designed to protect an industry, such
as health care and hospitals, from attack. At the individual level,
companies, hospitals, and banks can only do so much to protect us. Any
good cyber defense has to involve information sharing so that patterns
can be recognized, industries can bolster their defenses, and the same
hacks aren't just repeated over and over again.
To modernize America's approach to cyber security, we as individuals
have to take action, companies have to take action, law enforcement has
to take action, and local governments must take action. Most
importantly and most urgently, Congress has to take action. We
desperately need to modernize our cyber security laws. I urge my
colleagues to support these two bills.
[ link to this | view in chronology ]
Richard Bennett (profile), 25 Apr 2015 @ 1:21pm

Aaron Schwartz had no business using the MIT network in the first place. He was working for Lessig at Harvard and could have done his business there. He didn't because Lessig told him not to.
[ link to this | view in chronology ]
- Anonymous Coward, 26 Apr 2015 @ 5:33am
  
  Re:
  And what is that worth? A local misdemeanor trespass or breaking and entering charge at worst—a charge which he actually got and which was dropped. I bet he jaywalked, rode his bike unsafely, and frowned at a small child, too, but I recognize that those things are not felonies, let alone wire fraud or CFAA violations.
  [ link to this | view in chronology ]
- GEMont (profile), 27 Apr 2015 @ 4:23pm
  
  Re:
  "He was working for Lessig at Harvard and could have done his business there. He didn't because Lessig told him not to."
  
  Too true. He used an unauthorized network for peaceful purposes, against his employer's expressed wishes.
  
  So lets charge anyone who does such horrible, heinous things, as use an unauthorized network for peaceful purposes against his employer's wishes, with 100 years of incarceration among horny, bisexual, career criminals, and add on as many other false but frightening criminal charges as we can find, in order to get the perp to admit to the lesser charges of raping the President's pet sheep repeatedly and assassinating 200 imaginary first graders in their sleep.
  
  Now that's real American Justice in action.
  
  Meanwhile General Patreaus walks.
  
  ---
  [ link to this | view in chronology ]
- Anonymous Coward, 27 Apr 2015 @ 10:24pm
  
  Re:
  Oh, look - it's the contrarian trying to make a point!
  [ link to this | view in chronology ]
Anonymous Coward, 25 Apr 2015 @ 8:48pm

Mike, you're an idiot. Please do some research before you start making things about about the CFAA.
[ link to this | view in chronology ]
- Anonymous Coward, 27 Apr 2015 @ 10:23pm
  
  Re:
  Please cite your sources.
  [ link to this | view in chronology ]
GEMont (profile), 27 Apr 2015 @ 4:07pm

Its what it did not say, that counts.
"Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results."

And as astounding as this may sound, this is absolutely true.

The senator knows for a fact that openness and transparency would lead to accountability and better results.

This apparent truth is known as a lie by omission.

The statement simply fails to mention that he and his political friends are all more than willing to go to almost any lengths to prevent that career killing accountability and to insure that anything that leads to better results for the American People is limited to only those Americans in his circle of rich friends and cronies, and their corporate partners and bosses.

---
[ link to this | view in chronology ]
Brenda wirtz, 6 Mar 2016 @ 8:33pm

They're really feeds when it's your family
I hope my brother Aaron Dodge see's this ,The cowherd who is suppose to be Marine I financially supported for almost a year And ALWAYS been they're emotionally I'm going to get the EVIDNC I NEED TO HAVE YPU ARRESTED AND PROSECUTED
[ link to this | view in chronology ]