Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers
from the someone-buy-these-senators-a-clue dept
Yesterday, we wrote about an important new bill, Aaron's Law, from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It's a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you're unaware, the CFAA is supposed to be a law to be used against people doing malicious hacking, but the wording is so broad and problematic, it has been used against people for merely violating the terms of service on a website, or someone using a work computer for non-work-related items -- which could lead to excessively long jail terms. The reason Aaron's Law is named that is because of Aaron Swartz, the guy that Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR -- despite the fact that he did so on the MIT campus where the campus had a site license that allowed anyone on their network to download all the JSTOR papers.As we noted in our post, there are still some who are pushing in the other direction -- and they didn't waste much time. The very same day that Aaron's Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a "We Should Have Threatened Aaron With More Years In Jail" Act. Okay, technically it's called the Data Breach Notification and Punishing Cyber Criminals Act -- and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither link to it, and Congress's website has a placeholder saying that it hasn't received the actual text yet either. Hopefully that will change soon.*
It's bizarre that they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone's focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a "throw in." The quotes, however, on this part of the bill are ridiculous. Here's Senator Kirk's press release:
This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims.And Senator Gillibrand's:
The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud.It's the whole "obtaining information from a protected computer without authorization" that is a serious concern here, as that's part of what's been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used repeatedly for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in time from crazily high to insanely high isn't going to change a damn thing. And if these two Senators can't understand that, they shouldn't be touching the CFAA at all.
* As an aside, it's plainly ridiculous for anyone to announce a new bill without releasing the actual text. Even more ridiculous: in searching for the text of the actual bill on both Senators websites, I note that the very first item highlighted on Senator Gillibrand's website is "Transparency" where it says "Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results." Well, you know what might helps with that transparency? If you actually release the text of the bills you're introducing when you introduce them so that people can take a look at them.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: aaron swartz, cfaa, cfaa reform, hacking, kirsten gillibrand, mark kirk
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Tough Times ahead, then
[ link to this | view in thread ]
[ link to this | view in thread ]
Data breach notifications are the wrong solution
[ link to this | view in thread ]
Re: Tough Times ahead, then
[ link to this | view in thread ]
Shadow laws
Right?!?
[ link to this | view in thread ]
Rest of the story: by sneaking into a closet, without paying MIT fees.
[ link to this | view in thread ]
Rest of the story: by sneaking into a closet, without paying MIT fees.
Key facts needed to understand why Swarz was charged. He went to some trouble to get indicted, wasn't out of the blue.
[ link to this | view in thread ]
[ link to this | view in thread ]
this is exactly the sort of thing that Senators think they should be doing, putting people in prison for minor law breaking, but for longer terms. it's about time USA citizens woke up and realised what sort of nation it is becoming, one where the security forces are only there to do what they want and the bidding of some politicians. it never dawns on anyone until they are actually in the position of being accused of something. by then it's too late!
[ link to this | view in thread ]
what is the bill
[ link to this | view in thread ]
Wyden
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: what is the bill
[ link to this | view in thread ]
[ link to this | view in thread ]
Offending against the CFAA
If it is reasonable to expect that they or their staff (or even families) to have offended against the CFAA, then arrange for charges to be laid against them, their staff or families. We will then see how long it takes for them to change their minds.
Of course, they could be like the local staff at my local representative and see no problem with themselves being charge and imprisoned based solely on accusation. But then I did find their stance appeared to be based on their fear of the bogey man.
[ link to this | view in thread ]
American Justice phtt: No such thing.
It's all about money and power. See http://www.vox.com/2014/4/11/5581272/doom-loop-oligarchy
[ link to this | view in thread ]
Re: what is the bill
[ link to this | view in thread ]
Transparency
Senator Gillibrand understands that to be a good liar, the first thing to do is pretend that you're a big believer in truth.
[ link to this | view in thread ]
Re: what is the bill
[ link to this | view in thread ]
Oh come on.
This is not about preventing injustice. It is about giving the DoJ more ammunition to keep the populace at bay.
If you want to see how this works, compare Snowden with Petraeus. One alerted the American public to ongoing crimes against the Constitution, the other, in a position of power, traded state secrets for sex and an embellishment of his autobiography. Guess who of the two is now state enemy number one and who got away with probation?
Since the government has a lot of secrets to hide from its employer, the people, you can bet your sweet ass that the principal application of these laws will be to fight democracy and to punish people who expose government crimes, particularly those committed in cahoots with corporate and military crime lords.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Anti-Aaron's Law
I would ask everyone to call their offices--Help flood the offices of Senators Kirsten Gillibrand (212-688-6262) and Mark Kirk (202-224-2854)--to protest the introduction of the anti-Aaron's Law bill.
[ link to this | view in thread ]
Re: Offending against the CFAA
[ link to this | view in thread ]
Re: Anti-Aaron's Law
By Mr. KIRK (for himself and Mrs. Gillibrand):
S. 1027. A bill to require notification of information security
breaches and to enhance penalties for cyber criminals, and for other
purposes; to the Committee on Commerce, Science, and Transportation.
Mrs. GILLIBRAND. Mr. President, I rise to speak about two bipartisan
bills that would help to modernize the way this country approaches
cyber security.
Congress needs to get with the times and realize that the Internet is
no longer a new concept. Swiping a credit card, conducting online
banking, storing prescription records online--these are not new
activities. The cloud is no longer new. Hackers are no longer new. So
why are we still so taken aback, in shock, every time we suffer another
major cyber attack? Why are we still not requiring that consumers be
notified when their information has been stolen? Why aren't we
unleashing law enforcement to go after cyber criminals?
If we want to defend against 21st-century threats, then we have to
bring our laws into the 21st century. We have to get out of the mindset
that the only way we can be hurt is from an actual physical attack.
Hackers don't operate on battlefields; they operate in basements and in
cubicles.
Our approach to cyber security so far has been certifiably wrong. We
have the largest defense budget in the world by far, but that hasn't
stopped our hospitals and banks from falling victim to a near constant
barrage of attacks. Last year, data breaches in this country hit a
record high; they were up more than 27 percent from the year before. In
New York State, between 2006 and 2013, we had nearly 5,000 individual
data breaches that were reported by businesses, not-for-profits, and
government entities. In the same period, 23 million personal records of
New Yorkers were exposed to criminals. And that is just my home State.
Imagine how big that number actually is nationwide.
We are long overdue for a new national approach to cyber security,
and I am introducing two bills that would finally make this happen. The
first is the Data Breach Notification and Punishing Cyber Criminals
Act. It would set, for the first time, a national standard for how and
when victims of cyber attacks will be informed. When an attack takes
place on a business, for example, one that has your financial data or
medical information, this law would require that you be informed
quickly, with information about what was targeted, what was taken, and
whether you were personally affected. This bill would seriously
increase the penalties on people found guilty of hacking and cyber
crime. It would raise the allowable fines and imprisonment sentences
for many of the most common cyber crimes, including identity theft and
theft of personal information.
The second bill is the Cybersecurity Information Sharing Credit Act--
a bill that would incentivize America's businesses to share cyber
security information critical to preventing attacks, without having to
involve their competitors. Instead, businesses would be encouraged,
with significant tax credits, to adopt the preferred, most efficient
method for information sharing; that is, membership in private, sector-
specific cyber security networks designed to protect an industry, such
as health care and hospitals, from attack. At the individual level,
companies, hospitals, and banks can only do so much to protect us. Any
good cyber defense has to involve information sharing so that patterns
can be recognized, industries can bolster their defenses, and the same
hacks aren't just repeated over and over again.
To modernize America's approach to cyber security, we as individuals
have to take action, companies have to take action, law enforcement has
to take action, and local governments must take action. Most
importantly and most urgently, Congress has to take action. We
desperately need to modernize our cyber security laws. I urge my
colleagues to support these two bills.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Rest of the story: by sneaking into a closet, without paying MIT fees.
Prosecutors love to get people like you on their grand juries; you're incapable of distinguishing ad hominem from facts relevant to the actual charges.
[ link to this | view in thread ]
Re: Anti-Aaron's Law
[ link to this | view in thread ]
Shadow laws, Shadow interpretations, Shadow courts
Kinda like when the villain kills a minion for failure or kills a traitor or spy in a particularly heinous way to show how evil he is. Piranha tanks, jet engines, decompression chambers, industrial machinery. That sort of thing.
[ link to this | view in thread ]
Actually the CFAA is supposed to stop David Lightman from playing a game
Wouldn't you prefer a good game of chess?
[ link to this | view in thread ]
Its what it did not say, that counts.
And as astounding as this may sound, this is absolutely true.
The senator knows for a fact that openness and transparency would lead to accountability and better results.
This apparent truth is known as a lie by omission.
The statement simply fails to mention that he and his political friends are all more than willing to go to almost any lengths to prevent that career killing accountability and to insure that anything that leads to better results for the American People is limited to only those Americans in his circle of rich friends and cronies, and their corporate partners and bosses.
---
[ link to this | view in thread ]
Re:
Too true. He used an unauthorized network for peaceful purposes, against his employer's expressed wishes.
So lets charge anyone who does such horrible, heinous things, as use an unauthorized network for peaceful purposes against his employer's wishes, with 100 years of incarceration among horny, bisexual, career criminals, and add on as many other false but frightening criminal charges as we can find, in order to get the perp to admit to the lesser charges of raping the President's pet sheep repeatedly and assassinating 200 imaginary first graders in their sleep.
Now that's real American Justice in action.
Meanwhile General Patreaus walks.
---
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Anti-Aaron's Law
[ link to this | view in thread ]
They're really feeds when it's your family
[ link to this | view in thread ]