Aaron's Law Reintroduced To Try To Reform Dangerous, Broken Anti-Hacking Law

from the can-we-get-this-one-done-already? dept

We've written in the past how Rep. Zoe Lofgren and Senator Ron Wyden had introduced "Aaron's Law" (named after Aaron Swartz) as a way to fix the very broken CFAA law, which was used to throw the book at Swartz for downloading too many JSTOR journal articles on MIT's campus (where anyone on the network is allowed to download whatever they want from JSTOR). Swartz later committed suicide, which many blame on the aggressive prosecution against him (I hesitate to join those who do so, as you never know all the factors that went into the decision). Still, the CFAA has long needed a massive overhaul, as the law is frequently abused by law enforcement to threaten massive penalties for rather routine activities on a computer network.

Lofgren and Wyden have now reintroduced Aaron's Law, and this time they've added Senator Rand Paul as a sponsor, which is interesting to see (especially as he courts the tech industry). They also have a nice group of co-sponsors, including Reps. Jim Sensenbrenner, Mike Doyle, Dan Lipinski, Jared Polis and Beto O'Rourke. Here are the three key things the new bill does, according to Lofgren:

• Establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under the strong CFAA provisions this bill does not modify.
• Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.
• Bringing greater proportionality to CFAA penalties. Currently, the CFAA's penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.

Frankly, I'd like to see CFAA reform go even further, but this is a good (and necessary) start. If you agree, you should let your own elected officials know that this is a bill worth supporting. Unfortunately, the White House is pushing a terribly bad update to the CFAA that won't actually fix the problems with it and could make the bill even worse. The DOJ, for example, remains a big fan of the CFAA and would like to see it expanded so it can be used more widely. At the same time, some large tech companies, like Oracle, have worked hard to prevent any significant CFAA reform, because they want to be able to use the law themselves. In other words, meaningful CFAA reform, no matter how strongly needed, is nowhere near a sure thing.

Filed Under: aaron swartz, aaron's law, cfaa, cfaa reform, rand paul, ron wyden, zoe lofgren

CFAA: Still Broken And Congress Is Unlikely To Fix It Any Time Soon

from the your-random-reminder dept

There's been some attention paid to a recent Forbes article that confirms what pretty much everyone has always said: Congress won't move forward with reforming the CFAA. There's nothing particularly new in the article. It's just rehashing things that were hashed out over the past few years: the Computer Fraud and Abuse Act, a very out-of-date law concerning hacking, has been abused mightily for decades, well beyond its intended purpose. It got lots of attention as the law being used against Aaron Swartz, but the abuses started long before that. However, many tech companies, led by Oracle, have fought against reform (in part because they use the threat of the law to keep employees from running off with trade secrets, even though there are other laws for that). At the same time, the DOJ would actually like to make the law even worse.

And, in the simplistic minds of many in Congress, if the big industry associated with the issue and the government don't want the necessary reforms -- even if the public is interested in such reforms -- it's just not worth doing. This doesn't necessarily mean that CFAA reform won't eventually happen, but like ECPA reform, patent reform and other related issues, very little can actually get through Congress these days. So in many cases, in the minds of certain folks in Congress, it's just not worth trying, even if it's the right thing to do.

Filed Under: aaron's law, cfaa, congress, hacking, politics

Aaron's Law Finally Introduced: Reform The CFAA

from the it's-about-time dept

Today, Zoe Lofgren and Jim Sensenbrenner in the House and Ron Wyden in the Senate introduced "Aaron's Law," an attempt to reform the widely abused CFAA, so that it no longer sweeps up innocent activity.

Vagueness is the core flaw of the CFAA. As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You're not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website's terms of service or employer agreement should face jail time.

So lying about one's age on Facebook, or checking personal email on a work computer, could violate this felony statute. This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation. Millions of Americans — whether they are of a digitally native or dial-up generation — routinely submit to legal terms and agreements every day when they use the Internet. Few have the time or the ability to read and completely understand lengthy legal agreements.

The proposal tries to focus the law back to where it was intended when initially put in place:

It establishes a clear line that's needed for the law to distinguish the difference between common online activities and harmful attacks.

Among those specific lines, it notes that a "mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA." It also makes the penalties more reasonable, so people aren't facing many years in jail for doing something minor. It's well past due that the CFAA get fixed. Hopefully this is a start down that path.

Filed Under: aaron swartz, aaron's law, cfaa, cfaa reform, jim sensenbrenner, ron wyden, zoe lofgren

Congress Apparently Uninterested In 'Aaron's Law' To Reform CFAA

from the this-is-a-problem dept

Well, this is rather unfortunate, but perhaps not a surprise. Last week, Politico reported that despite progress on Zoe Lofgren's "Aaron's Law," designed to improve the CFAA, it's unlikely to get any traction in Congress. The CFAA, of course, is the widely abused law that was written decades ago in an attempt to outlaw malicious hacking. The bill was never particularly well-written, and over time as the technology has changed, the CFAA has become wide open to broad interpretations, such that people have faced criminal charges for daring to... disobey a site's terms of service (which they never even read). Aaaron Swartz was charged under the CFAA, hence the reform bill is being called "Aaron's Law." But, even with all the attention that Aaron got, Congress isn't interested yet.

The article doesn't suggest the idea is dead, just that it doesn't have nearly enough support. Part of the reason is that the White House and the DOJ haven't said a word about it -- but, really, is that all that surprising given the complaints they've been receiving about US Attorney Carmen Ortiz's use of the CFAA in the Swartz case? But, even within Congress, the key people who are needed to support the bill have basically said they have more important things to deal with right now. And while there are other important bills on the table, it's a big mistake to not update the CFAA before it is abused again.

Filed Under: aaron swartz, aaron's law, cfaa, cfaa reform, congress, reform