"Aaron's Law," to amend the CFAA, introduced in Congress


Lawmakers have unveiled companion bills in the House and Senate that would reform a federal anti-hacking law that critics believe is outdated and has enabled unnecessarily aggressive prosecutions.

After months of feedback, Rep. Zoe Lofgren, D-Calif., on Thursday formally introduced legislation that would amend the three-decade-old Computer Fraud and Abuse Act (CFAA). Sen. Ron Wyden, D-Ore., introduced a companion bill in the Senate.

Nicknamed "Aaron's Law," after the late activist and developer Aaron Swartz, who was being prosecuted under the CFAA when he committed suicide in January, the measure would limit the ways in which people can be charged under existing legislation. Just days after Swartz's death, Lofgren announced on Reddit, the site that Swartz co-founded, her intentions to revamp the CFAA.

"The CFAA is a sweeping internet regulation that criminalizes many forms of common Internet use," the two legislators wrote Thursday in a Wired op-ed. "It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open internet as a platform for ideas and commerce, reforming the CFAA must be included."

Swartz faced more than three decades in prison because of language in a section of the CFAA stating that a person can be held liable for violating the law if they have "knowingly accessed a computer without authorization or [exceeded] authorized access." Prosecutors could interpret this to mean that an infraction is something as seemingly innocuous and common as violating a company's computing policy (visiting YouTube, for example) or a website's terms of service (for instance, lying about one's age when setting up a Facebook account), possibilities that didn't exist when the CFAA was passed.

Aaron's Law would amend this section of the CFAA by removing the phrase "exceeds authorized access" from the statute and clarifying that "access without authorization" involves purposefully evading physical or digital safeguards that prevent unauthorized people from reaching certain information.

"The proposed changes make clear that the CFAA does not outlaw mere violations of terms of service, website notices, contracts or employment agreements," Lofgren explained in a summary (PDF) of the proposal.

The amendments also would remove redundant provisions that allow a person charged with knowingly accessing a protected computer without authorization and obtaining value of more than $5,000 to also be charged under a separate, but similar section, which carries an identical penalty. This, Lofgren and Wyden said, enables prosecutors to charge a suspect multiple times for the same alleged crime, "resulting in the threat of higher cumulative fines and jail time for the exact same violation."

"This allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act," the lawmakers wrote. "It also plays a significant role in sentencing."

A third revision changes wording in the CFAA so that individuals facing higher penalties are "repeat offenders [of the law] rather than individuals facing multiple charges."

The Electronic Frontier Foundation, in a blog post authored by Mark Jaycox, Kurt Opsahl and Trevor Timm, wrote Thursday that the reforms speak to "overzealous persecutions like the ones seen in Andrew 'Weev' Auernheimer and Swartz's cases, where multiple felony counts were stacked on top of each other for the same underlying action and where both defendants faced decades in jail for 'crimes' that caused little or no economic harm."

But some reforms that Lofgren originally planned to include were left out.

The EFF was hoping that Aaron's Law would clarify that circumventing technological measures does not include changing one's IP or MAC address, something commonly done by security researchers.

"In order to protect security researchers, innovators and ordinary citizens who take measures to protect their privacy, we have also asked (PDF) for a clause that would clarify that your efforts to mask or hide your real name, personally identifiable information or device identifier – like IP address or MAC address – are not criminal in and of themselves," EFF wrote.