
“Aaron’s Law,” to amend the CFAA, introduced in Congress

Lawmakers have unveiled companion bills in the House and Senate that would reform a federal anti-hacking law that critics believe is outdated and has enabled unnecessarily aggressive prosecutions.

After months of feedback, Rep. Zoe Lofgren, D-Calif., on Thursday formally introduced legislation that would amend the three-decade-old Computer Fraud and Abuse Act (CFAA). Sen. Ron Wyden, D-Ore., introduced a companion bill in the Senate.

Nicknamed "Aaron's Law," after the late activist and developer Aaron Swartz, who was being prosecuted under the CFAA when he committed suicide in January, the measure would limit the ways in which people can be charged under existing legislation. Just days after Swartz's death, Lofgren announced on Reddit, the site that Swartz co-founded, her intentions to revamp the CFAA.

"The CFAA is a sweeping internet regulation that criminalizes many forms of common Internet use," the two legislators wrote Thursday in a Wired op-ed. "It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open internet as a platform for ideas and commerce, reforming the CFAA must be included."

The reason Swartz faced more than three decades in prison was language in a section of the CFAA that states a person can be held liable for violating the law if they've "knowingly accessed a computer without authorization or [exceeded] authorized access." Prosecutors could interpret this to cover infractions as seemingly innocuous and common as violating a company's computing policy (visiting YouTube, for example) or a website's terms of service (for instance, lying about one's age when setting up a Facebook account) – possibilities that didn't exist when the CFAA was passed.

Aaron's Law would amend this section of the CFAA by removing the phrase "exceeds authorized access" from the statute and clarifying that "access without authorization" involves purposefully evading physical or digital safeguards that prevent unauthorized people from reaching certain information.

"The proposed changes make clear that the CFAA does not outlaw mere violations of terms of service, website notices, contracts or employment agreements," Lofgren explained in a summary (PDF) of the proposal.

The amendments also would remove redundant provisions that allow a person charged with knowingly accessing a protected computer without authorization and obtaining value of more than $5,000 to also be charged under a separate, but similar section, which carries an identical penalty. This, Lofgren and Wyden said, enables prosecutors to charge a suspect multiple times for the same alleged crime, "resulting in the threat of higher cumulative fines and jail time for the exact same violation."

"This allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act," the lawmakers wrote. "It also plays a significant role in sentencing."

A third proposed revision changes wording in the CFAA so that individuals facing higher penalties are "repeat offenders [of the law] rather than individuals facing multiple charges."

The Electronic Frontier Foundation, in a blog post authored by Mark Jaycox, Kurt Opsahl and Trevor Timm, wrote Thursday that the reforms speak to "overzealous persecutions like the ones seen in Andrew 'Weev' Auernheimer and Swartz's cases, where multiple felony counts were stacked on top of each other for the same underlying action and where both defendants faced decades in jail for 'crimes' that caused little or no economic harm."

But some reforms that Lofgren originally planned to include were left out.

The EFF was hoping that Aaron's Law would clarify that circumventing technological measures does not include changing one's IP or MAC address, something commonly done by security researchers.

"In order to protect security researchers, innovators and ordinary citizens who take measures to protect their privacy, we have also asked (PDF) for a clause that would clarify that your efforts to mask or hide your real name, personally identifiable information or device identifier – like IP address or MAC address – are not criminal in and of themselves," EFF wrote.
