Rep. Zoe Lofgren Plans To Introduce 'Aaron's Law' To Stop Bogus Prosecutions Under The CFAA
from the one-step dept
There’s been talk for years about fixing the Computer Fraud and Abuse Act (CFAA), which has been widely abused by law enforcement/prosecutors to claim that basically any use of a computer that did not fall under the explicitly allowed uses was a form of “computer hacking” — and potentially a felony. This allowed for law enforcement to go after all sorts of people — including anyone who did anything on a computer that their employer didn’t like. Or anyone whosent spam. Or anyone who reported on a data vulnerability. Or anyone who just senta too many emails. These and many more cases mostly revolved around a stretched interpretation of the (outdated) CFAA, which suggested that simply violating a terms of service was the equivalent of “unauthorized access,” and thus a “hacking” violation. Courts have so far been somewhat split on this interpretation, with some buying it and others not buying it at all.
The abuse of the CFAA has been seen in some high profile cases, including the one against Lori Drew, after a young girl, who was a friend of Drew’s daughter, killed herself following a “dispute” with a fake profile of a boy that was really set up by Drew and some others. The court eventually tossed that out (though a jury convicted her). But it seems tragically ironic that a law that prosecutors once used (they claimed) to go after someone for bullying someone to commit suicide, is now itself being blamed for prosecutors’ own bullying tactics, which many (including his parents) now insist led to the suicide of Aaron Swartz.
Congress has approved fixes for the CFAA in the past, but they’ve never made it all the way into law. The unfortunate, untimely and tragic death of Aaron Swartz may have brought back politicians’ interest in making such a fix. Rep. Zoe Lofgren announced on Reddit her plans to introduce “Aaron’s Law” to fix one glaring weakness in the CFAA: the idea that any terms of service violation is akin to hacking and fraud under the law. The draft bill rejects such an interpretation explicitly:
Section 1343 of title 18, United States Code, is amended by inserting after the first sentence the following: ‘‘A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section.’’
Hopefully, this new Congress can look at the unfortunate situation with Aaron (and many others) and how prosecutors are using the CFAA as a weapon to browbeat people they don’t like into guilty pleas on garbage charges, and finally pass this much needed fix to the CFAA.
Filed Under: aaron swartz, cfaa, computer fraud and abuse act, zoe lofgren
Comments on “Rep. Zoe Lofgren Plans To Introduce 'Aaron's Law' To Stop Bogus Prosecutions Under The CFAA”
I don’t know if Senator Lofgren reads this site, but if she does, a bit of advice: correct the law already on the books rather than throw another law on the record which gets abused later.
My confidence in a Congress writing a law to “protect” was lost in 1976.
Learn from this. Correct, not replace.
PLEASE.
Re:
Given that the entirety of the bill is just two amendments to an existing law, then it appears she is very much trying to correct a law already in place.
Re: Re:
I don’t know if Senator Lofgren reads this site, but if she does, a bit of advice: correct the law already on the books rather than throw another law on the record which gets abused later.
Read the bill above. All it does is correct the CFAA.
Re: Re: Re:
My apologies, but all I see is the box. I assumed it contained a new law. 🙁
I just want to make sure this isn’t adding “exceptions” rather than correcting the law’s problematic and very, very generic definitions.
Re: Re: Re: Re:
Technically it is another law. Modifications to statutes in the U.S. Code are made by passing new laws that modify the existing statutes. These amending bills have to get through Congress and be signed by the President, just like the ones that created the law in the first place.
Re: Re:
If you’ll forgive me, what happened in ’76 that you’re referencing? Or am I going to kick myself for not remembering?
Re: Re: Re:
Copyright Act of 1976
Re: Re: Re: Re:
Oh wow…
Ok I hear ya. I hear ya….
While this proposal is sound and beneficial, I don’t like the trend towards attaching the names of the deceased as a sympathy ploy. We don’t like it when government tries to manipulate the public into making an emotional response with cries of “for the children” and the like, only to try and pass some onerous, draconian law. The way CFAA is being (mis)interpreted is at the heart of the problem here. Nevertheless, I’m in favor of Lofgren’s proposal. It’s far too easy for government/corps to abuse the law and prosecute persons of interest.
Re: Re:
The US needs an urgent and profound review of its laws and it should be conducted with very clear guidelindes.
1- Does this law produce more harm than good?
2- Does this law use vague terms that could be misinterpreted and abused by the Government/whoever?
3- Does this law allow any sort of conflict with the Constitutional rights?
4- Does this law allow any sort of abuse AT ALL?
5- Does this law include a DATE FOR MANDATORY REVIEW?
We just need sensible people willing to do this reviewing (and possibly extinction of some of them).
Re: Re: Laws are already reviewed according to strict criteria
No changes needed. Before any laws are passed, they are already reviewed according to strict criteria.
1. Does this law produce more harm than good for my campaign donors?
2. Does this law use vague terms that could be misinterpreted and abused by the government to the detriment of my campaign donors?
3. Does this law allow any sort of conflict with my campaign donors?
4. Does this law prevent any sort of abuse that my campaign donors may wish to engage in?
5. Does this law include a date that it will be voted on, and have my campaign donors paid me in advance of that date?
Re: Re: Re: Laws are already reviewed according to strict criteria
Sad but true button needed.
Re: Re: Re:
Um, Who would you trust to do this review?
Certainly not the bought and paid for politicians in D.C.!
They have repeatedly shown that they are incapable of understanding the problem, let alone writing legislation to actually address the problem.
Re: Re: Re:
Just about every country needs an urgent and profound review of it’s laws.
Re: Re: Re: Re:
That.
Re: Re:
I think there is a slight (intended?) irony here – as the law we are trying to fix is exactly the kind of law that tends to get the xxx’s law tag.
I agree that most such laws tend to be bad…
Re: Re:
While normally I would agree with you, this time around at least it seems the response is actually being well thought out and considered, rather than the usual knee-jerk, making things worse off than before reaction that tends to result from a tragedy.
Passing new laws as a PR stunt post-tragedy tends to cause more harm than they solve, due to how rushed the process is by people who ‘want to do something now‘, but in this case at least it’s more fixing the problem that caused, or at least enabled, the tragedy in the first place, and that I have no trouble with at all.
Re: Re: Re:
Like I said, in this instance it’s a common-sense remedy to a flawed interpretation of a law, but in other instances it’s not. Political grandstanding using victims as an emotional tool can, and often does, lead to dangerous consequences for society.
Re: Re:
The emotional appeal could be in this case useful to actually get the damn law changed.
Re: Re: Re:
Cyber Intelligence Sharing and Protection Act
USA Patriot act
National Defense Authorization Act
At least this time the bill would actually represent its namesake.
Re: Re: Re: Re:
A law named after a person has never been a good idea.
Re: Re:
Wait and see how Swartz tragic death is manipulated for political gain. It’s absolutely shameful.
either correcting the wrongs in the existing bill or writing a new one to achieve in part something similar is a good start. however, what is really needed is true addressing of all internet related and copyright laws. as they stand atm, they are open to abuse by corporations and the government but totally closed to the public. that desperately needs changing so that there can be no abuse and if anyone tries, they are severely punished. it’s going to upset yet again the entertainment industries because they are the biggest abusers but how many more situations like Aaron’s does there have to be before some common sense comes into play? it isn’t as if this is the first death due to over aggressive persuance of ‘file sharers’. i seem to remember a case in a Canadian prison. correct me if i am wrong. the point being that no one should be driven to take their own life because they shared or made available files to others. it’s data for God’s sake, a music cd or a movie, not information that would cause a country to lose a war!!
Re: Re:
It’s hard to say complex, important things in a little quip, isn’t it? I totally agree with you. It’s damned difficult to get that message out to folks in a way that doesn’t cause their minds to skip past to the next saucy bit of entertainment though.
"dispute"
Your adamant refusal to acknowledge any guilt on the part of Lori Drew is positively pathological.
Re: "dispute"
There is “guilt” and then there are things that it is reasonable to punish using the law.
Only about half (or less) of the ten commandements now attract punishment in most western countries.
Moving away from punishing every wrongdoing as a crime is generally s step forward in civilisation.
For example most people would certainly associate some guilt with adultery – but wouyld not regard it as civilised to punish people for it (as they still do in some countries).
So I would (as I suspect that Mike would) associate some guilt with Lori Drew – but I would stop short of using the law against her.
Re: "dispute"
Your adamant refusal to acknowledge any guilt on the part of Lori Drew is positively pathological.
Some might say that your need to blame a second party for the unfortunate actions of a first party is positively pathological.
It was a sad situation but Drew did not break any laws, and the over-the-top efforts to try and punish her by any means was worse than sad, it was a travesty. Society will ostracise Drew for the rest of her days, there was no need to fabricate a legal issue.
wait, can we leave in the death penalty for spammers?
Irony
The real irony in naming this “Aaron’s Law” is that it really wouldn’t have made much difference in the case against him. Whatever flaws there may have been in the prosecutions case, it didn’t turn on a ToS violation, but instead on other things — like continued efforts to get around roadblocks that JSTOR and MIT put up specifically to keep “G. Host” out. (And of course, if you think what Aaron did was perfectly fine, you don’t a new law to convince you of that.)
It’s not a terrible idea. And Aaron Swartz no doubt would have thought it a good step (and perhaps did think that – this proposal was made earlier this year). But it’s weird to label it “Aaron’s Law”.
Re: Irony
Actually, if JSTOR were to really be upset, why did they not press charges? Just curious what you think.
Re: Re: Irony
Because bringing criminal charges is generally up to the government. If a drunk driver rear-ends your car, do you really think that if you “don’t press charges” that he won’t end up being arrested and tried anyway?
Re: Re: Re: Irony
“Because bringing criminal charges is generally up to the government.”
This is true, however usually when the victim refuses to press charges, the government usually goes along with their wishes. Most of the time, with no victim, they have no case. Also, in order to prove a crime, they have to prove a number of things, this particular case would have fallen flat on it’s face had it gone to court.
Your analogy with DUI is completely different. Police are free to charge anyone with DUI without their having to be an accident. The accident would bring other charges separately from the DUI.
Re: Re: Re:2 Irony
The way DUI’s are handled they were excepted from a lot of the laws that surround other types of criminal behavior. You could say that they wrote a new law book for DUI’s.
Re: Irony
To me this is not entirely accurate. The things MIT and JSTOR did to limit his access were not, strictly speaking, authorization denials until JSTOR just shot off access to MIT. It is more JSTOR’s fault than Aaron’s that they did not have the technology in place to deal with what he did. He did not “hack”, he just rather expertly violated the terms of service. His method of violating those terms was purposefully misconstrued by the prosecution in spite of the fact that neither MIT nor JSTOR had any interest in pursuing the matter.
Now, whether or not this law would have helped keep the prosecutor for finding some OTHER Federal Law to harass him with, I don’t know, but a correct reading of the events would lead to a correct outcome with this law as I currently understand it.
To Many Laws
Just get rid of the Law, don’t replace it. We have to many Law’s. It is impossible for anyone to know all of them (Federal too StateProvincial too Municipal).
At any given moment, everyone commits a crime without knowing it. More time, money and energy is wasted on micro-managing law enforcement than any other service! including Health Care!.
If we were to some how bring a person from 1920 or even 1860 to 2013, with in 5 minutes, they will have committed 20 years of prison worth of crimes. Imagine if we brought a person from 1000 AD? or 500 BC? Our entire list of ancestors are criminals to today’s standards of law.
Humans are not meant to live this way. I hope the next revolution brings us back to something of the equivalent of the ten commandments and leaves it at ten (updated of course to allow everyone to slept with their neighbours 🙂
Contract Law
There’s no reason that contract law couldn’t net people like Lori Drew and free people like Aaron Swartz.
If they just amended contract law to allow 3rd parties harmed by a violation of T&C’s to seek restitution.
E.g. Lori Drew wouldn’t be jailed, but could be sued by the girls parents; meanwhile JSTOR and MIT decide not to press charges.
Maybe US contract law is already set up like this, I have little experience of it, but if that’s the case then this small amendment is all that’s needed.
The cynical side of me says that once congress has gone through this amendment it’s going to say something like,
Then they’ll just re-badge hackers as terrorists. In the UK they do this a lot with photographers and protestors.
Re: Contract Law
My problem with this is twofold. First off, being sued is not an appropriate or sufficient social response to driving someone to suicide.
Secondly, sometimes the government does need to be able to prosecute without the express written permission of the victim.
There really are no easy solutions. Much of our trouble these days is the apathy common to all of humanity. I don’t have a handy solution for that.
Re: Contract Law
Err, what makes you think that Megan’s parents couldn’t sue Lori Drew? I assure you, they could certainly sue, perhaps over wrongful death or intentional infliction of emotional distress. The question is whether or not they would win, which I suspect would be unlikely on either of those counts. Modification to contract law to allow 3rd party action over TOS violations is a horrible, horrible idea. It would be immediately abused and overused in ways that we probably can’t even imagine.
writing laws backwards
It seems to me that if a law says too much, it should be revised to say less. This amendment is a (tiny) step in the right direction, but instead of adding a narrow exception (making the law longer and more complex in the bargain), wouldn’t it be better to look at the existing law and change the parts of it that make the exception necessary?
How about amending (a)(2) so that “information” must be private or restricted information, not just any old information. And let’s remove (a)(2)(C) (“information from any protected computer;”) because it includes everything.
How about stating very clearly that “authorized” means “what the owner set the computer up to allow” (rather than “what the owner had in mind”). If there isn’t a clean way to do that, then maybe the word “authorized” shouldn’t be in the law at all.
How about changing “value of the information” to “free market value of the information”– and if the information is not available in the free market (e.g. if it is under copyright) then it has no such value. Any economic harm must be proved, not just claimed with speculation (I’m looking at you, (a)(4)(A)(i)(I)).
How about defining “damage” as something more than epsilon? Or maybe splitting it out of the law entirely, since it doesn’t seem to serve any good purpose.
How about eliminating the “conspiracy” language altogether?
And one of my favorites: How about allowing legal recourse against officials of the Justice Department who abuse the law?
Re: writing laws backwards
Yes, all of this.
I have a simple test for most bills; if it upsets the powers abusing the bill, then it’s good. If it doesn’t get a pushback from those who need correcting, then it’s bad. I’ll wait and see what the DOJ, FBI, etc. says.
Has Petraeus been indicted yet?
I don’t use Gmail, so I don’t know for sure that their terms of service forbid using false information when signing up for an account. But if they do, and if David Petraeus didn’t use his real name when signing up for the email account he used to communicate with Paula Broadwell, shouldn’t he be indicted for violating the CFAA.
Ah, I see your Schwartz is as long as mine....
Where’s Dark Helmet with the relevant quote when you need him?
Okay, a little humor along with the tragedy gets me thru the day…
senta too many emails
Read in a mexican accent.