Rep. Zoe Lofgren Plans To Introduce 'Aaron's Law' To Stop Bogus Prosecutions Under The CFAA

from the one-step dept

There’s been talk for years about fixing the Computer Fraud and Abuse Act (CFAA), which has been widely abused by law enforcement/prosecutors to claim that basically any use of a computer that did not fall under the explicitly allowed uses was a form of “computer hacking” — and potentially a felony. This allowed for law enforcement to go after all sorts of people — including anyone who did anything on a computer that their employer didn’t like. Or anyone whosent spam. Or anyone who reported on a data vulnerability. Or anyone who just senta too many emails. These and many more cases mostly revolved around a stretched interpretation of the (outdated) CFAA, which suggested that simply violating a terms of service was the equivalent of “unauthorized access,” and thus a “hacking” violation. Courts have so far been somewhat split on this interpretation, with some buying it and others not buying it at all.

The abuse of the CFAA has been seen in some high profile cases, including the one against Lori Drew, after a young girl, who was a friend of Drew’s daughter, killed herself following a “dispute” with a fake profile of a boy that was really set up by Drew and some others. The court eventually tossed that out (though a jury convicted her). But it seems tragically ironic that a law that prosecutors once used (they claimed) to go after someone for bullying someone to commit suicide, is now itself being blamed for prosecutors’ own bullying tactics, which many (including his parents) now insist led to the suicide of Aaron Swartz.

Congress has approved fixes for the CFAA in the past, but they’ve never made it all the way into law. The unfortunate, untimely and tragic death of Aaron Swartz may have brought back politicians’ interest in making such a fix. Rep. Zoe Lofgren announced on Reddit her plans to introduce “Aaron’s Law” to fix one glaring weakness in the CFAA: the idea that any terms of service violation is akin to hacking and fraud under the law. The draft bill rejects such an interpretation explicitly:

Section 1343 of title 18, United States Code, is amended by inserting after the first sentence the following: ‘‘A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section.’’

Hopefully, this new Congress can look at the unfortunate situation with Aaron (and many others) and how prosecutors are using the CFAA as a weapon to browbeat people they don’t like into guilty pleas on garbage charges, and finally pass this much needed fix to the CFAA.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Rep. Zoe Lofgren Plans To Introduce 'Aaron's Law' To Stop Bogus Prosecutions Under The CFAA”

Subscribe: RSS Leave a comment
The Real Michael says:

While this proposal is sound and beneficial, I don’t like the trend towards attaching the names of the deceased as a sympathy ploy. We don’t like it when government tries to manipulate the public into making an emotional response with cries of “for the children” and the like, only to try and pass some onerous, draconian law. The way CFAA is being (mis)interpreted is at the heart of the problem here. Nevertheless, I’m in favor of Lofgren’s proposal. It’s far too easy for government/corps to abuse the law and prosecute persons of interest.

Ninja (profile) says:

Re: Re:

The US needs an urgent and profound review of its laws and it should be conducted with very clear guidelindes.

1- Does this law produce more harm than good?
2- Does this law use vague terms that could be misinterpreted and abused by the Government/whoever?
3- Does this law allow any sort of conflict with the Constitutional rights?
4- Does this law allow any sort of abuse AT ALL?
5- Does this law include a DATE FOR MANDATORY REVIEW?

We just need sensible people willing to do this reviewing (and possibly extinction of some of them).

DannyB (profile) says:

Re: Re: Laws are already reviewed according to strict criteria

No changes needed. Before any laws are passed, they are already reviewed according to strict criteria.

1. Does this law produce more harm than good for my campaign donors?
2. Does this law use vague terms that could be misinterpreted and abused by the government to the detriment of my campaign donors?
3. Does this law allow any sort of conflict with my campaign donors?
4. Does this law prevent any sort of abuse that my campaign donors may wish to engage in?
5. Does this law include a date that it will be voted on, and have my campaign donors paid me in advance of that date?

That One Guy (profile) says:

Re: Re:

While normally I would agree with you, this time around at least it seems the response is actually being well thought out and considered, rather than the usual knee-jerk, making things worse off than before reaction that tends to result from a tragedy.

Passing new laws as a PR stunt post-tragedy tends to cause more harm than they solve, due to how rushed the process is by people who ‘want to do something now‘, but in this case at least it’s more fixing the problem that caused, or at least enabled, the tragedy in the first place, and that I have no trouble with at all.

Anonymous Coward says:

either correcting the wrongs in the existing bill or writing a new one to achieve in part something similar is a good start. however, what is really needed is true addressing of all internet related and copyright laws. as they stand atm, they are open to abuse by corporations and the government but totally closed to the public. that desperately needs changing so that there can be no abuse and if anyone tries, they are severely punished. it’s going to upset yet again the entertainment industries because they are the biggest abusers but how many more situations like Aaron’s does there have to be before some common sense comes into play? it isn’t as if this is the first death due to over aggressive persuance of ‘file sharers’. i seem to remember a case in a Canadian prison. correct me if i am wrong. the point being that no one should be driven to take their own life because they shared or made available files to others. it’s data for God’s sake, a music cd or a movie, not information that would cause a country to lose a war!!

Richard (profile) says:

Re: "dispute"

There is “guilt” and then there are things that it is reasonable to punish using the law.

Only about half (or less) of the ten commandements now attract punishment in most western countries.

Moving away from punishing every wrongdoing as a crime is generally s step forward in civilisation.

For example most people would certainly associate some guilt with adultery – but wouyld not regard it as civilised to punish people for it (as they still do in some countries).

So I would (as I suspect that Mike would) associate some guilt with Lori Drew – but I would stop short of using the law against her.

Almost Anonymous (profile) says:

Re: "dispute"

Your adamant refusal to acknowledge any guilt on the part of Lori Drew is positively pathological.

Some might say that your need to blame a second party for the unfortunate actions of a first party is positively pathological.

It was a sad situation but Drew did not break any laws, and the over-the-top efforts to try and punish her by any means was worse than sad, it was a travesty. Society will ostracise Drew for the rest of her days, there was no need to fabricate a legal issue.

Paula Product says:


The real irony in naming this “Aaron’s Law” is that it really wouldn’t have made much difference in the case against him. Whatever flaws there may have been in the prosecutions case, it didn’t turn on a ToS violation, but instead on other things — like continued efforts to get around roadblocks that JSTOR and MIT put up specifically to keep “G. Host” out. (And of course, if you think what Aaron did was perfectly fine, you don’t a new law to convince you of that.)

It’s not a terrible idea. And Aaron Swartz no doubt would have thought it a good step (and perhaps did think that – this proposal was made earlier this year). But it’s weird to label it “Aaron’s Law”.

Anonymous Coward says:

Re: Re: Re: Irony

“Because bringing criminal charges is generally up to the government.”

This is true, however usually when the victim refuses to press charges, the government usually goes along with their wishes. Most of the time, with no victim, they have no case. Also, in order to prove a crime, they have to prove a number of things, this particular case would have fallen flat on it’s face had it gone to court.

Your analogy with DUI is completely different. Police are free to charge anyone with DUI without their having to be an accident. The accident would bring other charges separately from the DUI.

shane (profile) says:

Re: Irony

To me this is not entirely accurate. The things MIT and JSTOR did to limit his access were not, strictly speaking, authorization denials until JSTOR just shot off access to MIT. It is more JSTOR’s fault than Aaron’s that they did not have the technology in place to deal with what he did. He did not “hack”, he just rather expertly violated the terms of service. His method of violating those terms was purposefully misconstrued by the prosecution in spite of the fact that neither MIT nor JSTOR had any interest in pursuing the matter.

Now, whether or not this law would have helped keep the prosecutor for finding some OTHER Federal Law to harass him with, I don’t know, but a correct reading of the events would lead to a correct outcome with this law as I currently understand it.

Gregg says:

To Many Laws

Just get rid of the Law, don’t replace it. We have to many Law’s. It is impossible for anyone to know all of them (Federal too StateProvincial too Municipal).

At any given moment, everyone commits a crime without knowing it. More time, money and energy is wasted on micro-managing law enforcement than any other service! including Health Care!.

If we were to some how bring a person from 1920 or even 1860 to 2013, with in 5 minutes, they will have committed 20 years of prison worth of crimes. Imagine if we brought a person from 1000 AD? or 500 BC? Our entire list of ancestors are criminals to today’s standards of law.

Humans are not meant to live this way. I hope the next revolution brings us back to something of the equivalent of the ten commandments and leaves it at ten (updated of course to allow everyone to slept with their neighbours 🙂

nospacesorspecialcharacters (profile) says:

Contract Law

There’s no reason that contract law couldn’t net people like Lori Drew and free people like Aaron Swartz.

If they just amended contract law to allow 3rd parties harmed by a violation of T&C’s to seek restitution.

E.g. Lori Drew wouldn’t be jailed, but could be sued by the girls parents; meanwhile JSTOR and MIT decide not to press charges.

Maybe US contract law is already set up like this, I have little experience of it, but if that’s the case then this small amendment is all that’s needed.

The cynical side of me says that once congress has gone through this amendment it’s going to say something like,

“A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section. Unless terrorism. Or piracy.

Then they’ll just re-badge hackers as terrorists. In the UK they do this a lot with photographers and protestors.

shane (profile) says:

Re: Contract Law

My problem with this is twofold. First off, being sued is not an appropriate or sufficient social response to driving someone to suicide.

Secondly, sometimes the government does need to be able to prosecute without the express written permission of the victim.

There really are no easy solutions. Much of our trouble these days is the apathy common to all of humanity. I don’t have a handy solution for that.

Almost Anonymous (profile) says:

Re: Contract Law

Err, what makes you think that Megan’s parents couldn’t sue Lori Drew? I assure you, they could certainly sue, perhaps over wrongful death or intentional infliction of emotional distress. The question is whether or not they would win, which I suspect would be unlikely on either of those counts. Modification to contract law to allow 3rd party action over TOS violations is a horrible, horrible idea. It would be immediately abused and overused in ways that we probably can’t even imagine.

Beta (profile) says:

writing laws backwards

It seems to me that if a law says too much, it should be revised to say less. This amendment is a (tiny) step in the right direction, but instead of adding a narrow exception (making the law longer and more complex in the bargain), wouldn’t it be better to look at the existing law and change the parts of it that make the exception necessary?

How about amending (a)(2) so that “information” must be private or restricted information, not just any old information. And let’s remove (a)(2)(C) (“information from any protected computer;”) because it includes everything.

How about stating very clearly that “authorized” means “what the owner set the computer up to allow” (rather than “what the owner had in mind”). If there isn’t a clean way to do that, then maybe the word “authorized” shouldn’t be in the law at all.

How about changing “value of the information” to “free market value of the information”– and if the information is not available in the free market (e.g. if it is under copyright) then it has no such value. Any economic harm must be proved, not just claimed with speculation (I’m looking at you, (a)(4)(A)(i)(I)).

How about defining “damage” as something more than epsilon? Or maybe splitting it out of the law entirely, since it doesn’t seem to serve any good purpose.

How about eliminating the “conspiracy” language altogether?

And one of my favorites: How about allowing legal recourse against officials of the Justice Department who abuse the law?

F Kyle says:

Has Petraeus been indicted yet?

I don’t use Gmail, so I don’t know for sure that their terms of service forbid using false information when signing up for an account. But if they do, and if David Petraeus didn’t use his real name when signing up for the email account he used to communicate with Paula Broadwell, shouldn’t he be indicted for violating the CFAA.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...