Aaron's Law Finally Introduced: Reform The CFAA

from the it's-about-time dept

Today, Zoe Lofgren and Jim Sensenbrenner in the House and Ron Wyden in the Senate introduced “Aaron’s Law,” an attempt to reform the widely abused CFAA, so that it no longer sweeps up innocent activity.

Vagueness is the core flaw of the CFAA. As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You’re not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.

So lying about one’s age on Facebook, or checking personal email on a work computer, could violate this felony statute. This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation. Millions of Americans — whether they are of a digitally native or dial-up generation — routinely submit to legal terms and agreements every day when they use the Internet. Few have the time or the ability to read and completely understand lengthy legal agreements.

The proposal tries to focus the law back to where it was intended when initially put in place:

It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.

Among those specific lines, it notes that a “mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA.” It also makes the penalties more reasonable, so people aren’t facing many years in jail for doing something minor. It’s well past due that the CFAA get fixed. Hopefully this is a start down that path.


Comments on “Aaron's Law Finally Introduced: Reform The CFAA”

ChrisH says:

Re: Re:

The CFAA isn’t about data, it’s about systems. If they get it over the wire or your data is on a third party’s system which has a deal with the NSA you’re out of luck. It’s a moot point anyway since as a governmental agency, the NSA has much immunity on paper and near total immunity in practice. Look at the TSA, they simply ignored court orders without consequence. Government agencies are totally immune from the courts. Congress are the only ones that can do anything.

out_of_the_blue says:

"a digitally native or dial-up generation"???

That in a paragraph saying will correct vagueness? I guess to replace it with nonsense?

“As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.” — Maybe, but they don’t. The Swartz case was not only one of the rare ones brought forward, but far better based than that.

I’ve already given my view that Aaron Swartz is no hero by sneaking into a closet to download files just on a whim to “liberate” data. But there’s obviously a contingent who think he is. — Even Alex Jones!

S. T. Stone says:

Re: "a digitally native or dial-up generation"???

Maybe, but they don’t.

Except Aaron Swartz did face jail time. He committed suicide because he faced an inordinate amount of jail time that in no way reflected the seriousness of his crime (or lack thereof).

He faced that jail time because an overzealous prosecutor used the CFAA to hang the threat of decades of jail time over Swartz’s head.

The rarity of such cases doesn’t matter. The innocence or guilt of Swartz doesn’t matter. An equitable judicial process that protects the innocent and hands out appropriate and fair punishments to the guilty matters.

The CFAA as it stands today allows prosecutors to threaten people with decades behind bars for something as simple as sharing a Facebook password. Any legislature worth a damn would (and should) see this law as ripe for potential abuse and do whatever it could to correct it.

Or would you prefer to spend twenty years behind bars because you accidentally logged into someone’s Facebook account after they left it “open” on your computer?

ChrisH says:

Re: Re: "a digitally native or dial-up generation"???

Unfortunately prosecutors and police threaten innocent people all the time so I don’t know how much a reformed CFAA would change that. Perhaps stronger penalties built into the law for malicious prosecution? Maybe we need to look at issues such as prosecutorial discretion or the grand jury process. Also reducing the size of some of these private institutions would limit the pressure they can apply to the legal process.

S. T. Stone says:

Re: Re: Re: "a digitally native or dial-up generation"???

That’d take a hell of a lot of time, effort, and money.

Fixing the CFAA to make it harder (if not near-impossible) for prosecutors to bring charges against people for something as innocuous as a couple sharing each other’s passwords would make for a good starting point, though.

ChrisH says:

Re: Re: Re:2 "a digitally native or dial-up generation"???

I think you need that as a long term solution, because no matter what a particular law says, prosecutors are always free to bring charges, even if they have no chance of getting a conviction. Often the charges are enough to force a defendant to cut a deal, or worse.

Anonymous Coward says:

Does this fix the TOS violation issue?

If someone puts a false age in a Facebook signup form, isn’t that circumventing a technological measure designed to exclude unauthorized individuals from obtaining information?
This text seems to be the same sort of thing as before. I thought Zoe had something better in mind.

Anonymous Coward says:

Re: Does this fix the TOS violation issue?

She did start with something better. Here’s the text in her original draft. It needs to be put back in:

Section 1030(e)(6) of title 18, United States Code, is amended by striking “alter;” and inserting the following: “alter, but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;”

ChrisH says:

Re: Re: Re: Does this fix the TOS violation issue?

I think a distinction needs to be made between changing a few things in a URL to visit a new “public” page and feeding information in which is known to cause a buffer overflow or SQL injection. I’m not sure exactly how you would word it. Intent probably needs to be a factor.

ChrisH says:

Has any CFAA prosecution ever obtained a conviction for terms of service?

Digital rights reforms are far more urgent since the public has been almost entirely convinced that they don’t own what they buy. Even if it isn’t written that way legally, DRM gives companies the power to achieve it in practice, and what is widely practiced tends to become the law. In other words, if people stop acting like they own things, for example allowing secondary markets for software and music to dry up, it will be easier for judges and legislatures to forget that these personal property rights ever existed.

CK20XX (profile) says:

Re: Re:

I don’t know what they have to say
It makes no difference anyway
Whatever it is… I’m against it!
No matter what it is or who commenced it
I’m against it!

Your proposition may be good
But let’s have one thing understood
Whatever it is… I’m against it!
And even when you’ve changed it or condensed it
I’m against it!

I’m opposed to it
On general principle, I’m opposed to it.

He’s opposed to it
In fact, indeed, that he’s opposed to it!

For months before my son was born
I used to yell from night to morn
Whatever it is… I’m against it!
And I’ve kept yelling since I first commenced it
I’m against it!

Anonymous Coward says:

Hi Mike,

What’s the point of pretending like you can keep me off of TD when you make a living out of ridiculing others who pretend like they can block people from doing what they want on the internet?

Seriously. I know you see the irony. But what’s the point? I post whatever I want, whenever I want. Your attempts to censor me are completely, 100% laughable and stupid.

Let me ask you this? Why do you, a man who pretends like he loves anonymity and freedom on the internet, make a point to block TOR IP addresses whenever they are used to criticize you?

Seriously. Are you so ashamed and insecure that you have to block TOR, the tool of freedom fighters who rage against dictators, to stop me from criticizing you?

Are you so scared of criticism that you think it’s worth it to block TOR exit nodes rather than receive any criticism whatsoever?

You’re just like China. And you fucking know it.

You are doing whatever you can to censor those who challenge you. Just like China. And you fucking know it.


Anonymous Coward says:

Re: Re:

There’s no irony. Mike posts articles rightly ridiculing people who use censorship to stop innovation. Your false accusations are harassment, and not innovative in any way.

If you were an honest person, your posts of “whatever I want, whenever I want” would be posts that add to the discussion, not taunts and cowardly accusations.

Blocking juvenile, immature morons who lie, slander and harass without legitimate reason is NOT censorship.

You’re in the wrong. And you fucking know it.

Anonymous Coward says:

That’s right, folks! As soon as Mike realizes that a TOR IP address is being used to criticize him–not for spam, mind you, but only for the purpose of criticizing Mike–he immediately blocks that TOR IP address from being able to post on Techdirt.

That’s right. Mr. Mike “Internet Freedom and Anonymity” Masnick is so scared of personal criticism that he’d rather block a TOR exit node–the tool of dissidents who criticize their oppressors–rather than leave the TOR IP address open to those who may want to criticize him or others on Techdirt.

Protector of freedom on the internet? You decide. His actions are just like those of an insecure dictator, and he knows it. Mike is just like China, feverishly oppressing those who dare to speak out against him.

David Johnston says:

Re: Re: Re:

And using TOR. Maybe he’s Seamus.

Meanwhile, on the original topic: if you ask me, violating the CFAA should require fraudulently obtaining and using, or fraudulently bypassing the check for, an access credential such as a password. Merely accessing a service’s public interface shouldn’t qualify. Gaining privilege on the server by exploiting a bug, or running a dictionary attack on password hashes to log in as someone else, those are the things the law is supposed to be about.

horse with no name says:

Not really a change

I think that changing the wording likely won’t change much, except to give hackers even more leeway to claim defenses based on stretching the terms.

The current law is pretty straight – if you aren’t supposed to access it, don’t access it.

Reducing the penalties and giving hackers more outs to work with is NOT a good change to the law. It would appear that this is mostly the usual grandstanding political types using Aaron’s death for political advantage and points. That is sad.

Anonymous Coward says:

What is so annoying is that this sort of screw up seems to be done intentionally. Whenever a new law comes in, it is always with the vaguest of terms and the most unclear language. It seems as if until something extreme happens, everyone in Congress is quite happy to have a law, whatever it may be concerning, left as open as possible, so that as many idiotic options are covered. Laws are meant to do specific things. They are not meant to be blankets covering a multitude of sins. If more laws are needed, so be it but be exact with the ones brought in so everyone, Congress included, know what each one is for! This man took his own life because of the pathetic way the CFAA was written and then left! It was definitely the wrong thing to do but think about what the alternative scenario could have been. Someone, one of the brightest brains in the US pursued by a DA not because of the outrageous crime he had committed but because the option was there and she took it, rather than being sensible, because she saw the opportunity of personal advancement in her career, and then if convicted or striking a deal, perhaps thrown into prison for the most ridiculous of reasons.
Congress need to sit back a bit and think what they have been doing, think about what they are going to do and how they are going to do it before enacting. They have made a lot of mistakes, some intentionally, but it isn’t them that suffer. It needs to stop now!!
