Aaron's Law Finally Introduced: Reform The CFAA
from the it's-about-time dept
Today, Zoe Lofgren and Jim Sensenbrenner in the House and Ron Wyden in the Senate introduced “Aaron’s Law,” an attempt to reform the widely abused CFAA, so that it no longer sweeps up innocent activity.
Vagueness is the core flaw of the CFAA. As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You’re not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.
So lying about one’s age on Facebook, or checking personal email on a work computer, could violate this felony statute. This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation. Millions of Americans — whether they are of a digitally native or dial-up generation — routinely submit to legal terms and agreements every day when they use the Internet. Few have the time or the ability to read and completely understand lengthy legal agreements.
The proposal tries to focus the law back to where it was intended when initially put in place:
It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.
Among those specific lines, it notes that a “mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA.” It also makes the penalties more reasonable, so people aren’t facing many years in jail for doing something minor. It’s well past due that the CFAA get fixed. Hopefully this is a start down that path.
Filed Under: aaron swartz, aaron's law, cfaa, cfaa reform, jim sensenbrenner, ron wyden, zoe lofgren
Comments on “Aaron's Law Finally Introduced: Reform The CFAA”
Shouldn’t we use the CFAA to go after the NSA first, and then fix it? I mean they are accessing my data without prior authorization from me. Huh whats that? I gave them authorization? But I’m a foreigner dammit!
Re: Re:
The CFAA isn’t about data, it’s about systems. If they get it over the wire or your data is on a third party’s system which has a deal with the NSA you’re out of luck. It’s a moot point anyway since as a governmental agency, the NSA has much immunity on paper and near total immunity in practice. Look at the TSA, they simply ignored court orders without consequence. Government agencies are totally immune from the courts. Congress are the only ones that can do anything.
"a digitally native or dial-up generation"???
That in a paragraph saying will correct vagueness? I guess to replace it with nonsense?
“As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.” — Maybe, but they don’t. The Swartz case was not only one of the rare ones brought forward, but far better based than that.
I’ve already given my view that Aaron Swartz is no hero by sneaking into a closet to download files just on a whim to “liberate” data. But there’s obviously a contingent who think he is. — Even Alex Jones!
Re: "a digitally native or dial-up generation"???
Swartz didn’t violate any laws, but he got the full might of the DoJ coming down on him anyway. The people who were supposedly his victims didn’t think he’d committed a crime either.
Re: Re: "a digitally native or dial-up generation"???
Well, copying public domain documents from behind an illegal government paywall back into the public domain shouldn’t be a crime in any universe. Yet, here we are.
Re: "a digitally native or dial-up generation"???
Well if they would never go after someone for such minor things, then they should have no objection at all with fine-tuning the language to make such actions completely, and reasonably, legal now, should they?
Re: "a digitally native or dial-up generation"???
Maybe, but they don’t.
Except Aaron Swartz did face jail time. He committed suicide because he faced an inordinate amount of jail time that in no way reflected the seriousness of his crime (or lack thereof).
He faced that jail time because an overzealous prosecutor used the CFAA to hang the threat of decades of jail time over Swartz’s head.
The rarity of such cases doesn?t matter. The innocence or guilt of Swartz doesn?t matter. A equitable judicial process that protects the innocent and hands out appropriate and fair punishments to the guilty matters.
The CFAA as it stands today allows prosecutors to threaten people with decades behind bars for something as simple as sharing a Facebook password. Any legislature worth a damn would (and should) see this law as ripe for potential abuse and do whatever it could to correct it.
Or would you prefer to spend twenty years behind bars because you accidentally logged into to someone?s Facebook account after they left it ?open? on your computer?
Re: Re: "a digitally native or dial-up generation"???
Unfortunately prosecutors and police threaten innocent people all the time so I don’t know how much a reformed CFAA would change that. Perhaps stronger penalties built into the law for malicious prosecution? Maybe we need to look at issues such as prosecutorial discretion or the grand jury process. Also reducing the size of some of these private institutions would limit the pressure they can apply to the legal process.
Re: Re: Re: "a digitally native or dial-up generation"???
That?d take a hell of a lot of time, effort, and money.
Fixing the CFAA to make it harder (if not near-impossible) for prosecutors to bring charges against people for something as innocuous as a couple sharing each other?s passwords would make for a good starting point, though.
Re: Re: Re:2 "a digitally native or dial-up generation"???
I think you need that as a long term solution, because no matter what a particular law says, prosecutors are always free to bring charges, even if they have no chance of getting a conviction. Often the charges are enough to force a defendant to cut a deal, or worse.
Re: Re: Re:3 "a digitally native or dial-up generation"???
To wit: Aaron Swartz.
Re: "a digitally native or dial-up generation"???
He wasn’t a hero, true.
But he wasn’t a criminal either. You normally go after people with the full force of the law because they aren’t heros?
Coincidence?
Isn’t it odd that the NSA info comes out at the same time that the government becomes more reasonable about IP? I’m sure it’s just a coincidence…
Does this fix the TOS violation issue?
If someone puts a false age in a facebook signup form, isn’t that circumventing a technological measure designed to exclude unauthorized individuals from obtaining information?
This text seems to be the same sort of thing as before. I thought Zoe had something better in mind.
Re: Does this fix the TOS violation issue?
She did start with something better. Here’s the text in her original draft. It needs to be put back in:
Section 1030(e)(6) of title 18, United States Code, is amended by striking ”alter;” and inserting the following: ”alter, but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;”
Re: Re: Does this fix the TOS violation issue?
Also, changing parameters in a URL should not be a crime, even if it allows access to other peoples private data.
(However the company that had such a lousy system should be liable for failing to protect customer private data).
Re: Re: Re: Does this fix the TOS violation issue?
I think a distinction needs to be made between changing a few things in a URL to visit a new “public” page and feeding information in which is known to cause a buffer overflow or SQL injection. I’m not sure exactly how you would word it. Intent probably needs to be a factor.
Has any CFAA prosecution ever obtained a conviction for terms of service?
Digital rights reforms are far more urgent since the public has been almost entirely convinced that they don’t own what they buy. Even if it isn’t written that way legally, DRM gives companies the power to achieve it in practice, and what is widely practiced tends to become the law. In other words, if people stop acting like they own things, for example allowing secondary markets for software and music to dry up, it will be easier for judges and legislatures to forget that these personal property rights ever existed.
What boggles my mind is that the CFAA hasn’t been struck down by the courts as unconstitutionally vague.
The party of stupid will be sure not to support this. If one side is for it, in this day of totally inept legislation, the other is against it.
Re: Re:
I don’t know what they have to say
It makes no difference anyway
Whatever it is… I’m against it!
No matter what it is or who commenced it
I’m against it!
Your proposition may be good
But let’s have one thing understood
Whatever it is… I’m against it!
And even when you’ve changed it or condensed it
I’m against it!
I’m opposed to it
On general principle, I’m opposed to it.
He’s opposed to it
In fact, indeed, that he’s opposed to it!
For months before my son was born
I used to yell from night to morn
Whatever it is… I’m against it!
And I’ve kept yelling since I first commenced it
I’m against it!
Re: Re: Re:
As relevant today as it was over 80 years ago.
Hi Mike,
What’s the point of pretending like you can keep me off of TD when you make a living out of ridiculing others who pretend like they can block people from doing what they want on the internet?
Seriously. I know you see the irony. But what’s the point? I post whatever I want, whenever I want. Your attempts to censor me are completely, 100% laughable and stupid.
Let me ask you this? Why do you, a man who pretends like he loves anonymity and freedom on the internet, make a point to block TOR IP addresses whenever they are used to criticize you?
Seriously. Are you so ashamed and insecure that you have to block TOR, the tool of freedom fighters who rage against dictators, to stop me from criticizing you?
Are you so scared of criticism that you think it?s worth it to block TOR exit nodes rather than receive any criticism whatsoever?
You?re just like China. And you fucking know it.
You are doing whatever you can to censor those who challenge you. Just like China. And you fucking know it.
Toodles!
Re: Re:
Fucking irrelevant asshole. Go have yourself an aneurysm.
Re: Re:
There’s no irony. Mike posts articles rightly ridiculing people who use censorship to stop innovation. Your false accusations are harrassment, and not innovative in any way.
If you were an honest person, your posts of “whatever I want, whenever I want” would be posts that add to the discussion, not taunts and cowardly accusations.
Blocking juvenile, immature morons who lie, slander and harrass without legitimate reason is NOT censorship.
You’re in the wrong. And you fucking know it.
That’s right, folks! As soon as Mike realizes that a TOR IP address is being used to criticize him–not for spam, mind you, but only for the purpose of criticizing Mike–he immediately blocks that TOR IP address from being able to post on Techdirt.
That’s right. Mr. Mike “Internet Freedom and Anonymity” Masnick is so scared of personal criticism that he’d rather block a TOR exit node–the tool of dissidents who criticize their oppressors–rather than leave the TOR IP address open to those who may want to criticize him or others on Techdirt.
Protector of freedom on the internet? You decide. His actions are just like those of an insecure dictator, and he knows it. Mike is just like China, feverishly oppressing those who dare to speak out against him.
Re: Re:
I like that you are spamming a denial that you are spamming. The dissonance is staggering.
Re: Re:
I might be wrong, but can’t a TOR exit node be any possible IP address? Anyone can run an exit node right?
See the link that Mike is so ashamed of that he’s trying to censor it–just like a Chinese dictator: http://pastebin.com/5VUv7utm
Re: Re:
Re: Re: Re:
And using TOR. Maybe he’s Seamus.
Meanwhile, on the original topic: if you ask me, violating the CFAA should require fraudulently obtaining and using, or fraudulently bypassing the check for, an access credential such as a password. Merely accessing a service’s public interface shouldn’t qualify. Gaining privilege on the server by exploiting a bug, or running a dictionary attack on password hashes to log in as someone else, those are the things the law is supposed to be about.
Re: Re:
You’d have to have a right to actually post here for it to be censorship. You don’t have that right. It’s a private site.
Aaron Swartz didn’t commit suicide. He was killed after being targeted. I am also targeted. As a little message, these people hung him on my birthday. There are some psychopathic monsters in our government whom feel justified killing anyone for any reason.
Re: Re:
There are medications that can help you. Please search them out as you are obviously a delusional whackjob.
Not really a change
I think that changing the wording likely won’t change much, except to give hackers even more leeway to claim defenses based on stretching the terms.
The current law is pretty straight – if you aren’t suppose to access it, don’t access it.
Reducing the penalties and giving hackers more outs to work with is NOT a good change to the law. It would appear that this is mostly the usual grandstanding political types using Aaron’s death for political advantage and points. That is sad.
CFAA + NSA surveillance = bad news
Something struck me.
Th CFAA says things such as checking personal email at work, or presumably reading non-work related websites at work (as I’m doing just now – but shhhhh) could mean jail time.
Never mind the size of your lobsters, ever made a personal phonecall from work?
Still think you have nothing to hide?
what is so annoying is that this sort of screw up seems to be done intentionally. whenever a new law comes in, it is always with the vaguest of terms and the most unclear language. it seems as if until something extreme happens, everyone in Congress is quite happy to have a law, whatever it may be concerning, left as open as possible, so that as many idiotic options are covered. laws are meant to do specific things. they are not meant to be blankets covering a multitude of sins. if more laws are needed, so be it but be exact with the ones brought in so everyone, Congress included, know what each one is for! this man took his own life because of the pathetic way the CFAA was written and then left! it was definitely the wrong thing to do but think about what the alternative scenario could have been. someone, one of the brightest brains in the US pursued by a DA not because of the outrageous crime he had committed but because the option was there and she took it, rather than being sensible, because she saw the opportunity of personal advancement in her career, and then if convicted or striking a deal, perhaps thrown into prison for the most ridiculous of reasons.
Congress need to sit back a bit and think what they have been doing, think about what they are going to do and how they are going to do it before enacting. they have made a lot of mistakes, some intentionally, but it isn’t them that suffer. it needs to stop now!!