Aaron's Law Reintroduced To Try To Reform Dangerous, Broken Anti-Hacking Law

from the can-we-get-this-one-done-already? dept

We’ve written in the past how Rep. Zoe Lofgren and Senator Ron Wyden had introduced “Aaron’s Law” (named after Aaron Swartz) as a way to fix the very broken CFAA law, which was used to throw the book at Swartz for downloading too many JSTOR journal articles on MIT’s campus (where anyone on the network is allowed to download whatever they want from JSTOR). Swartz later committed suicide, which many blame on the aggressive prosecution against him (I hesitate to join those who do so, as you never know all the factors that went into the decision). Still, the CFAA has long needed a massive overhaul, as the law is frequently abused by law enforcement to threaten massive penalties for rather routine activities on a computer network.

Lofgren and Wyden have now reintroduced Aaron’s Law, and this time they’ve added Senator Rand Paul as a sponsor, which is interesting to see (especially as he courts the tech industry). They also have a nice group of co-sponsors, including Reps. Jim Sensenbrenner, Mike Doyle, Dan Lipinski, Jared Polis and Beto O’Rourke. Here are the three key things the new bill does, according to Lofgren:

  • Establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on 9th and 4th Circuit Court opinions, the bill would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls ? such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under the strong CFAA provisions this bill does not modify.
  • Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.
  • Bringing greater proportionality to CFAA penalties. Currently, the CFAA’s penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.

Frankly, I’d like to see CFAA reform go even further, but this is a good (and necessary) start. If you agree, you should let your own elected officials know that this is a bill worth supporting. Unfortunately, the White House is pushing a terribly bad update to the CFAA that won’t actually fix the problems with it and could make the bill even worse. The DOJ, for example, remains a big fan of the CFAA and would like to see it expanded so it can be used more widely. At the same time, some large tech companies, like Oracle, have worked hard to prevent any significant CFAA reform, because they want to be able to use the law themselves. In other words, meaningful CFAA reform, no matter how strongly needed, is nowhere near a sure thing.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Aaron's Law Reintroduced To Try To Reform Dangerous, Broken Anti-Hacking Law”

Subscribe: RSS Leave a comment

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...