Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers

from the someone-buy-these-senators-a-clue dept

Yesterday, we wrote about an important new bill, Aaron’s Law, from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It’s a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you’re unaware, the CFAA is supposed to be a law to be used against people doing malicious hacking, but the wording is so broad and problematic, it has been used against people for merely violating the terms of service on a website, or someone using a work computer for non-work-related items — which could lead to excessively long jail terms. The reason Aaron’s Law is named that is because of Aaron Swartz, the guy that Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR — despite the fact that he did so on the MIT campus where the campus had a site license that allowed anyone on their network to download all the JSTOR papers.

As we noted in our post, there are still some who are pushing in the other direction — and they didn’t waste much time. The very same day that Aaron’s Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a “We Should Have Threatened Aaron With More Years In Jail” Act. Okay, technically it’s called the Data Breach Notification and Punishing Cyber Criminals Act — and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither link to it, and Congress’s website has a placeholder saying that it hasn’t received the actual text yet either. Hopefully that will change soon.*

It’s bizarre that they’re lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone’s focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a “throw in.” The quotes, however, on this part of the bill are ridiculous. Here’s Senator Kirk‘s press release:

This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims.

And Senator Gillibrand’s:

The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud.

It’s the whole “obtaining information from a protected computer without authorization” that is a serious concern here, as that’s part of what’s been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used repeatedly for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in time from crazily high to insanely high isn’t going to change a damn thing. And if these two Senators can’t understand that, they shouldn’t be touching the CFAA at all.

* As an aside, it’s plainly ridiculous for anyone to announce a new bill without releasing the actual text. Even more ridiculous: in searching for the text of the actual bill on both Senators websites, I note that the very first item highlighted on Senator Gillibrand’s website is “Transparency” where it says “Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results.” Well, you know what might helps with that transparency? If you actually release the text of the bills you’re introducing when you introduce them so that people can take a look at them.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Data breach notifications are the wrong solution

Data breaches are usually not the issue, and notifications are almost never the right solution. The right solution is to provide ways to mitigate the damage caused by a breach and to make information obtained from the breach not useful to the unauthorized parties. For example, establish in law that knowing a name+SSN is not proof that you are that person. Back it up by publishing the name+SSN pair of every person.

Uriel-238 (profile) says:

Re: Shadow laws, Shadow interpretations, Shadow courts

In the 1970s, 80s and 90s eras of cyberpunk near-future sci-fi, these things were the clear indicators that you lived in a dystopia, much like secret police and SWAT raids were the hallmarks of a Soviet-Union-style tyranny.

Kinda like when the villain kills a minion for failure or kills a traitor or spy in a particularly heinous way to show how evil he is. Piranha tanks, jet engines, decompression chambers, industrial machinery. That sort of thing.

Anonymous Coward says:

Re: Rest of the story: by sneaking into a closet, without paying MIT fees.

  1. Harvard students are allowed access to MIT’s networks without paying additional fees. 2. Sneaking into a networking closet is not a felony, and the state charges related to that were dropped. 3. Swartz made no indications of his intent with the JSTOR papers; you’re just speculating. Since the Constitution forbids prior restraint, he was not charged with any crimes related to intending to release the papers publicly, but rather with crimes somewhat related to his accessing of JSTOR computers and MIT networks. JSTOR settled with Swartz out of court, but MIT and the DOJ decided to to make an example of him.

    Prosecutors love to get people like you on their grand juries; you’re incapable of distinguishing ad hominem from facts relevant to the actual charges.

Anonymous Coward says:

‘ they’re lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues’

this is exactly the sort of thing that Senators think they should be doing, putting people in prison for minor law breaking, but for longer terms. it’s about time USA citizens woke up and realised what sort of nation it is becoming, one where the security forces are only there to do what they want and the bidding of some politicians. it never dawns on anyone until they are actually in the position of being accused of something. by then it’s too late!

eye sea ewe says:

Offending against the CFAA

Question: How likely is it for either/both of these Senators or their staff to have offended the CFAA?

If it is reasonable to expect that they or their staff (or even families) to have offended against the CFAA, then arrange for charges to be laid against them, their staff or families. We will then see how long it takes for them to change their minds.

Of course, they could be like the local staff at my local representative and see no problem with themselves being charge and imprisoned based solely on accusation. But then I did find their stance appeared to be based on their fear of the bogey man.

David says:

Oh come on.

If you were serious about prosecuting unauthorized access, you’d not have let the FBI spy on staffers’ computers and remove files from them without consequence.

This is not about preventing injustice. It is about giving the DoJ more ammunition to keep the populace at bay.

If you want to see how this works, compare Snowden with Petraeus. One alerted the American public to ongoing crimes against the Constitution, the other, in a position of power, traded state secrets for sex and an embellishment of his autobiography. Guess who of the two is now state enemy number one and who got away with probation?

Since the government has a lot of secrets to hide from its employer, the people, you can bet your sweet ass that the principal application of these laws will be to fight democracy and to punish people who expose government crimes, particularly those committed in cahoots with corporate and military crime lords.

Just Another Anonymous Troll says:

Somebody should set up a computer terminal at the Capitol building with a “Please do not use” sign on it. When a Congresscritter (preferably a supporter of this crap) uses it, the terminal drops him into a prison for 40 years, strips him of his voting and gun rights, and brands him with a scarlet H for Hacker. Problem solved.

Susan Swartz says:

Anti-Aaron's Law

Thank you for publicizing this attempt by my own Senator Mark Kirk and Senator Kirsten Gillebrand to propose an anti Aaron’s Law bill. As the mother of Aaron Swartz, I am highly offended by this grandstanding attack on a legitimate bill already introduced. They are on the wrong side of this issue and should be working with their colleagues to reduce CFAA penalties!
I would ask everyone to call their offices–Help flood the offices of Senators Kirsten Gillibrand (212-688-6262) and Mark Kirk (202-224-2854)–to protest the introduction of the anti-Aaron’s Law bill.

Anonymous Coward says:

Re: Anti-Aaron's Law

I agree that the penalties are already severe enough, if not too severe. Reducing penalties is a tough sell, though, especially to the computer-illiterate folks on the warpath against “teenaged hackers”. I think also it is going to be difficult because the kind of situations the CFAA and wire fraud laws were supposed to be for are things like espionage, embezzlement, and bank robbery. In that light, some people think no punishment is harsh enough.

Kent (user link) says:

Anti-Aaron's Law

Comments from the Congressional Record:

By Mr. KIRK (for himself and Mrs. Gillibrand):
S. 1027. A bill to require notification of information security
breaches and to enhance penalties for cyber criminals, and for other
purposes; to the Committee on Commerce, Science, and Transportation.
Mrs. GILLIBRAND. Mr. President, I rise to speak about two bipartisan
bills that would help to modernize the way this country approaches
cyber security.
Congress needs to get with the times and realize that the Internet is
no longer a new concept. Swiping a credit card, conducting online
banking, storing prescription records online–these are not new
activities. The cloud is no longer new. Hackers are no longer new. So
why are we still so taken aback, in shock, every time we suffer another
major cyber attack? Why are we still not requiring that consumers be
notified when their information has been stolen? Why aren’t we
unleashing law enforcement to go after cyber criminals?
If we want to defend against 21st-century threats, then we have to
bring our laws into the 21st century. We have to get out of the mindset
that the only way we can be hurt is from an actual physical attack.
Hackers don’t operate on battlefields; they operate in basements and in
Our approach to cyber security so far has been certifiably wrong. We
have the largest defense budget in the world by far, but that hasn’t
stopped our hospitals and banks from falling victim to a near constant
barrage of attacks. Last year, data breaches in this country hit a
record high; they were up more than 27 percent from the year before. In
New York State, between 2006 and 2013, we had nearly 5,000 individual
data breaches that were reported by businesses, not-for-profits, and
government entities. In the same period, 23 million personal records of
New Yorkers were exposed to criminals. And that is just my home State.
Imagine how big that number actually is nationwide.
We are long overdue for a new national approach to cyber security,
and I am introducing two bills that would finally make this happen. The
first is the Data Breach Notification and Punishing Cyber Criminals
Act. It would set, for the first time, a national standard for how and
when victims of cyber attacks will be informed. When an attack takes
place on a business, for example, one that has your financial data or
medical information, this law would require that you be informed
quickly, with information about what was targeted, what was taken, and
whether you were personally affected. This bill would seriously
increase the penalties on people found guilty of hacking and cyber
crime. It would raise the allowable fines and imprisonment sentences
for many of the most common cyber crimes, including identity theft and
theft of personal information.
The second bill is the Cybersecurity Information Sharing Credit Act–
a bill that would incentivize America’s businesses to share cyber
security information critical to preventing attacks, without having to
involve their competitors. Instead, businesses would be encouraged,
with significant tax credits, to adopt the preferred, most efficient
method for information sharing; that is, membership in private, sector-
specific cyber security networks designed to protect an industry, such
as health care and hospitals, from attack. At the individual level,
companies, hospitals, and banks can only do so much to protect us. Any
good cyber defense has to involve information sharing so that patterns
can be recognized, industries can bolster their defenses, and the same
hacks aren’t just repeated over and over again.
To modernize America’s approach to cyber security, we as individuals
have to take action, companies have to take action, law enforcement has
to take action, and local governments must take action. Most
importantly and most urgently, Congress has to take action. We
desperately need to modernize our cyber security laws. I urge my
colleagues to support these two bills.

Anonymous Coward says:

Re: Re:

And what is that worth? A local misdemeanor trespass or breaking and entering charge at worst—a charge which he actually got and which was dropped. I bet he jaywalked, rode his bike unsafely, and frowned at a small child, too, but I recognize that those things are not felonies, let alone wire fraud or CFAA violations.

GEMont (profile) says:

Re: Re:

He was working for Lessig at Harvard and could have done his business there. He didn’t because Lessig told him not to.

Too true. He used an unauthorized network for peaceful purposes, against his employer’s expressed wishes.

So lets charge anyone who does such horrible, heinous things, as use an unauthorized network for peaceful purposes against his employer’s wishes, with 100 years of incarceration among horny, bisexual, career criminals, and add on as many other false but frightening criminal charges as we can find, in order to get the perp to admit to the lesser charges of raping the President’s pet sheep repeatedly and assassinating 200 imaginary first graders in their sleep.

Now that’s real American Justice in action.

Meanwhile General Patreaus walks.

GEMont (profile) says:

Its what it did not say, that counts.

“Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results.”

And as astounding as this may sound, this is absolutely true.

The senator knows for a fact that openness and transparency would lead to accountability and better results.

This apparent truth is known as a lie by omission.

The statement simply fails to mention that he and his political friends are all more than willing to go to almost any lengths to prevent that career killing accountability and to insure that anything that leads to better results for the American People is limited to only those Americans in his circle of rich friends and cronies, and their corporate partners and bosses.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...