Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers

from the someone-buy-these-senators-a-clue dept

Yesterday, we wrote about an important new bill, Aaron's Law, from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It's a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you're unaware, the CFAA is supposed to be a law used against people doing malicious hacking, but the wording is so broad and problematic that it has been used against people for merely violating the terms of service on a website, or for using a work computer for non-work-related items -- which could lead to excessively long jail terms. Aaron's Law is named for Aaron Swartz, the guy who Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR -- despite the fact that he did so on the MIT campus, where the campus had a site license that allowed anyone on its network to download all the JSTOR papers.

As we noted in our post, there are still some who are pushing in the other direction -- and they didn't waste much time. The very same day that Aaron's Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a "We Should Have Threatened Aaron With More Years In Jail" Act. Okay, technically it's called the Data Breach Notification and Punishing Cyber Criminals Act -- and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither links to it, and Congress's website has a placeholder saying that it hasn't received the actual text yet either. Hopefully that will change soon.*

It's bizarre that they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone's focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a "throw in." The quotes, however, on this part of the bill are ridiculous. Here's Senator Kirk's press release:
"This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims."
And Senator Gillibrand's:
"The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud."
It's the whole "obtaining information from a protected computer without authorization" part that is a serious concern here, as that's part of what's been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in jail from crazily high to insanely high isn't going to change a damn thing. And if these two Senators can't understand that, they shouldn't be touching the CFAA at all.

* As an aside, it's plainly ridiculous for anyone to announce a new bill without releasing the actual text. Even more ridiculous: in searching for the text of the actual bill on both Senators' websites, I note that the very first item highlighted on Senator Gillibrand's website is "Transparency" where it says "Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results." Well, you know what might help with that transparency? If you actually release the text of the bills you're introducing when you introduce them so that people can take a look at them.

Filed Under: aaron swartz, cfaa, cfaa reform, hacking, kirsten gillibrand, mark kirk


Reader Comments

  • Anonymous Coward, 23 Apr 2015 @ 12:57pm

    As we have learned from our current drug policy, longer mandatory jailtime has been applied fairly, and done wonders for the number of addicts in the US.

  • Peter, 23 Apr 2015 @ 12:59pm

    Tough Times ahead, then

    ... for the NSA?

  • Ed, 23 Apr 2015 @ 1:05pm

    Well unauthorized access to computers is punishable, NSA by that standard, are the biggest criminals ever, by those standards.

  • Anonymous Coward, 23 Apr 2015 @ 1:14pm

    Data breach notifications are the wrong solution

    Data breaches are usually not the issue, and notifications are almost never the right solution. The right solution is to provide ways to mitigate the damage caused by a breach and to make information obtained from the breach not useful to the unauthorized parties. For example, establish in law that knowing a name+SSN is not proof that you are that person. Back it up by publishing the name+SSN pair of every person.

  • Almost Anonymous, 23 Apr 2015 @ 1:20pm

    Shadow laws

    * As an aside, it's plainly ridiculous for anyone to announce a new bill without releasing the actual text.
    Almost as ridiculous as having a secret "alternate interpretation" of an existing law that nobody is allowed to know about. But that would never happen, right?

    Right?!?

    • Uriel-238, 26 Apr 2015 @ 10:52am

      Shadow laws, Shadow interpretations, Shadow courts

      In the 1970s, 80s and 90s eras of cyberpunk near-future sci-fi, these things were the clear indicators that you lived in a dystopia, much like secret police and SWAT raids were the hallmarks of a Soviet-Union-style tyranny.

      Kinda like when the villain kills a minion for failure or kills a traitor or spy in a particularly heinous way to show how evil he is. Piranha tanks, jet engines, decompression chambers, industrial machinery. That sort of thing.

  • Anonymous Coward, 23 Apr 2015 @ 1:26pm

    Rest of the story: by sneaking into a closet, without paying MIT fees.

    Key facts needed to understand why Swartz was charged. He went to some trouble to get indicted, wasn't out of the blue.

  • Anonymous Coward, 23 Apr 2015 @ 1:28pm

    Rest of the story: by sneaking into a closet, without paying MIT fees.

    And to "liberate" data.

    Key facts needed to understand why Swartz was charged. He went to some trouble to get indicted, wasn't out of the blue.

    • Anonymous Coward, 26 Apr 2015 @ 5:51am

      Re: Rest of the story: by sneaking into a closet, without paying MIT fees.

      1. Harvard students are allowed access to MIT's networks without paying additional fees. 2. Sneaking into a networking closet is not a felony, and the state charges related to that were dropped. 3. Swartz made no indications of his intent with the JSTOR papers; you're just speculating. Since the Constitution forbids prior restraint, he was not charged with any crimes related to intending to release the papers publicly, but rather with crimes somewhat related to his accessing of JSTOR computers and MIT networks. JSTOR settled with Swartz out of court, but MIT and the DOJ decided to make an example of him.

      Prosecutors love to get people like you on their grand juries; you're incapable of distinguishing ad hominem from facts relevant to the actual charges.

  • Patrick, 23 Apr 2015 @ 1:38pm

    Called Kirk's office as a constituent to let him know I oppose it, but I doubt that will stop him.

  • Anonymous Coward, 23 Apr 2015 @ 1:40pm

    ' they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues'

    This is exactly the sort of thing that Senators think they should be doing, putting people in prison for minor law breaking, but for longer terms. It's about time USA citizens woke up and realised what sort of nation it is becoming, one where the security forces are only there to do what they want and the bidding of some politicians. It never dawns on anyone until they are actually in the position of being accused of something. By then it's too late!

  • STJ, 23 Apr 2015 @ 1:57pm

    what is the bill

    "it's plainly ridiculous for anyone to announce a new bill without releasing the actual text." This is what they did with Obamacare and it had no issues passing. You have to pass it before you know what is in it.

    • Anonymous Coward, 23 Apr 2015 @ 2:35pm

      Re: what is the bill

      No, it's not what they did with Obamacare. It was mainly written by Romney and enacted in his state first. Did you forget that while you were busy playing the "Thanks Obama" card?

    • James Burkhardt, 23 Apr 2015 @ 4:10pm

      Re: what is the bill

      The Affordable Care Act was released when announced. You are conflating the (erroneous) debate that no one READ the bill with the issue of announcing a bill to the news that the news (and Congress) haven't received yet.

    • PaulT, 24 Apr 2015 @ 12:56am

      Re: what is the bill

      It's sad how many people actually believe this. It just goes to show, get a bunch of angry morons and a handy out-of-context quote, and you can get people railing against their own healthcare.

  • Spaceman Spiff, 23 Apr 2015 @ 2:19pm

    Wyden

    Too bad he voted to push forward TPP. Can we spell hypocrite? Let's see - 'h' 'y' 'p' 'o' 'c' 'r' 'i' 't' 'e'. Yep, that about does it.

  • Ed, 23 Apr 2015 @ 2:21pm

    Sad it's easier to buy a politician than a book.

  • Padpaw, 23 Apr 2015 @ 2:37pm

    Any guesses on how many are exempted from this new bill? No doubt the senators themselves are above this law they want pushed on everyone else. Probably any other government officials not including whistleblowers, the police, the courts and anyone that can buy their way out of their crimes.

  • eye sea ewe, 23 Apr 2015 @ 2:51pm

    Offending against the CFAA

    Question: How likely is it for either/both of these Senators or their staff to have offended the CFAA?

    If it is reasonable to expect that they or their staff (or even families) to have offended against the CFAA, then arrange for charges to be laid against them, their staff or families. We will then see how long it takes for them to change their minds.

    Of course, they could be like the local staff at my local representative and see no problem with themselves being charged and imprisoned based solely on accusation. But then I did find their stance appeared to be based on their fear of the bogey man.

  • Pronounce, 23 Apr 2015 @ 3:06pm

    American Justice phtt: No such thing.

    American law is predicated on the myth of an egalitarian system. Since the elite demonstrate by their actions they are above the law we have nothing like "justice for all" in this country.

    It's all about money and power. See http://www.vox.com/2014/4/11/5581272/doom-loop-oligarchy

  • Anonymous Coward, 23 Apr 2015 @ 4:22pm

    Transparency

    "Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results."

    Senator Gillibrand understands that to be a good liar, the first thing to do is pretend that you're a big believer in truth.

  • David, 24 Apr 2015 @ 3:15am

    Oh come on.

    If you were serious about prosecuting unauthorized access, you'd not have let the FBI spy on staffers' computers and remove files from them without consequence.

    This is not about preventing injustice. It is about giving the DoJ more ammunition to keep the populace at bay.

    If you want to see how this works, compare Snowden with Petraeus. One alerted the American public to ongoing crimes against the Constitution, the other, in a position of power, traded state secrets for sex and an embellishment of his autobiography. Guess who of the two is now state enemy number one and who got away with probation?

    Since the government has a lot of secrets to hide from its employer, the people, you can bet your sweet ass that the principal application of these laws will be to fight democracy and to punish people who expose government crimes, particularly those committed in cahoots with corporate and military crime lords.

  • Just Another Anonymous Troll, 24 Apr 2015 @ 5:18am

    Somebody should set up a computer terminal at the Capitol building with a "Please do not use" sign on it. When a Congresscritter (preferably a supporter of this crap) uses it, the terminal drops him into a prison for 40 years, strips him of his voting and gun rights, and brands him with a scarlet H for Hacker. Problem solved.

  • Kionae, 24 Apr 2015 @ 7:01am

    I'm very disappointed to see this coming from Senator Kirk. On the whole, he's been more palatable than our other Illinois senator (Durbin), but his support for this actually surprises me.

  • Susan Swartz, 24 Apr 2015 @ 9:52am

    Anti-Aaron's Law

    Thank you for publicizing this attempt by my own Senator Mark Kirk and Senator Kirsten Gillibrand to propose an anti Aaron's Law bill. As the mother of Aaron Swartz, I am highly offended by this grandstanding attack on a legitimate bill already introduced. They are on the wrong side of this issue and should be working with their colleagues to reduce CFAA penalties!
    I would ask everyone to call their offices--Help flood the offices of Senators Kirsten Gillibrand (212-688-6262) and Mark Kirk (202-224-2854)--to protest the introduction of the anti-Aaron's Law bill.

    • Anonymous Coward, 26 Apr 2015 @ 6:17am

      Re: Anti-Aaron's Law

      I agree that the penalties are already severe enough, if not too severe. Reducing penalties is a tough sell, though, especially to the computer-illiterate folks on the warpath against "teenaged hackers". I think also it is going to be difficult because the kind of situations the CFAA and wire fraud laws were supposed to be for are things like espionage, embezzlement, and bank robbery. In that light, some people think no punishment is harsh enough.

      • Uriel-238, 26 Apr 2015 @ 10:57am

        Actually the CFAA is supposed to stop David Lightman from playing a game

        And finding backdoors to NORAD simulation mainframes in order to do so.

        Wouldn't you prefer a good game of chess?

    • yardra, 28 Apr 2015 @ 9:27am

      Re: Anti-Aaron's Law

      I called both of them.

  • Kent, 25 Apr 2015 @ 4:21am

    Re: Anti-Aaron's Law

    Comments from the Congressional Record:

    By Mr. KIRK (for himself and Mrs. Gillibrand):
    S. 1027. A bill to require notification of information security
    breaches and to enhance penalties for cyber criminals, and for other
    purposes; to the Committee on Commerce, Science, and Transportation.
    Mrs. GILLIBRAND. Mr. President, I rise to speak about two bipartisan
    bills that would help to modernize the way this country approaches
    cyber security.
    Congress needs to get with the times and realize that the Internet is
    no longer a new concept. Swiping a credit card, conducting online
    banking, storing prescription records online--these are not new
    activities. The cloud is no longer new. Hackers are no longer new. So
    why are we still so taken aback, in shock, every time we suffer another
    major cyber attack? Why are we still not requiring that consumers be
    notified when their information has been stolen? Why aren't we
    unleashing law enforcement to go after cyber criminals?
    If we want to defend against 21st-century threats, then we have to
    bring our laws into the 21st century. We have to get out of the mindset
    that the only way we can be hurt is from an actual physical attack.
    Hackers don't operate on battlefields; they operate in basements and in
    cubicles.
    Our approach to cyber security so far has been certifiably wrong. We
    have the largest defense budget in the world by far, but that hasn't
    stopped our hospitals and banks from falling victim to a near constant
    barrage of attacks. Last year, data breaches in this country hit a
    record high; they were up more than 27 percent from the year before. In
    New York State, between 2006 and 2013, we had nearly 5,000 individual
    data breaches that were reported by businesses, not-for-profits, and
    government entities. In the same period, 23 million personal records of
    New Yorkers were exposed to criminals. And that is just my home State.
    Imagine how big that number actually is nationwide.
    We are long overdue for a new national approach to cyber security,
    and I am introducing two bills that would finally make this happen. The
    first is the Data Breach Notification and Punishing Cyber Criminals
    Act. It would set, for the first time, a national standard for how and
    when victims of cyber attacks will be informed. When an attack takes
    place on a business, for example, one that has your financial data or
    medical information, this law would require that you be informed
    quickly, with information about what was targeted, what was taken, and
    whether you were personally affected. This bill would seriously
    increase the penalties on people found guilty of hacking and cyber
    crime. It would raise the allowable fines and imprisonment sentences
    for many of the most common cyber crimes, including identity theft and
    theft of personal information.
    The second bill is the Cybersecurity Information Sharing Credit Act--
    a bill that would incentivize America's businesses to share cyber
    security information critical to preventing attacks, without having to
    involve their competitors. Instead, businesses would be encouraged,
    with significant tax credits, to adopt the preferred, most efficient
    method for information sharing; that is, membership in private, sector-
    specific cyber security networks designed to protect an industry, such
    as health care and hospitals, from attack. At the individual level,
    companies, hospitals, and banks can only do so much to protect us. Any
    good cyber defense has to involve information sharing so that patterns
    can be recognized, industries can bolster their defenses, and the same
    hacks aren't just repeated over and over again.
    To modernize America's approach to cyber security, we as individuals
    have to take action, companies have to take action, law enforcement has
    to take action, and local governments must take action. Most
    importantly and most urgently, Congress has to take action. We
    desperately need to modernize our cyber security laws. I urge my
    colleagues to support these two bills.

  • Richard Bennett, 25 Apr 2015 @ 1:21pm

    Aaron Swartz had no business using the MIT network in the first place. He was working for Lessig at Harvard and could have done his business there. He didn't because Lessig told him not to.

    • Anonymous Coward, 26 Apr 2015 @ 5:33am

      Re:

      And what is that worth? A local misdemeanor trespass or breaking and entering charge at worst—a charge which he actually got and which was dropped. I bet he jaywalked, rode his bike unsafely, and frowned at a small child, too, but I recognize that those things are not felonies, let alone wire fraud or CFAA violations.

    • GEMont, 27 Apr 2015 @ 4:23pm

      Re:

      "He was working for Lessig at Harvard and could have done his business there. He didn't because Lessig told him not to."

      Too true. He used an unauthorized network for peaceful purposes, against his employer's expressed wishes.

      So let's charge anyone who does such horrible, heinous things, as use an unauthorized network for peaceful purposes against his employer's wishes, with 100 years of incarceration among horny, bisexual, career criminals, and add on as many other false but frightening criminal charges as we can find, in order to get the perp to admit to the lesser charges of raping the President's pet sheep repeatedly and assassinating 200 imaginary first graders in their sleep.

      Now that's real American Justice in action.

      Meanwhile General Petraeus walks.

      ---

    • Anonymous Coward, 27 Apr 2015 @ 10:24pm

      Re:

      Oh, look - it's the contrarian trying to make a point!

  • Anonymous Coward, 25 Apr 2015 @ 8:48pm

    Mike, you're an idiot. Please do some research before you start making things up about the CFAA.

  • GEMont, 27 Apr 2015 @ 4:07pm

    It's what it did not say, that counts.

    "Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results."

    And as astounding as this may sound, this is absolutely true.

    The senator knows for a fact that openness and transparency would lead to accountability and better results.

    This apparent truth is known as a lie by omission.

    The statement simply fails to mention that he and his political friends are all more than willing to go to almost any lengths to prevent that career killing accountability and to ensure that anything that leads to better results for the American People is limited to only those Americans in his circle of rich friends and cronies, and their corporate partners and bosses.

    ---

  • Brenda wirtz, 6 Mar 2016 @ 8:33pm

    They're really feeds when it's your family

    I hope my brother Aaron Dodge sees this, the coward who is supposed to be a Marine I financially supported for almost a year and ALWAYS been there emotionally. I'm going to get the EVIDENCE I NEED TO HAVE YOU ARRESTED AND PROSECUTED
