from the can-we-get-this-one-done-already? dept
Lofgren and Wyden have now reintroduced Aaron's Law, and this time they've added Senator Rand Paul as a sponsor, which is interesting to see (especially as he courts the tech industry). They also have a nice group of co-sponsors, including Reps. Jim Sensenbrenner, Mike Doyle, Dan Lipinski, Jared Polis and Beto O'Rourke. Here are the three key things the new bill does, according to Lofgren:
- Establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under the strong CFAA provisions this bill does not modify.
- Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.
- Bringing greater proportionality to CFAA penalties. Currently, the CFAA's penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.