The so-called "Aaron's Law," named after the late activist Aaron Swartz, is back before US Congress having been reintroduced on Wednesday in both houses.
Silicon Valley rep Zoe Lofgren (D-CA) and tech-savvy senator Ron Wyden (D-OR) have put the legislation on the table a second time after it was effectively ignored last session. The bill has also gained the backing of presidential candidate Rand Paul.
Its namesake, Aaron Swartz faced up to 35 years in jail, and a $1m fine, for downloading five million articles from the academic journal repository JSTOR from the MIT campus – which has a site-wide license to the material. It was alleged he broke into a closet of campus network equipment, and slipped in a laptop that fetched articles from JSTOR.
As a result of his actions, Swartz was arrested under breaking-and-entering charges under state law, and then prosecuted under federal law for 11 violations of the CFAA – actions that many felt were wholly out of proportion to what he actually did.
Swartz turned down a plea bargain that would have seen him sentenced to six months in jail; the day after his counteroffer was rejected, he was found dead in his New York apartment having hanged himself.
The CFAA was enacted 25 years ago, and does not reflect today's realities, according to the politicians. "Numerous and recent instances of heavy-handed prosecutions for non-malicious computer crimes have raised serious questions as to how the law treats violations of terms of service, employer agreement or website notices," an official statement from Wyden et al read.
The senator also said: "Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files" - a reference to the controversial CIA hacking of the Senate Intelligence Committee's computers last year. He went on: "The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution. Aaron’s Law would curb this abuse while still preserving the tools needed to prosecute malicious attacks."
In her statement on the reintroduction, Lofgren said: "The Computer Fraud and Abuse Act is long overdue for reform. At its very core, CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities."
As well as Swartz's example, some security researchers have complained that they have been threatened with the CFAA after testing networks for vulnerabilities.
The meat of it
The bill would make three broad changes to the CFAA:
- Pull terms of service, employment agreements and contracts out of the CFAA, and use language from relevant court opinions to draw a distinction between hacking and unauthorized access. Hacking such as phishing, introducing malware, and DDoS attacks, would still be within the CFAA.
- Pull out the ability to file duplicate charges.
- Remove the ability for prosecutors to increase the penalties and charges as a way to force a deal.
Wyden's team has produced a breakdown of the bill and its changes.
As to the bill's success, that remains uncertain. As well as Lofgren, Wyden and Paul, it has a number of co-sponsors including Jim Sensenbrenner (R-Wis.), Mike Doyle (D-Pa.), Dan Lipinski (D-Ill.) and Jared Polis (D-Colo.). In that sense, it is a bipartisan bill, which should make its passage easier.
But during the last time around, Lofgren expressed frustration when chairman of the House Judiciary Committee Bob Goodlatte said he supported CFAA reform but refused to discuss or vote on the bill. Goodlatte is still chairman of the committee. ®