Lawmakers revive support for Aaron's Law to reform anti-hacking statute
For Taren Stinebrickner-Kauffman, the Computer Fraud and Abuse Act is deeply personal.
In 2011, her partner, the Internet activist Aaron Swartz, snuck into a wiring closet at the Massachusetts Institute of Technology and downloaded millions of scholarly articles from an online database. He was later arrested and prosecutors charged him with violations under the fraud and abuse act that carried up to 35 years in prison. Before any trial or deal with federal prosecutors, however, Mr. Swartz, 26, committed suicide.
Swartz's friends, family members, and fellow activists blamed his death on an overzealous prosecution and a harsh application of the federal anti-hacking statute.
As a result, in June 2013, Rep. Zoe Lofgren (D) of California introduced a bill known as "Aaron's Law" to reform the Computer Fraud and Abuse Act (CFAA), which critics such as the Electronic Frontier Foundation have long complained has been so abused that it stifles security research and hampers innovation.
"I lost my partner and best friend because of unfair and absurd prosecution under the CFAA," says Ms. Stinebrickner-Kauffman. "Aaron's Law would make it impossible for prosecutors to abuse their power in the same way."
The bill failed to pass after it was first presented but has another shot as a bipartisan group of congressional legislators reintroduced Aaron's Law last week to limit the scope of the current anti-hacking statute and restrict prosecutorial action for certain CFAA violations. It would also make it impossible to press charges for violating a terms-of-service agreement or an employer's computer use policy.
Congress wrote the CFAA in 1984, when it was impossible to imagine the ways ordinary people now use computers every day. That makes it long overdue for an upgrade, according to Mark Jaycox of the Electronic Frontier Foundation.
"The CFAA was originally intended to cover the hacking of defense department and bank computers, but it's been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. [The reform] bill is a step forward as it makes key fixes in a law that has for years been misinterpreted because of its vague definitions," Mr. Jaycox says.
Swartz's case brought the CFAA and its problems to public attention. But the law has long been controversial among activists, legal scholars, and security experts. Many say its broad definitions criminalize legitimate security research.
"Violating a smartphone app's terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files," Sen. Ron Wyden (D) of Oregon, a cosponsor of the bill, said in a press release last Tuesday. "The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution."
One example is so-called "gray-hat" hacking. Under the current fraud and abuse act, a researcher could face charges for testing a computer system's security in a way that exceeds authorized access, even if the researcher does so without malicious intent and notifies the system's owner about any security holes. Many believe that makes the Internet less secure because it leaves only malicious hackers looking for vulnerabilities.
"Keeping quiet means that the flaw will go unremedied and potentially could be exploited by someone who does have criminal intent," the Electronic Frontier Foundation writes in its ".
In , prosecutors used the CFAA to convict a technology professional named Bret McDanel after he anonymously e-mailed customers of his former employer, a webmail company, about a major security hole in its e-mail system. Prosecutors later asked a judge to vacate Mr. McDanel's conviction, but only after he'd served 16 months in prison.
Aaron's Law would stop many, though not all, of those prosecutions.
The bill affects three main aspects of the CFAA. First, it would take out redundant charges so prosecutors can't charge someone with two violations for the same crime.
Second, it would only increase jail time for repeat offenders. That would keep prosecutors from inflating a sentence by adding multiple charges.
Finally, the bill removes language that makes it a crime to "exceed authorized access," a phrase broad enough to cover even terms-of-service violations. Instead, it would criminalize "access without authorization." To meet that standard, a user would have to break into a system: what we usually think of when we say "hacking."
But CFAA reform is just one small part of fixing much bigger problems with regard to how current laws deal with the rapid growth of technology and the Internet, says Stinebrickner-Kauffman.
"There are a whole patchwork of laws that are 20, 30 years outdated that don't make sense given the structure of the contemporary Internet," she says. "[Aaron's Law] is not going to fix all of those things, but it's certainly going to take us one step forward into the 21st Century."