Aaron’s Law to amend the CFAA
Monday, June 24, 2013 at 10:00 am by Kyla Kuvach
Representative Zoe Lofgren (D-CA) and Senator Ron Wyden (D-OR) have drafted legislation called Aaron’s Law, which aims to correct the outdated and overly aggressive Computer Fraud and Abuse Act (CFAA).
The bill is named after the late Aaron Swartz, the young internet genius who took his own life in January in the face of vindictive prosecution for supposed CFAA violations committed in the public interest.
The CFAA has acted as a passé legal dragnet, criminalizing many forms of internet abuse in an inefficient and heavy-handed way. In an article in Wired magazine introducing Aaron’s Law to the public, Lofgren and Wyden characterize the core flaw of the CFAA as its vagueness. The CFAA currently makes it criminal to access a computer knowingly without authorization or in a way that exceeds authorization.
Reflecting on the ambiguity of that standard, Lofgren and Wyden write:
“Confused…? You’re not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.”
Many internet users have probably (at one point or another) hastily scrolled from top to bottom of a website’s terms of service, checked the “I Agree” box, and continued on to their destination without any idea what terms they just agreed to. Is it fair that the CFAA deems this lack of diligence a felony?
Another issue that Aaron’s Law aims to tackle is the potential for redundant provisions, that is, the possibility of being charged multiple times for the same crime. Aaron Swartz suffered this exact abuse from the CFAA, which penalized him numerous times for what amounted to an act of civil disobedience, leaving him facing multiple felony charges and up to 35 years in prison.
These redundant provisions, as exhibited in Swartz’s case, ultimately snowball and can result in excessively high jail time. Wyden and Lofgren also argue that redundant provisions allow the prosecutor to bully defendants into taking a deal (generally not in their favor) to avoid facing a multitude of charges from a single act, as Aaron faced.
Aaron’s Law would encourage three main changes to the CFAA. The first, as the co-authors define it, is that Aaron’s Law would: “Establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA…Aaron’s Law would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls.”
This would clarify that individuals innocently breaking terms of service, for example, would not be committing a felony – rather the law would be rewritten specifically to target “hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses,” continuing to make these prosecutable.
The second change would be to “Bring balance back to the CFAA by eliminating a redundant provision of the law that can subject an individual to duplicate charges for the same CFAA violation.” This is much like the third change, which aims to “Bring greater proportionality to CFAA penalties.”
Together, these two alterations would eliminate duplicate charges, while also keeping the charges reasonably fitting for the crime. Lofgren and Wyden characterize the current state of penalties by saying they “are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances — leaving little room for non-felony charges under CFAA.” Aaron’s Law would keep prosecutions fair and ensure redundant charges would not be stacked against a defendant.
Lofgren and Wyden summarize the importance of Aaron’s Law by writing:
Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks. It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.
The law must separate its treatment of everyday Internet activity from criminals intent on causing serious damage to financial, social, civic, or security institutions.
Much in the spirit of Aaron Swartz himself, the co-authors of the new legislation made the very act of drafting the law a democratic process. They shared rough drafts of the legislation on Reddit, encouraging edits and feedback from the public. They also solicited feedback from tech experts, businesses, advocacy groups and political leaders, and now bring it to the House and Senate as bipartisan legislation. This is truly legislation for the people and by the people.
Lofgren and Wyden end their defense of Aaron’s Law by writing: “Today, there’s an entire generation of digitally-native young people that have never known a world without an open Internet and their ability to use it as a platform to develop and share ideas. It’s up to all of us to keep it that way.”
Read a section-by-section summary of Aaron’s Law, and stay informed about Lofgren and Wyden’s progress in the House and Senate.