Lofgren and Wyden introduce "Aaron's Law"
BY Miranda Neubauer | Thursday, June 20 2013
Rep. Zoe Lofgren (D-Calif.) and Senator Ron Wyden (D-Ore.) announced in a Wired piece Thursday that they are introducing House and Senate legislation called Aaron's Law to reform the Computer Fraud and Abuse Act - the law under which late Internet activist Aaron Swartz faced multiple felony charges and the possibility of up to 35 years in prison for downloading around 5 million JSTOR articles without authorization.
The legislation introduced in the House is co-sponsored by Rep. Jim Sensenbrenner (R-Wis.), Rep. Mike Doyle (R-Pa.), Rep. Yvette Clarke (D-NY) and Rep. Jared Polis (D-Col.), according to Lofgren's communications director, Duncan Neasham.
The main goal of the legislation is to address vagueness in the law in order to reduce the possibility of prosecutorial overreach, Lofgren and Wyden write in Wired.
"As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You’re not alone," they write. "Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time."
Lofgren and Wyden suggest that as written, lying about one's age on Facebook or checking personal e-mail on a work computer could violate the felony statute. "This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation," they write.
They also say that redundant provisions in the law allow punishment of a person multiple times for the same crime, which they suggest can lead to excessive sentencing. Under Aaron's Law, the CFAA would be rolled back, setting, for example, a higher legal standard for criminal liability in the case of violating terms of service, according to a summary on Lofgren's website. The bill would also change the definition of some terms that appear in the current law, like "access without authorization."
The bill would also change sentencing and penalty provisions for computer crimes.
"Aaron’s Law would reform the penalty for certain violations to ensure prosecutors cannot seek to inflate sentences by stacking multiple charges under CFAA, including state law equivalents of CFAA, and torts (non-criminal violations of law)," according to Lofgren and Wyden.
The final draft of the legislation was informed by feedback from Reddit and by discussions with technical experts, businesses, advocacy groups, current and former government officials and the public
David Segal, executive director of Demand Progress, which has campaigned for Aaron's Law and for "fixing" the CFAA, praised the legislation in an e-mail. Swartz was a co-founder of Demand Progress.
"We're very excited to have a bill, and to have a broad coalition of organizations from across the spectrum who believe that these changes -- lowering penalties and making it clear that terms of service breaches aren't crimes -- need to be made," he wrote.
Support also came from the Center for Democracy and Technology.
“The courts, sensibly, have already started to reject prosecutors’ attempts to charge computer crimes based on violation of a web site’s terms of service or an employer’s computer use policy," Kevin Bankston, Director of CDT's Free Expression Project, said in a statement. "‘Aaron’s Law’ would eliminate any ambiguity and make those courts’ decisions the law of the land. Only people who break into computers by circumventing technical restrictions should be prosecuted as computer criminals.”
But others say the bill would go too far.
The Software Alliance issued a statement calling the legislation "flawed."
"Everyone agrees that lying about your age on Facebook shouldn’t be a felony, but ‘Aaron’s Law’ is a flawed solution to that problem,” BSA Director of Government Relations Tim Molino said in the statement. "Tying liability to theft that involves ‘knowingly circumventing technological or physical measures’ is out of step with the technology innovations driving today’s economy."
He added that rolling back protections in the CFAA might force companies to spend time securing their networks and support systems, which, he suggested, might slow the pace of innovation.
"It is especially troubling at a time when hacking and intellectual property theft are rampant — weakening cybercrime laws would be like handing out keys to the castle," Molino said in the statement.
In their Wired piece, Lofgren and Wyden note that while the CFAA allows private parties to sue violators, this possibility is not present in other statutes. They write that they have heard concerns from companies that the law would make it difficult for them to protect proprietary information from insider theft, such as a case where an authorized individual uses their own password to access and use information in an unauthorized way, and are open to discussions to address those concerns.
Lofgren plans to participate in a Netroots Nation panel entitled Carrying on Aaron Swartz’s Legacy this Friday that also includes Sen. Mark Begich (D-Ak.) and David Segal.