CybersecurityLawmakers reintroduce “Aaron’s Law” to curb CFAA abuses

A bipartisan group of lawmakers have reintroduced a bill known as “Aaron’s Law,” which aims to reform the Computer Fraud and Abuse Act (CFAA). CFAA has been cited by groups such as the Electronic Frontier Foundation (EFF) as having been abused to the point where it now stifles research and innovation, as well as civil liberties.

As theChristian Science Monitor reports, the measure is intended to honor Aaron Swartz, the Reddit co-founder who was apprehended after downloading millions of scholarly articles from a Massachusetts Institute of Technology database in 2011. Following his arrest, with charges under the CFAA which might lead to a maximum sentence of thirty-five years in prison, Swartz committed suicide at age 26, leading some to charge that the aggression of prosecutors led to the his decision.

“I lost my partner and best friend because of unfair and absurd prosecution under the CFAA,” said Taren Stinebrickner-Kauffman, who has helped support Lofgren’s bill. “Aaron’s Law would make it impossible for prosecutors to abuse their power in the same way.”

Aaron’s Law was first introduced by Representative Zoe Lofgren (D–California) in 2013, but failed to pass. Now, a larger group of legislators are reintroducing it with the hope that it will “limit the scope of the current anti-hacking statute and restrict prosecutorial action for certain CFAA violations. It would also make it impossible to press charges for violating a terms-of-service agreement or an employer’s computer use policy.”

The bill would remove language that makes “exceeding authorized access” a crime and would more harshly punish repeat offenders rather than those that only do it once.

The CFAA was written in 1984, long before it was possible to imagine the ways that computers would affect the daily lives of Americans today. For example, under the current CFAA, a researcher can be charged for testing a computer system’s security in a way that exceeds what they are authorized to do, even if there is no malicious intent behind the breach — known as “grey-hat” hacking, and often leading to silence and unresolved breaches that could benefit from a proper patch.

“The CFAA was originally intended to cover the hacking of defense department and bank computers, but it’s been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. [The reform] bill is a step forward as it makes key fixes in a law that has for years been misinterpreted because of its vague definitions,” said Mark Jaycox of the EFF.

Many lawmakers agree.

“Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” said Senator Ron Wyden (D–Oregon), a cosponsor of the bill. “The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution.”

Many hope that Aaron’s Law could be one of the first steps toward a greater progress.

“There are a whole patchwork of laws that are 20, 30 years outdated that don’t make sense given the structure of the contemporary Internet,” Stinebrickner-Kauffman added. “[Aaron’s Law] is not going to fix all of those things, but it’s certainly going to take us one-step forward into the 21st Century.”