Aaron's Law would revamp computer fraud penalties
Two U.S. lawmakers have introduced a bill that would prevent the Department of Justice from prosecuting people for violating terms of service for Web-based products, website notices or employment agreements under the Computer Fraud and Abuse Act (CFAA).
On Thursday, Representative Zoe Lofgren, a California Democrat, and Senator Ron Wyden, an Oregon Democrat, introduced Aaron’s Law, a bill aimed at removing some types of prosecutions under the CFAA.
The bill is named after Internet activist Aaron Swartz, who committed suicide in January while facing federal prosecution for allegedly hacking into a Massachusetts Institute of Technology network and downloading millions of scholarly articles from the JSTOR subscription service.
The bill would remove the charge of “exceeds authorized access” from the CFAA, instead creating a definition for “access without authorization.” Access without authorization would include bypassing technology and physical measures through deception or through gaining access to an authorized person’s credentials.
“Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks,” Lofgren and Wyden wrote in a joint statement. “It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.”
The bill would also narrow the penalty enhancement provisions in the CFAA, making it tougher for prosectors to seek enhanced penalties for crimes involving little financial gain.
Lofgren released a draft bill to amend the CFAA back in January, days after Swartz killed himself. The sponsors of the bill posted drafts on Reddit.
Digital rights groups have called on lawmakers to soften the CFAA after prosecutors in Massachusetts threatened Swartz with a lengthy jail sentence.
“In drafting Aaron’s Law ... we did not opt for a quick fix of the CFAA that could bring with it unintended consequences,” Wyden and Lofgren wrote. “Instead, we undertook a deliberative process for crafting this legislation. We reviewed extensive input from a broad swath of technical experts, businesses, advocacy groups, current and former government officials, and the public.”
Demand Progress, the digital rights group Swartz cofounded, praised the legislation.
“Since we lost Aaron in January there have been good days and there have been bad days,” David Segal, the group’s executive director, said in an email. “This is a good day. When Aaron’s Law is signed into law it will mean that Aaron will continue to do in death what he always did in life, protect the freedoms and rights of all people.”
The Center for Democracy and Technology also applauded the bill.
“Breaking a promise is not the same as breaking into a computer, and fibbing about your age on Facebook shouldn’t be a federal crime,” Kevin Bankston, director of CDT’s Free Expression Project, said in an email. “The courts, sensibly, have already started to reject prosecutors’ attempts to charge computer crimes based on violation of a website’s terms of service or an employer’s computer use policy. Aaron’s Law’ would eliminate any ambiguity and make those courts’ decisions the law of the land.”