
Lawmakers revive support for Aaron's Law to reform anti-hacking statute

The bill named for late Internet activist Aaron Swartz, who committed suicide while facing charges under the Computer Fraud and Abuse Act, aims to restrict prosecutorial actions for crimes related to hacking.

Mary Altaffer/AP/File
Taren Stinebrickner-Kauffman, partner of the late Aaron Swartz, spoke during his memorial service in January 2013.

For Taren Stinebrickner-Kauffman, the Computer Fraud and Abuse Act is deeply personal.

In 2011, her partner, the Internet activist Aaron Swartz, snuck into a wiring closet at the Massachusetts Institute of Technology and downloaded millions of scholarly articles from an online database. He was later arrested and prosecutors charged him with violations under the fraud and abuse act that carried up to 35 years in prison. Before any trial or deal with federal prosecutors, however, Mr. Swartz, 26, committed suicide.

Swartz's friends, family members, and fellow activists blamed his death on an overzealous prosecution and a harsh application of the federal anti-hacking statute.

As a result, in June 2013, Rep. Zoe Lofgren (D) of California introduced a bill known as "Aaron's Law" to reform the Computer Fraud and Abuse Act (CFAA), which critics such as the Electronic Frontier Foundation have long complained has been so abused that it stifles security research and hampers innovation.

“I lost my partner and best friend because of unfair and absurd prosecution under the CFAA,” says Ms. Stinebrickner-Kauffman. “Aaron's Law would make it impossible for prosecutors to abuse their power in the same way.”

The bill failed to pass after it was first presented but has another shot as a bipartisan group of congressional legislators reintroduced Aaron’s Law last week to limit the scope of the current anti-hacking statute and restrict prosecutorial action for certain CFAA violations. It would also make it impossible to press charges for violating a terms-of-service agreement or an employer’s computer use policy.

Congress wrote the CFAA in 1984, when it was impossible to imagine the ways ordinary people now use computers every day. That makes it long overdue for an upgrade, according to Mark Jaycox of the Electronic Frontier Foundation.

“The CFAA was originally intended to cover the hacking of defense department and bank computers, but it's been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. [The reform] bill is a step forward as it makes key fixes in a law that has for years been misinterpreted because of its vague definitions,” Mr. Jaycox says.

Swartz’s case brought the CFAA and its problems to public attention. But the law has long been controversial among activists, legal scholars, and security experts. Many say its broad definitions criminalize legitimate security research.

“Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” Sen. Ron Wyden (D) of Oregon, a cosponsor of the bill, said in a press release last Tuesday. “The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution.”

One example is so-called "gray-hat" hacking. Under the current fraud and abuse act, a researcher could face charges for testing a computer system's security in a way that exceeds authorized access — even if the researcher does so without malicious intent and notifies the system's owner about any security holes. Many believe that makes the Internet less secure, because it means only malicious hackers look for vulnerabilities.

"Keeping quiet means that the flaw will go unremedied and potentially could be exploited by someone who does have criminal intent," the Electronic Frontier Foundation writes in its "Grey Hat" guide.

In another example, prosecutors used the CFAA to convict a technology professional named Bret McDanel after he anonymously e-mailed customers of his former employer, a webmail company, about a major security hole in its e-mail system. Prosecutors later asked a judge to vacate Mr. McDanel's conviction, but only after he'd served 16 months in prison.

Aaron’s Law would stop many, though not all, of those prosecutions.

The proposed legislation affects three main aspects of the CFAA. First, it would take out redundant charges so prosecutors can't charge someone with two violations for the same crime.

Second, it would only increase jail time for repeat offenders. That would keep prosecutors from inflating a sentence by adding multiple charges.

Finally, the bill removes language that makes it a crime to “exceed authorized access,” meaning even terms of service. Instead, it would criminalize “access without authorization.” To meet that standard, a user would have to break into a system – what we usually think of when we say “hacking.”

But CFAA reform is just one small part of fixing much bigger problems with regard to how current laws deal with the rapid growth of technology and the Internet, says Stinebrickner-Kauffman.

"There is a whole patchwork of laws that are 20, 30 years outdated that don’t make sense given the structure of the contemporary Internet," she says. "[Aaron's Law] is not going to fix all of those things, but it’s certainly going to take us one step forward into the 21st Century."
