Lawmakers revive support for Aaron's Law to reform anti-hacking statute

The bill named for late Internet activist Aaron Swartz, who committed suicide while facing charges under the Computer Fraud and Abuse Act, aims to restrict prosecutorial actions for crimes related to hacking.

For Taren Stinebrickner-Kauffman, the Computer Fraud and Abuse Act is deeply personal.

In 2011, her partner, the Internet activist Aaron Swartz, snuck into a wiring closet at the Massachusetts Institute of Technology and downloaded millions of scholarly articles from an online database. He was later arrested and prosecutors charged him with violations under the fraud and abuse act that carried up to 35 years in prison. Before any trial or deal with federal prosecutors, however, Mr. Swartz, 26, committed suicide.

Swartz's friends, family members, and fellow activists blamed his death on an overzealous prosecution and a harsh application of the federal anti-hacking statute.

As a result, in June 2013, Rep. Zoe Lofgren (D) of California introduced a bill known as "Aaron's Law" to reform the Computer Fraud and Abuse Act (CFAA), which critics such as the Electronic Frontier Foundation have long complained has been so abused that it stifles security research and hampers innovation.

“I lost my partner and best friend because of unfair and absurd prosecution under the CFAA,” says Ms. Stinebrickner-Kauffman. “Aaron's Law would make it impossible for prosecutors to abuse their power in the same way.”

The bill failed to pass after it was first presented but has another shot as a bipartisan group of congressional legislators reintroduced Aaron’s Law last week to limit the scope of the current anti-hacking statute and restrict prosecutorial action for certain CFAA violations. It would also make it impossible to press charges for violating a terms-of-service agreement or an employer’s computer use policy.

Congress wrote the CFAA in 1984, when it was impossible to imagine the ways ordinary people now use computers every day. That makes it long overdue for an upgrade, according to Mark Jaycox of the Electronic Frontier Foundation.

“The CFAA was originally intended to cover the hacking of defense department and bank computers, but it's been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. [The reform] bill is a step forward as it makes key fixes in a law that has for years been misinterpreted because of its vague definitions,” Mr. Jaycox says.

Swartz’s case brought the CFAA and its problems to public attention. But the law has long been controversial among activists, legal scholars, and security experts. Many say its broad definitions criminalize legitimate security research.

“Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” Sen. Ron Wyden (D) of Oregon, a cosponsor of the bill, said in a press release last Tuesday. “The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution."

One example is so-called "gray-hat" hacking. Under the current fraud and abuse act, a researcher could face charges for testing a computer system's security in a way that exceeds authorized access — even if the researcher does so without malicious intent and notifies the system's owner about any security holes. Many believe that makes Internet less secure because only malicious hackers look for vulnerabilities.

"Keeping quiet means that the flaw will go unremedied and potentially could be exploited by someone who does have criminal intent," the Electronic Frontier Foundation writes in its "Grey Hat" guide.

In another example, prosecutors used the CFAA to convict a technology professional named Bret McDanel after he anonymously e-mailed customers of his former employer, a webmail company, about a major security hole in its e-mail system. Prosecutors later asked a judge to vacate Mr. McDanel's conviction, but only after he'd served 16 months in prison.

Aaron’s Law would stop many, though not all, of those prosecutions.

The proposed legislation affects three main aspects of the CFAA. First, it would take out redundant charges so prosecutors can't charge someone with two violations for the same crime. 

Second, it would only increase jail time for repeat offenders. That would keep prosecutors from inflating a sentence by adding multiple charges.

Finally, the bill removes language that makes it a crime to "exceed authorized access,” meaning even terms of service. Instead, it would criminalize “access without authorization.” To meet that standard, a user would have to break into a system – what we usually think of when we say “hacking.”

But CFAA reform is just one small part of fixing much bigger problems with regard to how current laws deal with the rapid growth of technology and the Internet, says Stinebrickner-Kauffman.

"There are a whole patchwork of laws that are 20, 30 years outdated that don’t make sense given the structure of the contemporary Internet," she says. "[Aaron's Law] is not going to fix all of those things, but it’s certainly going to take us one-step forward into the 21st Century."