Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Ore.) introduced legislation on Thursday to reform the Computer Fraud and Abuse Act, or CFAA, a law that outlines cybersecurity rules and laws.
Named “Aaron’s Law” after freedom-of-information advocate Aaron Swartz — who committed suicide after federal prosecutors targeted him for downloading academic journals and articles from a subscription database, JSTOR, and publishing them online for free — the bill was created to lessen the number of Americans punished under the CFAA.
While the CFAA has been used to prevent and prosecute whistleblowers such as Bradley Manning, Jeremy Hammond and other average Americans, it is not typically used against government officials who are spying on U.S. citizens. Instead, the U.S. government often cites laws such as the Patriot Act and the Foreign Intelligence Surveillance Act of 1978 as legal documents that allow them to conduct surveillance on American citizens — tapping into their phone records, emails and social media accounts to gather information they say is necessary for national security.
In an op-ed for Wired magazine, Lofgren and Wyden introduced their bill and explained why they believed the CFAA needed reform.
“The CFAA is a sweeping Internet regulation that criminalizes many forms of common Internet use,” they wrote. “It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open Internet as a platform for ideas and commerce, reforming the CFAA must be included.”
Under the CFAA, lying about one’s age on Facebook could land a person in jail, as could checking a personal email account while at work. That unclear language of the CFAA was cited by Lofgren and Wyden as the “core flaw” of the legislation and the main reason they were introducing their bill.
Since the CFAA also has a clause that allows a person to be punished multiple times for the same crime, jail time and fines for the same violation can increase quickly.
Lofgren and Wyden say they find this feature of the law “allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act. It also plays a significant role in sentencing. The ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may in fact make it possible for defendants to be sentenced based on what should be prior convictions — but were nothing more than multiple convictions for the same crime.”
Aaron’s Law
“Aaron Swartz was not the first or the last victim of overzealous prosecution under the CFAA,” Lofgren and Wyden wrote. “Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks. It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.”
In their bill, which they asked for input on from the general public, Lofgren and Wyden have three main changes they would like to make to the current law.
The first change alters the meaning of “access without authorization” to encompass only the act of breaking passwords and circumventing encryptions. The second change eliminates the ability to charge someone multiple times for the same violation, and the last change addresses how prosecutors decide the severity of a violation of the CFAA.
“For example, under current law a prosecutor can seek to inflate potential sentences by stacking new charges atop violations of state laws. Aaron’s Law would reform the penalty for certain violations to ensure prosecutors cannot seek to inflate sentences by stacking multiple charges under CFAA, including state law equivalents of CFAA, and torts (non-criminal violations of law).”
Aaron’s Law has the backing of a wide variety of groups, including technical experts, businesses, advocacy groups, current and former government officials, and the general public.
Prosecution response
As Lofgren and Wyden worked to write Aaron’s Law, they often shared their progress and drafts with the public in order to get support and feedback. However, this highly public tactic opened up Aaron’s Law to criticism from Lofgren and Wyden’s peers, which the two attempted to address.
“Although we do not wish to create any new vulnerabilities, the overbroad approach currently taken by the CFAA potentially criminalizes millions of Americans for common Internet activity. Moreover, numerous laws like Theft of Trade Secrets, the Privacy Act, copyright law, the Stored Communications Act, wire fraud, and HIPAA already criminalize misuse of information.”
The lawmakers said they were open to additional input, but insisted that something has to be done.
“We live in an age where people connect globally by simply touching a device in the palm of their hand, empowered by online advances that have enriched the world scientifically, culturally, and economically,” they wrote. “Today, there’s an entire generation of digitally-native young people that have never known a world without an open Internet and their ability to use it as a platform to develop and share ideas. It’s up to all of us to keep it that way.”