Today, after input from Reddit and the Internet-at-large, Rep. Zoe Lofgren, along with Sen. Ron Wyden, will finally introduce Aaron's Law to Congress, reports Wired. The law, if passed, would clarify the scope of CFAA crimes to exclude violations of terms of service and instead would require a breach of security, either virtual (such as passwords or encryption cracking) or physical. It would also reduce potential penalties by removing redundant provisions.
Ironically enough, the revision to the the oft-criticized pre-Internet computer "hacking" law may not have excluded the acts undertaken by the late Aaron Swartz. Despite that, it seems to be a much-needed step towards modernizing our nation's cyber-security laws.
For those unfamiliar with Aaron Swartz, the Internet activist and computer programmer was indicted under the CFAA after he went beyond the terms of service for JSTOR and downloaded too many articles, all in an attempt to publish those articles for free online. When he was banned from his school's wireless network, he allegedly snuck his laptop, in a box, into a closet and hooked up to the network via a wired connection.
That physical breach of security would likely still qualify as a crime under the proposed revised CFAA. However, the violation of JSTOR's terms of service, and other absurd possibilities, like turning teenage Cosmo readers into felons, would be eliminated from the law's coverage. Equally important is the change to the penalty provisions. Per the bill summary:
- Under 1030(a)(4), a person who knowingly and with intent to defraud accesses a protected computer without authorization and obtains anything of value over $5,000 can be punished with a fine and imprisonment for not more than five years.
- Under 1030(a)(2)(C), a person who intentionally accesses a computer without authorization and obtains information valued at more than $5,000 from any protected computer can be punished with a fine and imprisonment for not more than five years.
The two provisions greatly overlap. The former provision would be eliminated. Another provision, 1030(c)(2), is a sentencing enhancement for repeat offenders. It's application would be narrowed to "subsequent offense[s]." In its present form, it could be interpreted to enhance penalties for multiple current offenses.
At the time Swartz committed suicide, he was facing up to 35 years in prison, as well as millions of dollars in potential fines. By eliminating redundancy in the penalty provisions, it reduces the possibility of prosecutorial over-charging in order to force a plea bargain.
One final important note: though the revision would remove penalties for going beyond one's allowed access (such as downloading too many JSTOR articles, or accessing prohibited websites at work), other laws already cover the most severe offenses to which the former law would've applied, such as theft of trade secrets, wire fraud, copyright law, and unauthorized removal and retention of classified material.
- Aaron's Law - Proposed Bill Text (Congresswoman Zoe Lofgren)
- Rep. Zoe Lofgren Introduces 'Aaron's Law' to Amend CFAA (FindLaw's Technologist)
- The ECPA is So Bad Republicans, ACLU, Unify to Fix It (FindLaw's Technologist)