Introducing Aaron’s Law, a Desperately Needed Reform of the Computer Fraud and Abuse Act

The Internet is up for grabs.
Foreign countries want to control it. Military regimes use it to spy, to oppress, and to attack public and private institutions. ‘Big Content’ sought to censor it and dismantle its architecture. Law enforcement and intelligence agencies want to mine and monitor it. Powerful incumbent business interests seek to shape it in ways that benefit their bottom line but undermine the national interest and the interests of individuals worldwide.
In each of these areas, there is debate in Congress about how to respond. We need an informed public debate to ensure lawmakers make the right choices that fully preserve the vital openness of the Internet and the privacy and civil liberties of its users. Reforming the Computer Fraud and Abuse Act (CFAA) should be a part of that debate.
The CFAA is a sweeping Internet regulation that criminalizes many forms of common Internet use. It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open Internet as a platform for ideas and commerce, reforming the CFAA must be included.

The Law Is Flawed and Prone to Prosecutorial Abuse

Vagueness is the core flaw of the CFAA. As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You’re not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.
So lying about one’s age on Facebook, or checking personal email on a work computer, could violate this felony statute. This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation. Millions of Americans — whether they are of a digitally native or dial-up generation — routinely submit to legal terms and agreements every day when they use the Internet. Few have the time or the ability to read and completely understand lengthy legal agreements.
Another flaw in the CFAA is redundant provisions that enable a person to be punished multiple times … for the same crime. These charges can be stacked one on top of another, resulting in the threat of higher cumulative fines and jail time for the exact same violation.
This allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act. It also plays a significant role in sentencing. The ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may in fact make it possible for defendants to be sentenced based on what should be prior convictions — but were nothing more than multiple convictions for the same crime.
These problems are not hypothetical. But it took the unfortunate death of Aaron Swartz to spotlight them.

Aaron’s Law

In January, Aaron Swartz, an Internet innovator and activist, decided to end his brief but brilliant life. At the time, Swartz faced the possibility of severe punishment under the CFAA — multiple felony charges and up to 35 years in prison by the government’s own declaration – for what amounted to an act of civil disobedience. Aaron attempted to make documents, many created with public funding, freely available to the public.
But Aaron Swartz was not the first or the last victim of overzealous prosecution under the CFAA.
That’s why we’re authoring bipartisan legislation — which, with the permission of Aaron Swartz’s family, we call “Aaron’s Law” — in the House and Senate to begin the process of updating the CFAA.
Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks. It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.
In drafting Aaron’s Law — the text of which is available here, along with a detailed summary here – we did not opt for a quick fix of the CFAA that could bring with it unintended consequences.
Instead, we undertook a deliberative process for crafting this legislation. We posted drafts of the bill on Reddit to solicit public feedback. And that feedback informed revisions and solicitation of further feedback. We reviewed extensive input from a broad swath of technical experts, businesses, advocacy groups, current and former government officials, and the public. The result is a proposal that we believe, if enacted into law, safeguards commonplace online activity from overbroad prosecution and overly harsh penalties, while ensuring that real harmful activity is discouraged and fully prosecuted.
The law must separate its treatment of everyday Internet activity from criminals intent on causing serious damage to financial, social, civic, or security institutions. Our proposal attempts to accomplish this and address the fundamental problems of CFAA by doing the following:
Establish that mere breach of terms of service, employment agreements, or contracts is not an automatic violation of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron’s Law would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption, or locked office doors. Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron’s Law does not modify.
Bring balance back to the CFAA by eliminating a redundant provision of the law that can subject an individual to duplicate charges for the same CFAA violation. This is, in fact, what happened to Aaron Swartz — more than a third of the charges in the superseding indictment against him were under this redundant CFAA provision. Eliminating the redundant provision streamlines the law, reduces duplicative charges, but would not create a gap in protection against hackers.
Bring greater proportionality to CFAA penalties. Currently, the CFAA’s penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances — leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). For example, under current law a prosecutor can seek to inflate potential sentences by stacking new charges atop violations of state laws. Aaron’s Law would reform the penalty for certain violations to ensure prosecutors cannot seek to inflate sentences by stacking multiple charges under CFAA, including state law equivalents of CFAA, and torts (non-criminal violations of law).

By Zoe Lofgren and Ron Wyden