Aaron’s Law and the CFAA

Aaron’s Law, much-needed reforms to computer crimes law, introduced in Congress
by Cyrus Farivar, arstechnica.com
June 20th 2013 2:45 PM
Since late January 2013, a California congresswoman has pushed for legal reforms that would revise the Computer Fraud and Abuse Act (CFAA). She dubbed these proposed changes “Aaron’s Law” because the new law’s revisions (PDF) are in honor of the late Aaron Swartz. Swartz tragically committed suicide in January 2013 after facing substantial federal charges in the wake of downloading a huge trove of academic articles.

On Thursday, Zoe Lofgren (D-CA) and Ron Wyden (D-OR) formally introduced Aaron’s Law into the House of Representatives after requesting revisions from reddit in February 2013. For the revisions to take effect, the law must pass the House and Senate and be signed by the president.

The new four-page revisions make two major changes to the existing CFAA. Lofgren outlined the first in her legislative summary (PDF):

the definition of “exceeds authorized access,” removes the phrase “exceeds authorized access” from the statute, and creates a definition for “access without authorization,” which already appears in the statute alongside “exceeds authorized access.” The proposed definition for “access without authorization” is to obtain information on a computer that the accesser lacks authorization to obtain by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.

The proposed changes make clear that the CFAA does not outlaw mere violations of terms of service, website notices, contracts, or employment agreements. The proposed definition of “access without authorization” includes bypassing technological or physical measures via deception (as in the case with phishing or social engineering), and scenarios in which an authorized individual provides a means to circumvent to an unauthorized individual (i.e. sharing login credentials). Examples of technological or physical measures include password requirements, cryptography, or locked office doors. The proposed definition of “access without authorization” is based on recent appellate rulings in the Ninth and Fourth Circuits, which are also followed by some district courts.

The second major change would limit the possible prison terms for such an offense and replace the language “conviction for another offense” with “subsequent offense.” The new language is “to ensure that the penalty enhancement is directed at repeat offenders rather than individuals facing multiple charges.”

In an op-ed published Thursday in Wired, the two lawmakers wrote:

Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks. It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.
