Aaron Swartz

Legislators Still Trying to Reform Anti-Hacking Laws to Prevent Prosecutor Overreach

Law named after Aaron Swartz introduced again.

|

Aaron Swartz
Credit: ragesoss / photo on flickr

In 2013, legislators started crafting "Aaron's Law," named after Aaron Swartz, the open access activist who faced federal prosecution for downloading tons of academic journals from the Massachusetts Institute of Technology. After federal prosecutors dumped all sorts of charges on him, scaring him with the possibility of federal prison in order to try to get a plea deal out of him, he committed suicide.

Aaron's Law is intended to scale back the power of the Computer Fraud and Abuse Act (CFAA), legislation that was written so broadly 25 years ago that it allows the government to describe just about any unauthorized computer use as hacking and prosecute accordingly.

The law did not pass back then, but legislators are introducing it again today, with support of some names that should be familiar to tech-oriented libertarians: Sen. Ron Wyden (D-Ore.), Sen. Rand Paul (R-Ky.), Rep. Zoe Lofgren (D-Calif.), Rep. Jim Sensenbrenner (R-Wis.), Rep. Mike Doyle (D-Pa.), Rep. Dan Lipinski (D-Ill.) and Rep. Jared Polis (D-Colo.).

Wyden announced the news on his site today. Here's what the law would accomplish:

  • Establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under the strong CFAA provisions this bill does not modify.
  • Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.
  • Bringing greater proportionality to CFAA penalties. Currently, the CFAA's penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.

Wyden also tweaked the Department of Justice for not filing any charges related to the CIA's intrusion into the computers used by the Senate Intelligence Committee when putting together the torture report critical of the CIA, yet going after folks like Swartz:

Violating a smartphone app's terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files. The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution. Aaron's Law would curb this abuse while still preserving the tools needed to prosecute malicious attacks.

NEXT: DEA Chief to Step Down, Deal Reached on Human Trafficking Legislation, EU May Allow Countries to Ban GMO Crops: P.M. Links

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Legislation written by technical illiterates to rein in prosecutors who already have a litany of laws at their disposal to bully victims into resume-padding.

  2. Nice for PR, but worthless as long as prosecution is a government monopoly with immunity for rmisdeeds.

    I wish I wish I wish government would get out of the prosecution business, leave it to victims who would be held accountable by their victims in turn if they prosecute beyond reason. But I don’t have fishes in the other hand, so it’s just a rhetorical wish.

  3. The CFAAAny vaguely-written law is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution.

    Any prosecutor who promises to make a badly-written law work by using it selectively should be tased. Any legislator stupid enough to believe the prosecutor should be tased twice.

    1. Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation.

      Considering this a violation of the 5th and Double Jeopardy, they all deserve to lose their jobs.

      Considering virtually all of them consider it their job to hack the constitution, I expect nothing else to happen.

  4. Dude was a pussy.

    1. Seriously.

  5. What’s that rule about laws named after worthless people that died?

    1. Exactly. A law for a proggie, anti-capitalist, who would have happily seized and redistributed all personal wealth/property…not worthy of my empathy.

Please to post comments

Comments are closed.