Attacks/Breaches
6/21/2013
12:46 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

'Aaron's Law' Seeks Hacking Legislation Reform

Following Aaron Swartz's suicide, revamp of Computer Fraud and Abuse Act would restrict federal prosecutions from prosecuting minor "acceptable use" violations.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
A proposed law would retool the Computer Fraud and Abuse Act (CFAA) so that it couldn't be used to prosecute people for some minor offenses, such as breaking a website's terms of service.

Dubbed "Aaron's Law," the bipartisan legislation was written by Rep. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.), who said they solicited input from a broad number of sources, including public comments on drafts of the bill posted on Reddit.

The bill is named for Reddit co-founder Aaron Swartz, who committed suicide in December 2012 after being charged with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer and unauthorized access. He faced over 35 years in prison and a $1 million fine.

Lofgren and Sen. Ron Wyden (D-Ore.), in a Wired editorial published Thursday, said their CFAA revisions would "establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA."

[ Which security practices are worth implementing? Read Security ROI: 5 Practices Analyzed. ]

"By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron's Law would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls -- such as password requirements, encryption, or locked office doors," they wrote. "Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron's Law does not modify."

The Center for Democracy and Technology (CDT), a civil rights advocacy group, said it supports the proposed CFAA changes. "CDT supported similar improvements that passed out of the Senate Judiciary Committee in September 2011 with bipartisan support," said a CDT statement. "'Aaron's Law' improves upon the prior Senate effort in a variety of ways, including by taking the additional step of removing duplicative portions of the law that enable prosecutors to double-charge certain computer crimes and rack up massive penalties."

"Only people who break into computers by circumventing technical restrictions should be prosecuted as computer criminals," said Kevin Bankston, director of the Center for Democracy and Technology's Free Expression Project, in a statement.

Legal experts have long derided CFAA for its imprecise language, which has resulted in some court cases in which a company's network terms of service was a benchmark for what constituted criminal behavior.

But if the proposed CFAA changes had been in place, would they have prevented federal prosecutors from pursuing Swartz, who was charged with using a laptop in 2010 to access the Massachusetts Institute of Technology (MIT) on-campus network and download nearly 5 million academic journal articles from JSTOR? Swartz, formerly a fellow at the Harvard University Safra Center for Ethics, pleaded not guilty to the charges, and had characterized the downloading as an act of civil disobedience. He'd also turned over all copies of the documents, without distributing them, to JSTOR, which said it considered the matter to be closed. But federal prosecutors, backed by MIT, subsequently filed charges against him.

Following Swartz's death, his family accused prosecutors of "intimidation and prosecutorial overreach," and said the multiple waves of charges had helped drive Swartz to commit suicide. The lead federal prosecutor in Swartz's case, Carmen Ortiz, defended the charges against Swartz, although she suggested that prosecutors would have sought only a six-month jail term.

The apparent mental brinkmanship practiced by the prosecutors in Swartz's case lead to widespread calls for CFAA to be reformed, in particular to rein in what critics saw as prosecutorial excess.

The White House, however, has previously resisted attempts to restrict the CFAA. In September 2011, associate deputy attorney general James A. Baker told Congress that the Obama administration would resist all attempts to restrict CFAA language for using "exceeds authorized access" as a benchmark for determining if a crime had been committed, saying it was essential for prosecuting insider attacks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2014-0778
Published: 2014-04-19
The TCPUploader module in Progea Movicon 11.4 before 11.4.1150 allows remote attackers to obtain potentially sensitive version information via network traffic to TCP port 10651.

CVE-2014-1974
Published: 2014-04-19
Directory traversal vulnerability in LYSESOFT AndExplorer before 20140403 and AndExplorerPro before 20140405 allows attackers to overwrite or create arbitrary files via unspecified vectors.

CVE-2014-1983
Published: 2014-04-19
Unspecified vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x before 3.1.1 allows remote attackers to cause a denial of service (CPU consumption) via unknown vectors.

Best of the Web