Attacks/Breaches
6/21/2013
12:46 PM
50%
50%

'Aaron's Law' Seeks Hacking Legislation Reform

Following Aaron Swartz's suicide, revamp of Computer Fraud and Abuse Act would restrict federal prosecutions from prosecuting minor "acceptable use" violations.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
A proposed law would retool the Computer Fraud and Abuse Act (CFAA) so that it couldn't be used to prosecute people for some minor offenses, such as breaking a website's terms of service.

Dubbed "Aaron's Law," the bipartisan legislation was written by Rep. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.), who said they solicited input from a broad number of sources, including public comments on drafts of the bill posted on Reddit.

The bill is named for Reddit co-founder Aaron Swartz, who committed suicide in December 2012 after being charged with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer and unauthorized access. He faced over 35 years in prison and a $1 million fine.

Lofgren and Sen. Ron Wyden (D-Ore.), in a Wired editorial published Thursday, said their CFAA revisions would "establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA."

[ Which security practices are worth implementing? Read Security ROI: 5 Practices Analyzed. ]

"By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron's Law would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls -- such as password requirements, encryption, or locked office doors," they wrote. "Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron's Law does not modify."

The Center for Democracy and Technology (CDT), a civil rights advocacy group, said it supports the proposed CFAA changes. "CDT supported similar improvements that passed out of the Senate Judiciary Committee in September 2011 with bipartisan support," said a CDT statement. "'Aaron's Law' improves upon the prior Senate effort in a variety of ways, including by taking the additional step of removing duplicative portions of the law that enable prosecutors to double-charge certain computer crimes and rack up massive penalties."

"Only people who break into computers by circumventing technical restrictions should be prosecuted as computer criminals," said Kevin Bankston, director of the Center for Democracy and Technology's Free Expression Project, in a statement.

Legal experts have long derided CFAA for its imprecise language, which has resulted in some court cases in which a company's network terms of service was a benchmark for what constituted criminal behavior.

But if the proposed CFAA changes had been in place, would they have prevented federal prosecutors from pursuing Swartz, who was charged with using a laptop in 2010 to access the Massachusetts Institute of Technology (MIT) on-campus network and download nearly 5 million academic journal articles from JSTOR? Swartz, formerly a fellow at the Harvard University Safra Center for Ethics, pleaded not guilty to the charges, and had characterized the downloading as an act of civil disobedience. He'd also turned over all copies of the documents, without distributing them, to JSTOR, which said it considered the matter to be closed. But federal prosecutors, backed by MIT, subsequently filed charges against him.

Following Swartz's death, his family accused prosecutors of "intimidation and prosecutorial overreach," and said the multiple waves of charges had helped drive Swartz to commit suicide. The lead federal prosecutor in Swartz's case, Carmen Ortiz, defended the charges against Swartz, although she suggested that prosecutors would have sought only a six-month jail term.

The apparent mental brinkmanship practiced by the prosecutors in Swartz's case lead to widespread calls for CFAA to be reformed, in particular to rein in what critics saw as prosecutorial excess.

The White House, however, has previously resisted attempts to restrict the CFAA. In September 2011, associate deputy attorney general James A. Baker told Congress that the Obama administration would resist all attempts to restrict CFAA language for using "exceeds authorized access" as a benchmark for determining if a crime had been committed, saying it was essential for prosecuting insider attacks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9209
Published: 2015-03-30
Untrusted search path vulnerability in the Clean Utility application in Rockwell Automation FactoryTalk Services Platform before 2.71.00 and FactoryTalk View Studio 8.00.00 and earlier allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.