Attacks/Breaches
6/21/2013
12:46 PM
Connect Directly
RSS
E-Mail
50%
50%

'Aaron's Law' Seeks Hacking Legislation Reform

Following Aaron Swartz's suicide, revamp of Computer Fraud and Abuse Act would restrict federal prosecutions from prosecuting minor "acceptable use" violations.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
A proposed law would retool the Computer Fraud and Abuse Act (CFAA) so that it couldn't be used to prosecute people for some minor offenses, such as breaking a website's terms of service.

Dubbed "Aaron's Law," the bipartisan legislation was written by Rep. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.), who said they solicited input from a broad number of sources, including public comments on drafts of the bill posted on Reddit.

The bill is named for Reddit co-founder Aaron Swartz, who committed suicide in December 2012 after being charged with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer and unauthorized access. He faced over 35 years in prison and a $1 million fine.

Lofgren and Sen. Ron Wyden (D-Ore.), in a Wired editorial published Thursday, said their CFAA revisions would "establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA."

[ Which security practices are worth implementing? Read Security ROI: 5 Practices Analyzed. ]

"By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron's Law would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls -- such as password requirements, encryption, or locked office doors," they wrote. "Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron's Law does not modify."

The Center for Democracy and Technology (CDT), a civil rights advocacy group, said it supports the proposed CFAA changes. "CDT supported similar improvements that passed out of the Senate Judiciary Committee in September 2011 with bipartisan support," said a CDT statement. "'Aaron's Law' improves upon the prior Senate effort in a variety of ways, including by taking the additional step of removing duplicative portions of the law that enable prosecutors to double-charge certain computer crimes and rack up massive penalties."

"Only people who break into computers by circumventing technical restrictions should be prosecuted as computer criminals," said Kevin Bankston, director of the Center for Democracy and Technology's Free Expression Project, in a statement.

Legal experts have long derided CFAA for its imprecise language, which has resulted in some court cases in which a company's network terms of service was a benchmark for what constituted criminal behavior.

But if the proposed CFAA changes had been in place, would they have prevented federal prosecutors from pursuing Swartz, who was charged with using a laptop in 2010 to access the Massachusetts Institute of Technology (MIT) on-campus network and download nearly 5 million academic journal articles from JSTOR? Swartz, formerly a fellow at the Harvard University Safra Center for Ethics, pleaded not guilty to the charges, and had characterized the downloading as an act of civil disobedience. He'd also turned over all copies of the documents, without distributing them, to JSTOR, which said it considered the matter to be closed. But federal prosecutors, backed by MIT, subsequently filed charges against him.

Following Swartz's death, his family accused prosecutors of "intimidation and prosecutorial overreach," and said the multiple waves of charges had helped drive Swartz to commit suicide. The lead federal prosecutor in Swartz's case, Carmen Ortiz, defended the charges against Swartz, although she suggested that prosecutors would have sought only a six-month jail term.

The apparent mental brinkmanship practiced by the prosecutors in Swartz's case lead to widespread calls for CFAA to be reformed, in particular to rein in what critics saw as prosecutorial excess.

The White House, however, has previously resisted attempts to restrict the CFAA. In September 2011, associate deputy attorney general James A. Baker told Congress that the Obama administration would resist all attempts to restrict CFAA language for using "exceeds authorized access" as a benchmark for determining if a crime had been committed, saying it was essential for prosecuting insider attacks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.