Attacks/Breaches
6/21/2013
12:46 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

'Aaron's Law' Seeks Hacking Legislation Reform

Following Aaron Swartz's suicide, revamp of Computer Fraud and Abuse Act would restrict federal prosecutions from prosecuting minor "acceptable use" violations.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
A proposed law would retool the Computer Fraud and Abuse Act (CFAA) so that it couldn't be used to prosecute people for some minor offenses, such as breaking a website's terms of service.

Dubbed "Aaron's Law," the bipartisan legislation was written by Rep. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.), who said they solicited input from a broad number of sources, including public comments on drafts of the bill posted on Reddit.

The bill is named for Reddit co-founder Aaron Swartz, who committed suicide in December 2012 after being charged with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer and unauthorized access. He faced over 35 years in prison and a $1 million fine.

Lofgren and Sen. Ron Wyden (D-Ore.), in a Wired editorial published Thursday, said their CFAA revisions would "establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA."

[ Which security practices are worth implementing? Read Security ROI: 5 Practices Analyzed. ]

"By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron's Law would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls -- such as password requirements, encryption, or locked office doors," they wrote. "Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron's Law does not modify."

The Center for Democracy and Technology (CDT), a civil rights advocacy group, said it supports the proposed CFAA changes. "CDT supported similar improvements that passed out of the Senate Judiciary Committee in September 2011 with bipartisan support," said a CDT statement. "'Aaron's Law' improves upon the prior Senate effort in a variety of ways, including by taking the additional step of removing duplicative portions of the law that enable prosecutors to double-charge certain computer crimes and rack up massive penalties."

"Only people who break into computers by circumventing technical restrictions should be prosecuted as computer criminals," said Kevin Bankston, director of the Center for Democracy and Technology's Free Expression Project, in a statement.

Legal experts have long derided CFAA for its imprecise language, which has resulted in some court cases in which a company's network terms of service was a benchmark for what constituted criminal behavior.

But if the proposed CFAA changes had been in place, would they have prevented federal prosecutors from pursuing Swartz, who was charged with using a laptop in 2010 to access the Massachusetts Institute of Technology (MIT) on-campus network and download nearly 5 million academic journal articles from JSTOR? Swartz, formerly a fellow at the Harvard University Safra Center for Ethics, pleaded not guilty to the charges, and had characterized the downloading as an act of civil disobedience. He'd also turned over all copies of the documents, without distributing them, to JSTOR, which said it considered the matter to be closed. But federal prosecutors, backed by MIT, subsequently filed charges against him.

Following Swartz's death, his family accused prosecutors of "intimidation and prosecutorial overreach," and said the multiple waves of charges had helped drive Swartz to commit suicide. The lead federal prosecutor in Swartz's case, Carmen Ortiz, defended the charges against Swartz, although she suggested that prosecutors would have sought only a six-month jail term.

The apparent mental brinkmanship practiced by the prosecutors in Swartz's case lead to widespread calls for CFAA to be reformed, in particular to rein in what critics saw as prosecutorial excess.

The White House, however, has previously resisted attempts to restrict the CFAA. In September 2011, associate deputy attorney general James A. Baker told Congress that the Obama administration would resist all attempts to restrict CFAA language for using "exceeds authorized access" as a benchmark for determining if a crime had been committed, saying it was essential for prosecuting insider attacks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web