12:46 PM

'Aaron's Law' Seeks Hacking Legislation Reform

Following Aaron Swartz's suicide, revamp of Computer Fraud and Abuse Act would restrict federal prosecutions from prosecuting minor "acceptable use" violations.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
A proposed law would retool the Computer Fraud and Abuse Act (CFAA) so that it couldn't be used to prosecute people for some minor offenses, such as breaking a website's terms of service.

Dubbed "Aaron's Law," the bipartisan legislation was written by Rep. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wis.), who said they solicited input from a broad number of sources, including public comments on drafts of the bill posted on Reddit.

The bill is named for Reddit co-founder Aaron Swartz, who committed suicide in December 2012 after being charged with 13 felony violations, including wire fraud, computer fraud, "recklessly damaging" a computer and unauthorized access. He faced over 35 years in prison and a $1 million fine.

Lofgren and Sen. Ron Wyden (D-Ore.), in a Wired editorial published Thursday, said their CFAA revisions would "establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA."

[ Which security practices are worth implementing? Read Security ROI: 5 Practices Analyzed. ]

"By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron's Law would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls -- such as password requirements, encryption, or locked office doors," they wrote. "Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron's Law does not modify."

The Center for Democracy and Technology (CDT), a civil rights advocacy group, said it supports the proposed CFAA changes. "CDT supported similar improvements that passed out of the Senate Judiciary Committee in September 2011 with bipartisan support," said a CDT statement. "'Aaron's Law' improves upon the prior Senate effort in a variety of ways, including by taking the additional step of removing duplicative portions of the law that enable prosecutors to double-charge certain computer crimes and rack up massive penalties."

"Only people who break into computers by circumventing technical restrictions should be prosecuted as computer criminals," said Kevin Bankston, director of the Center for Democracy and Technology's Free Expression Project, in a statement.

Legal experts have long derided CFAA for its imprecise language, which has resulted in some court cases in which a company's network terms of service was a benchmark for what constituted criminal behavior.

But if the proposed CFAA changes had been in place, would they have prevented federal prosecutors from pursuing Swartz, who was charged with using a laptop in 2010 to access the Massachusetts Institute of Technology (MIT) on-campus network and download nearly 5 million academic journal articles from JSTOR? Swartz, formerly a fellow at the Harvard University Safra Center for Ethics, pleaded not guilty to the charges, and had characterized the downloading as an act of civil disobedience. He'd also turned over all copies of the documents, without distributing them, to JSTOR, which said it considered the matter to be closed. But federal prosecutors, backed by MIT, subsequently filed charges against him.

Following Swartz's death, his family accused prosecutors of "intimidation and prosecutorial overreach," and said the multiple waves of charges had helped drive Swartz to commit suicide. The lead federal prosecutor in Swartz's case, Carmen Ortiz, defended the charges against Swartz, although she suggested that prosecutors would have sought only a six-month jail term.

The apparent mental brinkmanship practiced by the prosecutors in Swartz's case lead to widespread calls for CFAA to be reformed, in particular to rein in what critics saw as prosecutorial excess.

The White House, however, has previously resisted attempts to restrict the CFAA. In September 2011, associate deputy attorney general James A. Baker told Congress that the Obama administration would resist all attempts to restrict CFAA language for using "exceeds authorized access" as a benchmark for determining if a crime had been committed, saying it was essential for prosecuting insider attacks.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-12
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.

Published: 2015-10-12
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol.

Published: 2015-10-12
Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241.

Published: 2015-10-12
The process-management implementation in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to gain privileges by terminating a supervised process and then triggering the restart of a process by the root account, aka Bug ID CSCuv12272.

Published: 2015-10-12
HP 3PAR Service Processor SP 4.2.0.GA-29 (GA) SPOCC, SP 4.3.0.GA-17 (GA) SPOCC, and SP 4.3.0-GA-24 (MU1) SPOCC allows remote authenticated users to obtain sensitive information via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.