Today, Reps. Zoe Lofgren and Jim Sensenbrenner, and Sen. Ron Wyden introduced Aaron’s Law, a bipartisan bill to reform the Computer Fraud and Abuse Act (CFAA), the law notoriously used in the aggressive prosecution of the late Aaron Swartz. Lofgren and Sensenbrenner's bill draws from EFF’s own proposal written in the wake of Aaron’s tragic death and fixes some of the main problems with the CFAA. You can tell your representative to support common sense changes to the CFAA by going here.
For years, the CFAA has been widely abused by prosecutors to hamper security research, stifle innovation, and lock away for years people who have caused little or no economic harm. The CFAA was originally intended to cover the hacking of defense department and bank computers, but it's been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. We’ve written extensively about the need for CFAA reform and Aaron’s Law is a great first step.
First, Lofgren and Sensenbrenner's bill deletes the vague phrase “exceeds authorized access” and clarifies the definition of “access without authorization,” key fixes in a law that has for years been misinterpreted because of its vague definitions. By fixing these definitions, the bill incorporates judgments from the Fourth and Ninth circuits, which held that access in violation of private contracts, like employer agreements and terms of service, is not a criminal offense under the CFAA.
This is a great step forward. The Department of Justice has aggressively argued for an interpretation of the law that would criminalize website terms of service violations. As the Ninth Circuit court explained, under the DOJ’s dangerous—and incorrect—interpretation, “posting for sale an item prohibited by Craigslist's policy, or describing yourself as ‘tall, dark and handsome’ when you're actually short and homely, will earn you a handsome orange jumpsuit.”
Without this change, the government could've prosecuted everyday Americans for low-level terms of service violations, like accessing your friend's Facebook page, or, for a time, reading Seventeen Magazine when you are under 18 years old. In short, everyone would be a criminal, leaving it up to the government to decide when and where to bring down the hammer.
The bill also addresses provisions that have allowed the Justice Department to use the statute too aggressively by deleting one of the CFAA's redundant clauses and lowering its penalties in specific situations. Both are crucial factors that lead to overzealous prosecutions like the ones seen in Andrew ‘Weev’ Auernheimer and Swartz's cases, where multiple felony counts were stacked on top of each other for the same underlying action and where both defendants faced decades in jail for “crimes” that caused little or no economic harm.
While Aaron’s Law is clearly an improvement, it is important to point out that it’s far from perfect. We would have liked to see an additional redundant provision cut from the CFAA and more penalty reductions to the draconian scheme currently in the CFAA—notably, the bill sensibly removed the ability to bootstrap penalties in one clause, but not three others.
In order to protect security researchers, innovators and ordinary citizens who take measures to protect their privacy, we have also asked (PDF) for a clause that would clarify that your efforts to mask or hide your real name, personally identifiable information or device identifier (like IP address or MAC address) are not criminal in and of themselves.
But common sense changes to the CFAA are needed to update the law and bring it in line with recent court rulings, and this bill is a great start. Now it's time for Congress to act. Tell your representatives to support common sense CFAA reform.