Lofgren, Sensenbrenner and Wyden introduce Aaron’s Law

Writing in Wired, two of the new bipartisan bill’s authors, Zoe Lofgren and Ron Wyden, explain that “The CFAA [Computer Fraud and Abuse Act] is a sweeping Internet regulation that criminalizes many forms of common Internet use. It allows breathtaking levels of prosecutorial discretion that invites serious abuse.” In Aaron Swartz’s case, he faced the prospect of spending much of the rest of his life behind bars because he illegally downloaded academic papers from JSTOR via the MIT computer network – an act, say Lofgren and Wyden, that amounted to nothing more than ‘civil disobedience’.

The main problem with the CFAA, suggest Lofgren and Wyden, is ‘vagueness’: “the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization.” But it doesn’t adequately describe what this means, and prosecutors can consequently claim that violation of a website’s terms of service deserves a prison sentence. “So lying about one’s age on Facebook, or checking personal email on a work computer,” say Lofgren and Wyden, “could violate this felony statute.”

Aaron’s Law, they say, “is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks. It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.” To draft it, they turned to a newer form of democratic participation – online crowdsourcing.

“We posted drafts of the bill on Reddit to solicit public feedback. And that feedback informed revisions and solicitation of further feedback. We reviewed extensive input from a broad swath of technical experts, businesses, advocacy groups, current and former government officials, and the public. The result is a proposal that we believe, if enacted into law, safeguards commonplace online activity from overbroad prosecution and overly harsh penalties, while ensuring that real harmful activity is discouraged and fully prosecuted.” Both the text and a detailed summary are available online.

The Electronic Frontier Foundation broadly supports the bill, but would like it to go further. “While Aaron’s law is clearly an improvement, it is important to point out that it’s far from perfect.” For example, it says, “In order to protect security researchers, innovators and ordinary citizens who take measures to protect their privacy, we have also asked (PDF) for a clause that would clarify that your efforts to mask or hide your real name, personally identifiable information or device identifier – like IP address or MAC address – are not criminal in and of themselves.”

Ironically, while US legislators are trying to soften the Computer Fraud and Abuse Act, EU legislators are going in the opposite direction. The European Parliament is expected to vote on a so-called ‘anti-hacking directive’ next month; but the directive does not differentiate between white-hat and black-hat hacking. As a result, security researchers who discover flaws in vendor software and websites could find themselves prosecuted under the new law. “This will result in cases against these individuals, who pose no real security threat and play an important role in strengthening the internet, whilst failing to properly deal with real cyber criminals,” commented German MEP Jan Philipp Albrecht.

While Lofgren, Sensenbrenner and Wyden are trying to eliminate the potential for prosecutorial overreach in the US, Albrecht fears that the EU is about to make such overreach easier in Europe.