'Aaron's Law' focuses penalties on malicious hackers

Aaron’s Law is back in Congress.

Named for Aaron Swartz — the programmer and digital activist who took his life while facing data theft charges — the bill would ease punishments stemming from the law under which Swartz was charged, the Computer Fraud and Abuse Act (CFAA).

ADVERTISEMENT
Rep. Zoe Lofgren (D-Calif.) is backing the House version; Sens. Ron WydenRonald (Ron) Lee WydenHillicon Valley: Facebook, Google struggle to block terrorist content | Cambridge Analytica declares bankruptcy in US | Company exposed phone location data | Apple starts paying back taxes to Ireland Firm exposes cell phone location data on US customers Overnight Finance: Watchdog weighs probe into handling of Cohen bank records | Immigration fight threatens farm bill | House panel rebukes Trump on ZTE | Trump raises doubts about trade deal with China MORE (D-Ore.) and Rand PaulRandal (Rand) Howard PaulOvernight Defense: Senate confirms Haspel as CIA chief | Trump offers Kim 'protections' if he gives up nukes | Dem amendments target Trump military parade Hillicon Valley: Lawmakers target Chinese tech giants | Dems move to save top cyber post | Trump gets a new CIA chief | Ryan delays election security briefing | Twitter CEO meets lawmakers Overnight Finance: Watchdog weighs probe into handling of Cohen bank records | Immigration fight threatens farm bill | House panel rebukes Trump on ZTE | Trump raises doubts about trade deal with China MORE (R-Ky.) are supporting the Senate’s companion bill.

"At its very core, CFAA is an anti-hacking law,” said Lofgren in a statement. “Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations.”

In 2011, Swartz faced up to 35 years in prison and $1 million in fines after being charged with gaining unauthorized access to JSTOR, a subscription-based digital repository for academic journals and papers.

Swartz allegedly downloaded 5 million articles and later posted some of them publicly online.

“Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” said Wyden in a statement, referring to a CIA report acknowledging it infiltrated Senate computers.

Aaron’s Law would change the definition of “access without authorization” in the CFAA so it more directly applies to malicious hacks such as sending fraudulent emails, injecting malware, installing viruses or overwhelming a website with traffic.

“The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution,” Wyden said. “Aaron’s Law would curb this abuse while still preserving the tools needed to prosecute malicious attacks.”

The measure would also strike provisions in the law allowing prosecutors to add up extensive prison sentences for individuals charged with multiple CFAA violations.

“It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities,” Lofgren said.

This is lawmakers’ second attempt at the bill, which didn’t move in the last Congress.

Privacy and civil liberties groups have long advocated for changes to the CFAA, which they say put basic security engineers and researchers at risk of criminal prosecution. The result, they maintain, is a chilling effect on cybersecurity research — which they say is much needed as cyber threats grow exponentially.   

More broadly, government officials and lawmakers are working to restructure punishments to better fit the interconnected world.

Wyden joined with Rep. Jared Polis (D-Colo.) last week to introduce a bill that would reform copyright laws in an effort to protect security researchers from being prosecuted.

Polis is also signed on as a co-sponsor of Aaron’s Law, as are Reps. Jim SensenbrennerFrank (Jim) James SensenbrennerLawmakers question FBI director on encryption Doug Collins to run for House Judiciary chair Lawmakers renew call for end to 'black budget' secrecy MORE (R-Wis.), Mike Doyle (D-Pa.) and Dan Lipinski (D-Ill.).