The Rise and Fall (and re-Rise) of Aaron’s Law
The tragic death of Aaron Swartz (see my post Hactkivism & the CFAA for more details) spurred a swarm of criticisms of the Computer Fraud and Abuse Act and proposals of how it could be fixed. These efforts accumulated into a bill that was introduced to Congress in 2013 as Aaron’s Law, which sought to do the following:
- Narrow the scope of the CFAA to exclude breaches of terms of service, employment agreements, and other contracts.
- Eliminate redundant provisions to reduce multiple charges for the same conduct.
- Limit the penalties of stacked charges to avoid overly-severe punishments that are disproportionate to the crime.
Unfortunately, the bill eventually died on the floor (pardon the terminology) after two years of being stalled in committee review. Large tech companies such as Oracle reportedly lobbied against the bill because they allegedly use the CFAA to prosecute their competitors. In an interview with Forbes, Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, commented:
“Some particular companies offered a fierce attack on common sense changes to the CFAA due to certain companies use of the CFAA not as a statute being used in civil suits to prosecute computer hacking as it was originally intended, but being used to protect trade secrets.”
In 2015, the bill was reintroduced by Representative Zoe Lofgren of California and Senator Wyden of Oregon, and co-sponsored by Senator Rand Paul of Kentucky. Rep. Lofgren says that she hopes the bill will help “prevent what happened to Aaron from happening to other Internet users.”
Unfortunately, Aaron’s Law 2.0 still is not getting much traction, as some members of Congress believe that harsh penalties are necessary to deter hackers and other cyber-criminals.
While Aaron’s Law sits waiting in the wings, the Senate has already passed the Cybersecurity Information Sharing Act (CISA) as of October of 2015, which potentially undermines the efforts of Aaron’s Law completely. The Electronic Frontier Foundation voiced its disapproval of CISA:
CISA is fundamentally flawed. The bill’s broad immunity clauses, vague definitions, and aggressive spying powers combine to make the bill a surveillance bill in disguise. Further, the bill does not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.
In December of 2015, CISA was surreptitiously rolled into the Military Construction and Veterans Affairs and Related Agencies Appropriations Act, which passed the House and was signed into law by President Obama on December 18, 2015.
To add insult to injury, Senator Sheldon Whitehouse of Rhode Island has introduced his own amendment to CISA that would expand the CFAA by adding more penalties and would allow the Attorney General to file injunctions against suspected violators of the CFAA.
In a final effort to stop Congress from making the CFAA more draconian than it already is, the Electronic Frontier Foundation urges citizens to email their representatives and tell them to vote against Senator Whitehouse’s amendment.
There is currently a circuit split over the CFAA and the words “exceeds authorized access,” as I previously discussed in my post Employees + the CFAA = Circuit Split. When a circuit split exists, there is a high likelihood that a petition for writ of certiorari will be granted by the Supreme Court to resolve the dispute among the Federal Circuit Courts of Appeal. Looking forward in a feeble attempt to predict the outcome of the future fate of the CFAA, I decided to start by figuring out which court of appeals SCOTUS tends to agree with the most in a circuit split and see which side of the CFAA chasm they stand on.
Although subject to change with the passing of Justice Scalia, Tom Cummins & Adam Aft have reported in their annual Appellate Review series that in recent court terms, SCOTUS has sided most frequently with the 10th Circuit in resolving a split. After that, they agree second most frequently with the 1st Circuit.
Interestingly, the 10th Circuit has yet to weigh in on the CFAA debate, and the 1st Circuit is on the increasingly unpopular side of the split, pulling for a broad interpretation of “exceeds authorized access” with their decision in EF Cultural Travel BV v. Explorica, Inc. (holding that using a web scraping tool to download all of the content off a competitor’s website “exceeded authorized access”).
Let us take a look at how the lower courts in the 10th Circuit have been interpreting “exceeds authorized access,” and whether the 10th Circuit has denied appeals of those decisions. Continue reading
What is Hacktivism?
Hacktivism is exactly what it sounds like: Activism via Computer Hacking. Hacktivists express their disdain for social or political issues in a number of ways, some more harmful than others. One of the most well known hacktivist groups of the twenty-first century is Anonymous; a self-identified legion of faceless hackers who band together through online networks to launch various cyber attacks, with no specific centralized political or social goal. Another popular hacktivist of the moment is Alexandra Elbakyan, a graduate student and scientific researcher from Kazakhstan. Alexandra has made more than 50 million stolen scientific research articles available on her website, Sci-Hub. Despite reoccurring injunctions against the website, Alexandra has found ways to keep the project going. Her hacktivist goal is “to remove all barriers in the way of science” by “provid[ing] mass & public access to research papers.” Alexandra’s efforts sound hauntingly familiar to another hacktivist whose name is frequently associated with the CFAA: Aaron Swartz.
is was Aaron Swartz?
Aaron Swartz was a gifted computer programmer who made several contributions to the
modern Internet experience, including his work to help create RSS and the popular website Reddit. Aaron was also an outspoken activist, openly rallying against political issues such as the proposed Stop Online Piracy Act (SOPA), and was passionate about open access to all scholarship. Unfortunately, Aaron committed suicide on January 11, 2013, at the age of 26. Although no suicide note was found, his death occurred amidst felony charges from the U.S. Attorney after Swartz had downloaded 4.8 million articles from JSTOR, the academic online journal database, utilizing the MIT network.
Nate Raymond writes for REUTERS:
“An ex-employee of Western Asset Management Co pleaded guilty on Friday to repeatedly accessing his former supervisor’s email account after leaving the financial firm, conduct his lawyer said stemmed from a concern he was being criticized.
Kristopher Rocchio, who after leaving the company became a vice president at investment manager Neuberger Berman, pleaded guilty in federal court in Manhattan to a misdemeanor charge of unauthorized computer intrusion, according to court records.
In a statement Rocchio read in court, the Staten Island resident said from sometime in 2012 to February 2015, he used log-in information his former supervisor provided him while he worked at Western Asset Management to illegally read his emails.” Read more…
The Computer Fraud and Abuse Act is a necessary evil.
Why? Because it is necessary to punish individuals who maliciously use computer systems to exploit, harass, and torment others (such as hijacking your computer’s built in camera, infecting your smartphone with malware, or phishing credit card information from popular retail stores). Although some mock the origin of the CFAA, saying that it was spurred by the overreacting to the 1983 movie WarGames with Mathew Broderick, the unfortunate reality is that computer crimes are on the rise.
So why is the CFAA evil?
The CFAA is just a sum of its parts, and it contains one part that is particularly sinister: section (a)(2)(C). The broad scope of this section has the potential to be abused by prosecutors by criminalizing otherwise innocuous behavior that does not cause loss or harm. 18 U.S.C. 1030 (a)(2)(C) reads:
“Whoever—intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—information from any protected computer.”
What constitutes a “protected computer” is incredibly broad, as defined in section (e)(2)(B) as any computer “which is used in or affecting interstate or foreign commerce or communication.” The federal courts have determined that under this definition, any computer with a “connection to the internet” qualifies as a protected computer.
The part of (a)(2)(C) that broadens the scope of liability the most is “exceeds authorized access,” because courts and scholars do not agree one what all this encompasses. The most broad and heavily debated meaning of “exceeds authorized access” would include using an authorized account in a way that violates the contractual user agreement. An example of this is would be a Google employee who used his access privileges at work to spy on the internet activities of underage teenagers. This particular case is a great illustration of the kind of computer abuse that deserves to be deterred and punished.
However, under the same theory of CFAA liability from contract violation, you may be prosecuted for violating any terms of services on any website. Let’s look at one such example…
Image © NBC NEWS 2014.
Andrew Blankstein writes on NBC NEWS:
“A Pennsylvania man has been charged in the hacking of Apple and Google accounts belonging to more than 100 people, many of them celebrities, officials said on Tuesday.
Between Nov. 2012 and Sept. 2014, Ryan Collins, 36, sent fake emails that purported to be from Apple or Google, and got victims to unknowingly hand over their usernames and passwords, the U.S. Attorney for the Central District of California said.
He then used that information to get into their email accounts, swiping nude photos in some instances, and sometimes downloading full backups from Apple’s iCloud, prosecutors said in a charging document filed Tuesday.
Police began probing an apparent iCloud hack that resulted in leaked nude photos of Jennifer Lawrence and other celebrities, mostly women, in September of 2014.
Collins, of Lancaster, Pennsylvania, was charged in Los Angeles with violating the Computer Fraud and Abuse Act and has agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information, prosecutors said.
The charge carries a maximum of five years in prison, but prosecutors will recommend a sentence of 18 months, the U.S. Attorney’s Office said.” Read more…
Image above © NBC NEWS 2014.
The broad scope of the CFAA is continuously being challenged among the legal community for ascribing criminal liability to otherwise harmless activities with computers and on the Internet. But why isn’t anyone complaining about the even broader state level computer crime statutes?
Let’s take a moment to talk about Domanik Green. About a year ago, fourteen-year old Domanik sat down at a computer in his middle school in Florida, and with a generic administrative password that was commonly known throughout the school, he changed his teacher’s computer wallpaper to a picture of two men kissing. This childish and immature prank, which Domanik surely thought was funny at the time, resulted in a felony charge under Florida’s Computer-Related Crimes statute. The language of the statute provides felony liability for anyone who:
815.06 (2)(a) Accesses or causes to be accessed any computer, computer system, computer network, or electronic device with knowledge that such access is unauthorized.
The statute does not require the offender to actually do anything to the computer system, and mere unauthorized access is enough to be a punishable offense. Surely most people appreciate the absurdity of an eighth-grader being arrested and charged with a criminal felony for playing a stupid prank that did not result in any injury, loss, or harm. Continue reading