Bunny Bytes: Update on Aaron’s Law

The Rise and Fall (and re-Rise) of Aaron’s Law

The tragic death of Aaron Swartz (see my post Hacktivism & the CFAA for more details) spurred a swarm of criticisms of the Computer Fraud and Abuse Act and proposals for how it could be fixed. These efforts culminated in a bill that was introduced to Congress in 2013 as Aaron’s Law, which sought to do the following:

  • Narrow the scope of the CFAA to exclude breaches of terms of service, employment agreements, and other contracts.
  • Eliminate redundant provisions to reduce multiple charges for the same conduct.
  • Limit the penalties of stacked charges to avoid overly severe punishments that are disproportionate to the crime.

Unfortunately, the bill eventually died on the floor (pardon the terminology) after two years of being stalled in committee review. Large tech companies such as Oracle reportedly lobbied against the bill because they allegedly use the CFAA to prosecute their competitors. In an interview with Forbes, Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, commented:

“Some particular companies offered a fierce attack on common sense changes to the CFAA due to certain companies’ use of the CFAA not as a statute being used in civil suits to prosecute computer hacking as it was originally intended, but being used to protect trade secrets.”

Round Two

In 2015, the bill was reintroduced by Representative Zoe Lofgren of California and Senator Wyden of Oregon, and co-sponsored by Senator Rand Paul of Kentucky. Rep. Lofgren says that she hopes the bill will help “prevent what happened to Aaron from happening to other Internet users.”

Unfortunately, Aaron’s Law 2.0 still is not getting much traction, as some members of Congress believe that harsh penalties are necessary to deter hackers and other cyber-criminals.


While Aaron’s Law sits waiting in the wings, the Senate has already passed the Cybersecurity Information Sharing Act (CISA) as of October of 2015, which potentially undermines the efforts of Aaron’s Law completely. The Electronic Frontier Foundation voiced its disapproval of CISA:

“CISA is fundamentally flawed. The bill’s broad immunity clauses, vague definitions, and aggressive spying powers combine to make the bill a surveillance bill in disguise. Further, the bill does not address problems from the recent highly publicized computer data breaches that were caused by unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”

In December of 2015, CISA was surreptitiously rolled into the Military Construction and Veterans Affairs and Related Agencies Appropriations Act, which passed the House and was signed into law by President Obama on December 18, 2015.

To add insult to injury, Senator Sheldon Whitehouse of Rhode Island has introduced his own amendment to CISA that would expand the CFAA by adding more penalties and would allow the Attorney General to file injunctions against suspected violators of the CFAA.

In a final effort to stop Congress from making the CFAA more draconian than it already is, the Electronic Frontier Foundation urges citizens to email their representatives and tell them to vote against Senator Whitehouse’s amendment.


