Wyden and Logren Introduce Aaron's Law to Reform the CFAA
Introducing Aaron's Law, a Desperately Needed Reform of the Computer Fraud and Abuse Act
By Zoe Lofgren and Ron Wyden (Note: this op-ed originally appeared in Wired on June 20, 2013)
The Internet is up for grabs.
Foreign countries want to control it. Military regimes use it to spy, to oppress, and to attack public and private institutions. ‘Big Content’ sought to censor it and dismantle its architecture. Law enforcement and intelligence agencies want to mine and monitor it. Powerful incumbent business interests seek to shape it in ways that benefit their bottom line but undermine the national interest and the interests of individuals worldwide.
In each of these areas, there is debate in Congress about how to respond. We need an informed public debate to ensure lawmakers make the right choices that fully preserve the vital openness of the Internet and the privacy and civil liberties of its users. Reforming the Computer Fraud and Abuse Act (CFAA) should be a part of that debate.
The CFAA is a sweeping Internet regulation that criminalizes many forms of common Internet use. It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open Internet as a platform for ideas and commerce, reforming the CFAA must be included.
The Law Is Flawed and Prone to Prosecutorial Abuse
Vagueness is the core flaw of the CFAA. As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You’re not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time.
So lying about one’s age on Facebook, or checking personal email on a work computer, could violate this felony statute. This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation. Millions of Americans — whether they are of a digitally native or dial-up generation — routinely submit to legal terms and agreements every day when they use the Internet. Few have the time or the ability to read and completely understand lengthy legal agreements.
Another flaw in the CFAA is redundant provisions that enable a person to be punished multiple times … for the same crime. These charges can be stacked one on top of another, resulting in the threat of higher cumulative fines and jail time for the exact same violation.
This allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act. It also plays a significant role in sentencing. The ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may in fact make it possible for defendants to be sentenced based on what should be prior convictions — but were nothing more than multiple convictions for the same crime.
These problems are not hypothetical. But it took the unfortunate death of Aaron Swartz to spotlight them.
In January, Aaron Swartz, an Internet innovator and activist, decided to end his brief but brilliant life. At the time, Swartz faced the possibility of severe punishment under the CFAA — multiple felony charges and up to 35 years in prison by the government’s own declaration – for what amounted to an act of civil disobedience. Aaron attempted to make documents, many created with public funding, freely available to the public.
But Aaron Swartz was not the first or the last victim of overzealous prosecution under the CFAA.
That’s why we’re authoring bipartisan legislation — which, with the permission of Aaron Swartz’s family, we call “Aaron’s Law” — in the House and Senate to begin the process of updating the CFAA.
Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks. It establishes a clear line that’s needed for the law to distinguish the difference between common online activities and harmful attacks.
Instead, we undertook a deliberative process for crafting this legislation. We posted drafts of the bill on Reddit to solicit public feedback. And that feedback informed revisions and solicitation of further feedback. We reviewed extensive input from a broad swath of technical experts, businesses, advocacy groups, current and former government officials, and the public. The result is a proposal that we believe, if enacted into law, safeguards commonplace online activity from overbroad prosecution and overly harsh penalties, while ensuring that real harmful activity is discouraged and fully prosecuted.
The law must separate its treatment of everyday Internet activity from criminals intent on causing serious damage to financial, social, civic, or security institutions. Our proposal attempts to accomplish this and address the fundamental problems of CFAA by doing the following:
Establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, Aaron’s Law would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption, or locked office doors. Notwithstanding this change, hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions that Aaron’s Law does not modify.
Bring balance back to the CFAA by eliminating a redundant provision of the law that can subject an individual to duplicate charges for the same CFAA violation. This is, in fact, what happened to Aaron Swartz — more than a third of the charges in the superseding indictment against him were under this redundant CFAA provision. Eliminating the redundant provision streamlines the law, reduces duplicative charges, but would not create a gap in protection against hackers.
Bring greater proportionality to CFAA penalties. Currently, the CFAA’s penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances — leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). For example, under current law a prosecutor can seek to inflate potential sentences by stacking new charges atop violations of state laws. Aaron’s Law would reform the penalty for certain violations to ensure prosecutors cannot seek to inflate sentences by stacking multiple charges under CFAA, including state law equivalents of CFAA, and torts (non-criminal violations of law).
Will It Work?
Some say that while the CFAA may be a broad statute, prosecutorial discretion will ensure that it is not abused. We disagree. Whether it is with respect to privacy, civil liberties, or Internet use, the government has shown itself unable to restrain its use of power. So far, government discretion has repeatedly failed to curb abuse and, in fact, has resulted in abuse itself.
Other critics may argue that Aaron’s Law reforms remove one specific scenario from CFAA: an authorized individual using their own authorization (such as password credentials) to access and use information in unauthorized ways. Although we do not wish to create any new vulnerabilities, the overbroad approach currently taken by the CFAA potentially criminalizes millions of Americans for common Internet activity. Moreover, numerous laws like Theft of Trade Secrets, the Privacy Act, copyright law, the Stored Communications Act, wire fraud, and HIPAA already criminalize misuse of information.
The CFAA permits private parties to sue violators, but this private cause of action is not always present in other federal laws. We’ve heard some concern from companies that Aaron’s Law would hinder their ability to take matters into their own hands to protect their proprietary information from insider theft. We look forward to robust discussions on this issue and to addressing any warranted concerns.
Laws Can Spur Innovation … Or Halt It
The introduction of this legislation is just the beginning of a process needed to bring balance back to the CFAA. Still, achieving even the specific, important reforms in Aaron’s Law will not be an easy lift.
Congress rarely moves with haste. Correcting this complex law — enacted more than a quarter century ago — to work in the Digital Age will take a significant amount of time. To successfully build meaningful CFAA reforms into law will require sustained public engagement and support.
But the events of the last couple of years have demonstrated that the public can speak loudly thanks to the Internet. And when it does, lawmakers will listen.
The consequences of inaction are all too clear. We live in an age where people connect globally by simply touching a device in the palm of their hand, empowered by online advances that have enriched the world scientifically, culturally, and economically.
But ill-conceived computer crime laws can undermine this progress if they entrap more and more people — simply for creative uses of the technology that increasingly mediates our everyday activities and our interactions with the world. This not only fails us today, it can also become an obstacle to the innovations of tomorrow.
The Internet faces broad challenges to the fundamental characteristics that have enabled it to be the transformational technology that we know. An update to the CFAA must be part of the discussion that seeks to resolve these challenges. Today, there’s an entire generation of digitally-native young people that have never known a world without an open Internet and their ability to use it as a platform to develop and share ideas. It’s up to all of us to keep it that way.