
Tragedy provided the momentum to

A new bill has been introduced in the House and Senate dubbed "Aaron's Law", which looks to reform the badly outdated and ambiguous Computer Fraud and Abuse Act of 1986 (18 USC § 1030).  So who is Aaron and why is a law being named after him?  The answer traces back to a tragic event that occurred early this year.

I. A Tragic Loss Leads to Reform

Aaron Swartz, a Reddit co-founder and co-developer of the RSS standard, committed suicide this January leaving behind a complex legacy of success and controversy.  While amassing enough money to live comfortably following the sale of Reddit to Conde Nast, Mr. Swartz became an ardent activist.  

In 2011, while visiting the Massachusetts Institute of Technology (MIT), he downloaded 4.8 million scholarly journal articles from JSTOR -- a subscription-only distribution service.  The authors made no money off the publication, he figured. It all went to the publishers.  Further, the research was paid for with taxpayer money.  So he boldly offered up the articles online.

And he paid for it.  Federal prosecutors, aided by MIT administrators, hit him with numerous CFAA charges with a maximum penalty of $1M USD and 35 years in prison.  As the feds piled on more charges (nine additional counts in Sept. 2012 alone), Mr. Swartz allegedly grew despondent, and ultimately chose to hang himself.  His then-girlfriend found him at their shared Crown Heights, Brooklyn, New York apartment.

But his death set off a spark.  At his funeral at Central Avenue Synagogue in Highland Park, Illinois, his father Robert Swartz was unequivocal, stating, "[Aaron] was killed by the government, and MIT betrayed all of its basic principles."

A media storm ensued.  Congress soon took up the issue.  And some feared that -- as with many Congressional inquiries -- the momentum would eventually die down.

II. "Aaron's Law" Looks to Clean up CFAA Mess

But ultimately two bills have emerged from the tragedy -- the second of which was introduced today.

One man standing firmly behind both bills is Sen. Ron Wyden (D-Ore.) -- a man who might have more in common with social libertarians like Rep. Ron Paul (R-Tex.) than his Democratic colleagues, when it comes to civil rights.  But the credit for "Aaron's Law" goes primarily to its author, Rep. Zoe Lofgren (D-Calif.).

The bill points out that the language of the CFAA "invites abuse" in that it makes it hard to differentiate between law-abiding users and criminals.  For example, the CFAA makes it a felony to "access a computer without authorization or exceed authorized access" -- while failing to define exactly what that blob of tech jargon means.

"Aaron's Law" finally clarifies "authorized access" from a technical standpoint.

That ambiguity has made it the favorite tool of zealous district prosecutors; after all, almost any action using a digital device could be construed as "exceeding the authorized access".  Further, the law allows for redundant charges within the bill itself, and allows these charges to be piled atop state statutes -- which was what happened in Mr. Swartz's case.

The proposed bill does the following:
  1. Prevents redundant charges within the bill itself.
  2. Prevents federal charges that overlap state charges.
  3. Allows flexibility to downgrade charges to a non-felony.
  4. Explains what "exceeding authorized access" means.

The final amendment is particularly important.  The bill -- at last -- offers a quasi-technical definition of access, writing:

(A) to obtain information on a protected computer;
(B) that the accesser lacks authorization to obtain; and
(C) by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.

In other words, all manner of attacks on systems protected by cryptography would be considered a crime.  But data dumps on open interfaces -- such as imprisoned computer specialist Andrew "weev" Auernheimer's scraping of openly accessible online ID data for Apple, Inc. (AAPL) iPads or Mr. Swartz's data dump -- would arguably not qualify.  Of course, such actions could still violate state criminal or civil statutes, but at a federal level, at least, a "locked door" analogy would be adopted when it comes to access.

Sen. Wyden and Rep. Lofgren write in a Wired op-ed that critics of the bill are ignorant of the fact that other laws already protect companies and institutions against the unauthorized distribution of proprietary information.  They write:

Other critics may argue that Aaron’s Law reforms remove one specific scenario from CFAA: an authorized individual using their own authorization (such as password credentials) to access and use information in unauthorized ways. Although we do not wish to create any new vulnerabilities, the overbroad approach currently taken by the CFAA potentially criminalizes millions of Americans for common Internet activity. Moreover, numerous laws like Theft of Trade Secrets, the Privacy Act, copyright law, the Stored Communications Act, wire fraud, and HIPAA already criminalize misuse of information.

The pair did say that they were open to suggestions from businesses on tweaking the language to fairly punish the theft of insider secrets.

The bills have the backing of Sen. Ron Wyden (left). [Image Source: Kevin Krejci]

The cost of inaction is too high, they conclude, writing:

The consequences of inaction are all too clear. We live in an age where people connect globally by simply touching a device in the palm of their hand, empowered by online advances that have enriched the world scientifically, culturally, and economically.

But ill-conceived computer crime laws can undermine this progress if they entrap more and more people — simply for creative uses of the technology that increasingly mediates our everyday activities and our interactions with the world. This not only fails us today, it can also become an obstacle to the innovations of tomorrow.

The second pending bill was already introduced back in February, dubbed The Fair Access to Science and Technology Research Act (FASTR).  Sponsored by Sen. Wyden, Sen. John Cornyn (R-Tex.), and Rep. Lofgren (among others), this law is nicknamed "The Other Aaron's Law".  Its primary purpose would be to force taxpayer-funded research to be released to the public.

Sources: Aaron's Law (PDF), The Fair Access to Science and Technology Research Act (FASTR) [PDF], Sen. Wyden, Rep. Lofgren on Wired


RE: Millennials
By ebakke on 6/24/2013 11:36:59 PM , Rating: 2
... the reason why you are free to say whatever you like it's because of people like me along with many others that took an oath to protect the constitution and unfortunately twits like you.
I mean this with absolute sincerity and with as much respect as possible: You are failing.

Your arguments here today serve to protect the state at the expense of the Constitution you've sworn to protect. It's saddening and equally terrifying that you and others like you line up to vigorously defend those who strip us of our liberty. It's even more frightful that those who have volunteered to fight against it, are now fighting for it.

RE: Millennials
By Ammohunt on 6/25/2013 2:13:32 PM , Rating: 2
Fighting to protect a government designed by the people for the people? Don't get it, do you? There is no they! Only us; this is our government.

RE: Millennials
By ebakke on 6/25/2013 3:21:01 PM , Rating: 2
You're fighting to protect the government, yes. That government isn't by the people, and for the people in the sense that it's by 100% of the people for 100% of the people as you're implying.

It's made of only those who have the means (financial, personality, and otherwise) to run for office. Those people are elected by merely 50% + 1 of the people who show up to vote. And those people do not represent the entire nation. They represent the people who brought them to power. So, at best, our government is designed by 50%+1 of the people, for 50%+1 of the people. The rest of us get whatever the majority deems fitting for us. I didn't vote for any of this, or for the people who put it in place. I also don't want it. Are you telling me this government is still designed by me, for me?

All of that said, your continued argument that all of this is fine and acceptable because it was put in place and run by duly elected people only holds under one condition: the public has 100% of the information. Without information on what is happening, by whom, and for what reasons the populace is making choices with partial (or false) information. How could you possibly claim a politician is duly elected when the whole premise of what they know, what they're doing, and how they're serving us is a farce?

And that's the crux of the problem - this entire thing is being done in secret. The court is secret. Its rulings are secret. The requests are secret. The "suspects" are secret. The methodologies are secret. The information being collected is secret. The companies being forced to give up information as well as the politicians charged with overseeing these programs are both prevented by threat of imprisonment from sharing any of this information. So if a Congressman sees a blatant abuse of power, he can't even tell his constituents about it! The best he can say is, "You'd be shocked!" That wouldn't even get him 30 seconds of news coverage. And certainly a person running for office couldn't get access to what's happening and make a case to those in his district that "I'm a better guy for the job, because that guy's allowing _____".

We've given a group of people near unlimited power. They've gagged themselves and everyone else, and then told us to just "trust them" while they store the electronic history of the entire country (world?).

RE: Millennials
By Ammohunt on 6/26/2013 8:07:29 PM , Rating: 2
So what you are saying is that there should be no national secrets and no one can be trusted as the custodian of those secrets? Having held a clearance I can tell you that is a total nonsense and inane argument. There are things that absolutely need to be kept secret!

RE: Millennials
By ebakke on 6/27/2013 3:56:49 PM , Rating: 2
If we're waving credentials around, I too have held clearances before. I've been entrusted with a subset of the nation's secrets, but nothing I was privy to included spying on US citizens without any due process.

Yes, we should have national secrets. If we're at war with Germany, and have cracked the Enigma, we should be able to keep that hidden. But this is entirely different and you know it. We have no declaration of war, and these activities don't just involve foreign individuals. It's spying on American citizens - and no matter how many times you want to stomp your foot and yell NATIONAL SECURITY!!! it still doesn't change the fact that doing so without probable cause and warrant is directly in contradiction with the 4th Amendment and is therefore illegal.

RE: Millennials
By Ammohunt on 6/28/2013 1:31:52 PM , Rating: 2
The congress authorized this program via legislation; these are the same guys that have the power to suspend your Constitutional rights at any time simply by declaring martial law. What's constitutional is determined by the judicial branch. This is a Republic; we elected the people that created this program and we are culpable, i.e. we created this, not they the government.

RE: Millennials
By ebakke on 6/28/2013 3:27:00 PM , Rating: 2
You may have created it, but I certainly didn't.
