Rep. Zoe Lofgren (D-CA), along with Reps. James Sensenbrenner (R-WI), Mike Doyle (D-PA), Yvette Clarke (D-NY) and Jared Polis (D-CO), have introduced H.R. 2454, the Aaron's Law Act of 2013. Named in honor of the late Internet innovator and activist Aaron Swartz, the bipartisan legislation would reform the quarter-century old Computer Fraud and Abuse Act (CFAA) to work for the digital age. Swartz's passing in January spotlighted serious problems with the vague wording of the CFAA. Among those concerns is how the law treats violations of terms of service, employer agreements, or website notices.
"Reform of the CFAA is necessary," Rep. Lofgren said. "I hope this bipartisan bill will lead to the reforms that are needed for the good of the country."
Aaron's Law refocuses the CFAA away from common computer and Internet activity and back towards targeting damaging hacks, as originally intended. By establishing a clear line that is needed in the law, it distinguishes the difference between common online activities and harmful attacks. Specifically the legislation:
- Establishes that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls -- such as password requirements, encryption, or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions this bill does not modify.
- Brings balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same solitary violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.
- Brings greater proportionality to CFAA penalties. Currently, the CFAA's penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.