The Computer Fraud and Abuse Act is a nearly 30-year-old criminal law with sweeping authorities that criminalize many forms of common Internet use. U.S. Senator Ron Wyden (D-Ore.) has introduced legislation that reforms the CFAA to bring it in line with the needs of a 21st century digital landscape.
The reform proposal - also introduced in the House of Representatives by Rep. Zoe Lofgren (D-Calif.) - clarifies a vague and outdated statute initially intended to protect government computers from malicious hacks but is now interpreted so broadly as to criminalize harmless and commonplace infractions of a website’s terms of service.
Aaron’s Law (summary)removes redundant provisions in the CFAA that only serve to give prosecutors the ability to stack multiple felony charges on top of one another for the exact same crime and lengthen potential prison sentences.
“The CFAA is a vague and problematic law that no longer responds to the needs and challenges of today’s digital ecosystem,” Wyden said. “The law should not enable Americans to be prosecuted for felonies because of a mere violation of a website’s term of service. The CFAA’s broad scope and vague standards all but invite prosecutorial abuse. The important reforms we propose today would bring the law in line with the reality of the digital landscape of 2013 while making sure the changes do not undermine the ability to fully prosecute malicious hacks.”
The bill is known as “Aaron’s Law” after the online innovator and activist whose death earlier this year while facing up to 35 years in prison for an act of civil disobedience shone a spotlight on the law’s obsolescence and potential for prosecutorial abuse.
Aaron's Law refocuses the CFAA away from common computer and Internet activity and back towards targeting damaging hacks, as originally intended. By establishing a clear line that is needed in the law, it distinguishes the difference between common online activities and harmful attacks. Specifically the legislation:
- Establishes that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on recent important 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls – such as password requirements, encryption, or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under strong CFAA provisions this bill does not modify.
- Brings balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same solitary violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.
- Brings greater proportionality to CFAA penalties. Currently, the CFAA's penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.