A second look at 'Aaron's Law'

The idea behind Aaron's Law connects with me on an emotional level. But when it comes to justice, we must use our heads instead of our hearts.

Last week I wrote a post offering tentative support for "Aaron's Law," an amendment Congresswoman Zoe Lofgren filed to "fix" the Computer Fraud and Abuse Act (CFAA). I still believe what I said then, that in the case of Aaron Swartz, the government took things too far in its effort to crack down on fraud.


Swartz, the 26-year-old co-creator of RSS and Reddit who died by his own hand earlier this month, was charged with wire fraud, computer fraud and other crimes after he accessed and downloaded over 4 million articles from the JSTOR online database through MIT's network. His cause -- making information more freely available on the Internet and opposing government and corporate secrecy -- was admirable.

His methods were wrong. But his transgressions were not severe enough to justify holding a 35-year prison sentence over his head. That's where the government's prosecution went astray, and that's why I liked the idea behind Lofgren's effort. [You can read about my full position at the time in "I support 'Aaron's Law' -- for now"]

Since then, I've gotten feedback from some smart infosec friends and we've done a more in-depth article on the subject. Here are the results of that, followed by my latest thinking on the matter.

Let's start with that feedback. I heard from a few people offline, but someone left this in the comments section of the last post, which makes some powerful points:

So let's look at the definition with this amendment: the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter, but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

One obvious problem: a policy which says, "if you accidentally are granted access to information that you should not have access to, you are required/prohibited ..." basically becomes non-binding. I believe this becomes "any access you have the technical ability to get is now 'authorized.'"

Also, any law named after an individual or single case is suspect.

After seeing that, I read "'Aaron's Law' could have unintended consequences" by Taylor Armerding, in which those interviewed cautioned against letting a tragedy undermine the protection of private and public property. From the article:

Jody Westby, an attorney and CEO of Global Cyber Risk, said Swartz's death could be blamed on overly zealous prosecution "that crushed a young man." But she said that the proposed amendment to the CFAA "is another form of overkill that would have terribly detrimental consequences."

"[The CFAA language regarding terms-of-service violations] is absolutely essential in arresting insiders who steal or misuse confidential or proprietary data they were not given access to, and also criminals who hack into computers or plant malware to steal credentials or exfiltrate data," Westby said.

Randy Sabett, an attorney with ZwillGen and an expert in information security and intellectual property, said: "To isolate this law as the showpiece cause of a terrible tragedy, and therefore wipe out an entire remedy for criminal activity and intent is not the way to go."

Westby said there might be a need for the law's language to be more precise, and for sentencing guidelines to be adjusted. She suggested that Lofgren's bill should "serve as a basis for Congressional hearings on what guidelines exist for prosecutors in handling CFAA cases."

But she said simply exempting terms-of-service violations from criminal penalties would be disastrous. "It would leave all businesses, individuals, and governments unable to use the CFAA to prosecute cybercriminals in circumstances where the perpetrator was violating terms of use, contractual obligations, or company policies."

"I do not say this with a hard heart. I lost a very close friend who committed suicide over extreme prosecutorial conduct over a relatively minor securities violation," she said. "What happened is that four boys lost their father. There are bounds of decency in prosecutorial conduct and certainly looking at damage should be a factor."

The overriding point here is that we need to act with our heads and not our hearts when it comes to legislating.

Something must be done to crack down on the abuse of power we've been seeing from prosecutors like U.S. Attorney Carmen Ortiz. But "Aaron's Law," as currently written, overreaches.

We should revisit the matter after we've all had some time to cool off. Emotions are still too raw to act with clarity.


Copyright © 2013 IDG Communications, Inc.