'Aaron's Law' could have unintended consequences

The suicide of Internet wunderkind Aaron Swartz has prompted a variation on the classic "there-ought-to-be-a-law" response to tragedy. In this case, it's, "There ought to be an amendment to the law," to prevent what critics have called overzealous prosecution and vastly disproportionate sentencing guidelines.

The law in this case is the Computer Fraud and Abuse Act (CFAA), invoked by federal prosecutors to bring a 13-count indictment against Swartz, 26, after he used the MIT computer network to download more than 4 million academic articles from the online archive JSTOR, allegedly without legal authorization, in violation of MIT's terms of service.

U.S. Rep. Zoe Lofgren (D-Calif.) filed a bill this week she called "Aaron's Law," that would exclude terms of service violations from the CFAA and wire fraud statutes. In a post on Reddit, the Internet forum that Swartz cofounded, Lofgren wrote that "using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.

"A simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations," she wrote.

But several Internet security experts, while expressing sympathy for Swartz's family, say it is not so simple, and that Lofgren's proposal could end up being yet another example of the law of unintended consequences.


Jody Westby, an attorney and CEO of Global Cyber Risk, said Swartz's death could be blamed on overly zealous prosecution "that crushed a young man." But she said that the proposed amendment to the CFAA "is another form of overkill that would have terribly detrimental consequences."

"[The CFAA language regarding terms-of-service violations] is absolutely essential in arresting insiders who steal or misuse confidential or proprietary data they were not given access to, and also criminals who hack into computers or plant malware to steal credentials or exfiltrate data," Westby said.

Randy Sabett, an attorney with ZwillGen and an expert in information security and intellectual property, said: "To isolate this law as the showpiece cause of a terrible tragedy, and therefore wipe out an entire remedy for criminal activity and intent is not the way to go."

Swartz, the founder and director of Demand Progress, co-author of RSS and a former research fellow at Harvard's Center for Ethics, was an outspoken crusader for making information free on the Internet, and prosecutors say he had planned to make the articles he obtained available to the public for free, as a political statement about access to knowledge.

He was scheduled to go to trial in April, and could have faced as many as 35 years in prison and as much as $1 million in fines, although the U.S. Attorney's office had reportedly offered a plea bargain that would have resulted in six months of jail time.

However, since his death, U.S. Attorney Carmen Ortiz has faced a firestorm of criticism, including a petition demanding her removal, which this week reached 25,000 signatures; the White House, however, has raised the threshold for a response from 25,000 to 100,000 signatures.

Marcia Hofmann, a senior staff attorney at the Electronic Frontier Foundation (EFF), said in a blog post earlier this week that the CFAA is indeed badly flawed. "The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research," she wrote. "However, some extremely problematic elements of the law made it possible."

One of them is that the law doesn't clearly define what "authorization" to access protected computers means, she wrote. "Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead (to) target other behavior the prosecutors don't like," she said, adding that a second major problem is that sentences for hacking crimes are far too severe.

Westby said there might be a need for the law's language to be more precise, and for sentencing guidelines to be adjusted. She suggested that Lofgren's bill should "serve as a basis for Congressional hearings on what guidelines exist for prosecutors in handling CFAA cases."

But she said simply exempting terms-of-service violations from criminal penalties would be disastrous. "It would leave all businesses, individuals, and governments unable to use the CFAA to prosecute cybercriminals in circumstances where the perpetrator was violating terms of use, contractual obligations, or company policies."

"I do not say this with a hard heart. I lost a very close friend who committed suicide over extreme prosecutorial conduct over a relatively minor securities violation," she said. "What happened is that four boys lost their father. There are bounds of decency in prosecutorial conduct and certainly looking at damage should be a factor."

Sabett said if the penalties are indeed disproportionate, that is what should be changed. "Change the remedies," he said. "But don't wipe out a whole provision of the law. Any deterrent effect it would have against criminals would no longer exist."

A terrible tragedy should not eliminate the ability to bring charges for criminal behavior, he said. "Even if you say you're doing it for the common man -- that it is OK because it is for the greater good -- if it is a crime, then it is still a crime."
