Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers
from the someone-buy-these-senators-a-clue dept
Yesterday, we wrote about an important new bill, Aaron’s Law, from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It’s a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you’re unaware, the CFAA is supposed to be a law to be used against people doing malicious hacking, but the wording is so broad and problematic, it has been used against people for merely violating the terms of service on a website, or someone using a work computer for non-work-related items — which could lead to excessively long jail terms. The reason Aaron’s Law is named that is because of Aaron Swartz, the guy that Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR — despite the fact that he did so on the MIT campus where the campus had a site license that allowed anyone on their network to download all the JSTOR papers.
As we noted in our post, there are still some who are pushing in the other direction — and they didn’t waste much time. The very same day that Aaron’s Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a “We Should Have Threatened Aaron With More Years In Jail” Act. Okay, technically it’s called the Data Breach Notification and Punishing Cyber Criminals Act — and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither links to it, and Congress’s website has a placeholder saying that it hasn’t received the actual text yet either. Hopefully that will change soon.*
It’s bizarre that they’re lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone’s focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a “throw in.” The quotes, however, on this part of the bill are ridiculous. Here’s Senator Kirk’s press release:
This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims.
And Senator Gillibrand’s:
The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud.
It’s the whole “obtaining information from a protected computer without authorization” that is a serious concern here, as that’s part of what’s been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used repeatedly for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in jail from crazily high to insanely high isn’t going to change a damn thing. And if these two Senators can’t understand that, they shouldn’t be touching the CFAA at all.
* As an aside, it’s plainly ridiculous for anyone to announce a new bill without releasing the actual text. Even more ridiculous: in searching for the text of the actual bill on both Senators’ websites, I note that the very first item highlighted on Senator Gillibrand’s website is “Transparency” where it says “Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results.” Well, you know what might help with that transparency? If you actually release the text of the bills you’re introducing when you introduce them so that people can take a look at them.
Filed Under: aaron swartz, cfaa, cfaa reform, hacking, kirsten gillibrand, mark kirk
Comments on “Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers”
As we have learned from our current drug policy, longer mandatory jailtime has been applied fairly, and done wonders for the number of addicts in the US.
Tough Times ahead, then
… for the NSA?
Re: Tough Times ahead, then
They control the DOJ though, so who exactly would prosecute them?
Well unauthorized access to computers is punishable, NSA by that standard, are the biggest criminals ever, by those standards.
Data breach notifications are the wrong solution
Data breaches are usually not the issue, and notifications are almost never the right solution. The right solution is to provide ways to mitigate the damage caused by a breach and to make information obtained from the breach not useful to the unauthorized parties. For example, establish in law that knowing a name+SSN is not proof that you are that person. Back it up by publishing the name+SSN pair of every person.
Shadow laws
Almost as ridiculous as having a secret “alternate interpretation” of an existing law that nobody is allowed to know about. But that would never happen, right?
Right?!?
Re: Shadow laws, Shadow interpretations, Shadow courts
In the 1970s, 80s and 90s eras of cyberpunk near-future sci-fi, these things were the clear indicators that you lived in a dystopia, much like secret police and SWAT raids were the hallmarks of a Soviet-Union-style tyranny.
Kinda like when the villain kills a minion for failure or kills a traitor or spy in a particularly heinous way to show how evil he is. Piranha tanks, jet engines, decompression chambers, industrial machinery. That sort of thing.
Rest of the story: by sneaking into a closet, without paying MIT fees.
And to “liberate” data.
Key facts needed to understand why Swartz was charged. He went to some trouble to get indicted, wasn’t out of the blue.
Re: Rest of the story: by sneaking into a closet, without paying MIT fees.
Prosecutors love to get people like you on their grand juries; you’re incapable of distinguishing ad hominem from facts relevant to the actual charges.
Called Kirk’s office as a constituent to let him know I oppose it, but I doubt that will stop him.
‘ they’re lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues’
This is exactly the sort of thing that Senators think they should be doing, putting people in prison for minor law breaking, but for longer terms. It’s about time USA citizens woke up and realised what sort of nation it is becoming, one where the security forces are only there to do what they want and the bidding of some politicians. It never dawns on anyone until they are actually in the position of being accused of something. By then it’s too late!
what is the bill
“it’s plainly ridiculous for anyone to announce a new bill without releasing the actual text.” This is what they did with Obamacare and it had no issues passing. You have to pass it before you know what is in it.
Re: what is the bill
No, it’s not what they did with Obamacare. It was mainly written by Romney and enacted in his state first. Did you forget that while you were busy playing the “Thanks Obama” card?
Re: what is the bill
The Affordable Care Act was released when announced. You are conflating the (erroneous) debate that no one READ the bill with the issue of announcing a bill to the news that the news (and Congress) haven’t received yet.
Re: what is the bill
It’s sad how many people actually believe this. It just goes to show, get a bunch of angry morons and a handy out-of-context quote, and you can get people railing against their own healthcare.
Wyden
Too bad he voted to push forward TPP. Can we spell hypocrite? Let’s see – ‘h’ ‘y’ ‘p’ ‘o’ ‘c’ ‘r’ ‘i’ ‘t’ ‘e’. Yep, that about does it.
Sad it’s easier to buy a politician than a book.
Any guesses on how many are exempted from this new bill? No doubt the senators themselves are above this law they want pushed on everyone else. Probably any other government officials not including whistleblowers, the police, the courts and anyone that can buy their way out of their crimes.
Offending against the CFAA
Question: How likely is it for either/both of these Senators or their staff to have offended the CFAA?
If it is reasonable to expect that they or their staff (or even families) to have offended against the CFAA, then arrange for charges to be laid against them, their staff or families. We will then see how long it takes for them to change their minds.
Of course, they could be like the local staff at my local representative and see no problem with themselves being charged and imprisoned based solely on accusation. But then I did find their stance appeared to be based on their fear of the bogey man.
Re: Offending against the CFAA
Little girls with Facebook accounts?
American Justice phtt: No such thing.
American law is predicated on the myth of an egalitarian system. Since the elite demonstrate by their actions they are above the law we have nothing like “justice for all” in this country.
It’s all about money and power. See http://www.vox.com/2014/4/11/5581272/doom-loop-oligarchy
Transparency
“Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results.”
Senator Gillibrand understands that to be a good liar, the first thing to do is pretend that you’re a big believer in truth.
Oh come on.
If you were serious about prosecuting unauthorized access, you’d not have let the FBI spy on staffers’ computers and remove files from them without consequence.
This is not about preventing injustice. It is about giving the DoJ more ammunition to keep the populace at bay.
If you want to see how this works, compare Snowden with Petraeus. One alerted the American public to ongoing crimes against the Constitution, the other, in a position of power, traded state secrets for sex and an embellishment of his autobiography. Guess who of the two is now state enemy number one and who got away with probation?
Since the government has a lot of secrets to hide from its employer, the people, you can bet your sweet ass that the principal application of these laws will be to fight democracy and to punish people who expose government crimes, particularly those committed in cahoots with corporate and military crime lords.
Somebody should set up a computer terminal at the Capitol building with a “Please do not use” sign on it. When a Congresscritter (preferably a supporter of this crap) uses it, the terminal drops him into a prison for 40 years, strips him of his voting and gun rights, and brands him with a scarlet H for Hacker. Problem solved.
I’m very disappointed to see this coming from Senator Kirk. On the whole, he’s been more palatable than our other Illinois senator (Durbin), but his support for this actually surprises me.
Anti-Aaron's Law
Thank you for publicizing this attempt by my own Senator Mark Kirk and Senator Kirsten Gillibrand to propose an anti Aaron’s Law bill. As the mother of Aaron Swartz, I am highly offended by this grandstanding attack on a legitimate bill already introduced. They are on the wrong side of this issue and should be working with their colleagues to reduce CFAA penalties!
I would ask everyone to call their offices–Help flood the offices of Senators Kirsten Gillibrand (212-688-6262) and Mark Kirk (202-224-2854)–to protest the introduction of the anti-Aaron’s Law bill.
Re: Anti-Aaron's Law
I agree that the penalties are already severe enough, if not too severe. Reducing penalties is a tough sell, though, especially to the computer-illiterate folks on the warpath against “teenaged hackers”. I think also it is going to be difficult because the kind of situations the CFAA and wire fraud laws were supposed to be for are things like espionage, embezzlement, and bank robbery. In that light, some people think no punishment is harsh enough.
Re: Re: Actually the CFAA is supposed to stop David Lightman from playing a game
And finding backdoors to NORAD simulation mainframes in order to do so.
Wouldn’t you prefer a good game of chess?
Re: Anti-Aaron's Law
I called both of them.
Anti-Aaron's Law
Comments from the Congressional Record:
By Mr. KIRK (for himself and Mrs. Gillibrand):
S. 1027. A bill to require notification of information security
breaches and to enhance penalties for cyber criminals, and for other
purposes; to the Committee on Commerce, Science, and Transportation.
Mrs. GILLIBRAND. Mr. President, I rise to speak about two bipartisan
bills that would help to modernize the way this country approaches
cyber security.
Congress needs to get with the times and realize that the Internet is
no longer a new concept. Swiping a credit card, conducting online
banking, storing prescription records online–these are not new
activities. The cloud is no longer new. Hackers are no longer new. So
why are we still so taken aback, in shock, every time we suffer another
major cyber attack? Why are we still not requiring that consumers be
notified when their information has been stolen? Why aren’t we
unleashing law enforcement to go after cyber criminals?
If we want to defend against 21st-century threats, then we have to
bring our laws into the 21st century. We have to get out of the mindset
that the only way we can be hurt is from an actual physical attack.
Hackers don’t operate on battlefields; they operate in basements and in
cubicles.
Our approach to cyber security so far has been certifiably wrong. We
have the largest defense budget in the world by far, but that hasn’t
stopped our hospitals and banks from falling victim to a near constant
barrage of attacks. Last year, data breaches in this country hit a
record high; they were up more than 27 percent from the year before. In
New York State, between 2006 and 2013, we had nearly 5,000 individual
data breaches that were reported by businesses, not-for-profits, and
government entities. In the same period, 23 million personal records of
New Yorkers were exposed to criminals. And that is just my home State.
Imagine how big that number actually is nationwide.
We are long overdue for a new national approach to cyber security,
and I am introducing two bills that would finally make this happen. The
first is the Data Breach Notification and Punishing Cyber Criminals
Act. It would set, for the first time, a national standard for how and
when victims of cyber attacks will be informed. When an attack takes
place on a business, for example, one that has your financial data or
medical information, this law would require that you be informed
quickly, with information about what was targeted, what was taken, and
whether you were personally affected. This bill would seriously
increase the penalties on people found guilty of hacking and cyber
crime. It would raise the allowable fines and imprisonment sentences
for many of the most common cyber crimes, including identity theft and
theft of personal information.
The second bill is the Cybersecurity Information Sharing Credit Act–
a bill that would incentivize America’s businesses to share cyber
security information critical to preventing attacks, without having to
involve their competitors. Instead, businesses would be encouraged,
with significant tax credits, to adopt the preferred, most efficient
method for information sharing; that is, membership in private, sector-
specific cyber security networks designed to protect an industry, such
as health care and hospitals, from attack. At the individual level,
companies, hospitals, and banks can only do so much to protect us. Any
good cyber defense has to involve information sharing so that patterns
can be recognized, industries can bolster their defenses, and the same
hacks aren’t just repeated over and over again.
To modernize America’s approach to cyber security, we as individuals
have to take action, companies have to take action, law enforcement has
to take action, and local governments must take action. Most
importantly and most urgently, Congress has to take action. We
desperately need to modernize our cyber security laws. I urge my
colleagues to support these two bills.
Aaron Swartz had no business using the MIT network in the first place. He was working for Lessig at Harvard and could have done his business there. He didn’t because Lessig told him not to.
Re: Re:
And what is that worth? A local misdemeanor trespass or breaking and entering charge at worst—a charge which he actually got and which was dropped. I bet he jaywalked, rode his bike unsafely, and frowned at a small child, too, but I recognize that those things are not felonies, let alone wire fraud or CFAA violations.
Re: Re:
“He was working for Lessig at Harvard and could have done his business there. He didn’t because Lessig told him not to.”
Too true. He used an unauthorized network for peaceful purposes, against his employer’s expressed wishes.
So let’s charge anyone who does such horrible, heinous things, as use an unauthorized network for peaceful purposes against his employer’s wishes, with 100 years of incarceration among horny, bisexual, career criminals, and add on as many other false but frightening criminal charges as we can find, in order to get the perp to admit to the lesser charges of raping the President’s pet sheep repeatedly and assassinating 200 imaginary first graders in their sleep.
Now that’s real American Justice in action.
Meanwhile General Petraeus walks.
Re: Re:
Oh, look – it’s the contrarian trying to make a point!
Mike, you’re an idiot. Please do some research before you start making things up about the CFAA.
Re: Re:
Please cite your sources.
It’s what it did not say, that counts.
“Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results.”
And as astounding as this may sound, this is absolutely true.
The senator knows for a fact that openness and transparency would lead to accountability and better results.
This apparent truth is known as a lie by omission.
The statement simply fails to mention that he and his political friends are all more than willing to go to almost any lengths to prevent that career killing accountability and to ensure that anything that leads to better results for the American People is limited to only those Americans in his circle of rich friends and cronies, and their corporate partners and bosses.
They're really feeds when it's your family
I hope my brother Aaron Dodge sees this, The cowherd who is supposed to be Marine I financially supported for almost a year And ALWAYS been there emotionally I’m going to get the EVIDENCE I NEED TO HAVE YOU ARRESTED AND PROSECUTED