Wyden, Lofgren, Paul Introduce Bipartisan, Bicameral Aaron’s Law to Reform Abused Computer Fraud and Abuse Act

WASHINGTON, D.C. – U.S. Senators Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) Representative Zoe Lofgren (D-Calif.) introduced bipartisan legislation today to better target serious criminals and curb overzealous prosecutions for non-malicious computer and Internet offenses.

The legislation, inspired by the late Internet innovator and activist Aaron Swartz, who faced up to 35 years in prison for an act of civil disobedience, would reform the quarter-century old Computer Fraud and Abuse Act (CFAA) to better reflect computer and Internet activities in the digital age. Numerous and recent instances of heavy-handed prosecutions for non-malicious computer crimes have raised serious questions as to how the law treats violations of terms of service, employer agreement or website notices.

Cosponsors of the legislation also include U.S. Representatives Jim Sensenbrenner (R-Wis.), Mike Doyle (D-Pa.), Dan Lipinski (D-Ill.) and Jared Polis (D-Colo.).

“Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” Wyden said. “The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution. Aaron’s Law would curb this abuse while still preserving the tools needed to prosecute malicious attacks.”

"The Computer Fraud and Abuse Act is long overdue for reform," said Lofgren. "At its very core, CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities."

“I am proud to join Sen. Wyden and Rep. Lofgren today in offering this bipartisan and bicameral legislation which will amend the Computer Fraud and Abuse Act. Aaron’s Law will reduce overbroad prosecutions and adjust unfair sentencing practices,” Paul said.

Aaron’s Law would address fundamental problems with the CFAA by:

Establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on 9th and 4th Circuit Court opinions, the bill would instead define 'access without authorization' under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under the strong CFAA provisions this bill does not modify.

Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.

Bringing greater proportionality to CFAA penalties. Currently, the CFAA's penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for non-felony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.

Aaron’s Law was first introduced by Sen. Wyden and Rep. Lofgren in the 113th Congress.

Click here for bill text, and a section-by-section summary of the legislation.