Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers

from the someone-buy-these-senators-a-clue dept

This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims.

The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Yesterday, we wrote about an important new bill, Aaron's Law , from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It's a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you're unaware, the CFAA isto be a law to be used against people doing malicious hacking, but the wording is so broad and problematic, it has been used against people for merely violating the terms of service on a website, or someone using a work computer for non-work-related items -- which could lead to excessively long jail terms. The reason Aaron's Law is named that is because of Aaron Swartz, the guy that Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR -- despite the fact that he did so on the MIT campus where the campus had a site license that allowed anyone on their network to download all the JSTOR papers.As we noted in our post, there are still some who are pushing in the other direction -- and they didn't waste much time. The very same day that Aaron's Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a "We Should Have Threatened Aaron With More Years In Jail" Act. Okay, technically it's called the Data Breach Notification and Punishing Cyber Criminals Act -- and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither link to it, and Congress's website has a placeholder saying that it hasn't received the actual text yet either. Hopefully that will change soon.*It's bizarre that they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone's focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a "throw in." The quotes, however, on this part of the bill are ridiculous. Here's Senator Kirk 's press release:And Senator Gillibrand's It's the whole "obtaining information from a protected computer without authorization" that is a serious concern here, as that's part of what's been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used repeatedly for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in time from crazily high to insanely high isn't going to change a damn thing. And if these two Senators can't understand that, they shouldn't be touching the CFAA at all.

Filed Under: aaron swartz, cfaa, cfaa reform, hacking, kirsten gillibrand, mark kirk