Aaron’s Law To Fix US Computer Hacking Rules Introduced

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Tragic death of Aaron Swartz could bring about positive change

US representatives have launched Aaron’s Law, a bill named after the late Internet activist Aaron Swartz, which would amend US computer hacking laws that been the subject of much criticism.

Representative Zoe Lofgren, along with four others, brought the Aaron’s Law Act of 2013 before the House of Representatives. It will have to be passed by Congress and then signed off by the Senate if the the Computer Fraud and Abuse Act (CFAA) is to be amended.

Aaron Swartz 3Fixing computer hacking laws

Swartz committed suicide earlier this year, having been investigated for alleged computer hacking offences after he set up a system to siphon off JSTOR documents. Swartz’s family claimed he was hounded by law enforcement, which contributed to his decision to end his life.

He was facing decades in prison for what he did – something many saw as egregious given the limited damage caused. Subsequently, calls to fix computer hacking laws were greeted with action by US politicians, especially California congresswoman Lofgren.

“Swartz’s passing in January spotlighted serious problems with the vague wording of the CFAA. Among those concerns is how the law treats violations of terms of service, employer agreements, or website notices,” a note on Lofgren’s website read today.

“Aaron’s Law refocuses the CFAA away from common computer and Internet activity and back towards targeting damaging hacks, as originally intended.”

The biggest problem with the CFAA, it is argued, is its vagueness. It states that it is a criminal offence to access a computer without authorisation or in a way that exceeds authorisation, which gives US law enforcement a lot of room to apply the law.

Aaron’s Law would ensure a “mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA”.

“The bill would … define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls – such as password requirements, encryption, or locked office doors.”

It would also bring greater “proportionality” to penalties by preventing judges from inflating sentences by using multiple charges for a single breach.

What do you know about Internet security? Find out with our quiz!

Read also :