Aaron's Law Is Doomed Leaving US Hacking Law 'Broken'

This article is more than 9 years old.

A bill named after the late internet activist Aaron Swartz that was supposed to update much-criticized US hacking law is almost certain to be left to wither in Congress, according to various sources with knowledge of the matter. A stalemate has emerged between Representative Zoe Lofgren, who was carrying the bill into the House with Senator Ron Wyden, and the House Judiciary Committee headed up by Representative Bob Goodlatte, which has chosen not to discuss or vote on Aaron’s Law.

“There is still a pressing need for Computer Fraud and Abuse Act [CFAA] reform, and I stand by the bill I authored and introduced to do just that,” Representative Lofgren said in an email. “Unfortunately, Chairman Goodlatte has refused to schedule any debate or vote on this important issue – only he can explain why he refuses to move this bipartisan bill forward.”

Senator Wyden said he was disappointed by the inactivity in Congress. “I regret that many in Congress fail to see the harm done by this law and the need to take action to fix it. Members of Congress should be appalled at the disparity between how the Department of Justice handled Aaron’s case and how it is handling the CIA breaking into Congressional computers.”

Jessica Collins, press secretary at the House Judiciary Committee, said Representative Goodlatte still supported reform of the CFAA, but the body had no plans to move the bill for a markup. That means Aaron’s Law still has a chance of passing through, but a very slim one.

Aaron Swartz at a Creative Commons event. (Photo credit: Wikipedia)

There are various reasons for the impasse. One is that the plans simply haven't elicited much interest from lawmakers or the general public, said Orin Kerr, professor of law at the George Washington University Law School. “This reform only captured the attention of a small group of people. It's not an issue that resonates with the public - at least yet,” Kerr told me.

Other sources said the proposals simply went too far in trying to weaken the CFAA, which has been criticized for allowing hefty sentences for ostensibly minor offences. The purpose of Aaron’s Law was to clear up the vagueness of current legislation, which states that anyone who accesses a computer without proper authorization or in a way that “exceeds authorization” can be prosecuted. According to a Wired article penned by Representative Lofgren last year, this meant breaking Facebook’s terms of service could be classed as a criminal act, as could checking personal email on a work computer.

Aaron’s Law would have ensured that breaches of terms of service, employment agreements or contracts would not automatically be deemed violations of the CFAA. It would also look to remove the potential for duplicate charges for the same offence and bring “greater proportionality” to sentences.

Before committing suicide in January 2013, Swartz was being pursued by US law enforcement for downloading reams of documents from online archive JSTOR, using a connection at the Massachusetts Institute of Technology (MIT). He was looking at more than 30 years in prison. Swartz’s family and friends blamed those behind the investigation for his death, claiming they had gone too far to prosecute Swartz for CFAA offences for what many considered a minor crime.

Yet some in Congress still believe the CFAA should be updated to allow for tougher sentencing. There remains a divide between those looking for a stricter law to keep up with the growing menace of cyber crime and those keen for a considerably softer approach, which is further delaying progress.

Private interests are also holding up discussions around the CFAA. Various companies are known to have lobbied on Capitol Hill in an attempt to block change. Business software maker Oracle has been busy trying to influence lawmakers. As its publicly available lobbying disclosures note, the company spent vast sums in 2013 on fighting Aaron's Law. Oracle said it had no comment.

“Some particular companies offered a fierce attack on common sense changes to the CFAA due to certain companies’ use of the CFAA not as a statute being used in civil suits to prosecute computer hacking as it was originally intended, but being used to protect trade secrets,” said Mark Jaycox, legislative analyst at the Electronic Frontier Foundation.

Meanwhile, another source said the law’s connection with Swartz was enough to put key members of Congress off. A simple repackaging of the law without his name attached to it would have a better chance of making it through, the source said.

There is general agreement, however, that the CFAA needs an urgent update. That's largely because the CFAA is being used against those trying to fix vulnerabilities on the internet. Various members of the security community, which is descending on Las Vegas for 2014’s BlackHat conference this week, have told me they have been threatened with law enforcement action over research efforts that were supposed to shore up the web and the machines connected to it. They include Zach Lanier of Duo Security and HD Moore of Rapid7, both highly respected security pros. Given that simply scanning systems for the infamous Heartbleed bug could have been deemed a felony, it’s become apparent that even those trying to do good are considered criminals.

According to the world’s benevolent hackers, US law requires a rethink. But at the current rate of progress, it might be some time before anything changes.