Aaron’s Law and the CFAA

The man who stopped the recent global cyberattack known as WannaCry has been arrested for allegedly creating a virus of his own that aimed to steal people’s banking details online.

Marcus Hutchins, who is also known as Malwaretech, was indicted on six counts last month, and was arrested on Wednesday.

Hutchins was charged with one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.

The alleged conduct for which Hutchins was arrested occurred between approximately July 2014 and July 2015.

Background of excessive over-reach

What is Aaron’s Law?

Definition – What does Aaron’s Law mean?
Aaron’s Law is pending legislation introduced in response to the death of Aaron Swartz, a respected and celebrated political activist, computer programmer and entrepreneur who founded Demand Progress and co-founded Reddit. Swartz died January 11, 2013, at the age of 26.

Introduced by Rep. Zoe Lofgren (D-Calif.), Aaron’s Law would amend the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. In 2010, Swartz was charged with 13 felony wire fraud and hacking charges based on these laws. If Swartz had been convicted, he might have been forced to pay a large fine or received a prison sentence of up to 35 years.

U.S. Senators Ron Wyden (D-Ore.) and Rand Paul (R-Ky.) and Representative Zoe Lofgren (D-Calif.) introduced bipartisan legislation in 2015 to better target serious criminals and curb overzealous prosecutions for non-malicious computer and Internet offenses.

Cosponsors of the legislation also include U.S. Representatives Jim Sensenbrenner (R-Wis.), Mike Doyle (D-Pa.), Dan Lipinski (D-Ill.) and Jared Polis (D-Colo.).

“Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” Wyden said. “The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution. Aaron’s Law would curb this abuse while still preserving the tools needed to prosecute malicious attacks.”

“The Computer Fraud and Abuse Act is long overdue for reform,” said Lofgren. “At its very core, CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It’s time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities.”

“I am proud to join Sen. Wyden and Rep. Lofgren today in offering this bipartisan and bicameral legislation which will amend the Computer Fraud and Abuse Act. Aaron’s Law will reduce overbroad prosecutions and adjust unfair sentencing practices,” Paul said.

Aaron’s Law would address fundamental problems with the CFAA by:

Establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. By using legislative language based closely on 9th and 4th Circuit Court opinions, the bill would instead define ‘access without authorization’ under the CFAA as gaining unauthorized access to information by circumventing technological or physical controls — such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would continue to be fully prosecutable under the strong CFAA provisions this bill does not modify.

Bringing balance back to the CFAA by eliminating a redundant provision that enables an individual to be punished multiple times through duplicate charges for the same violation. Eliminating the redundant provision streamlines the law, but would not create a gap in protection against hackers.

Bringing greater proportionality to CFAA penalties. Currently, the CFAA’s penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for nonfelony charges under CFAA (i.e., charges with penalties carrying less than a year in prison). The bill ensures prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.

(a) IN GENERAL.—Section 1030(e)(6) of title 18, United States Code, is amended by—

(1) striking ‘‘exceeds authorized access’’ and all that follows; and

(2) inserting the following: ‘‘ ‘access without authorization’ means—

‘‘(A) to obtain information on a protected computer;

‘‘(B) that the accessor lacks authorization to obtain; and

‘‘(C) by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information;’’.

(b) CONFORMING AMENDMENT.—Section 1030 of title 18, United States Code, is amended—

(1) in subsection (d)(10), by striking ‘‘unauthorized access, or exceeding authorized access, to ’’ and inserting ‘‘access without authorization of a protected’’; and
(2) by striking ‘‘exceeds authorized access’’ each place it appears.

(a) REPEAL.—Section 1030(a) of title 18, United States Code, is amended—
(1) by striking paragraph (4); and
(2) by redesignating paragraphs (5), (6), and (7) as paragraphs (4), (5), and (6), respectively.

AMENDMENTS.—Section 1030 of title 18, United States Code, is amended—

(1) in subsection (c)—

(A) in paragraph (2), by striking ‘‘(a)(6)’’ each place it appears and inserting ‘‘(a)(5)’’; and

(B) in paragraph (3)—

(i) in subparagraph (A), by striking ‘‘subsection (a)(4) or (a)(7)’’ and inserting ‘‘subsection (a)(6)’’; and

(ii) in subparagraph (B), by striking ‘‘subsection (a)(4), or (a)(7)’’ and inserting ‘‘subsection (a)(6)’’; and

(C) in paragraph (4)—

(i) in subparagraph (A)(i), in the matter preceding clause (i), by striking ‘‘subsection (a)(5)(B)’’ and inserting ‘‘subsection (a)(4)(B)’’;

(ii) in subparagraph (B)(i), by striking ‘‘subsection (a)(5)(A)’’ and inserting ‘‘subsection (a)(4)(A)’’;

(iii) in subparagraph (C)(i), by striking ‘‘subsection (a)(5)’’ and inserting ‘‘subsection (a)(4)’’;

(iv) in subparagraph (D)(i), by striking ‘‘subsection (a)(5)(C)’’ and inserting ‘‘subsection (a)(4)(C)’’;

(v) in subparagraph (E), by striking ‘‘subsection (a)(5)(A)’’ and inserting ‘‘subsection (a)(4)(A)’’;

(vi) in subparagraph (F), by striking ‘‘subsection (a)(5)(A)’’ and inserting ‘‘subsection (a)(4)(A)’’; and

(vii) in subparagraph (G)(i), by striking ‘‘subsection (a)(5)’’ and inserting ‘‘subsection (a)(4)’’; and

(2) in subsection (h), by striking ‘‘subsection (a)(5)’’ and inserting ‘‘subsection (a)(4)’’.


(a) Section 1030(c)(2) of title 18, United States Code, is amended—

(1) in subparagraph (A)—

(A) by striking ‘‘conviction for another’’ and inserting ‘‘subsequent’’; and

(B) by inserting ‘‘such’’ after ‘‘attempt to commit’’;

(2) in subparagraph (B)(i), by inserting after ‘‘financial gain’’ the following: ‘‘and the fair market value of the information obtained exceeds $5,000’’;

(3) in subparagraph (B)(ii), by striking ‘‘the offense was committed’’ and all that follows through the semicolon, and inserting the following: ‘‘the offense was committed in furtherance of any criminal act in violation of the Constitution or laws of the United States or of any State punishable by a term of imprisonment greater than one year, unless such criminal acts are prohibited by this section or such State violation would be based solely on accessing information without authorization;’’;

(4) in subparagraph (B)(iii), by inserting ‘‘fair market’’ before ‘‘value’’; and

(5) in subparagraph (C)—

(A) by striking ‘‘conviction for another’’ and inserting ‘‘subsequent’’; and

(B) by inserting ‘‘such’’ after ‘‘attempt to commit’’.


