'Aaron's Law' Is Back to Try to Reform Overbroad US Hacking Laws

The controversial anti-hacking law called Computer Fraud or Abuse Act, or CF​AA, was passed more than 30 years ago, before the internet came into everyone's life, and even before the first virus spread online.

Yet the law has practically remained untouched, despite the fact that pretty much everyone from lawmakers to activists and internet law experts agree that it's outdated. Critics say it also allows prosecutors to abuse their power by threatening hackers and security researchers with outsized prison convictions.

Now, a group of lawmakers led by Sen. Ron Wyden (D-Ore.), Representative Zoe Lofgren (D-Calif.), and presidential hopeful Sen. Rand Paul (R-Ky.), are trying once again to reform it with a bill called "Aaron's Law," in honor of the late coder and activist Aaron Swartz, who committ​ed suicide in early 2013 while he was awaiting trial for illegally downloading millions of academic documents from an online database. He was potentially facing 35 years and $1 millions in fines for these actions.

The lawmakers, who ​introduced the bill on Tuesday, believe that the law is too harsh, and criminalizes some activities that should not lead to prison.

"Violating a smartphone app's terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files," Wyden said in a statem​ent, referring to the CIA hacking scandal.

If a 19 year old hacker did what the CIA did, (s)he would be in jail. CIA has not been punished at all. — Ron Wyden (@RonWyden)April 21, 2015

Basically, the bill would change the definition of "access without authorization"—one of the most controversial parts of the CFAA—to limit it to "circumventing technological or physical controls," and not merely breaching terms of service, which is practically what Swartz did.

It also would try to limit prosecutor's discretion, according to a sum​​mary of the legislation, preventing them from inflating penalties.

"At its very core, CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations," Lofgren, the representative who first propos​ed "Aaron's Law" in 2013, said in a statement.

Given that lawmakers already tried to ​pass "Aaron's Law" before, only to see the bill die without much fanfare last year, it's unclear if new push will succeed. Last year, "Aaron's Law" was killed by Congress' inactivity and lack of interest, and also perhaps by the fact that none of the tech giants lobbied for it and prac​tically stonewalled it.

It's unclear if any of this will be different this time.