Congresswoman Zoe Lofgren has posted a new draft version of “Aaron’s Law,” an amendment to 18 U.S.C. 1030 in the wake of the Aaron Swartz case. In this new draft, Lofgren adopts the idea I floated and others have since adopted of eliminating the concept of “exceeds authorized access” and instead defining “access without authorization.” Readers may recall that I proposed the following definition of “access without authorization”:
“access without authorization” means to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer;
Lofgren proposes a much more complex definition of “access without authorization.” Here’s Lofgren’s language:
‘access without authorization’— (A) means—
(i) to obtain or alter information on a protected computer;
(ii) that the accesser lacks authorization to obtain or alter; and
(iii) by circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information; and
(B) does not include the following, either in themselves or in combination—
(i) a violation of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement with an online service provider, Internet website, or employer; or
(ii) efforts to prevent personal identification of a computer user, or identification of a user’s hardware device or software, through a user’s real name, personally identifiable information, or software program or hardware device identifier(s);’’
Based on a quick read, I think this definition has some problems. To explain my views, I’ll put Lofgren’s text in italics section-by-section and then offer my comments in plain text following it:
‘access without authorization’— (A) means (i) to obtain or alter information on a protected computer; (ii) that the accesser lacks authorization to obtain or alter;
This language is taken from the current definition of “exceeds authorized access” in the existing 18 U.S.C. 1030(e)(6), but I’m not sure what work it does here. I gather that (i) provides a definition of “access” to a computer — defining it as the obtaining or altering of information on that computer. I’m not sure that is how we would want to define “access,” but then perhaps that depends on how broadly one reads “alter information” on a computer. Is every use of a computer something that “alters” information in it for purposes of the statute? Or is the threshold for “altering” supposed to be something higher? I’m not sure. In general, though, I think the wiser approach is to interpret access broadly and then limit the statute through the authorization prong; I’m not sure if (i) does that.
As for (ii), that language shares the problematic circularity of the existing definition of “exceeds authorized access.” The language says that a person isn’t allowed to do what they’re not allowed to do. But that begs the question of what a person is allowed to do, so it’s not clear what the language is supposed to mean.
by circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information; and
This language strikes me as a bit confusing. Read literally, it appears to say that if you can break in then you must be authorized. After all, if an unauthorized person has circumvented the measure and obtained or altered information, then obviously the measure didn’t exclude or prevent unauthorized individuals from obtaining or altering that information. Perhaps that language works better if you insert the phrase “designed to” before “exclude or prevent”?
(B) does not include the following, either in themselves or in combination— (i) a violation of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement with an online service provider, Internet website, or employer; or
This language is redundant. An “agreement, policy, duty, or contractual obligation” is not a “technological measure,” so the exclusion in (B)(i) doesn’t actually subtract anything from (A). I gather that the language was added to make extra sure that courts know that the statute does not prohibit breaching TOS or a policy. So interpreted, perhaps the language is harmless. At the same time, I always worry that redundant language might lead courts astray. Courts like to invoke the maxim that every word or phrase in a statute should be treated as having meaning and not as surplusage. In light of that, the intentional addition of surplusage in (B)(i) may have the unintended effect of leading courts to read the definition in (A) more broadly to give the exclusion in (B)(i) independent meaning.
(B) does not include . . . (ii) efforts to prevent personal identification of a computer user, or identification of a user’s hardware device or software, through a user’s real name, personally identifiable information, or software program or hardware device identifier(s);
I assume the purpose of this language was to try to carve out an exception for IP and MAC address spoofing in light of the fact that Swartz did this in his accessing the MIT computer. Assuming such a carve out is a good idea — a question I’m not so sure about, but let’s assume that as a goal — the language here seems problematic. One of the core examples of “access without authorization” is using someone else’s password to access their private account without their permission. But it’s possible to read (B)(ii) as saying that this is legal. Imagine Joe runs a program designed to crack Sally’s password, and he uses the password to login to her account and read her personal e-mail. In that case, Joe is using a software program to try to get information to disguise himself as Sally (or someone with Sally’s permission) so he could access her e-mail. Isn’t that an example of “efforts to prevent personal identification of a computer user . . . through a . . . software program” that would be exempt from liability under this language?
Finally, it’s worth noting the uncertainty of whether Swartz would have been criminally liable for violating the CFAA even under this version of “Aaron’s Law.” Swartz entered the closet at MIT and physically connected his laptop to the non-public MIT computer inside. Neither Lofgren’s latest draft nor my own proposed definition of “access with authorization” is clear about how to treat this kind of circumvention of physical access barriers. Let’s put the facts of the Swartz case aside and imagine a few hypotheticals. First, imagine you bring your laptop to a coffee shop and leave it there while you get up to get another latte. While you are up and not paying attention, a man you have never seen before takes his thumb drive and connects it to your machine to get information from your machine. Is the man accessing your computer without authorization, or has he not circumvented a technological access barrier? Next consider the difference between two situations. In the first situation, Sally’s computer workstation is set up in a room but is password protected. Joe accesses the computer by guessing the password, which is a classic case of access without authorization. In the second situation, Sally’s computer workstation is in a room but enclosed in steel box with a combination lock. Joe accesses the computer by guessing the combination on the lock, removing the case, and then using Sally’s machine. Should this also be access without authorization, or is there a difference between a password gate and a physical lock? How should the law treat physical access restrictions, and what kind of physical access restrictions should be covered under the statute? Perhaps the answer is all of them, in which case the word “technological” should be replaced by “technological or physical.” Or perhaps some kind of physical barriers should not be enough. Either way, it’s an issue that merits more attention. (Thanks to Harriet Pearson for raising it.)