Rep. Zoe Lofgren (D-Calif) and Sen. Ron Wyden (D-Ore) have introduced “Aaron’s Law,” a billed named after Aaron Swartz, who committed suicide while facing federal charges. The bill would amend the Computer Fraud and Abuse Act (CFAA) by providing that simply violating term of services, website notices, contracts or employment agreements are not violations. According to the sponsors, the amendment is necessary to “distinguish between common online activities and harmful attacks.”In particular, the bill would strike the phrase “exceeds authorized access,” from the statue and would amend the existing definition of “access without authorization” to “obtain information on a computer that the accesser lacks authorization to obtain; and by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” The summary of the bill provides that “’access without authorization’ would include bypassing technological or physical measures via deception (as in the case with phishing or social engineering, and scenarios in which an authorized individual provides a means to circumvent to an unauthorized individual (i.e, sharing login credentials). Examples of technological or physical measures include password requirements, cryptography, or locked office doors.” The sponsors assert that the proposed definition of “access without authorization” is based on recent Ninth and Fourth Circuit decision.
The bill would also eliminate 1030(a)(4) as being redundant. This subsection currently provides that a person who knowingly and with intent to defraud accesses a protected computer without authorization and obtains anything of value over $5,000 is guilty of a felony. According to the sponsors, such persons can be charged under 1030(a)(2), which is the broadest subsection of the CFAA.
While the bill does provide needed clarification on what it means to “access without authorization,” it does not address the impact that this would have civil actions that also be brought under the CFAA. Further, there is nothing to suggest that the sponsors considered this issue as part of considering various proposals to amend the CFAA. At present, victims of trade secret theft committed by employees or former employees have used the CFAA as a mechanism to assert jurisdiction in federal court. For example, employers have asserted violations of the CFAA against an employee who just prior to leaving the employment downloads files and information and uses that information at his next job or start a company. At least under the broad reading of the statute, the employee has exceeded authorized access because, while the employee may have had authorization to access the information, the employee did not have authorization to use the information to the detriment of his employer. Thus, the employer could maintain an action in federal court for violation of the CFAA and include a state claim for theft of trade secrets. The proposed amendment would eliminate this basis for federal jurisdiction.
I have written a lot about the importance of protecting intellectual property and the need for a federal civil trade secret law. Amending the CFAA as proposed by Rep. Lofgren and Sen. Wyden would have the impact of weakening the rights of intellectual property owners. I suggest that the bill should be revised to permit civil actions for violating a term of service. This proposed revision would mean that employers, for example, who have suffered damage when an employee misappropriates confidential information would still have the right to bring an action in federal court. Preferably, Congress should use this as an opportunity to finally pass a civil trade secrets law.