Prominent Security Researchers, Academics, and Lawyers Demand Congress Reform the CFAA and Support Aaron's Law

Deeplinks 2013-08-03

Summary:

EFF is at Black Hat and DEFCON this week, two conferences that draw a wide variety of people from tech, including security researchers, coders, engineers, and everyday users. This year, EFF is pushing its campaign around making common-sense changes to the Computer Fraud and Abuse Act—including a phone booth called the CFAA DC Dialer that allows DEFCON attendees to call their Representative.

Alex Stamos, Nico Sell, and EFF are also publishing a letter from security researchers and members of the DEFCON community calling on Congress to reform the CFAA and to support Aaron's Law, a bipartisan bill sponsored by Representatives Zoe Lofgren and Jim Sensenbrenner and Senator Ron Wyden. The letter includes prominent lawyers, professors, security researchers, and members of the tech community including Jeff Moss, Ed Felten, Alex Stamos, Stefan Savage, Cory Doctorow, Nico Sell, and Avi Rubin.

The letter calls on Congress to pass Aaron's Law, noting:

While seldom heralded publicly, security researchers in academia, industry, public service, and independent practice work to identify serious security shortcomings in systems ranging from medical devices to voting machines to cloud services to critical national infrastructure. This research and investigation is especially urgent as we find ourselves integrating computers into our homes, vehicles—even our bodies. The security research community stands ready to meet that technical challenge, but we need Congress to clear legal hurdles out of our way.

The CFAA is long overdue for reform. And Aaron's Law makes common-sense changes already confirmed by court decisions in both the Ninth and Fourth Circuits. Now is the time for Congress to act. Join us by telling your Representative now to reform the CFAA. If you'd like to sign the letter, please email info@eff.org with the subject header "DEF CON CFAA Letter." The full letter can be found here or you can read it below.

Dear Congress and members of the Senate and House Committees on the Judiciary,

We are computer security experts who have dedicated our careers to maintaining the safety and integrity of information technology systems in the service of consumers, businesses, and governments worldwide. We are also coders, developers, engineers, explorers, and users of digital technologies who care deeply about protecting those who engage in computer security research and science. We write to urge you to support HR 2454: “Aaron’s law.” It's a new bipartisan bill by Representatives Zoe Lofgren and Jim Sensenbrenner and Senator Ron Wyden aimed at reforming the Computer Fraud and Abuse Act (“CFAA”), 18 USC § 1030. The bill seeks to ensure that this work will continue to both help Americans be more secure and to ensure that American companies build better products.

While seldom heralded publicly, security researchers in academia, industry, public service, and independent practice work to identify serious security shortcomings in systems ranging from medical devices to voting machines to cloud services to critical national infrastructure. This research and investigation is especially urgent as we find ourselves integrating computers into our homes, vehicles—even our bodies. The security research community stands ready to meet that technical challenge, but we need Congress to clear legal hurdles out of our way.

We recognize that there are bad actors in the world: individuals, groups, corporations, and nations that wish to use technology to manipulate, lie, cheat, and steal. We have no desire to eliminate the ability for real crimes to be investigated and criminals judged with due process. Yet while the CFAA has a core purpose of criminalizing harmful computer intrusions that we strongly support, the law has lost its way. It now poses an increasing threat to security research. In short, applied computer security research requires experimenting with computer systems. The CFAA, due to outdated wording, makes it unlawful to access a computer system “without authorization” or “in excess of authorization.” This vague wording, while not misused in the early days of the statute, has recently allowed the Department of Justice and companies litigating under the civil enforcement provision of the law to push an expansive definition that, if applied, would make much of the best work in computer security research a serious federal crime, along with criminalizing ord

Link:

https://www.eff.org/deeplinks/2013/08/letter

Authors:

Mark M. Jaycox

Date tagged:

08/03/2013, 19:30

Date published:

08/02/2013, 22:11