Wednesday, February 27, 2013

Is Aaron's Law necessary in Japan?

After Aaron Swartz's death, a congressman proposed "Aaron's Law." One of the main points is to clarify and limit the ambiguous and extensive prohibition of the Computer Fraud and Abuse Act ("CFAA"). It is not the purpose of this post to explain US v. Nosal or other relevant cases of the CFAA in detail. Rather, this post will discuss the question of whether Japan needs to amend its equivalent CFAA.

The Act on the Prohibition of Unauthorized Computer Access (the "Act") is the Japanese equivalent of the CFAA. The basic concept of the Act is to ban two types of "unauthorized computer access". 

The first type is misuse of fraudulently obtained ID/password (or other authentication information). A typical example is that A obtains B's ID and password by social engineering (fraudulently) and uses B's ID and password to access an Internet site protected by access control function (namely, the password authentication function). Article 2(4)(i) of the Act.

The second type is making use of the security hole. If there is a security hole, an originally impossible access to a computer (because of the access control function) becomes possible by the insertion of special information or a command. Such access is also prohibited by the Act. Article 2(4)(i) and (ii) of the Act.

I believe that compared to the CFAA, the prohibited acts of the Act on the Prohibition of Unauthorized Computer Access is more limited and clearer. The requirement of "fraudulently obtained" authentication information plays a significant role in the password misuse type unauthorized access. Let's say that Company A employs B. And B is an authorized administrator of Company A's server which is password protected. As an administrator, B obtains IDs and passwords of users of the site. What happens, if one day, B changes her mind and decides to make use of the IDs and passwords and obtain the information stored in the server for an evil purpose (perhaps B decided to quit company A and wanted to search for "useful" information for when she goes to a competitor company)? That is not a violation of the Act because B did not "fraudulently" obtain the IDs and passwords at the time B obtained them. Although that conduct might be a violation of the Unfair Competition Prevention Act which protects trade secrets, that is a different law. The Japanese version of the CFAA will not criminalize users of the sites protected by the access control functions as long as they are using their ID/password they originally lawfully (or at least non-fraudulently) obtained.

In 2012, there was a reform of the Act to make it more strict. However, the definition of "unauthorized computer access" remained unchanged. Some of the amendments are: (1) the maximum penalty for unauthorized computer access of one year imprisonment and a five hundred thousand yen fine (around $5,000) was increased to a three-year imprisonment and a million yen (around $10,000) and (2) the fraudulent acquisition of ID/passwords (such as through phishing) itself became criminalized. 

Because of this, I think that this point perhaps might be relevant in Japan.  However, Professor Lawrence Lessig argued that the "corruption" of the legislative system was the cause of the problematic laws such as the CFAA and other laws, and that the corruption problem should be changed by Aaron's Laws. I think that this point perhaps might be relevant in Japan.

DISCLAIMER: "IT Law issues in Japan" only provides general information about Japanese information technology law and does not, under any circumstances, constitute legal advice. You should first obtain the advice of professional legal counsel who is qualified in Japan before acting or refraining from acting based on this blog.

No comments:

Post a Comment