First proposed over two years ago, “Aaron’s Law” — a proposed softening of the terms of the Computer Fraud and Abuse Act (CFAA) — is again being considered by Congress. Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., introduced the Senate version, while Rep. Zoe Lofgren, D-Calif., put forth the bill in the House.
The update to the CFAA would help “better target serious criminals and curb overzealous prosecutions for non-malicious computer and Internet offenses,” according to its authors. Nearly every argument in favor of Aaron’s Law focuses on the second half of that rationale: the belief that the current language in the CFAA goes beyond its original intent (preventing hacking) and instead leaves the door open to aggressive prosecution of insignificant lawbreakers.
It’s this abuse, the CFAA critics claim, that led to the 2014 suicide of Aaron Swartz, the Internet activist, programmer, writer and co-founder of Reddit. In January 2011, Swartz was arrested on breaking-and-entering charges and federal computer hacking and fraud offenses. He was charged with 11 violations of the CFAA as well as two counts of wire fraud — charges that his allies and friends claim did not fit the crime and led to his suicide.
What was Swartz’s crime? Downloading articles from the digital repository JSTOR over the MIT Network, which he jerry-rigged his way into through a legally questionable method. In the end, the state prosecutors dropped two of the three charges against Swartz — but the federal officials involved in the case added nine felony counts. As a result, Swartz faced decades in prison and over $1 million in fines. In exchange for a guilty plea, prosecutors were willing to offer a six-month sentence in a low-security facility. Swartz refused. The government would have to make its case against him in open court.
MIT, whose network Swartz used, and JSTOR, whose articles Swartz downloaded were considered the victims in the case, and yet both declined to pursue civil litigation. The federal prosecutors, however, continued to press their case. It was only after Swartz hanged himself on Jan. 11, 2013, that prosecutors dropped the charges against him.
Swartz’s suicide unleashed a firestorm of criticism, most of it directed against MIT, for not pushing for more lenient treatment, and against the federal prosecutors, for not backing down. That initial public outcry led to “Aaron’s Law.” Rep. Lofgren had this to say about the re-introduction:
“The Computer Fraud and Abuse Act is long overdue for reform. At its very core, CFAA is an anti-hacking law. Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It’s time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities.”
What does “Aaron’s Law” do? At the moment, anyone who violates a terms of service agreement or an employment contract while accessing a computer can be accused of and prosecuted for “unauthorized access.” The proposed law would make that impossible. It would also eliminate the vagueness in the CFAA that allows for the filing of duplicate charges for the same crime, as well as regulate the ability of prosecutors to stiffen up penalties and fines in an effort to force a plea deal.
For the CFAA’s critics, the 1986 legislation is unsuited to the times, and it is “so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution,” according to Wyden. Co-sponsored by Reps. Jim Sensenbrenner, R-Wis., Mike Doyle, D-Pa., Dan Lipinski, D-Ill., and Jared Polis, D-Colo., it remains to be seen whether the bill’s second effort can go any further than its first — but this is a bill that illustrates the challenges of anachronistic policy can create, and the human consequences we often fail to consider.
