Sophos Cloud Optix
In a posting to the online forum that Aaron Swartz co-founded, Rep. Zoe Lofgren on Tuesday night proposed legislation that would dial back the ferocity of the charges that were used against the internet activist.
Zofgren, a US Democratic Congresswoman from California, said in her Reddit posting that many are “deeply troubled” as details of the government’s involvement in the events leading up to the activist’s death unfold:
"His family's statement about this speaks volumes about the inappropriate efforts undertaken by the U.S. government. There’s no way to reverse the tragedy of Aaron's death, but we can work to prevent a repeat of the abuses of power he experienced."
In that statement, the Swartz family called Aaron’s death – an apparent suicide – the product of “a criminal justice system rife with intimidation and prosecutorial overreach.”
Lofgren’s so-called “Aaron’s Law” [PDF of the bill’s draft] would change the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute—laws that formed the basis of 13 felony counts of hacking and wire fraud [PDF] brought against Swartz.
The charges carried the possibility of decades in prison and devastating fines.
As noted by the Electronic Frontier Foundation’s Marcia Hoffman, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access”, but it doesn’t clearly explain what a lack of “authorization” actually means.
Prosecutors have taken advantage of that murkiness, Hoffman writes:
"Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like."
Hoffman points to one infamous example: that of United States v. Drew, a case in which a woman created a fake MySpace page to taunt a teenage girl who became distraught and committed suicide.
Because no crime made the bullying itself illegal, prosecutors charged Drew under the CFAA, claiming her fake profile violated MySpace’s terms of use, which made her access to the social networking site’s computers “unauthorized,” Hoffman says.
Using vague wording in such a way could criminalize many everyday activities and allow for “outlandishly severe penalties,” Hoffman wrote.
To avoid such misuse, Lofgren is proposing changing the CFAA and the wire fraud statutes to exclude terms of service violations.
Will this bill mitigate creative prosecutorial interpretations of the CFAA?
It could, given that “exceeding authorized access,” as it comes under the scope of the existing law, would no longer be liable for criminal fines and prison time.
But as one commenter on Zofgren’s announcement noted, the CFAA is only one of hundreds of laws in a prosecutor’s toolbox.
And as Reddit commenter droogans noted, as we consider such legislation, we should take it with a grain of salt, given that, unfortunately, politicians aren’t above capitalizing on tragedy:
droogans These "named in post tragedy" bills are knee jerk reactions, can be rushed, and could include stipulations that go against the spirit of the intended fixes proposed. I hope we all see past the name, and remember that politicians play to our heartstrings, and aren't above using it to further any personal advantage that they can.
Let’s hope that the CFAA and wire fraud statutes do get amended sincerely, in the way that Lofgren proposes, in a spirit that does honor to his memory.
I read somewhere that the Swartz was offered a plea bargain with a six-month sentence.
The whole "30 year" or "35 year" thing was just the maximum terms all added up consecutively…that's what the media seems to do. With a shorter maximum term but lots of specimen charges you could still get a very long sentence, but then someone who could only be charged even on one really serious count would get off lightly.
Uhh, something about the style guidelines used for Naked Security:
How does one tell which of the photos is Aaron Schwartz, which is Lisa Vaas, which is Zoe Lofgren, and which is Marcia Hoffman? Picture captions or tooltips would be real helpful here.
While it seems fairly obvious which one is Aaron, I do agree completely. One shouldn't need to resort to hovering a mouse cursor over a photo to determine who is in the photo.
Come on Sophos. You guys know better than that.
Aaron Schwartz is the guy, dude.
"the CFAA makes it illegal to gain access to protected computers "without authorization" or in a manner that "exceeds authorized access", but it doesn't clearly explain what a lack of "authorization" actually means."
The meaning of the word "authorization" is self explanatory. This reminds me of when Bill Clinton tried to bring into question the meaning of the word "sex". These democrats need to buy a good dictionary and educate themselves.
isn't it obvious? When it isn't your computer and you do not have permission, stay out. You know when you are violating some else's computer. You cannot feign ignorance. Hackers know who they are and they are trash no matter what kind of high ideals or purpose they pretend to have. I feel like the same rules should apply to the government as well.
Abuse of power? What that guy did was an abuse of freedom. I can't stand hackers of any kind. No one should be poking around other peoples' computers without permission. They can all go to jail for all I care.