“Aaron’s Law” would partly de-fang Computer Fraud and Abuse Act

In a posting to the online forum that Aaron Swartz co-founded, Rep. Zoe Lofgren on Tuesday night proposed legislation that would dial back the ferocity of the charges that were used against the internet activist.

Lofgren, a US Democratic Congresswoman from California, said in her Reddit posting that many are “deeply troubled” as details of the government’s involvement in the events leading up to the activist’s death unfold:

"His family's statement about this speaks volumes about the inappropriate efforts undertaken by the U.S. government. There’s no way to reverse the tragedy of Aaron's death, but we can work to prevent a repeat of the abuses of power he experienced."

In that statement, the Swartz family called Aaron’s death – an apparent suicide – the product of “a criminal justice system rife with intimidation and prosecutorial overreach.”

Lofgren’s so-called “Aaron’s Law” [PDF of the bill’s draft] would change the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute—laws that formed the basis of 13 felony counts of hacking and wire fraud [PDF] brought against Swartz.

The charges carried the possibility of decades in prison and devastating fines.

As noted by the Electronic Frontier Foundation’s Marcia Hoffman, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access”, but it doesn’t clearly explain what a lack of “authorization” actually means.

Prosecutors have taken advantage of that murkiness, Hoffman writes:

"Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behavior the prosecutors don't like."

Hoffman points to one infamous example: that of United States v. Drew, a case in which a woman created a fake MySpace page to taunt a teenage girl who became distraught and committed suicide.

Because no crime made the bullying itself illegal, prosecutors charged Drew under the CFAA, claiming her fake profile violated MySpace’s terms of use, which made her access to the social networking site’s computers “unauthorized,” Hoffman says.

Using vague wording in such a way could criminalize many everyday activities and allow for “outlandishly severe penalties,” Hoffman wrote.

To avoid such misuse, Lofgren is proposing changing the CFAA and the wire fraud statutes to exclude terms of service violations.

Will this bill mitigate creative prosecutorial interpretations of the CFAA?

It could, given that “exceeding authorized access,” as it comes under the scope of the existing law, would no longer be liable for criminal fines and prison time.

But as one commenter on Lofgren’s announcement noted, the CFAA is only one of hundreds of laws in a prosecutor’s toolbox.

And as Reddit commenter droogans noted, as we consider such legislation, we should take it with a grain of salt, given that, unfortunately, politicians aren’t above capitalizing on tragedy:

droogans: These "named in post tragedy" bills are knee-jerk reactions, can be rushed, and could include stipulations that go against the spirit of the intended fixes proposed. I hope we all see past the name, and remember that politicians play to our heartstrings, and aren't above using it to further any personal advantage that they can.

Let’s hope that the CFAA and wire fraud statutes do get amended sincerely, in the way that Lofgren proposes, in a spirit that does honor to Swartz’s memory.