Rep. Zoe Lofgren (D-California) and Sen. Ron Wyden (D-Oregon) introduced Thursday the latest version of “Aaron’s Law,” a proposal the congresswoman started putting together earlier this year in an attempt to bring reform to the Computer Fraud and Abuse Act of 1986.
Lofgren announced on the website Reddit in January that she was aiming to make changes to the CFAA in honor of Swartz, who committed suicide just days earlier while awaiting trial for a computer hacking case that could have ended with a sentence of several decades if he was found guilty. Swartz, who helped program Reddit and a number of other projects, was charged by federal prosecutors with accessing thousands of academic journal articles from the website JSTOR without authorized permission. He was only 26 years old when he took his life on January 11.
“Aaron did not commit suicide but was killed by the government,” father Robert Swartz said during his son’s funeral service. “Someone who made the world a better place was pushed to his death by the government.”
In the wake of his passing, Lofgren asked for help in drafting changes to the CFAA that would ensure others like Swartz won’t stand in the face of similar sentences for nonviolent computer crimes. On Thursday, both Lofgren and Wyden co-authored an article on Wired.com introducing “Aaron’s Law Act of 2013” and explaining why they say reform must occur.
“The CFAA is a sweeping Internet regulation that criminalizes many forms of common Internet use,” they wrote. “It allows breathtaking levels of prosecutorial discretion that invites serious abuse. As Congress considers policies to preserve an open Internet as a platform for ideas and commerce, reforming the CFAA must be included.”
“As written, the CFAA makes it a federal crime to access a computer without authorization or in a way that exceeds authorization. Confused by that? You’re not alone. Congress never clearly described what this really means. As a result, prosecutors can take the view that a person who violates a website’s terms of service or employer agreement should face jail time,” the lawmakers wrote.
In January, Lofgren posted on Reddit that “There’s no way to reverse the tragedy of Aaron’s death, but we can work to prevent a repeat of the abuses of power he experienced.”
“The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute,” she wrote.
“Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties,” Lofgren said.
This week, Lofgren and Wyden wrote that they’ve settled on a proposal that could reverse all of what they say is wrong with the CFAA. If enacted, they said, Aaron’s Law would protect “commonplace online activity from overbroad prosecution and overly harsh penalties, while ensuring that real harmful activity is discouraged and fully prosecuted.”
Specifically, Aaron’s Law would establish that mere breach of terms of service, employment agreements or contracts are not automatic violations of the CFAA, and would also eliminate part of the law that can subject an individual to duplicate charges for the same violation. Additionally, they hope to reform current provisions in an effort to bring greater proportionality to penalties imposed under the CFAA.
“Currently, the CFAA’s penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances — leaving little room for non-felony charges under CFAA,” they wrote for Wired. “For example, under current law a prosecutor can seek to inflate potential sentences by stacking new charges atop violations of state laws. Aaron’s Law would reform the penalty for certain violations to ensure prosecutors cannot seek to inflate sentences by stacking multiple charges under CFAA, including state law equivalents of CFAA, and torts (non-criminal violations of law).”
In March, 27-year-old Andrew Auernheimer was sentenced to 41 months in federal prison for violating the CFAA because he operated a computer program that harvested publically available email addresses from the servers of telecom AT&T. He was convicted of accessing a computer without authorization under the CFAA, but sharpy condemned the law during his sentencing hearing.
The CFAA, said Auernheimer, was written and approved by then-President Ronald Reagan “at a time when he was so senile” that he thought Hollywood’s interpretation of compute hackers was an accurate portrayal.
“The access which I am charged with involves adding one to a number. It is simple arithmetic. Anybody with a Web browser could have done it. I respectfully say that this court’s decision is wrong. And if you people understood what you were doing with the rule of law and the Constitution, you would feel shame,” he said.
Lofgren and Wyden say, “The introduction of this legislation is just the beginning of a process needed to bring balance back to the CFAA.”
“Today, there’s an entire generation of digitally-native young people that have never known a world without an open Internet and their ability to use it as a platform to develop and share ideas. It’s up to all of us to keep it that way.”