Aaron’s Law: A Necessary Change to the CFAA

Sadly, Aaron Swartz recently took his own life. An oppressive federal lawsuit, over a victim-less crime, is thought to be the true impetus for his death. If Swartz had lost the suit, it would’ve meant a multi-decade prison sentence for the computer genius.

To ensure nobody else in Aaron’s position feels forced to make the same ultimate sacrifice, Rep. Zoe Lofgren wants to change the law. The congresswoman from California introduced Aaron’s Law, an amendment to the Computer Fraud and Abuse Act.

Aaron’s Story: Genius with a Yen for Information

Ever used an RSS feed? You can thank Aaron Swartz for that. As a teenager, when peers were hanging out at the mall, he was helping to create RSS specifications. He was also one of the big brains credited with getting Reddit.com off the ground.

Aaron got into some trouble with the government, though. Without rehashing the long and technical story, suffice it to say that he set up a computer, which was used to download a whole lot of data from the M.I.T. JSTOR database. Even though the university declined to prosecute, the government decided to bring him up on wire and computer fraud charges anyway. The Feds wanted to use Aaron as an example of what could happen if you hack or crack networks. Perhaps law enforcement officials were frustrated about their inability to pin down Julian Assange and decided to go after a guy with far fewer resources (and far less sinister goals). Whatever the case, the ordeal was distressing.

A David v. Goliath legal showdown; Aaron represented himself against an army of federal attorneys; he wasn’t successful like David and potentially faced 35 years behind bars. Instead of going to jail, he decided to take his own life.

Zoe Lofgren’s Proposal: Aaron’s Law

Aaron’s death pierced the tech community’s collective soul. Few people doubted that the Digital Age had lost one of its most creative – albeit melancholy – minds. Perhaps as a means to cope and honor Aaron’s significant contribution to our times, his passing reawakened a movement to amend outdated Internet law regulations that call for “outlandishly severe penalties” in victim-less online intellectual property cases.

As a tasteful homage to Swartz, Lofgren introduced a bill on Reddit – a bill that Lofgren explained was written with the intention of preventing “what happened to Aaron from happening to other Internet users.” She also explained that a “simple way to correct this dangerous legal interpretation is to change the CFAA and the wire fraud statutes to exclude terms of service violations.”

Lofgren’s proposal does exactly what Harvard law professor Laurence Lessig has been touting for a while – it prevents “’crimes’ that are nothing more than a breach of contract” from being prosecutable under the Computer Fraud and Abuse Act. Specifically, Lofgren’s law would annotate the CFAA’s definition of “authorized access” to:

“[Unauthorized access] does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer.”

About The Computer Fraud And Abuse Act

The Computer Fraud and Abuse Act (18 USC 1030) passed in 1984 as a way to prosecute high-level computer cracking and espionage. The law was updated in 1988, 1994, 1996, 2001, 2002 and 2008.  As of 2012, the CFAA has been used to combat foreign cybercrimes, computer espionage, computer trespassing, computer fraud, password trafficking and malicious virus spreading. A felony offense, first time offenders convicted under the CFAA can be thrown in jail for 5 years per charge. Defendants convicted twice can receive double the sentence. Currently, the act’s only limitation is monetary in that the action in question must involve a direct cost greater than $5,000.

Since some of the information that lands on “hacktivist” sites is obtained by cracking and hacking, in recent years the government has attempted to make the CFAA stricter as a way to shut down sites like Wikileaks. Department of Justice Computer Crime Chief Richard Downing claims it will be impossible “to deter serious insider threats through prosecution” if the CFAA is not made stricter.

Prediction: Who Will Be For Aaron’s Law & Who Will Be Against It?

Now that Lofgren’s bill is on the table, representatives will review the language and get down to the business of “yay-ing” or “nay-ing.” Expect push-back from law enforcement agencies and groups that have an interest in mitigating piracy (think RIAA, MPAA and the politicians on their side). The same communities that organized against SOPA, in addition to constitutional advocates on the lookout for statutes with unreasonable punishments, will probably support Lofgren’s proposal.

Kelly / Warner deals with cases involving Internet law matters. If you need to speak with an attorney well-versed in online regulations, feel free to contact us anytime.

Lee, Timothy B. ‘“Aaron’s law,” Congressional investigation in wake of Swartz suicide.’ Arstechnica.com. January 16, 2013. Date Accessed: January 29, 2013. <http://arstechnica.com/tech-policy/2013/01/aarons-law-congressional-investigation-in-wake-of-swartz-suicide/>

Choney, Suzanne. “‘Aaron’s Law’ to honor Internet activist, redefine computer fraud.” NBCNews.com. January 17, 2013. date Accessed: January 29, 2013. <http://www.nbcnews.com/technology/technolog/aarons-law-honor-internet-activist-redefine-computer-fraud-1B8005442>