Earlier this year, the prosecution and death of internet activist Aaron Swartz highlighted a number of flaws in the Computer Fraud and Abuse Act (CFAA), a 1986 computer crime law which allows federal prosecutors to press serious charges for sometimes innocuous internet activities. Now two members of Congress, Rep. Zoe Lofgren (D-CA) and Sen. Ron Wyden (D-OR), are getting ready to plug those holes with the introduction of "Aaron's Law," a CFAA reform bill first proposed on Reddit aimed at curbing the law's abuses.
In Wired, Lofgren and Wyden outline how the law's vague definitions of "unauthorized access" and "exceeding access" to a computer have allowed for broad interpretations on what a computer crime actually is. Because of that vagueness, prosecutors can default to the language of Terms of Service agreements, making violating such an agreement — by using a fake name on Facebook, for example — punishable as a felony. The final draft of the bill, released on Thursday, proposes sharpening that language to only include the act of "knowingly circumventing one or more technological or physical measures" meant to prevent access to information, such as encryption or a locked office door. Aaron's Law also targets the redundancies which currently allow prosecutors to trump up sentences by charging defendants with the same violation multiple times.
"Ill-conceived computer crime laws can undermine progress if they entrap more and more people."
The CFAA's loose language allowed US attorneys Steven Heymann and Carmen Ortiz to force Aaron Swartz into a plea bargain after threatening up to 35 years in prison. Swartz had accessed MIT's open network and used a Python script to automatically download millions of publicly funded academic papers hidden behind the JSTOR paywall. JSTOR refused to press charges, but because Swartz violated the Terms of Service, he was able to be prosecuted by the government under the CFAA.
Lofgren and Wyden say the bill's intent is "refocusing the law away from common computer and internet activity and toward damaging hacks," warning that keeping the law as-is threatens legitimate activity and "can also become an obstacle to the innovations of tomorrow."