On Thursday, Rep. Zoe Lofgren brought a bill to the floor of the House of Representatives that would reform certain provisions of the Computer Fraud and Abuse Act, the controversial and outdated computer crime statute that I’ve criticized numerous times in this space. The bill is dubbed “Aaron’s Law,” after Aaron Swartz, the computer programmer and digital advocate who committed suicide in January. It addresses the sections of the CFAA that allowed prosecutors to threaten Swartz with charges that could have earned him decades in prison—charges that may have contributed to Swartz’s decision to take his own life.
The bill is not the comprehensive overhaul of computer crime laws that I would like to see. It’s a small step toward a more sensible policy, and that’s all it is. But when it comes to the CFAA, even a small step is a significant one. The CFAA was passed in 1984, back when personal computers were rare and networked personal computers were even rarer. The bill was essentially meant to stop people from hacking into government or financial-industry computers—think WarGames, or Richard Pryor’s scheme in Superman III.
Times have changed, but the law really hasn’t. Now that the entire world is networked, the CFAA more or less encompasses every single computer with an Internet connection, making the law broader than it was ever meant to be. Not only is it extraordinarily broad, it is also extraordinarily vague. For example, the law allows the government to prosecute people for “exceeding authorized access” to a protected computer, but does not clearly define what “exceeding authorized access” means. This vagueness gives prosecutors the latitude to threaten minor-league offenders with potentially huge sentences for purported crimes that hardly merit the term. Swartz, for example, was facing a potential maximum 50-year sentence for unauthorized downloading of journal articles from an academic database.
Aaron’s Law would restore some balance to the CFAA. First and foremost, the bill would strike the phrase “exceeds authorized access” from the CFAA, and would also clearly define the phrase “access without authorization”; these changes make it clear that the law should not be used to prosecute people for violating a website’s terms of service. And, as Electronic Frontier Foundation staff attorney Hanni Fakhoury told me in an email earlier today, Aaron’s Law “eliminates some of the bootstrapping prosecutors can use to increase maximum penalties … specifically that it prevents prosecutors from using state computer crime laws or torts to elevate misdemeanors into felonies. And it eliminates the ability of prosecutors to treat multiple CFAA charges as ‘repeat’ offenses even though they are part of one scheme of criminal activity.”
These are all good, sensible changes. The question is whether the bill will go anywhere in Congress. It’s got bipartisan support: Republican Rep. James Sensenbrenner is joining Lofgren, a Democrat, in bringing the bill to the floor. And Swartz’s personal story is a tragic and compelling one, likely to affect some legislators who might not otherwise understand or care about computer-related laws. “Right now there is a lot of apprehension about government overreach, whether it’s the CFAA or the NSA spying scandal,” notes Fakhoury, who says he’s “cautiously optimistic” that Aaron’s Law will gain traction. “This bill reins in the government’s ability to criminalize wide swaths of innocent behavior and focus scarce DOJ resources on real crime rather than minor contractual disputes. That should resonate with people on both sides of the political divide.”
Though I hope he’s right, I’m not as confident as Fakhoury that this bill will go anywhere. While Swartz’s death might have changed a few congressmen’s minds, I think it’s dangerous to mistake the sentiments of the Internet for the sentiments of society at large. Congressmen, like most people, care a lot more about meting out punishment to “bad hackers” than they do about offering justice to “good hackers,” and I think a lot of them will be susceptible to arguments that Aaron’s Law might make it harder for prosecutors to go after the bad guys and put them in jail. We’ll see if I’m wrong. I hope I am. But you’ll never go broke betting on Congress to do the wrong thing.